Annual Web Application Security Report 2011
An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010
Contents

1.0 Introduction
2.0 Summary
3.0 Number of vulnerabilities found
4.0 Occurrences of risk levels
5.0 Risk levels
5.1 Top five high risks
5.2 Top five medium risks
6.0 Sector Analysis
7.0 Recommendations made on the basis of this report's findings
7.2 General Advice
About NTA Monitor
Contact details for NTA Monitor Ltd

NTA Monitor Ltd 2010 Page 2
1.0 Introduction

NTA's Annual Web Application Security Report 2011 highlights significant trends and identifies the most common vulnerabilities discovered through web application testing undertaken on behalf of clients in both the public and private sector across a wide range of industry sectors. The report analyses data gathered from all application tests completed between 1 January and 31 December.

Risk levels (high, medium, low and informational) are defined as:

High: Allows unauthorised external users to obtain system access. The vulnerability is widely known and actively exploited by hackers.

Medium: Allows external users to disrupt services, permits users to obtain unauthorised access or could provide access to unauthorised external users if incorrectly configured.

Low: Provides information that could be valuable to a hacker.

Informational: Issues that are not directly security exposures, but result in non-optimal Internet performance for users. Informational occurrences typically indicate poor security housekeeping and knowledge of how some Internet mechanisms work.

The report's findings present the average risks found, rather than total numbers, in order to provide a consistent overview of the risk levels and occurrences, offering a benchmark for comparison. Data is also presented by sector, enabling those using this report to benchmark their organisation against their peers. Comparisons will also be drawn where appropriate between the findings of this report (referred to as the 2011 report) and the 2010 report, which analysed the results of vulnerability tests conducted during
2.0 Summary

Results highlighted a marked jump in the average number of vulnerabilities found per web application, up from 14 in 2009 to 15.6 in. The total number of flaws identified per test substantially increased too. In 2010, 70% of tests had more than 11 flaws compared with just 47% in.

Analysis of the test results showed a slight drop in the overall total occurrence of high risk issues in web application tests, down from 28% in 2009 to 25% in 2010, but a significant rise in medium risk threats, up from 62% in 2009 to 79% in. On average, each web application test contained 0.4 high risks, 3.5 medium risks, 8.7 low risks and 2.9 informational risks.

SQL injection and cross-site scripting (XSS) were the most common flaws found in web applications in. Data from web application tests showed that more than a quarter (27%) of threats identified as high risk were categorised as SQL injection, while 21% of medium risk issues were classified as XSS. Other frequently occurring threats to information security included a lack of patching (16%), Denial of Service (DoS) vulnerabilities affecting Apache web servers (13%), cross-site request forgery (CSRF) (4%), no, or poor, encryption (4%) and issues around password management (4%).

Evaluating the test results by industry sector, IT & Telecoms was found to be the least secure, with above average high and medium risks (0.6 and 4.1 respectively) and a slightly above average total number of vulnerabilities at 16.7 per test. The sector seen to be the most secure according to test data was finance, which had below average high (0.1), medium (2.5) and total number of risks (13.7) per web application test.

Figure 1 shows the percentage ratio of risk levels found from all tests conducted by NTA Monitor.

Figure 1 Risk levels found in web application tests (chart of High, Medium, Low and Informational percentages; not reproduced)
3.0 Number of vulnerabilities found

An average of 15.6 vulnerabilities was found per test. The number of issues identified ranged from one to 69 in a test. In 2010, testing identified more applications containing a higher number of vulnerabilities than in. Of the applications tested, 30% had between one and 10 issues, 47% contained between 11 and 20 flaws, 17% had vulnerabilities, 6% had issues and 1% contained 41+ issues. Figure 2 shows the percentage comparison with.

Figure 2 Vulnerabilities found per test (chart: number of vulnerabilities against % of tests in 2010 and 2009; not reproduced)
4.0 Occurrences of risk levels

On average, 0.4 high risks per application test were found, with high risks accounting for just 3% of the total vulnerabilities discovered across all tests. An average of 3.5 medium level risks was found per test and, overall, medium risks accounted for 23% of all vulnerabilities found. The majority of risks (56%) were of a low risk level, and an average of 8.7 low level risks was found per test, while an average of 2.9 informational vulnerabilities was identified in each test, accounting for 19% of all vulnerabilities. Figure 3 compares the average number of risk levels found per test with last year's results.

Figure 3 Average vulnerabilities found per test (all sectors) (chart: average number of High, Medium, Low, Informational and Total risks; not reproduced)
5.0 Risk levels

During 2010, a quarter of the web applications tested contained at least one high risk vulnerability. Of those tests, 17% found one high risk issue and 8% found more than one. High level risks represent a significant security threat to an organisation because they could allow unauthorised external users to obtain system access. These flaws are often widely known and exploited by attackers.

79% of tests found one or more medium level risks, a significant rise of 17% on. The presence of any medium level vulnerability can mean that external users may be able to disrupt services or obtain unauthorised access.

98% and 97% of tests contained low and informational risks respectively. Although these may not present an immediate security threat to an organisation, they could provide information that may be valuable to an attacker, or result in poor Internet performance for users. Informational occurrences tend to indicate inconsistent security housekeeping and a lack of knowledge of how some Internet mechanisms work.

Analysing the data in detail, the most common high and medium risk flaws have been identified as follows.
5.1 Top five high risks

1. Web application has SQL Injection vulnerability (27%) (not featured)

SQL Injection is a result of insufficient input validation on the server side. Often form fields or URL parameters controlled by the user are inserted into dynamic SQL queries on the server side. If these user-controlled elements are not sanitised, this could lead to arbitrary SQL code execution on the backend database. The scope of exploitation is limited to the permissions and access of the database user in use by the application at the time of exploitation. This is why it is important to use a non-privileged database user account and to strip the user of permissions not required for correct application functionality (e.g. INSERT, DELETE, MODIFY).

2. Patch Management (16%) (not featured)

The operating system(s) are running out-of-date software packages (i.e. service packs, e.g. for Windows). As each service pack typically contains many patches, the server may be at risk. With this information, an attacker can perform a denial of service or even compromise the IT systems.

3. Cross-site scripting (6%) (not featured)

The web server is vulnerable to an attack known as cross-site scripting (XSS), which enables a hostile web site to cause malicious code, such as JavaScript commands, to be executed in a user's browser and gather information such as session IDs and cookies, which could provide access to the user's account. This vulnerability could enable users who unwittingly click on a malicious link to leak private information to attackers. XSS is considered to be high risk if the web application allows users to store data on the server by entering information through web forms. The vulnerability is much less significant if your site does not have this functionality.

4. Cross-site request forgery (CSRF) (4%) (not featured)

CSRF (cross-site request forgery) allows an attacker to submit data on behalf of an authenticated user, without their knowledge. CSRF, although similar-sounding in name to cross-site scripting (XSS), is a very different form of attack. Where cross-site scripting exploits the trust a user has in a web site, CSRF exploits the trust a web site has in a user by forging a request from a trusted user. These attacks are often less well known (so there are fewer resources available) and more difficult to defend against than XSS attacks, and are therefore more dangerous. Depending on the forms affected, an attacker could hijack user accounts by changing addresses and then using the forgotten password form to reset or gain access to the account, change passwords, add user accounts, escalate account privileges etc.

5. Password issues (4%) (not featured)

A range of password management issues can affect the security of a system in an organisation. Users may be able to change their passwords to ones that are weak and guessable, for example, which increases the chance of unauthorised access to their account. Alternatively, some organisations may not be filtering meta characters from a chosen password. When changing the password, it is possible to include characters with special meaning, such as semi-colons, in the password field. Failing to filter out such characters could leave an organisation open to piggy-backing attacks, where attackers submit data using the intended method but embed commands in this data, which will be executed by back-end systems.
5.2 Top five medium risks

1. Web application has cross-site scripting vulnerability (XSS) (21%) (#1)

Cross-site scripting enables a hostile web site to cause malicious code such as JavaScript commands to be executed in a user's browser and gather information such as session IDs and cookies. This vulnerability could enable users who unwittingly click on a malicious link to leak private information to attackers.

2. Denial of Service (DoS Apache) (13%) (#2)

The Apache web server is vulnerable to a denial of service attack in which a remote attacker sends a specially crafted GET request containing a false Content-Length: header, which causes the connection from attacker to web server to remain open and unresponsive. This can be used to consume server resources: an attacker could exploit this flaw to take up all available connections to the web server, thereby denying access to legitimate clients. Due to the nature of this attack, far less bandwidth is consumed than with a conventional attack, as it relies on the web server running out of resources rather than the Internet gateway bandwidth being saturated. This is due to a combination of the default 'TimeOut' and 'MaxClients' server settings and overall server design.

3. No account lockout mechanism (10%) (#3)

User accounts are not locked out after several incorrect login attempts. This means that an attacker, given a valid username, could perform a brute force attack on the password, i.e. repeatedly guess the password until they find the correct one.

4. Static session ID is used before and after authentication (5%) (not featured)

The session ID issued by an application remains static pre and post login. That is, the user is given the same session ID before and after authentication with the web application. Because the session ID stays the same after authentication, an attacker does not need to obtain the value of the session ID that the user holds once authenticated. Therefore, if an attacker manages to find a way to fix the session ID of a user, they can authenticate as that user without needing to know the user's username and password.

5. No, or weak, encryption (4%) (not featured)

Allowing access to secure areas over plain HTTP can result in users sending account information or sensitive and confidential data unencrypted. Data sent in the clear is at risk of being intercepted by attackers or network sniffers.
6.0 Sector analysis

Evaluating the test results by industry sector, IT & Telecoms was found to be the least secure, with above average high and medium risks (0.6 and 4.1 respectively) and a slightly above average total number of vulnerabilities at 16.7 per test. The services sector was also found to be insecure, having a well above average total number of vulnerabilities at 18.4 per test and a high number of medium risk vulnerabilities at 5.4, but an average number of high risk flaws.

Central and local government organisations, however, have seen a marked improvement in information security from. Although local government had above average high risk vulnerabilities at 0.6 per test, the average total number of vulnerabilities per test was just 12.2 compared with 19.3 in. Risks classified as a medium threat were well below average too, at 2.6 (compared with the all sector average of 3.5). No high risks were identified in web applications being run by central government departments, but the average total number of vulnerabilities per test was running at well above the sector average at.

The sector seen to be the most secure according to test data was finance, which had below average high (0.1), medium (2.5) and total number of risks (13.7) per web application test.

Figure 4 highlights the average ratio of risk levels for each industry sector, compared with the all sector average. Some sectors have been categorised slightly differently for. Figures 5 and 6 (over the page) compare this year's industry sector data with 2009, using historic sector categorisation.

Figure 4 Average number of risks found per test per sector 2010 (chart: High, Medium, Low and Info per sector for Central Government, Education, Finance, IT & Telecom, Law, Local gov - council, Manufacturing, NHS, Non-profit, Police, Publishing, Retail, Services - other, Utility and Total average; not reproduced)
Figure 5 Comparison of average number of vulnerabilities per sector 2009 / (chart: Government, Finance, Charities/Non profit, Services, IT & Telecoms, Manufacturing, Legal, Utilities and Total average; not reproduced)
Figure 6 Changes in risks found per sector from 2009 to (chart: High, Medium, Low and Informational for Government, Finance, Charities/Non Profit, Services, IT & Telecoms, Manufacturing, Legal, Utilities and Total average; not reproduced)
7.0 Recommendations made on the basis of this report's findings

To address SQL injection issues, it is important that all user input is parameterised (where possible). Most databases and languages support parameterised queries (e.g. PREPARE for MySQL and PreparedStatement for Java). If prepared statements are not possible, it is important that all meta characters (e.g. single quote) in input are sanitised before being allowed to pass to the backend database (e.g. htmlspecialchars with ENT_QUOTES for PHP).

It is recommended that systems are updated with the latest service pack and patches. It is also suggested that a patch management policy to update IT systems on a frequent basis is put in place.

To avoid XSS, all areas of an application where user input is required must be checked and sanitised against invalid character input. All meta characters and HTML tags (e.g. < >) should be restricted where possible before input is passed to the backend.

Switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field provided on every form) will help prevent CSRF attacks. A similar approach is to include a secret, user-specific token in forms that is verified in addition to the cookie. Contrary to popular belief, using POST instead of GET does not offer sufficient protection: JavaScript can be used to forge POST requests with ease. Requests that perform an action should nonetheless always use POST. It is therefore recommended that a random token be applied to each form to provide form-based security and to prevent rogue form submission.

Tighter restrictions must be placed on password length, and more stringent controls on what users can choose as their password should be applied. This will help users protect their accounts more effectively. It would also be beneficial to provide some online documentation on choosing secure passwords. In addition, the characters allowed in the password and all other fields submitted using web forms should be reviewed, taking care to filter out any characters which may cause back-end systems to execute unwanted commands.

If web servers are running a version of Apache Web Server that is vulnerable to a denial of service, appropriate patches should be applied or servers upgraded to the latest version.

It is recommended that accounts are locked out after around three consecutive failed logon attempts. This will prevent attackers from being able to brute force accounts. To avoid locking an account out indefinitely, best practice is to lock a user out for a substantial amount of time, e.g. between 30 minutes and two hours, after three incorrect attempts. There is a good chance that this won't affect the user, but it will certainly hamper an attacker's progress.

It is recommended that the old session ID is expired and a new session ID is issued after successful authentication.

Access to sensitive or confidential information should only be allowed over SSL. It is particularly important to ensure login form details are submitted to an HTTPS URL.
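The parameterised-query recommendation above, worked through as an added example (not code from the report) in Python with an in-memory SQLite table and sample rows constructed here: the string-built query lets a single quote in the input reach the SQL parser, while the parameterised query hands the same value to the database as data.

```python
import sqlite3
from typing import Dict, List, Union


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a constructed sample users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")],
    )
    return conn


def lookup_email_unsafe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The pattern the report warns about: user input spliced into dynamic SQL.
    A single quote inside `username` is read by the SQL parser, so the input
    decides the structure of the query, not just the value being compared."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The report's recommendation: a parameterised query. The SQL text is
    fixed and the value travels separately, so quotes are never parsed as SQL."""
    query = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def compare(username: str) -> Dict[str, Union[List[str], str]]:
    """Run both lookups on the same input and report what each one did."""
    conn = make_db()
    result: Dict[str, Union[List[str], str]] = {
        "safe": lookup_email_safe(conn, username)
    }
    try:
        result["unsafe"] = lookup_email_unsafe(conn, username)
    except sqlite3.OperationalError as exc:
        # The database treated part of the input as SQL rather than as a value.
        result["unsafe"] = "SQL error: " + str(exc)
    return result


if __name__ == "__main__":
    print(compare("alice"))     # both queries agree on a plain username
    print(compare("o'brien"))   # the unsafe query breaks, the safe one returns []
```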
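As a second added example, not from the report, the account lockout, session ID re-issue and per-form token recommendations above combined in one small Python login service; the user table, injected clock and thresholds are constructed for the demonstration (the report suggests 30 minutes to two hours for the lockout period; 30 minutes is used here).

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional

MAX_FAILED_ATTEMPTS = 3      # lock after around three consecutive failures
LOCKOUT_SECONDS = 30 * 60    # 30 minutes, the lower bound the report suggests


class AuthService:
    """Constructed login/session service. `now` is injected so the lockout
    timing can be exercised without waiting. Passwords are held in plain text
    only to keep the demonstration short."""

    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self._users = users
        self._now = now
        self._failures: Dict[str, int] = {}        # username -> consecutive failures
        self._locked_until: Dict[str, float] = {}  # username -> unlock time
        self._sessions: Dict[str, dict] = {}       # session id -> session state

    def new_session(self) -> str:
        """Issue an anonymous (pre-login) session with a fresh random id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def is_locked(self, username: str) -> bool:
        return self._now() < self._locked_until.get(username, 0.0)

    def login(self, sid: str, username: str, password: str) -> Optional[str]:
        """Attempt a login. Returns a NEW session id on success, None otherwise."""
        if sid not in self._sessions or self.is_locked(username):
            return None
        expected = self._users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            fails = self._failures.get(username, 0) + 1
            self._failures[username] = fails
            if fails >= MAX_FAILED_ATTEMPTS:
                # Time-limited lockout rather than an indefinite one.
                self._locked_until[username] = self._now() + LOCKOUT_SECONDS
                self._failures[username] = 0
            return None
        self._failures.pop(username, None)
        # Session fixation defence: expire the pre-login id and issue a new one.
        del self._sessions[sid]
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return new_sid

    def current_user(self, sid: str) -> Optional[str]:
        sess = self._sessions.get(sid)
        return sess["user"] if sess else None

    def csrf_token(self, sid: str) -> str:
        """Token to embed as a hidden field in every state-changing form."""
        return self._sessions[sid]["csrf"]

    def submit_form(self, sid: str, token: str) -> bool:
        """Accept a POSTed action only if the form token matches the session's."""
        sess = self._sessions.get(sid)
        if sess is None or sess["user"] is None:
            return False
        return hmac.compare_digest(sess["csrf"], token)
```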
7.2 General Advice

This is a non-exhaustive list of recommendations for improving web application security.

Regular independent testing
In order to ensure that your website's visitors can use the site securely, it is essential to conduct regular, independent web application testing.

Staff involvement
Educating and training staff on Internet security issues can make a significant difference to the number of holes in your network security. For instance, some risks discovered in this report, such as permitting users to choose insecure passwords, can be introduced by any individual, and one who knows little about network security will not consider the consequences of their action.

Clear and up to date security policy
Develop, publicise and update a clear security policy. Make sure that, as staff and the business change, everyone is aware of measures that they can personally take to maintain network and Internet security. Adherence to the company security policy should be tied in with staff contracts and disciplinary procedures.

Configuration
Configure all systems according to the security design and use a standard build for all perimeter system types. This ensures that all systems are hardened to the same standard. If a flaw is identified in one system, a tested patch can be readily applied to all identical systems.

Ongoing vigilance
Maintain awareness of the latest threats, software flaws and countermeasures. Monitor security newsgroups and subscribe to security alert and vendor mailing lists.

Management focus
Allocate sufficient management time, focus and control to ensure that preventative actions are carried out on an ongoing basis to minimise security flaws at all levels. Provide sufficient staff resources to address vulnerabilities that threaten your business. Good housekeeping results in good security; as a large proportion of the risks discovered were at the informational risk level, this indicates that security housekeeping is poor.

Security SLAs
When choosing new Internet or managed service providers, insert a security SLA (Service Level Agreement) into the contract. This should define what risk level and time-to-fix the vendor would commit to for the systems managed on your behalf. At the very least, the vendor should agree to fix security holes identified by your staff or independent security advisors.
About NTA Monitor

NTA Monitor was the first UK commercial independent provider of information security testing, auditing and consultancy services. With 15 years of experience, NTA Monitor provides a broad range of services to over 650 clients globally. With an increasing emphasis being placed on corporate governance and compliance, NTA is an ideal security partner to help organisations adhere to best practice guidelines and standards.

NTA is a founder member of the CREST and CESG CHECK schemes and has continually maintained the highest CHECK Green level. NTA can provide CESG CLAS consultants and is able to deliver services through the NPIA and OGC Buying Solutions frameworks. NTA is also an Approved Scanning Vendor (ASV) under the PCI DSS, which governs security standards for the payment card industry.

The company provides a range of security services, which are headlined below. The results detailed in this report are taken from the Web Application Security Test service.

Service areas: EXTERNAL IT SECURITY; INTERNAL IT SECURITY; CONSULTANCY, POLICY & RISK RM

Services: Vulnerability Test; Web Application Test; PCI Compliance Assessment; IPSec / SSL VPN Security Test; Citrix Gateway Security Test; Webmail Security Test (OWA etc); Wireless Infrastructure Test; BlackBerry Audit; Laptop Security Review; Social Engineering; War Dialling; Network Architecture Test & Audit; Code of Connection IT Health Check; Database Testing; Configuration & Rulebase Review; Data Leakage Prevention; VoIP Security Audit; VLAN Switch Review; Desktop Security Review; Removable Media Review; Physical Security Review; IT Risk Assessment / Gap Analysis; Compliance (ISO, PCI, CoCo, SoX); Security Policy & Procedure; Vulnerability Toolset Training; Web Stress Test; Code Review; Forensics Consultancy; CHECK & CLAS

Contact details for NTA Monitor Ltd

UK Office: 14 Ashford House, Beaufort Court, Medway City Estate, Rochester, Kent, ME2 4FA.
Telephone: +44 (0)
Fax: +44 (0)
Email: marketing@nta-monitor.com
Website:

Malaysian Office: B21-7, Block B, Jaya One, 72 (A), Jalan Universiti, Petaling Jaya, Selangor, Malaysia
Telephone:
Fax:
Email: sales-dept@nta-monitor.com.my
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationQuickBooks Online: Security & Infrastructure
QuickBooks Online: Security & Infrastructure May 2014 Contents Introduction: QuickBooks Online Security and Infrastructure... 3 Security of Your Data... 3 Access Control... 3 Privacy... 4 Availability...
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationClient logo placeholder XXX REPORT. Page 1 of 37
Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationColumbia University Web Application Security Standards and Practices. Objective and Scope
Columbia University Web Application Security Standards and Practices Objective and Scope Effective Date: January 2011 This Web Application Security Standards and Practices document establishes a baseline
More informationWEB APPLICATION SECURITY
WEB APPLICATION SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part
More informationState of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell
Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection
More informationAcunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
More informationUsing Free Tools To Test Web Application Security
Using Free Tools To Test Web Application Security Speaker Biography Matt Neely, CISSP, CTGA, GCIH, and GCWN Manager of the Profiling Team at SecureState Areas of expertise: wireless, penetration testing,
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationGuide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing
Guide for the attention of developers/hosts for merchant websites on the minimum level of security for bank card data processing Foreword This guide in no way intends to replace a PCI DSS certification
More informationIntegrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com
SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationExternal Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
More informationVisa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices
This document is to be used to verify that a payment application has been validated against Visa U.S.A. Payment Application Best Practices and to create the Report on Validation. Please note that payment
More informationWindows Remote Access
Windows Remote Access A newsletter for IT Professionals Education Sector Updates Issue 1 I. Background of Remote Desktop for Windows Remote Desktop Protocol (RDP) is a proprietary protocol developed by
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationCyber Essentials Scheme
Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these
More informationHTTPParameter Pollution. ChrysostomosDaniel
HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider
More informationRational AppScan & Ounce Products
IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168
More informationStatistics Whitepaper
White paper Statistics Whitepaper Web Application Vulnerability Statistics 2010-2011 Alex Hopkins whitepapers@contextis.com February 2012 Context Information Security 30 Marsh Wall, London, E14 9TP +44
More informationEssential IT Security Testing
Essential IT Security Testing Application Security Testing for System Testers By Andrew Muller Director of Ionize Who is this guy? IT Security consultant to the stars Member of OWASP Member of IT-012-04
More informationsafe and sound processing online card payments securely
safe and sound processing online card payments securely Executive summary The following information and guidance is intended to provide key payment security advice to new or existing merchants who trade
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationEnterprise Application Security Workshop Series
Enterprise Application Security Workshop Series Phone 877-697-2434 fax 877-697-2434 www.thesagegrp.com Defending JAVA Applications (3 Days) In The Sage Group s Defending JAVA Applications workshop, participants
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationWorking Practices for Protecting Electronic Information
Information Security Framework Working Practices for Protecting Electronic Information 1. Purpose The following pages provide more information about the minimum working practices which seek to ensure that
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationNational Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research
National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationSecurity features of ZK Framework
1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures
More informationOWASP AND APPLICATION SECURITY
SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly
More informationMembers of the UK cyber security forum. Soteria Health Check. A Cyber Security Health Check for SAP systems
Soteria Health Check A Cyber Security Health Check for SAP systems Soteria Cyber Security are staffed by SAP certified consultants. We are CISSP qualified, and members of the UK Cyber Security Forum. Security
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationBarracuda Web Site Firewall Ensures PCI DSS Compliance
Barracuda Web Site Firewall Ensures PCI DSS Compliance E-commerce sales are estimated to reach $259.1 billion in 2007, up from the $219.9 billion earned in 2006, according to The State of Retailing Online
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More informationWeb Application Attacks and Countermeasures: Case Studies from Financial Systems
Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationWeb Vulnerability Assessment Report
Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationWeb Application Security
E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationWe are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review
We are Passionate about Total Security Management Architecture & Infrastructure Optimisation Review The security threat landscape is constantly changing and it is important to periodically review a business
More informationHow To Fix A Web Application Security Vulnerability
Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of
More informationThe purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.
This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out
More informationIT HEALTHCHECK TOP TIPS WHITEPAPER
WHITEPAPER PREPARED BY MTI TECHNOLOGY LTD w: mti.com t: 01483 520200 f: 01483 520222 MTI Technology have been specifying and conducting IT Healthcheck s across numerous sectors including commercial, public
More informationSpigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS
Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against
More informationCYBERTRON NETWORK SOLUTIONS
CYBERTRON NETWORK SOLUTIONS CybertTron Certified Ethical Hacker (CT-CEH) CT-CEH a Certification offered by CyberTron @Copyright 2015 CyberTron Network Solutions All Rights Reserved CyberTron Certified
More informationIntegrating Security Testing into Quality Control
Integrating Security Testing into Quality Control Executive Summary At a time when 82% of all application vulnerabilities are found in web applications 1, CIOs are looking for traditional and non-traditional
More informationTable of Contents. Page 2/13
Page 1/13 Table of Contents Introduction...3 Top Reasons Firewalls Are Not Enough...3 Extreme Vulnerabilities...3 TD Ameritrade Security Breach...3 OWASP s Top 10 Web Application Security Vulnerabilities
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationFileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
More informationInformation Technology Policy
Information Technology Policy Enterprise Web Application Firewall ITP Number ITP-SEC004 Category Recommended Policy Contact RA-ITCentral@pa.gov Effective Date January 15, 2010 Supersedes Scheduled Review
More information