security vulnerabilities in new web applications
play

Security vulnerabilities in new web applications Ing. Pavol Luptk, - PowerPoint PPT Presentation

Sep 24, 2023 •436 likes •594 views

Security vulnerabilities in new web applications Ing. Pavol Luptk, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com Introduction $whoami Pavol Luptk 10+ years of practical experience in security and seeking

  1. Security vulnerabilities in new web applications Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant www.nethemba.com www.nethemba.com

  2. Introduction $whoami Pavol Lupták  10+ years of practical experience in security and seeking vulnerabilities with a strong theoretical background (CISSP, CEH)  OWASP Slovakia Chapter Leader  co-author of the OWASP Testing Guide v3.0  owner of security company Nethemba s.r.o. focused on penetration tests and web application security audits www.nethemba.com

  3. The goal of this presentation  To show security vulnerabilities common in new web applications (Internet banking, e-shops, online casinos, ..) during the period 2008-2009  “Real data” from plenty of new web applications developed by Czech/Slovak companies was used  To ensure their privacy, the used data was aggregated www.nethemba.com

  4. SQL injection downtrend, risk of second-order injection vulnerabilities  Most new applications use prepared statements/parametrized queries  Complex architecture with multiple different applications can increase the likelihood of second-order injection vulnerabilities  New fully-automatized SQL injection tools are available (sqlmap, Power SQL injector) www.nethemba.com

  5. Increased complexity of XSS vulnerabilities, AJAX security ● Due to a huge number of XSS variations, “ blacklisting” simply does not work ● Importance of the “output validation” (inevitable if the stored data is contaminated with injected code) ● It is still a problem to automatically reveal persistent XSS / AJAX vulnerabilities ● New XSS demo tools (Browser Rider, Beef) www.nethemba.com

  6. Vulnerabilities in session management  Many new applications use own session management that is almost always bad implemented  If it is possible, use language underlying session management instead  At this moment, there is no automated way to fully test session management security www.nethemba.com

  7. Session Fixation Attacks  If the attacker can inject an arbitrary value in anonymous session tokens and the application accepts this value and uses it for authenticated login, session fixation attacks are feasible  Can be used to hijack user sessions using social engineering, XSS vulnerabilities, ..  The application should not accept injected session token, should regenerate it after login, invalidate after logout www.nethemba.com

  8. Absence of “secure” and “HttpOnly” flag for cookies  Secure flag prevents the browser to send a cookie through unencrypted connection  HttpOnly flag prevents the injected javascript code to steal cookies using the document.cookie parameter  HttpOnly is effective only when TRACE/TRACK HTTP methods are disabled on web server www.nethemba.com

  9. Simultaneous sessions  In normal circumstances there is no need for simultaneous sessions for one user in the application  User should be informed if another user with the same credentials is logged to the application  Bind the user session with its IP address/subnet  Session logging is very important www.nethemba.com

  10. Brute force attack against session management  Feasible when session token is shorter than 128 bits or it is easily determinable  Almost no application can detect this attack because session token is not associated with an existing user  The application should detect increased number of session tokens from one IP address in a short time and blocks it for a defined period www.nethemba.com

  11. CSRF vulnerabilities  GET requests are still used for sensitive operations  Many ways how to protect against CSRF:  Requiring special non-determinable parameters in GET/POST requests (hidden fields)  AJAX “double submit” cookies  Using other verification channels (email, SMS, ..) www.nethemba.com

  12. Weak and broken CAPTCHA ● We successfully break all our tested CAPTCHAs with CAPTCHA killer ● It is really difficult to create strong CAPTCHA ● Many CAPTCHA implementations are vulnerable to replay attacks ● Is still using CAPTCHA a good idea? www.nethemba.com

  13. Business Logic Security Flaws  Still prevailed because of complexity to detect them automatically  Common problems:  Permanent user's account locking  Using negative numbers to gain a lot of money  Enumeration of users using “forgotten password” or “registration” form www.nethemba.com

  14. Vulnerable SSL protocol, weak ciphers, hashes and passwords  SSLv2 is still massively used  Weak (less than 56-bits) SSL ciphers are used  MD5 is still massively used  DES ECB is still used (in a bank environment!)  Applications have password complexity restrictions that drastically decrease all possible combinations  Short complicated passwords are still used  Hashes are not salted (risk of rainbow table attacks) www.nethemba.com

  15. Any questions? Thank you for listening Ing. Pavol Lupták, CISSP CEH www.nethemba.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe

Software Vulnerabilities in Programming Languages and Applications A presentation to Ada Europe 2010 Stephen Michell, Maurya Software, Ottawa, Canada Security There are people out there trying to attack every computer that we own. Most

503 views • 48 slides
Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten

Static Detection of Second-Order Vulnerabilities in Web Applications Johannes Dahse and Thorsten Holz Ruhr-University Bochum USENIX Security 14, 20-22 August 2014, San Diego, CA, USA 1. Introduction 2. Implementation 3. Evaluation 4.

579 views • 40 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy

801 views • 38 slides
(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK & THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber & Networking Security Networking security has become critical issue for all types

788 views • 66 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun & profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats Create defensive measures Evaluate security software What this talk is about Windows rootkits How they are used How they work

790 views • 54 slides
Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities

Wh What t abou out t th the e sof oftw twar are? e? How many security vulnerabilities are there in the software implementing all this smart grid functionality and the underlying protocols? Erik Poll Radboud University Nijmegen Moti

351 views • 33 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of

Network and Internet Vulnerabilities Computer Security Lecture 9 David Aspinall School of Informatics University of Edinburgh 24th February 2014 Outline Introduction Network and transport-level vulnerabilities Higher-level protocol

1.01k views • 88 slides
OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of

OWASP Most Critical Web Application Security Vulnerabilities Introduction 2 Purpose of Session: - Provide Overview Web Application Security Threats and Defense Using the Open Web Application Security Project (OWASP) Top List, we

830 views • 39 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit

Development of Web Applications Principles and Practice Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL 5 Client Technologies Vincent Simonet, 2015-2016 Universit Pierre et Marie Curie,

576 views • 33 slides
Introduction Emergency Operations Center (EOC): Secure location in which individuals come

Introduction Emergency Operations Center (EOC): Secure location in which individuals come

Project Ensayo : A Distributed, Virtual Emergency Operations Center Cynthia Nikolai, University of Notre Dame Irma Becerra-Fernandez, Florida International University Michael Prietula, Emory University Gregory Madey,

995 views • 33 slides
AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls

AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls

AJAX Lab. de Bases de Dados e Aplicaes Web MIEIC, FEUP 2010/11 Srgio Nunes Server calls from web pages using JavaScript call HTTP data Motivation The traditional request-response cycle in web applications is synchronous. With

552 views • 20 slides
Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms

Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms

Jquery and OpenCms Matt Butcher Aleph-Null, Inc. http://aleph-null.tv The Strengths of OpenCms Built on Mature Core Technologies Solid Object-Oriented Architecture Feature-packed Workplace JSP for Templates, Structured XML for

331 views • 10 slides
SAS Stored Processes and Developing Web Applications Phil Mason Independent SAS Consultant

SAS Stored Processes and Developing Web Applications Phil Mason Independent SAS Consultant

SAS Stored Processes and Developing Web Applications Phil Mason Independent SAS Consultant Contents Creating a Simple Web App using Enterprise Guide Make a report Turn it into a Stored Process Use Stored Process Web App Make

1.54k views • 138 slides
Google Web Toolkit (GWT) Architectural Impact on Enterprise Web Application First

Google Web Toolkit (GWT) Architectural Impact on Enterprise Web Application First

Google Web Toolkit (GWT) Architectural Impact on Enterprise Web Application First Generation HTTP request (URL or Form posting) W W W HTTP response (HTML Document) Client Tier Server Tier Data Tier CGI-Scripts Data Source Web

483 views • 22 slides
Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of

Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of

Web Architecture and Development SWEN-261 Introduction to Software Engineering Department of Software Engineering Rochester Institute of Technology HTTP is the protocol of the world-wide-web. The Hypertext Transfer Protocol (HTTP) was

621 views • 28 slides
INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB

INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB

INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 INFORMATION ORGANIZATION LAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 LAST TIME ON IOLAB INFORMATION ORGANIZATION LAB SEPTEMBER 17, 2012 GIT GUI CLIENTS MAC GitX GitT ower

538 views • 24 slides

More recommend