Security of Web Applications and Browsers: Challenges and Solutions

Size: px
Start display at page:

Download "Security of Web Applications and Browsers: Challenges and Solutions"

Transcription

1 Security of Web Applications and Browsers: Challenges and Solutions A Tutorial Proposal for ACM SAC 2015 By Dr. Hossain Shahriar Department of Computer Science Kennesaw State University Kennesaw, GA 30144, USA ACM SAC 2015 Tutorial Proposal Page 1 of 5

2 1. Title: Security of Web Applications and Browsers: Challenges and Solutions 2. Duration: Half day, 3 hours 3. Abstract We rely on web applications to perform many useful activities. Despite the awareness have raised since the past decade on vulnerabilities commonly discovered in the implementation of web applications, we still observe the presence of known vulnerabilities today. Worse that the browser platforms are posing extra challenges through extended functionalities or light weight extension applications that can not only access data from visited webpages and local machines, but also transfer them to remote hosts controlled by hackers. Given that a solid understanding of both application and browser platform security is essential to tame the unsecured web. In this tutorial we will provide an overview of some common vulnerabilities for web applications and browsers, followed by some common techniques useful to combat against security threats. In particular, we will discuss some well-known implementation level vulnerabilities (e.g., SQL Injection, Cross-Site Scripting, Clickjacking) along with a popular mitigation approach known as security testing. We then focus our discussion on the browser platform and explore some of its supported features for extension applications with their capabilities. We will highlight vulnerabilities arise from extensions followed by exploring malware extensions. Finally, we discuss some practices to securely implementing browser extensions and combat against malware extensions. 4. Motivation, target audience, and interest for the SAC community Most of discovered security breaches reported in various surveys (e.g., OWASP) have been shown to be related to implementation level weakness and some of the supported features of the underlying browser. The consequence of vulnerabilities could result in unwanted consequences such as bypassing of legitimate login procedure, hijacking of session information, deletion or alteration of sensitive data, execution of arbitrary code supplied by hackers, and passing of sensitive information to unwanted third parties. Given that this tutorial is intended to raise awareness and guide practitioners to prevent the consequences. The tutorial is intended for application designers and developers, security testers, security researchers, scientists, and graduate students. As the tutorial is addressing one of the most emerging and crucial issues in security and quality assurance, it demonstrates an extremely high degree of relevance and addresses a broad spectrum of potential attendees of ACM SAC The tutorial will benefit related stakeholders to understand the most common program security vulnerabilities. Moreover, it will allow relevant professionals to apply appropriate vulnerability mitigation techniques. 5. Outline of the tutorial The tutorial consists of three major parts. In the first part, we briefly discuss some of the most common vulnerabilities that are widely discovered in programs. We provide an idea on how the exploitations of four commonly discovered web security vulnerabilities (SQL injection, Crosssite scripting, Cross-site request forgery, clickjacking) can lead to many unwanted behaviors such as login bypassing. ACM SAC 2015 Tutorial Proposal Page 2 of 5

3 In the second part, we introduce the vulnerability detection process based on testing approach. We explore both black box and white box approaches. In particular, our discussion will focus on some key aspects to conduct the testing process such as test case generation method, source of test case, test case granularity, and vulnerability coverage. We discuss some of test case generation techniques in details followed by open issues. In the third part, we discuss the browser structure, particularly focusing on Mozilla, an open source browser widely used today. We provide an introduction of browser extension concept, outlining structure, with supporting application examples. We discuss vulnerabilities that may arise in extensions and show how they can be exploited. We then discuss malware extensions that can perform unwanted activities without the knowledge of the uses. Finally, we discuss some common programming practices that can be applied to prevent vulnerabilities in extensions as well as approaches to detect and prevent malware extensions. For each of the part, we provide estimated duration, subtopics as below in structure of contents followed by a list of the most relevant literatures. Structure of Contents Introduction (10 min) o Motivation and background Web application vulnerabilities (Part 1: 45 min) o SQL Injection o Cross-Site Scripting o Cross-Site Request Forgery o Clickjacking Security testing (Part 2: 40 min) o Taxonomy of web security testing o Test case generation technique o Static analysis based security testing Browser Vulnerabilities (Part 3: 45 min) o Browser security model and extension o Vulnerable and malware extension o Prevention and solutions Summary (10 min) References 1. H. Shahriar, K. Weldemariam, M. Zulkernine, and T. Lutellier, Effective detection of vulnerable and malicious browser extensions, Computers & Security, June 2014, Elsevier Science (to appear). 2. H. Shahriar, V. Devendran, and H. Haddad, "ProClick: A Framework for Testing Clickjacking Attacks in Web Applications," To appear in Proc. of 6 th ACM/SIGSAC International Conference on Security of Information and Networks (SIN 2013), Aksaray, Turkey, November 2013, pp ACM SAC 2015 Tutorial Proposal Page 3 of 5

4 3. H. Shahriar and M. Zulkernine, Mitigation of Program Security Vulnerabilities: Approaches and Challenges, ACM Computing Surveys (CSUR), Vol. 44, No. 3, Article 11, pp. 1-46, May H. Shahriar and M. Zulkernine, Trustworthiness Testing of Phishing Websites: A Behavior Model-based Approach, Future Generation Computer Systems, Vol. 28, Issue 8, October 2012, pp H. Shahriar and M. Zulkernine, Taxonomy and Classification of Automatic Monitoring of Program Security Vulnerability Exploitations, Journal of Systems and Software, Elsevier Science, Vol. 84, Issue 2, February 2011, pp H. Shahriar and M. Zulkernine, S 2 XS 2 : A Server Side Approach to Automatically Detect XSS Attacks, Proc. of the 9 th IEEE International Conference on Dependable, Autonomic and Secure Computing (DASC), Sydney, Australia, December 2011, pp H. Shahriar and M. Zulkernine, Client-Side Detection of Cross-Site Request Forgery Attacks, Proc. of the 21 st IEEE International Symposium on Software Reliability Engineering (ISSRE), San Jose, USA, November 2010, pp Specific goals and learning objectives After completing the tutorial, the participants are expected to do the followings: Explain the cause of web application security vulnerabilities and demonstrate the consequence of vulnerabilities with attack payloads, and generate new attack payloads Explain various features of browsers and extension, and develop small extensions having vulnerabilities, followed by exploiting them with suitable test cases Follow some secure programming principles to prevent vulnerabilities Choose appropriate defense techniques to detect vulnerabilities in applications and malware extensions Follow the best practices for deploying web applications and configuring browsers 7. Expected background of the audience Participants are expected to have some familiarity with languages for web application development including HTML, JavaScript, PHP, JSP, and XML. 8. Presenter bios Dr. Hossain Shahriar is currently an Assistant Professor of Computer Science at Kennesaw State University, Georgia, USA. His research interests include software security, web application security, software testing, mobile application security, and malware analysis. Dr. Shahriar is an expert on application security testing with extensive publications and industry experience. His research has attracted a number of awards including IEEE DASC 2011 Best Paper Award, Outstanding PhD Research Achievement Award 2011, and IEEE Kingston Section Research Excellence Award Dr. Shahriar presented tutorials in ACM SAC 2011 and IEEE ISSRE 2012, and has been invited to present a tutorial on web application security issues in ACM/SIGSAC SIN He has served as PC member in various international conferences related to computer and software security such as ACM SAC 2014 (Computer Security Track), ACM SAC 2015 Tutorial Proposal Page 4 of 5

5 ACM/SIGSAC SIN 2014, and IEEE ITNG He is also serving as an associate editor of the International Journal of Secure Software Engineering. Dr. Shahriar is currently a member of the ACM, ACM SIGAPP, and IEEE. 9. Audio Visual equipment needed for the presentation Projector for power point slide show would be sufficient. 10. Teaching materials on the topic by the presenter a. Tutorial in International Conference 1. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In ACM SAC 2014, Gyeongju, South Korea. 2. Security Vulnerabilities and Mitigation Techniques of Web Applications, In ACM/SIGSAC SIN 2013, Aksaray, Turkey. 3. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In IEEE ISSRE 2012, Dallas, TX, USA. 4. Mitigation of Program Security Vulnerabilities: Approaches and Challenges, In ACM SAC 2011, Taichung, Taiwan, March b) Invited talk/guest speaker seminar 1. Web Application Security Vulnerability: Mitigation Approaches and Challenges, CIISE, Concordia University, Quebec, Canada, February Web Security Vulnerabilities: Challenges, Approaches, and Future, The School of Informatics, The University of Edinburgh, Scotland, UK, March Web Security, School of Computing (Guest Lecture Seminar), Queen s University, Canada, November c) Academic courses 1. Computing Security (CS6040), Kennesaw State University, GA, USA. 2. Theory of Networking & Security (CS3550), Kennesaw State University, GA, USA. 3. Secure Software Development (CS4550), Kennesaw State University, GA, USA. ACM SAC 2015 Tutorial Proposal Page 5 of 5

Secure and Reliable Mobile Applications: Challenges and Approaches

Secure and Reliable Mobile Applications: Challenges and Approaches Secure and Reliable Mobile Applications: Challenges and Approaches A Tutorial Proposal for ACM SAC 2016 By Dr. Hossain Shahriar Department of Information Technology College of Computing and Software Engineering

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015

Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015 Improving Web Application Security by Eliminating CWEs Weijie Chen, China INFSY 6891 Software Assurance Professor Dr. Maurice Dawson 15 December 2015 1 P a g e ABSTRACT This study examined improving web

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661

Adobe ColdFusion. Secure Profile Web Application Penetration Test. July 31, 2014. Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Adobe ColdFusion Secure Profile Web Application Penetration Test July 31, 2014 Neohapsis 217 North Jefferson Street, Suite 200 Chicago, IL 60661 Chicago Dallas This document contains and constitutes the

More information

CS++: Expanding CS Curriculum via Open Cybersecurity Courseware

CS++: Expanding CS Curriculum via Open Cybersecurity Courseware CS++: Expanding CS Curriculum via Open Cybersecurity Courseware Ying Xie State University GA, yxie2@ken nesaw.edu Hossain Shahriar State University GA, hshahria@ke nnesaw.edu Jing (Selena) He State University

More information

Application Security Testing

Application Security Testing Tstsec - Version: 1 09 July 2016 Application Security Testing Application Security Testing Tstsec - Version: 1 4 days Course Description: We are living in a world of data and communication, in which the

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft Finding and Preventing Cross- Site Request Forgery Tom Gallagher Security Test Lead, Microsoft Agenda Quick reminder of how HTML forms work How cross-site request forgery (CSRF) attack works Obstacles

More information

Information Security for Modern Enterprises

Information Security for Modern Enterprises Information Security for Modern Enterprises Kamal Jyoti 1. Abstract Many enterprises are using Enterprise Content Management (ECM) systems, in order to manage sensitive information related to the organization.

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

IJMIE Volume 2, Issue 9 ISSN: 2249-0558

IJMIE Volume 2, Issue 9 ISSN: 2249-0558 Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance

More information

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India Volume 5, Issue 12, December 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Investigation

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Recommended Practice Case Study: Cross-Site Scripting. February 2007 Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

More information

Adobe Systems Incorporated

Adobe Systems Incorporated Adobe Connect 9.2 Page 1 of 8 Adobe Systems Incorporated Adobe Connect 9.2 Hosted Solution June 20 th 2014 Adobe Connect 9.2 Page 2 of 8 Table of Contents Engagement Overview... 3 About Connect 9.2...

More information

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM

BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software

More information

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1 CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1 Attacking Clients Vulnerabilities in browsers May result in session hijacking, unauthorized actions, and disclosure

More information

CS 558 Internet Systems and Technologies

CS 558 Internet Systems and Technologies CS 558 Internet Systems and Technologies Dimitris Deyannis deyannis@csd.uoc.gr 881 Heat seeking Honeypots: Design and Experience Abstract Compromised Web servers are used to perform many malicious activities.

More information

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting SECURITY ADVISORY December 2008 Barracuda Load Balancer admin login Cross-site Scripting Discovered in December 2008 by FortConsult s Security Research Team/Jan Skovgren WARNING NOT FOR DISCLOSURE BEFORE

More information

The Key to Secure Online Financial Transactions

The Key to Secure Online Financial Transactions Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on

More information

Managing Web Security in an Increasingly Challenging Threat Landscape

Managing Web Security in an Increasingly Challenging Threat Landscape Managing Web Security in an Increasingly Challenging Threat Landscape Cybercriminals have increasingly turned their attention to the web, which has become by far the predominant area of attack. Small wonder.

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business

Six Essential Elements of Web Application Security. Cost Effective Strategies for Defending Your Business 6 Six Essential Elements of Web Application Security Cost Effective Strategies for Defending Your Business An Introduction to Defending Your Business Against Today s Most Common Cyber Attacks When web

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Doyourwebsitebot defensesaddressthe changingthreat landscape?

Doyourwebsitebot defensesaddressthe changingthreat landscape? WHITEPAPER Doyourwebsitebot defensesaddressthe changingthreat landscape? Don tletbotsturnaminorincident intoamegasecuritybreach 1.866.423.0606 Executive Summary The website security threat landscape has

More information

OWASP Top 10 Effectiveness of Web Application Firewalls

OWASP Top 10 Effectiveness of Web Application Firewalls OWASP Top 10 Effectiveness of Web Application Firewalls David Caissy About Me David Caissy Web App Penetration Tester Java Application Architect IT Security Trainer: Developers Penetration Testers 2 My

More information

Introduction: 1. Daily 360 Website Scanning for Malware

Introduction: 1. Daily 360 Website Scanning for Malware Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover

More information

EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper

EXECUTIVE BRIEF. IT and Business Professionals Say Website Attacks are Persistent and Varied. In this Paper Sponsored by IT and Business Professionals Say Website Attacks are Persistent and Varied EXECUTIVE BRIEF In this Paper Thirty percent of IT and business professionals say their organization was attacked

More information

The risks borne by one are shared by all: web site compromises

The risks borne by one are shared by all: web site compromises The risks borne by one are shared by all: web site compromises Having your company web site hacked or compromised can be a costly experience for your organisation. There are immediate costs in responding

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001

ETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001 001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110

More information

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web Presented by: Mike Grima Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web 1 OWASP Top 10 OWASP Testing Framework (Testing Guide)

More information

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked. This sample report is published with prior consent of our client in view of the fact that the current release of this web application is three major releases ahead in its life cycle. Issues pointed out

More information

Streamlining Web and Email Security

Streamlining Web and Email Security How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor

More information

Network Security Testing using MMT: A case study in IDOLE project

Network Security Testing using MMT: A case study in IDOLE project Network Security Testing using MMT: A case study in IDOLE project Vinh Hoa LA PhD Student Prof. Ana CAVALLI Supevisor Telecom SudParis Institut Mines Telecom France IDOLE project IDOLE: 3-year French project

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July 2008. Contents

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July 2008. Contents Contents MWR InfoSecurity Security Advisory pfsense DHCP Script Injection Vulnerability 25 th July 2008 2008-07-25 Page 1 of 10 Contents Contents 1 Detailed Vulnerability Description... 5 1.1 Technical

More information

Web Server Security and Survey on Web Application Security

Web Server Security and Survey on Web Application Security _ Web Server Security and Survey on Web Application Security Shaikh Bushra Almin, Department of Information Technology, PIIT, New Panvel. University of Mumbai, India. skbushra78691@gmail.com Abstract A

More information

Web application testing

Web application testing CL-WTS Web application testing Classroom 2 days Testing plays a very important role in ensuring security and robustness of web applications. Various approaches from high level auditing through penetration

More information

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006

Introduction to Web Application Security. Microsoft CSO Roundtable Houston, TX. September 13 th, 2006 Introduction to Web Application Security Microsoft CSO Roundtable Houston, TX September 13 th, 2006 Overview Background What is Application Security and Why Is It Important? Examples Where Do We Go From

More information

A DYNAMIC TOOL FOR DETECTION OF XSS ATTACKS IN A REAL-TIME ENVIRONMENT

A DYNAMIC TOOL FOR DETECTION OF XSS ATTACKS IN A REAL-TIME ENVIRONMENT A DYNAMIC TOOL FOR DETECTION OF XSS ATTACKS IN A REAL-TIME ENVIRONMENT K. G. Maheswari 1 and R. Anita 2 1 Department of MCA, Institute of Road and Transport Technology, Anna University, Erode, Tamil Nadu,

More information

Hack Proof Your Webapps

Hack Proof Your Webapps Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University

More information

ITU-IMPACT Training and Skills Development Course Catalogue

ITU-IMPACT Training and Skills Development Course Catalogue ITU-IMPACT Training and Skills Development Course Catalogue Management Track Technical Track Course Area Management Incident Response Digital Forensics Network Application Law Enforcement Foundation Management

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities

Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protect Your IT Infrastructure from Zero-Day Attacks and New Vulnerabilities Protecting a business s IT infrastructure is complex. Take, for example, a retailer operating a standard multi-tier infrastructure

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Web application security: automated scanning versus manual penetration testing.

Web application security: automated scanning versus manual penetration testing. Web application security White paper January 2008 Web application security: automated scanning versus manual penetration testing. Danny Allan, strategic research analyst, IBM Software Group Page 2 Contents

More information

Hypervisor Security - A Major Concern

Hypervisor Security - A Major Concern International Journal of Information and Computation Technology. ISSN 0974-2239 Volume 3, Number 6 (2013), pp. 533-538 International Research Publications House http://www. irphouse.com /ijict.htm Hypervisor

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Enterprise-Grade Security from the Cloud

Enterprise-Grade Security from the Cloud Datasheet Website Security Enterprise-Grade Security from the Cloud Unmatched web application security experience, enhanced by real-time big data analytics, enables Incapsula to provide best-of-breed security

More information

Annex B - Content Management System (CMS) Qualifying Procedure

Annex B - Content Management System (CMS) Qualifying Procedure Page 1 DEPARTMENT OF Version: 1.5 Effective: December 18, 2014 Annex B - Content Management System (CMS) Qualifying Procedure This document is an annex to the Government Web Hosting Service (GWHS) Memorandum

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat

More information

Application Security Testing. Indian Computer Emergency Response Team (CERT-In)

Application Security Testing. Indian Computer Emergency Response Team (CERT-In) Application Security Testing Indian Computer Emergency Response Team (CERT-In) OWASP Top 10 Place to start for learning about application security risks. Periodically updated What is OWASP? Open Web Application

More information

Web Vulnerability Scanner by Using HTTP Method

Web Vulnerability Scanner by Using HTTP Method Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 9, September 2015,

More information

Ethical Hacking Penetrating Web 2.0 Security

Ethical Hacking Penetrating Web 2.0 Security Ethical Hacking Penetrating Web 2.0 Security Contact Sam Bowne Computer Networking and Information Technology City College San Francisco Email: sbowne@ccsf.edu Web: samsclass.info 2 Two Hacking Classes

More information

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7 Active Content Filtering Bypass Advisory

More information

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION V 2.0 A S L I T S e c u r i t y P v t L t d. Page 1 Overview: Learn the various attacks like sql injections, cross site scripting, command execution

More information

IBM Rational AppScan: Application security and risk management

IBM Rational AppScan: Application security and risk management IBM Software Security November 2011 IBM Rational AppScan: Application security and risk management Identify, prioritize, track and remediate critical security vulnerabilities and compliance demands 2 IBM

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Rational AppScan & Ounce Products

Rational AppScan & Ounce Products IBM Software Group Rational AppScan & Ounce Products Presenters Tony Sisson and Frank Sassano 2007 IBM Corporation IBM Software Group The Alarming Truth CheckFree warns 5 million customers after hack http://infosecurity.us/?p=5168

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

CMP3002 Advanced Web Technology

CMP3002 Advanced Web Technology CMP3002 Advanced Web Technology Assignment 1: Web Security Audit A web security audit on a proposed eshop website By Adam Wright Table of Contents Table of Contents... 2 Table of Tables... 2 Introduction...

More information

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Securing Your Web Application against security vulnerabilities Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group Agenda Security Landscape Vulnerability Analysis Automated Vulnerability

More information

10 Things Every Web Application Firewall Should Provide Share this ebook

10 Things Every Web Application Firewall Should Provide Share this ebook The Future of Web Security 10 Things Every Web Application Firewall Should Provide Contents THE FUTURE OF WEB SECURITY EBOOK SECTION 1: The Future of Web Security SECTION 2: Why Traditional Network Security

More information

Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security

Indexed Terms: attacks, challenges, cloud computing, countermeasures, hacker, security Reviewing the Security Challenges and their Countermeasures in Cloud Computing Kamayani Assistant Professor, PG Dept of Computer Science, BBK DAV College for Women, Amritsar Email id: kamayani_anand@yahoo.com

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

Web Application Security 101

Web Application Security 101 dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Penetration testing Introduction Evaluation scheme Security Analyses of web applications Internal Security

More information

State of Web Application Security

State of Web Application Security State of Web Application Security Executive Summary Sponsored by Cenzic & Barracuda Networks Independently conducted by Ponemon Institute LLC Publication Date: February 2011 Ponemon Institute Research

More information

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Web Application Attacks and Countermeasures: Case Studies from Financial Systems Web Application Attacks and Countermeasures: Case Studies from Financial Systems Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc Overview Information Security Briefing Web Applications

More information

Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST

Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Testing Web Application Scanner Tools Elizabeth Fong and Romain Gaucher NIST Verify Conference Washington, DC, October 30, 2007 Disclaimer: Any commercial product mentioned is for information only; it

More information

Defending against XSS,CSRF, and Clickjacking David Bishop

Defending against XSS,CSRF, and Clickjacking David Bishop Defending against XSS,CSRF, and Clickjacking David Bishop University of Tennessee Chattanooga ABSTRACT Whenever a person visits a website, they are running the risk of falling prey to multiple types of

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008

Detecting Web Application Vulnerabilities Using Open Source Means. OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Detecting Web Application Vulnerabilities Using Open Source Means OWASP 3rd Free / Libre / Open Source Software (FLOSS) Conference 27/5/2008 Kostas Papapanagiotou Committee Member OWASP Greek Chapter conpap@owasp.gr

More information

Cross Site Scripting Prevention

Cross Site Scripting Prevention Project Report CS 649 : Network Security Cross Site Scripting Prevention Under Guidance of Prof. Bernard Menezes Submitted By Neelamadhav (09305045) Raju Chinthala (09305056) Kiran Akipogu (09305074) Vijaya

More information

Web Vulnerability Assessment Report

Web Vulnerability Assessment Report Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage

More information

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS SEPTEMBER 2015 MAZIN AHMED MAZIN@MAZINAHMED.NET @MAZEN160 Table of Contents Topic Page Number Abstract 3 Introduction 3 Testing Environment 4 Products

More information

N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016

N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016 N4SECURE SERVICES TECHNICAL DESCRIPTION PUBLIC NODE4 LIMITED 25/04/2016 INTRODUCTION N4Secure is a Threat Intelligence managed service. By monitoring network traffic, server traffic, scanning for internal

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS

SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS SQL INJECTION MONITORING SECURITY VULNERABILITIES IN WEB APPLICATIONS Manas Kumar 1, S. Senthil kumar 2 and D. Sarvanan 3 1 M.C.A. (Final Year) Abstract Sql injection: a recently discovered application

More information

Pentests more than just using the proper tools

Pentests more than just using the proper tools Pentests more than just using the proper tools Agenda 1. Information Security @ TÜV Rheinland 2. Security testing 3. Penetration testing Introduction Evaluation scheme Security Analyses of web applications

More information

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference...

National Endowment for the Arts Evaluation Report. Table of Contents. Results of Evaluation... 1. Areas for Improvement... 2. Exit Conference... NEA OIG Report No. R-13-03 Table of Contents Results of Evaluation... 1 Areas for Improvement... 2 Area for Improvement 1: The agency should implement ongoing scanning to detect vulnerabilities... 2 Area

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

OWASP Top Ten Tools and Tactics

OWASP Top Ten Tools and Tactics OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

Web attacks and security: SQL injection and cross-site scripting (XSS)

Web attacks and security: SQL injection and cross-site scripting (XSS) Web attacks and security: SQL injection and cross-site scripting (XSS) License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike

More information

A Novel Frame Work to Detect Malicious Attacks in Web Applications

A Novel Frame Work to Detect Malicious Attacks in Web Applications Technology, Volume-2, Issue-1, January-March, 2014, pp. 23-28, IASTER 2014, www.iaster.com, Online:2347-5099, Print:2348-0009 A Novel Frame Work to Detect Malicious Attacks in Web Applications N. Jayakanthan

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall

More information

Password Hacking Done Easy

Password Hacking Done Easy November 2006 Password Hacking Done Easy Ofer Maor CTO Agenda Introduction to the Modern Password Hacking Client-Side Threats Password Theft Demo Real Hacking Stories Questions & Answers 2 of 26 About

More information

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS

More information