web security: concepts and tools used by attackers
DESCRIPTION
Today, with prominent Web attacks taking place seemingly every week, it is time to consider security a fundamental part of the development of web applications. This talk presents some basic concepts and demos some tools used by attackers targeting common web vulnerabilities.

TRANSCRIPT
Web Security
Why?
2.7B worldwide Internet users
Protecting users' privacy is critical
Loss of trust: if we leak, users will leave
Prominent web attacks every week
Why Security is difficult
“A system is secure if it behaves precisely in the manner intended and does nothing more”
Why Security is difficult
1. Software is complex
● Difficult to analyze in complex real-world scenarios
Why Security is difficult
2. The web was not designed to be secure
● Originally targeted at providing unlimited access
● Its speed of ascent brought design flaws that remain to the present day
Know who (really) are your users
“The most striking property of web browsers is that most people who use them are overwhelmingly unskilled”
Know who (really) are your users
Research #1
● Casual users are oblivious to signals that make perfect sense to a developer.
● Good phishing websites fooled 90% of participants
Know who (really) are your users
Research #2
● The ‘green URL bar’ security indicator
Who’s responsible for security
Avoid the “Security Department” excuse
We are the first line of defense
Keep maintainable Security strategies
Maintainable Security strategies
Consider Security during the whole lifecycle
● For each new release, the potential for new security issues increases.
User Stories?
“As an employee, I can search for other employees by their last name”
Add EVIL User Stories
“As a hacker I can send bad data in HTTP headers, so I can access data and functions for which I’m not authorized.”
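One way to make an EVIL user story like the one above actionable is to turn it into an executable security test that runs with every release. The following is an added example, not code from the talk or from its demo repository; the application (a session-cookie design with an `X-User` header that a naive implementation trusts), the `SESSIONS` and `ROLES` tables and the `can_view_all_salaries` function are all assumptions constructed for illustration. It shows the naive identity resolver beside the hardened one, and a check that encodes the evil story: a request carrying a valid low-privilege session plus a forged header must not reach an admin-only function.

```python
# Added example (not from the talk or its repository): the EVIL user story
# "As a hacker I can send bad data in HTTP headers, so I can access data and
# functions for which I'm not authorized" turned into an executable test.
# Header names, session store, role table and the salary function are
# assumptions constructed for illustration.

# Constructed server-side state: session id -> user, and user -> role.
SESSIONS = {"sess-abc": "alice"}
ROLES = {"alice": "employee", "bob": "admin"}


def parse_cookie(header_value):
    """Parse a 'Cookie' header value into a dict (minimal, for the example)."""
    cookies = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def current_user_naive(headers):
    """Naive resolver: trusts a client-supplied X-User header to identify the
    caller. This is the defect the evil story is written to catch."""
    return headers.get("X-User")


def current_user(headers):
    """Hardened resolver: identity comes only from the server-side session
    looked up by the session cookie; any X-User header is ignored."""
    cookies = parse_cookie(headers.get("Cookie", ""))
    return SESSIONS.get(cookies.get("sid"))


def can_view_all_salaries(user):
    """Function-level access control: only admins may view every salary."""
    return ROLES.get(user) == "admin"


def evil_story_blocked(resolve_user):
    """Acceptance check for the evil story. The request carries alice's valid
    session plus a forged header claiming to be bob (an admin). Returns True
    when the forged header does NOT grant the admin-only function, i.e. the
    story is blocked by the given resolver."""
    forged_request = {"Cookie": "sid=sess-abc", "X-User": "bob"}  # constructed
    return not can_view_all_salaries(resolve_user(forged_request))


if __name__ == "__main__":
    for name, resolver in [("naive", current_user_naive), ("hardened", current_user)]:
        print(f"{name} resolver: evil story blocked = {evil_story_blocked(resolver)}")
```

In a real project `evil_story_blocked` would live in the test suite next to the functional tests for the feature, so that the story fails the build if a later release reintroduces trust in a client-controlled header.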
OWASP List
OWASP 2013 List
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting
A4 - Insecure Object Reference
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Automated attacks
Unlike the tedious hours spent hacking a network’s perimeter, attacks against Web applications can be easily automated
Prevention
Don’t write your own security controls! Reinventing the wheel leads to wasted time and massive security holes.
Understand and use the tools that the attackers use
Demo time
https://github.com/tomasperezv/web-security-tools
Demo time: WebGoat
Demo time: THC-Hydra
Demo time: webscarab
Demo time: Nessus
Demo time: w3af
Demo time: xsssniper
Conclusion
● We are responsible for the security of our web applications
● Include the EVIL user stories
● It is easy to perform attacks using automated tools
● Don’t write your own security controls!
Questions
https://github.com/tomasperezv/web-security-tools