SlideShare une entreprise Scribd logo

Web 2.0 threats, vulnerability analysis,secure web 2.0 application development and risk management

Marco Morana
Marco Morana

Analysis of Web Vulnerabilities, Secure design of Web 2.0 applications and risk management

Technologie
1  sur  38
Télécharger pour lire hors ligne
Copyright © 2010 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP http://www.owasp.org Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications Marco Morana OWASP Cincinnati Chapter, November 2010 Meeting
OWASP What is OWASP? 2
OWASP 3 Agenda For Today’s Presentation 1. The Evolution of Web 2.0 2. Web 2.0 Vulnerability Analysis 3. Building Secure Web 2.0 Applications 4. Web 2.0 Risk Management
OWASP 4 The Evolution of the Internet to Web 2.0
OWASP General Web 2.0 Background 5  Can be defined as: “Web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web” … the main characteristics of web 2.0 are: 1. Encourage user’s participation and collaboration through a virtual community of social networks/sites. Users can and add and update their own content, examples include Twitter and social networks such as Facebook, Myspace, LinkedIn, YouTube 2. Transcend from the technology/frameworks used AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others 3. Combine and aggregate data and functionality from different applications and systems, example include “mashups” as aggregators of client functionality provided by different in-house developed and/or third party services (e.g. web services, SaaS)
OWASP Web 2.0 As Evolution of Human Knowledge Source http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html
OWASP Web 2.0 As Adoption By Businesses 7
OWASP How Web 2.0 Changes The Threat Landscape  Web 1.0 threats are amplified by the intrinsic nature of Web 2.0 such as expanded interaction model and use of both old and new Web 2.0 technologies, examples: Social networks as target for attack users with malware, FaceBook is 350 Million users ! Web 2.0 prone to Web 1.0 vulnerabilities such as XSS, CSRF, Phishing, Injection Flaws  Web 2.0 enable more effective attacks because of sharing and integration between disparate systems, examples are: Complexity of integration of different technologies and services, front-end/client and back-end/server Rich client interfaces increase the attack surface and the likelihood of business logic attacks  Social networks facilitate information disclosure of confidential PII, examples are: Abuse of user’s trust first-verify model by attackers Sharing data model breaks boundaries of confidentiality, not clear boundaries between private vs. public, personal life vs. professional life
OWASP Web 2.O: Old Vulnerabilities And New Exploit Scenarios
OWASP 10 Web 2.O Vulnerabilities
OWASP Top 50 WASC Threats and Top 10 OWASP Risks Especially Impacting Web 2.0
OWASP WASC-23 XML INJECTION, WASC-29 XPATH INJECTION, OWASP A1: INJECTION FLAWS  WEB 2.0 EXPLOIT SCENARIOS: XML INJECTION/POISONING  User-supplied input is inserted into XML without sufficient validation affecting the structure of the XML record and the tags (and not just content) XPATH INJECTION  XPath injection is an attack to alter an XML query to achieve the attacker’s goals JSON INJECTION  An attacker can force execution of malicious code by injecting malicious JavaScript code into the JSON (JavaScript Object Notation structure) on the client. RSS FEED INJECTION  RSS feeds can consume un-trusted sources injected with XSS  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript -
OWASP WASC-08/OWASP A2: CROSS SITE SCRIPTING (XSS)  WEB 2.0 EXPLOIT SCENARIOS: INSUFFICIENT LIMITS ON USER INPUT  Users are allowed to enter HTML data that can be potentially malicious (e.g. while creating contents such as networks, blogs or wikis)  Users have extensive control over user content including unsafe HTML tags that can be abused for XSS INSUFFICIENT FILTERING FOR XSS DOM  XSS exposure is increased for Web 2.0 especially for XSS DOM since is used in RIA written in FLASH or Silverlight, Mashups and Widgets using DOM  AJAX increases the entry points for potential XSS injections  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2008-32: Yahoo HotJobs XSS  Hackers exploiting an XSS vulnerability on Yahoo HotJobs to steal session cookies of victims
OWASP WASC-01: INSUFFICIENT AUTHENTICATION OWASP-A3: BROKEN AUTHENTICATION AND SESSION MANAGEMENT  WEB 2.0 EXPLOIT SCENARIOS: WEAK PASSWORDS  User choice of simple-to-guess passwords and trivial password-reminder questions set by on-line site contributors CLEAR TEXT PASSWORDS  Password stored in AJAX Widgets/Mashups sent and stored in clear outside the control of the host INSUFFICIENT PASSWORD MANAGEMENT CONTROLS  Password recovery/reminders not protected from brute force attacks SINGLE-SIGN-ON DESIGN FLAWS  Passwords stored in personalized homepage and in the desktop widget as “autologon feature” or in the cloud to SSO from the desktop  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2009-2: Twitter Accounts of the Famous Hacked
OWASP WASC-09/OWASP A5: CROSS SITE REQUEST FORGERY (CSRF)  WEB 2.0 EXPLOIT SCENARIOS: CSRF USING AJAX REQUESTS  XHR calls enable invisible queries of a web application by the client that user cannot visually validate for forgery INSUFFICIENT BROWSER ENFORCEMENT OF SINGLE ORIGIN POLICY  Desktop widgets do not have the same SOA protection as browser applications and faciilitate CSRF WEAK SESSION MANAGEMENT  Session expiration times are typically quite high, increasing the risk of session base attacks such as CSRF  Persistent session cookies are shared by Widgets increase the opportunities for CSRF attacks  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2009-4: Twitter Personal Info CSRF -By exploiting a CSRF bug in Twitter, site owners can get Twitter profiles of their visitors.
OWASP WASC-21: INSUFFICIENT ANTI-AUTOMATION  WEB 2.0 EXPLOIT SCENARIOS: AUTOMATIC SPREAD OF SPAM AND PHISHING LINKS  Spammers can automatically post links to increase the popularity ranking of site  Fraudsters can use automation to embed malicious links such as malicious advertisements for drive by download malware attacks AUTOMATIC REGISTRATION OF USER ACCOUNTS  Scripts to automatically register web e-mail accounts in order to authenticate to other services/applications AUTOMATIC EMBEDDING OF COMMANDS  Embedding commands for controlling botnet using RSS feeds, social networking sites AUTOMATIC BUSINESS LOGIC EXPLOITS  Automatically bid on items to increase prices, resource exhaustion of available seats, buy and resale tickets  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2007-65: Botnet to manipulate Facebook
OWASP Vulnerability Root Cause Analysis
OWASP WASC Classification of Root Causes Of Web 2.0 Vulnerabilities 1. USER GENERATED CONTENT Ability of consumers to add and update their own content 2. MASHUPS & WEB SERVICES Aggregation of data on the desktop through mashups and web services 3. DATA CONVERGENCE No boundary between private and public information 4. DIVERSITY OF CLIENT SOFTWARE Data and software functions available across many different technologies and environments 5. COMPLEXITY & ASYNCHRONOUS OPERATION Increased user interaction, integration APIs lead to complexity one of which is AJAX
OWASP Summary of Top Web 2.0 Security Threats VULNERABILITY EXPLOIT SCENARIO WEB 2.0 ROOT CAUSES V1: INSUFFICIENT AUTHENTICATION CONTROLS V1.1 WEAK PASSWORDS V1.2 INSUFFICIENT ANTI-BRUTE FORCE CONTROLS V1.3 CLEAR TEXT PASSWORDS V1.4 SINGLE-SIGN-ON W1 – User contributed content W2 – Mashups, W4 – Diversity of client software, W5 - Complexity V2: CROSS SITE SCRIPTING (XSS) V2.1 INSUFFICIENT LIMITS ON USER INPUT W1 – User contributed content V3: CROSS SITE REQUEST FORGERY (CSRF) V3.1 CREDENTIAL SHARING BETWEEN GADGETS V3.2 CSRF USING AJAX REQUESTS V3.3 LENGTHY SESSIONS W5 - Complexity & Asynchronous Operation W2 – Mashups, W4 – Diversity of client software V4: PHISHING V4.1 PHONY WIDGETS V4.2 PHONY CONTENT USED FOR PHISHING V4.3 XSS EXPLOITED FOR PHISHING W2 – Mashups, W4 – Diversity of client software W1 – User Contributed Content V5:INFORMATION LEAKAGE V5.1 SENSITIVE INFORMATION POSTED TO WEB 2.0 SITES V5.2 INFORMATION AGGREGATION IN SOCIAL NETWORKS V5.3 EASY RETRIEVAL OF INFORMATION THROUGH WEB SERVICES W1 – User contributed content W3 – Consumer and enterprise worlds convergence) W4 – Mashups & Web Services V6: INJECTION FLAWS V6.1 XML INJECTION V6.2 XPATH INJECTION V6.3 JSON INJECTION W4 – Mashups & Web Services, W5: Complexity & Asynchronous Operation V7:INFORMATION INTEGRITY V7.1 AUTHENTICATED USERS PUBLISH FRAUDULENT INFORMATION W1 – User contributed content V8:INSUFFICIENT ANTI- AUTOMATION V8.1 WEB SPAM V8.2 AUTOMATIC OPENING OF USER ACCOUNTS V8.3 UNFAIR ADVANTAGE ON SITE W1 – User contributed content W2 – Mashup & Web Services Source www.secure-enterprise2.0.org
OWASP 20 Building Secure Web 2.0 Applications
OWASP Making Application Security Visible…
OWASP Web 2.0 Security Engineering Essential Steps 1. Document Security Standards For Web 2.0 Document Web 2.0 technology security requirements (e.g. AJAX, FLASH) and enforce them at the beginning of the SDLC 2. Conduct Application Threat Modeling during design Examine the architecture of Web 2.0 application and all tiers for secure design of authentication-session management, authorizations, input validation, error handling-logging 3. Perform Secure Code Reviews On Web 2.0 Components/Frameworks Assure source code adherence to security coding standards Identify security bugs in both client (e.g. Widgets, AJAX) as well as servers (e.g. Web services, SOA) 4. Security test Web 2.0 components Security test cases for AJAX and Web Services, use the OWASP test guide test cases 5. Assess the whole Web. 2.0 applications for vulnerabilities Conduct final vulnerability assessment on whole Web 2.0 application (e.g. test for OWASP T10, WASC, SANS-25 vulnerabilities)
OWASP Security Touch Points For Web 2.0 using AGILE SDLC STEP 5: Final Web 2.0 Vulnerability Assessment Security Sprint Reviews STEP 4: Security Tests For Web 2.0 Components 1. Iteration Planning Meeting 2. Begin Sprint # Requirements Iteration # 3. SPRINT Initiation, Design Discussion 4. Review Use Cases and Storyboard 5. Build & Deploy Prototype 6. Demo Prototype & Gather FeedBack 7. Incorporate F/B & Continue Development (iter #N) 8. Incremental Integrated System Tests 9. User Acceptance Testing (No Iteraction) 10. Release STEP 3: Secure Code Reviews @ End of Each Sprint STEP 1: Incorporate Web.20 Security Requirements STEP 2: Secure Architecture Reviews/Threat Modeling
OWASP Secure Architecting AJAX In Web 2.0 Applications Client side business logic/state Backends Servces accessible from untrusted callers without server side security enforcements ESB can only be called by trusted internal systems AJAX endpoint call backend directly Secure Communications Authentication & session Management, Access Controls Input validations Error Handling/Logging AJAX call associated with active sessions/ server side
OWASP Secure Code Reviews Of Web 2.0 Applications
OWASP “TOP 10” Secure Coding Requirements for AJAX 1. Validate data on the server side for all data entry points and URLs of AJAX calls for code injection vulnerabilities such as Javascript injection, JSON injection, DOM injection, XML injection. Use JSON.parse to parse objects before calling eval() if used 2. Make sure business logic is enforced on the server not by client side logic ! using server parameters 3. Validate a well formatted XML against allowed specification of values at server side 4. Enforce authentication before any XMLHTTPRequest (XHR) session. 5. Enforce authorization checks on data accessed through XHR 6. Add token to the URL and verify at server side for CSRF vulnerabilities via forging of dynamic script tags. 7. Do not store or cache sensitive data on the client such as passwords, sessionIDs, client javascript, Flash local shared object and Mozilla’s DOM storage 8. Avoid using dynamic <script> tags since there is no opportunity for data validation before execution 9. Always use POST method to send request as default 10. Do not use javascript alert() for error handling
OWASP Secure Testing Web 2.0 Client and Server Components
OWASP 28 Web 2.O Risk Management
OWASP OWASP Risk Framework (used in OWASP T10)
OWASP Potential Web. 2.0 Attack Vectors And Targets XML, JSON Injections JS Injection XSS, Malware Broken Auth and Session Mgmt DOM XSS CSRF Phishing, Drive by Download Information Disclosure & Integrity Information Disclosure, DDOS XPATH & SQL injection
OWASP Web 2.0 Application Risk Framework Threat Agents Misuses and Attack Vectors Security Weaknesses Security Controls/ Countermeasures Technical Impacts Business Impacts Web 2.0 Users, Customers/ Employees User shares private/confidential information, agents post confidential information Inherent weaknesses in controlling user contributed content in social networks, blogs, IMs, private emails Web 2.0 Social Networking Security Policies, Compliance, Monitoring, filtering, archiving, approval workflow for social site posts Loss of sensitive/ confidential data Reputation loss. Unlawful compliance fines Malicious Users, Fraudsters Victim is targeted by phishing, download of phony widgets, clicking on malicious POSTS Social Engineering, Web 2.0 Vulnerabilities: XSS Consumer Education, Data Filtering, escape all un- trusted data based on HTML content Execute JS on client, install malware Fraud, financial losses, reputation loss/defacements Malicious Users, Fraudsters Attacker sends malicious data to the application’s interfaces Web 2.0 Input Validation Vulnerabilities: XPATH injection, XML injection, JSON injection Filtering, parameterized API, ESAPI filtering APIs, white-list validations Loss of data, data alteration, denial of service/access Public disclosure of XSS- Reputation damage Malicious Users, Fraudsters Attacker uses leaks or flaws in the authentication or session management functions Web 2.0 Broken Auth and Session Mgmt Vulnerabilities Follow Security Requirements For Secure Password Policies, Implement Locking, Disable “Auto-logons” Unauthorized access to data, functions Loss of CIA, legal and financial implications Fraudsters Attacker creates forged HTTP requests and tricks a victim into submitting them We 2.0 Cross Site Request Forgery Vulnerabilities Include the unique token in a hidden field. Can change data and functions on behalf of the user Loss of CIA, fraud, denial of access Automated Scripts/ Spam Bots Application post links, create accounts, game the application Insufficient Anti- Automation Include CAPTCHA, ESAPI intrusion detection APIs Can overflow process with spam, Enumerations Business Disruptions/losse s, reputational damage
OWASP Web 2.0 Business App Example: Twitter  Company’s Customer Support offers help through twitter’s help account, Bank Of America Example
OWASP Managing Risks of Company’s Twitter  Twitter Application Security Vulnerabilities Landing page for selecting twitter might be vulnerable to web 2.0 vulnerabilities  Countermeasure: Require a scan of web 2.0 vulnerabilities of the landing page hosting the link to twitter Use of AJAX might introduce new source code vulnerabilities  Countermeasure: Validate existence of filtering for sanitization of malicious characters for XSS, XPATH, XML injection and mitigation of CSRF, sufficient anti-automation controls  Countermeasure: Validate compliance of source code with AJAX secure coding standards
OWASP Managing Risks of Company’s Twitter  Twitter Information Security And Compliance Risks Customers can disclose confidential information by micro blogging to twitter’s company account  Countermeasure : Ask the user not to enter anything sensitive such as PII, SSN ACC# but his phone number Company is not liable for user’s content posted to third party twitter and for twitter vulnerabilities  Countermeasure : Once the customer selects to go to twitter he will be presented a speed bump with notice of release of liability to user and to twitter Content shared between enterprise customer support representatives (twitter agents) can leak customer’s confidential information such as PII, ACC#  Countermeasure : use a content enterprise social filtering and monitoring tool, agents moderate the content that is posted on twitter
OWASP 35 Q U E S T I O N S A N S W E R S
OWASP Thanks for listening, further references  Ajax and Other "Rich" Interface Technologies http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Int erface_Technologies  Vulnerability Scanners for Flash Components http://www.owasp.org/index.php/Category:OWASP_Flash_Security_ Project  Web Application Vulnerability Scanners http://samate.nist.gov/index.php/Web_Application_Vulnerability_Sca nners.html  Facebook Outs Hacker Krillos http://threatpost.com/en_us/blogs/facebook-outs-hacker-kirllos- 051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+ Topics&utm_campaign=Web+Application+Security 36
OWASP Further references con’t  Facebook Now Trending As Phishing Target http://threatpost.com/en_us/blogs/facebook-now-trending- phishing-target- 051310?utm_source=Recent+Articles&utm_medium=Left+Sideba r+Topics&utm_campaign=Web+Application+Security  Botnet Herders Can Command Via Twitter http://threatpost.com/en_us/blogs/botnet-herders-can-now- command-twitter- 051310?utm_source=Recent+Articles&utm_medium=Left+Sideba r+Topics&utm_campaign=Web+Application+Security  OWASP TOP 10 Risks http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Pro ject  Guide to Twitter Compliance http://insights.socialware.com/ 37
OWASP Further references con’t  Web 2.0 Top 10 Web 2.0 Attack Vectors http://www.net-security.org/article.php?id=949&p=4  Defending against the worst web based application vulnerabilities of 2010 http://www.slideshare.net/shreeraj/web-attacks-top-threats-2010  Security Concerns Hinder Adoption of Web 2.0 and Social Networking in Business http://investor.mcafee.com/releasedetail.cfm?ReleaseID=511103  Web 2.0 a Top Security Threat in 2010, Survey Finds http://pr.webroot.com/threat-research/ent/web-2- security-survey-170210.html 38

Recommandé

Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services SecurityMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoatZakaria SMAHI
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Attques web
Attques webAttques web
Attques webTarek MOHAMED
 

Recommandé

Owasp Forum Web Services Security
Owasp Forum Web Services SecurityOwasp Forum Web Services Security
Owasp Forum Web Services SecurityMarco Morana
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesMarco Morana
 
Owasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesOwasp Top 10 And Security Flaw Root Causes
Owasp Top 10 And Security Flaw Root CausesMarco Morana
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Owasp webgoat
Owasp webgoatOwasp webgoat
Owasp webgoatZakaria SMAHI
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Top 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTop 10 Web Application vulnerabilities
Top 10 Web Application vulnerabilitiesTerrance Medina
 
Attques web
Attques webAttques web
Attques webTarek MOHAMED
 
OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
OWASP
OWASPOWASP
OWASPgehad hamdy
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 JagjitJagjit Singh Brar
 
Owasp web security
Owasp web securityOwasp web security
Owasp web securityPankaj Kumar Sharma
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10YasserElsnbary
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
Threat modeling driven security testing
Threat modeling driven security testingThreat modeling driven security testing
Threat modeling driven security testingPaúl Sn
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10Shivam Porwal
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
4.Xss
4.Xss4.Xss
4.Xssphanleson
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NETDaniel Krasnokucki
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Web 2.0 Ethics
Web 2.0 EthicsWeb 2.0 Ethics
Web 2.0 EthicsThe New School
 
Pros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 toolsPros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 toolsprayslide
 

Contenu connexe

Tendances

OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1Telefónica
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANSamvel Gevorgyan
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementNikola Milosevic
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsCenzic
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011Samvel Gevorgyan
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Tom Eston
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awarenessJanagi Kannan
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System SecuritySamvel Gevorgyan
 
Threat modeling driven security testing
Threat modeling driven security testingThreat modeling driven security testing
Threat modeling driven security testingPaúl Sn
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 nat page
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Brian Huff
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 

Tendances (20)

OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1OWASP TOP TEN 2017 RC1
OWASP TOP TEN 2017 RC1
 
OWASP
OWASPOWASP
OWASP
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYANBEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
 
OWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session managementOWASP Serbia - A3 broken authentication and session management
OWASP Serbia - A3 broken authentication and session management
 
Security in the cloud protecting your cloud apps
Security in the cloud protecting your cloud appsSecurity in the cloud protecting your cloud apps
Security in the cloud protecting your cloud apps
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
 
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
Don't Drop the SOAP: Real World Web Service Testing for Web Hackers
 
OWASP -Top 5 Jagjit
OWASP -Top 5 JagjitOWASP -Top 5 Jagjit
OWASP -Top 5 Jagjit
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Owasp top 10
Owasp top 10Owasp top 10
Owasp top 10
 
Content Management System Security
Content Management System SecurityContent Management System Security
Content Management System Security
 
Threat modeling driven security testing
Threat modeling driven security testingThreat modeling driven security testing
Threat modeling driven security testing
 
Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011 Web Application Security Guide by Qualys 2011
Web Application Security Guide by Qualys 2011
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
4.Xss
4.Xss4.Xss
4.Xss
 
OWASP TOP 10 & .NET
OWASP TOP 10 & .NETOWASP TOP 10 & .NET
OWASP TOP 10 & .NET
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 

En vedette

Pros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 toolsPros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 toolsprayslide
 
Understanding risk analysis and risk management with net zealous llc services...
Understanding risk analysis and risk management with net zealous llc services...Understanding risk analysis and risk management with net zealous llc services...
Understanding risk analysis and risk management with net zealous llc services...NetZealous LLC
 
Mba 1 me u 4 profit management & risk analysis
Mba 1 me u 4 profit management & risk analysisMba 1 me u 4 profit management & risk analysis
Mba 1 me u 4 profit management & risk analysisRai University
 
Risk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongRisk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongBCM Institute
 
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)S. L. Faisal
 
Risk Analysis & Risk Management
Risk Analysis & Risk ManagementRisk Analysis & Risk Management
Risk Analysis & Risk ManagementGrafic.guru
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of ViewBob Sanders
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentAndris Soroka
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Denim Group
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Marco Morana
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsMarco Morana
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014m1splacedsoul
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organizationAntonio Fontes
 
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panoramanfteodoro
 
Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspectivehong_nona
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1Bryan Cline, Ph.D.
 

En vedette (20)

Web 2.0 Ethics
Web 2.0 EthicsWeb 2.0 Ethics
Web 2.0 Ethics
 
Pros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 toolsPros and Cons of Web 2.0 tools
Pros and Cons of Web 2.0 tools
 
Understanding risk analysis and risk management with net zealous llc services...
Understanding risk analysis and risk management with net zealous llc services...Understanding risk analysis and risk management with net zealous llc services...
Understanding risk analysis and risk management with net zealous llc services...
 
Mba 1 me u 4 profit management & risk analysis
Mba 1 me u 4 profit management & risk analysisMba 1 me u 4 profit management & risk analysis
Mba 1 me u 4 profit management & risk analysis
 
Risk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy WongRisk Analysis In Business Continuity Management - Jeremy Wong
Risk Analysis In Business Continuity Management - Jeremy Wong
 
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)
Reaching the Users Where They Are: Web 2.0 Tools for Libraries (Library 2.0)
 
Risk Analysis & Risk Management
Risk Analysis & Risk ManagementRisk Analysis & Risk Management
Risk Analysis & Risk Management
 
SDLC Transformation-Point of View
SDLC Transformation-Point of ViewSDLC Transformation-Point of View
SDLC Transformation-Point of View
 
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk EnvironmentDSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
DSS ITSEC 2013 Conference 07.11.2013 - Security in High Risk Environment
 
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
Giving your AppSec program the edge - using OpenSAMM for benchmarking and sof...
 
Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1Owasp atlanta-ciso-guidevs1
Owasp atlanta-ciso-guidevs1
 
Software Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity ModelsSoftware Security Initiative And Capability Maturity Models
Software Security Initiative And Capability Maturity Models
 
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
BSIMM and Security Initiative Improvement @OWASPNoVA 02/06/2014
 
Securing your web apps before they hurt the organization
Securing your web apps before they hurt the organizationSecuring your web apps before they hurt the organization
Securing your web apps before they hurt the organization
 
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web PanoramaWeb Applications Security Assessment In The Portuguese World Wide Web Panorama
Web Applications Security Assessment In The Portuguese World Wide Web Panorama
 
Web 2.0 Opportunities and Risks
Web 2.0 Opportunities and RisksWeb 2.0 Opportunities and Risks
Web 2.0 Opportunities and Risks
 
Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective Washington Mutual Bank's Collapse Under An Audit Perspective
Washington Mutual Bank's Collapse Under An Audit Perspective
 
Risk management
Risk managementRisk management
Risk management
 
UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1UoF - HITRUST & Risk Analysis v1
UoF - HITRUST & Risk Analysis v1
 
Lan & Wan
Lan & WanLan & Wan
Lan & Wan
 

Similaire à Web 2.0 threats, vulnerability analysis,secure web 2.0 application development and risk management

4163A - What is Web 2.0.ppt
4163A - What is Web 2.0.ppt4163A - What is Web 2.0.ppt
4163A - What is Web 2.0.pptMatthew Perrins
 
Web 2 0 Ppt
Web 2 0 PptWeb 2 0 Ppt
Web 2 0 Pptrsyokesh
 
Web2.0 Oakley 10 Jun07
Web2.0 Oakley 10 Jun07Web2.0 Oakley 10 Jun07
Web2.0 Oakley 10 Jun07burkso2
 
Web2.0 Ajax and REST in WebSphere Portal
Web2.0 Ajax and REST in WebSphere PortalWeb2.0 Ajax and REST in WebSphere Portal
Web2.0 Ajax and REST in WebSphere PortalMunish Gupta
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxrichardnorman90310
 
Ajax, rss, feeds, web service,
Ajax, rss, feeds, web service, Ajax, rss, feeds, web service,
Ajax, rss, feeds, web service, jmradha krishnan
 

Similaire à Web 2.0 threats, vulnerability analysis,secure web 2.0 application development and risk management (20)

4163A - What is Web 2.0.ppt
4163A - What is Web 2.0.ppt4163A - What is Web 2.0.ppt
4163A - What is Web 2.0.ppt
 
Web 2 0 Ppt
Web 2 0 PptWeb 2 0 Ppt
Web 2 0 Ppt
 
Web 2 0 Ppt
Web 2 0 PptWeb 2 0 Ppt
Web 2 0 Ppt
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web2 0
Web2 0Web2 0
Web2 0
 
Web2.0
Web2.0Web2.0
Web2.0
 
Web 2.0
Web 2.0 Web 2.0
Web 2.0
 
Web2.0 Oakley 10 Jun07
Web2.0 Oakley 10 Jun07Web2.0 Oakley 10 Jun07
Web2.0 Oakley 10 Jun07
 
Web2.0 Ajax and REST in WebSphere Portal
Web2.0 Ajax and REST in WebSphere PortalWeb2.0 Ajax and REST in WebSphere Portal
Web2.0 Ajax and REST in WebSphere Portal
 
Continuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docxContinuing in your role as a human service provider for your local.docx
Continuing in your role as a human service provider for your local.docx
 
Web 2 0
Web 2 0Web 2 0
Web 2 0
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Ajax, rss, feeds, web service,
Ajax, rss, feeds, web service, Ajax, rss, feeds, web service,
Ajax, rss, feeds, web service,
 
Web 2.0
Web 2.0Web 2.0
Web 2.0
 
Web 2 0
Web 2 0Web 2 0
Web 2 0
 
Web
WebWeb
Web
 

Plus de Marco Morana

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco moranaMarco Morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfMarco Morana
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-finalMarco Morana
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Marco Morana
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_securityMarco Morana
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalMarco Morana
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011Marco Morana
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksMarco Morana
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksMarco Morana
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security InitiativesMarco Morana
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software securityMarco Morana
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementMarco Morana
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security TestingMarco Morana
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security FrameworksMarco Morana
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Marco Morana
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsMarco Morana
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASPMarco Morana
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code ReviewsMarco Morana
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 

Plus de Marco Morana (20)

Is talent shortage ws marco morana
Is talent shortage ws marco moranaIs talent shortage ws marco morana
Is talent shortage ws marco morana
 
Isaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdfIsaca conference threat_modeling_marco_morana_short.pdf
Isaca conference threat_modeling_marco_morana_short.pdf
 
Owasp e crime-london-2012-final
Owasp e crime-london-2012-finalOwasp e crime-london-2012-final
Owasp e crime-london-2012-final
 
Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012Security And Privacy Cagliari 2012
Security And Privacy Cagliari 2012
 
Presentation sso design_security
Presentation sso design_securityPresentation sso design_security
Presentation sso design_security
 
Owasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_finalOwasp security summit_2012_milanovs_final
Owasp security summit_2012_milanovs_final
 
Security Summit Rome 2011
Security Summit Rome 2011Security Summit Rome 2011
Security Summit Rome 2011
 
Risk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware AttacksRisk Analysis Of Banking Malware Attacks
Risk Analysis Of Banking Malware Attacks
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Software Security Initiatives
Software Security InitiativesSoftware Security Initiatives
Software Security Initiatives
 
Business cases for software security
Business cases for software securityBusiness cases for software security
Business cases for software security
 
Security Compliance Web Application Risk Management
Security Compliance Web Application Risk ManagementSecurity Compliance Web Application Risk Management
Security Compliance Web Application Risk Management
 
Web Application Security Testing
Web Application Security TestingWeb Application Security Testing
Web Application Security Testing
 
Software Security Frameworks
Software Security FrameworksSoftware Security Frameworks
Software Security Frameworks
 
Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'Software Open Source, Proprierio, Interoperabilita'
Software Open Source, Proprierio, Interoperabilita'
 
Progetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web ApplicationsProgetti Open Source Per La Sicurezza Delle Web Applications
Progetti Open Source Per La Sicurezza Delle Web Applications
 
Introduction To OWASP
Introduction To OWASPIntroduction To OWASP
Introduction To OWASP
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery Vulnerabilities
 
Secure Code Reviews
Secure Code ReviewsSecure Code Reviews
Secure Code Reviews
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 

Dernier

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesThousandEyes
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Dernier (20)

So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyesAssure Ecommerce and Retail Operations Uptime with ThousandEyes
Assure Ecommerce and Retail Operations Uptime with ThousandEyes
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

Web 2.0 threats, vulnerability analysis,secure web 2.0 application development and risk management

  • 1. Copyright © 2010 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License. The OWASP Foundation OWASP http://www.owasp.org Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications Marco Morana OWASP Cincinnati Chapter, November 2010 Meeting
  • 3. OWASP 3 Agenda For Today’s Presentation 1. The Evolution of Web 2.0 2. Web 2.0 Vulnerability Analysis 3. Building Secure Web 2.0 Applications 4. Web 2.0 Risk Management
  • 4. OWASP 4 The Evolution of the Internet to Web 2.0
  • 5. OWASP General Web 2.0 Background 5  Can be defined as: “Web applications that facilitate interactive information sharing and collaboration, interoperability, and user-centered design on the World Wide Web” … the main characteristics of web 2.0 are: 1. Encourage user’s participation and collaboration through a virtual community of social networks/sites. Users can and add and update their own content, examples include Twitter and social networks such as Facebook, Myspace, LinkedIn, YouTube 2. Transcend from the technology/frameworks used AJAX, Adobe AIR, Flash, Flex, Dojo, Google Gears and others 3. Combine and aggregate data and functionality from different applications and systems, example include “mashups” as aggregators of client functionality provided by different in-house developed and/or third party services (e.g. web services, SaaS)
  • 6. OWASP Web 2.0 As Evolution of Human Knowledge Source http://digigogy.blogspot.com/2009/02/digital-blooms-visual.html
  • 7. OWASP Web 2.0 As Adoption By Businesses 7
  • 8. OWASP How Web 2.0 Changes The Threat Landscape  Web 1.0 threats are amplified by the intrinsic nature of Web 2.0 such as expanded interaction model and use of both old and new Web 2.0 technologies, examples: Social networks as target for attack users with malware, FaceBook is 350 Million users ! Web 2.0 prone to Web 1.0 vulnerabilities such as XSS, CSRF, Phishing, Injection Flaws  Web 2.0 enable more effective attacks because of sharing and integration between disparate systems, examples are: Complexity of integration of different technologies and services, front-end/client and back-end/server Rich client interfaces increase the attack surface and the likelihood of business logic attacks  Social networks facilitate information disclosure of confidential PII, examples are: Abuse of user’s trust first-verify model by attackers Sharing data model breaks boundaries of confidentiality, not clear boundaries between private vs. public, personal life vs. professional life
  • 9. OWASP Web 2.O: Old Vulnerabilities And New Exploit Scenarios
  • 10. OWASP 10 Web 2.O Vulnerabilities
  • 11. OWASP Top 50 WASC Threats and Top 10 OWASP Risks Especially Impacting Web 2.0
  • 12. OWASP WASC-23 XML INJECTION, WASC-29 XPATH INJECTION, OWASP A1: INJECTION FLAWS  WEB 2.0 EXPLOIT SCENARIOS: XML INJECTION/POISONING  User-supplied input is inserted into XML without sufficient validation affecting the structure of the XML record and the tags (and not just content) XPATH INJECTION  XPath injection is an attack to alter an XML query to achieve the attacker’s goals JSON INJECTION  An attacker can force execution of malicious code by injecting malicious JavaScript code into the JSON (JavaScript Object Notation structure) on the client. RSS FEED INJECTION  RSS feeds can consume un-trusted sources injected with XSS  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2008-47: The Federal Suppliers Guide validates login credential in JavaScript -
  • 13. OWASP WASC-08/OWASP A2: CROSS SITE SCRIPTING (XSS)  WEB 2.0 EXPLOIT SCENARIOS: INSUFFICIENT LIMITS ON USER INPUT  Users are allowed to enter HTML data that can be potentially malicious (e.g. while creating contents such as networks, blogs or wikis)  Users have extensive control over user content including unsafe HTML tags that can be abused for XSS INSUFFICIENT FILTERING FOR XSS DOM  XSS exposure is increased for Web 2.0 especially for XSS DOM since is used in RIA written in FLASH or Silverlight, Mashups and Widgets using DOM  AJAX increases the entry points for potential XSS injections  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2008-32: Yahoo HotJobs XSS  Hackers exploiting an XSS vulnerability on Yahoo HotJobs to steal session cookies of victims
  • 14. OWASP WASC-01: INSUFFICIENT AUTHENTICATION OWASP-A3: BROKEN AUTHENTICATION AND SESSION MANAGEMENT  WEB 2.0 EXPLOIT SCENARIOS: WEAK PASSWORDS  User choice of simple-to-guess passwords and trivial password-reminder questions set by on-line site contributors CLEAR TEXT PASSWORDS  Password stored in AJAX Widgets/Mashups sent and stored in clear outside the control of the host INSUFFICIENT PASSWORD MANAGEMENT CONTROLS  Password recovery/reminders not protected from brute force attacks SINGLE-SIGN-ON DESIGN FLAWS  Passwords stored in personalized homepage and in the desktop widget as “autologon feature” or in the cloud to SSO from the desktop  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2009-2: Twitter Accounts of the Famous Hacked
  • 15. OWASP WASC-09/OWASP A5: CROSS SITE REQUEST FORGERY (CSRF)  WEB 2.0 EXPLOIT SCENARIOS: CSRF USING AJAX REQUESTS  XHR calls enable invisible queries of a web application by the client that user cannot visually validate for forgery INSUFFICIENT BROWSER ENFORCEMENT OF SINGLE ORIGIN POLICY  Desktop widgets do not have the same SOA protection as browser applications and faciilitate CSRF WEAK SESSION MANAGEMENT  Session expiration times are typically quite high, increasing the risk of session base attacks such as CSRF  Persistent session cookies are shared by Widgets increase the opportunities for CSRF attacks  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2009-4: Twitter Personal Info CSRF -By exploiting a CSRF bug in Twitter, site owners can get Twitter profiles of their visitors.
  • 16. OWASP WASC-21: INSUFFICIENT ANTI-AUTOMATION  WEB 2.0 EXPLOIT SCENARIOS: AUTOMATIC SPREAD OF SPAM AND PHISHING LINKS  Spammers can automatically post links to increase the popularity ranking of site  Fraudsters can use automation to embed malicious links such as malicious advertisements for drive by download malware attacks AUTOMATIC REGISTRATION OF USER ACCOUNTS  Scripts to automatically register web e-mail accounts in order to authenticate to other services/applications AUTOMATIC EMBEDDING OF COMMANDS  Embedding commands for controlling botnet using RSS feeds, social networking sites AUTOMATIC BUSINESS LOGIC EXPLOITS  Automatically bid on items to increase prices, resource exhaustion of available seats, buy and resale tickets  WEB 2.0 KNOWN INCIDENT EXAMPLE: WHID 2007-65: Botnet to manipulate Facebook
  • 18. OWASP WASC Classification of Root Causes Of Web 2.0 Vulnerabilities 1. USER GENERATED CONTENT Ability of consumers to add and update their own content 2. MASHUPS & WEB SERVICES Aggregation of data on the desktop through mashups and web services 3. DATA CONVERGENCE No boundary between private and public information 4. DIVERSITY OF CLIENT SOFTWARE Data and software functions available across many different technologies and environments 5. COMPLEXITY & ASYNCHRONOUS OPERATION Increased user interaction, integration APIs lead to complexity one of which is AJAX
  • 19. OWASP Summary of Top Web 2.0 Security Threats VULNERABILITY EXPLOIT SCENARIO WEB 2.0 ROOT CAUSES V1: INSUFFICIENT AUTHENTICATION CONTROLS V1.1 WEAK PASSWORDS V1.2 INSUFFICIENT ANTI-BRUTE FORCE CONTROLS V1.3 CLEAR TEXT PASSWORDS V1.4 SINGLE-SIGN-ON W1 – User contributed content W2 – Mashups, W4 – Diversity of client software, W5 - Complexity V2: CROSS SITE SCRIPTING (XSS) V2.1 INSUFFICIENT LIMITS ON USER INPUT W1 – User contributed content V3: CROSS SITE REQUEST FORGERY (CSRF) V3.1 CREDENTIAL SHARING BETWEEN GADGETS V3.2 CSRF USING AJAX REQUESTS V3.3 LENGTHY SESSIONS W5 - Complexity & Asynchronous Operation W2 – Mashups, W4 – Diversity of client software V4: PHISHING V4.1 PHONY WIDGETS V4.2 PHONY CONTENT USED FOR PHISHING V4.3 XSS EXPLOITED FOR PHISHING W2 – Mashups, W4 – Diversity of client software W1 – User Contributed Content V5:INFORMATION LEAKAGE V5.1 SENSITIVE INFORMATION POSTED TO WEB 2.0 SITES V5.2 INFORMATION AGGREGATION IN SOCIAL NETWORKS V5.3 EASY RETRIEVAL OF INFORMATION THROUGH WEB SERVICES W1 – User contributed content W3 – Consumer and enterprise worlds convergence) W4 – Mashups & Web Services V6: INJECTION FLAWS V6.1 XML INJECTION V6.2 XPATH INJECTION V6.3 JSON INJECTION W4 – Mashups & Web Services, W5: Complexity & Asynchronous Operation V7:INFORMATION INTEGRITY V7.1 AUTHENTICATED USERS PUBLISH FRAUDULENT INFORMATION W1 – User contributed content V8:INSUFFICIENT ANTI- AUTOMATION V8.1 WEB SPAM V8.2 AUTOMATIC OPENING OF USER ACCOUNTS V8.3 UNFAIR ADVANTAGE ON SITE W1 – User contributed content W2 – Mashup & Web Services Source www.secure-enterprise2.0.org
  • 20. OWASP 20 Building Secure Web 2.0 Applications
  • 22. OWASP Web 2.0 Security Engineering Essential Steps 1. Document Security Standards For Web 2.0 Document Web 2.0 technology security requirements (e.g. AJAX, FLASH) and enforce them at the beginning of the SDLC 2. Conduct Application Threat Modeling during design Examine the architecture of Web 2.0 application and all tiers for secure design of authentication-session management, authorizations, input validation, error handling-logging 3. Perform Secure Code Reviews On Web 2.0 Components/Frameworks Assure source code adherence to security coding standards Identify security bugs in both client (e.g. Widgets, AJAX) as well as servers (e.g. Web services, SOA) 4. Security test Web 2.0 components Security test cases for AJAX and Web Services, use the OWASP test guide test cases 5. Assess the whole Web. 2.0 applications for vulnerabilities Conduct final vulnerability assessment on whole Web 2.0 application (e.g. test for OWASP T10, WASC, SANS-25 vulnerabilities)
  • 23. OWASP Security Touch Points For Web 2.0 using AGILE SDLC STEP 5: Final Web 2.0 Vulnerability Assessment Security Sprint Reviews STEP 4: Security Tests For Web 2.0 Components 1. Iteration Planning Meeting 2. Begin Sprint # Requirements Iteration # 3. SPRINT Initiation, Design Discussion 4. Review Use Cases and Storyboard 5. Build & Deploy Prototype 6. Demo Prototype & Gather FeedBack 7. Incorporate F/B & Continue Development (iter #N) 8. Incremental Integrated System Tests 9. User Acceptance Testing (No Iteraction) 10. Release STEP 3: Secure Code Reviews @ End of Each Sprint STEP 1: Incorporate Web.20 Security Requirements STEP 2: Secure Architecture Reviews/Threat Modeling
  • 24. OWASP Secure Architecting AJAX In Web 2.0 Applications Client side business logic/state Backends Servces accessible from untrusted callers without server side security enforcements ESB can only be called by trusted internal systems AJAX endpoint call backend directly Secure Communications Authentication & session Management, Access Controls Input validations Error Handling/Logging AJAX call associated with active sessions/ server side
  • 25. OWASP Secure Code Reviews Of Web 2.0 Applications
  • 26. OWASP “TOP 10” Secure Coding Requirements for AJAX 1. Validate data on the server side for all data entry points and URLs of AJAX calls for code injection vulnerabilities such as Javascript injection, JSON injection, DOM injection, XML injection. Use JSON.parse to parse objects before calling eval() if used 2. Make sure business logic is enforced on the server not by client side logic ! using server parameters 3. Validate a well formatted XML against allowed specification of values at server side 4. Enforce authentication before any XMLHTTPRequest (XHR) session. 5. Enforce authorization checks on data accessed through XHR 6. Add token to the URL and verify at server side for CSRF vulnerabilities via forging of dynamic script tags. 7. Do not store or cache sensitive data on the client such as passwords, sessionIDs, client javascript, Flash local shared object and Mozilla’s DOM storage 8. Avoid using dynamic <script> tags since there is no opportunity for data validation before execution 9. Always use POST method to send request as default 10. Do not use javascript alert() for error handling
  • 27. OWASP Secure Testing Web 2.0 Client and Server Components
  • 28. OWASP 28 Web 2.O Risk Management
  • 29. OWASP OWASP Risk Framework (used in OWASP T10)
  • 30. OWASP Potential Web. 2.0 Attack Vectors And Targets XML, JSON Injections JS Injection XSS, Malware Broken Auth and Session Mgmt DOM XSS CSRF Phishing, Drive by Download Information Disclosure & Integrity Information Disclosure, DDOS XPATH & SQL injection
  • 31. OWASP Web 2.0 Application Risk Framework Threat Agents Misuses and Attack Vectors Security Weaknesses Security Controls/ Countermeasures Technical Impacts Business Impacts Web 2.0 Users, Customers/ Employees User shares private/confidential information, agents post confidential information Inherent weaknesses in controlling user contributed content in social networks, blogs, IMs, private emails Web 2.0 Social Networking Security Policies, Compliance, Monitoring, filtering, archiving, approval workflow for social site posts Loss of sensitive/ confidential data Reputation loss. Unlawful compliance fines Malicious Users, Fraudsters Victim is targeted by phishing, download of phony widgets, clicking on malicious POSTS Social Engineering, Web 2.0 Vulnerabilities: XSS Consumer Education, Data Filtering, escape all un- trusted data based on HTML content Execute JS on client, install malware Fraud, financial losses, reputation loss/defacements Malicious Users, Fraudsters Attacker sends malicious data to the application’s interfaces Web 2.0 Input Validation Vulnerabilities: XPATH injection, XML injection, JSON injection Filtering, parameterized API, ESAPI filtering APIs, white-list validations Loss of data, data alteration, denial of service/access Public disclosure of XSS- Reputation damage Malicious Users, Fraudsters Attacker uses leaks or flaws in the authentication or session management functions Web 2.0 Broken Auth and Session Mgmt Vulnerabilities Follow Security Requirements For Secure Password Policies, Implement Locking, Disable “Auto-logons” Unauthorized access to data, functions Loss of CIA, legal and financial implications Fraudsters Attacker creates forged HTTP requests and tricks a victim into submitting them We 2.0 Cross Site Request Forgery Vulnerabilities Include the unique token in a hidden field. Can change data and functions on behalf of the user Loss of CIA, fraud, denial of access Automated Scripts/ Spam Bots Application post links, create accounts, game the application Insufficient Anti- Automation Include CAPTCHA, ESAPI intrusion detection APIs Can overflow process with spam, Enumerations Business Disruptions/losse s, reputational damage
  • 32. OWASP Web 2.0 Business App Example: Twitter  Company’s Customer Support offers help through twitter’s help account, Bank Of America Example
  • 33. OWASP Managing Risks of Company’s Twitter  Twitter Application Security Vulnerabilities Landing page for selecting twitter might be vulnerable to web 2.0 vulnerabilities  Countermeasure: Require a scan of web 2.0 vulnerabilities of the landing page hosting the link to twitter Use of AJAX might introduce new source code vulnerabilities  Countermeasure: Validate existence of filtering for sanitization of malicious characters for XSS, XPATH, XML injection and mitigation of CSRF, sufficient anti-automation controls  Countermeasure: Validate compliance of source code with AJAX secure coding standards
  • 34. OWASP Managing Risks of Company’s Twitter  Twitter Information Security And Compliance Risks Customers can disclose confidential information by micro blogging to twitter’s company account  Countermeasure : Ask the user not to enter anything sensitive such as PII, SSN ACC# but his phone number Company is not liable for user’s content posted to third party twitter and for twitter vulnerabilities  Countermeasure : Once the customer selects to go to twitter he will be presented a speed bump with notice of release of liability to user and to twitter Content shared between enterprise customer support representatives (twitter agents) can leak customer’s confidential information such as PII, ACC#  Countermeasure : use a content enterprise social filtering and monitoring tool, agents moderate the content that is posted on twitter
  • 35. OWASP 35 Q U E S T I O N S A N S W E R S
  • 36. OWASP Thanks for listening, further references  Ajax and Other "Rich" Interface Technologies http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Int erface_Technologies  Vulnerability Scanners for Flash Components http://www.owasp.org/index.php/Category:OWASP_Flash_Security_ Project  Web Application Vulnerability Scanners http://samate.nist.gov/index.php/Web_Application_Vulnerability_Sca nners.html  Facebook Outs Hacker Krillos http://threatpost.com/en_us/blogs/facebook-outs-hacker-kirllos- 051310?utm_source=Recent+Articles&utm_medium=Left+Sidebar+ Topics&utm_campaign=Web+Application+Security 36
  • 37. OWASP Further references con’t  Facebook Now Trending As Phishing Target http://threatpost.com/en_us/blogs/facebook-now-trending- phishing-target- 051310?utm_source=Recent+Articles&utm_medium=Left+Sideba r+Topics&utm_campaign=Web+Application+Security  Botnet Herders Can Command Via Twitter http://threatpost.com/en_us/blogs/botnet-herders-can-now- command-twitter- 051310?utm_source=Recent+Articles&utm_medium=Left+Sideba r+Topics&utm_campaign=Web+Application+Security  OWASP TOP 10 Risks http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Pro ject  Guide to Twitter Compliance http://insights.socialware.com/ 37
  • 38. OWASP Further references con’t  Web 2.0 Top 10 Web 2.0 Attack Vectors http://www.net-security.org/article.php?id=949&p=4  Defending against the worst web based application vulnerabilities of 2010 http://www.slideshare.net/shreeraj/web-attacks-top-threats-2010  Security Concerns Hinder Adoption of Web 2.0 and Social Networking in Business http://investor.mcafee.com/releasedetail.cfm?ReleaseID=511103  Web 2.0 a Top Security Threat in 2010, Survey Finds http://pr.webroot.com/threat-research/ent/web-2- security-survey-170210.html 38