Web & Cloud Security in the Real World
Madhu Akula @madhuakula

Post on 11-Apr-2017

TRANSCRIPT

Page 1: Web & Cloud Security in the real world

Web & Cloud Security in the Real World

Madhu Akula @madhuakula

Page 2: Web & Cloud Security in the real world

Madhu Akula - Profile
• Information Security Researcher
• Chapter Lead & Speaker, null
• Acknowledged by US Department of Homeland Security
• Found bugs in Google, Microsoft, Yahoo, Adobe, etc.
• Open Source Contributor
• Interested in Automation & DevOps
• Never ending learner!

www.madhuakula.com

Page 3: Web & Cloud Security in the real world

This is for educational purposes only; I am not responsible for any illegal activities done by anyone.

Page 4: Web & Cloud Security in the real world

Let’s talk about Social Engineering

Page 5: Web & Cloud Security in the real world

My Experience!

Page 6: Web & Cloud Security in the real world

Fake Emails

Page 7: Web & Cloud Security in the real world

Demo

Page 9: Web & Cloud Security in the real world

Sample Web Architecture

Page 11: Web & Cloud Security in the real world

Common Web Attacks
• Cross Site Scripting (XSS)
• SQL Injection
• Information Disclosure
• Remote Code Execution

Recent:
• Cross Site Port Attacks
• Reflected File Download
• Etc.

Page 12: Web & Cloud Security in the real world

SQL Injection
• SQL Injection is one of the most used vectors when malicious people want to create a new botnet.
• SQL injection occurs when untrusted data is sent to an interpreter as part of a command.
• It can allow an attacker to take control of the database.

Page 13: Web & Cloud Security in the real world

SQL Injection Attack
• Number plate to foil an automatic license plate scanner!
• An attack which allows SQL to be executed as part of the input.
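The untrusted-data-in-a-command point above, as an added example written for this summary (not code from the talk): the same login query built by string splicing and as a parameterized query, against a constructed in-memory SQLite table, so the difference in what the interpreter executes is visible.

```python
import sqlite3

# Constructed sample database (example data, not from the talk).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn

def login_vulnerable(conn, username, password):
    # Untrusted input is spliced into the command text, so the interpreter
    # cannot tell data from SQL: this is the flaw the slide describes.
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(query).fetchall()

def login_safe(conn, username, password):
    # Parameterized query: the SQL text is fixed and the values are passed
    # separately, so a quote in the input is just a character in a string.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"  # a password value that changes the query's logic
    print(login_vulnerable(db, "alice", crafted))  # every row comes back
    print(login_safe(db, "alice", crafted))        # [] - no such password
    print(login_safe(db, "alice", "s3cret"))       # [('alice', 'admin')]
```

Because AND binds tighter than OR, the spliced query becomes `(username = 'alice' AND password = '') OR '1'='1'`, which is true for every row; the parameterized version never reinterprets the input as SQL.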

Page 15: Web & Cloud Security in the real world

Cross Site Scripting
• An XSS flaw occurs whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
• XSS allows attackers to execute scripts in the victim’s browser, which can hijack user sessions, deface web sites, or redirect users to malicious sites.

Page 16: Web & Cloud Security in the real world

Example
• One of the most infamous examples is the MySpace Samy worm: in less than a day it gained more than a million friends and MySpace had to be shut down.
• An XSS bug on a website's registration page can enable theft of registration details.
• There are many exploitation frameworks for this vulnerability, like BeEF, Xenotix, etc.

Page 17: Web & Cloud Security in the real world

Information Disclosure
• Good security requires having a secure configuration defined and deployed for the applications, frameworks, application server, web server, database server, and platform.

Page 18: Web & Cloud Security in the real world

Example
Network Solutions were offering WordPress installation on a shared server. The main configuration file wp-config.php was world readable. This caused a mass hack of WordPress-based websites.

Page 19: Web & Cloud Security in the real world

Remote Code Execution

An attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.

Page 20: Web & Cloud Security in the real world

Recent Popular Zero Days

• Java Deserialization Vulnerability
• Venom Vulnerability
• Beast Vulnerability
• Poodle Vulnerability
• Heartbleed Vulnerability
• Shell Shock Vulnerability
• Etc.

SSL Related

Page 21: Web & Cloud Security in the real world

Demo

Page 22: Web & Cloud Security in the real world

Let’s talk about Cloud

Page 23: Web & Cloud Security in the real world
Page 25: Web & Cloud Security in the real world

App Insecurity Scenario

• App has a Local File Inclusion bug
• The AWS root credentials are being used
• They are stored in a world readable file on the server
• Attacker reads the credentials and starts multiple large instances to mine bitcoins
• Victim saddled with a massive bill at the end of the month

http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014

Page 26: Web & Cloud Security in the real world

Infra Insecurity Scenario

• MySQL production database is listening on an external port
• Developers work directly on the production database and require SQL management software
• They log in using the root user of the MySQL database server and a simple password
• Attacker runs a brute-force script, cracks the password, and gains full access to the database

http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014

Page 27: Web & Cloud Security in the real world

Heartbleed

https://xkcd.com/1354/

Page 28: Web & Cloud Security in the real world
Page 29: Web & Cloud Security in the real world
Page 30: Web & Cloud Security in the real world
Page 31: Web & Cloud Security in the real world

Data Insecurity Scenario

• Database is getting backed up regularly.
• Due to performance reasons, the database wasn’t encrypted when initial backups were done.
• Dev team moves to newer SSDs and doesn’t decommission the older HDDs.
• Attacker finds the older HDDs, does forensics for data recovery and sells the data for profit.

http://www.slideshare.net/akashm/security-in-the-cloud-workshop-hstc-2014

Page 32: Web & Cloud Security in the real world

10 Steps for Cloud
• Enumerate all the network interfaces
• List all the running services
• Harden each service separately based on best practices
• Secure remote access for server management (SSH, RDP)
• Check operating system patch levels

Page 33: Web & Cloud Security in the real world

• Harden networking parameters of the kernel (Linux)
• Enable a host firewall
• Do an inventory of all user accounts on the server and audit them
• Enable centralized logging
• Enable encryption on disks, storage, etc.
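As an added defender-side check written for this summary (not the talk's own material), this script covers the "list all the running services" step above together with two of the scenarios earlier in the deck: the world-readable wp-config.php and AWS credentials files, and the MySQL server listening on an external interface. The `ss -ltn` output, the allow list of ports expected to face the network, and the candidate file paths are all constructed assumptions.

```python
import os
import stat

# Constructed sample in the layout of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       80      0.0.0.0:3306        0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       511     *:80                *:*
"""

# Assumption: only these ports are expected to face the network on this host.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

def parse_listeners(ss_text):
    """Return (address, port) pairs for each LISTEN row of ss -ltn output."""
    listeners = []
    for line in ss_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)  # handles [::]:22 and *:80 too
        listeners.append((addr, int(port)))
    return listeners

def exposed_services(ss_text, allowed=ALLOWED_PUBLIC_PORTS):
    """Ports bound to every interface that are not on the allow list."""
    return sorted(
        port for addr, port in parse_listeners(ss_text)
        if addr in WILDCARD_ADDRS and port not in allowed
    )

def world_readable_mode(mode):
    """True if the 'other' read bit is set (0o644 is the wp-config.php case)."""
    return bool(mode & stat.S_IROTH)

def world_readable_files(paths):
    """Subset of existing paths whose mode grants read access to everyone."""
    return [p for p in paths
            if os.path.exists(p) and world_readable_mode(os.stat(p).st_mode)]

if __name__ == "__main__":
    print("exposed ports:", exposed_services(SAMPLE_SS_OUTPUT))  # [3306]
    # Assumption: typical locations of the secrets the scenarios mention.
    candidates = ["/var/www/html/wp-config.php",
                  os.path.expanduser("~/.aws/credentials")]
    print("world-readable secrets:", world_readable_files(candidates))
```

On a real host, feed it the live output of `ss -ltn` and the actual secret-file paths; the loopback-only Redis listener is correctly ignored, while MySQL on 0.0.0.0:3306 is reported.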

Page 34: Web & Cloud Security in the real world

Misuses of Cloud (Recent Attacks)

http://thehackernews.com/

Page 35: Web & Cloud Security in the real world
Page 36: Web & Cloud Security in the real world

Resources
• null – null.co.in
• Security Tube – securitytube.net
• OWASP – owasp.org
• CSA – cloudsecurityalliance.org
• Google – google.com

Page 37: Web & Cloud Security in the real world

My info while I answer your questions

Madhu Akula
Information Security Researcher

www.madhuakula.com
Twitter: @madhuakula

[email protected] | +91-9676865642