Web Application Security | A developer's perspective - Insecure Direct Object References


Published on February 27, 2014

Author: null0x00

Source: slideshare.net

Description

null Bangalore Feb 2014 meet
Author: Vamsi Krishna

Web Application Security - The pitfalls and the brick walls
A developer's perspective - Insecure Direct Object References

What exactly is it about?
- Authentication and authorization
- Insecure Direct Object References
- Why does it happen?
- How to fix it?

Authentication - Who are you?
- Authentication is the process of identifying you.
- It is the first step in securing any application or system.
- The usual flow is that the user explicitly tells the system who they are by providing their login credentials.

Authorization - What are you?
- Authorization is the process of determining what permissions the authenticated user has in the current system.
- Obviously, it starts after authentication.
- Authorization is usually initiated by the system/application on behalf of an authenticated user, by fetching that user's permission set from a data store.

Insecure Direct Object References
- It is a design flaw: the system designer/developer expects the user to follow the rules set by the system, but builds no infrastructure to protect sensitive assets and data when the user does not.
- This vulnerability is usually exploited by an already authenticated user with some level of access to the system.
- Such a user can reach sensitive data by changing the parameters passed to the server (for example an object identifier) to those of the object they are trying to access.

Why does it happen?
- A thought process generally referred to as security through obscurity: assuming users will not guess or alter identifiers they were not given.
- Fear of the cost involved in authorizing the user on every request.
- General lack of awareness and oversight.

How to fix this?
- Perform authorization checks for every request made by the user.
- Use cryptographic hashes like MD5 to prevent data manipulation by the user.
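An added example, not part of the original slides, showing the vulnerable pattern beside both fixes from the slide above. The data store, user names and document ids are constructed; in place of the plain MD5 the slide mentions, the reference is protected with an HMAC over (user, id) under a server-side key, since an unkeyed hash can be recomputed by anyone who knows the scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample store: document id -> (owner, body). Hypothetical data.
DOCUMENTS = {
    101: ("alice", "Alice's tax return"),
    102: ("bob", "Bob's medical record"),
}

class Forbidden(Exception):
    """Raised when the caller may not reach the requested object."""

def get_document_insecure(user, doc_id):
    # Vulnerable pattern: the handler trusts the id the client sent and only
    # checks that the object exists, so any logged-in user can read any record.
    return DOCUMENTS[doc_id][1]

def get_document(user, doc_id):
    # Fix 1: authorize on every request against the object's owner. A missing
    # object and someone else's object get the same answer, so the id space
    # cannot be mapped by telling the two cases apart.
    owner, body = DOCUMENTS.get(doc_id, (None, None))
    if owner != user:
        raise Forbidden(f"{user} may not access document {doc_id}")
    return body

# Fix 2: hand out references the client cannot alter. Keyed HMAC instead of the
# slide's plain MD5, bound to the user the reference was issued to.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret

def _tag(user, doc_id):
    msg = f"{user}:{doc_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def make_reference(user, doc_id):
    """Opaque reference to embed in links or forms for this user."""
    return f"{doc_id}:{_tag(user, doc_id)}"

def get_document_by_reference(user, ref):
    doc_id_str, _, tag = ref.partition(":")
    if not doc_id_str.isdigit() or not hmac.compare_digest(tag, _tag(user, doc_id_str)):
        raise Forbidden("reference was altered or issued to another user")
    # The tag checks out, but the ownership check still runs: integrity of the
    # reference is not a substitute for authorization.
    return get_document(user, int(doc_id_str))
```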
