least once in the past two years through insecure Web applications”
Source: State of Web Application Security, Ponemon Institute
Download Examples: http://rapp.io/1y
is either more critical or equally critical to other security issues faced by their organizations”
Source: State of Web Application Security, Ponemon Institute
security budget is less than the organization’s coffee budget”
Source: State of Web Application Security, Ponemon Institute
Download Examples: http://bit.ly/NcGSod
through an untrusted source, most frequently a web request
– The data is included in dynamic content that is sent to a web user without being validated for malicious code
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
– Stored XSS Attacks (Persistent)
  • When injected code is stored and unknowingly retrieved by victims
– Reflected XSS Attacks (Non-Persistent)
  • When injected code is reflected off the application via an un-escaped field
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
an XSS vulnerability?
– Launch a phishing attack
– Steal session and cookie data to log in as the victim
– Perform unwanted actions as the victim
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
73 friends. I decided to release my little popularity program. I'm going to be famous...among my friends.
1:30 am: You have 73 friends and 1 friend request. One of my friends' girlfriend looks at my profile. She's obviously checking me out. I approve her inadvertent friend request and go to bed grinning.
8:35 am: You have 74 friends and 221 friend requests. Woah. I did not expect this much. I'm surprised it even worked. 200 people have been infected in 8 hours. That means I'll have 600 new friends added every day. Woah.
9:30 am: You have 74 friends and 480 friend requests. Oh wait, it's exponential, isn't it. Shit.
• $_REQUEST
• $_FILES
• $_ENV
• $_SERVER
These all can be manipulated by the user.
Don’t trust anyone …Not even little girls
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
page that contains a malicious request
• Malicious because the request inherits the identity and privileges of the victim, forcing an undesired action on the victim’s behalf.
– Posting a tweet
– Purchasing a product
http://en.wikipedia.org/wiki/Cross-site_request_forgery
harmless looking webpage
• A visitor lands on the page while logged in to their bank's website, which has a CSRF vulnerability
• The malicious page creates a request on behalf of the visitor to transfer funds without permission:
<img src="http://bank.com/transferFunds?amount=5000&to=Geoff's Bank Account" width="0" height="0" />
Example: lonestar12/CSRF/img.html
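As an added example (not from the slides or the lonestar12 repository), here is how the transferFunds endpoint above can defend itself with a synchronizer token: a per-session random token is placed in the bank's own form and checked on every state-changing POST, so an <img> on another origin can neither read the token nor supply it. The endpoint path and field names are assumptions.

```php
<?php
// Added example: synchronizer-token CSRF protection for a transferFunds
// endpoint. Endpoint path and form field names are assumed, not the slides'.
declare(strict_types=1);
session_start();

// One random token per session, stored server-side and echoed into forms.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A request is honoured only if it is a POST carrying the session's token.
// hash_equals() compares in constant time, so the token cannot be recovered
// byte by byte from response timing.
function csrf_request_is_valid(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;                      // a GET fired by <img src> never qualifies
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, (string) $supplied);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_request_is_valid($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION)) {
        http_response_code(403);
        exit('Rejected: missing or invalid CSRF token');
    }
    // ... perform the transfer for the authenticated user here ...
    exit('Transfer accepted');
}

// Rendering the form: the token travels in a hidden field that only a page
// served from the bank's own origin can read. It is HTML-escaped on output.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/transferFunds">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input name="amount"> <input name="to">'
   . '<button>Transfer</button></form>';
```

Because the check reads $_POST rather than $_REQUEST, a token smuggled in the query string or a cookie is ignored, which is exactly why the superglobals listed on the earlier slide should never be trusted interchangeably.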
your crossdomain.xml
• Putting this at example.com/crossdomain.xml allows Flash applets on other sites to make requests to your site on behalf of the user:
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>
to keep many connections to the target web server open and hold them open as long as possible.
– It accomplishes this by opening connections to the target web server and sending a partial request.
– Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request.
– Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Example: lonestar12/Denial of Service/slowloris.php