Web Vulnerabilities - Building Basic Security Awareness
TRANSCRIPT
Page 1
Web Vulnerabilities: Being Aware of Risks and Mitigation Options
Gurpreet Luthra (@_zenx_)
Page 2
(image only)
Page 3
Please enter your Google credentials to access the photo album.
Page 4
Phishing
Page 5
Simple Google Search
Page 6
Another Example: Gym Membership
Page 7
(image only)
Page 8
Spear Phishing
Page 9
Strong Security
Useless!
Page 10
Social Engineering
The clever manipulation of the natural human tendency to trust.
Page 11
Social Engineering
• Phishing
• Spear Phishing
• Vishing
• Baiting
• Tailgating
Page 12
PROTECT
Page 13
PROTECT
SSL/TLS and digital certificates (check the certificate and the domain before entering credentials)
Personal image or message that the real site shows you [Verified by Visa]
RSA tokens / 2-step authentication
OTP (ICICI or Facebook)
Log referring websites (the Referer header on requests to the login page)
Safe Browsing API (Google): https://developers.google.com/safe-browsing/
Phishing detection browser plugin
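The "log referring websites" item above, as an added example in JavaScript that is not from the slides: a victim who is forwarded from a phishing page to the real login page usually carries the phishing site's address in the Referer header, so a login page that logs referers and reviews them for foreign hosts can surface the phishing domain. The log lines, the hostnames and the allowlist below are constructed for the example.

```javascript
// Added example (not from the slides): spot phishing sites from the Referer header
// of requests that hit the real login page. Assumes Apache/nginx "combined" log
// format and a hypothetical allowlist of our own hostnames.
const OWN_HOSTS = new Set(['www.example-bank.com', 'example-bank.com']); // assumption

// Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

function refererHost(referer) {
  if (!referer || referer === '-') return null; // no Referer sent (direct navigation, privacy settings)
  try { return new URL(referer).hostname.toLowerCase(); } catch { return 'invalid:' + referer; }
}

// Returns one finding per foreign host that referred requests to a login path.
// Hits and distinct client IPs are counted so the noisiest candidates come first.
function findSuspiciousReferers(lines, loginPaths = ['/login', '/signin']) {
  const byHost = new Map();
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;                                   // unparseable line: skip, do not crash
    if (!loginPaths.some(p => entry.path === p || entry.path.startsWith(p + '?'))) continue;
    const host = refererHost(entry.referer);
    if (host === null || OWN_HOSTS.has(host)) continue;     // no referer, or our own site
    const rec = byHost.get(host) || { host, hits: 0, ips: new Set(), firstSeen: entry.time };
    rec.hits += 1;
    rec.ips.add(entry.ip);
    byHost.set(host, rec);
  }
  return [...byHost.values()]
    .map(r => ({ host: r.host, hits: r.hits, distinctIps: r.ips.size, firstSeen: r.firstSeen }))
    .sort((a, b) => b.hits - a.hits);
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /login HTTP/1.1" 200 2326 "https://www.example-bank.com/" "Mozilla/5.0"',
  '198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "http://example-bank-secure-login.xyz/verify.php" "Mozilla/5.0"',
  '198.51.100.8 - - [10/Oct/2012:13:56:40 +0000] "POST /login HTTP/1.1" 302 0 "http://example-bank-secure-login.xyz/verify.php" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2012:13:57:12 +0000] "GET /login?next=/accounts HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
  '203.0.113.10 - - [10/Oct/2012:13:58:00 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "http://evil.example/" "Mozilla/5.0"',
  'garbage line that does not parse',
];

const findings = findSuspiciousReferers(SAMPLE_LOG);
for (const f of findings) {
  console.log(`ALERT: ${f.hits} login hit(s) from ${f.distinctIps} IP(s) referred by ${f.host} (first seen ${f.firstSeen})`);
}
```

A missing Referer is normal (typed URLs, bookmarks, privacy settings), so only requests with a foreign referring host are flagged; legitimate external referers such as search engines or partner portals will show up too and belong in the allowlist once reviewed.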
Page 14
Social Engineering
“A typical system will reject log-ins continually, ensuring the victim enters PINs or passwords multiple times, often disclosing several different passwords!”
http://en.wikipedia.org/wiki/Social_engineering_(security)
Page 15
Cookies
Page 16
(image only)
Page 17
Gmail Cookies
ThoughtWorks Cookies
Page 18
(image only)
Page 19
(image only)
Page 20
Cross Site Request Forgery (CSRF)
Image tags on an attacker's page: the victim's browser fetches each URL and attaches its cookies for that site, so the request runs with the victim's session.
<img src="http://my-email.com/logout">
<img src="http://facebook.com/add_friend?uid=2345adbehd3332a23">
<img src="http://intranet/report-app/mail?r=1&[email protected]" width="1" height="1" border="0"/>
Page 21
Cross Site Request Forgery (CSRF)
On the website http://www.attacker.com:
<body onload="document.getElementById('frm').submit()">
  <form id="frm" action="http://my-mail.com/logout" method="post">
    <input name="Log Me Out" value="Log Me Out" />
  </form>
</body>
Page 22
PROTECT
Check the Referer header (and the Origin header where the browser sends it)
GET should not change state or have side effects
Re-authenticate the user for sensitive transactions; add a CAPTCHA
Double-submit cookie + CSRF token
Use a separate browser (or profile) for sensitive sites
Page 23
Cross Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) was among the twenty most-exploited security vulnerabilities of 2007, along with Cross-Site Scripting (XSS) and SQL Injection.
Also listed in the OWASP Top 10 (2010), as A5.
Page 24
OWASP Top 10 (2010)
• Injection (SQL, LDAP, etc.)
• Cross Site Scripting (XSS)
• Broken Authentication and Session Management
• Insecure Direct Object Reference
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Page 25
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards."
– Gene Spafford
Gurpreet Luthra (@_zenx_)
Page 26
Samy Worm (MySpace)
<div style="background:url('javascript:alert(1)')">
No JavaScript allowed: MySpace's filter rejects the word "javascript". Out of quotes: double quotes wrap the attribute and single quotes wrap the url(), so no quote character is left for a JavaScript string literal.
<div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')">
Workaround for the quotes: keep the code in a separate attribute (expr) and eval it from the style.
Page 27
Samy Worm (MySpace)
<div id="mycode" expr="alert('hah!')" style="background:url('java
script:eval(document.all.mycode.expr)')">
The word "javascript" is blocked, so it is split with a newline ("java", newline, "script"); the browser still reads it as javascript:.
<div id="mycode" expr="alert('double quote: ' + String.fromCharCode(34))" style="background:url('java
script:eval(document.all.mycode.expr)')">
More quotes needed: String.fromCharCode(34) yields a double quote without typing one.
Page 28
Samy Worm (MySpace)
alert(eval('document.body.inne' + 'rHTML'));
Words like innerHTML are not allowed, so the identifier is split and rebuilt by string concatenation at run time.
A unique hash is needed to POST (MySpace's anti-CSRF token). No problem: first fetch the page with a GET in an Ajax request, take the hash from the response, and include it in the POST.
http://namb.la/popular/tech.html
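The three bypasses on pages 26 to 28 (the split "javascript" scheme, the String.fromCharCode quote, and the split "innerHTML" identifier), as an added example in JavaScript that is neither the worm's nor the slides' code: a toy substring blacklist of the kind the worm defeated, each payload run through it, and the alternative that holds up, which is to decide on the parsed value (an allowlist of URL schemes) and to encode on output. The filter, the allowlist and the sample values are constructed for the example.

```javascript
// Added example (not the slides' or the worm's code): a substring blacklist like the
// one the Samy bypasses defeated, the slide payloads run through it, and the fix.
// The banned words are the two the slides name; the filter itself is a toy.
const BANNED = ['javascript', 'innerhtml'];

function blacklistAccepts(input) {
  const lower = input.toLowerCase();
  return !BANNED.some(word => lower.includes(word));
}

// Bypass 1: split the scheme with a newline. The blacklist sees "java\nscript";
// URL parsers strip ASCII tab/newline before parsing (WHATWG rule) and see "javascript:".
const SPLIT_SCHEME_URL = "java\nscript:eval(document.all.mycode.expr)";

// Bypass 2: split the identifier and let string concatenation rebuild it at run time.
const SPLIT_IDENT_EXPR = "document.body.inne' + 'rHTML";

// Bypass 3: both quote types were already used up in the style attribute, so a double
// quote for a JS string comes from String.fromCharCode(34) instead of a " character.
function quoteWithoutTypingOne() {
  return 'double quote: ' + String.fromCharCode(34);
}

// The fix: decide on the *parsed* value, not on substrings of the raw text.
// Only absolute http(s) URLs may appear in url(); everything else is rejected.
function allowlistedUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return null; }      // relative or garbled: reject
  return url.protocol === 'http:' || url.protocol === 'https:' ? url.href : null;
}

// For text contexts, encode on output so user-supplied markup is displayed, not executed.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, ch => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[ch]));
}

function demo() {
  return {
    plainBlocked: blacklistAccepts("background:url('javascript:alert(1)')"),  // false: caught
    splitPasses:  blacklistAccepts(SPLIT_SCHEME_URL),                          // true: bypass
    parserSees:   new URL(SPLIT_SCHEME_URL).protocol,                          // 'javascript:'
    identPasses:  blacklistAccepts(SPLIT_IDENT_EXPR),                          // true: bypass
    identRebuilt: 'document.body.inne' + 'rHTML',                              // 'document.body.innerHTML'
    quoteAppears: quoteWithoutTypingOne().includes('"'),                       // true
    fixRejects:   allowlistedUrl(SPLIT_SCHEME_URL),                            // null
    fixAllows:    allowlistedUrl('https://example.org/bg.png'),                // 'https://example.org/bg.png'
    escaped:      escapeHtml('<div style="background:url(\'javascript:alert(1)\')">'),
  };
}
console.log(demo());
```

`new URL` applies the WHATWG rule of removing tabs and newlines before parsing, which is exactly the normalisation the blacklist never saw; a filter has to operate on the same parsed form the browser uses, or the site must simply refuse to pass user markup through at all.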
Page 29
(closing slide; repeats the quote and credit from page 25)