Topics. Why Web Application Security? Web Security
|
|
- Rhoda Horn
- 6 years ago
- Views:
Transcription
1 Web Security CSC 482/582: Computer Security Slide #1 Topics 1. Why web application security? 2. HTTP and web input types 3. Web Application Vulnerabilities 4. Client-side Attacks 5. Finding Web Vulnerabilities CSC 482/582: Computer Security Slide #2 Why Web Application Security? CSC 482/582: Computer Security Slide #3 1
2 Why Web Application Security? CSC 482/582: Computer Security Slide #4 Web Transactions Web Server Web Browser OS Network CSC 482/582: Computer Security Slide #5 HTTP: HyperText Transfer Protocol Simple request/respond protocol Request methods: GET, POST, HEAD, etc. Protocol versions: 1.0, 1.1 Stateless Each request independent of previous requests, i.e. request #2 doesn t know you auth d in #1. Applications responsible for handling state. CSC 482/582: Computer Security Slide #6 2
3 HTTP Request Method URL Protocol Version GET HTTP/1.1 Headers Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/ Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Blank Line No Data for GET method CSC 482/582: Computer Security Slide #7 HTTP Response Protocol Version HTTP Response Code Blank Line HTTP/ OK Headers Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct :16:30 GMT <HTML>... (page data)... </HTML> Web Page Data CSC 482/582: Computer Security Slide #8 Different Perspectives Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted. CSC 482/582: Computer Security Slide #9 3
4 Web-based Input Client and Server Perspectives Types of Input URL parameters HTML Cookies Javascript Cross-Site Scripting CSC 482/582: Computer Security Slide #10 URL Format Whitespace marks end of separates userinfo from host? marks beginning of query string & separates query parameters %HH represents character with hex values ex: %20 represents a space CSC 482/582: Computer Security Slide #11 URL Parameters Client controls query-string Cannot limit values to those specified in form Any character can be URL-encoded Even if it doesn t need to be. Any valid format may be used to disguise true destination of URL CSC 482/582: Computer Security Slide #12 4
5 URL Obfuscation IP address representations Dotted quad (decimal, octal, hexadecimal) Hexadecimal without dots (with left padding) dword (32-bit int) Examples: (dotted quad) 0xDEDA83B7130E (hexadecimal + padding) (dword) CSC 482/582: Computer Security Slide #13 HTML Special Characters < begins a tag > ends a tag some browsers will auto-insert matching < & begins a character entity ex: < represents literal < character Quotes( and ) used to enclose attribute values CSC 482/582: Computer Security Slide #14 Character Set Encoding Default: ISO (Latin-1) Char sets dictate which chars are special UTF-8 allows multiple representations Force Latin-1 encoding of web page with: <META http-equiv= Content-Type content= text/html; charset=iso > CSC 482/582: Computer Security Slide #15 5
6 Hidden Fields <input type= hidden name= user value= james > Used to propagate data between HTTP requests since protocol is stateless Clearly visible in HTML source Form can be copied, modified to change hidden fields, then used to invoke script CSC 482/582: Computer Security Slide #16 Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar CSC 482/582: Computer Security Slide #17 Web Input Summary Client Side Server Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Cookies aren t confidential. Hidden fields aren t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format. CSC 482/582: Computer Security Slide #18 6
7 Web Application Vulnerabilities CSC 482/582: Computer Security Slide #19 Common Vulnerability Types CSC 482/582: Computer Security Slide #20 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea Input data from the application is executed as code by the interpreter. Discussed in detail in its own lecture. CSC 482/582: Computer Security Slide #21 7
8 Cross-Site Attacks Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker s choosing. XSS used to obtain session ID for Bank site (transfer money to attacker) Shopping site (buy goods for attacker) Key ideas Attacker sends malicious code to server. Victim s browser loads code from server and runs it. Discussed in detail in its own lecture. March 4, 2009 SIGCSE Insecure Remote File Inclusion Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. Dynamic code Includes in PHP, Java,.NET DTDs for XML documents Key Idea Attacker controls pathname for inclusion. CSC 482/582: Computer Security Slide #23 PHP Remote Inclusion Flaw A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. <?php // index.php include('config.php'); include('include.php'); // Script body?> <?php //config.php $server_root = '/my/path';?> <?php //include.php include($server_root. '/someotherfile.php');?> GET /include.php?server_root= CSC 482/582: Computer Security Slide #24 8
9 Mitigating Remote File Inclusion 1. Turn off remote file inclusion. 2. Do not run code from uploaded files. 3. Do not use user-supplied paths. 4. Validate all paths before loading code. CSC 482/582: Computer Security Slide #25 Authentication Authentication is the process of determining a user s identity. Key Ideas HTTP is a stateless protocol. Every request must be authenticated. Use username/password on first request. Use session IDs on subsequent queries. March 4, 2009 SIGCSE Authentication Attacks Sniffing passwords Guessing passwords Identity management attacks Replay attacks Session ID fixation Session ID guessing CSC 482/582: Computer Security Slide #27 9
10 Identity Management Attacks Auth requires identity management User registration Password changes and resets Mitigations Use CAPTCHAs to protect registration. Don t use easy to guess secret questions. Don t allow attacker to reset address that new password is sent to. CSC 482/582: Computer Security Slide #28 Session ID Guessing Do session IDs show a pattern? How does changing username change ID? How do session IDs change with time? Brute forcing session IDs Use program to try 1000s of session IDs. Mitigating guessing attacks Use a large key space (128+ bits). Use a cryptographically random algorithm. CSC 482/582: Computer Security Slide #29 Mitigating Authentication Attacks Use SSL to prevent sniffing attacks. Require strong passwords. Use secure identity management. Use a secure session ID mechanism. IDs chosen at random from large space. Regenerate session IDs with each request. Expire session IDs in short time. CSC 482/582: Computer Security Slide #30 10
11 Access Control Access control determines which users have access to which system resources. Levels of access control Site URL Function Function(parameters) Data CSC 482/582: Computer Security Slide #31 Mitigating Broken Access Control 1. Check every access. 2. Use whitelist model at every layer. 3. Do not rely on client-level access control. 4. Do not rely on security through obscurity. CSC 482/582: Computer Security Slide #32 Improper Error Handling Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly. Errors can provide too much data Stack traces SQL statements Subsystem errors User typos, such as passwords. CSC 482/582: Computer Security Slide #33 11
12 Example of Improper Error Handling mysql error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.myi' (errno: 145) Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/lib s/comments.php on line 124 CSC 482/582: Computer Security Slide #34 Mitigating Improper Error Handling 1. Catch all exceptions. 2. Check all error codes. 3. Wrap application with catch-all handler. 4. Send user-friendly message to user. 5. Store details for debugging in log files. 6. Don t log passwords or other sensitive data. CSC 482/582: Computer Security Slide #35 Insecure Storage Storing sensitive data without encrypting it, or using a weak encryption algorithm, or using a strong encryption system improperly. Problems Not encrypting sensitive data. Using home grown cryptography. Insecure use of weak algorithms. Storing keys in code or unprotected files. CSC 482/582: Computer Security Slide #36 12
13 Storage Recommendations Hash algorithms MD5 and SHA1 look insecure. Use SHA256. Encrypting data Use AES with 128-bit keys. Key generation Generate random keys. Use secure random source. CSC 482/582: Computer Security Slide #37 Mitigating Insecure Storage 1. Use well studied public algorithms. 2. Use truly random keys. 3. Store keys in protected files. 4. Review code to ensure that all sensitive data is being encrypted. 5. Check database to ensure that all sensitive data is being encrypted. CSC 482/582: Computer Security Slide #38 Insecure Communication Applications fail to encrypt sensitive data in transit from client to server and vice-versa. Need to protect User authentication and session data. Sensitive data (CC numbers, SSNs) Key Idea Use SSL for all authentication connections. CSC 482/582: Computer Security Slide #39 13
14 Mitigating Insecure Communication 1. Use SSL for all authenticated sessions. 2. Use SSL for all sensitive data. 3. Verify that SSL is used with automated vulnerability scanning tools. CSC 482/582: Computer Security Slide #40 Client-side Attacks Buffer Overflow 2004 iframe jpeg Remote Code ActiveX Flash Java Javascript CSC 482/582: Computer Security Slide #41 ActiveX Executable code downloaded from server Activated by HTML object tag. Native code binary format. Security model Digital signature authentication Zone-based access control No control once execution starts CSC 482/582: Computer Security Slide #42 14
15 Java Digital signature authentication Sandbox Sandbox Components Byte-code verifier Class loader Security manager Sandbox Limits Cannot read/write files. Cannot start programs. Network access limited to originating host. CSC 482/582: Computer Security Slide #43 MPack Browser Malware 1. User visits site. 2. Response contains iframe. 3. Iframe code causes browser to make request. 4. Request redirected to MPack server. 5. Server identifies OS and browser, sends exploit that will work for client configuration. 6. Exploit causes browser to send request for code. 7. Mpack downloader sent to user, begins d/ling other malware. CSC 482/582: Computer Security Slide #44 MPack Commercial underground PHP software Sold for $ Comes with one year technical support. Can purchase updated exploits for $ Infection Techniques Hacking into websites and adding iframes. Sending HTML mail with iframes. Typo-squatting domains. Use GoogleAds to draw traffic. CSC 482/582: Computer Security Slide #45 15
16 Client Protection Disable ActiveX and Java. Use NoScript to limit Javascript. Run browser with least privilege. Use a browser sandbox: VMWare Virtual Browser Appliance Protected Mode IE (Windows Vista) Goto sites directly instead of using links. Use plain text instead of HTML. Patch your browser regularly. Use a personal firewall. CSC 482/582: Computer Security Slide #46 Web Reconnaissance Google Hacking Index of +passwd Index of +password.txt filetype:htaccess user allinurl:_vti_bin shtml.exe Web Crawling Santy Worm used Google to find vulnerable servers. wget --mirror -o /mirror/w3 CSC 482/582: Computer Security Slide #47 Proxies and Vulnerability Scanners Achilles OWASP Web Scarab Paros Proxy SPI Dynamics WebInspect Edit Web Data URL Cookies Form Data Web Browser Web Proxy Web Server CSC 482/582: Computer Security Slide #48 16
17 Achilles Proxy Screenshot CSC 482/582: Computer Security Slide #49 Key Points All input can be dangerous URLs, Cookies, Executable content Consider both client and server security. SSL is not a panacea Confidentiality + integrity of data in transit. Input-based attacks can be delivered via SSL. Top Vulnerabilities Cross-Site Scripting SQL Injection Remote File Inclusion CSC 482/582: Computer Security Slide #50 References 1. Andreu, Professional Penetration Testing for Web Applications, Wrox, Daswaniet. al., Foundations of Security, Apress, Friedl, SQL Injection Attacks by Example, IBM, IBM X-Force 2010 Mid-Year Trend and Risk Report, OWASP, OWASP Top 10 for 2010, oject 6. Neils Provoset. al., The Ghost in the Browser: Analysis of Webbased Malware, Hotbots 07, s/provos.pdf, Samy, MySpace Worm Explanation, Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, Stuttartand Pinto, The Web Application Hacker s Handbook, Wiley, CSC 482/582: Computer Security Slide #51 17
CIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Web Security I Topics 1. HTTP 2. Transport Layer Security (TLS) 3. URLs 4. HTML and the DOM 5. Same Origin Policy 6. Cross-Site Attacks Web Transactions Web Server Web
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationInjection. CSC 482/582: Computer Security Slide #1
Injection Slide #1 Topics 1. Injection Attacks 2. SQL Injection 3. Mitigating SQL Injection 4. XML Injection Slide #2 Injection Injection attacks trick an application into including unintended commands
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationCIT 380: Securing Computer Systems. Web Security II
CIT 380: Securing Computer Systems Web Security II Some slides from OWASP Top 10 2013 presentation under Creative Commons Attribute-ShareAlike 3.0 license (https://creativecommons.org/licenses/by-sa/3.0/)
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationHTTP Security. CSC 482/582: Computer Security Slide #1
HTTP Security CSC 482/582: Computer Security Slide #1 Topics 1. How HTTP works 2. HTTP methods, headers, and responses 3. URIs, URLs, and URNs 4. Statelessness 5. Cookies 6. More HTTP methods and headers
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationWeb Application Security GVSAGE Theater
Web Application Security GVSAGE Theater B2B Tech Expo Oct 29, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GSEC, GCIH, GGSC Network Security and Software Development
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationApplication Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.
Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationSECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationApplication security : going quicker
Application security : going quicker The web application firewall example Agenda Agenda o Intro o Application security o The dev team approach o The infra team approach o Impact of the agility o The WAF
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationAndrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationOWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati
OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationPenetration Testing. James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University Topics 1. What is Penetration Testing? 2. Rules of Engagement 3. Penetration Testing Process 4. Map the Application 5. Analyze the Application
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationKishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009
Securing Web Applications: Defense Mechanisms Kishin Fatnani Founder & Director K-Secure Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009 1 Agenda Current scenario in Web Application
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationCNIT 129S: Securing Web Applications. Ch 4: Mapping the Application
CNIT 129S: Securing Web Applications Ch 4: Mapping the Application Mapping Enumerate application's content and functionality Some is hidden, requiring guesswork and luck to discover Examine every aspect
More informationMobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing
Mobile Malfeasance Exploring Dangerous Mobile Code Jason Haddix, Director of Penetration Testing Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationHashCookies A Simple Recipe
OWASP London Chapter - 21st May 2009 HashCookies A Simple Recipe Take a cookie Add some salt Add a sequence number John Fitzpatrick Full paper at http://labs.mwrinfosecurity.com Structure What are hashcookies
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationThe security of Mozilla Firefox s Extensions. Kristjan Krips
The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationLab 5: Web Attacks using Burp Suite
Lab 5: Web Attacks using Burp Suite Aim The aim of this lab is to provide a foundation in performing security testing of web applications using Burp Suite and its various tools. Burp Suite and its tools
More informationCurso: Ethical Hacking and Countermeasures
Curso: Ethical Hacking and Countermeasures Module 1: Introduction to Ethical Hacking Who is a Hacker? Essential Terminologies Effects of Hacking Effects of Hacking on Business Elements of Information Security
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationPresented By Rick Deacon DEFCON 15 August 3-5, 2007
Hacking Social Lives: MySpace.com Presented By Rick Deacon DEFCON 15 August 3-5, 2007 A Quick Introduction Full-time IT Specialist at a CPA firm located in Beachwood, OH. Part-time Student at Lorain County
More informationThreat Landscape 2017
Pattern Recognition and Applications Lab WEB Security Giorgio Giacinto giacinto@diee.unica.it Computer Security 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy Threat
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationWeb Application Vulnerabilities: OWASP Top 10 Revisited
Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and
More informationWebGoat Lab session overview
WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in
More informationSECURING APACHE : ATTACKS ON SESSION MANAGEMENT
SECURING APACHE : ATTACKS ON SESSION MANAGEMENT In this part of the series, we are going to concentrate on attacks on session management. Application-level attacks on the session is about obtaining or
More informationRuby on Rails Secure Coding Recommendations
Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationTop 10 Web Application Vulnerabilities
Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationSecure Coding, some simple steps help. OWASP EU Tour 2013
Secure Coding, some simple steps help. OWASP EU Tour 2013 About Me Steven van der Baan - Dutch - 7Safe, part of PA Consulting Group - Developer - Pentester - Consultant - CISSP, OSCP It's amazing how
More informationDevelopment Security Guide Oracle Banking Virtual Account Management Release July 2018
Development Security Guide Oracle Banking Virtual Account Management Release 14.1.0.0.0 July 2018 Oracle Banking Virtual Account Management Development Security Guide Oracle Financial Services Software
More informationANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation
ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things Christian Frichot / David Taylor (Some of) Perth OWASP s Chapter Leads OWASP Wednesday 25 th May 2011 Copyright The OWASP
More informationSecurity Course. WebGoat Lab sessions
Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationPHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.
PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends
More informationInjecting Security Controls into Software Applications. Katy Anton
Injecting Security Controls into Software Applications Katy Anton About me Software development background Principal Security Consultant - CA Technologies Veracode OWASP Bristol Chapter Leader Project
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Web Application: Testing Security Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 10) Web Application: Testing Security 1 Table of
More informationDevelopment Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]
Development Security Guide Oracle Banking Credit Facilities Process Management Release 14.1.0.0.0 [July] [2018] Security Guide Table of Contents 1. ABOUT THIS MANUAL... 1-1 1.1 INTRODUCTION... 1-1 1.2
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationFeaturing. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationIntegrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,
More informationBerner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2
Table of Contents Hacking Web Sites Broken Authentication Emmanuel Benoist Spring Term 2018 Introduction Examples of Attacks Brute Force Session Spotting Replay Attack Session Fixation Attack Session Hijacking
More informationepldt Web Builder Security March 2017
epldt Web Builder Security March 2017 TABLE OF CONTENTS Overview... 4 Application Security... 5 Security Elements... 5 User & Role Management... 5 User / Reseller Hierarchy Management... 5 User Authentication
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationThe HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1
The HTTP protocol Fulvio Corno, Dario Bonino 08/10/09 http 1 What is HTTP? HTTP stands for Hypertext Transfer Protocol It is the network protocol used to delivery virtually all data over the WWW: Images
More informationBase64 The Security Killer
Base64 The Security Killer Kevin Fiscus NWN Corporation Session ID: DAS-203 Session Classification: Intermediate A Short (Made Up) Security Story Helix Pharmaceuticals is concerned about security Industrial
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationCSE 127 Computer Security
CSE 127 Computer Security Fall 2015 Web Security I: SQL injection Stefan Savage The Web creates new problems Web sites are programs Partially implemented in browser» Javascript, Java, Flash Partially implemented
More information