slashn
-- Sri Harsha
Keeping a commercial site secure
- Outside-in approach
Agenda
Where do I start !
XSS SQL Injection
Request Forgery
Replay Attacks
Session Management
Open Redirects
Data Validation
Third Party Integration
Password Storage
Local/Remote file injection
Access / Role privileges
Clickjacking
Network Security
Denial Of Service
Transport Layer
Business Logic
Mobile applications
Public API
DDoS
Just Too Many !
Back to basics
Let's state Flipkart's Business in a simple sentence
Back to basics
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
This statement is loaded with assumptions !
Assumptions
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
Raju "pays" 130 Rs
Really ?
Flipkart Payment Gateways Banks
Raju "pays" 130 Rs
Flipkart has multiple payment methods
Flipkart has multiple payment gateway integrations
Flipkart has mobile site and apps
Assumptions
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
Raju pays "130 Rs"
Alrighty !
Raju pays "130 Rs"
Assumptions
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
"Raju" buys Revolution 2020 for 130 Rs
Guess the password
Bruteforce
Hijack Session
Steal the Database
Social Logins
Mobile sites, Mobile Apps ...
Phishing Attacks
Clickjacking
Social Engineering
Try all of the above options
Assumptions
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
Raju buys "Revolution 2020" for 130 Rs
Assumptions
Raju pays 100 + 30 Rupees and buys one copy of "Revolution 2020"
Raju "pays 100 for the book"
Raju pays for "Revolution 2020"
"Raju" buys the book
Raju buys "One copy"
Question each of these assumptions !
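The slides only state the assumptions; the example below, added here and not part of the talk or of any Flipkart code, shows how each one ("Raju" is the buyer, he pays "130 Rs", for "Revolution 2020", "one copy", and the payment actually happened once) becomes a server-side check on the payment-gateway callback rather than something taken from the client. The data model, prices and callback fields are constructed for the example.

```python
"""Turning the talk's assumptions into server-side checks.

Constructed example: the Order/GatewayCallback shapes, the catalog
prices and the SUCCESS status string are hypothetical, not a real
gateway or storefront API.
"""
from dataclasses import dataclass
from decimal import Decimal

# Constructed price list and flat shipping fee: 100 for the book + 30 shipping.
CATALOG = {"revolution-2020": Decimal("100")}
SHIPPING = Decimal("30")


@dataclass
class Order:
    order_id: str
    user_id: str      # who placed the order ("Raju")
    sku: str          # what was bought ("Revolution 2020")
    quantity: int     # how many ("one copy")
    paid: bool = False


@dataclass
class GatewayCallback:
    """What a payment gateway reports back; treated as untrusted input."""
    order_id: str
    txn_id: str
    amount: Decimal
    status: str


def expected_total(order: Order) -> Decimal:
    """Recompute what the order costs from server-side data only."""
    return CATALOG[order.sku] * order.quantity + SHIPPING


def verify_payment(order: Order, cb: GatewayCallback, acting_user: str,
                   seen_txns: set) -> tuple:
    """Check every assumption before marking the order paid.

    Returns (ok, reason). seen_txns holds transaction ids already
    accepted, so a replayed callback cannot pay twice.
    """
    if cb.status != "SUCCESS":
        return False, "gateway did not report success"
    if cb.order_id != order.order_id:
        return False, "callback is for a different order"
    if acting_user != order.user_id:            # "Raju" buys the book
        return False, "order belongs to another user"
    if order.quantity < 1:                      # "one copy"
        return False, "invalid quantity"
    if order.sku not in CATALOG:                # pays for "Revolution 2020"
        return False, "unknown product"
    if cb.txn_id in seen_txns:                  # the payment happened once
        return False, "replayed transaction id"
    if order.paid:
        return False, "order already paid"
    total = expected_total(order)
    if cb.amount != total:                      # pays "130 Rs"
        return False, f"amount mismatch: got {cb.amount}, expected {total}"
    seen_txns.add(cb.txn_id)
    order.paid = True
    return True, "ok"


def demo() -> dict:
    """Run the happy path and three broken assumptions; return the reasons."""
    seen = set()
    good = Order("o-1", "raju", "revolution-2020", 1)
    results = {
        "valid": verify_payment(
            good, GatewayCallback("o-1", "t-1", Decimal("130"), "SUCCESS"), "raju", seen),
        # client-side total tampered down to the shipping fee alone
        "short_paid": verify_payment(
            Order("o-2", "raju", "revolution-2020", 1),
            GatewayCallback("o-2", "t-2", Decimal("30"), "SUCCESS"), "raju", seen),
        # same gateway callback delivered a second time
        "replay": verify_payment(
            good, GatewayCallback("o-1", "t-1", Decimal("130"), "SUCCESS"), "raju", seen),
        # someone other than the order's owner finishing the payment
        "wrong_user": verify_payment(
            Order("o-3", "raju", "revolution-2020", 1),
            GatewayCallback("o-3", "t-3", Decimal("130"), "SUCCESS"), "mallory", seen),
    }
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10} {'PASS' if ok else 'REJECT'}: {reason}")
```

Because every gateway integration ends in the same verify_payment call, the check stays identical no matter which payment method or client (web, mobile site, app) the order came through, which is the point of stating the assumption once and breaking it everywhere.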
Back to Basics
Breaking down assumptions makes it easy to visualize the vulnerabilities
Rinse and repeat
State an assumption
Break it
???
Profit !!!
Repeat
Recap
Questions ?
sharsha@flipkart
@mylittlefinger