
Web Application Security


Presentation Transcript


  1. Web Application Security Matt York

  2. 300! Slides and code will be posted on the meetup group: http://meetup.com/achieverstech Video will be posted on: achievers.com/tech Tell your friends!

  3. About Me • Joined Achievers in October 2009 • Dev Manager @ Achievers • Professional Experience: • Web and desktop apps with Java, J2EE, Spring, Hibernate • PHP with CodeIgniter • Blackberry mobile development (ouch!)

  4. Scalability • PHP Frameworks • Optimizing MySQL Queries • Security

  5. Average $6.5M in damages per incident • Twitter, Facebook, and MySpace have all been affected by Cross Site Scripting • 70% of all vulnerabilities are at the web application layer • 73% of all organizations have been hacked in the past 2 years

  6. Goals • To NOT make the audience fall asleep • To teach you ABOUT web application vulnerabilities • To show you how to FIND web application vulnerabilities • To DEMO web application vulnerabilities • To show you how to FIX web application vulnerabilities

  7. Agenda • Intro to supersecurebank.com and smrtattacker.com • Intro to Burp Suite • Start testing how secure this bank really is • Help the bank out and fix some of their vulnerabilities

  8. supersecurebank.com • The best bank around • Secure • Full of great features • Amazing UX/UI!

  9. smrtattacker.com • A hacker’s site • Contains tools for executing exploits on other websites • Amazing UX/UI!

  10. Burp Suite

  11. Burp Suite • “I will never develop an application again without Burp Suite.” - Matt York • “I would spend my own allowance on this tool!” - Dr. Aris Zakinthinos

  12. Burp Suite • An amazing security testing tool • A great tool for the $$$ (about $300/yr) • Very good at automatically finding basic vulnerabilities • Good features for doing your own manual testing

  13. Burp Suite – How Does It Work?

  14. Burp Suite Let’s take a look …

  15. TIP: Don’t Give Away Too Much • Hide any details you can about the implementation of your system • Remove unnecessary headers • Verbose error messages

  16. TIP: HTTPS (OWASP A9) • HTTPS for protecting the transmission of sensitive data • HTTPS is not a silver bullet • Session cookies • Not all HTTPS encryption algorithms are equal • SSL, TLS, and different versions • What do your customers require? What is “good enough”?

  17. TIP: Passwords (OWASP A7) • Brute forcing passwords and usernames • Password policies: • Min. characters • Numbers, letters, and symbols • Time to change • Do you have a good strategy in case your system does get compromised? • Hashing: MD5, SHA1, Bcrypt

  18. Salt and Pepper • Not the fabulous musical group • Salt (per user) • HASH(password + saltU1) • HASH(password + saltU2) • Pepper (per system) • HASH(password + saltU1 + pepper) • Eg: password=“apples”, salt=“1394933”, pepper=“ajasdfasf”
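The slide's two formulas worked through in Python, as an added example and not code from the talk: SHA-256 stands in for HASH (the previous slide also lists Bcrypt, which is the better production choice because it is deliberately slow), and the salt and pepper strings are the slide's own sample values.

```python
import hashlib
import hmac
import secrets

# Per-system pepper, using the slide's sample value. In a real deployment it lives in
# configuration or a secrets store, never in the users table next to the salts.
PEPPER = "ajasdfasf"


def new_salt() -> str:
    """Per-user salt: random, and stored alongside the hash (it need not be secret)."""
    return secrets.token_hex(16)


def hash_with_salt(password: str, salt: str) -> str:
    """HASH(password + saltU) from the slide, with SHA-256 standing in for HASH."""
    return hashlib.sha256((password + salt).encode("utf-8")).hexdigest()


def hash_password(password: str, salt: str, pepper: str = PEPPER) -> str:
    """HASH(password + saltU + pepper): the same construction plus the system-wide secret,
    so a stolen users table alone is not enough to start guessing passwords."""
    return hashlib.sha256((password + salt + pepper).encode("utf-8")).hexdigest()


def verify_password(password: str, salt: str, stored: str, pepper: str = PEPPER) -> bool:
    """Recompute and compare in constant time, so timing can't leak how much matched."""
    return hmac.compare_digest(hash_password(password, salt, pepper), stored)


if __name__ == "__main__":
    # Two users with the same password "apples": different salts give unrelated hashes,
    # so one precomputed lookup table can't crack both at once.
    salt_u1, salt_u2 = "1394933", new_salt()
    print(hash_password("apples", salt_u1))
    print(hash_password("apples", salt_u2))
    print(verify_password("apples", salt_u1, hash_password("apples", salt_u1)))
```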

  19. TIP: Iframes • Allowing your site to be hosted in an iframe has potential for users to do things they didn’t intend to do • X-Frame-Options header • Frame-busting

  20. TIP: Account Harvesting • Again, don’t give away too much • Usernames are one half of the login process • CAPTCHAs: "Completely Automated Public Turing test to tell Computers and Humans Apart"

  21. TIP: SQL Injections (OWASP A1) • Running unintended SQL queries on your database by passing SQL through request parameters • Limit what your application DB user can do • Know your database settings: MYSQL_OPTION_MULTI_STATEMENTS_OFF

  22. TIP: Cross Site Scripting (OWASP A2) • XSS enables attackers to inject client side script into web pages viewed by other users • Typical example is an alert • One of the most common attacks on websites

  23. TIP: Session Cookies (OWASP A3) • HttpOnly flag • Secure flag (for HTTPS sites)

  24. Preventing Cross Site Scripting • Output Encoding • XSS Filtering
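Output encoding from this slide together with the HttpOnly and Secure cookie flags from the previous one, as an added Python example (not the talk's code): the welcome line, the `session` cookie name and the sample session id are assumptions, and the script-in-a-name input is the slide's "alert" example.

```python
import html
from http.cookies import SimpleCookie


def welcome_unencoded(display_name: str) -> str:
    """The bug: a stored or reflected name is dropped into the page as-is, so a
    name containing <script> runs in every visitor's browser."""
    return f"<p>Welcome back, {display_name}!</p>"


def welcome_encoded(display_name: str) -> str:
    """Output encoding for an HTML text context: &, <, >, ' and " become entities,
    so the same name is rendered as literal text instead of markup."""
    return f"<p>Welcome back, {html.escape(display_name, quote=True)}!</p>"


def session_cookie(session_id: str, https: bool = True) -> str:
    """Set-Cookie value with HttpOnly (document.cookie can't read it, so script that
    slips past the encoding can't lift the session) and, on HTTPS sites, Secure
    (the browser never sends it over plain HTTP)."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["httponly"] = True
    jar["session"]["path"] = "/"
    if https:
        jar["session"]["secure"] = True
    return jar["session"].OutputString()


if __name__ == "__main__":
    name = "<script>alert(1)</script>"
    print(welcome_unencoded(name))   # script tag reaches the browser
    print(welcome_encoded(name))     # shown as text: &lt;script&gt;...
    print("Set-Cookie:", session_cookie("abc123"))
```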

  25. TIP: Cross Site Request Forgery (OWASP A5) XSRF exploits occur when a website allows an authenticated user to perform a sensitive action but does not verify that the user is invoking that action

  26. Preventing Cross Site Request Forgery • XSRF Cookie and Token • REST
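One way to pair the session cookie with a token, as an added Python example rather than the talk's code: the token is an HMAC of the session id under a server secret, the transfer form carries it in a hidden field, and the POST handler refuses a request whose token does not match the cookie it arrived with. The `/transfer` form, field names and session ids are assumptions.

```python
import hashlib
import hmac
import secrets

# Server-side secret; generated at import for the demo, loaded from config in practice.
SECRET_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token tied to the session cookie: HMAC(secret, session id). Nothing extra is
    stored server-side, and a token minted for one session is useless with another."""
    return hmac.new(SECRET_KEY, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def transfer_form(session_id: str) -> str:
    """The bank's transfer form, with the token in a hidden field. Another site can
    make the browser POST here with the cookie, but can't read this page to copy it."""
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookie_session_id: str, form: dict) -> bool:
    """POST handler. The cookie proves the user is logged in, not that the user meant
    to submit this; the matching token is what shows the request came from our form."""
    submitted = form.get("csrf_token", "")
    expected = csrf_token(cookie_session_id)
    if not hmac.compare_digest(submitted, expected):
        return False  # forged cross-site POST: cookie present, token missing or wrong
    # ... perform the transfer on behalf of cookie_session_id here ...
    return True


if __name__ == "__main__":
    sid = "sess-alice"
    print(transfer_form(sid))
    print(handle_transfer(sid, {"csrf_token": csrf_token(sid), "to": "bob", "amount": "10"}))
    print(handle_transfer(sid, {"to": "bob", "amount": "10"}))  # rejected
```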

  27. Insecure Direct Object Reference (OWASP A4) Kind of a complicated name, right? Think! Slow down!

  28. Final Random Tips • type=“file” • Dot dot slash dot dot slash • Don’t email out passwords! • Set Content-Type headers • Validate your redirects
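Two of these tips in code, as an added Python example that is not from the talk: a check that a file name from a type="file" upload cannot "dot dot slash" its way out of the upload directory, and a redirect validator for a `next` parameter. The upload directory and the `supersecurebank.com` / `smrtattacker.com` hosts in the usage are taken as the bank and the hostile site from the talk; the function names and paths are assumptions.

```python
import posixpath
from urllib.parse import urlsplit

# Hypothetical locations for the demo.
UPLOAD_ROOT = "/srv/bank/uploads"
OUR_HOST = "supersecurebank.com"


def safe_upload_path(root: str, user_supplied_name: str):
    """Resolve the uploaded file's name under root and reject anything whose ../
    segments (or an absolute path) climb out of it. Returns None on rejection."""
    full = posixpath.normpath(posixpath.join(root, user_supplied_name))
    if full == root or posixpath.commonpath([root, full]) != root:
        return None
    return full


def safe_redirect(next_url: str, our_host: str = OUR_HOST) -> str:
    """Validate a 'next' parameter before redirecting: allow a site-relative path or
    an https URL on our own host; anything else falls back to the home page."""
    parts = urlsplit(next_url)
    if parts.scheme or parts.netloc:
        # absolute URL: compare hostname, not netloc, so user@host forms don't pass
        if parts.scheme == "https" and parts.hostname == our_host:
            return next_url
        return "/"
    # relative: exactly one leading slash; "//host" and "/\host" are read by
    # browsers as protocol-relative and would leave the site
    if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
        return next_url
    return "/"


if __name__ == "__main__":
    print(safe_upload_path(UPLOAD_ROOT, "statement.pdf"))      # inside root
    print(safe_upload_path(UPLOAD_ROOT, "../../etc/passwd"))   # None
    print(safe_redirect("/account"))                           # /account
    print(safe_redirect("//smrtattacker.com/"))                # /
```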

  29. Summary • Start with good architecture and design • Tradeoffs • How do you stay secure? • It's not that hard! • Security is important

  30. Good Security Resources • OWASP – The Open Web Application Security Project https://www.owasp.org/index.php/Main_Page • Burp Suite • http://ha.ckers.org/ (no new material) • http://code.google.com/p/skipfish/ • http://code.google.com/p/ratproxy/

  31. Announcements • Achievers is hiring! (tech@achievers.com) • Hackernest meetup – Nov 26th @ Achievers • Movember – Tech Talks / Beer / Food is Free Drinks!
