Presentation transcript:

Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation.

OWASP EU09 Poland
Web Application Harvesting
Esteban Ribičić - Individual Member - Speaker
kisero at gmail dot com

OWASP AppSecEU09 Poland, slide 2: Contents
- Who am I and what is all this about?
- How did we get here? Spidering, scraping, deep web, harvesting
- Example
- So how does it work?
- How does it relate to security? Examples
- All you need, nothing you don't: the right solution for the specific scenario
- Conclusions

OWASP AppSecEU09 Poland, slide 3: Who am I?
What I did:
- Application Developer
- Linux Administrator (ISP and Portals)
- Network & Security Engineer
- Solution Architect and PM
- Lead Web App. Developments
- Full time boyfriend
Objective: expose to the web (and security) community that a technique as trivial as harvesting can be lethal for the online business (the one that pays our bills).

OWASP AppSecEU09 Poland, slide 4: How did we get here?
Spidering -> Scraping -> Harvesting
- Origins: spidering, the search engine boom.
- Scraping: no agreement on what to share.
- Deep Web definition.
- Harvesting comes into play.

OWASP AppSecEU09 Poland, slide 5: How does it work?
Ingredients:
- Perform reverse engineering on the target web application.
- Re-create a normal request with a piece of code.
- Run it with multiple threads.
- Fast clicking: run them all quickly!

OWASP AppSecEU09 Poland, slide 6: How does it relate to security? Social network example
- Brute force attack: session (cookies), login portal
- Subject-oriented spam
- Privacy disclosure
- DoS attacks: storage exhaustion, request exhaustion
- Etc.

OWASP AppSecEU09 Poland, slide 7: How does it relate to security? Airline example
- The ratio between searches and operations sold will increase.
- Database off-load or mining.
- Once harvested: the ratio between processing capacity and requests is lost, SLOs are lost, and $ comes into the game.

OWASP AppSecEU09 Poland, slide 8: Solutions: all you need, nothing you don't
- Token session + page session:
  - The server sends a token (created from the original inputs, e.g. credentials) to the user.
  - The token regenerates every X seconds/minutes; tune this to your level of paranoia.
  - The web server creates the links in the HTML not as classic URLs but using the token, and maps the token to the real URLs.
- Delta between clicks
- Event correlation
- Content presentation (images)
- CAPTCHAs
- Web servers and AJAX make crawling far more complex
- Monitoring
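As an added example (not code from the talk, from the speaker, or from OWASP), here are two of the countermeasures on this slide in working Python: opaque, per-session link tokens that stand in for the real URLs, rotate with a time window and map back to the real URL server-side, plus a click-delta monitor that runs over a few constructed access-log lines and flags a session whose request cadence is faster than a human clicking. The server key, the 60-second token window, the 1-second human threshold, the session and URL names, and the `<epoch> <session> <path>` log format are all assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Assumptions for the demo: a server-side secret, a token window of 60 s
# (the slide's "every X seconds"), and a 1 s floor on human inter-click time.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 60
MIN_HUMAN_DELTA = 1.0
MIN_SAMPLES = 5


class LinkTokenizer:
    """Replaces real URLs in rendered HTML with per-session tokens.

    A token is an HMAC over (session id, real URL, time window), so links
    collected in one session do not resolve from another, and they stop
    resolving once their window has rolled over. The real URL stays
    server-side and never appears in the page.
    """

    def __init__(self, key=SERVER_KEY, ttl=TOKEN_TTL):
        self.key = key
        self.ttl = ttl
        self.real_urls = {}  # token -> real URL, filled as links are rendered

    def _window(self, now):
        return int(now // self.ttl)

    def _token(self, session_id, real_url, window):
        msg = f"{session_id}|{real_url}|{window}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:32]

    def render_link(self, session_id, real_url, now):
        """Return the opaque link to put in the HTML for this session."""
        tok = self._token(session_id, real_url, self._window(now))
        self.real_urls[tok] = real_url
        return f"/go/{tok}"

    def resolve(self, session_id, link, now):
        """Map a clicked link back to its real URL; None if the token is
        unknown, belongs to another session, or is older than one rollover."""
        tok = link.rsplit("/", 1)[-1]
        real_url = self.real_urls.get(tok)
        if real_url is None:
            return None
        # Accept the current window and the previous one so a link rendered
        # just before rollover still works for a genuine reader.
        for w in (self._window(now), self._window(now) - 1):
            if hmac.compare_digest(tok, self._token(session_id, real_url, w)):
                return real_url
        return None


class ClickDeltaMonitor:
    """Per-session 'delta between clicks': flags a session once the median
    gap between its last MIN_SAMPLES requests is below MIN_HUMAN_DELTA."""

    def __init__(self, min_delta=MIN_HUMAN_DELTA, min_samples=MIN_SAMPLES):
        self.min_delta = min_delta
        self.min_samples = min_samples
        self.last_seen = {}
        self.deltas = defaultdict(list)

    def observe(self, session_id, now):
        prev = self.last_seen.get(session_id)
        self.last_seen[session_id] = now
        if prev is not None:
            self.deltas[session_id].append(now - prev)
        recent = self.deltas[session_id][-self.min_samples:]
        if len(recent) < self.min_samples:
            return False
        return statistics.median(recent) < self.min_delta


def scan_access_log(lines, monitor=None):
    """Run the monitor over '<epoch> <session> <path>' lines (assumed format)
    and return the set of sessions whose cadence looks automated."""
    monitor = monitor or ClickDeltaMonitor()
    flagged = set()
    for line in lines:
        ts, session_id, _path = line.split(maxsplit=2)
        if monitor.observe(session_id, float(ts)):
            flagged.add(session_id)
    return flagged


# Constructed log: one human browsing a catalogue, one harvester paging it.
SAMPLE_LOG = [
    "1000.0 s-human /catalog",
    "1000.0 s-bot /catalog",
    "1000.1 s-bot /catalog?page=2",
    "1000.2 s-bot /catalog?page=3",
    "1000.3 s-bot /catalog?page=4",
    "1000.4 s-bot /catalog?page=5",
    "1000.5 s-bot /catalog?page=6",
    "1003.2 s-human /catalog?page=2",
    "1007.9 s-human /item/17",
    "1012.1 s-human /item/42",
    "1018.4 s-human /cart",
    "1025.0 s-human /checkout",
]

if __name__ == "__main__":
    tz = LinkTokenizer()
    link = tz.render_link("sess-A", "/flights/search?from=WAW&to=LHR", now=1000.0)
    print(link, "->", tz.resolve("sess-A", link, now=1030.0))
    print("flagged sessions:", scan_access_log(SAMPLE_LOG))
```

The token check and the click-delta check are complementary: the tokenizer stops a harvester from reusing a recorded link set across sessions or after the window rolls over, while the monitor catches a harvester that plays by the rules and simply clicks too fast, which is the "event correlation" and "monitoring" side of the slide. In a real deployment the token map would live in a shared store with the session and the threshold would be tuned from observed human traffic.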

OWASP AppSecEU09 Poland, slide 9: Dziękuję (thank you)! And let's go for a beer…