Overview
Syllabus
Intro
What is this web
Browsers!
How can I see what a browser is doing?
Setting up your Browser Proxy.
What is an HTTP Request?
URL Structure
COOOKIES YOU SAY?
HTML Responses
Attacker Mentality
Who is your threat?
What do you want to get?
How will you get it?
Insufficient Authentication Tips
Insufficient Authorization
Authorization Tips & Tricks
Session Hijacking (Session Fixation)
Cross Site Scripting (XSS)
XSS EXAMPLE
Common XSS Test Strings
XSS Analysis
What is SQL?
Common SQLi Uses
SQL Injection Workflow
Cross Site Request Forgery (CSRF)
CSRF Attack Scenario
Quick Bonuses