Web Application Guidelines

Size: px
Start display at page:

Download "Web Application Guidelines"

Transcription

1 Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security in mind, most web applications face the open web, and web applications typically combine several technologies that until recently weren t necessary for all developers to be familiar with. These can include any combination of server configurations, the Hyper Text Transfer Protocol (HTTP), server-side code, browser standards, Hyper Text Markup Language (HTML), Cascading Style Sheets (CSS), and JavaScript. These reasons all contribute to one central idea web applications provide a very large attack surface. Table of Contents Table of Contents... 1 Sanitizing User Input... 2 Outputting Data from the User... 2 All Input is User Input... 3 OWASP PHP Sanitization Function and Filters... 4 Authentication Mechanisms... 4 Use NAU s Central Authentication System... 5 Hashing Passwords and Salt... 5 Sessions... 6 JavaScript Authentication... 7 Access and Control... 7 Securing, not Hiding... 7 Cross-Site Request Forgery... 8 Information Leakage... 9 HTML and JavaScript Comments... 9 Include Files... 9 Error Messages Use SSL Miscellaneous Third-party Code In-House Cryptography Securing Cookies... 11

2 Sanitizing User Input It is important to verify all data accepted from the client. This means taking all data that comes from the client or the client s browser and escaping or removing all data that does not conform to expected values. This is known as sanitization. For example, when creating a page that queries a database and displays information, the user might be directed to a url such as: In this scenario, the query string parameter id might relate a record from a database and display the results. It is necessary to ensure that the parameter id is exactly what is expected, most likely a positive integer. If a user were to enter a non-integer value for the id, the application should either modify the value before using it for any functions, or throw an exception and halt processing. Below are examples of some possible user inputs and how the web application could safely respond: OR a = a Exception: Invalid Integer Strip non-integer char: set `id=1` Exception: Invalid Integer Strip non-integer char: set `id=123` Strip non-integer char: set `id=1` Behave Normally One of the above cases could be used to leverage the application into leaking more data from the database than intended by the developer. When using SQL and a database most frameworks include a method of parameterizing the SQL statements. When possible utilize parameterized SQL queries and avoid performing string concatenation to generate the query. Outputting Data to the User As with input, it is important to sanitize any data that will be output to the user as well. Failure to do so may allow an attacker to modify the current page and inject html or JavaScript to compromise other users or damage the reputation of the University. For example, when creating a page that searches a database and returns relevant results, the user might be directed to a URL such as: In this scenario, the query string parameter query might be used in a search of the database and generate output such as:

3 Displaying 10 of 91 Search Results for computers : Computers: A Tutorial How to use computers The parameter query must be sanitized to prevent the user from attempting to manipulate the database and affecting server side components. It also must be sanitized to protect other users. In this example, code to output the above line may look similar to: echo <div id=\ headline\ >Displaying $count of $total Search Results for \ $keyword\ : </div>\r\n ; The script could be used to display cookie information if an attacker were to enter the following (including quotes): </div><div onload= alert(document.cookie); > This would cause the code to be interpreted as such: echo <div id=\ headline\ >Displaying $count of $total Search Results for \ </div><div onload=\ alert(document.cookie);\ >\ : </div>\r\n ; And would output the following in html: <div id=\headline >Displaying 10 of 91 Search Results for </div><div onload= alert(document.cookie); > : </div> A user who visits such a URL will be shown their cookies in an alert box. Instead of simply displaying the cookie information, the same methods could be used to quietly send the cookie information to a different server to be collected and reused, or to conduct operations on behalf of other users. To remediate this, all dynamic data being output should be sanitized based on the context of its use. Choose the appropriate contextual encoding or sanitizing method to meet the expected use of the dynamic data, for more information see the OWASP Cross Site Scripting (XSS) Prevention Cheat Sheet: https://www.owasp.org/index.php/xss_(cross_site_scripting)_prevent ion_cheat_sheet All Input is User Input A common misconception is that cookies, HTTP POST data, <hidden> fields, useragent information, and other header information are secure forms of data. All of the

4 above forms of data reside in the user s browser and are in the control of the user. Cookies can be edited, form fields can be fabricated or modified, user-agents can be spoofed, and header information can be forged. The tools to accomplish this are readily available and easy to use many browsers come with some of them built in! This does not mean that these forms of input should not be used, but it does mean that they should be sanitized or validated safe before their use. It is crucial to note that JavaScript is also controlled by the user. It cannot be assumed that information passed to the server by JavaScript will not be tampered with, modified, or forged, and must be sanitized or validated safe. Checking user input using JavaScript from the client can save processing time and power and avoid a page refresh, but sanitization or validation must also be performed in the serverside code. OWASP PHP Sanitization Function and Filters The Open Web Application Security Project (OWASP) provides a set of sanitization filters available as a PHP function that can very quickly be incorporated into projects. It is secure, simple to implement, and available at: https://www.owasp.org/index.php/owasp_php_filters For Java Developers OWASP provides the OWASP Enterprise Security API: https://www.owasp.org/index.php/easpi For C#/.Net (3.5 and prior)developers Microsoft provides the AntiXSS Libraries: For C#/.Net Developers (4.0 and later) Developers the Framework supports Contextual Based encoding through the HTTPUtility class: Authentication & Access Control Mechanisms Authentication lies in the heart of web application security and is often the prime target for attackers. If an attacker is able to break or bypass authentication, the attacker could potentially assume the identity of another user, obtain sensitive information, or leverage the attack to gain entry to another system.

5 Use NAU s Central Authentication System When possible, use NAU s Central Authentication Service (CAS). It is a single-signon service that provides users a way to login with just one account. It also provides confidence to developers in knowing exactly which user is logged into their system. For example, if a website uses its own registration and user management, being sure that user221 does not sign up as user447 can be difficult to determine. More info about the system as well as implementation documentation is available here: When it is not possible to use NAU s Central Authentication Service, there are some key guidelines that should be followed. Information in transit and information at rest both need to be secured in different ways. Information being transmitted from the user to a web application should always go through SSL (https://). Information stored should be stored in a secure database, rather than in flat-file format. NAU Information Technology Services (ITS) offers Oracle, MySQL, and MSSQL databases. Call the Solution Center for more information. Hashing Passwords and Salt When using CAS, developers don t have to worry about managing passwords. However, if it becomes necessary to do so, it is important that the passwords are stored properly. This means using a secure one-way hashing algorithm with long, unique salts. Examples of secure one-way hashing algorithms are SHA-256 and SHA-512. The password itself should never be stored, and instead a hash of the password can be used to compare login attempts with the user s actual password. Examples below demonstrate a secure implementation of checking login attempts against a database using PHP and MySQL. process_login.php: <?php // Include OWASP Sanitization filter available at: // https://www.owasp.org/index.php/owasp_php_filters include( includes/sanitization.inc ); $con = mysql_connect( mysql_server.com, David, strong_pass, my_app_db ); $sql = SELECT salt FROM `users` WHERE username= $username ; $result = mysql_query($con, $sql) ;

6 $salt = $result[ salt ]; // The salt for each user should be different and // randomly generated. // sanitize_paranoid_string() reduces a string to alpha- // numeric-only $username = sanitize_paranoid_string($_post[ username ]); // The password is not sanitized because it is hashed, // which will strip it of non-alpha-numeric characters before // it is used for anything. Notice the salt. $password = hash( sha256, $salt.$_post[ password ]); // It is important to remember that we store a hash of the // user s password in our database instead of the user s // actual password. Note the salt. $con = mysql_connect( mysql_server.com, David, strong_pass, my_app_db ); $sql = SELECT username FROM `users` WHERE username= $username AND password= $password ; //HASHED password on both ends $result = mysql_query($con, $sql) ; if(mysql_num_rows($result) >= 1) { //Log user in. login($username); } else { //Give user failure message echo Sorry, your username or password is incorrect. ; } mysql_close($con);?> In these examples, the developer used a value called a salt in their hashing. A salt is a string that is usually appended or prepended to a password before hashing. In short, a salt increases the length of the string that is hashed. When a different salt is used for each password, an attacker must generate a new list of passwords and corresponding hashes in order to guess the password from a hash. For more information on hashing, salts, and methods used to attack these, see the following links: Sessions

7 Users should be authenticated with sessions that interact with the server using session cookies or posted <hidden> fields. If cookies are used, the authentication cookies should contain a session string that the server understands and not the user s login information to validate the user. When a user is authenticated a new cookie should be generated and configured to operate on HTTPS only. As mentioned above, cookie information is available to any user to view and modify. This means that an attacker could easily change a cookie user from user123 to admin. For more information on Session Management, see the following links: JavaScript Authentication When it comes to authentication, it is especially important to remember that JavaScript cannot be trusted to act as it is written. This does not mean it cannot be used in login pages or to submit authentication, but data sent to the server this way must be sanitized and verified server-side just like any other input. Access and Control Access and control misconfigurations are some of the most common issues found in web applications. Vulnerabilities can range from exposing sensitive information to an attacker or allowing an attacker to perform actions on behalf of another user. Securing, not Hiding Securing and hiding resources have two very different meanings. For example, a login page might authenticate the user and then forward the user to: This is fine, but admin.php must also verify that the user is authenticated. Otherwise, any user could simply visit the above page directly without first authenticating. It cannot be assumed that users will not know a page exists. This may seem obvious, but it is often overlooked. For example, many web applications use flat-file databases, despite the inherent security risks and weaknesses in this method. Tools that guess at filenames on a server are common and will likely find

8 The same concept applies to backup files. Files such as mysql_config.php.old and site_backup.zip are prime targets for attackers since they could reveal credentials to the backend database or other sensitive information. Another more complex, but more common example involves a page: If this page expects POST information containing a new user s username, password, and but does not authenticate the user requesting the action, then there is nothing stopping an attacker from creating their own HTML form with those fields and using the HTTP POST method to send the information to add_user.php script. It is up to the developer to authorize the user to add another user before executing the code to do so. Proper session management mitigates these vulnerabilities, but only if the developer ensures that a user is authenticated and authorized to perform actions before acting. This applies to all pages that aren t meant to face the public and all pages that should require an authenticated user to perform actions. Cross-Site Request Forgery Cross-Site Request Forgery (CSRF) is an attack technique that involves a malicious web page that attempts to perform actions on behalf of the user against a remote resource. It can be performed with any tag, attribute, or property that instructs a browser to make a request for a resource on the web. This can be hidden in HTML or CSS in such a way that the malicious page shows no visual indication of the attack. For example, if a user were visiting: This page could include <iframe </iframe> If the user visiting the malicious page were already authenticated to the request to change would be performed with the privileges of that user. CSRF attacks are not limited to GET requests. An attacker could create a web page that populates a form on the attacker s own websites and then automatically submits the form to with JavaScript. Some other examples of CSRF techniques include the following: <img src= /> <link rel="stylesheet" type="text/css" >

9 <body style= background-image: > This list is far from comprehensive. CSRF attacks can be prevented by including a randomly generated token with every page that the server can verify when performing any action. This is sometimes called a synchronizer token, or anti-csrf token. The Open Web Application Security Project (OWASP) has provided a resource on securing web applications from CSRF attacks in this way: https://www.owasp.org/index.php/cross- Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet GNU Citizen also provides excellent examples on preventing CSRF attacks: Information Leakage Information leakage can come in several forms and can be classified as anything that unintentionally reveals sensitive information to a user. This could include database passwords, personally identifiable information about users, file system information, and error messages. Below are some ways information is commonly leaked. HTML and JavaScript Comments Some developers are not aware that users can view comments, especially in JavaScript. Others assume that users simply won t think to check. Lastly, anyone can forget that comments with important information may have been left in the code. Information left for testing, debugging, reminding, or communicating with other developers can often be useful to an attacker. Any code or information sent to the user should be reviewed for comments including sensitive information. Include Files File includes are an excellent tool when building a web application. But it is important to keep track of and manage where these files are located and how they are exposed to the web. A page that includes include/mysql.inc may save time and keep the code clean, but if an attacker can view the file in plain text just by typing in:

10 then the web server may expose database credentials which would be immediately compromised. A developer might name the file mysql.inc.php so that the script would execute rather than display plain text. This is not the recommended solution, since an attacker could still execute any includes by manually viewing them. Instead, included files should not be made available to users through a URL. Apache users can put an.htaccess file in the include folder that restricts users from viewing the includes in a safe manner to prevent data leakage. IIS servers can be configured so that the web does not have permissions to view some files or directories. Another method would be to locate include files outside of the webserver path, but in a place that the webserver has read access. Error Messages Server error messages should be disabled and a generic custom error message page should be displayed to the user instead. There is no easier way to discover and exploit SQL injection vulnerabilities than to trigger an informative SQL error. When troubleshooting and debugging code, consider disabling access to the site for anyone besides developers before temporarily re-enabling error messages. Use TLS Lastly, any time a web application accepts or presents sensitive information, TLS should be used. This protects users from an attacker that may be monitoring traffic on the network. Server administrators should be able to provide more information about whether or not SSL/TLS is currently available for the server. Miscellaneous Some best practices don t necessarily fit in the above categories. Those are listed here. Use of the most recent, secure, versions of admin/php and others is considered a best practice as old versions tend to contain vulnerabilities. Third-party Code As a general rule, code from an outside source needs to be researched and checked for known vulnerabilities. This applies to any themes, plugins, extensions, frameworks, and even entire web applications. When vulnerabilities are discovered, measures to remove or mitigate the vulnerabilities should be taken. This may

11 include creating firewall signatures, modification of source code when applicable, or working with vendors to remediate the issues. Examples include, but are not limited to, WordPress and Drupal. These two applications in particular experienced a high level of exploited vulnerabilities in Updating to the latest patch/update as soon as possible is critical in mitigating risks. In-House Cryptography Do not develop custom cryptography for storing, transmitting, or in any securing information. Instead, use cryptographic functions and frameworks that have already been tried and tested. Securing Cookies In an ideal world, an attacker would not be in a position to access your users cookies. In this world however, it is necessary to set reasonable expiration dates on cookies, to destroy session cookies when they expire, and to never store sensitive information in cookies. New cookies should be generated when users switch between non-encrypted (HTTP) communications to encrypted (HTTPS) communications. Cookies which are transmitted over HTTPS should be configured for HTTPS only. Cookies should have their path and domains set as specifically as possible when applicable.

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

Application Security Testing. Indian Computer Emergency Response Team (CERT-In)

Application Security Testing. Indian Computer Emergency Response Team (CERT-In) Application Security Testing Indian Computer Emergency Response Team (CERT-In) OWASP Top 10 Place to start for learning about application security risks. Periodically updated What is OWASP? Open Web Application

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Web Application Security Assessment and Vulnerability Mitigation Tests

Web Application Security Assessment and Vulnerability Mitigation Tests White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus

ASP.NET MVC Secure Coding 4-Day hands on Course. Course Syllabus ASP.NET MVC Secure Coding 4-Day hands on Course Course Syllabus Course description ASP.NET MVC Secure Coding 4-Day hands on Course Secure programming is the best defense against hackers. This multilayered

More information

OWASP Top 10: Effectiveness of Web Application Firewalls. David Caissy AppSec Asia 2016 Wuhan, China

OWASP Top 10: Effectiveness of Web Application Firewalls. David Caissy AppSec Asia 2016 Wuhan, China OWASP Top 10: Effectiveness of Web Application Firewalls David Caissy AppSec Asia 2016 Wuhan, China Agenda Commercial vs Open Source Web Application Firewalls (WAF) Bypassing WAF Filtering Effectiveness

More information

Lecture 11 Web Application Security (part 1)

Lecture 11 Web Application Security (part 1) Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)

More information

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement:

Application Reviews and Web Application Firewalls Clarified. Information Supplement: PCI Data Security Standard (PCI DSS) Requirement: Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI

More information

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Nuclear Regulatory Commission Computer Security Office Computer Security Standard Nuclear Regulatory Commission Computer Security Office Computer Security Standard Office Instruction: Office Instruction Title: CSO-STD-1108 Web Application Standard Revision Number: 1.0 Effective Date:

More information

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE

FINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security

More information

Sichere Software- Entwicklung für Java Entwickler

Sichere Software- Entwicklung für Java Entwickler Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Testing the OWASP Top 10 Security Issues

Testing the OWASP Top 10 Security Issues Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP)

DFW INTERNATIONAL AIRPORT STANDARD OPERATING PROCEDURE (SOP) Title: Functional Category: Information Technology Services Issuing Department: Information Technology Services Code Number: xx.xxx.xx Effective Date: xx/xx/2014 1.0 PURPOSE 1.1 To appropriately manage

More information

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V2.0, JULY 2015 Multiple Layers of Protection Overview Password Salted-Hash Thank you

More information

Enterprise Application Security Workshop Series

Enterprise Application Security Workshop Series Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers The Website can be developed under Windows or Linux Platform. Windows Development should be use: ASP, ASP.NET 1.1/ 2.0, and

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

Passing PCI Compliance How to Address the Application Security Mandates

Passing PCI Compliance How to Address the Application Security Mandates Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Web Application Security

Web Application Security Web Application Security Security Mitigations Halito 26 juni 2014 Content Content... 2 Scope of this document... 3 OWASP Top 10... 4 A1 - Injection... 4... 4... 4 A2 - Broken Authentication and Session

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization.

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization. Introduction Attacks Against Websites 2 Tom Chothia Computer Security, Lecture 12 More on Web Attacks: Cross site scripting attacks (XSS) Cross-site request forgery (CSRF) OWASP top 10 web attacks. Cross-site

More information

OWASP Top 10 Effectiveness of Web Application Firewalls

OWASP Top 10 Effectiveness of Web Application Firewalls OWASP Top 10 Effectiveness of Web Application Firewalls David Caissy About Me David Caissy Web App Penetration Tester Java Application Architect IT Security Trainer: Developers Penetration Testers 2 My

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Essential IT Security Testing

Essential IT Security Testing Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04

More information

Application Security Policy

Application Security Policy Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy

More information

APPLICATION SECURITY AND ITS IMPORTANCE

APPLICATION SECURITY AND ITS IMPORTANCE Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE

More information

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection

More information

Still Aren't Doing. Frank Kim

Still Aren't Doing. Frank Kim Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding

More information

Kentico CMS security facts

Kentico CMS security facts Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the

More information

External Network & Web Application Assessment. For The XXX Group LLC October 2012

External Network & Web Application Assessment. For The XXX Group LLC October 2012 External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution

More information

Annual Web Application Security Report 2011

Annual Web Application Security Report 2011 Annual Web Application Security Report 2011 An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010 Contents 1.0 Introduction... 3 2.0 Summary...

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741

OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Application Security Vulnerabilities, Mitigation, and Consequences

Application Security Vulnerabilities, Mitigation, and Consequences Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

5 Mistakes to Avoid on Your Drupal Website

5 Mistakes to Avoid on Your Drupal Website 5 Mistakes to Avoid on Your Drupal Website Table of Contents Introduction.... 3 Architecture: Content.... 4 Architecture: Display... 5 Architecture: Site or Functionality.... 6 Security.... 8 Performance...

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia

Top Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes

More information

Certified Secure Web Application Secure Development Checklist

Certified Secure Web Application Secure Development Checklist www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill

More information

OWASP Secure Coding Practices Quick Reference Guide

OWASP Secure Coding Practices Quick Reference Guide OWASP Secure Coding Practices Quick Reference Guide Copyright and License Copyright 2010 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For

More information

Standard: Web Application Development

Standard: Web Application Development Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development

More information

Developing ASP.NET MVC 4 Web Applications Online Training

Developing ASP.NET MVC 4 Web Applications Online Training Course Outline Plan the Application Layers Plan data access Plan for separation of concern Appropriate use of models, views, and controllers Choose between client-side and server-side processing Design

More information

Top 10 Web Application Security Vulnerabilities - with focus on PHP

Top 10 Web Application Security Vulnerabilities - with focus on PHP Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual 1 Resources The Top 10 Project by OWASP www.owasp.org/index.php/owasp_top_ten_project

More information

WebCruiser Web Vulnerability Scanner User Guide

WebCruiser Web Vulnerability Scanner User Guide WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction...2 2. Key Features...3 2.1. POST Data Resend...3 2.2. Vulnerability Scanner...6 2.3. SQL Injection...8 2.3.1. POST SQL

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like

More information

5 Simple Steps to Secure Database Development

5 Simple Steps to Secure Database Development E-Guide 5 Simple Steps to Secure Database Development Databases and the information they hold are always an attractive target for hackers looking to exploit weaknesses in database applications. This expert

More information

Columbia University Web Security Standards and Practices. Objective and Scope

Columbia University Web Security Standards and Practices. Objective and Scope Columbia University Web Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Security Standards and Practices document establishes a baseline of security related requirements

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

Web Application Firewall on SonicWALL SRA

Web Application Firewall on SonicWALL SRA Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following

More information

SQL Injection January 23, 2013

SQL Injection January 23, 2013 Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2

More information

Using Foundstone CookieDigger to Analyze Web Session Management

Using Foundstone CookieDigger to Analyze Web Session Management Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Cyber Security Workshop Ethical Web Hacking

Cyber Security Workshop Ethical Web Hacking Cyber Security Workshop Ethical Web Hacking May 2015 Setting up WebGoat and Burp Suite Hacking Challenges in WebGoat Concepts in Web Technologies and Ethical Hacking 1 P a g e Downloading WebGoat and Burp

More information

Web Application Security Considerations

Web Application Security Considerations Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

Web Application Security. Srikumar Venugopal S2, Week 8, 2013

Web Application Security. Srikumar Venugopal S2, Week 8, 2013 Web Application Security Srikumar Venugopal S2, Week 8, 2013 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.

More information

Protecting Your Organisation from Targeted Cyber Intrusion

Protecting Your Organisation from Targeted Cyber Intrusion Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

More information

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com

Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and

More information