Application Layer Security

Similar documents
Sichere Software vom Java-Entwickler

Web Application Security. Philippe Bogaerts

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Copyright

Welcome to the OWASP TOP 10


OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

1 About Web Security. What is application security? So what can happen? see [?]

Applications Security

Aguascalientes Local Chapter. Kickoff

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Solutions Business Manager Web Application Security Assessment

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Information Security. Gabriel Lawrence Director, IT Security UCSD

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Your Turn to Hack the OWASP Top 10!

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

C1: Define Security Requirements

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Application vulnerabilities and defences

Web Application Vulnerabilities: OWASP Top 10 Revisited

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Top 10 Web Application Vulnerabilities

COMP9321 Web Application Engineering

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

F5 Application Security. Radovan Gibala Field Systems Engineer

OWASP TOP OWASP TOP

CIS 4360 Secure Computer Systems XSS

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

P2_L12 Web Security Page 1

Combating Common Web App Authentication Threats

Secure Application Development. OWASP September 28, The OWASP Foundation

Bank Infrastructure - Video - 1

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

COMP9321 Web Application Engineering

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

TIBCO Cloud Integration Security Overview

Exploiting and Defending: Common Web Application Vulnerabilities

Web Application Threats and Remediation. Terry Labach, IST Security Team

Web Application Penetration Testing

Security Best Practices. For DNN Websites

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

The Top 6 WAF Essentials to Achieve Application Security Efficacy

GOING WHERE NO WAFS HAVE GONE BEFORE

CONTENTS. Recommendations. Prize Q & A

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

6-Points Strategy to Get Your Application in Security Shape

Cyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA

Certified Secure Web Application Engineer

Advanced Web Technology 10) XSS, CSRF and SQL Injection

WEB SECURITY: XSS & CSRF

DreamFactory Security Guide

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

OWASP TOP 10. By: Ilia

COMP9321 Web Application Engineering

EasyCrypt passes an independent security audit

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Simplifying Application Security and Compliance with the OWASP Top 10

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Curso: Ethical Hacking and Countermeasures

How to read security test report?

INNOV-09 How to Keep Hackers Out of your Web Application

Ruby on Rails Secure Coding Recommendations

Development Security Guide Oracle Banking Credit Facilities Process Management Release [July] [2018]

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Certified Secure Web Application Security Test Checklist

Development Security Guide Oracle Banking Virtual Account Management Release July 2018

Secure Development Guide

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

eb Security Software Studio

SOLUTION BRIEF CA API MANAGEMENT. Enable and Protect Your Web Applications From OWASP Top Ten With CA API Management

PRESENTED BY:

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

CSE484 Final Study Guide

Domino Web Server Security

Secure Coding, some simple steps help. OWASP EU Tour 2013

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

RiskSense Attack Surface Validation for Web Applications

CS 161 Computer Security

Web Security: Web Application Security [continued]

Vulnerabilities in online banking applications

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Transcription:

Application Layer Security General overview Ma. Angel Marquez Andrade

Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side scripting pushes processing to the client The technologies have been standardized

Current web applications handle sensitive data and functionality: Access payroll information Sharing personal documents Enterprise reports and resource planning software Financial institutions E-commerce

CIA Confidentiality Integrity Availability Risks Loss of privacy. Unauthorized access to information. Identity Theft Information is no longer reliable or accurate. Fraud Business disruption, Loss of customer confidence, Loss of revenue

OWASP Top 10 focused on identifying the most common vulnerabilities, but were also designed around risk measures

OWASP Top 10 Application Security Risks Open Web Application Security Project (OWASP) Foundation is a non-profit organization. Enables organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. Produces open-source documentation, tools, and standards. Facilitates conferences, local chapters, articles, and message forums.

OWASP Top 10 Application Security Risks Foreword: We can no longer afford to tolerate relatively simple security problems like those presented in the OWASP Top 10 digital infrastructures get increasingly complex and interconnected Insecure software is already undermining our critical infrastructure

Web sites of the past Repositories of static documents. Before there was no sensitive information, the server was already open to public view. Main problem: Vulnerabilities in server software. Site defacing, stealing server s storage and bandwidth.

Web applications Key Problems: Third party packages abstract developers from underlying technologies (less security awareness) Ready made code vulnerabilities affect many unrelated applications. Time constraints to develop the application Security through obscurity Increasing functionality demands

Present core security problem: Users can supply arbitrary input - users can interfere with request parameters, cookies, and HTTP headers. - users can send requests in any sequence. - users are not restricted to using the web browser only.

(SQL) A1-Injection SQL is a standard programming language for relational databases Consists of a data definition language and a data manipulation language SELECT FirstName, LastName FROM Persons WHERE Province = ' ON ' SELECT specifies columns of the queried tables FROM indicates the table(s) from which data is to be retrieved WHERE eliminates all rows for which the comparison is not true.

database.executequery( "SELECT FirstName, LastName FROM Salesperson WHERE State = '" + selectedstate + "'") SELECT FirstName, LastName FROM Salesperson WHERE State = ''; DROP TABLE Users; --' SELECT * FROM Users WHERE username='foo' AND password='bar' OR '1' = '1' comment

(SQL) A1-Injection An SQL query is concatenated with usercontrollabe data and submitted to a backend database. String query = "SELECT * FROM accounts WHERE custid='" + request.getparameter("id") +"'"; Preventing injection requires keeping untrusted data separate from commands and queries. All data could be stolen, modified, or deleted.

Attacking new users and stealing data beyond the database

Blind SQL injection CustomerHistory.html Check for customer with ID = INPUT Error home.html SELECT OrderID FROM Sales WHERE CustomerID = '' OR MID((SELECT table_name FROM INFORMATION_SCHEMA.tables LIMIT 1),1,1) = 'A'

Prevention Avoid returning detailed error messages, stack traces: Validate input: Casting (numeric or date) Blacklists vs. Whitelists (regular expressions/ only simple patterns ) Escaping input : SELECT OrderID FROM Sales WHERE CustomerID = ''' OR ''1'' = ''1' Parameterized queries: SELECT OrderID FROM Sales WHERE CustomerID =?

A4-Insecure Direct Object References

A4-Insecure Direct Object References An authorized user changes a parameter value (which directly refers to an object) to another object the user isn t authorized for. Automated crawler can find all directly accessible files in the system.

Prevention Authorization in database vs application Using per user or session indirect object references Take product records and store them in an array specific to that user. Credit card selection box : <select name=" choosephone"> <option value="1"> myphone3 </option> <option value="2"> myphone4 </option> </select> http://retailsite.cxx/catalog/productindex=123

Join Product and UserProduct tables on the ProductName column and filter by UserID. User ProductName Price ReleaseDate Anonymous myphone3 99.00 6/19/2009 Anonymous myphone4 199.00 7/24/2010

A8-Failure to Restrict URL Access Top 10 2013-A7-Missing Function Level Access Control Do not assume that users will be unaware of special or hidden URLs or APIs. Block access to all file types that your application should never serve (source files) /auth/addpassword probably there is: /auth/resetpassword /auth/getpassword /auth/updatepassword

A10-Unvalidated Redirects and Forwards www.site.cxx/login?page=myaccount www.site.cxx/login?page=www.evilsite.cxx Don t involve user parameters in destination. Or ensure that the supplied value is valid. Access unauthorized pages (where the user should be sent if a transaction is successful).

A3-Broken Authentication and Session Management Weak session identifiers The application returns the session token as part of the page URL Weak account management functions (account creation, change password, recover password). Example(Ebay account lockout DoS) Sessions do not timeout http://tickets.com/itinerary; jsessionid=2p0oc2jdpxm0 OQSNDLPSKHCJUN2JV?conf=ABB21

A6-Security Misconfiguration Development or default settings remain once deployed. Missing patches. Stack traces and other overly informative error messages.

A7-Insecure Cryptographic Storage Personal information is not properly encrypted or hashed, or missing salt(example). Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc ) Encyption keys are not stored securely(hard coding keys, and storing keys in unprotected stores ) or renewed properly.

A9-Insufficient Transport Layer Protection The site doesn t use SSL for all pages that require authentication (stolen cookie, eavesdropping, man-in-the-middle) Improperly configured SSL certificate generates warnings (users are confused)

A5-Cross Site Request Forgery (CSRF) & A2-Cross Site Scripting (XSS)

Thank you

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback