The OWASP Foundation
AppSec DC
http://www.owasp.org
Automated vs. Manual: You can’t filter The Stupid
Charles Henderson and David Byrne, Trustwave
OWASP
What is “The Stupid”?
- Does not refer to people
- Defies technical definition
- A vulnerability that is not a result of programmatic error
- Astoundingly simple, yet critically dangerous
Industry Application Security Offerings
Automated:
- Web application scanners
- Code review tools
- Web app firewalls
- Intrusion Prevention Systems (IPS)

Manual:
- Application penetration test
- Code review
Automated vs. Manual: Advantages
Advantages of automated solutions:
- Low incremental cost
- Minimal training
- Potentially 24/7 protection

Advantages of manual solutions:
- No false positives
- Guaranteed code coverage
- Ability to identify complex vulnerabilities
- Understand business logic
- Acts like a determined attacker
- Can combine vulnerabilities
Ever-changing Threats
- Everyone knows about SQL Injection, XSS, etc.
- OWASP Top Ten was never intended as a complete list
- Simple vulnerabilities are easy to exploit, easy to find, and easy to fix
- Absence of simple vulnerabilities is not sufficient protection
- Criminals can improve their skills too
What Automated Solutions Miss
Theoretical:
- Logic flaws (business and application)
- Design flaws
- The Stupid

Practical:
- Difficulty interacting with Rich Internet Applications (RIA)
- Complex variants of common attacks (SQL Injection, XSS, etc.)
- Cross-Site Request Forgery (CSRF)
- Uncommon or custom infrastructure
- Authorization enforcement
- Abstract information leakage
Real World Automation Results
Only Discoverable Through Code Review
- Back-doors
- Very complex vulnerabilities
- Unusual SQL Injection points
- Exotic injection
- Secondary / indirect attacks
- Insecure data storage
- Currently unexploitable best-practices violations
Code Disclosure Possibilities
- Infrastructure vulnerabilities (e.g. Java source code disclosure)
- Directory traversal vulnerability (application or infrastructure)
- Public leakage (email, anonymous FTP, etc.)
- Internal attack
- Malicious developers
Examples
- Design flaws
- Logic flaws
- Insecure data storage
- Authentication / authorization bypass
- Combined vulnerabilities
- Source code review only
- Complex attacks
- Information leakage
- The Stupid
- The Very Stupid
Design Flaws: No Human Validation
AKA: “Someone setup us the bomb”
Design Flaws: It rhymes with “Lando"
Design Flaws: Internal Probes
Design Flaws: SQL Execution
```http
POST /request.asp HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: text/xml
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: insecure.example.com
Content-Length: 600
Connection: Keep-Alive
Cache-Control: no-cache

<xml><data>2357A529BABC8462F263E971F29132B6EE25957364A60AC60A35108971E0225D3E26B87DD804EA765CC2EF200B7C97CE31375DE59129C6FF5D472EEF48A90A1296DB00A69742F2F4981E88969FE6C6635A7C593386D0F27FE7BA4D0D8ADEE1F4CBF085179A05254A803C3012AFC9EB8A0CF4C0E570EACC2FD825900539A0AD4EA6FB83742D7DD6EDABD</data><cust_name>asm</cust_name><cfg_inf></cnfg_inf></xml>
```
Logic Flaws: Shopping Cart Manipulation
Logic Flaws: Data Theft
Insecure Data Storage: Grade “A” Encryption
```csharp
using System.Management;
using System.Text;

// Key derivation as shown on the slide: the "encryption key" is simply the
// ASCII form of the first IP-enabled adapter's MAC address, which any local
// user or process can read (ipconfig /all), and which carries at most 48 bits
// of entropy. The cast on the MacAddress line is parenthesised so the snippet
// compiles; the behaviour is the slide's.
private static byte[] GetEncryptionKey()
{
    ManagementClass mc = new ManagementClass("Win32_NetworkAdapterConfiguration");
    ManagementObjectCollection moc = mc.GetInstances();
    string add = "";
    foreach (ManagementObject mo in moc)
    {
        if ((bool)mo["IPEnabled"] == true)
        {
            add = ((string)mo["MacAddress"]).Replace(":", null);
            break;
        }
    }
    return Encoding.ASCII.GetBytes(add);
}
```
Insecure Data Storage: Encryp– What?
Excerpts from the reviewed source (line numbers are those of the reviewed file):

```c
Line 17: ReadConfFile(secName, "ip_addr", "10.3.5.11", ipAddr, 39);

Line 71: ReadConFile("db_server", "user", "sa", db_user, 20);
Line 72: ReadConFile("db_server", "pwd", "", db_pwd, 20);

Line 46: strcpy(_pan, "4721█████████████ ");
Line 47: strcpyl(pmt, "4721█████████████ ", 19);
```

Default database credentials of `sa` with an empty password, and a hard-coded card number (PAN) copied into a buffer in clear text.
Authentication Bypass: Centralized Security
Through the front controller (authentication is checked here):

http://www.example.com/main.php?page=report.php

Requesting the included page directly (no check):

http://www.example.com/report.php
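The bypass above, rebuilt as an added example (not code from the slides or from the application the speakers reviewed): a toy front controller in Python in which only `main.php` checks the session, so a direct request for `report.php` skips the check. The page names, handler functions, session shape and the two fixes are assumptions for illustration.

```python
from typing import Callable, Dict


def report_page(ctx: dict) -> str:
    """report.php: renders data and assumes main.php already verified the login."""
    return "REPORT for " + ctx["session"].get("user", "anonymous")


# The include table doubles as an allowlist for ?page= (including the raw
# parameter would also be a local file inclusion bug).
PAGES: Dict[str, Callable[[dict], str]] = {"report.php": report_page}


def main_php(ctx: dict) -> str:
    """main.php: the single place where authentication is enforced."""
    if not ctx["session"].get("user"):
        return "302 redirect to login"
    handler = PAGES.get(ctx["params"].get("page", ""))
    return handler(ctx) if handler else "404"


def route_vulnerable(path: str, params: dict, session: dict) -> str:
    """As deployed: every script under the web root is directly requestable,
    so GET /report.php never passes through main.php and its check."""
    ctx = {"params": params, "session": session}
    if path == "main.php":
        return main_php(ctx)
    handler = PAGES.get(path)
    if handler:
        return handler(ctx)          # no authentication on this path
    return "404"


def route_fixed(path: str, params: dict, session: dict) -> str:
    """Fix: authenticate before dispatching any path at all, and never expose
    include-only files as URLs of their own."""
    ctx = {"params": params, "session": session}
    if not session.get("user"):
        return "302 redirect to login"
    if path == "main.php":
        return main_php(ctx)
    return "404"                     # report.php is reachable only via main.php?page=
```

In a real PHP deployment the equivalent of `route_fixed` is a rewrite rule that sends every request through the front controller and keeps include-only files outside the document root (or guards each of them with a constant that only `main.php` defines).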
Combined Vulnerabilities:
How shall I own thee? Let me count the ways.
Combined Vulnerabilities: Code Disclosure
Source Code Review Only: SQL Injection
The query is built by concatenating the `sort` and `sortDir` parameters into the ORDER BY clause, outside any quoted context:

```javascript
query = 'SELECT transID, time, descr, client ' +
        'FROM transactions ' +
        'ORDER BY upper(' + sort + ') ' + sortDir
```

Request used to confirm it:

http://serve.example.com/grid/uReport.asp?sort=descr,(select+1+from+information_schema.tables+where+1=1+and+1=1/0))+--+&sortDir=ASC

Decoded, `sort` becomes `descr,(select 1 from information_schema.tables where 1=1 and 1=1/0)) --`: the extra `)` closes `upper(`, and the division by zero only runs when the subquery does, which is what makes the error usable as a signal.
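The same ORDER BY construction, rebuilt as an added example (not the slide's code) on an in-memory SQLite table with constructed rows, beside the allowlisted version that is the only sound fix for identifiers. SQLite returns NULL for `1/0` instead of raising, so the slide's error-based probe is replaced here by an ordering oracle: the injected sort key depends on a condition, and the row order leaks whether the condition held. Table name, columns and rows are assumptions.

```python
import sqlite3

# Constructed sample data, not the slide's database.
ROWS = [
    (1, "2009-11-10 09:00", "wire", "acme"),
    (2, "2009-11-10 10:00", "ach", "globex"),
    (3, "2009-11-10 11:00", "card", "initech"),
]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE transactions(transID INTEGER, time TEXT, descr TEXT, client TEXT)")
    db.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", ROWS)
    return db


def query_vulnerable(db: sqlite3.Connection, sort: str, sort_dir: str) -> list:
    """Same construction as the slide's ASP: identifiers concatenated into ORDER BY."""
    sql = ("SELECT transID, time, descr, client FROM transactions "
           "ORDER BY upper(" + sort + ") " + sort_dir)
    return [row[0] for row in db.execute(sql)]


def oracle_payload(condition_sql: str) -> str:
    """Attacker-supplied sort expression: when the condition is true the rows
    come back sorted by descr, otherwise by transID, so the order answers a
    yes/no question about anything the database user can read."""
    return "CASE WHEN (" + condition_sql + ") THEN descr ELSE transID END"


ALLOWED_SORT = {"transID", "time", "descr", "client"}
ALLOWED_DIR = {"ASC", "DESC"}


def query_safe(db: sqlite3.Connection, sort: str, sort_dir: str) -> list:
    """Column names and keywords cannot be bound as parameters, so the fix is
    an allowlist: anything not on it is rejected before it reaches SQL."""
    direction = sort_dir.upper()
    if sort not in ALLOWED_SORT or direction not in ALLOWED_DIR:
        raise ValueError("rejected sort parameters: %r %r" % (sort, sort_dir))
    sql = ("SELECT transID, time, descr, client FROM transactions "
           "ORDER BY upper(%s) %s" % (sort, direction))
    return [row[0] for row in db.execute(sql)]
```

A scanner fuzzing `sort` with quote-based payloads sees no error here, because the parameter was never inside a string literal; the reviewer sees the concatenation in one glance.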
Complex Attacks: XML Entity Expansion
Complex Attacks: Blind SQL Injection & FTP
http://www3.example.com/reports/monthly.aspx?client='%3b+EXEC+xp_cmdshell+'bcp+master..sysobjects+out+c%3a%5cinetpub%5cftproot%5csysobjects.txt+-c+-t%2c+-T+-S'+--+

Decoded, the `client` parameter is `'; EXEC xp_cmdshell 'bcp master..sysobjects out c:\inetpub\ftproot\sysobjects.txt -c -t, -T -S' --`. The injection itself is blind (nothing comes back in the page), so the query results are written with `bcp` into the anonymous FTP root and fetched from there.
Complex Attacks: Code Injection
https://sec.example.com/store/order.html?sessionid=jd4J9M3dj&itemquantity=1&itemid=608454asdf[]
https://sec.example.com/store/order.html?sessionid=jd4J9M3dj&itemquantity=1&itemid=608454%22+]+[perl]return+%22***+This+came+from+Perl+***%22;[/perl][a%3d%22
" ] [perl]return "*** This came from Perl ***";[/perl][a="
The Stupid
The Stupid: Defense In-Depth
The "fix" applied after a scanner report:

```vbnet
'2007-11-27 If single quote is at the
'start of the search string, replace it
'with an empty string
'refer to scanner report
If uQuery.IndexOf("'") = 0 Then
    uQuery = uQuery.Substring(1, uQuery.Length - 1)
End If
```
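What that filter buys, as an added example (not the slide's code): a Python port of the leading-quote check applied to a constructed product search on an in-memory SQLite table, beside the parameterised query that should have been written instead. Table, columns and rows are assumptions.

```python
import sqlite3

# Constructed sample rows, not the reviewed application's data.
PRODUCTS = [(1, "widget"), (2, "gadget"), (3, "internal price list")]


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products(id INTEGER, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)", PRODUCTS)
    return db


def strip_leading_quote(u_query: str) -> str:
    """The slide's filter: a quote is removed only when it is the very first
    character (IndexOf = 0). A quote anywhere else passes through untouched."""
    if u_query.find("'") == 0:
        return u_query[1:]
    return u_query


def search_vulnerable(db: sqlite3.Connection, u_query: str) -> list:
    """String-built LIKE query guarded only by strip_leading_quote()."""
    sql = ("SELECT id FROM products WHERE name LIKE '%"
           + strip_leading_quote(u_query) + "%'")
    return [row[0] for row in db.execute(sql)]


def search_fixed(db: sqlite3.Connection, u_query: str) -> list:
    """Bind the value as a parameter. LIKE metacharacters are escaped too, so
    the caller cannot turn a substring search into a match-everything search."""
    escaped = (u_query.replace("\\", "\\\\")
                      .replace("%", "\\%")
                      .replace("_", "\\_"))
    sql = "SELECT id FROM products WHERE name LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]
```

Scanner payloads that begin with a quote are exactly what the filter strips, so a rescan comes back clean while `x' OR 1=1 --` still returns every row.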
The Stupid: Privilege Escalation
```http
POST https://pass.example.com:443/esp/PassChange.do HTTP/1.1
Host: pass.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) Firefox/3.0.4
Referer: https://pass.example.com/esp/ForcePassChange.do
Cookie: JSESSIONID=nF2T1yhBmfk0RXKQ2xZTt1zPN7f7lN6s7PJXQ2NYKz
Content-Type: application/x-www-form-urlencoded
Content-length: 187

acctId=31218&username=dbyrnepentest&passNew=test123123&passNewConfirm=test123123&siteRole=7&firstName=David&lastName=Byrne
```

The password-change form posts the account ID and a `siteRole` field alongside the new password; the client picks its own role.
The Stupid: Arbitrary Uploads
The uploaded file:

```asp
<% response.write("Hello World!") %>
```
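What an upload handler has to check before a file like that gets anywhere near the web root, as an added example (not code from the slides or the application shown): a Python validator that allowlists extensions, requires the content to match the extension, drops any client-supplied path and lets the server choose the stored name. The magic-number table, allowed types and naming scheme are assumptions.

```python
import os
import secrets

# extension -> leading bytes the content must start with (constructed table)
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def validate_upload(client_filename: str, data: bytes) -> tuple:
    """Return (ok, reason). The extension must be on the allowlist and the
    content must agree with it. There is deliberately no denylist of
    'dangerous' extensions: that is the list that always misses one
    (.asp, .aspx, .asa, .cer, ...)."""
    # strip any client-supplied path, Windows or POSIX separators alike
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not name or name.startswith("."):
        return (False, "bad name")
    _, dot, ext = name.lower().rpartition(".")
    if not dot or ext not in ALLOWED_TYPES:
        return (False, "extension not allowed: " + ext)
    if not data.startswith(ALLOWED_TYPES[ext]):
        return (False, "content does not match " + ext)
    return (True, ext)


def storage_name(ext: str) -> str:
    """Server-chosen name: the client's filename never reaches the file system."""
    return secrets.token_hex(16) + "." + ext
```

The magic-number check does not stop a polyglot (a valid JPEG header with script appended), so the control that actually matters is where the file lands: a directory outside the web root, or one the server is configured never to execute, served back through a handler that sets the Content-Type from the allowlist rather than from the stored name.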
Authentication Lottery
- After ~20 bad logins, it works
- Major COTS software vendor

```
if (failedLogins > rand(10) + 15)
{
    authenticated = true;
}
```
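How quickly that lottery pays out, as an added example (not the vendor's code): a Python port of the condition above, driven with a wrong password until it lets the attacker in, beside a replacement that counts failures in order to lock out rather than to let in. `rand(10)` is taken to return 0..9 (an assumption; the slide does not say), and the user table, salt and lockout threshold are constructed for the example.

```python
import hashlib
import hmac
import random


def lottery_check(failed_logins: int, password_ok: bool, rng: random.Random) -> bool:
    """Port of the slide's pseudocode: enough failures flip authenticated to true."""
    authenticated = password_ok
    if failed_logins > rng.randrange(10) + 15:
        authenticated = True
    return authenticated


def lottery_check_seeded(failed_logins: int, seed: int) -> bool:
    """lottery_check with a wrong password and a seeded generator (for tests)."""
    return lottery_check(failed_logins, False, random.Random(seed))


def failures_until_accepted(seed: int) -> int:
    """Keep sending a wrong password and return how many failures it took.
    The threshold is 15 + rand, so the answer always lies between 16 and 26."""
    rng = random.Random(seed)
    failed = 0
    while not lottery_check(failed, False, rng):
        failed += 1
    return failed


# --- replacement: failures lock the account, they never open it -----------
MAX_FAILURES = 5
SALT = b"constructed-per-user-salt"       # assumption; use a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class LoginService:
    def __init__(self, users: dict):
        self.hashes = {u: hash_password(p) for u, p in users.items()}
        self.failures = {u: 0 for u in users}

    def login(self, user: str, password: str) -> str:
        if user not in self.hashes:
            return "denied"
        if self.failures[user] >= MAX_FAILURES:
            return "locked"               # no attempt is evaluated once locked
        if hmac.compare_digest(self.hashes[user], hash_password(password)):
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"
```

A scanner that tries a handful of credentials and moves on never reaches the sixteenth failure; a tester who keeps going because the lockout never comes finds it within a minute.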
The Very Stupid
The Very Stupid: Awesome Exploit
```http
POST https://secure.example.com:443/Coupon.aspx HTTP/1.1
Host: secure.example.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US;
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://secure.example.com/CartSummary.aspx
Cookie: FDCX=RVLAXGDGJSQX634; [email protected]
Content-Type: application/x-www-form-urlencoded
Content-length: 69

FreePurchase=yes&Command=use-coupon&CouponNumber=11111111111111111111
```

Highlighted on the slide: `FreePurchase=yes`
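The `siteRole=7` password change and the `FreePurchase=yes` coupon request are the same mistake seen twice: the server binds a field that only it should decide. As an added example (not code from the slides or the applications shown), the two request bodies are reused below with a vulnerable and a fixed handler for each; the account record, session, hashing salt and coupon table are assumptions.

```python
import hashlib
from urllib.parse import parse_qs

# Bodies as captured on the slides.
PASS_CHANGE_BODY = ("acctId=31218&username=dbyrnepentest&passNew=test123123"
                    "&passNewConfirm=test123123&siteRole=7&firstName=David&lastName=Byrne")
COUPON_BODY = "FreePurchase=yes&Command=use-coupon&CouponNumber=11111111111111111111"
SALT = b"constructed-per-user-salt"        # assumption; use a random per-user salt


def parse_form(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


# --- PassChange.do ---------------------------------------------------------
def pass_change_vulnerable(account: dict, body: str) -> dict:
    """Every posted field, acctId and siteRole included, is written onto the record."""
    updated = dict(account)
    updated.update(parse_form(body))
    return updated


USER_EDITABLE = ("firstName", "lastName")


def pass_change_fixed(accounts: dict, session: dict, body: str) -> dict:
    """The account comes from the session, the role is never read from the
    form, and only an explicit allowlist of fields is bound."""
    form = parse_form(body)
    account = accounts[session["acctId"]]           # not form["acctId"]
    if form.get("passNew") != form.get("passNewConfirm"):
        raise ValueError("password confirmation mismatch")
    updated = dict(account)
    updated["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", form["passNew"].encode(), SALT, 100_000).hex()
    for field in USER_EDITABLE:
        if field in form:
            updated[field] = form[field]
    return updated


# --- Coupon.aspx -----------------------------------------------------------
COUPONS = {"SAVE10": 10}                   # constructed: code -> percent off


def coupon_total_vulnerable(cart_total: int, body: str) -> int:
    """Honours a client-supplied FreePurchase flag."""
    form = parse_form(body)
    if form.get("FreePurchase") == "yes":
        return 0
    percent = COUPONS.get(form.get("CouponNumber", ""), 0)
    return cart_total - cart_total * percent // 100


def coupon_total_fixed(cart_total: int, body: str) -> int:
    """The discount is derived server-side from the coupon code alone; every
    other posted field is ignored."""
    form = parse_form(body)
    if form.get("Command") != "use-coupon":
        raise ValueError("unknown command")
    percent = COUPONS.get(form.get("CouponNumber", ""), 0)
    return cart_total - cart_total * percent // 100
```

Neither bug produces an error, an odd response or a known payload signature, which is why a scanner walks straight past both; a tester who reads the parameter names asks what happens when they change.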
Conclusion
- Over 90% of ecommerce PCI breaches are from application flaws
- Application security is not a percentage game; one missed flaw is all it takes
- Vulnerabilities can come from more than one avenue:
  - Acquisitions
  - Old or dead code
  - Third-party libraries
- Beware of zombies
Thank You!