-- Sri Harsha

Keeping a commercial site secure

- Outside-in approach

Agenda

Where do I start !

XSS SQL Injection

Request Forgery

Replay Attacks

Session Management

Open Redirects

Data Validation

Third Party

Integration

Password Storage

Local/Remote file

injection

Access / Role

privileges

Clickjacking

Network Security

Denial Of Service

Transport Layer

Business Logic

Mobile applications

Public API

DDoS

Just Too Many !

Back to basics

Let's state Flipkart's Business in a simple sentence

Back to basics

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

This statement is loaded with assumptions !

Assumptions

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

Raju "pays" 130 Rs

Really ?

Flipkart Payment Gateways Banks

Raju "pays" 130 Rs

Flipkart has multiple payment methods

Flipkart has multiple payment gateway integrations

Flipkart has mobile site and apps

Assumptions

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

Raju pays "130 Rs"

Alrighty !

Raju pays "130 Rs"

Assumptions

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

"Raju" buys Revolution 2020 for 130 Rs

Guess the password

Bruteforce

Hijack Session

Steal the Database

Social Logins

Mobile sites, Mobile Apps ...

Phishing Attacks

Clickjacking

Social Engineering

Try all of the above options

Assumptions

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

Raju buys "Revolution 2020" for 130 Rs

Assumptions

Raju pays 100 + 30 Rupees and buys one copy of "Revolution

2020"

Raju "pays 100 for the book"

Raju pays for "Revolution 2020"

"Raju" buys the book

Raju buys "One copy"

Question each of these assumptions !

Back to Basics

Breaking down assumptions makes easy to visualize the

vulnerabilities

Rinse and repeat

State an assumption

Break it

???

Profit !!!

Repeat

Recap

Questions ?

sharsha@flipkart

@mylittlefinger