Web Security Common security threats and hacking


Web Security: Common security threats and hacking. Nahidul Kibria, Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa. Writing code for fun and food. And security enthusiast. Shahee Mirza, Certified Ethical Hacker (C|EH).

Transcript of Web Security Common security threats and hacking

Web Security: Common security threats and hacking
Nahidul Kibria, Co-Leader, OWASP Bangladesh; Senior Software Engineer, KAZ Software Ltd. Twitter: @nahidupa

Writing code for fun and food. And security enthusiast.
The OWASP Foundation http://www.owasp.org
Shahee Mirza

# Certified Ethical Hacker (C|EH).
# Microsoft Certified Systems Administrator.
# Information Security Consultant, Nexus IT Zone.

http://www.shaheemirza.com
FB: shaheemirza
Twitter: @shaheemirza


Why should we care? You already learned about web programming.


NOT SECURE: phone/SMS banking, online banking, e-commerce


Most sites are not secure!
Attackers can access unauthorized data!
They use your web site to attack your users!


Historically the web wasn't designed to be secure

Built for static, read-only pages
Almost no intrinsic security
A few security features were bolted on later


Did not have sessions initially

What does that mean?

Cookie based sessions can be hijacked

No separation of logic and data

No client-supplied data can be trusted
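To make the last two points concrete, here is a short Python sketch added for this write-up (it is not from the slides): a constructed in-memory SQLite user table, a lookup that splices client data straight into the SQL text (logic and data mixed), the same lookup with the data passed as a bound parameter, and the same separation applied to HTML output.

```python
import sqlite3
import html


def make_db():
    # Constructed sample data standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Logic and data are mixed: whatever the client sent becomes part of the
    # SQL statement, so the client can change what the query means.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    # The query (logic) is fixed; the client's value (data) travels separately
    # as a bound parameter and can only ever be compared as a string.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # Same principle for the browser: encode client data before placing it
    # inside markup, so it is displayed as text rather than run as HTML.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    untrusted = "' OR '1'='1"          # constructed client input
    print(lookup_vulnerable(db, untrusted))   # every row comes back
    print(lookup_safe(db, untrusted))         # nothing matches that literal name
    print(render_greeting("<b>guest</b>"))
```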

The vast majority of web applications have serious security vulnerabilities!

Most developers are not aware of the issues.


Let's start over

Web application threat surface

XSS
CSRF
Clickjacking
Parameter tampering / sniffing
Forged token
Directory traversal
Direct object reference
SQL injection
XML injection

The way web browsers handle sessions: CSRF
JavaScript: XSS
Transparency: clickjacking
Data transported: parameter tampering / sniffing
Authentication / authorization

Files are uploaded/downloaded: path traversal
Interaction with a database
Interaction with a web service

All are hotspots and exploitable

Ajax / Flash / Flex / AIR / applets

Large attack surface, and it's growing

Ajax, Flash, Silverlight, applets

The attack surface is growing!

Some incident examples


INSECURE-Mag-31

http://www.dnaindia.com/mumbai/report_cyber-crime-costs-india-rs34110-crore-per-year_1588917
Study: Global cybercrime costs more than illegal drugs
Global drug trade: about $288 billion
Global cybercrime: $114 billion
India: Rs 34,110 crore

http://news.consumerreports.org/electronics/2011/09/study-global-cybercrime-costs-more-than-fighting-llegal-drugs.html

Common question: I'm innocent, why should I be a target?

I don't have any sensitive data.
I don't even serve any important data.
I have no enemies.

Answer: you have resources...
Maybe a multi-core processor...
Bandwidth
Attackers weaponize your PC to attack others or use your resources...


Turn your PC into a zombie

They may even run a hash cracker
Anonymity
Attack others
Click flood
DDoS

You may have got what I said about botnets.

Botnets: just in brief


This is a problem

Network security and others

But developers...

Application security
Threat modeling


Security Quick Resource Guide
About OWASP
OWASP's mission is to make application security visible, so that people and organizations can make informed decisions about true application

Attackers do not use black art to exploit your application
220 chapters

OWASP Bangladesh Chapter
Bangladeshi community of security professionals
Globally recognized
Open for all
Free for all

What do we have to offer?
Monthly meetings
Mailing list
Presentations & groups
Open forums for discussion
Vendor-neutral environments

OWASP Top 10 Web Application Security Risks (2010 Edition)
http://www.owasp.org/index.php/Top_10
Application Developers


New attacks / defense guidelines
Cheat Sheets
WebGoat: an emulator designed to teach web application security lessons

The OWASP Enterprise Security API
Existing Enterprise Security Services / Libraries
Application Testers and Quality Assurance


Tools
Testing guide / pentester
Application Security Verification Standard Project


OWASP ZAP Proxy / WebScarab

OWASP CSRFTester

Application Project Management and Staff


Define the process
SDLC
Code review
Decision maker

OWASP Code Review Project

Code review tools:
http://codecrawler.codeplex.com/Release/ProjectReleases.aspx
http://orizon.sourceforge.net

Code review is not only for readability / better architecture.
Your goal can also be solely to review code for finding insecure code.

OWASP Testing Framework
4.2 Information Gathering
4.3 Configuration Management Testing
4.4 Business Logic Testing
4.5 Authentication Testing
4.6 Authorization Testing
4.7 Session Management Testing
4.8 Data Validation Testing
4.9 Testing for Denial of Service
4.10 Web Services Testing
4.11 Ajax Testing

http://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents

OWASP Testing Guide v3

v4 is not finalized


Myth: the developer will provide me with a secure solution without me asking
Download

Get OWASP books
Coolest Jobs in Information Security

#1 Information Security Crime Investigator/Forensics Expert
#2 System, Network, and/or Web Penetration Tester
#3 Forensic Analyst
#4 Incident Responder
#5 Security Architect
#6 Malware Analyst
#7 Network Security Engineer
#8 Security Analyst
#9 Computer Crime Investigator
#10 CISO/ISO or Director of Security
#11 Application Penetration Tester
#12 Security Operations Center Analyst
#13 Prosecutor Specializing in Information Security Crime
#14 Technical Director and Deputy CISO
#15 Intrusion Analyst
#16 Vulnerability Researcher/Exploit Developer
#17 Security Auditor
#18 Security-savvy Software Developer
#19 Security Maven in an Application Developer Organization
#20 Disaster Recovery/Business Continuity Analyst/Manager

Subscribe to the mailing list
https://www.owasp.org/index.php/Bangladesh
https://www.facebook.com/OWASP.Bangladesh
Keep up to date!
Twitter: @nahidupa
Twitter: @owaspbangladesh
