RKN 2015 Application Layer Short Summary
|
|
- Shanon Randall
- 5 years ago
- Views:
Transcription
1 RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET, HEAD, OPTIONS, TRACE not safe: POST, PUT, DELETE, PATCH Proxies: CONNECT method all except PATCH and POST are idempotent (mutliple calls yield same results) GET : used to retrieve information or content identified by URI HEAD : retrives the headers only (without content/body!) OPTIONS : returns the methods that a server provides ( Allow and Public header indicating allowed methods) TRACE : for debugging, echoes back the received request (XSS, cookie stealing, detects changes intermediate servers make, e.g. proxies) CONNECT : used for proxies, creates tunnel for TLS connection; client makes CONNECT request to proxy including target host and post, proxy just forwards the encrypted traffic POST : update, create, add resources PUT : create, replace resources (if there: replace it, otherwise: create it) DELETE : deletes a given resource PATCH: makes changes to an existing resource (body of methods describes the changes, > semantic web) everything COULD be transmitted via a POST (this is done for SOAP = Simple Object Access Protocol) HTTP Status codes the server can answer to requests with status codes e.g. 200 OK or 404 NOT FOUND server might also send a requested body along with the header RESTFUL (Representational State Transfer) for GET, POST, PUT, DELETE, PATCH Resources are represented via URIs e.g. could mean bill with ID 1200 applying appropriate methods replaces, deletes, creates or modified resources
2 (HATEOAS Hypermedia as the ENgine of Application State, stores information like RESTFUL URIs) HTTP /2.0 same functionality as HTTP /1.1, but optimised for speed SPDY, developed by Google to improve speed response to SPDY: standardisation effort resulting in HTTP /2.0 proposed standard published in Feb, 2015 (wow, only a few months ago) full binary instead of text! fully multiplexed, allows one TCP connection for multiple requests at the same time! push technologies, is able to give answers without explicit requests from the client (e.g. automatically sending CSS file over existing TCP connection) parallel page loading with one TCP connection data compression of HTTP headers AJAX (Asynchronous JavaScript and XML) does not need to be XML (JSON) and does not need to be asynchronous (although it s common usage ) XMLHttpRequest (via HTTP protocol) COMET Long Polling similar to standard AJAX HTMLHTTPRequest request remains open until data is available response to client client sends request for next data (if required) does NOT send data to client without any requests! Websockets fully bi directional communication HTTP header overhead removed! server can push messages to the client (even without requests!) part of HTML5 URI schemes: ws://site.net, wss://site.net (SECURE, using TLS) initiated via HTTP GET request Upgrade, Connection header fields: tell the server to upgrade the connection from plain HTTP to the websocket protocol (Upgrade: websocket, Connection: Upgrade) Origin header: domain the request was sent from Framing: WebSocket data not directly sent over TCP, messages are used, minimum framing is used (binary vs. Unicode encoding, fragmentation etc.), future extensions include multiplexing HTML5 Messaging postmessage: new in HTML5
3 enabled communication between different open windows/pages on the same machine e.g. a web page communicating with an embedded iframe due to SOP (same origin policy) this was not possible before postmessage however: security issues! Syntax: var popup = window.open(...), popup.postmessage( Hello!, ) message fields: data (message), origin (scheme://host:port), source (reference to source window (can post message back to this window) when receiving message: always check the origin!!! SOP (Same Origin Policy) security mechanism basic idea: exchange data with origin of web application only (not always possible in real world) example: banking.com vulnerable to XSS; attacker sends malicious link with XSS injection to victim; victim opens link, logs in > attacker gets login data SOP is used to make XSS etc. harder cross origin access is required for many things: images, scripts, APIs,... Forbidden: direct access to DOM, Cookies, windows from other origins direct HTTP requests (also AJAX) to other origins, except for: <img>, <script>, <iframe>, HTML5 postmessage ways around for arbitrary HTTP requests: AJAX Proxy, JSONP, CORS (cross origin resource sharing), CSP (content security policy) JSONP JSON with padding <script> element is allowed to request resource (e.g. JS library from other domain) this policy can be misused to execute code from other domains e.g. including simple RESTFUL data would cause an error in the browser (not executable) but: if a function is already defined in the web application (functioncall), then the server could return the JSON data padded with the functioncall code: the returned data is now valid JS and executed in the browser was developed when no cross origin AJAX request was possible due to SOP with JSONP any content can be injected into the page only GET method is supported also: on the server which has the API, you cannot control who has access to this API this behaviour was NOT intended when the <script> tag was designed (JSONP is not designed with security in mind ) This means: To prevent these types of attacks, two things must be done: 1. Protect the API on your server against misuse by attacker s page. 2. Protect the web application from injected code (XSS in this case). a. Remote the possibility to inject code
4 b. If everything fails: make sure that private information is NOT sent to the attacker s page (like session IDs) CORS (cross origin resource sharing) CORS was introduced to protect the server s API (1) idea: provide framework that allows to limit access to a certain API Scope: request source (origin), type of request (GET, PUT, etc.), allow credentials (cookies) CORS allows the operator to define who has access to the API all requests contain an ORIGIN header > the server simply parses this header and decides if this origin is trusted (otherwise drop request here) the answer includes a list of allowed domains (or * for everything) the client checks whether the domain matches and hands over answer to web application (e.g. JS code) > otherwise drop response CORS supports GET, HEAD, Post,... (many header fields explained in the slides, I hope he won t ask them at the exam ) but: CORS does not protect the web application from injecting code (2)! CSP (content security policy) idea: define a policy for your web application on the server browser enforces policy the policy is delivered to the client via the Content Security Policy HTTP header field create a sandbox for your web application (allow resources from specific sources, forbid plain communication, define allowed websocket targets, define trusted sources for resources) by defining a strict policy, XSS can be stopped injected code cannot talk to targets that are not defined in the policy file (evil targets) does not prevent (1), but does prevent (2)! So: CORS limits the access to an API, CSP can stop XSS. HTTP States HTTP is a stateless protocol! any request is considered as stand alone and unrelated to prior or later ones server does not maintain session information so, when getting a page, multiple HTTP requests to different resources are not related! thus, we need session IDs for maintaining sessions HTTP Session IDs a session ID is a unique identifier that is transmitted for each request and maintained through the session (until logout or timeout) a session can be tracked via this identified Session ID, Cookie
5 cookies are well known (privacy issues ) Requirements for session IDs: random(!), unique, large key space, not predictable, use a good session management framework (don t do it on your own!) the session ID MUST be protected at all costs! stealing the session ID means that the attacker has access to the whole session (like a user being logged in > attacker is logged in now without knowing login data!) Basic methods to protect session IDs: URL rewriting (session ID stored in URL) via Cookies (stored in headers) via other HTTP header (e.g. bearer token) via hidden fields in forms (stored in HTML page/body) security depends on the implementation there is no single secure methods many mistakes can be made! URL rewriting the session ID is stored inside the URL (url.com/index.php?sessionid=1234) must always be transmitted many security issues: session ID would be visible inside history, on the server (logs), on proxies, even on HTTP referer fields (other sites can see the URL, when user clicks on links!) Forms, hidden values POST, sends information to server user cannot see it directly (although in the source, but normal people don t know how to do that) URL does not contain session info any more contained in the body of a POST request every page must be dynamic, since session ID must be inserted by the server (for each user/session) Cookies within the HTTP headers cookies used for different purposes: session cookies persistent cookies third party cookies cookies are set via HTTP header by server browser stores cookie send it back, when revisiting the website data is within name value pairs browser knows then to send the cookie via cookie parameters
6 structure: Domain, Path, Exp Date (when not set: session cookie, valid until browser closes), Secure (browser only transmits cookie via HTTPS), httponly (don t allow scripts to access cookie via document.cookie), Domain and Path tell the browser when to send the cookie Third party: A page sets a cookie for another domain (e.g. ads, statistics) Supercookie: e.g. setting a cookie for.com (would send cookie to all pages with.com), browsers do not allow this Zombie cookie: recreated after deletion via another storage (flash, HTML5, etc.) before HTML5: the only way to do was local storage (limited to 4kb), with HTML5: web storage other cookies: flash cookies Cookie sessions problems not session relevant: tracking, privacy, flash cookies session stealing/hijacking/fixation XSS (later) Cross site request forgery (later) advantages: not logged, not copied by user, cashing,... Tokens (bearer tokens) cookies use the dedicated cookie HTTP headers protection against stealing, e.g. httponly option in cookie cookies get specific treatment in browsers (cookie store etc.) limitations via third party cookies if deactivated, browser cannot send cookie via AJAX, iframes etc. to other servers that all makes perfect sense (security), but in certain scenarios these limitations are a big problem solution: user another header in HTTP (not cookie) result: all limitations (httponly, browser storing cookies, third party cookies) do not apply! e.g. JS in WebView can easily access specific header and extract session ID Session ID could be displayed in WebView (easy to extract from native lib in a well defined procedure) therefore, in oauth 2.0: bearer tokens Third Party Cookies idea: website sets a permanent cookie, when revisiting the page in the future, the ID is sent again, track users for various purposes websites set cookies for other domains, which are all transmitted when these other domains are visited SOP: a domain IS NOT ALLOWED to set cookies for other domains e.g. example.com is not allowed to set a cookie for reddit.com how do third party cookies work then?
7 a webpage may include resources from other domains (such as scripts, images, content via iframes) these resources are fetched via HTTP requests, the external servers may provide cookies, which are set by the browser third party cookies can often be deactivated in browers Etags used for web cache validation typically a hash value (content of the resource) idea: Etag sent back as HTTP header, identified version of requested resource browser stores Etag for given resource when new request to same resource: browser sends header with If None Match:..., server compares current Etag with that of the browser sends back page if no match, otherwise HTTP status code 304 (NOT MODIFIED) is returned problem: server could assign a unique ID to a resource when a user visits the resource for the first time browser resends Etag when visiting the resource tracking (no cookies etc. needed, browser might not delete Etags when clearing the browser cache) might not be detectable by the user (no Etag store) P3P Policy Header idea: when cookies are set, P3P header is provided user (browser) knows the P3P policy of the website and can either accept/reject cookies implemented in Internet Explorer compares your own privacy settings with P3P header if there is no match: cookies are blocked problems: too complicated for the users not mandatory enforcement? Hijacking (stealing the session ID) prediction: knowing hot the session ID is calculated (should be random, but remember the OpenSSL bug in the pseudo random number generator ) brute force: just trying out session IDs until a valid is found (similar to cryptography, use are large session ID space) interception: unencrypted transmission (HTTPS at the beginning does not imply HTTPS later on ) Unencrypted transmission
8 with access to HTTP(S) traffic, the attacker is able to capture the session ID from your data therefore: use HTTPS (always!), use secure and httponly cookie options verify the certificate! however: the TRACE option (HTTP request) would allow to show the session ID XSS (Cross Site Scripting) idea: inject code in a web site, send malicious link to victim, get data from the victim has to bypass SOP protection: filter/escape user input, use a framework and scanners CSRF (Cross Site Request Forgery) exploits trust of website in browser not possible everywhere, requires that site does important things via the URL protection: check referer header, require a secret that is transmitted in every request, limit lifetime of session cookies
WEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationBrowser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationOctober 08: Introduction to Web Security
October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationWeb Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs
Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationComputer Security CS 426 Lecture 41
Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More information7.2.4 on Media content; on XSS) sws2 1
Software and Web Security 2 Attacks on Clients (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked by malicious input web browser web server
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationCS Paul Krzyzanowski
Original Browser Static content on clients Servers were responsible for dynamic parts Computer Security 14. Web Security Security attacks were focused on servers Malformed URLs, buffer overflows, root
More informationComputer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 14. Web Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Original Browser Static content on clients Servers were responsible for
More informationCHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationAcknowledgments... xix
CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationSECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationCOMET, HTML5 WEBSOCKETS OVERVIEW OF WEB BASED SERVER PUSH TECHNOLOGIES. Comet HTML5 WebSockets. Peter R. Egli INDIGOO.COM. indigoo.com. 1/18 Rev. 2.
COMET, HTML5 WEBSOCKETS OVERVIEW OF WEB BASED SERVER PUSH TECHNOLOGIES Peter R. Egli INDIGOO.COM 1/18 Contents 1. Server push technologies 2. HTML5 server events 3. WebSockets 4. Reverse HTTP 5. HTML5
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationSession 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes
Session 8 Deployment Descriptor 1 Reading Reading and Reference en.wikipedia.org/wiki/http Reference http headers en.wikipedia.org/wiki/list_of_http_headers http status codes en.wikipedia.org/wiki/_status_codes
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationNetwork-based Origin Confusion Attacks against HTTPS Virtual Hosting
Network-based Origin Confusion Attacks against HTTPS Virtual Hosting Antoine Delignat-Lavaud, Karthikeyan Bhargavan Prosecco, Inria Paris-Rocquencourt 1 The Web Security Protocol Stack JavaScript runtime
More informationHTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys
HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationDon't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Steffens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions
More informationCSCE 120: Learning To Code
CSCE 120: Learning To Code Module 11.0: Consuming Data I Introduction to Ajax This module is designed to familiarize you with web services and web APIs and how to connect to such services and consume and
More informationContents. xvii xix xxiil. xxvii
Contents FOREWORD INTRODUCTION INDUSTRY ANALYSIS PREFACE ACKNOWLEDGMENTS BIOGRAPHY XV xvii xix xxiil XXV xxvii PART I CHAPTER 1 INTRODUCTION TO MOBILE SECURITY DEVELOPMENT Understanding Secure Web Development
More informationICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
More informationFounded the web application security lab
Robert RSnake Hansen - CEO SecTheory LLC Bespoke Boutique Internet Security Web Application/Browser Security Network/OS Security Advisory capacity to VCs/start-ups We solve tough problems. http://www.sectheory.com/
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationWAPT in pills: Self-paced, online, flexible access interactive slides. 4+ hours of video materials
The most practical and comprehensive training course on Web App Penetration testing WAPT in pills: Self-paced, online, flexible access 1000+ interactive slides 4+ hours of video materials Learn the most
More informationPerslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.
Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities
More informationChrome Extension Security Architecture
Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More information86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013
Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationW3Conf, November 15 & 16, Brad Scott
The Future of Web Application Security W3Conf, November 15 & 16, 2011 Brad Hill @hillbrad bhill@paypal-inc.com Scott Stender @scottstender scott@isecpartners.com The History of Web App Security Attacker
More informationCS 155 Project 2. Overview & Part A
CS 155 Project 2 Overview & Part A Project 2 Web application security Composed of two parts Part A: Attack Part B: Defense Due date: Part A: May 5th (Thu) Part B: May 12th (Thu) Project 2 Ruby-on-Rails
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationHTTP Security. CSC 482/582: Computer Security Slide #1
HTTP Security CSC 482/582: Computer Security Slide #1 Topics 1. How HTTP works 2. HTTP methods, headers, and responses 3. URIs, URLs, and URNs 4. Statelessness 5. Cookies 6. More HTTP methods and headers
More informationSecurity for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More informationRESTful API Design APIs your consumers will love
RESTful API Design APIs your consumers will love Matthias Biehl RESTful API Design Copyright 2016 by Matthias Biehl All rights reserved, including the right to reproduce this book or portions thereof in
More informationCIT 480: Securing Computer Systems
CIT 480: Securing Computer Systems Web Security I Topics 1. HTTP 2. Transport Layer Security (TLS) 3. URLs 4. HTML and the DOM 5. Same Origin Policy 6. Cross-Site Attacks Web Transactions Web Server Web
More informationWeb Security: XSS; Sessions
Web Security: XSS; Sessions CS 161: Computer Security Prof. Raluca Ada Popa Mar 22, 2018 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh SQL Injection
More informationApplication Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.
Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers
More informationCS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side
More informationDeveloping ASP.NET MVC Web Applications (486)
Developing ASP.NET MVC Web Applications (486) Design the application architecture Plan the application layers Plan data access; plan for separation of concerns, appropriate use of models, views, controllers,
More informationSecurity for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More informationSECURING APACHE : ATTACKS ON SESSION MANAGEMENT
SECURING APACHE : ATTACKS ON SESSION MANAGEMENT In this part of the series, we are going to concentrate on attacks on session management. Application-level attacks on the session is about obtaining or
More informationA Library and Proxy for SPDY
A Library and Proxy for SPDY Interdisciplinary Project Andrey Uzunov Chair for Network Architectures and Services Department of Informatics Technische Universität München April 3, 2013 Andrey Uzunov (TUM)
More informationIERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu
IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu Content for today Phase 4 preview From now please pay attention to the security issue of your website This
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationSecurity. SWE 432, Fall 2017 Design and Implementation of Software for the Web
Security SWE 432, Fall 2017 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Authorization oauth 2 Security Why is it important? Users data is
More informationshortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge
shortcut Your Short Cut to Knowledge The following is an excerpt from a Short Cut published by one of the Pearson Education imprints. Short Cuts are short, concise, PDF documents designed specifically
More information