Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
trends in web vulnerabilities

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction - PowerPoint PPT Presentation

Oct 05, 2023 •274 likes •907 views

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

  1. TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND

  2. Introduction Agenda • Introduction – Session Goals – Presenter and Trustwave SpiderLabs background • Analysis Overview – Data Source – Most frequently found SEVERE vulnerabilities – Most frequently found OVERALL vulnerabilities • About the Vulnerabilities – What are they? – How to fix them – Why you should care • Conclusion

  3. Introduction Session Goals • Provide an overall sense of the state of web application vulnerabilities that are commonly found by professional penetration testers • Provide you with the tools to identify overlooked areas in your web applications. • Help you determine where to focus your efforts in order to help your organization

  4. Introduction About the Presenter • Michel “Mike” Chamberland , MSc • North America Practice Lead with Trustwave SpiderLabs • CISSP, OSCP, OSWP. CEH, CHFI, CCSK, MCP, GIAC G2700, MCTS, Security+, etc. • Grew up in Sherbrooke, Qc and now lives in Sarasota, FL • Works closely with all USA and Canada based SpiderLabs resources

  5. Introduction About Trustwave SpiderLabs • A division within Trustwave • Consists of 150+ specialized security experts • Focuses on penetration testing, research and incident respons e • Performed millions of scans and thousands of penetration tests • Over 9 million web application attacks researched last year • 97% of applications tested by Trustwave had one or more vulnerability

  6. Analysis Overview

  7. Analysis Overview Data Source • Based on an analysis of vulnerabilities found by the Trustwave SpiderLabs team over the last few years • Will cover both most frequently found overall as well as most frequently found severe vulnerabilities. • Vulnerabilities will be grouped based on similarities and then discussed in further details • Statistics on vulnerabilities and vulnerability groups will be explored

  8. Analysis Overview Data Source • Vulnerability data collected from thousands of web application security assessments performed • All data collected is anonymous and not associated with any specific organizations • Trustwave serves over 3 million customers in 96 countries • The customer base is spread across all verticals • Many of these customers are in the educational sector

  9. What is a Severe Finding Types of Severe Findings • What is defined as severe : – Critical – High • Combined, they make up approximately 10% of findings

  10. What is a Severe Finding Critical Severity Findings • The attack scenario tested in this exercise succeeded, and resulted in a systems compromise • Exploitation is trivial • Exploitation requires no authentication , or authentication is available to a member of the public with minimal effort • Exploitation results in a large-scale loss of sensitive information or tangible assets • A strong need for immediate corrective measures exists

  11. What is a Severe Finding High Severity Findings • The attack scenario tested in this exercise succeeded, and resulted in a systems compromise • The attack can only be performed by an authenticated user • Technical vulnerability details and/or exploit code are publicly available • An additional attack vector may be needed to craft a successful attack using this exploit, but that vector is trivial • Exploitation of the vulnerability (1) may result in the costly loss of sensitive data or tangible assets , or (2) may significantly violate, harm, or impede the organization’s mission, reputation, or interest . • A strong need for corrective measures exists

  14. The Vulnerabilities

  15. The Vulnerabilities • The Rock Stars • The Heavy Hitters • Forgotten Killers • The Misunderstood • The Personal Problems

  16. The Rock Stars

  17. The Rock Stars Description • These are the vulnerabilities everyone knows about and almost always result in a severe impact • Used to be found systemically • SQL Injection – Allows an attacker to insert arbitrary commands into a database query or statement. • Cross-site Scripting – Occurs when web applications do not properly validate user- supplied inputs before including them in dynamic web pages.

  19. The Rock Stars Why they matter • Cross-Site Scripting – Session hijacking – Can be used to virtually deface web applications – Social engineering (login prompts, fake updates, payment form, etc.) – Redirect users to another site – Tunneling and network discovery – Log user’s keystrokes • SQL Injection – Exfiltration or tampering of data – Get operating system level access – Escalate privileges

  20. The Rock Stars Mitigation • Define a solid application architecture – Don’t fix each instances individually • Sanitize user input • Prefer a white listing approach • Use prepared statements and stored procedures for all SQL operations • Validate input on both client and server side • Escape output before storing in database or rendering in web browser

  21. The Heavy Hitters

  22. The Heavy Hitters Description • Caused by poor authentication and authorization controls • These are vulnerabilities that are often overlooked but almost always result in a severe impact • Today’s tools do not do a good job at finding these types of vulnerabilities • Authentication Bypass – Valid session identifier is not required to access resources • Vertical Privilege Escalation – Authorization controls are not properly enforced, allowing unauthorized access to resources or functions • Horizontal Privilege Escalation – Ability to view, delete or modify other user’s data

  24. The Heavy Hitters Why they matter • Almost always lead to a severe impact • Overlooked by automated tools • Often overlooked by traditional application testing – Focused on UI • Your firewall, IDS, IPS and/or WAF will not help you • Requires little technical skill to exploit

  25. The Heavy Hitters Mitigation • Fixed at the architecture level • Difficult to successfully implement from scratch – Leverage existing frameworks • These authentication and authorization frameworks should: – Ensure a proper session identifier is associated with each request – Ensure the user’s role and permissions allow the requested action • Ensure roles and permissions are defined and tested • Review release management/deployment procedures

  26. The Forgotten Killers

  27. The Forgotten Killers Description • Very frequently found and overlooked • Trivial to exploit • Insecure Password Policy – Having a weak password policy in place – Often associated with insecure password storage • Cross-site Request Forgery (CSRF) – Processing requests that where not sourced from the application

  29. Insecure Password Policy • Why is an insecure password policy and insecure password storage bad? • Let’s review some examples…

  30. Adobe – 153 Million Accounts (2013) • Username, password and password hint compromised • Improper password storage • Most passwords cracked within days and made publicly available

  31. Bell Canada – 22 Thousand Accounts (2014) • Affected Bell small business customers • Email, username, password credit card data compromised • Improper password storage

  32. Comcast – 590 Thousand Accounts (2015) • Data was being sold on the underground market • Email and passwords compromised • Improper password storage

  33. Last.fm – 43 Million Accounts (2012) • Full extent was not known publicly until 2016 • Email, username and passwords were compromised • Passwords hashed with MD5 and not salted • Most passwords were easily cracked • Most used password: “123456”

  34. LinkedIn – 164 Million Accounts (2012) • Hacked in 2012 but found on a dark market in 2016 • Email and passwords were compromised • Hashed with SHA1 and no salt • Most passwords were easily cracked

  35. Cross-Site Request Forgery • Why is cross-site request forgery bad? • Let’s review some examples…

  36. PayPal CSRF • Affected account management • Allowed the attacker to add/remove/confirm email, change security questions, add full privilege users to business accounts, etc. • Publicly disclosed in 2014

  37. Go Daddy CSRF • Affected domain registrations • Allowed an attacker to hijack a victim’s domain • Publicly disclosed in 2015

  38. Hilton CSRF • Affected the Hilton Honors loyalty program • Allowed an attacker to hijack a victim’s account • Publicly disclosed in 2015

  39. Too Many Network Device Affected by CSRF • Examples: – Netgear Routers – Cisco Residential Gateway – Siemens Ruggedcom NMS – Huawei 3G Router – Ubiquiti Networking Products • Impact is often full control and administration of the device • Often used for botnets

  40. Xzeres CSRF • Affects 442SR Wind Turbine • Allows an attacker to cut off power to ALL attached systems • Publicly disclosed in 2015

Recommend

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A long way to get here What is a Web Service? What is a Web Service? What is a Web Service? Web Services Web Services Software service :

552 views • 33 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

903 views • 39 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

971 views • 57 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

777 views • 20 slides
Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years old Evolution of the Web The Future of the Web? THE SEMANTIC WEB The Semantic Web what is the Semantic Web? Semantic Web?

1.36k views • 99 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.3k views • 80 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities > analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

414 views • 20 slides
The Laws of Vulnerabilities The Laws of Vulnerabilities Terry Ramos Terry Ramos Qualys Qualys

The Laws of Vulnerabilities The Laws of Vulnerabilities Terry Ramos Terry Ramos Qualys Qualys

The Laws of Vulnerabilities The Laws of Vulnerabilities Terry Ramos Terry Ramos Qualys Qualys 02/15/06 - HT1-202 02/15/06 - HT1-202 Are We Getting Better or Worse ? What is a vulnerability? How significant is this vulnerability? How

753 views • 40 slides
RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A

RIPS RIPS A static source code analyser NDS Seminar for vulnerabilities in PHP scripts A static source code analyser A static source code analyser for vulnerabilities in PHP scripts for vulnerabilities in PHP scripts 1 Johannes Dahse

805 views • 35 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

622 views • 11 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security & Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

201 views • 8 slides
E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS

E-TRENDS ARABNET 2014 IYAD KAMAL IY AD@ ARAMEX.COM IY AD KAMAL @ IY ADKAM E-TRENDS BUSINESS TRENDS P AYMENTS RETURNS SOCIAL TRENDS LAST MILE SOLUTION BUSINESS TRENDS THE MIXER E-TRENDS INCLUDE MIXED DATA FROM : SHOP AND SHIP

929 views • 28 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.22k views • 60 slides
Web Mining Web Mining to automatically discover and extract information from Web

Web Mining Web Mining to automatically discover and extract information from Web

What is Web Mining? What is Web Mining? Web mining is the use of data mining techniques Web Mining Web Mining to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) 1 2 The Web The Web

469 views • 23 slides
Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web scraping The easy way, using web service APIs Well see examples of both. 2 / 9 Web Scraping Web scraping, a.k.a. screen scraping, means getting

486 views • 9 slides
Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon Mikhaiel Struts framework rimon@cs.ualberta.ca Example of workflow management. A Hello World Example Web Model 2 Web Model 1 Web MVC

611 views • 4 slides
E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton

E-SAFETY Practical parenting in the digital age Derek Crabtree London Borough of Merton derek.crabtree@merton.gov.uk E-SAFETY E -Safety isn't all about your technical skills. It's about behaviour and parenting! Really no different to what

461 views • 24 slides
International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect

International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect

International Computer Association July 27 th , 2017 Leveraging Artificial Intelligence to detect New, Emerging Cyber Threats in Realtime John Kirch Regional Director - North Asia ICA Darktrace : Background & Growth Founded by

584 views • 25 slides
on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation

on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation

COBOL VSAM Reporting using Java on Tomcat and ITEXT Ramanathan Perinkolam Tata Consultancy Services Date of Presentation (12-March 2012) Session Number (10982) Agenda Objective and Scope Technical Environment JZ/OS, ITEXT,

433 views • 29 slides
Cyber Security And For Business Seminar Enter your business card for an opportunity to win the

Cyber Security And For Business Seminar Enter your business card for an opportunity to win the

Cyber Security And For Business Seminar Enter your business card for an opportunity to win the most productivity tool for your business worth over $200 Cyber Security And For Business Seminar How Cyber Criminals Are Targeting Small

463 views • 30 slides
Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November

Intelligent Transportation Systems (ITS) Joint Program Office (JPO) Connected Vehicle Reference Implementation Architecture Update Stakeholders Webinar November & December 2013 1 Commercial Vehicle & Freight Applications of

548 views • 36 slides
Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation

Am I Too Small To Be A Target? Cybersecurity Issues for Small Businesses A Special Presentation For <Name> Date Location Special thanks to Your Speaker Bob Weiss MCSE, A+, CEH Senior Cybersecurity Engineer at CIT

722 views • 55 slides
Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break

Myth Busters Open source and Security By Aseem Jakhar $ whoami $ whoami We break break things! things! We $ whoami When not working, we do charity $ whoami When not working, we do charity By breaking products for free :)

659 views • 28 slides
The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What

The Common Debian Build System (CDBS) Peter Eisentraut FOSDEM 2009 Peter Eisentraut CDBS What is CDBS? A set of makefile fragments to include into debian/rules Makes packaging complex packages easier. Makes packaging simple packages harder.

453 views • 27 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.