Exploiting and Defending: Common Web Application Vulnerabilities

Introduction: Steve Kosten
Principal Security Consultant
SANS Instructor
Denver OWASP Chapter Lead
Certifications: CISSP, GWAPT, GSSP-Java, CISM
Contact: [email protected], @skosten
Introduction: Aaron Cure
Principal Security Consultant
SANS Instructor & Contributing Author
Certifications: CISSP, GSSP.NET, GWAPT, GMOB, GPEN
Contact Info: @curea
Disclaimer
Using real attack tools
Illegal to attack targets without written contractual consent
Obey all state and federal laws
Cypress Data Defense assumes no liability
Agenda
Introduction
A6: Sensitive Data Exposure
A5: Security Misconfiguration
A1: Injection
A3: Cross-Site Scripting (XSS)
A8: Cross-Site Request Forgery (CSRF)
Secure Software Development LifeCycle (SSDLC)
Software Development LifeCycle (SDLC)
• Software Development Life Cycle
• Process for planning, creating, testing, and deploying an information system
Diagram: Requirements → Planning & Design → Development → Verification & Testing → Release
What is a Secure SDLC?
Security considered at each phase
Initial and ongoing Security Training
Overall security is the priority
Testing and evaluation of security throughout
Secure Software Development LifeCycle (SSDLC)
Diagram: security activities in each phase
Security Training: Core Security Training, Specialized Training, Ongoing Training
Requirements: User Stories, Security Stories, Abuse Stories, Risk Analysis
Planning & Design: Risk Analysis, Attack Surface, Threat Modeling
Development: Peer Review, Static Analysis
Verification & Testing: Penetration Testing, Attack Surface Review
Release: Continuous Monitoring, Continuous Feedback
Meet George
Oh, THAT notice…
It Just Gets Worse…
A6: Sensitive Data Exposure
Sensitive Data Exposure occurs when an application does not adequately protect sensitive information. The exposed data varies: passwords, session tokens, credit card data, private health data and more.
A6: Mitigation
HTTPS (TLS Cert)
HTTP Security Headers
HSTS (HTTP Strict Transport Security)
Stack Trace Anyone?
A5: Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
A5: Mitigation
Custom Error Handler
Single Error Message/Page
No Error Information – Including Return Code
Internal Error Logging
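The A6 and A5 mitigation slides above both come down to response hygiene: send the security headers (HSTS among them) on every response, and when something breaks, log the stack trace internally and show the user one generic page. The following is an added example in Python (the deck's own snippets are Java), not code from the talk; `serve`, `healthy_page` and `broken_page` are hypothetical names, the request is a plain dict, and the header values are a constructed strict baseline rather than anything the deck specifies.

```python
import logging
import traceback
import uuid

# Internal log sink: stack traces go here, never into the HTTP response.
logger = logging.getLogger("app.internal")

# Headers the A6 mitigation slide calls for (HSTS plus other security headers).
# Constructed baseline values; tune CSP to the application before deploying.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

# One generic error page for every failure. It carries a random reference id so
# support staff can find the internal log entry, but no exception text, class
# name or stack frame.
GENERIC_ERROR_BODY = "<h1>Something went wrong</h1><p>Reference: {ref}</p>"


def serve(handler, request):
    """Run a page handler and return (status, headers, body).

    `handler(request)` is a hypothetical application callback returning
    (status, body); `request` is a plain dict with a "path" key. Any exception
    is logged internally with a correlation id and mapped to the single
    generic error page.
    """
    headers = dict(SECURITY_HEADERS)
    headers["Content-Type"] = "text/html; charset=utf-8"
    try:
        status, body = handler(request)
    except Exception:
        ref = uuid.uuid4().hex
        logger.error("unhandled error ref=%s path=%s\n%s",
                     ref, request.get("path"), traceback.format_exc())
        return 500, headers, GENERIC_ERROR_BODY.format(ref=ref)
    return status, headers, body


def leaks_error_details(body):
    """Review helper: does a response body look like it carries a stack trace?"""
    markers = ("Traceback", "Exception", " at ", "line ")
    return any(m in body for m in markers)


# Constructed handlers standing in for real pages.
def healthy_page(request):
    return 200, "<p>Hello, George</p>"


def broken_page(request):
    # Mirrors the "What threw the stack trace?" situation: a lookup that blows up.
    return 200, request["params"]["employeeId"]   # KeyError: no such parameter


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for page in (healthy_page, broken_page):
        status, headers, body = serve(page, {"path": "/employee"})
        print(status, body)
```

The slide goes one step further than this code and suggests withholding the return code as well; the example keeps a conventional 500 so that monitoring can still count failures, while the body and headers reveal nothing about the cause.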
What Threw the Stack Trace?
A1: Injection
Injection flaws occur when an application sends untrusted data to an interpreter.
Text-based attacks that exploit the syntax of the targeted interpreter.
Almost any source of data can be an injection vector, including internal sources.
A1: SQL Injection
In The News (Target)
110 million customer records
Email, Mailing addresses, other Personally Identifiable Information (PII)
In The News (Living Social)
50 million customer records
Email, DOB, Password Hashes, Challenge Questions & Answers
A1: Example (1)
Inline SQL (the request parameter is concatenated straight into the query text):

```java
rs = statement.executeQuery(
    "Select EmployeeId, LastName, FirstName, PhoneNumber " +
    "From Employees " +
    "Where EmployeeId = " + request.getParameter("employeeId"));
```

Command Injection (the request parameter is formatted into a command line):

```java
Runtime.getRuntime().exec(String.format("myTestProcess.exe %s",
    request.getParameter("employeeId")));
```
A1: Mitigation
Parameterized Queries
Object-Relational Mappers (ORM)
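To make the difference between the inline query and a parameterized one concrete, here is an added example in Python with SQLite (the deck's snippets are Java/JDBC; this is not code from the talk). The `Employees` rows are constructed, `lookup_inline` reproduces the concatenation from the example slide, `lookup_parameterized` is its bound-parameter counterpart, and `build_process_argv` shows the hardened shape of the command execution: allowlist the value, then pass it as its own argument with no shell involved. `myTestProcess.exe` is the deck's placeholder program name and is never actually run here.

```python
import re
import sqlite3

# Constructed sample rows standing in for the Employees table in the deck's query.
EMPLOYEES = [
    (1, "Costanza", "George", "555-0101"),
    (2, "Benes", "Elaine", "555-0102"),
    (3, "Kramer", "Cosmo", "555-0103"),
]


def _connect():
    """Fresh in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employees (EmployeeId INTEGER, LastName TEXT, "
                 "FirstName TEXT, PhoneNumber TEXT)")
    conn.executemany("INSERT INTO Employees VALUES (?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_inline(employee_id):
    """Vulnerable: the deck's concatenated query, so the value is parsed as SQL."""
    conn = _connect()
    sql = ("SELECT EmployeeId, LastName, FirstName, PhoneNumber FROM Employees "
           "WHERE EmployeeId = " + employee_id)
    return conn.execute(sql).fetchall()


def lookup_parameterized(employee_id):
    """Fixed: a bound parameter is always data; the SQL text never changes."""
    conn = _connect()
    sql = ("SELECT EmployeeId, LastName, FirstName, PhoneNumber FROM Employees "
           "WHERE EmployeeId = ?")
    return conn.execute(sql, (employee_id,)).fetchall()


EMPLOYEE_ID = re.compile(r"^[0-9]{1,9}$")


def is_valid_employee_id(value):
    """Allowlist check: a short decimal number and nothing else."""
    return bool(EMPLOYEE_ID.match(value))


def build_process_argv(employee_id):
    """Hardened counterpart of Runtime.exec(String.format(...)) from the deck:
    validate first, then hand the value over as a separate argv element so no
    shell ever parses it (run with subprocess.run(argv), shell=False)."""
    if not is_valid_employee_id(employee_id):
        raise ValueError("employeeId must be a decimal number")
    return ["myTestProcess.exe", employee_id]


if __name__ == "__main__":
    normal, hostile = "2", "1 OR 1=1"
    print("inline, normal:       ", lookup_inline(normal))
    print("inline, hostile:      ", lookup_inline(hostile))         # every row
    print("parameterized, hostile:", lookup_parameterized(hostile))  # no rows
    print(build_process_argv(normal))
```

The parameterized lookup still accepts the hostile string, it just treats it as a value that matches nothing; the allowlist in `is_valid_employee_id` is the extra layer that turns such input into a logged validation failure instead of a silent empty result.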
Remember Me?
Cross-Site Scripting (XSS)
A3: Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper encoding.
Execute scripts in the victim’s browser
Hijack user sessions
Deface web sites
Redirect the user to malicious sites
In The News (Sears)
In The News (EF)
Site defaced to contain flashing images designed to cause seizures
Some victims required hospital care
Reflected Example
HTML Context:

```jsp
<td><%= request.getParameter("Name") %></td>
```

URL Context:

```jsp
<a href='<%= String.format("details.aspx?id=%s", request.getParameter("Name")) %>'></a>
```

JavaScript Context:

```jsp
<a href='<%= String.format("javascript:redirect('{%s}')", request.getParameter("Name")) %>'>View</a>
```
Exploitation DEMO
Browser Exploitation Framework (BeEF)
http://beefproject.com/
Written in Ruby
Mitigations
Encoding, encoding, encoding
Validation is not the solution
Contexts to consider:
Html, Url, JavaScript
HtmlAttribute, Css, Xml, XmlAttribute
Mitigations (2)
Language Specific Encoding Libraries
HTTP Security Headers: X-XSS-Protection, Content-Security-Policy (CSP)
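The mitigation slides insist on output encoding chosen per context. As an added example (Python, not the deck's JSP), the block below renders the three contexts from the reflected example slide with the encoder each one needs: `html.escape` for the HTML body, percent-encoding for the URL parameter, and the OWASP-style `\xHH`/`\uHHHH` scheme for a JavaScript string. For the JavaScript case it moves the call from a `javascript:` URL into an `onclick` attribute so the two encoding layers (JavaScript inside an HTML attribute) are visible; `render_name_cell`, `render_details_link`, `render_view_link` and the `redirect` function are hypothetical names, and the hostile `name` is constructed.

```python
import html
from urllib.parse import quote


def encode_for_html(value):
    """HTML body or attribute context: escape &, <, >, " and '."""
    return html.escape(value, quote=True)


def encode_for_url(value):
    """URL parameter context: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def encode_for_javascript(value):
    """JavaScript string context: letters and digits untouched, \\xHH for other
    Latin-1 characters, \\uHHHH beyond that (the OWASP-recommended scheme), so
    neither a quote nor </script> can terminate the literal."""
    out = []
    for ch in value:
        if ch.isascii() and ch.isalnum():
            out.append(ch)
        elif ord(ch) < 256:
            out.append("\\x%02X" % ord(ch))
        else:
            out.append("\\u%04X" % ord(ch))
    return "".join(out)


# The three contexts from the reflected example, each with the encoder that fits.
def render_name_cell(name):
    return "<td>" + encode_for_html(name) + "</td>"


def render_details_link(name):
    return "<a href='details.aspx?id=" + encode_for_url(name) + "'>Details</a>"


def render_view_link(name):
    # Attribute holding JavaScript: encode for the inner (JS) context first,
    # then for the outer (HTML attribute) context. The \xHH form consists only
    # of backslashes, letters and digits, so HTML escaping leaves it unchanged
    # and the two layers do not fight each other.
    js = encode_for_javascript(name)
    return '<a href="#" onclick="redirect(\'' + encode_for_html(js) + '\')">View</a>'


if __name__ == "__main__":
    # Constructed hostile input of the kind request.getParameter("Name") could carry.
    name = "George\"><script>alert(1)</script>"
    for render in (render_name_cell, render_details_link, render_view_link):
        print(render(name))
```

Note what the HTML encoder would have done wrong in the other two places: `&lt;` inside a URL parameter is a different value, and a quote character is untouched by `html.escape` in the JavaScript string unless `quote=True` is used, and even then the browser decodes the entity before the script engine sees it. One encoder per context, applied at the point of output, is the whole discipline.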
Cross-Site Request Forgery (CSRF)
In The News (GoDaddy)
Admin console vulnerable to CSRF allowing attackers to perform the following:
Modify automatic renewals
Edit zone files
Name server management
In The News (TP-Link)
Multiple manufacturers
4.5 Million Routers Compromised in Brazil
Cross-Site Request Forgery
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information.
Audit logs will show the user made the transaction
User has no knowledge of the transaction
Cross-Site Request Forgery (CSRF) Example
Multiple Tabs
Authenticated Session
Cross-Site Request Forgery (CSRF) Example (2)
Payload on attack page:

```html
<form id="csrfForm"
      action="http://localhost:8080/csrf/content/vulnerable/changepassword"
      method="POST">
  <input type="hidden" name="newPassword" value="StorageRoomB" />
  <input type="hidden" name="confirmPassword" value="StorageRoomB" />
</form>
```
Cross-Site Request Forgery (CSRF) Example (3)
Request triggered from authenticated session:

```http
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

newPassword=StorageRoomB&confirmPassword=StorageRoomB
```
Cross-Site Request Forgery (CSRF) Example (4)
200 Response from web site:

```http
HTTP/1.1 200 OK

<div class="alert alert-dismissable alert-success">
  <span>Your password was successfully changed.</span>
</div>
```
Exploitation DEMO
Simple JavaScript Post
CSRF Mitigations
Random nonce for each request
Anti-Forgery Tokens
CSRF Guard (OWASP Project)
Browsers looking at headers (e.g., Origin)
Cross-Site Request Forgery (CSRF) Mitigation (1)
Payload with incorrect csrf token:

```html
<form id="csrfForm"
      action="http://localhost:8080/csrf/content/vulnerable/changepassword"
      method="POST">
  <input type="hidden" name="newPassword" value="StorageRoomB" />
  <input type="hidden" name="confirmPassword" value="StorageRoomB" />
  <input type="hidden" name="_csrf" value="103ae2a3-d4d6-46e9-8ba6-92188ff998c2" />
</form>
```
Cross-Site Request Forgery (CSRF) Mitigation (2)
Request with invalid token submitted:

```http
POST /csrf/content/vulnerable/changepassword HTTP/1.1
Host: localhost:8080
Cookie: JSESSIONID=2E7F523BE6E086F5EEB593B2B69842D2
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

newPassword=StorageRoomB&confirmPassword=StorageRoomB&_csrf=103ae2a3-d4d6-46e9-8ba6-92188ff998c2
```
Cross-Site Request Forgery (CSRF) Mitigation (3)
403 response from web site:

```http
HTTP/1.1 403 Forbidden

<div class="alert alert-dismissable alert-danger">
  <span>java.lang.NullPointerException</span>
</div>
```
Secure Software Development LifeCycle (SSDLC)
Diagram: security activities in each phase
Security Training: Core Security Training, Specialized Training, Ongoing Training
Requirements: User Stories, Security Stories, Abuse Stories, Risk Analysis
Planning & Design: Risk Analysis, Attack Surface, Threat Modeling
Development: Peer Review, Static Analysis
Verification & Testing: Penetration Testing, Attack Surface Review
Release: Continuous Monitoring, Continuous Feedback
Secure Lifecycle
Involve security through lifecycle
Security Training
Requirements
Design
Automated testing during implementation
Manual testing of critical security components during implementation
Secure Code Review and Penetration Testing
What Can I Do TODAY?
Security Headers
Parameterized Queries/ORM
Treat Untrusted Data Appropriately
Questions?
Aaron
Twitter: @curea
Email: [email protected]
Steve
Twitter: @skosten
Email: [email protected]
Thanks for attending!
Cypress Data Defense, LLC
https://www.cypressdefense.com
[email protected] @curea
[email protected] @skosten
(720) 588-8133