"the web is broken" by bipin upadhyay
DESCRIPTION
Can be used as an introductory presentation on web security basics. Covers the attacks through to prevention tips, neatly organized. http://codeinmybug.wordpress.com/2007/10/12/the-web-is-broken/
TRANSCRIPT
![Page 1: "The Web Is Broken" by Bipin Upadhyay](https://reader033.vdocuments.mx/reader033/viewer/2022051012/5405f6f18d7f72a6768b4fed/html5/thumbnails/1.jpg)
The Web Is Broken
Why every feature is, in fact, a loophole!
Bipin Upadhyay http://projectbee.org
“The first matrix I designed was quite naturally, perfect. It was a work of art. Flawless. Sublime. A triumph only equaled by its monumental failure.”
RoadMap
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Who Am I?
• I am SpiderMan
• Apart from that, I:
– am a part of ADMS
– work on WebAppSec
– am co-author of a yet-to-be-released book
• I can be pinged @:
– http://blog.projectbee.org
– Om-[AT]-PROJectBee-[DOT]-org
Web 1.0 versus Web 2.0
Technologies Involved
Fundamentals
Fundamentals, more or less, are still the same
Fundamentals…
Diagram: User → Firewall / IDS → Web server (server-side scripts like PHP, ASP, JSP etc.) → Database
Network Sec. versus Web Sec.
Diagram: Attacker → Firewall/IDS/IPS → Web Server. Of the port range 0–65535, ports 80 and 443 are the ones left open through the firewall.
Network Sec. versus Web Sec…
Diagram: Malicious OR Compromised Web Server → Firewall / NATed IP → Victim, with the victim's full port range 0–65535 behind the firewall.
How serious is the matter!
• 90% of web applications have serious vulnerabilities – Gartner Group
• 78% of attacks are at the web application level – Symantec
• XSS and SQL injection are replacing buffer overflows as the favourite hacker initiative – Mitre
• 8–9 out of every 10 sites are vulnerable to XSS – WASC
How serious is the matter!...
What’s @ Stake
• Money
• Data
• Reputation
• Faith/Trust
• and…
What’s @ Stake…
• …
It’s a Mythical World out there…
• Myths often prevail over rationality.
• Myths are often the cause of devastation.
Myth Buster
• Myth:
– My developers have implemented security
• Reality:
– Security ain’t no feature dude! It’s a metric.
Myth Buster…
• Myth:
– Security is a non-functional requirement
• Reality:
– By definition, Yes!
Myth Buster…
• Myth:
– We use blah-blah framework. We’re safe.
• Reality:
– Frameworks are encouraged. Human brain isn’t.
Myth Buster…
• Myth:
– Java is secure by design
• Reality:
– Maybe! But the web isn’t… nor is the human brain.
Myth Buster…
• Myth:
– SSL is secure from sniffing
• Reality:
– Far from it. It’s difficult for sure, though.
Myth Buster…
• Myth:
– Procedures mean no SQL Injection
• Reality:
– Not always.
Myth Buster…
• Myth:
– I use a firewall. I am safe.
• Reality:
– So what? Your browser ports are open.
Myth Buster…
• Myth:
– I use the latest antivirus and my system is patched.
• Reality:
– Big Deal!!!
Myth Buster…
• Myth:
– I browse the net from inside a LAN.
• Reality:
– Urghhh! Browser dude, browser!
Myth Buster…
• Myth:
– Human stupidity is infinite
• Reality:
– There you go! ☺
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Injection Attacks
• A form of attack where user input manipulates the underlying platform in an undesired way.
• Several variants:
– SQL Injection
– Command Injection
– LDAP Injection
– XPATH Injection
– XML Injection
– JSON Injection
SQL Injections
XSS
• OWASP Top 10 2007 #1
• Any type of user input that is reflected back to the user without being sanitized or encoded.
• Input can be HTML, CSS, or JavaScript
• Two kinds: Persistent & Non-Persistent XSS
XSS…
• XSS attacks include, but are not limited to:
– Cookie Theft & Session Hijacking
– Site Defacement & Phishing
– Key logging
– History Theft
– Port Scanning
– CSRF & Web Worms
– DoS-ing
– … limited only by imagination
CSRF
• Also called Unauthorized Requests.
• The server is punished/exploited for trusting the user.
• CSRF is, arguably, more dangerous than XSS.
• Doesn’t necessarily require JavaScript.
• OWASP Top 10 2007 #5 (also called the Sleeping Giant)
Cookie Poisoning
• Cookies sometimes store confidential data
• This information can be manipulated for fun and profit, e.g., the price of a product on an e-commerce site
HTTP Response Splitting
• The attacker splits one HTTP response into two.
• Watch out for redirection scripts that use user input in response headers
• CR-LF (0x0d & 0x0a) is the key to response splitting
• Web/browser cache poisoning, XSS etc. become possible
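The defensive side of the redirect case above, as an added example that is not from the slides: a redirect helper that refuses to place user-controlled CR/LF bytes into a response header, decoding the value first so an encoded `%0d%0a` cannot slip past the check. The `build_redirect` and `is_safe_header_value` names are this example's own.

```python
import urllib.parse
from typing import Optional

# Added example (not from the slides): a redirect helper that refuses to put
# CR (0x0d) or LF (0x0a) from user input into a response header. Those two
# bytes end a header line, so a value carrying them would let the client
# terminate the headers early and append headers or a body of its own.
CRLF = "\r\n"

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so %0d%0a (or double-encoded %250d%250a) cannot hide a CR/LF."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_safe_header_value(value: str) -> bool:
    """True only if every character is printable ASCII after decoding."""
    decoded = decode_fully(value)
    return all(0x20 <= ord(ch) <= 0x7E for ch in decoded)

def build_redirect(location: str) -> bytes:
    """Serialize a 302 response; raise rather than emit a splittable header."""
    if not is_safe_header_value(location):
        raise ValueError("refusing to emit CR/LF or non-ASCII in Location header")
    lines = ["HTTP/1.1 302 Found", f"Location: {location}", "Content-Length: 0"]
    return (CRLF.join(lines) + CRLF + CRLF).encode("ascii")

def redirect_or_none(location: str) -> Optional[bytes]:
    """Convenience wrapper: None when the value was rejected."""
    try:
        return build_redirect(location)
    except ValueError:
        return None

if __name__ == "__main__":
    print(build_redirect("/account?id=42").decode())
    print(redirect_or_none("/home%0d%0aX-Injected: 1"))  # rejected, prints None
```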
Google Hacking
• Search engines index all permissible documents inside the web tree
• This data can be recovered using special queries:
– site:<sitename>
– inurl:<string>
– intitle:<string>
– filetype:<string>
Scary Cracks
• Credit Cards & Google
• Google.com UTF-7 XSS Vulnerability
• Yamanner
• “Samy is my Hero” OR Samy Worm
• Bank Of India Hack
• GMail CSRF Vulnerability
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
The Arsenal
• A Web browser
• Textbox/Textarea
• Iframe
• TamperData/TamperIE
• WebScarab
• Fuzzer (Crowbar)
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
Google Hacking
• Search engines index anything and everything
• Demo
Exploiting Mistakes
• Client side validation isn’t enough
• Demo
• “Clues in Codes/Comments”
• Demo
• Insecure implementation of “Forgot Password” feature
• Demo
Exploiting Mistakes…
• Overly verbose error messages
• Demo
• Cookies aren’t for sensitive data
• Demo
• Brute-forcing session IDs
• Demo
Exploiting Zero Days
• URI Vulnerabilities
• Demo
Injection Attacks
• SQL Injections
• Demo
• Command Injection
• Demo
• XPATH Injection
• Demo
XSS Family
• XSS (Cross Site Scripting)
• Demo
• XSS and encoding mistakes
• Demo
• CSRF, the sleeping Giant
• Demo
HTTP Response Splitting
• Why is the user evil?
• Demo
RoadMap…
• Introduction
• Attacks
• The Arsenal
• Breaking the Web
• Preventing the Breakage
SDLC
• Integrate security into the SDLC
Design → Coding → Testing → Deployment
Design Phase
• Stick to standards
• Encourage usage of well-proven frameworks
• Prefer Whitelisting over Blacklisting
• Prefer Onion Model over Garlic Model
Coding Phase
• Do NOT trust the user.
• Do NOT rely on Client side validation.
• Prefer HttpOnly cookies to avoid cookie theft
• Use nonces to prevent CSRF
• Don’t just hash passwords, salt them too
• Avoid overly verbose/meaningful error messages
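Two of the tips above, the HttpOnly cookie and the CSRF nonce, worked through as an added example that is not from the slides. `SESSIONS` is a constructed stand-in for server-side session storage, and the function names are this example's own.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Added example (not from the slides): a session cookie flagged HttpOnly and
# Secure, plus a per-session CSRF nonce that every state-changing POST must
# echo back. SESSIONS is a constructed stand-in for server-side session storage.
SESSIONS = {}

def start_session():
    """Create a session; return (session_id, value for the Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)                    # 256-bit random id
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True   # page script cannot read it from document.cookie
    cookie["sid"]["secure"] = True     # never sent over plain HTTP
    cookie["sid"]["path"] = "/"
    return sid, cookie.output(header="").strip()

def csrf_field(sid: str) -> str:
    """Hidden form field carrying the nonce bound to this session."""
    return f'<input type="hidden" name="csrf" value="{SESSIONS[sid]["csrf"]}">'

def accept_state_change(sid: str, form: dict) -> bool:
    """Accept a POST only if it carries the nonce that belongs to this session.

    A cross-site form post carries the victim's cookie automatically, but the
    attacker's page cannot read the nonce out of the victim's form, so the
    value is missing or wrong and the request is refused.
    """
    session = SESSIONS.get(sid)
    if session is None:
        return False
    supplied = str(form.get("csrf", ""))
    return hmac.compare_digest(supplied.encode(), session["csrf"].encode())

def demo() -> bool:
    """Same-site post with the nonce succeeds; a forged post without it fails."""
    sid, _header = start_session()
    token = csrf_field(sid).split('value="')[1].rstrip('">')
    return accept_state_change(sid, {"csrf": token}) and \
        not accept_state_change(sid, {"amount": "100"})
```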
Coding Phase…
• Proper encoding can avoid most problems
• Input Encoding
– prefer UTF-8 and ISO-8859-1
– refer to http://ha.ckers.org/charsets.html
• Output Encoding
– avoid rich HTML input from the user
– decimal-encode input before displaying it
– refer to the OWASP Encoding Project
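The "decimal-encode before displaying" tip, and the reflected input the XSS slide describes, as an added example that is not from the slides: a whitelist encoder for the HTML body context, shown beside the unencoded rendering it replaces. The function names and the constructed comment text are this example's own; attribute, URL and script contexts need their own encoders.

```python
# Added example (not from the slides): output encoding for an HTML body
# context. Every character outside a small whitelist becomes its decimal
# character reference (&#NN;), which is the "decimal encode before
# displaying" tip. This is for text between tags only.
SAFE_CHARS = frozenset(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 .,"
)

def decimal_encode(text: str) -> str:
    """Whitelist encoding: keep letters, digits, space, '.' and ','; encode the rest."""
    return "".join(ch if ch in SAFE_CHARS else f"&#{ord(ch)};" for ch in text)

def render_comment_unsafe(author: str, body: str) -> str:
    """Reflects user input verbatim: any markup in it becomes part of the page."""
    return f"<p><b>{author}</b>: {body}</p>"

def render_comment(author: str, body: str) -> str:
    """Encodes on output, so markup in the input is displayed, not interpreted."""
    return f"<p><b>{decimal_encode(author)}</b>: {decimal_encode(body)}</p>"

def foreign_tags(rendered: str, template_tags=("<p>", "</p>", "<b>", "</b>")) -> bool:
    """True if any '<' or '>' survives other than the template's own tags."""
    rest = rendered
    for tag in template_tags:
        rest = rest.replace(tag, "")
    return "<" in rest or ">" in rest

# Constructed untrusted input: a comment that carries its own markup.
UNTRUSTED_BODY = '<a href="x">click</a>'

if __name__ == "__main__":
    print(render_comment_unsafe("mallory", UNTRUSTED_BODY))  # markup reaches the page
    print(render_comment("mallory", UNTRUSTED_BODY))         # markup shown as text
```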
Coding Phase…
• Sanitize anything that comes from the user.
Coding Phase…
• Filter Metacharacters:
– < (%3c), > (%3e)
– | (%7c), ` (%60)
– & (%26), ( (%28)
– CR/LF (%0d %0a), ..
– / (%2f), \ (%5c)
• RegEx is your friend
• Use Stored Procedures
• Prefer the usage of bind variables in SQL statements
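The bind-variable tip above, and the SQL injection variant from the Injection Attacks slide, as an added example that is not from the slides: one lookup written with string concatenation and with a bind variable, run against an in-memory SQLite table with constructed rows. The same comparison applies to the earlier myth about procedures: a stored procedure that concatenates its arguments into dynamic SQL is the first form again. Function names and table contents are this example's own.

```python
import sqlite3

# Added example (not from the slides): one lookup written two ways against an
# in-memory SQLite table with constructed rows. The concatenated form lets the
# input change the SQL text; the bound form sends it as a value only.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con

def find_user_concat(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable: quote characters in `name` become part of the statement."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def find_user_bound(con: sqlite3.Connection, name: str) -> list:
    """Safe: `?` is a bind variable, so `name` can only ever be compared, not parsed."""
    return con.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

def rows_returned(name: str) -> tuple:
    """(rows from the concatenated query, rows from the bound query) for one input."""
    con = make_db()
    try:
        return len(find_user_concat(con, name)), len(find_user_bound(con, name))
    finally:
        con.close()

def concat_breaks(name: str) -> bool:
    """True if the concatenated query does not even parse for this input."""
    con = make_db()
    try:
        find_user_concat(con, name)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()

if __name__ == "__main__":
    print(rows_returned("alice"))      # both forms find one row
    print(concat_breaks("o'brien"))    # an apostrophe alone breaks the concatenated form
```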
Testing Phase
• Code Auditing:
– OWASP LAPSE plugin (Java)
– SPI Dynamics’ DevInspect (Java & .NET), etc.
• Web Application Scanners:
– w3af
– Watchfire AppScan
– SPI Dynamics’ WebInspect, etc.
• No substitute for an experienced human eye
Deployment Phase
• Keep anything that needn’t be served out of the Web Tree; use robots.txt
• Set minimal permissions
• Keep the system patched & patched
• Use a Web Application Firewall:
– urlScan
– ModSecurity
– SecureIIS, etc.
…but, most importantly
Education
Educate your developers.
Final Words
• The WWW was designed for information exchange
• Today, too much is at stake
• Ignorance is no longer bliss
• Take responsibility and…
Final Words…
…be prepared.
“Do you know what HTML 5.0 and XHTML 2.0 have in store for us? You don't even want to know…”
– Ronald van den Heetkamp
…and Finally,
String.fromCharCode(84,104,97,110,107,32,89,111,117,33)
i.e., Thank You! ☺
Acknowledgements
• Lalit Patel (http://lalit.org) & Lucky (http://reboot.in)
• http://flickr.com
• http://flickr.com/photos/jeanetteb1/1400824517
• http://flickr.com/photos/jbhalper/334521840
• http://flickr.com/photos/hondawang/566041603
• http://flickr.com/photos/14018070@N08/1438910620
• http://flickr.com/photos/44368636@N00/76684587
• http://www.cyberpunkreview.com/images/matrixreloaded63.jpg
• www.flickr.com/photos/johnengler/211482969
• http://www.flickr.com/photos/lamkevin/458083458
• http://www.flickr.com/photos/beavis/459281241
• http://flickr.com/photos/briansolis/326278887
• http://www.flickr.com/photos/focus2capture/297232107
• http://flickr.com/photos/complexify/97303317
• http://flickr.com/photos/amyking/142161588
• http://xkcd.com/327/
References
• http://search.yahoo.com (To be safer)
• http://0x000000.com
• http://ha.ckers.org
• http://sla.ckers.org
• http://gnucitizen.com
• XSS Attacks (Syngress Publications)
• PenTesting for Web Applications (Wrox)
• Hacking Exposed (Tata McGraw Hill)
• 19 Deadly Sins of Software Security (Tata McGraw Hill)
• OWASP & WASC
• David Kierznowski, Amit Klein, Jeremiah Grossman, Gareth Heyes, Andres Riancho, Ronald, RSnake, pdp, Billy Rios, Nate, Thor, … and a lot more
Got Questions???
Shoot them