Contents. xvii xix xxiil. xxvii

Size: px
Start display at page:

Download "Contents. xvii xix xxiil. xxvii"

Transcription

1 Contents FOREWORD INTRODUCTION INDUSTRY ANALYSIS PREFACE ACKNOWLEDGMENTS BIOGRAPHY XV xvii xix xxiil XXV xxvii PART I CHAPTER 1 INTRODUCTION TO MOBILE SECURITY DEVELOPMENT Understanding Secure Web Development What This Book Is What This Book Is Not Prerequisite Technologies Applying Architecture Tools to Security Creating Consistent Reusable Code from Project to Project Mobile Application Using HTML5, AJAX, and jquery Mobile Mobile App A Social Mashup Client Technologies Client Application Layout Server Application Evolution of Security Measures SQL Injection to XSS to CSRF Battle for Output Context :. New Technologies HTML5 Bad Practices Invite Holes " Security as Add-on ' ' - Lack of Information \ Lack of Consistency A New Mindset for Web Application Security

2 CHAPTER 2 WEB APPLICATION ATTACK SURFACE 15 Attack Vectors 15 Common Threats 16 SQL Injection 16 Cross-Site Scripting 17 Cross-Site Request Forgery 18 Session Hijacking 18 Defending Input and Output Streams; First Glance 19 GET Requests 19 POST Requests 20 COOKIE Data 21 Session Fixation 21 Cross-Site Request Forgery ^V Theory of Input Filtering and Output Escaping 25 Input Validation ^ ^ Input Filtering li 26 Output Escaping f 28 You Must Know Where Your Data Is Displayed 28 CHAPTER 3 P H P SECURITY ANTI-PATTERNS 37 Anti-Pattern #1 37 Not Matching Data Character Set to Filter Character Set 37 Not Designing with Content Security Policy Anti-Pattern 38 One Size Fits All Ann-Pattern 38 Misinformation Anti-Patterns 38 The Mantra Anti-Pattern 39 Critical Data Type Understanding and Analysis 40 Single Data Type Anti-Pattern 40 All Incoming HTTP Data Are Strings 45 Validation by Tvpe Process 47 Input Same as Output Anti-Pattern, =49 The Assumed Clean Anti-Pattern 50 Improper mysql real escape string () Usage, 50 Filtering versus Escaping versus Encoding 51 Only One Output Context Anti-Pattern 52 Lack of Planning Anti-Patterns 52 Lack of Consistency Anti-Patterns 52 Lack of Testing Anti-Patterns 53 Parameter Omission Anti-Pattern S3 Design Practices Anti-Patterns 56 No Clear Separation of HTML and PHP Code Anti-Pattern 56 Too Many Database Function Calls 57 Misleading Filtering Anti-Pattern 58 Too Many Quotes Anti-Pattern 58 Raw Request Variables as Application Variables 59 Common Direct URL Input Anti-Pattern 59 Poor Ernir Management Practices 60 Poor Cryptography Practices 61 Poor Cookie Expiration 62 Poor Session Management ^ 6 Overcoming Anti-Patterns: Patterns, Testing, Automation \3

3 CHAPTER 4 P H P ESSENTIAL SECURITY 65 A Consistent UTF-8 Character Set 65 UTF-8 in the Database 66 UTF-8 in the PHP AppHcation 66 UTF-8 in the CHent Browser 67 Clean Secure Data : - 67 Input Validation; Account for Size and Tvpe - 67 Escape Output: Account for Context ''. 67 Database Access Pattern - >, 68 Application Secrets Location Pattern 68 Error Processing Pattern 68 Error Logging Process Pattern. ib Authentication Pattern 69 Authorization Pattern 69 White Listing Acceptable Input PHP Security Design Best Practices Summary 70 Architect Application Character Set 70 Architect HTTP Request Patterns 70 Architect HTTP Cookie Usage 71 Architect Input Validation - 71 Architect Output Escaping 71 Architect Session Management 72 Protect Secret Files/Protect Included Files 72 Protect User Passwords 72 Protecting User Session Data ' 72 Protect against CSRF Attacks 73 Protect against SQL Injection Attacks 73 Protect against XSS Attacks : - 73 Protect against File System Attacks \\ 73 Proper Error Handling ' "'" 74 OWASP Recommendations for PHP 74 The CheckUst 74 Additional PHP Security Checklist - 75 Disable Dangerous PHP Functions v 7 5 Abstract Classes, Interfaces, Facades, Templates, Strategy, Factories, and Visitors 77 CHAPTER 5 P H P SECURITY TOOLS OVERVIEW 77 Object Language Support 77 Variable Variables; Power DRY 80 Native Function Support 81 Encoding Functions 81 DRY Enforcement Functions 83 Type Enforcement Functions 84 Filter Functions 85 Mobile Functions 88 Cryptography and Hashing Functions 89 Modern Crypto '\9 Modern Hashing ^ ^ 91 Modern Salting and Randomization, ^. 91 HTML Templating Support ' 92 How to Inline Heredoc Functions 92

4 Best Practices Tips Use Integer Values as Much as Possible Use Type Enforcement Everywhere You Can Enforce String Sizes and Numeric Ranges Politely Cut Strings before Filtering Keep Strings as Small as Possible for Filters and for SQL Tables Issues to Avoid Hie Reason for PDO Prepared Statements Deprecated Security Functions Modern Crypto versus Old Crypto : CHAPTER 6 U T F - 8 FOR P H P AND M Y S Q L Why UTF-8 :' UTF-8 Advantages UTF-8 Disadvantages How UTF-8 Affects Security li Complete PHP UTF-8 Setup i UTF-8 MySQL Database and Table Creation UTF-8 PDO Client Connection Manual UTF-8 PDO/MySQL Connection How To PHP UTF-8 Initialization and Installation UTF-8 Browser Setup Header Setup Meta-Tag Setup Form Setup PHP UTF-8 Multi-Byte Functions UTF-8 Input Validation Functions UTF-8 String Functions UTF-8 Output Functions UTF-8 Mail UTF-8 Configuration PHPUnit Testing Test PHP Internal Encoding Test PHP Output Encoding PHPUnit Test Class for Asserting UTF-8 Configuration CHAPTER 7 PROJECT LAYOUT TEMPLATE Every App Has Some Basic Similarities Project Layout Should Be Handled Consistently Select Query Wrapper Separation of HTML Static Resources The Completely Commented Files PHP PDO/UTF-8 Security Checklist { CHAPTER 8 SEPARATION OF CONCERNS b What Is Separation ot Concerns? Keep HTML as HTML Keep PHP Out of HTML Keep JavaScript Out of HTML Content Security Policy Keep CSS Out of JS Use of IDs and Classes in HTML Summary

5 CHAPTER 9 P H P AND P D O 129 PDO UTF-8 Connection 131 MySQL UTF-8 Database and Table Creation Support 132 PDO Prepared Statements 133 Prepared Statement Examples 133 Selecting Data and Placing into HTML and URL Context 135 PDO SELECT Queries and Class Objects 137 Quoting Values and Database Type Conversion 137 PDO Manual Quoting Example. 138 PDO and WHERE IN Statements 139 White Listing and PDO Quoting of Column Names 140 Summary ^ 141 CHAPTER 10 TEMPLATE STRATEGY PATTERNS 143 Template Pattern Enforces Process ^---^""'T^ Account Registration Template ^ 143 Account Registration Template Activation 145 Strategy Pattern for Output Escaping 147 Escaping Strategy Class 147 Improved Escaping Strategy Class 149 The Input Cleaner Class 152 Testing the Cleaner Class 156 Examples of Cleaner: :getkey() Validation Usage 158 CHAPTER 11 MODERN P H P ENCRYPTION 159 Using MCrypt for Two-Way Encryption 159 Encrypting Hashed Passwords with Blowfish 162 CHAPTER 12 PROFESSIONAL EXCEPTION AND ERROR HANDLING 165 Configuring PHP Error Environment 166 Secure php.ini and Error Log Files 166 Error Options Overview 167 Production Error Configuration for php.ini 168 Development Error Configuration for php.ini 168 PHP Error Level Constants 168 Exception Handling 169 Introduction to Exceptions 169 Trapping All Errors and Exceptions 174 Converting Errors to Exceptions 174 ErrorManager Class 176 Handle Fatal Errors with register_shutdown_f unction () 177 PART II SECURE SESSION MANAGEMENT 181 The SSL Landing Page 181 Secure Session Overview 182 Secure Session Management Checklist 182 Session Checklist Details \ 183 Setting Configuration and Setup 189 Detecting Session Tampering 191 Force Page Request over SSL 192 SSL Redirect 192 Protocol Relative Links 193

6 CHAPTER 14 SECURE SESSION STORAGE PHP Default Session Storage Overview -' Session Storage Life Cycle Session Locking AJAX and Session Locking Session Management Configuration Configure Security before Session_Start () Is Called Properly Destroy Session Encrypted Session Storage Encrypted Session Storage via MySQL Creating a Custom Session Handler in MySQL Encrypted Session Storage via File System Class SccureSessionFilc Details CHAPTER 15 SECURE FORMS AND ACCOUNT REGISTRATION Secure User Registration and Login Process Overview Unlimited Password Length, Unlimited Password Characters Secure Form Landing Pages Are over SSL Secure Form Nonce -Prevent CSRF Class NonceTracker Class NonceTracker Listing Class NonceTracker Detail Form Input Validation Overview Registration Form Registration Form Details Double Encryption of User Passwords Account Management Class AccountManager Details and Authorization Checks Verification and Activation System Future Proof Encryption Strength with Blowfish Rounds Secure Password Request Link Reauthorize on Privilege Elevation Session Management Class SessionManagement Details Secure Logout Details via SessionManager Privilege Elevation Protection System Secure Login Secure Login Form Secure Login Form Details Protect Pages via Authentication Check Secure Logout Page Secure Logout Page Details A Secure RememberMe Feature Closing Points CHAPTER 16 SECURE CLIENT SERVER FORM VALIDATION PHP UTF-8 Input Validation Server UTF-8 Validation Validating UTF-8 Names and s via RegEx PREG for PHP = PREG for JavaScript Server Side Regular Expressions JavaScript Validation via Regular Expressions jquery Validation via Regular Expressions ^

7 jquery Password Strength Meter 306 JavaScript and jquery Escaping and Filtering 308 Replace innerhtml with innertext 309 Embedded HTML HyperLinks Problems with innerhtml 310 Insecure JavaScript Functions 312 Preventing Double Form Submission Post-Redirect-Get Pattern for Form Processing The PRC Pattern 314 ThePRG Directive 315 Tracking Form Tokens to Prevent Double Submission 317 Controlling Form Page Caching and Page Expiration,..' 319 Main Cache-Control Settings 320 Microsoft Internet Explorer Extension ' 321 Timestamping AJAX GET Requests. ^ 321 Constructing Secure GET Request URLs 321 CHAPTER 17 SECURE FILE UPLOADING ^' 323 Basic Principles of Secure File Uploading 323 Authentication of File Uploads 324 Create White List of Allowable Types 324 File Extensions and Types Are Meaningless 324 Create a System-Generated File Name 324 Always Store Uploaded Files Outside Web Root 324 Enforce File Size Limits 324 Control File Permissions 325 Limit Number of Uploaded Files 325 Optional: Use CAPTCHA 325 Optional: Use Virus Scan 325 Secure File Uploading to Database 325 SQL Table.. ^ 326 HTML Form, Retrieving Uploaded Images 330 CHAPTER 18 SECURE J S O N REQUESTS ^. ' 333 Building Secure JSON Responses - ^' ^"^ 333 Correct and Incorrect JSON 333 Proper JSON Construction Depends on Array Construction 334 Safe Array Construction with PDO Records 336 Send and Receive JSON in PHP 337 SendJSON from PHP 337 Receive JSON in PHP 340 Parsing JSON Securely with JavaScript/jQuery ;.. - ' 34j jquery JSON Calls ' '. 342 Post and Parse JSON Response Example 342 PART III CHAPTER 19 GOOGLE MAPS, YOUTUBE, AND JQUERY MOBILE 347 Code Setup. 347 About the Code 348 Placing Videos inside Google Map InfoWindows 348 Creating InfoWindow Markers 349 HTML and jquery Mobile Layout 349

8 Separation of Concerns HTM L Fragments Description. L YouTube Elements Description Javascript File: gmap.js Map Functions. InfoWindow Marker vv'ith Playable Video j.. Map Marker Database Table VideoMap URL Table. v Data Repository Class: GMapData ', Processing Markers Generating Markers Inserting and Updating Markers Preparing Safe JSON Data CHAPTER 2 0 TWITTER AUTHENTICATION AND SSL curl Twitter vl.l via PHP,^ Step 1: Create a Twitter Application Step 2: Exchange Twitter Credentials for Access Token Step 3: Request Tweets Using Access Token Step 4: Activate Tweet Links TweetFetcher Class Fetching vl.l Tweets via TweetFetcher Getting Twitter oauth Token Setting SSL Verification for curl Retrieve Latest Tweets from Timeline Creating and Filtering Hyperlinks from Plain Text Filtering Bad Tweet Examples Examples of Secure Processing with processtweet () Using TweetFetcher CHAPTER 21 SECURE A J A X SHOPPING CART JQuery Mobile Store Up and Running The Mobile Store Add Items to Cart Remove Items from Cart Making the PayPal Purchase Beginning the PayPal Transaction Securely Posting to PayPal Completing the PayPal Purchase Conclusion CHAPTER 2 2 COMMON FACEBOOK CANVAS VULNERABILITY POINTS Saving Facebook RealTime Updates via PDO Reflecting JSON Coordinates I Reflecting Messages J; Reflecting URLs JavaScript and JQuery Filters Method Method 2 Methods JSONP Precaution APPENDIX INDEX v ^ \ ,

Pro ASP.NET MVC 2 Framework

Pro ASP.NET MVC 2 Framework Pro ASP.NET MVC 2 Framework Second Edition Steven Sanderson Apress TIB/UB Hannover 89 133 297 713 Contents at a Glance Contents About the Author About the Technical Reviewers Acknowledgments Introduction

More information

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19 CONTENTS IN DETAIL INTRODUCTION xiii 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 #1: Including Another File as a Part of Your Script... 2 What Can Go Wrong?... 3 #2:

More information

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response

More information

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

SECURE CODING ESSENTIALS

SECURE CODING ESSENTIALS SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design

More information

Full Stack Web Developer

Full Stack Web Developer Full Stack Web Developer S.NO Technologies 1 HTML5 &CSS3 2 JavaScript, Object Oriented JavaScript& jquery 3 PHP&MYSQL Objective: Understand the importance of the web as a medium of communication. Understand

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Advanced Joomla! Dan Rahmel. Apress*

Advanced Joomla! Dan Rahmel. Apress* Advanced Joomla! Dan Rahmel Apress* Contents About the Author About the Technical Reviewer Acknowledgments Introduction xvii...xix xxi xxiii Chapter 1: Streamlining the Authoring Process 1 Setting the

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

Certified Secure Web Application Secure Development Checklist

Certified Secure Web Application Secure Development Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill

More information

PHP and MySQL Programming

PHP and MySQL Programming PHP and MySQL Programming Course PHP - 5 Days - Instructor-led - Hands on Introduction PHP and MySQL are two of today s most popular, open-source tools for server-side web programming. In this five day,

More information

Full Stack Web Developer

Full Stack Web Developer Full Stack Web Developer Course Contents: Introduction to Web Development HTML5 and CSS3 Introduction to HTML5 Why HTML5 Benefits Of HTML5 over HTML HTML 5 for Making Dynamic Page HTML5 for making Graphics

More information

Static Webpage Development

Static Webpage Development Dear Student, Based upon your enquiry we are pleased to send you the course curriculum for PHP Given below is the brief description for the course you are looking for: - Static Webpage Development Introduction

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Certified Secure Web Application Security Test Checklist

Certified Secure Web Application Security Test Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

OWASP TOP 10. By: Ilia

OWASP TOP 10. By: Ilia OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB

More information

WICKED COOL PHP. by William Steinmetz with Brian Ward. Real-World ScriptA Tl1at Solve DifficMlt ProblelMA. PRESS San Francisco NO STARCH

WICKED COOL PHP. by William Steinmetz with Brian Ward. Real-World ScriptA Tl1at Solve DifficMlt ProblelMA. PRESS San Francisco NO STARCH WICKED COOL PHP Real-World ScriptA Tl1at Solve DifficMlt ProblelMA by William Steinmetz with Brian Ward NO STARCH PRESS San Francisco BRIEF CONTE TS Introduction XIII Chapter 1: The FAQs of life- The Scripts

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application CNIT 129S: Securing Web Applications Ch 4: Mapping the Application Mapping Enumerate application's content and functionality Some is hidden, requiring guesswork and luck to discover Examine every aspect

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Developing ASP.NET MVC Web Applications (486)

Developing ASP.NET MVC Web Applications (486) Developing ASP.NET MVC Web Applications (486) Design the application architecture Plan the application layers Plan data access; plan for separation of concerns, appropriate use of models, views, controllers,

More information

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends

More information

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007 Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1

More information

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate

More information

Fundamentals of Web Development. Web Development. Fundamentals of. Global edition. Global edition. Randy Connolly Ricardo Hoar

Fundamentals of Web Development. Web Development. Fundamentals of. Global edition. Global edition. Randy Connolly Ricardo Hoar Connolly Hoar This is a special edition of an established title widely used by colleges and universities throughout the world. Pearson published this exclusive edition for the benefit of students outside

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

Web development using PHP & MySQL with HTML5, CSS, JavaScript

Web development using PHP & MySQL with HTML5, CSS, JavaScript Web development using PHP & MySQL with HTML5, CSS, JavaScript Static Webpage Development Introduction to web Browser Website Webpage Content of webpage Static vs dynamic webpage Technologies to create

More information

DreamFactory Security Guide

DreamFactory Security Guide DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,

More information

1 About Web Security. What is application security? So what can happen? see [?]

1 About Web Security. What is application security? So what can happen? see [?] 1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi

More information

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security. Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language

More information

WHY CSRF WORKS. Implicit authentication by Web browsers

WHY CSRF WORKS. Implicit authentication by Web browsers WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication

More information

IN PRACTICE. Daniele Bochicchio Stefano Mostarda Marco De Sanctis. Includes 106 practical techniques MANNING

IN PRACTICE. Daniele Bochicchio Stefano Mostarda Marco De Sanctis. Includes 106 practical techniques MANNING IN PRACTICE Daniele Bochicchio Stefano Mostarda Marco De Sanctis Includes 106 practical techniques MANNING contents preface xv acknowledgments xvii about this book xix about the authors xxiii about the

More information

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -

More information

Contents in Detail. Foreword by Xavier Noria

Contents in Detail. Foreword by Xavier Noria Contents in Detail Foreword by Xavier Noria Acknowledgments xv xvii Introduction xix Who This Book Is For................................................ xx Overview...xx Installation.... xxi Ruby, Rails,

More information

Assignment 6: Web Security

Assignment 6: Web Security COS 432 November 20, 2017 Information Security Assignment 6: Web Security Assignment 6: Web Security This project is due on Monday, December 4 at 11:59 p.m.. Late submissions will be penalized by 10% per

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment

More information

Information Security CS 526 Topic 8

Information Security CS 526 Topic 8 Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

CORE PHP CURRICULUM. Introductory Session Web Architecture Overview of PHP Platform Origins of PHP in the open source community

CORE PHP CURRICULUM. Introductory Session Web Architecture Overview of PHP Platform Origins of PHP in the open source community CORE PHP CURRICULUM What you will Be Able to Achieve During This Course This course will enable you to build real-world, dynamic web sites. If you've built websites using plain HTML, you realize the limitation

More information

Combating Common Web App Authentication Threats

Combating Common Web App Authentication Threats Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App

More information

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in 1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

CSC 482/582: Computer Security. Cross-Site Security

CSC 482/582: Computer Security. Cross-Site Security Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential

More information

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu Content for today Phase 4 preview From now please pay attention to the security issue of your website This

More information

A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin

A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin A Guide to Understand, Install and Use Pie Register WordPress Registration Plugin 1 P a g e Contents 1. Introduction... 5 2. Who is it for?... 6 3. Community v/s PRO Version... 7 3.1. Which version is

More information

Project 2: Web Security

Project 2: Web Security EECS 388 September 30, 2016 Intro to Computer Security Project 2: Web Security Project 2: Web Security This project is due on Thursday, October 13 at 6 p.m. and counts for 8% of your course grade. Late

More information

An analysis of security in a web application development process

An analysis of security in a web application development process An analysis of security in a web application development process Florent Gontharet Ethical Hacking University of Abertay Dundee MSc Ethical Hacking 2015 Table of Contents Abstract...2 Introduction...3

More information

Secure Coding and Code Review. Berlin : 2012

Secure Coding and Code Review. Berlin : 2012 Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

All India Council For Research & Training

All India Council For Research & Training WEB DEVELOPMENT & DESIGNING Are you looking for a master program in web that covers everything related to web? Then yes! You have landed up on the right page. Web Master Course is an advanced web designing,

More information

Business Logic Security

Business Logic Security Business Logic Security Ilia Alshanetsky @iliaa https://joind.in/14863 whois: Ilia Alshanetsky PHP Core Developer since 2001 Release Master of 4.3, 5.1 and 5.2 Author of Guide to PHP Security Author/Co-Author

More information

Course 834 EC-Council Certified Secure Programmer Java (ECSP)

Course 834 EC-Council Certified Secure Programmer Java (ECSP) Course 834 EC-Council Certified Secure Programmer Java (ECSP) Duration: 3 days You Will Learn How To Apply Java security principles and secure coding practices Java Security Platform, Sandbox, JVM, Class

More information

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA) EPRI Software Development 2016 Guide for Testing Your Software Software Quality Assurance (SQA) Usability Testing Sections Installation and Un-Installation Software Documentation Test Cases or Tutorial

More information

En#ty Authen#ca#on and Session Management

En#ty Authen#ca#on and Session Management En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project

More information

F5 Big-IP Application Security Manager v11

F5 Big-IP Application Security Manager v11 F5 F5 Big-IP Application Security Manager v11 Code: ACBE F5-ASM Days: 4 Course Description: This four-day course gives networking professionals a functional understanding of the BIG- IP LTM v11 system

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),

More information

Acknowledgments... xix

Acknowledgments... xix CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...

More information

Lecture Overview. IN5290 Ethical Hacking

Lecture Overview. IN5290 Ethical Hacking Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp

More information

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp

More information

Information Security CS 526 Topic 11

Information Security CS 526 Topic 11 Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

An Introduction to JavaScript & Bootstrap Basic concept used in responsive website development Form Validation Creating templates

An Introduction to JavaScript & Bootstrap Basic concept used in responsive website development Form Validation Creating templates PHP Course Contents An Introduction to HTML & CSS Basic Html concept used in website development Creating templates An Introduction to JavaScript & Bootstrap Basic concept used in responsive website development

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

I, J, K. Lightweight directory access protocol (LDAP), 162

I, J, K. Lightweight directory access protocol (LDAP), 162 Index A Access Control, 183 Administration console, 17 home page, 17 managing instances, 19 managing requests, 18 managing workspaces, 19 monitoring activity, 19 Advanced security option (ASO), 58, 262

More information

70-486: Developing ASP.NET MVC Web Applications

70-486: Developing ASP.NET MVC Web Applications 70-486: Developing ASP.NET MVC Web Applications Candidates for this exam are professional developers who use Microsoft Visual Studio 20120157 and Microsoft.NET FrameworkASP.NET to design and develop web

More information

P2_L12 Web Security Page 1

P2_L12 Web Security Page 1 P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction

More information

GOING WHERE NO WAFS HAVE GONE BEFORE

GOING WHERE NO WAFS HAVE GONE BEFORE GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session

More information

CSE484 Final Study Guide

CSE484 Final Study Guide CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.

More information

The requirements were developed with the following objectives in mind:

The requirements were developed with the following objectives in mind: FOREWORD This document defines four levels of application security verification. Each level includes a set of requirements for verifying the effectiveness of security controls that protect web applications

More information

Application Design and Development: October 30

Application Design and Development: October 30 M149: Database Systems Winter 2018 Lecturer: Panagiotis Liakos Application Design and Development: October 30 1 Applications Programs and User Interfaces very few people use a query language to interact

More information

Exploiting and Defending: Common Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,

More information

PHP. MIT 6.470, IAP 2010 Yafim Landa

PHP. MIT 6.470, IAP 2010 Yafim Landa PHP MIT 6.470, IAP 2010 Yafim Landa (landa@mit.edu) LAMP We ll use Linux, Apache, MySQL, and PHP for this course There are alternatives Windows with IIS and ASP Java with Tomcat Other database systems

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018] Development Security Guide Oracle Banking Credit Facilities Process Management Release 14.1.0.0.0 [July] [2018] Security Guide Table of Contents 1. ABOUT THIS MANUAL... 1-1 1.1 INTRODUCTION... 1-1 1.2

More information

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Development Security Guide Oracle Banking Virtual Account Management Release July 2018 Development Security Guide Oracle Banking Virtual Account Management Release 14.1.0.0.0 July 2018 Oracle Banking Virtual Account Management Development Security Guide Oracle Financial Services Software

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

PHP WITH ANGULAR CURRICULUM. What you will Be Able to Achieve During This Course

PHP WITH ANGULAR CURRICULUM. What you will Be Able to Achieve During This Course PHP WITH ANGULAR CURRICULUM What you will Be Able to Achieve During This Course This course will enable you to build real-world, dynamic web sites. If you've built websites using plain HTML, you realize

More information

Web Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext

More information

Web Application Security

Web Application Security Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

OU Mashup V2. Display Page

OU Mashup V2. Display Page OU Mashup V2 OU Mashup v2 is the new iteration of OU Mashup. All instances of OU Mashup implemented in 2018 and onwards are v2. Its main advantages include: The ability to add multiple accounts per social

More information

2 Webpage Markup with HTML HTML5 Page Structure Creating a Webpage HTML5 Elements and Entities

2 Webpage Markup with HTML HTML5 Page Structure Creating a Webpage HTML5 Elements and Entities Contents Preface Introduction xix xxiii 1 The Web: An Overview 1 1.1 Web Is Part of the Internet.................. 1 1.2 IP Addresses and Domain Names............... 3 1.2.1 Domain Name System................

More information

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web Security SWE 432, Fall 2017 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Authorization oauth 2 Security Why is it important? Users data is

More information

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13 Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and

More information

Standard 1 The student will author web pages using the HyperText Markup Language (HTML)

Standard 1 The student will author web pages using the HyperText Markup Language (HTML) I. Course Title Web Application Development II. Course Description Students develop software solutions by building web apps. Technologies may include a back-end SQL database, web programming in PHP and/or

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login

More information