Hacking Web Services (Web Servislerinin Hacklenmesi), Ömer Çıtak
Web Servislerinin Hacklenmesi (Hacking Web Services)
Ömer Çıtak
XIII. BiLMÖK, 2017
whoami
Security Researcher @ Netsparker Ltd.
Developer @ Another Times
Writer @ Ethical Hacking “Offensive & Defensive” Book
Blog: omercitak.com
All Social Platform: @Om3rCitak
http
?
apple
http web service
vocabulary
● API => Application Programming Interface
● REST => REpresentational State Transfer
● RESTful => REpresentational State Transfer ful
● GET, POST, PATCH/PUT, OPTIONS, DELETE
● Route
● Basic Authentication
● 200, 201, 400, 401 etc.
● Proxy
restful routes
OWASP Mobile Top 10
1. Improper Platform Usage
2. Insecure Data Storage
3. Insecure Communication
4. Insecure Authentication
5. Insufficient Cryptography
6. Insecure Authorization
7. Client Code Quality
8. Code Tampering
9. Reverse Engineering
10. Extraneous Functionality
OWASP Mobile Top 10
Insecure Data Storage
This new category is a combination of M2 + M4 from Mobile Top Ten 2014. This covers insecure data storage and unintended data leakage.
OWASP Mobile Top 10
Insecure Communication
This covers poor handshaking, incorrect SSL versions, weak negotiation, cleartext communication of sensitive assets, etc.
OWASP Mobile Top 10
Insecure Authentication
This category captures notions of authenticating the end user or bad session management. This can include:
● Failing to identify the user at all when that should be required
● Failure to maintain the user's identity when it is required
● Weaknesses in session management
OWASP Mobile Top 10
Insufficient Cryptography
The code applies cryptography to a sensitive information asset. However, the cryptography is insufficient in some way. Note that anything and everything related to TLS or SSL goes in M3. Also, if the app fails to use cryptography at all when it should, that probably belongs in M2. This category is for issues where cryptography was attempted, but it wasn't done correctly.
OWASP Mobile Top 10
Insecure Authorization
This is a category to capture any failures in authorization (e.g., authorization decisions in the client side, forced browsing, etc.). It is distinct from authentication issues (e.g., device enrolment, user identification, etc.).
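The Insecure Authentication and Insecure Authorization slides above, as an added example that is not part of the talk: a minimal handler for one RESTful route (from the vocabulary slide: route, Basic Authentication, status codes) that first identifies the caller and then checks, on the server, that the caller owns the requested resource. The users alice/bob, the `/users/<id>/profile` route and the `X-Role` header a client might send are all constructed for this example.

```python
import base64
import re
from hmac import compare_digest

# Constructed credential store; a real service stores password hashes, not cleartext.
USERS = {"alice": "s3cret", "bob": "hunter2"}
# Constructed resources: each /users/<id>/profile belongs to exactly one user.
PROFILES = {1: {"owner": "alice"}, 2: {"owner": "bob"}}
ROUTE = re.compile(r"^/users/(\d+)/profile$")

def authenticate(headers):
    """HTTP Basic Authentication (M4): return the verified username or None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # bad base64 or bad UTF-8
        return None
    expected = USERS.get(user)
    if expected is None or not compare_digest(expected.encode(), password.encode()):
        return None
    return user

def handle_insecure(method, path, headers):
    """Vulnerable: trusts a client-supplied role and never checks ownership (M6)."""
    m = ROUTE.match(path)
    if not m or method != "GET":
        return 404, None
    if headers.get("X-Role") == "admin" or authenticate(headers):
        return 200, PROFILES.get(int(m.group(1)))
    return 401, None

def handle_secure(method, path, headers):
    """Hardened: identify the user (M4), then authorize against the resource (M6)."""
    m = ROUTE.match(path)
    if not m or method != "GET":
        return 404, None
    user = authenticate(headers)
    if user is None:
        return 401, None                      # who are you?
    profile = PROFILES.get(int(m.group(1)))
    if profile is None:
        return 404, None
    if profile["owner"] != user:              # forced browsing to another id
        return 403, None                      # authenticated, but not allowed
    return 200, profile

def basic(user, password):  # constructed helper: build an Authorization header value
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```

Note that the hardened handler ignores the `X-Role` header entirely: a role or ownership claim that arrives from the client is data, not a decision.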
demo
where is the security?
thanks
www.omercitak.com
All Social Platform: @Om3rCitak