Cloud = Web, Web = Hacked!
Fabio Viggiani
Why Web Apps?
• Every organization exposes web apps
• Most common entry point
Image source: http://i.imgur.com
Image source: https://www.flickr.com/photos/brianklug/6870002408
Focus
• SQL injection, XSS… again with that old stuff???
• Well, we DO find them every day!
• Why?
Demo Environment
Let’s hack!
• Basic stuff – warm up and understand
• Cross Site Scripting (XSS)
• SQL injection
Image source: http://gizmodo.com/5498412/sql-injection-license-plate-hopes-to-foil-euro-traffic-cameras
We should be able to fix this
• XSS filters available online
• Prepared statements – easy and well documented
• Let’s do it
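The "XSS filter found online" versus output encoding, as an added example that is not part of the talk's demo. It contrasts three defences for a display-name field: a blacklist filter that strips script tags, a whitelist validator at the input point, and contextual output encoding at the output point. The sample names, the regular expressions and the helper names are constructed for this illustration.

```python
import html
import re

# Constructed sample inputs for a "display name" field.
SAMPLES = ["Alice", "O'Brien", "Tom & Jerry", "<b>Bob</b>"]

# Blacklist: a typical "XSS filter found online" that removes <script> tags.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.I)
# Whitelist: the characters a display name may legitimately contain.
NAME_WHITELIST = re.compile(r"^[A-Za-z0-9 .'\-]{1,64}$")


def filter_blacklist(value):
    """Blacklist filtering: drop <script> tags, pass everything else through."""
    return SCRIPT_TAG.sub("", value)


def validate_whitelist(value):
    """Input validation: accept the value only if every character is expected."""
    return NAME_WHITELIST.match(value) is not None


def encode_for_html_text(value):
    """Output encoding for the HTML text context: & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_greeting(name, sanitizer):
    """Template that places the (sanitized) name inside an HTML text node."""
    return f"<p>Hello, {sanitizer(name)}!</p>"


def user_controlled_tags(rendered):
    """Count '<' beyond the two the template itself emits (<p> and </p>).
    Anything above zero means user input reached the browser as markup."""
    return rendered.count("<") - 2


def compare(samples=SAMPLES):
    """For each sample: does it pass the whitelist, and how much markup
    survives with the blacklist filter versus with output encoding."""
    report = {}
    for s in samples:
        report[s] = {
            "whitelist_ok": validate_whitelist(s),
            "blacklist_tags": user_controlled_tags(render_greeting(s, filter_blacklist)),
            "encoded_tags": user_controlled_tags(render_greeting(s, encode_for_html_text)),
        }
    return report


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name!r:14} whitelist={row['whitelist_ok']!s:5} "
              f"blacklist_tags={row['blacklist_tags']} encoded_tags={row['encoded_tags']}")
```

The blacklist passes `<b>Bob</b>` to the browser as live markup because it only knows about one tag; encoding makes every sample inert regardless of what it contains. The whitelist rejects `Tom & Jerry`, which is a reminder that validation decides what is accepted while encoding decides how it is displayed, and the two are not substitutes for each other.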
Let’s hack, again.
Image source: http://www.ekantipur.com
Demo Environment
2nd order SQL injection
What went wrong?
• Best practices
• Input validation / Output encoding
• Whitelist / Blacklist
• Localized fixes
• Code structure
• Default behaviors
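The second-order SQL injection from the demo and the "localized fix" bullet above, as an added example that is not code from the talk. The registration path is fixed with a prepared statement, exactly as the earlier slide recommends, and yet a second code path that reads the stored value back and concatenates it into a new query is still broken: the value went into the database verbatim, so the fix at the entry point protects nothing downstream. The in-memory SQLite schema, the sample name and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample input: a legitimate name containing a single quote.
# It is the simplest value that reveals whether a later query is built safely.
SAMPLE_NAME = "O'Brien"


def setup_db():
    """Two tables: users (written at registration) and audit (written later)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE audit (user_name TEXT, action TEXT)")
    return conn


def register(conn, name):
    """The localized fix: registration uses a prepared statement, so the
    INSERT is safe. The stored value is exactly what the user typed."""
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    return conn.execute("SELECT last_insert_rowid()").fetchone()[0]


def log_action_vulnerable(conn, user_id, action):
    """Elsewhere in the code base the stored name is treated as trusted and
    concatenated into a new query. This is the second-order injection point."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    sql = f"INSERT INTO audit (user_name, action) VALUES ('{name}', '{action}')"
    conn.execute(sql)


def log_action_fixed(conn, user_id, action):
    """Same operation with the data kept out of the query text: every query
    that touches stored values is parameterized, not just the first one."""
    (name,) = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    conn.execute("INSERT INTO audit (user_name, action) VALUES (?, ?)", (name, action))


def demo(name=SAMPLE_NAME):
    """Run both code paths against the same stored value and report the outcome."""
    conn = setup_db()
    user_id = register(conn, name)
    results = {}
    try:
        log_action_vulnerable(conn, user_id, "login")
        results["vulnerable"] = "query ran"
    except sqlite3.OperationalError as exc:
        # The quote in the stored name reshapes the query: here it surfaces as
        # a syntax error, in real code it surfaces as attacker-controlled SQL.
        results["vulnerable"] = f"OperationalError: {exc}"
    log_action_fixed(conn, user_id, "login")
    results["audit_rows"] = conn.execute("SELECT user_name, action FROM audit").fetchall()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detection check a reviewer wants is the one the example encodes: grep the code base for every query built with string formatting, not only the ones that take request parameters. A value that came from the database, a file or another service is still data, and the default behavior of every query helper should be a parameterized statement so that the safe path is the one developers reach for first.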
We hack once again. For real now.