Finally Stop Doing it! Analysis of Typical Vulnerabilities in Web-Based HMIs

Application Security Researcher, Independent

Talk language: Russian. Difficulty: Middle.

This talk will focus on the main software issues and security weaknesses in the web-based HMIs of devices of different types and from different fields, which the speaker audited and analyzed over the last few years. Using real-world examples, the presentation will cover the common security problems in web interfaces, their logic, and their interrelations with other application components such as APIs or the administrator interface. Although most of the security issues discussed are well-known and extensively documented errors that can easily be avoided, application developers keep making the same mistakes again and again. Predominantly this happens because of a poor understanding of application architecture and design, and a lack of knowledge among software developers about the causes of security flaws. The result is application vulnerabilities that can be exploited even by low-skilled attackers. The talk will discuss the most common flaws that yield such vulnerabilities and attacks as CSRF, XSS, Improper Access Control and Authentication Bypass, as well as their possible consequences. These security flaws are often rated "critical" because of their severity and their tremendous potential impact on the entire scope of the application. Note that code examples for specific programming languages will not be presented. The primary attention will be paid to the causes of security flaws and to general recommendations and advice applicable to web applications; this allows a wider range of issues to be covered in a limited period of time.