MOBILE COMPUTING
Web Applications (Introduction, Architecture and Security)
Lecture 10
Instructor: Mazhar Hussain
INTRODUCTION TO WEB
- Web features: client/server, HTTP, HyperText Markup Language (HTML), URL addresses
- Web server: a computer program that is responsible for accepting HTTP requests from clients and serving them HTTP responses
- Web application: a dynamic extension of a web or application server

WEB APPLICATIONS & COMPONENTS
- Two types of web applications: presentation-oriented (HTML, XML pages) and service-oriented (web services)
- Web components provide the dynamic extension capabilities for a web server: Java servlets, JSP pages, web service endpoints
WEB APPLICATION INTERACTION
- [client] sends an HTTP request to the web server
- [web server] converts the HTTP request into an HttpServletRequest; this object is delivered to a web component, which can interact with JavaBeans or a database to generate dynamic content
- [web component] generates an HttpServletResponse or passes the request to another web component
- [web server] converts the HttpServletResponse into an HTTP response and returns it to the client

WEB APPLICATION INTERACTION (diagram slide)
WEB COMPONENTS
- Servlets: Java classes that dynamically process requests and construct responses
- JSP pages: text-based documents that execute as servlets but allow a more natural approach to creating static content
- Appropriate usage: servlets for service-oriented applications and control functions; JSP for generating text-based markup (HTML, SVG, WML, XML)

JAVA WEB APPLICATION TECHNOLOGIES
- Java Servlet technology is the foundation of all the web application technologies (diagram slide)
WEB CONTAINERS
- Web components are supported by the services of a runtime platform called a web container
- In J2EE, a web container "implements the web component contract of the J2EE architecture"
- Web container services: request dispatching, security, concurrency, life-cycle management, naming, transactions, APIs

WEB CONTAINER EXAMPLES
- Non-commercial: Apache Tomcat, Jetty
- Commercial: Sun Java System Application Server, BEA WebLogic Server, Oracle Application Server, WebSphere
- Open source: JBoss
DEPLOYMENT
- Web components have to be installed, or deployed, to the web container
- Aspects of web application behaviour can be configured during application deployment
- The configuration information is maintained in an XML file called a web application deployment descriptor

WEB APPLICATION DEVELOPMENT
- A web application consists of: web components, static resource files (such as images), helper classes and libraries
- The process for creating and running a web application is different from that of traditional stand-alone Java classes
DEVELOPMENT CYCLE
1. Develop the web component code
2. Develop the web application deployment descriptor
3. Compile the web application components and the helper classes referenced by the components
4. Optionally package the application into a deployable unit
5. Deploy the application into a web container
6. Access a URL that references the web application

WEB MODULES
According to the Java EE architecture and the Java Servlet Specification:
- Web components and static web content files such as images are called web resources
- A web module is the smallest deployable and usable unit of web resources
- A web module corresponds to a web application
- A web module has a specific structure
WEB MODULE STRUCTURE
- The top-level directory of a web module is the document root of the application
- The document root contains: JSP pages, client-side classes, client-side archives, static web resources
- The document root contains a subdirectory /WEB-INF/ holding:
  - web.xml: the web application deployment descriptor
  - lib: JAR archives of libraries called by server-side classes
  - classes: server-side classes (servlets, utility classes, JavaBeans components)
  - tags: tag files, which are implementations of tag libraries
WEB APPLICATION ARCHITECTURE

CLIENT SERVER MODEL (diagram slide)
SERVER APPLICATIONS (SOFTWARE)
- Management and maintenance of data, including user login data and application data
- Data processing
- Centralized access via login

CLIENT APPLICATIONS (SOFTWARE)
- Provides the user interface
- Stores some settings
- Can do some data processing
- Little to no application data storage
- Same view of the data no matter where you log in

CLIENT-SERVER ADVANTAGES
- Centralized data storage
- No data redundancy (no duplication of data)
- Reduces data dependencies: if data is stored on each user's system and each system is different, then the data depends on how the user's system is designed, and data cannot be shared easily if such dependencies exist
CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
- Network: Local Area Network (LAN) covering the local office branch
- Server: mainframe-like server in the back running a custom banking system
- Client: Windows PC with a client interface for each bank teller
- Data is the same no matter which teller you go to
- Data is NOT the same if you go to another branch unless the servers exchanged some data at night

CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
The obvious future:
- Change the LAN to a wide area network covering all the branches
- Get rid of the individual servers at each branch
- Have clients connect to a central server where ALL the banking data is stored

CLASSIC EXAMPLE: EARLY BANKING SYSTEMS
The obvious problems:
- Large banks could have thousands of tellers connecting to the central server
- Combining data from all branches requires servers with lots of storage capacity
- Branch data could be stored in different formats: lack of standardization
3-TIERED SYSTEMS

3-TIERED SYSTEM
- Database tier (database server): data storage and low-level data manipulation
- Server tier (application server): manages client connections and data processing
- Client tier (client software installed locally): user interface and some data processing

ADVANTAGE OF 3-TIER SYSTEMS
- A central database server is accessed by multiple application servers; in turn, each application server can independently manage thousands of users
- The database server is specially designed to do its job: database operations (update, insert, remove, etc.), with lots of disk storage and memory needed
- Application servers can be added to support more users or DIFFERENT APPLICATIONS; server operations are complex, application-dependent computations
INTERNET VS. WWW
- The Internet is the infrastructure that makes the WWW work: packet switching, the TCP/IP protocol, and the physical infrastructure (fiber-optic lines, wires, satellites, cable modems, routers, hubs, network cards, WiFi systems, etc.)
- The WWW is just one of many virtual networks built on the Internet: websites (http, https, etc.), mail (pop, imap, etc.), other systems (ftp, instant messaging, etc.)
- Note: even to this day, companies have private virtual networks that use the Internet but are proprietary and locked down

WWW: THE ULTIMATE CLIENT-SERVER SYSTEM
- Already standardized
- Built on the widest area network you could imagine, i.e., the Internet
- Standardized clients that are free to use: IE, Firefox, Safari, etc.
- Lots of servers already in place: Apache, Windows Server (IIS), etc.
- Database servers: umm, this was initially missing
FIRST WEB APPLICATIONS
- 1993: Rob McCool proposed a framework called CGI (Common Gateway Interface)
- Data passed from a web browser to the server: GET (passed via URL variables), POST (passed via HTML forms)
- The web server daemon (httpd) could then make remote system calls
- Example: the web server could run a C++ program and write the output to the public HTML folder; the web server would then send a response back with the location of the output

FIRST WEB APPLICATIONS
- Using CGI, the web server could run C++ programs, Perl programs, Fortran programs
- C++ has library functions that allow you to connect to a number of different databases: Oracle, Sybase, DB2

FIRST WEB APPLICATIONS
- Problem: to develop web applications you need to know exactly how your server is configured, HTML forms, GET and POST conventions, C++ database libraries, and the SQL language

FIRST MAJOR IMPROVEMENT
- 1995: JJ Allaire developed a hack that allowed a web server to communicate with other systems, namely a database system
- Key: instead of using a middle-man (C++, Perl, Java, etc.), the developer could add code directly to their web pages
- Using a special markup language, this code could be embedded in any web page
- Worked seamlessly with HTML forms
- The server processes the code directly
WEB APPLICATION SECURITY

OVERVIEW
- Background
- Web app vulnerabilities
- Securing web apps

BACKGROUND
HTTP: HYPERTEXT TRANSFER PROTOCOL
- Hypertext Transfer Protocol (HTTP) is a communications protocol for the transfer of information on intranets and the World Wide Web
- Its original purpose was to provide a way to publish and retrieve hypertext pages over the Internet
- (Diagram: the client PC sends a request to the server on port 80 and receives a response)

HTTP REQUEST - GET
- Form data is encoded in the URL
- Most common HTTP method used on the web
- Should be used to retrieve information, not for actions that have side-effects
HTTP REQUEST - GET (example request as transcribed; the request URL, host and version numbers did not survive the transcription)
GET HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*; q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:

HTTP REQUEST - GET (continuation: a real-world GET URL whose query string carries several nested layers of percent-encoded search URLs, transcribed as on the slide)
2coff%3D1%26rls%3DGGLG%252CGGLG%253A %252CGGLG%253Aen%26q%3Dhttp%253A%252F%252Fwww.google.com%252Fsearch%253Fhl %253Den%2526lr%253D%2526c2coff%253D1%2526rls%253DGGLG%25252CGGLG%25253A %25252CGGLG%25253Aen%2526q%253Dhttp%25253A%25252F%25252Fwww.google.com%252 52Fsearch%25253Fsourceid%25253Dnavclient%252526ie%25253DUTF- 8%252526rls%25253DGGLG%25252CGGLG%25253A %25252CGGLG%25253Aen%252526q%25253Dhttp% A% F% Fwww% Egoogle% Ecom% Fsearch% Fsourceid% Dnavclient% i e% dutf% d8% rls% dgglg% cgglg% a2005% D26% CGGLG% Aen% q% Dhttp% A% F% Fuk2% Emultimap% Ecom% Fmap% Fbro wse% ecgi% fclient% dpublic% gride% d% D0% E12640% GridN% D51% E50860% lon% D% D0% E12640% lat% D51% E50860% search% Fresult% DLondon% CGreater% London% db% Dfreegaz% cidr% Fclient% Dnone% lang% D% place% DLondon% CGreater% BLondon% pc% D% advanced% D% client% Dpublic% addr2% D% quicksear ch% dlondon% addr3% d% scale% d % addr1% D%2526btnG%253DSearch%26btnG%3DSearch&btnG=Search
HTTP REQUESTS - POST
- Data is included in the body of the request
- Should be used for any action that has side-effects: storing/updating data, ordering a product, etc.

HTTP REQUESTS - POST (example request as transcribed; the request URL, host and version numbers did not survive the transcription)
POST HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv: ) Gecko/ Firefox/
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer:

catid=1
FAMOUS QUOTE OF THE DAY
"Every program has at least two purposes: the one for which it was written, and another for which it wasn't." - Alan J. Perlis

GET V. POST SECURITY
- The information contained in parameters can tell a user a lot about how your application works
- GET parameters are easily visible in the address bar
- POST parameters are hidden from the average user, but users can still view the source code, view the packets, and intercept and modify web requests
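To make the GET/POST distinction concrete from the server's side, here is an added example (not code from the lecture) that parses a raw HTTP request, pulls form data out of the URL for GET and out of the body for POST, and merges both into one set of untrusted parameters. It also decodes nested percent-encoding layer by layer, which is what the long GET URL above needs before its contents become readable. The sample requests, the host name example.test and the helper names are constructed for this example.

```python
import urllib.parse
from typing import Dict, List

# Constructed sample requests (not captured traffic); example.test is a placeholder host.
SAMPLE_GET = (
    "GET /search?q=hello%20world&ref=http%253A%252F%252Fexample.test%252F HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (constructed)\r\n"
    "\r\n"
)
SAMPLE_POST = (
    "POST /cart/add HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 13\r\n"
    "\r\n"
    "catid=1&qty=2"
)


def parse_http_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into request line, headers and parameters.

    Hypothetical helper for this page. GET form data is read from the query
    string of the request target; POST form data is read from the body when
    the Content-Type says it is URL-encoded.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    query_params = urllib.parse.parse_qs(query, keep_blank_values=True)
    body_params: Dict[str, List[str]] = {}
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        body_params = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {
        "method": method, "path": path, "version": version, "headers": headers,
        "query": query_params, "body": body_params,
    }


def untrusted_parameters(req: Dict[str, object]) -> Dict[str, List[str]]:
    """Merge query and body parameters: both come from the client, so both need validation."""
    merged: Dict[str, List[str]] = {}
    for source in ("query", "body"):
        for key, values in req[source].items():
            merged.setdefault(key, []).extend(values)
    return merged


def decode_layers(value: str, max_layers: int = 10) -> List[str]:
    """Percent-decode repeatedly until the value stops changing, returning every layer.

    Nested encodings like the long GET URL on the slide only reveal what they
    carry after several rounds of decoding; a validator that inspects only the
    first layer sees something different from what a later consumer decodes.
    """
    layers = [value]
    for _ in range(max_layers):
        decoded = urllib.parse.unquote(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers


if __name__ == "__main__":
    get_req = parse_http_request(SAMPLE_GET)
    print(get_req["method"], get_req["path"], untrusted_parameters(get_req))
    print(decode_layers(get_req["query"]["ref"][0]))
    post_req = parse_http_request(SAMPLE_POST)
    print(post_req["method"], post_req["path"], untrusted_parameters(post_req))
```

The point of `untrusted_parameters` is that the server code that validates input should not care whether a value arrived in the address bar or in the body: the slide's "users can still intercept and modify web requests" applies equally to both, so hiding a parameter in a POST body buys no security.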
WEB SITES
- No applications
- Static pages
- Hard-coded links
- (Diagram: browser and web server)

WEB APPLICATIONS
- Web services
- Very complex architectures, multiple platforms, multiple protocols
- (Diagram: browser, over HTTP across the network or wireless, reaches the web servers (presentation layer), which call the application server (business logic), which uses the database server (core business data); services shown include customer identification, media store, content services, access controls and transaction information)

WEB APPLICATIONS BREACH THE PERIMETER
- (Diagram: Internet, DMZ, trusted inside, corporate inside)
- The browser speaks HTTP(S) to the web servers (IIS, SunOne, Apache); the outer firewall allows HTTP on port 80 and HTTPS on port 443
- The next firewall only allows applications on the web server to talk to the application server (ASP.NET, WebSphere, Java)
- The inner firewall only allows the application server to talk to the database server (SQL, Oracle, DB2)
WHY WEB APPLICATION VULNERABILITIES OCCUR
- Security professionals don't know the applications: "As a network security professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution but don't know if it's protecting what it's supposed to."
- The web application security gap
- Application developers and QA professionals don't know security: "As an application developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."

WEB APPLICATION VULNERABILITIES
"If builders built buildings the way programmers wrote programs, then the first woodpecker that came along would destroy civilization." - Weinberg's Second Law

WEB APPLICATION VULNERABILITIES
- Technical vulnerabilities: the result of insecure programming techniques; mitigation requires code changes; detectable by scanners (slide annotation: p0wned )</ script>&price=)
- Logical vulnerabilities: the result of insecure program logic, most often due to poor decisions regarding trust; mitigation often requires design/architecture changes; detection often requires humans to understand the context
WEB APPLICATION VULNERABILITIES
Web application vulnerabilities occur in multiple areas:
- Platform: known vulnerabilities
- Administration: extension checking, common file checks, data extension checking, backup checking, directory enumeration, path truncation, hidden web paths, forceful browsing
- Application: application mapping, cookie manipulation, custom application scripting, parameter manipulation, reverse directory traversal, brute force, cookie poisoning/theft, buffer overflow, SQL injection, cross-site scripting

WEB APPLICATION VULNERABILITIES - PLATFORM
- Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
- Most easily defendable of all web vulnerabilities
- MUST have streamlined patching procedures

WEB APPLICATION VULNERABILITIES - ADMINISTRATION
(Extension checking, common file checks, data extension checking, backup checking, directory enumeration, path truncation, hidden web paths, forceful browsing)
- Less easily corrected than known issues
- Require increased awareness
- More than just configuration: must be aware of security flaws in the actual content
- Remnant files can reveal applications and versions in use
- Backup files can reveal source code and database connection strings
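The administration findings above (remnant and backup files, configuration left where the server will serve it) and the web module structure described earlier can be checked mechanically before deployment. The following is an added example, not part of the lecture and not a tool from any servlet container: it walks a module's document root, skips WEB-INF and META-INF (which a servlet container does not serve directly), and reports backup/archive remnants and configuration files that sit in the served tree. The suffix lists, the function names and the sample module layout are assumptions constructed for this example.

```python
import os
import tempfile
from typing import Dict, List

# File name patterns that typically mark editor, backup or archive remnants (constructed list).
REMNANT_SUFFIXES = (".bak", ".old", ".orig", ".tmp", ".swp", "~", ".zip", ".tar", ".gz", ".sql")
# Configuration files that belong under WEB-INF, where the container will not serve them.
CONFIG_NAMES = ("web.xml",)
CONFIG_SUFFIXES = (".properties",)


def audit_document_root(root: str) -> Dict[str, List[str]]:
    """Walk a web module's document root and report deployment hygiene findings.

    Hypothetical checker for this page. WEB-INF and META-INF are skipped because
    a servlet container does not serve their contents directly; anything else in
    the document root is reachable by URL, so remnants and config copies there matter.
    """
    findings: Dict[str, List[str]] = {"missing": [], "remnants": [], "exposed_config": []}
    if not os.path.isfile(os.path.join(root, "WEB-INF", "web.xml")):
        findings["missing"].append("WEB-INF/web.xml")
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in ("WEB-INF", "META-INF")]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if name in CONFIG_NAMES or name.endswith(CONFIG_SUFFIXES):
                findings["exposed_config"].append(rel)
            elif name.endswith(REMNANT_SUFFIXES):
                findings["remnants"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_module() -> str:
    """Create a constructed web module layout in a temp dir, with a few deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="webmodule-")
    files = [
        "index.jsp", "images/logo.png",
        "WEB-INF/web.xml", "WEB-INF/lib/helper.jar", "WEB-INF/classes/app/Login.class",
        "index.jsp.bak",        # editor backup left in the served tree
        "old/site.zip",         # archive of a previous release
        "admin/db.properties",  # connection settings outside WEB-INF
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("sample\n")
    return root


def build_empty_root() -> str:
    """A document root with no WEB-INF at all, to show the 'missing descriptor' finding."""
    return tempfile.mkdtemp(prefix="emptymodule-")


if __name__ == "__main__":
    print(audit_document_root(build_sample_module()))
    print(audit_document_root(build_empty_root()))
```

Run this against the exploded WAR directory (or the build output that becomes the WAR) as a pre-deployment gate; a non-empty `remnants` or `exposed_config` list is exactly the "remnant files reveal versions" and "backup files reveal connection strings" problem the slide describes, found before a directory-enumeration scan finds it for you.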
WEB APPLICATION VULNERABILITIES - APPLICATION
(Application mapping, cookie manipulation, custom application scripting, parameter manipulation, reverse directory traversal, brute force, cookie poisoning/theft, buffer overflow, SQL injection, cross-site scripting)
- Application programming: common coding techniques do not necessarily include security
- Input is assumed to be valid, but not tested
- Unexamined input from a browser can inject scripts into a page for replay against later visitors
- Unhandled error messages reveal application and database structures
- Unchecked database calls can be piggybacked with a hacker's own database call, giving direct access to business data through a web browser
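The three application-level defects on this slide (untested input, leaked error messages, piggybacked database calls, plus script injection into the page) can be shown side by side with their fixes. The following is an added example written for this page, not the lecture's own code; it uses an in-memory SQLite table with constructed product rows, and the function names are assumptions. The vulnerable functions keep the defects the slide describes so the difference is visible; the hardened ones validate the input's type, bind it as a query parameter, encode it before it enters HTML, and return a generic status instead of the database error text.

```python
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Build a small in-memory product table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "Widget", 9.99), (2, "Gadget", 19.99), (3, "Gizmo", 29.99)],
    )
    return conn


def find_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """Input is assumed valid and pasted into the SQL text: the defect the slide names."""
    sql = "SELECT id, name, price FROM products WHERE id = " + product_id
    return conn.execute(sql).fetchall()


def find_product_hardened(conn: sqlite3.Connection, product_id: str) -> List[Tuple]:
    """Validate the input's type, then bind it as a parameter so it is never parsed as SQL."""
    if not product_id.isdigit():
        raise ValueError("product id must be a non-negative integer")
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()


def lookup(conn: sqlite3.Connection, product_id: str) -> Tuple[str, List[Tuple]]:
    """Request-handler style wrapper: reject bad input and never return DB error text to the client."""
    try:
        return "ok", find_product_hardened(conn, product_id)
    except ValueError:
        return "rejected", []
    except sqlite3.Error:
        # Log the details server-side; the client only gets a generic status,
        # so the error cannot reveal the database structure.
        return "error", []


def render_search_vulnerable(term: str) -> str:
    """Unexamined input echoed into the page: markup in the term becomes markup in the page."""
    return "<p>Results for: " + term + "</p>"


def render_search_hardened(term: str) -> str:
    """HTML-encode untrusted text before it enters the page body."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_product_vulnerable(db, "2"))
    print(find_product_vulnerable(db, "2 OR 1=1"))  # the piggybacked condition returns every row
    print(lookup(db, "2"), lookup(db, "2 OR 1=1"))  # ('ok', [...]) ('rejected', [])
    print(render_search_vulnerable("p0wned</script>"))
    print(render_search_hardened("p0wned</script>"))
```

The type check before binding is deliberate: parameter binding alone stops the value from being parsed as SQL, but validating that a product id is an integer also catches the malformed request early and keeps the query plan simple. The same split applies to the HTML case: encoding at the point of output is what prevents injected markup, and any input validation on top of it is defence in depth rather than a substitute.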
HOW TO SECURE WEB APPLICATIONS
- Incorporate security into the lifecycle
- Apply information security principles to all software development efforts
- Educate: issue awareness, training, etc.

HOW TO SECURE WEB APPLICATIONS
Incorporating security into the lifecycle:
- Integrate security into application requirements
- Include information security professionals in software architecture/design review
- Use security APIs and libraries (e.g. ESAPI, Validator, etc.) when possible
- Threat modeling
- Web application vulnerability assessment tools

HOW TO SECURE WEB APPLICATIONS
Educate:
- Developers: software security best practices
- Testers: methods for identifying vulnerabilities
- Security professionals: software development, software coding best practices
- Executives, system owners, etc.: understanding the risk and why they should be concerned

QUESTIONS/COMMENTS?
More informationX100 ARCHITECTURE REFERENCES:
UNION SYSTEMS GLOBAL This guide is designed to provide you with an highlevel overview of some of the key points of the Oracle Fusion Middleware Forms Services architecture, a component of the Oracle Fusion
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationCLIENT SERVER ARCHITECTURE:
CLIENT SERVER ARCHITECTURE: Client-Server architecture is an architectural deployment style that describe the separation of functionality into layers with each segment being a tier that can be located
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationWhatever it takes. Fixing SQLIA and XSS in the process. Diploma Thesis Outline Presentation, Florian Thiel
Whatever it takes Fixing SQLIA and XSS in the process Diploma Thesis Outline Presentation, Florian Thiel Seminar Beiträge zum Software Engineering, FU Berlin, 11/06/2008 OWASP Top 10 2007 1. XSS 2. Injection
More informationConfiguring BIG-IP ASM v12.1 Application Security Manager
Course Description Configuring BIG-IP ASM v12.1 Application Security Manager Description The BIG-IP Application Security Manager course gives participants a functional understanding of how to deploy, tune,
More informationChapter 10 Web-based Information Systems
Prof. Dr.-Ing. Stefan Deßloch AG Heterogene Informationssysteme Geb. 36, Raum 329 Tel. 0631/205 3275 dessloch@informatik.uni-kl.de Chapter 10 Web-based Information Systems Role of the WWW for IS Initial
More informationTopics Augmenting Application.cfm with Filters. What a filter can do. What s a filter? What s it got to do with. Isn t it a java thing?
Topics Augmenting Application.cfm with Filters Charles Arehart Founder/CTO, Systemanage carehart@systemanage.com http://www.systemanage.com What s a filter? What s it got to do with Application.cfm? Template
More informationNolij Transfer 6 Migration Planning & Preparation. Danielle Whitney Services Product Manager
Nolij Transfer 6 Migration Planning & Preparation Danielle Whitney Services Product Manager Introduction Preparation and Planning is key to every successful Nolij Transfer project. In this session we will
More informationWorld Wide Web, etc.
World Wide Web, etc. Alex S. Raw data-packets wouldn t be much use to humans if there weren t many application level protocols, such as SMTP (for e-mail), HTTP & HTML (for www), etc. 1 The Web The following
More informationChapter 4: Networking and the Internet. Figure 4.1 Network topologies. Network Classifications. Protocols. (continued)
Chapter 4: Networking and the Internet Computer Science: An Overview Eleventh Edition by J. Glenn Brookshear Chapter 4: Networking and the Internet 4.1 Network Fundamentals 4.2 The Internet 4.3 The World
More informationChapter 4: Networking and the Internet
Chapter 4: Networking and the Internet Computer Science: An Overview Eleventh Edition by J. Glenn Brookshear Copyright 2012 Pearson Education, Inc. Chapter 4: Networking and the Internet 4.1 Network Fundamentals
More informationCORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks
Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents What is CORS?...3 How to Test?...4 CORS Checker Script...6 References...9 2 P a g e What is CORS? CORS
More informationBuilding next-gen Web Apps with WebSocket. Copyright Kaazing Corporation. All rights reserved.
Building next-gen Web Apps with WebSocket Copyright 2011 - Kaazing Corporation. All rights reserved. Who am I? Graham Gear Solution Architect, with Kaazing, purveyors of HTML5 enabling tech Based in London,
More information1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)
Oracle Security Alert #28 Dated: 06 Feburary 2002 Updated: 05 July 2002 1. Oracle mod_plsql v3.0.9.8.2 in Oracle9i Application Server (Oracle9iAS ) a) Potential buffer overflow-related security vulnerabilities
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationAppeon Installation Guide for WebSphere
Appeon Installation Guide for WebSphere Appeon 6.5 for PowerBuilder WINDOWS DOCUMENT ID: DC00809-01-0650-01 LAST REVISED: November 2010 Copyright 2010 by Appeon Corporation. All rights reserved. This publication
More informationOutside the Box: Networks and The Internet
Outside the Box: Networks and The Internet Don Mason Associate Director Copyright 2011 National Center for Justice and the Rule of Law All Rights Reserved Inside vs. Outside Inside the Box What the computer
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationOracle WebLogic Server 11g: Administration Essentials
Oracle University Contact Us: +33 (0) 1 57 60 20 81 Oracle WebLogic Server 11g: Administration Essentials Duration: 5 Days What you will learn This Oracle WebLogic Server 11g: Administration Essentials
More informationServlet Fudamentals. Celsina Bignoli
Servlet Fudamentals Celsina Bignoli bignolic@smccd.net What can you build with Servlets? Search Engines E-Commerce Applications Shopping Carts Product Catalogs Intranet Applications Groupware Applications:
More informationApplication Design and Development: October 30
M149: Database Systems Winter 2018 Lecturer: Panagiotis Liakos Application Design and Development: October 30 1 Applications Programs and User Interfaces very few people use a query language to interact
More informationInside vs. Outside. Inside the Box What the computer owner actually has possession of 1/18/2011
Outside the Box: Networks and The Internet Don Mason Associate Director Copyright 2011 National Center for Justice and the Rule of Law All Rights Reserved Inside vs. Outside Inside the Box What the computer
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationW H IT E P A P E R. Salesforce Security for the IT Executive
W HITEPAPER Salesforce Security for the IT Executive Contents Contents...1 Introduction...1 Background...1 Settings Related to Security and Compliance...1 Password Settings... 1 Session Settings... 2 Login
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationIntroduction To Web Architecture
Introduction To Web Architecture 1 Session Plan Topic Estimated Duration Distributed computing 20 min Overview of Sun Microsoft Architecture 15 min Overview of Microsoft Architecture 15 min Summary 15
More informationPHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages
Security Summary Server-Side Web Languages Uta Priss School of Computing Napier University, Edinburgh, UK Copyright Napier University Security Summary Slide 1/15 Outline PHP-security Software lifecycle
More informationSSC - Web applications and development Introduction and Java Servlet (I)
SSC - Web applications and development Introduction and Java Servlet (I) Shan He School for Computational Science University of Birmingham Module 06-19321: SSC Outline Outline of Topics What will we learn
More informationAdvance Java. Configuring and Getting Servlet Init Parameters per servlet
Advance Java Understanding Servlets What are Servlet Components? Web Application Architecture Two tier, three tier and N-tier Arch. Client and Server side Components and their relation Introduction to
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationAutomating the Top 20 CIS Critical Security Controls
20 Automating the Top 20 CIS Critical Security Controls SUMMARY It s not easy being today s CISO or CIO. With the advent of cloud computing, Shadow IT, and mobility, the risk surface area for enterprises
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationAdvanced Software Engineering
Agent and Object Technology Lab Dipartimento di Ingegneria dell Informazione Università degli Studi di Parma Advanced Software Engineering JSR 168 Prof. Agostino Poggi JSR 168 Java Community Process: http://www.jcp.org/en/jsr/detail?id=168
More informationClearPath Secure Java Overview For ClearPath Libra and Dorado Servers
5/18/2007 Page 1 ClearPath Secure Java Overview For ClearPath Libra and Dorado Servers Technical Presentation 5/18/2007 Page 2 Agenda ClearPath Java for Core Business Transformation Overview Architectural
More informationITSY 2330 Intrusion Detection Course Syllabus
ITSY 2330 Intrusion Detection Course Syllabus Instructor Course Reference Number (CRN) Course Description: Course Prerequisite(s) Course Semester Credit Hours (SCH) (Lecture, Lab) Name: Hung Le Tel: Office:
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationIntroduction to Java Servlets. SWE 432 Design and Implementation of Software for the Web
Introduction to Java Servlets James Baldo Jr. SWE 432 Design and Implementation of Software for the Web Web Applications A web application uses enabling technologies to 1. make web site contents dynamic
More information