Web Application Security
Firewalls will not be able to protect you
Akash Mahajan – Chapter Lead for null Bangalore
What should keep you up at night
• 95% of attacks are against "Web Servers and Web Applications", i.e. websites.
• The top three verticals compromised were Financial Services, Hospitality and Retail.
• More than 60% of attacks were caused by external agents.
• The primary attack vector was SQL Injection, which was used to install customized malware.
• Injection attacks are the #1 critical flaw in applications (OWASP Top 10 2010, A1).
Sources: Verizon DBIR 2010, WhiteHat Security statistics, OWASP Top 10 2010
Web App Attacks
• SQL Injection Attacks
• Number plate crafted to foil an automatic license plate scanner!
• An attack in which attacker-controlled input ends up being parsed and executed as SQL by the database.
Web App Attacks
• Bobby Tables! (the xkcd "Exploits of a Mom" comic: a student named Robert'); DROP TABLE Students;--)
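The two injections on these slides, worked through in code. This is an added example, not code from the slides: a throwaway in-memory SQLite database with a hypothetical users/students schema and made-up rows, the same queries built once by string concatenation and once with bound parameters, and the classic `' OR '1'='1` and Bobby Tables inputs fed to both.

```python
"""Added example: SQL injection by string concatenation vs. parameterised queries.

The database, tables and rows below are constructed for this example; the
payloads are the ones referenced on the slides.
"""
import sqlite3

# Constructed sample data (hypothetical users, not real credentials).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Inputs an attacker would type into the login form / registration form.
BYPASS = "' OR '1'='1"
BOBBY = "Robert'); DROP TABLE students;--"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a users table and an empty students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """User input is pasted into the SQL text, so the quote characters change the query."""
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> list:
    """User input is bound as a parameter: it is compared as data, never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


def add_student_vulnerable(conn: sqlite3.Connection, name: str) -> None:
    """Concatenation plus a driver that runs stacked statements: Bobby Tables' scenario.

    executescript() executes every statement in the string, which mirrors database
    drivers that accept several ';'-separated statements in one call.
    """
    conn.executescript("INSERT INTO students (name) VALUES ('%s');" % name)


def add_student_safe(conn: sqlite3.Connection, name: str) -> None:
    """The same insert with a bound parameter: the whole payload becomes one name."""
    conn.execute("INSERT INTO students (name) VALUES (?)", (name,))
    conn.commit()


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row[0] == 1


def students(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM students")]


def demo() -> dict:
    """Run both payloads against both implementations and report what happened."""
    conn = make_db()
    results = {
        # 'alice' AND pw = '' OR '1'='1  ->  WHERE clause is true for every row
        "bypass_vulnerable": login_vulnerable(conn, "alice", BYPASS),
        # the literal string "' OR '1'='1" matches no password
        "bypass_safe": login_safe(conn, "alice", BYPASS),
    }
    add_student_safe(conn, BOBBY)
    results["safe_rows"] = students(conn)          # one odd-looking but harmless row
    add_student_vulnerable(conn, BOBBY)            # INSERT ...; DROP TABLE students;--
    results["table_survives"] = table_exists(conn, "students")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The login bypass needs no stacked statements at all, only a quote character that closes the string literal; the Bobby Tables drop additionally needs a driver that executes more than one statement per call, which is why `executescript()` is used for the vulnerable insert and `execute()` for the safe one.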
Web App Attacks
• XSS was used to get root on an apache.org server in April 2010.
• A popular shopping website that used to sell only books and now sells other stuff as well.
• The inner window is an iframe injected through a simple search request.
Picture courtesy: null Keeda Vulnerability Database
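How the injected iframe in that screenshot gets onto the page, as an added example (not code from the slides or from the site pictured). It assumes a hypothetical search endpoint that reflects the `q` parameter into its results heading; the attacker URL `attacker.invalid` and the page markup are constructed placeholders.

```python
"""Added example: reflected XSS through a search parameter, and the escaping that stops it."""
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload; the hostname is a placeholder, not a real site.
PAYLOAD = '<iframe src="http://attacker.invalid/login" width="400" height="300"></iframe>'


def search_param(url: str) -> str:
    """Extract the `q` query parameter the way a server-side handler would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(query: str) -> str:
    """Reflects the search term into the HTML verbatim: the browser parses the payload as markup."""
    return f"<h1>Results for: {query}</h1>\n<p>No products matched.</p>"


def render_safe(query: str) -> str:
    """Escapes < > & \" ' before reflecting: the payload is shown as text, not executed."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>\n<p>No products matched.</p>"


# Rough detector for the demo: an unescaped <iframe> or <script> start tag in the output.
LIVE_TAG_RE = re.compile(r"<\s*(iframe|script)\b", re.IGNORECASE)


def has_live_tag(markup: str) -> bool:
    return LIVE_TAG_RE.search(markup) is not None


def demo() -> dict:
    """Build the attacker's link, let the 'server' decode it, and render it both ways."""
    url = "http://shop.example/search?q=" + quote(PAYLOAD)   # the link the victim clicks
    q = search_param(url)
    return {
        "decoded_ok": q == PAYLOAD,                      # URL encoding survives the round trip
        "vulnerable": has_live_tag(render_vulnerable(q)),  # iframe is live in the page
        "safe": has_live_tag(render_safe(q)),              # only &lt;iframe ...&gt; text remains
    }


if __name__ == "__main__":
    print(demo())
    print(render_safe(PAYLOAD))
```

Because the payload travels in the URL, it is the victim's own session that loads the iframe; the server never stores anything, which is why log mining (see the mitigations slide) is one of the few places this shows up after the fact.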
Other Critical Flaws/Attacks
• Cross Site Request Forgery
  o Attacks the user of the application
• Clickjacking
  o Facebook "Like" attack
• Security Misconfigurations
  o Default passwords in DSL routers
• Insecure Cryptographic Storage
  o Apache attack
• Tiny URLs
  o Employees trust and click on anything!
Solutions/Mitigations
• Training in secure coding for developers
• Code reviews by competent security folks
• Regular mining of web server logs
• An application security practice
• Awareness about new attacks
• Set up a red team in the company
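What "regular mining of web server logs" can look like in practice, as an added example (not a tool from the slides). It parses Apache combined-format access log lines, URL-decodes the request path, and flags the SQL injection and XSS patterns discussed on the earlier slides plus well-known scanner user agents. The five log lines, IP addresses and hostnames are constructed for the example; the indicator regexes are deliberately simple and will miss obfuscated attacks.

```python
"""Added example: mining access logs for injection attempts."""
import re
from urllib.parse import unquote_plus

# Constructed sample access log (Apache "combined" format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2010:13:55:36 +0530] "GET /search?q=laptop HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2010:13:55:41 +0530] "GET /search?q=%3Ciframe%20src%3D%22http%3A%2F%2Fattacker.invalid%2F%22%3E HTTP/1.1" 200 5312 "-" "Mozilla/5.0"
198.51.100.23 - - [10/May/2010:13:57:02 +0530] "GET /login?user=admin%27%20OR%20%271%27%3D%271&pw=x HTTP/1.1" 302 0 "-" "sqlmap/0.9"
198.51.100.23 - - [10/May/2010:13:57:09 +0530] "GET /item?id=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 0 "-" "sqlmap/0.9"
192.0.2.44 - - [10/May/2010:14:01:15 +0530] "POST /cart HTTP/1.1" 200 210 "http://shop.example/item?id=42" "Mozilla/5.0"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators are matched against the URL-decoded path, so %27 and ' are treated alike.
INDICATORS = [
    ("sqli", re.compile(r"'\s*(or|and)\s+'?\d|union\s+select|--\s*$|;\s*drop\s", re.I)),
    ("xss", re.compile(r"<\s*(script|iframe|img|svg)\b|javascript:|\bon\w+\s*=", re.I)),
]
SCANNER_UA = re.compile(r"sqlmap|nikto|w3af|havij", re.I)


def parse_line(line: str):
    """Return the parsed fields plus a decoded path, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec


def flags_for(rec: dict) -> list:
    """Names of every indicator that fires for one request."""
    flags = [name for name, rx in INDICATORS if rx.search(rec["decoded_path"])]
    if SCANNER_UA.search(rec["ua"]):
        flags.append("scanner-ua")
    return flags


def mine(log_text: str) -> list:
    """Walk the log and keep only the requests that tripped at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        flags = flags_for(rec)
        if flags:
            hits.append({"ip": rec["ip"], "status": rec["status"],
                         "path": rec["decoded_path"], "flags": flags})
    return hits


def suspicious_ips(log_text: str) -> list:
    """Distinct source addresses worth a closer look, sorted for stable output."""
    return sorted({h["ip"] for h in mine(log_text)})


if __name__ == "__main__":
    for hit in mine(SAMPLE_LOG):
        print(f'{hit["ip"]:15} {hit["status"]} {",".join(hit["flags"]):16} {hit["path"]}')
    print("sources:", suspicious_ips(SAMPLE_LOG))
```

Decoding the path before matching matters: the iframe in the second line is entirely percent-encoded in the raw log and would never match a pattern written for literal `<iframe`. The 500 response on the UNION SELECT line is itself a useful signal; errors paired with injection-shaped input are worth more attention than the same input returning 200.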
About null
• null – Indian Open Security Community, null.co.in
• Registered non-profit society
• 5 active chapters in India
• We conduct monthly meetings, regular awareness camps and trainings.
• More than 1000 security professionals and enthusiasts in the group.
• null Keeda Vulnerability Database: http://keeda.nullcon.net
Akash Mahajan
• Chapter Lead of null Bangalore
• Web Security Consultant
• I hack, test and secure web apps and servers
• Help companies become secure on the AWS cloud
• Website: akashm.com
• Email: [email protected] / [email protected]
• Twitter: @makash
• LinkedIn: www.linkedin.com/in/akashm