SlideShare a Scribd company logo

Varun-Subtle_Security_flaws

Download as PPT, PDF
G
guest66dc5f

Varun Sharma from Microsoft India identifies 5 common authentication and authorization flaws in web applications: 1. Custom authentication is implemented instead of using proven system methods. 2. Rule-based authorization is not considered, with authorization relying only on disabling UI elements. 3. Input validation only checks for blacklisted characters instead of whitelisting allowed values. 4. Cryptography is improperly implemented without understanding what security mechanisms provide. 5. Applications are vulnerable to denial of service attacks from excessive automated requests.

TechnologyBusiness
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation Flaw – 4 Improper use of Crypto Flaw – 5 App layer DOS attack
Site implements custom forms authentication Buggy code Demo
Principles:- Use well known and time tested, system provided methods for authentication. Avoid writing custom authentication code.
Authorization implemented by disabling UI Rule based authorization not considered Demo
Principles:- Do not rely on UI for authorization Disabled buttons is not authorization Consider rule based authorization in your design
Only set of bad characters are checked for Becomes vulnerable in special situations Demo
Principles:- Validate for valid allowed values (white list) If white list validation is not possible, Encode to prevent XSS Parameterize to prevent SQL Injection…
Not knowing what services are provided by what mechanisms For example, what services do Digital Signatures provide? Demo
Product 1 ‘s Site Product 2 ‘s Site Product 3 ‘s Site Central Payment Site Signed XML POST
Principles:- Know what service each mechanism provides Do not implement crypto mechanisms yourself Use system provided methods
Book movie ticket Screen 1 for User 1
Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- … . Click to Book
Book movie ticket Screen 1 for User 2
Book movie ticket Screen 1 for User 2 after 7 minutes
Principles:- Use CAPTCHA to avoid automated attacks Design with security in mind
 

More Related Content

PPT
Computer viruses
nkosana cusson ngwenya
 
PDF
Computer hardware software and firmware
nafisarayhana1
 
PDF
Foca_sbatc
guest66dc5f
 
PPT
01_Day_1_Oxburgh
guest66dc5f
 
PPT
arma05-era
guest66dc5f
 
PDF
Golfphotos
guest66dc5f
 
PPT
Media and Public Health Law
guest66dc5f
 
PPT
05_Day_1_Lackner
guest66dc5f
 
Computer viruses
nkosana cusson ngwenya
 
Computer hardware software and firmware
nafisarayhana1
 
Foca_sbatc
guest66dc5f
 
01_Day_1_Oxburgh
guest66dc5f
 
arma05-era
guest66dc5f
 
Golfphotos
guest66dc5f
 
Media and Public Health Law
guest66dc5f
 
05_Day_1_Lackner
guest66dc5f
 

Similar to Varun-Subtle_Security_flaws (20)

PDF
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
 
PDF
Psdot 19 four factor password authentication
ZTech Proje
 
PPTX
[OPD 2019] Inter-application vulnerabilities
OWASP
 
PPTX
Security testing
Khizra Sammad
 
PPT
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PDF
The Immune System of Internet
Mohit Kanwar
 
PPT
Security Testing for Mobile and Web Apps
DrKaramHatim
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PDF
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
PPTX
Ways to protect From Keyloggers!
Multisoft Virtual Academy
 
PPT
Security Testing
ISsoft
 
PPTX
Security of LLM APIs by Ankita Gupta, Akto.io
Nordic APIs
 
PPTX
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Precisely
 
PPT
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
PPT
Two way authentication
sree valli
 
PPT
Two way authentication
sree valli
 
PDF
a famework for analyzing template security and privacy in biometric authenti...
ZTech Proje
 
PPT
Ethical_Hacking_ppt
Narayanan
 
PPTX
Automation Attacks At Scale
Mayank Dhiman
 
PPTX
ransomware keylogger rootkit.pptx
dawitTerefe5
 
"Inter- application vulnerabilities. hunting for bugs in secure applications"...
PROIDEA
 
Psdot 19 four factor password authentication
ZTech Proje
 
[OPD 2019] Inter-application vulnerabilities
OWASP
 
Security testing
Khizra Sammad
 
Sql securitytesting
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
The Immune System of Internet
Mohit Kanwar
 
Security Testing for Mobile and Web Apps
DrKaramHatim
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
The 5 Layers of Security Testing by Alan Koch
QA or the Highway
 
Ways to protect From Keyloggers!
Multisoft Virtual Academy
 
Security Testing
ISsoft
 
Security of LLM APIs by Ankita Gupta, Akto.io
Nordic APIs
 
Combat Passwords on Post-Its with Multi-Factor Authentication for IBM i
Precisely
 
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
Two way authentication
sree valli
 
Two way authentication
sree valli
 
a famework for analyzing template security and privacy in biometric authenti...
ZTech Proje
 
Ethical_Hacking_ppt
Narayanan
 
Automation Attacks At Scale
Mayank Dhiman
 
ransomware keylogger rootkit.pptx
dawitTerefe5
 
Ad

More from guest66dc5f (20)

PPT
Os Timed Original
guest66dc5f
 
PPT
Control your entire house with your iPhone
guest66dc5f
 
PPT
Awesome car collection
guest66dc5f
 
PPT
Freaky car number plates
guest66dc5f
 
PDF
David-FPGA
guest66dc5f
 
PPT
Sunil-Hacking_firefox
guest66dc5f
 
PDF
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
PPT
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 
PDF
WHITEPAPER-7_years_of_Indian_Cyber_Law
guest66dc5f
 
PPT
Rohas-7_years_of_indian_cyber_laws
guest66dc5f
 
PDF
David-FPGA
guest66dc5f
 
PDF
Shreeraj-Hacking_Web_2
guest66dc5f
 
PPT
Dror-Crazy_toaster
guest66dc5f
 
PDF
Ajit-Legiment_Techniques
guest66dc5f
 
PPT
CostofWarinIraq
guest66dc5f
 
PDF
NR-golf-sept07
guest66dc5f
 
PDF
NR-golf-sept07
guest66dc5f
 
PDF
golf
guest66dc5f
 
PDF
longisland_golf_07
guest66dc5f
 
PDF
GolfLakeCity_002
guest66dc5f
 
Os Timed Original
guest66dc5f
 
Control your entire house with your iPhone
guest66dc5f
 
Awesome car collection
guest66dc5f
 
Freaky car number plates
guest66dc5f
 
David-FPGA
guest66dc5f
 
Sunil-Hacking_firefox
guest66dc5f
 
Rahul-Analysis_of_Adversarial_Code
guest66dc5f
 
Chetan-Mining_Digital_Evidence_in_Microsoft_Windows
guest66dc5f
 
WHITEPAPER-7_years_of_Indian_Cyber_Law
guest66dc5f
 
Rohas-7_years_of_indian_cyber_laws
guest66dc5f
 
David-FPGA
guest66dc5f
 
Shreeraj-Hacking_Web_2
guest66dc5f
 
Dror-Crazy_toaster
guest66dc5f
 
Ajit-Legiment_Techniques
guest66dc5f
 
CostofWarinIraq
guest66dc5f
 
NR-golf-sept07
guest66dc5f
 
NR-golf-sept07
guest66dc5f
 
golf
guest66dc5f
 
longisland_golf_07
guest66dc5f
 
GolfLakeCity_002
guest66dc5f
 
Ad

Recently uploaded (20)

PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
PPTX
Modernising the Digital Integration Hub
Daniel Toomey
 
PDF
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PDF
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPT
What is a Computer? Input Devices /output devices
GulJan8
 
PPTX
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
PPTX
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
PDF
Hybrid model detection and classification of lung cancer
IAESIJAI
 
PPTX
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
PDF
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
PDF
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Developing a website for English-speaking practice to English as a foreign la...
IAESIJAI
 
Modernising the Digital Integration Hub
Daniel Toomey
 
TrustArc Webinar - Click, Consent, Trust: Winning the Privacy Game
TrustArc
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Web App vs Mobile App What Should You Build First.pdf
KodekX
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
Univ-Connecticut-ChatGPT-Presentaion.pdf
ry7r52mzb4
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
What is a Computer? Input Devices /output devices
GulJan8
 
MicrosoftCybserSecurityReferenceArchitecture-April-2025.pptx
SilvioHayashi
 
TLE Review Electricity (Electricity).pptx
JayPolicarpio2
 
Hybrid model detection and classification of lung cancer
IAESIJAI
 
observCloud-Native Containerability and monitoring.pptx
anupsingh76937
 
2021 HotChips TSMC Packaging Technologies for Chiplets and 3D_0819 publish_pu...
KeXue5
 
ENT215_Completing-a-large-scale-migration-and-modernization-with-AWS.pdf
ssuser28425f
 

Varun-Subtle_Security_flaws

  • 1. Varun Sharma Application Consulting and Engineering (ACE) Team, Microsoft India
  • 2. Flaw – 1 Custom Authentication Flaw – 2 Lack of Rule based Authorization Flaw – 3 Black list input validation Flaw – 4 Improper use of Crypto Flaw – 5 App layer DOS attack
  • 3. Site implements custom forms authentication Buggy code Demo
  • 4. Principles:- Use well known and time tested, system provided methods for authentication. Avoid writing custom authentication code.
  • 5. Authorization implemented by disabling UI Rule based authorization not considered Demo
  • 6. Principles:- Do not rely on UI for authorization Disabled buttons is not authorization Consider rule based authorization in your design
  • 7. Only set of bad characters are checked for Becomes vulnerable in special situations Demo
  • 8. Principles:- Validate for valid allowed values (white list) If white list validation is not possible, Encode to prevent XSS Parameterize to prevent SQL Injection…
  • 9. Not knowing what services are provided by what mechanisms For example, what services do Digital Signatures provide? Demo
  • 10. Product 1 ‘s Site Product 2 ‘s Site Product 3 ‘s Site Central Payment Site Signed XML POST
  • 11. Principles:- Know what service each mechanism provides Do not implement crypto mechanisms yourself Use system provided methods
  • 12. Book movie ticket Screen 1 for User 1
  • 13. Book movie ticket Screen 2 for User 1 You have 7 minutes left Enter Payment details:- Name:- Credit Card Number:- Address:- … . Click to Book
  • 14. Book movie ticket Screen 1 for User 2
  • 15. Book movie ticket Screen 1 for User 2 after 7 minutes
  • 16. Principles:- Use CAPTCHA to avoid automated attacks Design with security in mind
  • 17.  

Editor's Notes

  • #2: I will be presenting five subtle and interesting flaws in applications.