Web Application Security – Firewalls will not be able to protect you. Akash Mahajan – Chapter Lead for null Bangalore


Page 1: Web application security

Web Application Security
Firewalls will not be able to protect you

Akash Mahajan – Chapter Lead for null Bangalore

Page 2: Web application security

What should keep you up at night

• 95% of attacks are against “Web Servers and Web Applications”, aka websites

• The top 3 verticals compromised were Financial Services, Hospitality and Retail.

• More than 60% of attacks were caused by external agents.

• Primary attack vector was SQL Injection and was used to install customized malware.

• Injection Attacks are #1 critical flaw in applications

Sources: Verizon DBIR 2010, WhiteHat Security Statistics, OWASP Top 10 2010

Page 3: Web application security

Web App Attacks

• SQL Injection Attacks

• A number plate crafted to foil an automatic license plate scanner!

• An attack which allows SQL to be executed as part of the input.

Page 4: Web application security

Web App Attacks

• Bobby Tables!
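To make the two slides above concrete, here is an added example (not from the talk): the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table, with a Bobby-Tables-style input that closes the quoted literal and turns the rest of the input into SQL.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's backing store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade TEXT)")
    conn.executemany(
        "INSERT INTO students VALUES (?, ?)",
        [("Alice", "A"), ("Robert", "B"), ("Chen", "A")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    # The input is pasted into the SQL text, so a quote character in the
    # input ends the string literal and whatever follows is parsed as SQL.
    sql = f"SELECT name FROM students WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # The driver sends the value separately from the statement; it can only
    # ever be compared as data, never parsed as SQL.
    sql = "SELECT name FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed input in the spirit of the Bobby Tables slide: the closing quote
# ends the literal and the OR clause makes the WHERE condition always true.
TAUTOLOGY_INPUT = "Robert' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "Robert"),
        "normal_safe": lookup_parameterized(conn, "Robert"),
        "injected_vuln": lookup_vulnerable(conn, TAUTOLOGY_INPUT),
        "injected_safe": lookup_parameterized(conn, TAUTOLOGY_INPUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated version returns every student for the injected input, while the parameterized version returns nothing because it looks for a student literally named `Robert' OR '1'='1`. Python's sqlite3 `execute()` refuses multi-statement strings, so the original `DROP TABLE` form of the joke fails here; many other drivers and stacked-query setups give no such protection, which is why the fix is the bound parameter, not the driver.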

Page 5: Web application security

Web App Attacks

• XSS was used to get root on an apache.org server in April 2010

• A popular shopping website that used to sell only books and now sells other things as well.

• That inner window is an iframe injected through a simple search request.

Picture courtesy of the null Keeda Vulnerability Database

Page 6: Web application security

Other Critical Flaws/Attacks

• Cross Site Request Forgery
  o Attacks the user of the application

• Clickjacking
  o Facebook Like attack

• Security Mis-configurations
  o Default passwords in DSL routers

• Insecure Cryptographic Storage
  o Apache Attack

• Tiny URLs
  o Employees trust and click on anything!

Page 7: Web application security

Solutions/Mitigations

• Training in Secure Coding for Developers
• Code Reviews by competent security folks
• Regular mining of web server logs
• Application Security Practice
• Awareness about new attacks
• Set up a red team in the company

Page 8: Web application security

About null

• null – Indian Open Security Community, null.co.in
• Registered non-profit society
• 5 active chapters in India
• We conduct monthly meetings, regular awareness camps and trainings.
• More than 1000 security professionals and enthusiasts in the group.
• null Keeda Vulnerability Database: http://keeda.nullcon.net

Page 9: Web application security

Akash Mahajan

• Chapter Lead of null Bangalore
• Web Security Consultant
• I hack, test, secure web apps and servers
• Help companies become secure on AWS cloud
• Website: akashm.com
• Email: [email protected] / [email protected]
• Twitter: @makash
• LinkedIn: www.linkedin.com/in/akashm