Open Source Apache <WAF> Web Application Firewall
|
|
- Lewis Houston
- 8 years ago
- Views:
Transcription
1 Open Source Apache <WAF> Web Application Firewall Ivan Bütler - E1 Compass Security AG ivan.buetler@csnc.ch Switzerland - Germany Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
2 E1 - Who am I ^ Ivan Bütler, Uznach ^ Speaker at Blackhat 2008 Las Vegas ^ Born ^ Founder of Compass Security AG ^ Founder of Swiss Cyber Storm II ^ Passionate Security Researcher ^ Husband of Cornelia and father of Tim and Nick (6 & 8) ^ Proud Swiss Citizen Seite 2
3 Compass Security AG - Team Seite 3
4 Compass Security - Overview.... Seite 4
5 Goals of this Talk Understanding the demand for a Web App Firewall Howto build an Open Source Apache Entry Server Understanding the Components Understanding Pros & Cons Understanding Pitfalls Seite 5
6 Attacking for Fun and Profit Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
7 Direct Attacks Where do you expect the attackers? BLOCKED PASSED BLOCKED Seite 7
8 Indirect Attacks (I) Man in the Middle Phishing Seite 8
9 Indirect Attacks (II) Malware Mobile Devices W-LAN Bypassing Perimeter Protection Seite 9
10 Level 1: Reverse Proxy Level 2: Web Application Firewall Level 3: Entry Server Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
11 Situations without a Reverse Proxy Direct Access to the Public Web Applications More firewall ports opened Applications directly accessible Seite 11
12 Reverse Proxy Setup Reverse Proxy Access to Public Web Applications Reverse Proxy Applications protected Seite 12
13 Reverse Proxy Setup Reverse Proxy Allow to hide different applications behind a single server Single point of entry WebSphere http Browser https Reverse Proxy http IIS Server Cert http WebLogic Seite 13
14 OWASP Top 10 (Q4 2007) A1 A2 A3 A4 A5 A6 A7 A8 A9 A10 Cross Site Scripting Injection Flaws (SQLi) Malicious File Execution (RFI) Insecure Direct Object Reference Cross Site Request Forgery Information Leakage Broken Auth & Session Management Insecure Cryptographic Storage Insecure Communications Failure to restrict URL Access Seite 14
15 Commercial Products? United Security Providers (USP) SES Phion/Visonys AirLock AdNovum Nevis Web IBM Tivoli Access Manager (a.k.a. WebSEAL) NetContinuum Application Security Gateway Cisco ACE Web Application Firewall Microsoft ISA Server... (this is not a complete list!) Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
16 Open Source Entry Server Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
17 Cooking Recipe Apache Core Web Server Apache Firewall Module mod_security Apache Content Rewriting Module mod_replace Visit Swiss Cyber Storm ( Apache Entry Server Module mod_but Visit Swiss Cyber Storm ( Apache Forensic Module Within Apache Core: mod_forensic & mod_unique_id Seite 17
18 Demo Setup Reverse Proxy Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
19 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 19
20 Reverse Proxy: SSL Termination Apache mod_ssl & mod_proxy SSLEngine On SSLProxyEngine On SSLCertificateFile SSLCertificateKeyFile SSLProtocol conf/server.crt conf/server.key +TLSv1 +SSLv3 -SSLv2 SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128- SHA:DES-CBC3-SHA:!SSLv2:!EXP SSLOptions +StdEnvVars +ExportCertData SSLSessionCache shm:ssl/ssl_scache(512000) SSLSessionCacheTimeout Seite 20
21 Reverse Proxy: SSL Termination Apache mod_ssl & mod_proxy ProxyPass /app1 ProxyPassReverse /app1 ProxyPass /app2 ProxyPassReverse /app2 Seite 21
22 Reverse Proxy: SSL Termination How do you deny weak browsers from your application? Hardenend Cipher Suite Within Application Hardening CipherSuite in httpd.conf SSLCipherSuite RC4-SHA:RC4-MD5:AES256-SHA:AES128- SHA:DES-CBC3-SHA:!SSLv2:!EXP I do not recommend hardened Cipher Suites! Error messages on SSL are not user friendly! Therefore.. I recommend application level checks using mod_headers Human friendly error message generated by the backend application when the browser does not fulfill the cipher strength RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e Evaluate the SSL_CIPHER within the application behind the proxy Seite 22
23 Reverse Proxy: SSL Termination RequestHeader append SSL_PROTOCOL "%{SSL_PROTOCOL}e RequestHeader append SSL_SESSION_ID "%{SSL_SESSION_ID}e RequestHeader append SSL_CIPHER "%{SSL_CIPHER}e RequestHeader append SSL_CIPHER_ALGKEYSIZE "%{SSL_CIPHER_ALGKEYSIZE}e RequestHeader append SSL_CIPHER_EXPORT "%{SSL_CIPHER_EXPORT}e RequestHeader append SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}e RequestHeader append SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}e" Seite 23
24 Reverse Proxy: Content Rewriting Problem Backend Application includes absolute href links Example: Backend Application secures the cookies Domain restrictions Path restrictions Expiration restrictions Backend Application other protocol than reverse proxy Fixup http to https links Absolute url s Redirections, Location headers (302 Temporary Moved) Why not using mod_rewrite? Because mod_rewrite does not allow to parse and search/replace the body of a http request or response Seite 24
25 Reverse Proxy: Content Rewriting Why not using mod_substitute? Within apache core since Perform search and replace operations on response bodies but does not have support for response headers, request headers or request bodies Therefore, I recommend mod_replace Request Header Replacement Request Body Replacement Response Header Replacement Response Body Replacement ReplaceFilterDefine myproxy1 CaseIgnore ReplacePattern myproxy1 "glocken.hacking-lab.com" " " ReplacePattern myproxy1 "https" "http" HeaderReplacePattern myproxy1 Location "glocken.hacking-lab.com" " " HeaderReplacePattern myproxy1 Location "https" "http" HeaderReplacePattern myproxy1 Set-Cookie "Secure" "" SetOutputFilter myproxy1 Seite 25
26 Demo Web Firewall mod_security Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
27 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 27
28 Reverse Proxy: Intrusion Detection Apache mod_security2 LoadModule security2_module modules/mod_security2.so Basic configuration options SecRuleEngine On SecRequestBodyAccess On SecResponseBodyAccess Off.... Include conf/modsecurity2/*.conf Configure SecDefaultAction SecDefaultAction "phase:2,log,deny,status:403,t:lowercase,t:replac enulls,t:compresswhitespace" Seite 28
29 Reverse Proxy: Forensic Logging Correlation across tier (Simplified illustration) Seite 29
30 Reverse Proxy: Forensic Logging Who generates the Request ID (alias Unique_ID)? Apache mod_unique_id Default Log Option in httpd.conf (without mod_unique_id) LogFormat "%h %l %u %t \"%r\" %>s %b" common Web Application Firewall Log Option (with mod_unique_id) LogFormat "%{forensic-id}n %h %l %u %t \"%r\" %>s %b" common ForensicLog logs/forensic.log Sending the Unique_ID as HTTP Request Header to Backend! RequestHeader append UNIQUE_ID "%{UNIQUE_ID}e" Seite 30
31 Reverse Proxy: Forensic Logging Unique ID in access.log SYq7yX8AAQEAAGOqIicAAAAA [05/Feb/2009:11:13: ] "GET /webapp/but/echorequest HTTP/1.1" Unique ID in forensic.log grep SYq7yX8AAQEAAGOqIicAAAAA forensic.log ========================================================================= +SYq7yX8AAQEAAGOqIicAAAAA GET /webapp/but/echorequest HTTP/1.1 Host: User-Agent:Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv%3a ) Gecko/ Firefox/ Accept:text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language:en-us,en;q=0.5 Accept- Encoding:gzip,deflate Accept-Charset:ISO ,utf-8;q=0.7,*;q=0.7 Keep- Alive:300 Connection:keepalive Cookie:MOD_BUT=wCUN+1DgcvG7qDM+KI+9YXveU+5bwygb Cache-Control:max-age=0 -SYq7yX8AAQEAAGOqIicAAAAA Seite 31
32 Demo Session Management mod_but Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
33 Reverse Proxy Small Feature List SSL Termination Content Rewriting Intrusion Detection & Prevention Forensic Logging Secure Session Management Pre-Authentication & Single-Sign On Service Authorization Seite 33
34 Reverse Proxy: Session Management Without a Session Store (Cookie Store) Reverse Proxy Applications protected Seite 34
35 Reverse Proxy: Session Management With Session Store (Session Hiding) Reverse Proxy Applications protected Seite 35
36 Reverse Proxy: Pre-Authentication Zones Public Zone: Login Server (anonymous access) Private Zone: E-Business Applications (authentication is required) FW FW Internet Entry Tier Authenticated requests only Application Not authenticated requests Login Service Seite 36
37 Reverse Proxy: Pre-Authentication Client MOD_BUT DLS (Delegated Login Service) LDAP Backend Application /application Redirect Login Page POST LOGIN DATA authenticate() get LOGIN DATA for Backend App Username/Password for Backend App LOGIN into Backend App Login ok LOGON=ok OK Seite 37
38 MOD_BUT Logon Cookie Messages from Login Server to MOD_BUT LOGON=ok MOD_BUT_USERNAME=<$user> MOD_BUT_AUTH_STRENGTH=0,1,2 MOD_BUT_SERVICE_LIST=regexp MOD_BUT_BACKEND_SESSION bname=a; bvalue=b; bclearance=c; Seite 38
39 Reverse Proxy: Service Authorization Service Authorization The user grants permission for certain, but not all URL s behind the Reverse Proxy Example User is authorized for /upload User is authorized for /admin User is not authorized for /enterpriseadmin Login Server sends a control cookie to the Reverse Proxy Set-Cookie: LOGON=ok Set-Cookie: MOD_BUT_USERNAME=$username Set-Cookie: MOD_BUT_SERVICE_LIST=(^/12001(.*)) Set-Cookie: MOD_BUT_AUTH_STRENGTH=0,1,2 Seite 39
40 Reverse Proxy: DLS DLS = Delegated Login Service Some applications have their own login component Outlook Web Access Wiki The DLS authenticates on behalf of the user Seite 40
41 MOD_BUT Features Session Store Pre-Authentication Step-Up Authentication (Authorization Level) Service Authorization Delegated Login Server Support Cookie Pass Through Seite 41
42 The Secure Document Exchange Solution Who uses mod_but? Seite 42
43 MOD_BUT TODO [ ] Rewrite SHM handling and data structures, eliminate SHM stuff from callers mod_but_cookiestore.c mod_but_session.c mod_but_shm.c Goals: increased performance, lower shared memory usage, more robust interfaces, thread-safety Seite 43
44 Some differences to Airlock? Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
45 Airlock URL Encryption URL-Encryption Effective against Forceful Browsing URLs and parameters are protected Hides Technology and Topology Works dynamically, no specific configuration necessary GET MCHJOIAODKJPNOPOEPOBJONBPFCFCNBOEIPICACIPNAKIIKLFMEIM EGBFGFGMIBDLEipe4PixkUbKsXFBnb6YodmYPJyK66k1Ochxjrr6+Zaziy20 FxB+Sz1hUm8OchL/IREKvKVzlNKSRuiig7sh7jwI4y2xFNltX98GQFYkGq7fb HtzBKtOCQtQ0AviT1pJlP1I+xG5baW/3zx/IuHD9dpJ4I0J92oN9wa5gcs8JXQ 7lkcG2HsV8EiPKbt7wFR2h HTTP/1.1 Seite 45
46 Airlock Smart Form Protection Smart Form Protection Cryptographic protection of HTML forms Only allowed input is accepted (Airlock remembers form fields ) Automatic protection of hidden and selection fields Seite 46
47 Load Balancing High Availability Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
48 Failover (London New York) Central Session Store (High Availability) Login Service London Backend Application London Entry Server London Central Session Store Entry Server New York Login Service New York Backend Application New York Seite 48
49 Entry Server & AJAX Security Implications Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
50 AJAX Request/Response New engine built-in newer browsers! Interactive GUI Asynchronous processing ; not every action needs to be started by pressing the submit button Asynchronous processing ; AJAX updates the browser window (content) Source: Wikipedia Seite 50
51 XMLHttpRequest (XHR) XmlHttpRequest is a browser API to perform background HTTP requests from JavaScript Invented by Microsoft in 2000 IE 5.0 / 6.0: COM/ActiveX object Microsoft.XmlHttp ActiveX must be enabled IE 7.0, Firefox, Opera, Safari and other browsers: Native JavaScript object XmlHttpRequest ActiveX not required Portable Seite 51
52 XMLHttpRequest (XHR) Seite 52
53 Data Exchange Formats Upstream Data Format Downstream Data Format Seite 53
54 Upstream Data Formats Possible data formats: GET parameters POST parameters XML SOAP Some server-side API is provided Often maps to server-side objects and their functions AJAX calls in this case are like remote method invocations Seite 54
55 Upstream: HTTP GET Parameters HTTP GET GET /dyn/req?call=foo&arg=bar HTTP/ Seite 55
56 Upstream: HTTP POST Parameters HTTP POST POST /dyn/req HTTP/1.1 Content-Type: application/x-www-form-urlencoded... call=foo&arg=bar Seite 56
57 Upstream: XML HTTP POST POST /dyn/req HTTP/1.1 Content-Type: text/xml... <?xml version="1.0" encoding="utf-8"?> <request connectionid="cxooiqm"> <call type="foo"> <argument name="bar">true</argument> </call> </request> Seite 57
58 Upstream: SOAP HTTP POST POST /dyn/req HTTP/1.1 Content-Type: application/soap-xml... <?xml version="1.0" encoding="utf-8"?> <Envelope xmlns=" /soap/envelope"> <Body>... </Body> </Envelope> Seite 58
59 Downstream: XML HTTP/ OK Content-Type: text/xml... <?xml version="1.0" encoding="utf-8"?> <response> <result type="login"> <status>false</status> <msg>username or password invalid.</msg> </result> </response> Seite 59
60 Downstream: JavaScript HTTP/ OK Content-Type: text/javascript... LibJs.user='nobody'; LibJs.groups=['member','nobody','wnc5Xh']; $L('kYP64i'). render([$e('h1',{classname: 'Compiled',attributes:{},children:[$T(LibJ s.compiler.fromascii('hello world!'))]... LibJs.Server. oncomplete(1664); Seite 60
61 Downstream: JSON HTTP/ OK Content-Type: text/x-json... {"menu": { "id": "file", "popup": { "menuitem": [ {"value": "New", "onclick": "NewDoc()"}, {"value": "Open", "onclick": "OpenDoc()"}, {"value": "Close", "onclick": "CloseDoc()"} ]}}} Seite 61
62 Downstream: Custom HTTP/ OK Content-Type: text/x-gwt... {OK}["53723","84268","78357","27843"] Seite 62
63 New: The Entry Server Problem What is a valid request? Look at JavaScript code and guess what it might call and what the parameters might be Infeasible! JavaScript way too dynamic! Filter patterns and AJAX How to detect HTML injection in XML? How to detect XSS in JavaScript/JSON? How to sign an AJAX response? Every AJAX application is very different No "standard" like HTML <form> Impossible without support from application! Seite 63
64 Appendix Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel Fax team@csnc.ch
65 Apache Compilation with mod_replace Copy Module into Filters Directory cp mod_replace.c./httpd /modules/filters Add the following line to./httpd /modules/filters/config.m4 APACHE_MODULE(replace, replace filter module,,, most) Change to $APACHE_SRC and to a autoconf cd./httpd / autoconf Check if the enable-replace is available cd./httpd /./configure -help grep replace Seite 65
66 Apache Compilation Compile Apache with mod_replace cd./httpd /./configure \ --prefix=/opt/applic/http \ --enable-so \ --enable-ssl \ --enable-proxy \ --enable-rewrite \ --enable-substitute \ --enable-replace \ --enable-headers \ --enable-unique-id \ --enable-log-forensic \ --enable-expire \ --enable-replace Seite 66
Hacking for Fun and Profit
Hacking for Fun and Profit W3Lc0me to Th3 Fu1ur How to break stuff How to trade How to hide Help! Page 1 Knowing the enemy Page 2 E1 - Who am I ^ Ivan Bütler, Uznach, 31.12.1970 ^ Speaker at Blackhat 2008
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationWhat is Web Security? Motivation
brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web
More informationi2b2: Security Baseline
i2b2: Security Baseline Contents Introduction... 3 CentOS Security Configuration... 4 SSL Configuration... 5 Database Configuration Files... 6 Revision History... 11 2 Introduction This document outlines
More informationImplementation of Web Application Firewall
Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationGlobalSign Enterprise Solutions Google Apps Authentication User Guide
GlobalSign Enterprise Solutions Google Apps Authentication User Guide Using EPKI for Google Apps for Business Single Sign-on and Secure Document Sharing v.1.1 1 Table of Contents Table of Contents... 2
More information1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications
1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won
More informationSophos UTM Web Application Firewall for Microsoft Exchange connectivity
How to configure Sophos UTM Web Application Firewall for Microsoft Exchange connectivity This article explains how to configure your Sophos UTM 9.2 to allow access to the relevant Microsoft Exchange services
More informationCentraSite SSO with Trusted Reverse Proxy
CentraSite SSO with Trusted Reverse Proxy Introduction Single-sign-on (SSO) via reverse proxy is the preferred SSO method for CentraSite. Due to its flexibility the reverse proxy approach allows to apply
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationSmart Card APDU Analysis
Smart Card APDU Analysis Black Hat Briefings 2008 Las Vegas Ivan "e1" Buetler ivan.buetler@csnc.ch Compass Security AG - Switzerland Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil
More informationWhere every interaction matters.
Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper
More informationSecurity Evaluation CLX.Sentinel
Security Evaluation CLX.Sentinel October 15th, 2009 Walter Sprenger walter.sprenger@csnc.ch Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel.+41 55-214 41 60 Fax+41 55-214 41
More informationIntroduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
More informationWeb Application Penetration Testing
Web Application Penetration Testing 2010 2010 AT&T Intellectual Property. All rights reserved. AT&T and the AT&T logo are trademarks of AT&T Intellectual Property. Will Bechtel William.Bechtel@att.com
More informationWeb Application Vulnerability Testing with Nessus
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationHardening of SAP HTTP- and Webservices
Hardening of SAP HTTP- and Webservices Sebastian Schinzel (Slides shamelessly stolen from by colleague Frederik Weidemann) Virtual Forge GmbH University of Mannheim Hardening of SAP HTTP- and Webservices
More informationHow to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering
How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration
More informationCookbook Secure Failover for Tomcat Application Server Use Apache, mod_proxy, mod_security, mod_ssl to offer secure application delivery
Cookbook Secure Failover for Tomcat Application Server Use Apache, mod_proxy, mod_security, mod_ssl to offer secure application delivery [vijay.sarvepalli@ericavijay.net] Vijay Sarvepalli Introduction
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More informationWHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats
WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top
More informationCSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities
CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications
More informationHow To Protect A Web Application From Attack From A Trusted Environment
Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls
More informationOracle9i Application Server: Options for Running Active Server Pages. An Oracle White Paper July 2001
Oracle9i Application Server: Options for Running Active Server Pages An Oracle White Paper July 2001 Oracle9i Application Server: Options for Running Active Server Pages PROBLEM SUMMARY...3 INTRODUCTION...3
More informationCheck list for web developers
Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation
More informationHP ALM. Software Version: 12.50. External Authentication Configuration Guide
HP ALM Software Version: 12.50 External Authentication Configuration Guide Document Release Date: December 2015 Software Release Date: December 2015 Legal Notices Warranty The only warranties for HP products
More informationHardening of SAP HTTP- and Webservices
Hardening of SAP HTTP- and Webservices Frederik Weidemann Nürnberg 20.10.2010 Virtual Forge GmbH frederik.weidemann (at) virtualforge.de Copyright The Foundation Permission is granted to copy, distribute
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More informationDEPLOYMENT GUIDE Version 1.0. Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server
DEPLOYMENT GUIDE Version 1.0 Deploying the BIG-IP LTM with Apache Tomcat and Apache HTTP Server Table of Contents Table of Contents Deploying the BIG-IP LTM with Tomcat application servers and Apache web
More informationTable of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3
Open-Xchange Authentication & Session Handling Table of Contents 1.Introduction...3 2.System overview/implementation...4 2.1.Overview... 4 2.1.1.Access to IMAP back end services...4 2.1.2.Basic Implementation
More informationDEPLOYMENT GUIDE Version 1.1. Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5
DEPLOYMENT GUIDE Version 1.1 Deploying the BIG-IP LTM v10 with Citrix Presentation Server 4.5 Table of Contents Table of Contents Deploying the BIG-IP system v10 with Citrix Presentation Server Prerequisites
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationDEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5
DEPLOYMENT GUIDE DEPLOYING THE BIG-IP LTM SYSTEM WITH CITRIX PRESENTATION SERVER 3.0 AND 4.5 Deploying F5 BIG-IP Local Traffic Manager with Citrix Presentation Server Welcome to the F5 BIG-IP Deployment
More informationWeb application security
Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0
More informationWeb applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh
Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP
More informationInternet Banking System Web Application Penetration Test Report
Internet Banking System Web Application Penetration Test Report Kiev - 2014 1. Executive Summary This report represents the results of the Bank (hereinafter the Client) Internet Banking Web Application
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationWhite Paper Secure Reverse Proxy Server and Web Application Firewall
White Paper Secure Reverse Proxy Server and Web Application Firewall 2 Contents 3 3 4 4 8 Losing control Online accessibility means vulnerability Regain control with a central access point Strategic security
More informationEQUELLA. Clustering Configuration Guide. Version 6.2
EQUELLA Clustering Configuration Guide Version 6.2 Document History Document No. Reviewed Finalised Published 1 18/03/2014 18/03/2014 18/03/2014 March 2014 edition. Information in this document may change
More informationThe course will be run on a Linux platform, but it is suitable for all UNIX based deployments.
Linux Apache Web Server Administration Course Description: The Linux Apache Web Server Administration course is aimed at technical staff who will be responsible for installing, configuring and maintaining
More informationInformation Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified
Standard: Data Security Standard (DSS) Requirement: 6.6 Date: February 2008 Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified Release date: 2008-04-15 General PCI
More informationClientless SSL VPN Users
Manage Passwords, page 1 Username and Password Requirements, page 3 Communicate Security Tips, page 3 Configure Remote Systems to Use Clientless SSL VPN Features, page 3 Manage Passwords Optionally, you
More informationWeb Security Testing Cookbook*
Web Security Testing Cookbook* Systematic Techniques to Find Problems Fast Paco Hope and Ben Walther O'REILLY' Beijing Cambridge Farnham Koln Sebastopol Tokyo Table of Contents Foreword Preface xiii xv
More informationTopics in Web Application Security BlackHat Seattle, 2003. 2002 by WhiteHat Security, Inc.
Topics in Web Application Security BlackHat Seattle, 2003 Introductions Jeremiah Grossman Founder and CEO, WhiteHat Security Bill Pennington Senior Engineer, WhiteHat Security Agenda Web Server Fingerprinting
More informationRequirements Collax Security Gateway Collax Business Server or Collax Platform Server including Collax SSL VPN module
Collax SSL VPN Howto This howto describes the easy configuration of a Collax server as SSL VPN gateway in order to enable external access to selected applications in the company network. Except for a common
More informationDIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access
DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access With IDENTIKEY Server / Axsguard IDENTIFIER Integration Guidelines Disclaimer Disclaimer of Warranties and Limitations
More informationDetecting and Exploiting XSS with Xenotix XSS Exploit Framework
Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.
More informationWindows Attack - Gain Enterprise Admin Privileges in 5 Minutes
Windows Attack - Gain Enterprise Admin Privileges in 5 Minutes Compass Security AG, Daniel Stirnimann Compass Security AG Glärnischstrasse 7 Postfach 1628 CH-8640 Rapperswil Tel +41 55-214 41 60 Fax +41
More informationThomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch
Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch What
More informationWeb Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006. The OWASP Foundation http://www.owasp.org/
Web Application Firewalls: When Are They Useful? OWASP AppSec Europe May 2006 Ivan Ristic Thinking Stone ivanr@webkreator.com +44 7766 508 210 Copyright 2006 - The OWASP Foundation Permission is granted
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationAgenda. How to configure
dlaw@esri.com Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context of ArcGIS Server/Portal for ArcGIS Access Authentication Authorization: securing web services
More informationAccess Gateway Guide Access Manager 4.0 SP1
Access Gateway Guide Access Manager 4.0 SP1 May 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS
More informationApache Server Implementation Guide
Apache Server Implementation Guide 340 March Road Suite 600 Kanata, Ontario, Canada K2K 2E4 Tel: +1-613-599-2441 Fax: +1-613-599-2442 International Voice: +1-613-599-2441 North America Toll Free: 1-800-307-7042
More informationUse FortiWeb to Publish Applications
Tech Brief Use FortiWeb to Publish Applications Replacing Microsoft TMG with a FortiWeb Web Application Firewall Version 0.2, 27 June 2014 FortiWeb Release 5.2.0 Introduction This document is intended
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young
ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationCyber Security Workshop Ethical Web Hacking
Cyber Security Workshop Ethical Web Hacking May 2015 Setting up WebGoat and Burp Suite Hacking Challenges in WebGoat Concepts in Web Technologies and Ethical Hacking 1 P a g e Downloading WebGoat and Burp
More informationOWASP Top Ten Tools and Tactics
OWASP Top Ten Tools and Tactics Russ McRee Copyright 2012 HolisticInfoSec.org SANSFIRE 2012 10 JULY Welcome Manager, Security Analytics for Microsoft Online Services Security & Compliance Writer (toolsmith),
More informationApplication Gateway with Apache
Application Gateway with Apache Multi-backend scenarios Nghia Nguyen SAP NetWeaver RIG Americas, SAP Labs, LLC Introduction Session Objectives and Requirements Use Cases and Scenarios Limitations Configuring
More informationWeb Application Firewall
Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks
More informationContemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited
Contemporary Web Application Attacks Ivan Pang Senior Consultant Edvance Limited Agenda How Web Application Attack impact to your business? What are the common attacks? What is Web Application Firewall
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationDesign and Implementation of Web Forward Proxy with
Design and Implementation of Web Forward Proxy with Shibboleth Authentication KOMURA Takaaki SANO Hiroaki Kyoto University Kyoto University Library DEMIZU Noritoshi OCTOPATH corporation MAKIMURA Ken OCTOPATH
More informationImplementing SSL Offload with JAGUAR Ver.1.0
JAG C TB SSL Offload v1.0 E Implementing SSL Offload with JAGUAR Ver.1.0 T e c h n i c a l B r i e f What is SSL Offload with JAGUAR 5000 Reverse Proxy? JAGUAR 5000 can change HTTP Web Server s service
More informationSetup Corporate (Microsoft Exchange) Email. This tutorial will walk you through the steps of setting up your corporate email account.
Setup Corporate (Microsoft Exchange) Email This tutorial will walk you through the steps of setting up your corporate email account. Microsoft Exchange Email Support Exchange Server Information You will
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More information3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management
What is an? s Ten Most Critical Web Application Security Vulnerabilities Anthony LAI, CISSP, CISA Chapter Leader (Hong Kong) anthonylai@owasp.org Open Web Application Security Project http://www.owasp.org
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationHP Cloud Service Automation Deployment Architectures
Technical white paper HP Cloud Service Automation Deployment Architectures Details of the content Table of contents Purpose... 2 Enterprise Deployment... 2 All-in-One CSA... 3 All-in-One CSA with remote
More informationConfiguring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy
Configuring Remote HANA System Connection for SAP Cloud for Analytics via Apache HTTP Server as Reverse Proxy Author: Gopal Baddela, Senior BI Architect Archius Copyright Archius 2016 1 Table of Contents
More information1. Introduction 2. Getting Started 3. Scenario 1 - Non-Replicated Cluster 4. Scenario 2 - Replicated Cluster 5. Conclusion
1. Introduction... 1 1.1. Non-Replicated Cluster... 1 1.2. Replicated Cluster... 2 1.3. Mixing Both Options... 3 2. Getting Started... 5 3. Scenario 1 - Non-Replicated Cluster... 6 3.1. JOSSO Agent Configuration...
More informationLecture 11 Web Application Security (part 1)
Lecture 11 Web Application Security (part 1) Computer and Network Security 4th of January 2016 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1)
More informationWeb Application Hacking (Penetration Testing) 5-day Hands-On Course
Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis
More informationTIBCO Spotfire Platform IT Brief
Platform IT Brief This IT brief outlines features of the system: Communication security, load balancing and failover, authentication options, and recommended practices for licenses and access. It primarily
More informationEthical Hacking as a Professional Penetration Testing Technique
Ethical Hacking as a Professional Penetration Testing Technique Rochester ISSA Chapter Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net 2 Background Founder of Durkee Consulting since 1996
More informationCollax Web Security. Howto. This howto describes the setup of a Web proxy server as Web content filter.
Collax Web Security Howto This howto describes the setup of a Web proxy server as Web content filter. Requirements Collax Business Server Collax Security Gateway Collax Platform Server including Collax
More informationHow to: Install an SSL certificate
How to: Install an SSL certificate Introduction This document will talk you through the process of installing an SSL certificate on your server. Once you have approved the request for your certificate
More informationIs Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security
Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not
More informationUse Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
More informationAuthentication Methods
Authentication Methods Overview In addition to the OU Campus-managed authentication system, OU Campus supports LDAP, CAS, and Shibboleth authentication methods. LDAP users can be configured through the
More informationSichere Software- Entwicklung für Java Entwickler
Sichere Software- Entwicklung für Java Entwickler Dominik Schadow Senior Consultant Trivadis GmbH 05/09/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART
More informationSophos Mobile Control SaaS startup guide. Product version: 6
Sophos Mobile Control SaaS startup guide Product version: 6 Document date: January 2016 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8
More informationHow-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X
How-to-Guide: Reverse Proxy and Load Balancing for SAP Mobile Platform 3.X Active Global Support North America Document History: Document Version Authored By Description 1.0 Kiran Kola Architect Engineer
More informationIntegrating Web Application Security into the IT Curriculum
Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University Topics 1. 2. 3. 4. Why should we teach web application security? What material do we need to cover?
More informationAstaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client
Astaro Security Gateway V8 Remote Access via SSL Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If you are not
More information2013 MONITORAPP Co., Ltd.
01 Cloud Computing Overview Intelligent Web Application Firewall For Cloud Infrastructure Introduction 2013 MONITORAPP Co., Ltd. 01 Cloud Computing Overview Cloud-based Web Firewall Overview The new form
More informationWeb Application Guidelines
Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security
More informationIJMIE Volume 2, Issue 9 ISSN: 2249-0558
Survey on Web Application Vulnerabilities Prevention Tools Student, Nilesh Khochare* Student,Satish Chalurkar* Professor, Dr.B.B.Meshram* Abstract There are many commercial software security assurance
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationWeb Intrusion Detection with ModSecurity. Ivan Ristic <ivanr@webkreator.com>
Web Intrusion Detection with ModSecurity Ivan Ristic Aim of This Talk Discuss the state of Web Intrusion Detection Introduce ModSecurity Introduce an open source web application
More informationJava Web Application Security
Java Web Application Security RJUG Nov 11, 2003 Durkee Consulting www.rd1.net 1 Ralph Durkee SANS Certified Mentor/Instructor SANS GIAC Network Security and Software Development Consulting Durkee Consulting
More informationDeploying F5 with Microsoft Active Directory Federation Services
F5 Deployment Guide Deploying F5 with Microsoft Active Directory Federation Services This F5 deployment guide provides detailed information on how to deploy Microsoft Active Directory Federation Services
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationApplication Security Best Practices. Wally LEE <wally.lee@scs.com.sg> Principal Consultant
Application Security Best Practices Wally LEE Principal Consultant 17/18 March 2009 Speaker Profile Wally LEE CISSP BS7799 Lead Auditor Certified Ultimate Hacking Instructor Certified
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More information