Web Application Security
- Isabel Watts
- 8 years ago
Web Application Security: Security Mitigations
Halito, 26 June 2014
Content

Content
Scope of this document
OWASP Top 10
  A1 - Injection
  A2 - Broken Authentication and Session Management
  A3 - Cross-Site Scripting (XSS)
  A4 - Insecure Direct Object References
  A5 - Security Misconfiguration
  A6 - Sensitive Data Exposure
  A7 - Missing Function Level Access Control
  A8 - Cross-Site Request Forgery (CSRF)
  A9 - Using Components with Known Vulnerabilities
  A10 - Unvalidated Redirects and Forwards
Other security mitigations
  Remote file include
  File upload
  Anti-automation / Mail Bombing
Scope of this document

Securing a web application is more than only securing the infrastructure; the application itself must also have security. If we take the metaphor of a house, the fence and the guard dog in the yard are infrastructure mitigations, but if we leave the front door of the house open then the overall security is not that good. We need to secure the house itself. This document describes the security that is contained in the application itself.

In security requirements or reviews the OWASP Top 10 is used as a guideline for good security. Of course these are the most frequent security leaks, but this doesn't cover everything. In this document we start by describing the mitigations taken to secure the risks listed in the OWASP Top 10. In the next section we describe other security mitigations taken to further secure Halito.
OWASP Top 10

A1 - Injection

Injection flaws occur when an application sends untrusted data to an interpreter. Injection flaws are very prevalent, particularly in legacy code. They are often found in SQL, LDAP, XPath or NoSQL queries, OS commands, XML parsers, SMTP headers, program arguments, etc. SQL injection flaws are introduced when software developers create dynamic database queries that include user-supplied input. This input can contain code fragments, changing the intent of the query.

LDAP, XPath and NoSQL queries and XML parsers are not used in Halito. The fix for SQL injection is query binding or prepared statements. All SQL statements use query binding throughout the whole web application, meaning the generated front-end site as well as the management console on the back-end. User input is only used as parameters in the queries.

Query binding or prepared statements prevent the query from revealing too much information, but malicious input can still be inserted into the database. So for each type of input field specific input validations are implemented to prevent or limit the storage of malicious user input. The input validations are described in detail in the XSS section.
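An added example (not Halito's code) of the A1 rule: the same lookup written with string concatenation and with query binding. It assumes a PDO connection to a MySQL database with a hypothetical table "registrations"; the DSN and credentials are placeholders.

```php
<?php
// Added example, not Halito's code. Shows the injectable form of a query next
// to the bound form the A1 section prescribes. Table "registrations", the DSN
// and the credentials are assumptions.

declare(strict_types=1);

// VULNERABLE: the user's value is pasted into the SQL text, so a value such as
//   ' OR '1'='1
// changes the intent of the query instead of being compared as data.
function findRegistrationUnsafe(PDO $db, string $email): array
{
    $sql = "SELECT id, name FROM registrations WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed and the value travels as a bound parameter, so it
// is never parsed as SQL whatever characters it contains.
// (CodeIgniter's equivalent is $this->db->query('... WHERE email = ?', [$email]).)
function findRegistrationSafe(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT id, name FROM registrations WHERE email = :email');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Binding is not validation: a bound value is still stored verbatim, which is
// why the per-field rules from the XSS section run before the query does.
// The 128-character limit below is an assumption for this example.
function isValidEmailField(string $value): bool
{
    return strlen($value) <= 128 && filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

$db = new PDO('mysql:host=localhost;dbname=halito;charset=utf8', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

$input = $_POST['email'] ?? '';
if (isValidEmailField($input)) {
    $rows = findRegistrationSafe($db, $input);
}
```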
A2 - Broken Authentication and Session Management

Account credentials and session tokens are often not properly protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.

Authentication

A registration form can be protected by a password. It is very important that the POST of this registration form is sent through HTTPS, otherwise the password is sent in clear text. The back-end site also uses the same login form. The login form does a POST request and autocomplete is off. The number of login attempts for one user is limited to 5 attempts. The password is verified by several validations: the password length and the password complexity. The password is hashed with the BCRYPT algorithm and stored in the database. The password reset mechanism works with a separate flow with unique time-based reset links.

Generation of the session token

At this moment Halito uses the standard session mechanism of PHP. The session ID is stored in a cookie and NOT as a URL parameter. The sessions are stored in files on the server. The generation and removal of the sessions will change in the future: Halito is changing its infrastructure and deployment to a more scalable, cloud-based environment, and the sessions will then be managed in a database. To achieve this a custom session handler will be written that generates its own random session IDs (which will be longer than the default PHP session tokens) and performs a custom clean-up of these sessions.

Logout mechanism

Each page contains a logout button. When this logout button is pressed, the session is cleaned and destroyed in 3 steps:
1. All session values are removed
2. The session ID cookie is removed
3. The session object is destroyed
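An added example (not Halito's code) of the A2 controls above: cookie-only sessions, bcrypt password storage, the 5-attempt login limit, the audit log entry per attempt and the three-step logout. The user table and attempt counter are PHP arrays standing in for the database; the sample user is constructed.

```php
<?php
// Added example, not Halito's code. $users and $attempts are constructed stand-ins
// for database tables; error_log() stands in for the audit-trail table.

declare(strict_types=1);

const MAX_LOGIN_ATTEMPTS = 5;

// Session hardening: the ID travels in a cookie only (never a URL parameter),
// the cookie is not readable by JavaScript, and it is HTTPS-only when the site
// runs on TLS (the A6 section's "secure cookie" measure).
function startHardenedSession(bool $httpsOnly): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params(0, '/', '', $httpsOnly, true);   // secure, httponly
    session_start();
}

// Stored passwords are bcrypt hashes, never the plain text.
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function auditLog(string $line): void
{
    error_log($line);   // stand-in for the database audit table
}

// Returns true on success. Every attempt is logged with timestamp and IP. After
// MAX_LOGIN_ATTEMPTS failures the user is refused even with the right password;
// the counter is reset only by a successful login.
function login(array $users, array &$attempts, string $user, string $plain, string $ip): bool
{
    $failures = $attempts[$user] ?? 0;
    auditLog(sprintf('%s login attempt user=%s ip=%s', date('c'), $user, $ip));
    if ($failures >= MAX_LOGIN_ATTEMPTS) {
        return false;
    }
    if (!isset($users[$user]) || !password_verify($plain, $users[$user])) {
        $attempts[$user] = $failures + 1;
        return false;
    }
    $attempts[$user] = 0;
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);   // fresh ID once authenticated
        $_SESSION['user'] = $user;
    }
    return true;
}

// Logout in the three steps the document lists.
function logout(): void
{
    $_SESSION = [];                                        // 1. remove all session values
    if (ini_get('session.use_cookies')) {                  // 2. remove the session ID cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                                     // 3. destroy the session object
}

// Constructed sample: one user, one wrong attempt, then the right password.
startHardenedSession(isset($_SERVER['HTTPS']));
$users    = ['organizer' => hashPassword('correct horse battery staple')];
$attempts = [];
var_dump(login($users, $attempts, 'organizer', 'wrong', '203.0.113.5'));
var_dump(login($users, $attempts, 'organizer', 'correct horse battery staple', '203.0.113.5'));
logout();
```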
Session time-out

If the user doesn't log out and closes his browser, the session will not be closed on the server. A mechanism is needed that removes sessions that have been inactive for a certain amount of time. Halito uses the Debian cron job to automatically clean up the sessions. If a session is inactive for 24 minutes it is marked to be removed.

Audit trail

Each login attempt is logged. We log each attempt and each password request or password reset with a timestamp and IP address. The logs are stored in a database and backups are always available.

A3 - Cross-Site Scripting (XSS)

XSS (cross-site scripting) flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites or redirect the user to malicious sites.

Halito creates a dynamic event website and the organizer can add various types of fields. For each type of field input validation is implemented. The table below describes these validations (field types are the Dutch names used in Halito, with an English gloss):

Type: Validation rules
Tekstveld (text field): Maximum input length of 255 characters. Delimiter must be excluded. White- and blacklist characters (use OWASP ESAPI Validation framework).
Tekstveld1 (textarea): Maximum input length of the size (number of characters) of a small paragraph; the development team will determine the exact size. Delimiter must be excluded. White- and blacklist characters (use OWASP ESAPI Validation framework).
Keuzelijst (drop-down list): Field types that use restricted values send option IDs to the application back-end; the real selected value is not sent. Validate that the received option ID exists for this specific registration form: the incoming value is compared only with the options registered for that specific form of this event. If the received option ID is not found for this form in this event, the input is ignored.
Radioknoppen (radio buttons): See validation rules of Keuzelijst.
Aanvinkvakje (checkbox): See validation rules of Keuzelijst.
Aantal (keuzelijst met numerieke waardes; quantity, drop-down list with numeric values): See validation rules of Keuzelijst.
Geslacht (gender): See validation rules of Keuzelijst.
Land (country): See validation rules of Keuzelijst.
Inschrijving mailen (mail the registration): See validation rules of Keuzelijst.
Weergeven in gastenlijst (show in guest list): See validation rules of Keuzelijst.
Numeriek veld (numeric field): Only allowing 0-9. Maximum input length is 10 digits. Delimiter must be excluded.
E-mail: Regular expression which validates the pattern. Maximum input length is 128 characters.
Datum (date): The date is selected by a calendar picker. When the application back-end receives a date, it is immediately converted to a date type. If the input isn't a correct date, a validation error is thrown.
Geboortedatum (date of birth): See Datum validation rules. Can't be in the future.
Telefoon (telephone): These are 3 separate numeric fields. Also standard telephone number validations are checked.
Tijdsveld (uu:mm) (time field, hh:mm): This field consists of 2 drop-down boxes. The hour drop-down only accepts numeric values between 00 and 23; the minute drop-down only accepts numeric values between 00 and 59.
Bestand (file): See separate item on File upload.
Aanvullende tekst zonder invulveld (label) (additional text without input field): See Tekstveld validation rules.
Registratie code (registration code): Registration codes are generated by the application back-end. The registration code is checked for this user in this event. All other values result in a validation error or are ignored.

Data on HTML pages that is retrieved from the database is output-encoded using the ESAPI library. To prevent encoding problems in XSS prevention, Halito explicitly lists the encoding of the web pages, so the browser doesn't have to auto-detect it. The encoding UTF-8 is set in the HTTP header as well as in the HTML page.

A4 - Insecure Direct Object References

A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without authorization.
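For the A3 field validations and output encoding listed above, an added example that is not Halito's code: whitelist validation for a Numeriek veld, a Keuzelijst option ID, a Tijdsveld and a Geboortedatum, plus HTML output encoding with an explicit UTF-8 charset. The ESAPI validators and encoder are replaced by plain PCRE and htmlspecialchars; the option table is constructed.

```php
<?php
// Added example, not Halito's code. ESAPI is replaced by regex + htmlspecialchars;
// $registered (event -> form -> option IDs) is constructed sample data.

declare(strict_types=1);

// Numeriek veld: digits only, at most 10 of them, nothing else (null = rejected).
function validateNumeric(string $raw): ?string
{
    return preg_match('/^[0-9]{1,10}$/', $raw) === 1 ? $raw : null;
}

// Keuzelijst / Radioknoppen / Aanvinkvakje: the browser sends an option ID, never
// the text. Accept it only if it is registered for this form of this event;
// anything else is ignored, which also rejects IDs belonging to another event.
function validateOptionId(array $registered, int $eventId, int $formId, string $raw): ?int
{
    if (preg_match('/^[0-9]{1,10}$/', $raw) !== 1) {
        return null;
    }
    $id = (int) $raw;
    return in_array($id, $registered[$eventId][$formId] ?? [], true) ? $id : null;
}

// Tijdsveld (uu:mm): two drop-downs, hour 00-23 and minute 00-59.
function validateTime(string $hour, string $minute): ?string
{
    if (preg_match('/^[0-9]{2}$/', $hour) !== 1 || preg_match('/^[0-9]{2}$/', $minute) !== 1) {
        return null;
    }
    return ((int) $hour > 23 || (int) $minute > 59) ? null : "$hour:$minute";
}

// Geboortedatum: converted to a real date immediately; must be valid and not in
// the future. The round-trip format check rejects dates such as 2014-02-30.
function validateBirthDate(string $raw, DateTimeImmutable $today): ?DateTimeImmutable
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    if ($d === false || $d->format('Y-m-d') !== $raw || $d > $today) {
        return null;
    }
    return $d;
}

// Output side: every stored value is encoded for the HTML context, and the
// charset is declared in the HTTP header and in the page itself.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderField(string $label, string $storedValue): string
{
    if (!headers_sent()) {
        header('Content-Type: text/html; charset=UTF-8');
    }
    return '<meta charset="UTF-8">' . "\n"
        . '<p>' . encodeForHtml($label) . ': ' . encodeForHtml($storedValue) . '</p>';
}

// Constructed sample: event 7 has form 3 with options 11, 12 and 13.
$registered = [7 => [3 => [11, 12, 13]]];
var_dump(validateOptionId($registered, 7, 3, '12'));          // registered for this form
var_dump(validateOptionId($registered, 7, 3, '99'));          // not registered: ignored
var_dump(validateOptionId($registered, 7, 3, '12 OR 1=1'));   // not an ID at all
var_dump(validateTime('23', '59'), validateTime('24', '00'));
var_dump(validateBirthDate('2014-02-30', new DateTimeImmutable('2014-06-26')));
echo renderField('Naam', '<script>alert(1)</script>'), "\n";
```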
Halito uses the OWASP ESAPI RandomAccessReferenceMap to hide internal implementations. It is used for redirect URLs, but also in e-mails containing links to the event site.

A5 - Security Misconfiguration

Security misconfiguration can happen at any level of an application stack, including the platform, web server, application server, framework, and custom code. Developers and network administrators need to work together to ensure that the entire stack is configured properly.

Most security misconfiguration is infrastructure-based: is all software up to date, are all patches installed, are default accounts and passwords removed, etc. For the web application itself the biggest issue is information leaking, mostly through error messages. For example, SQL error messages can be good indicators for finding out whether the web application is vulnerable to SQL injection. It is important not to show errors to the user. So the SQL error is written to a log file, but the user is redirected to a general error page that does not reveal any SQL error. Error conditions are handled in the code to avoid that the platform handles them and exposes the technology stack. All unexpected or severe application errors result in a redirect to a general error page to ensure that no specific information is leaked.

A6 - Sensitive Data Exposure

In most cases Halito will not handle sensitive data like credit card numbers, health records and large amounts of personal information. Of course it all depends on how the event organizer designs his site. This issue is mostly about weak key generation and management and weak algorithms. SSL protects data in transit, meaning that data is encrypted when it is sent from the user to the back-end server. SSL isn't standard in Halito, but SSL is always strongly recommended to clients. By using SSL no data is transmitted in clear text over the internet.
Extra countermeasures can also be taken, like securing the cookie so that it is only sent over an encrypted connection. The event site has a login page with a password. This password is hashed; the mechanism is described in item A2 Broken Authentication and Session Management.
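An added example (not Halito's code) of the A5 error-handling rule described above: the full error goes to a log file, the user only ever sees the general error page. The log path and the error page URL are placeholders.

```php
<?php
// Added example, not Halito's code. Routes every uncaught exception, PHP
// warning/notice and fatal error through one function that logs the detail and
// redirects to the general error page. Paths and URL are placeholders.

declare(strict_types=1);

const ERROR_LOG_FILE    = '/var/log/halito/app.log';   // placeholder path
const GENERAL_ERROR_URL = '/error';                     // placeholder URL

// Nothing from the platform reaches the browser: no stack traces, no SQL text.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG_FILE);
error_reporting(E_ALL);

function logAndRedirect(Throwable $e): void
{
    // Class, message and file:line go to the log only (a PDOException message
    // carries the SQL error text, which is exactly what must not be shown).
    error_log(sprintf('[%s] %s: %s at %s:%d', date('c'), get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        header('Location: ' . GENERAL_ERROR_URL, true, 302);
    }
    exit;
}

// Uncaught exceptions, including PDOException from the database layer.
set_exception_handler('logAndRedirect');

// Warnings and notices become exceptions so the same path handles them.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Fatal errors bypass both handlers; catch them at shutdown so that the
// platform's own error page (with the technology stack) is never displayed.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null && in_array($err['type'], [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        logAndRedirect(new ErrorException($err['message'], 0, $err['type'], $err['file'], $err['line']));
    }
});
```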
A7 - Missing Function Level Access Control

Applications do not always protect application functions properly. Sometimes function level protection is managed via configuration, and the system is misconfigured. Sometimes developers must include the proper code checks, and they forget.

In the generated event site there is no function level access control implemented, because there isn't any data that needs specific permissions. In the management console that creates and administers the event site, there are 4 types of roles:
- Low: Administrators for a specific project
- Normal: Administrators for a specific project, who can create other administrators for that specific project
- Agency: Administrators for a specific company that can create new projects
- High: Halito administrators

A8 - Cross-Site Request Forgery (CSRF)

A CSRF (cross-site request forgery) attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests that the vulnerable application thinks are legitimate requests from the victim.

Several measures are taken to mitigate this risk; not every one of them fully blocks CSRF attacks, but they make them more difficult:
- All Halito forms use POST actions.
- The session time-out is set to 30 minutes to limit the window of opportunity.
- An anti-CSRF token is used, created by the ESAPI library.
- The HTTP Referer can be helpful to mitigate CSRF, but it's not a full solution because the referrer can easily be spoofed. The HTTP Referer is checked to see that no one is linking to our forms. All unusual HTTP referrers are logged in the database.
- CAPTCHA is also a countermeasure for CSRF, but it's not user-friendly to include a CAPTCHA on each form. The registration form, which is open to the internet, can be configured with a CAPTCHA.
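An added example (not Halito's code) of the A8 measures above: POST-only form handling, a per-session anti-CSRF token compared in constant time, and a Referer check whose unusual values are logged rather than trusted. ESAPI's token generator is replaced by random_bytes; the site host name and the log destination are placeholders, and treating an absent Referer as acceptable is an assumption of this example.

```php
<?php
// Added example, not Halito's code. random_bytes() stands in for the ESAPI
// token; error_log() stands in for the database log of unusual referrers.

declare(strict_types=1);

// One token per session; it lives as long as the session (bounded by the
// 30-minute time-out) and is invalidated by the logout that clears the session.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to include in every form.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Accept a submission only if it is a POST carrying the session's token.
// hash_equals() keeps the comparison time independent of where strings differ.
function csrfCheck(string $method, array $post): bool
{
    if ($method !== 'POST' || empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Referer is a secondary signal only: it can be spoofed or stripped, so an
// unexpected value is logged, not used as the sole decision. An absent header
// is accepted here (assumption: many browsers and proxies drop it).
function refererIsOurs(?string $referer, string $siteHost): bool
{
    if ($referer === null || $referer === '') {
        return true;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

function handleForm(string $siteHost): string
{
    if (!csrfCheck($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST)) {
        return 'rejected: missing or wrong anti-CSRF token';
    }
    $ref = $_SERVER['HTTP_REFERER'] ?? null;
    if (!refererIsOurs($ref, $siteHost)) {
        error_log(sprintf('unusual referer "%s" for %s from %s', $ref,
            $_SERVER['REQUEST_URI'] ?? '?', $_SERVER['REMOTE_ADDR'] ?? '?'));
    }
    return 'accepted';
}

session_start();
echo csrfField(), "\n";
echo handleForm('events.example'), "\n";   // placeholder host name
```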
A9 - Using Components with Known Vulnerabilities

Virtually every application has these issues because most development teams don't focus on ensuring their components/libraries are up to date. In many cases the developers don't even know all the components they are using, never mind their versions. Component dependencies make things even worse.

Halito uses the following software (the version numbers are missing from the transcription): PHP, Apache HTTP Server, MySQL, CodeIgniter, phpMyAdmin, OpenSSL. These versions don't have any vulnerabilities listed on the CVE Details site. This site takes its CVE vulnerability data from the following places:
- National Vulnerability Database (NVD) XML feeds provided by the National Institute of Standards and Technology
- Exploits from [source missing in the transcription]
- Vendor statements and additional vendor-supplied data
- Metasploit modules

Every month the development team checks the CVE Details site to see if the software used is still secure. CVE Details can search on a Vendor, Product and Version combination. By using Vendor, Product and Version (like for example 5%) a detailed list for that exact software version can be acquired. Because Halito uses continuous and agile development, the team releases a new version to production on a very regular basis (say every 3 weeks). Updates and patches of software libraries therefore go to production much faster.

A10 - Unvalidated Redirects and Forwards

Applications frequently redirect users to other pages, or use internal forwards in a similar manner. Sometimes the target page is specified in an unvalidated parameter, allowing attackers to choose the destination page.
Redirects and forwards are not used much in Halito, only for the login page and for uploading documents. If the redirect URL is added to the request parameters, there are 2 ways to secure the redirect: indirect mapping and whitelisting all the possible redirect URLs. With whitelisting, if a redirect URL is not in the whitelist on the back-end, the URL has been tampered with and Halito should go to the general error page. With indirect mapping, the request parameter is not shown as a URL but as a random string, so the attacker does not know what the value of the request parameter means; the random string is mapped in the back-end to the correct redirect URL, without exposing the mapping to the attacker. Both the login page and the document upload implement indirect mapping.
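An added example (not Halito's code) serving both A4 and A10: a minimal session-scoped indirect reference map in the spirit of ESAPI's RandomAccessReferenceMap, combined with the redirect whitelist, so a "next" parameter carries only an opaque token and the resolved target must still be on the list. The URLs in the whitelist and the error page are placeholders.

```php
<?php
// Added example, not Halito's code. A small indirect reference map kept in the
// session (ESAPI's RandomAccessReferenceMap is not used here) plus the A10
// whitelist. REDIRECT_WHITELIST and '/error' are placeholder URLs.

declare(strict_types=1);

// Only these targets may ever be redirected to, whatever the request says.
const REDIRECT_WHITELIST = ['/login', '/upload/documents', '/event/home'];

// Maps an opaque random token to an internal value (redirect URL, file name,
// record ID). The map lives in the session, so one user's token is meaningless
// to another user and cannot be enumerated like a sequential ID.
function indirectRef(string $direct): string
{
    if (!isset($_SESSION['refmap'])) {
        $_SESSION['refmap'] = [];
    }
    $existing = array_search($direct, $_SESSION['refmap'], true);
    if ($existing !== false) {
        return $existing;                 // same object, same token within a session
    }
    $token = bin2hex(random_bytes(8));    // 16 hex characters from the CSPRNG
    $_SESSION['refmap'][$token] = $direct;
    return $token;
}

function directRef(string $token): ?string
{
    return $_SESSION['refmap'][$token] ?? null;
}

// A10: the parameter carries a token, never a URL. An unknown token, or a
// target that is not on the whitelist, means tampering: general error page.
function resolveRedirect(string $token): string
{
    $target = directRef($token);
    if ($target === null || !in_array($target, REDIRECT_WHITELIST, true)) {
        return '/error';
    }
    return $target;
}

// Constructed demonstration: build the link, then resolve a real and a fake token.
session_start();
$token = indirectRef('/upload/documents');
echo '<a href="/login?next=' . $token . '">login</a>', "\n";
echo resolveRedirect($token), "\n";
echo resolveRedirect('0000000000000000'), "\n";   // guessed token: error page
echo resolveRedirect(indirectRef('//evil.example')), "\n";   // mapped but not whitelisted
```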
Other security mitigations

Remote file include

Remote file inclusion is about trying to execute malicious code on the server. The development platforms use externally referenced code, usually by URL, and the developer uses the code directly from a file. If the input of the user is used to construct the name of that file, it's a problem. Halito doesn't use include statements with user input. The following checklist is regularly checked during code reviews:
- Disable allow_url_fopen and allow_url_include in php.ini and consider building PHP locally without this functionality.
- Disable register_globals and use E_STRICT to find uninitialized variables.
- Ensure that all file and stream functions (stream_*) are carefully vetted.
- Ensure that user input is not supplied to any function which takes a filename argument, including: include(), include_once(), require(), require_once(), fopen(), imagecreatefromxxx(), file(), file_get_contents(), copy(), delete(), unlink(), upload_tmp_dir(), $_FILES, move_uploaded_file().
- Be extremely cautious if data is passed to system(), eval(), passthru() or ` (the backtick operator).

File upload

The event organizer can create an input field that uploads a file. File upload can be a serious risk to the application, certainly because the uploaded files are accessible through the front-end application. The file upload option is disabled by default; it is only made accessible on demand of the event organizer, to restrict usage of this option. This lowers the risk. But if file upload is needed, extra steps are taken to make file upload safer:
- File extensions are whitelisted in the application code.
- There is a minimum file size of 5 kB, because very small files can lead to denial of service attacks.
- There is a maximum file size of 4 MB.
- The content type of the file (MIME type) is checked.
- The file name length is limited to 128 characters.
- The upload directory has a .htaccess file that redirects to a secure page.
- The upload directory is monitored by a virus scanner to ensure no virus or malware is uploaded.
- For each uploaded file, the given file name is saved and sanitized so it can be displayed to the user if he wants to see his file uploads.
- On the application side an indirect reference is used in the URL, so the file name isn't exposed to the user. Internally the indirect reference is mapped to the file name. OWASP ESAPI has a RandomAccessReferenceMap that is used in these cases.
- Optional step: rename the uploaded file.

Anti-automation / Mail Bombing

Websites are made to be used by humans manually. When a computer program starts to run automated tests this might lead to scenarios that harm the application, or these automated tests are used to brute-force passwords, for example. The registration form is the most vulnerable to this kind of attack, because it is easy to access through the internet. By default a CAPTCHA is set on this form. If the event organizer has a big problem with the CAPTCHA it can be turned off, but not without a disclaimer. Rate limiting is enforced by a Zion Security web application firewall.

Clickjacking and FrameBusting

An attacker loads a transparent iframe over the target site, so that the user presses the malicious buttons instead of the real ones. An attacker can steal a user's authentication credentials and access their resources. Halito doesn't use iframes, so there is no issue.
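An added example (not Halito's code) for the Remote file include checklist and the File upload rules above: a start-up check of the php.ini settings the checklist names, and the upload validations (extension whitelist, 5 kB to 4 MB size window, content-based MIME type, 128-character name limit) with the optional rename to a random name that doubles as the indirect reference. The upload directory, the extension and MIME whitelists are placeholders.

```php
<?php
// Added example, not Halito's code. UPLOAD_DIR, ALLOWED_EXT and ALLOWED_MIME are
// placeholders; the sizes and name limit are the ones the document states.

declare(strict_types=1);

const UPLOAD_DIR      = '/var/www/halito-uploads';   // placeholder, outside the web root
const ALLOWED_EXT     = ['pdf', 'jpg', 'png'];        // placeholder whitelist
const ALLOWED_MIME    = ['application/pdf', 'image/jpeg', 'image/png'];
const MIN_SIZE        = 5 * 1024;          // 5 kB
const MAX_SIZE        = 4 * 1024 * 1024;   // 4 MB
const MAX_NAME_LENGTH = 128;

// Remote file include checklist: report php.ini settings that are still on.
// (register_globals no longer exists in current PHP; ini_get() then returns
// false, which counts as "off".)
function checkIniHardening(): array
{
    $problems = [];
    foreach (['allow_url_fopen', 'allow_url_include', 'register_globals'] as $key) {
        if (filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN)) {
            $problems[] = "$key must be Off";
        }
    }
    if ((error_reporting() & E_STRICT) === 0) {
        $problems[] = 'E_STRICT should be enabled to find uninitialized variables';
    }
    return $problems;
}

// Validates one $_FILES entry; returns the list of violations (empty = accepted).
function validateUpload(array $file): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['upload failed'];
    }
    $errors = [];
    $name = (string) $file['name'];
    if (strlen($name) > MAX_NAME_LENGTH) {
        $errors[] = 'file name longer than 128 characters';
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        $errors[] = 'extension not whitelisted';
    }
    $size = (int) $file['size'];
    if ($size < MIN_SIZE || $size > MAX_SIZE) {
        $errors[] = 'size outside 5 kB - 4 MB';
    }
    // MIME type taken from the file content, not from the client-supplied 'type'.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_MIME, true)) {
        $errors[] = 'content type not allowed';
    }
    return $errors;
}

// Stores an accepted file under a random name (the optional rename step). That
// random name is also the indirect reference used in URLs; the application keeps
// the reference -> path mapping internally and shows only the sanitized name.
function storeUpload(array $file): array
{
    $errors = validateUpload($file);
    if ($errors !== []) {
        return ['errors' => $errors];
    }
    $ext    = strtolower(pathinfo((string) $file['name'], PATHINFO_EXTENSION));
    $ref    = bin2hex(random_bytes(16));
    $stored = UPLOAD_DIR . '/' . $ref . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $stored)) {
        return ['errors' => ['could not store file']];
    }
    $display = htmlspecialchars(basename((string) $file['name']), ENT_QUOTES, 'UTF-8');
    return ['errors' => [], 'reference' => $ref, 'display_name' => $display, 'path' => $stored];
}

foreach (checkIniHardening() as $problem) {
    error_log('php.ini: ' . $problem);
}
if (isset($_FILES['bestand'])) {          // 'bestand' is an assumed field name
    var_dump(storeUpload($_FILES['bestand']));
}
```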
The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information
More informationKentico CMS security facts
Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the
More informationApplication Security Testing. Generic Test Strategy
Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection 2
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation
More information(WAPT) Web Application Penetration Testing
(WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:
More informationIntrusion detection for web applications
Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities
More informationSecure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda
Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current
More informationTesting the OWASP Top 10 Security Issues
Testing the OWASP Top 10 Security Issues Andy Tinkham & Zach Bergman, Magenic Technologies Contact Us 1600 Utica Avenue South, Suite 800 St. Louis Park, MN 55416 1 (877)-277-1044 info@magenic.com Who Are
More informationCracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference
Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance
More informationStatistics Whitepaper
White paper Statistics Whitepaper Web Application Vulnerability Statistics 2010-2011 Alex Hopkins whitepapers@contextis.com February 2012 Context Information Security 30 Marsh Wall, London, E14 9TP +44
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationREDCap General Security Overview
REDCap General Security Overview Introduction REDCap is a web application for building and managing online surveys and databases, and thus proper security practices must instituted on the network and server(s)
More informationTECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS
TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS Technical audits in accordance with Regulation 211/2011 of the European Union and according to Executional Regulation 1179/2011 of the
More informationFINAL DoIT 04.01.2013- v.8 APPLICATION SECURITY PROCEDURE
Purpose: This procedure identifies what is required to ensure the development of a secure application. Procedure: The five basic areas covered by this document include: Standards for Privacy and Security
More informationWith so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up.
1 2 Why do we care about web application security? With so many web applications, universities have a huge attack surface often without the IT security budgets or influence to back it up. We constantly
More informationSecure Programming Lecture 12: Web Application Security III
Secure Programming Lecture 12: Web Application Security III David Aspinall 6th March 2014 Outline Overview Recent failures More on authorization Redirects Sensitive data Cross-site Request Forgery (CSRF)
More informationAttack Vector Detail Report Atlassian
Attack Vector Detail Report Atlassian Report As Of Tuesday, March 24, 2015 Prepared By Report Description Notes cdavies@atlassian.com The Attack Vector Details report provides details of vulnerability
More informationA Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More informationFortiWeb Web Application Firewall. Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE
FortiWeb Web Application Firewall Ensuring Compliance for PCI DSS requirement 6.6 SOLUTION GUIDE Overview Web applications and the elements surrounding them have not only become a key part of every company
More informationQuality Assurance version 1
Quality Assurance version 1 Introduction Quality assurance (QA) is a standardised method that ensures that everything works as it was intended to work and looks as it was intended to look. It should force
More informationSecure development and the SDLC. Presented By Jerry Hoff @jerryhoff
Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non
More informationCloud Security:Threats & Mitgations
Cloud Security:Threats & Mitgations Vineet Mago Naresh Khalasi Vayana 1 What are we gonna talk about? What we need to know to get started Its your responsibility Threats and Remediations: Hacker v/s Developer
More informationOWASP Application Security Building and Breaking Applications
OWASP Application Security Building and Breaking Applications Rochester OWASP Chapter - Durkee Consulting, Inc. info@rd1.net Who's? Principal Security Consultant Durkee Consulting Inc. Founder of Rochester
More informationCreating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationWeb Application Attacks And WAF Evasion
Web Application Attacks And WAF Evasion Ahmed ALaa (EG-CERT) 19 March 2013 What Are We Going To Talk About? - introduction to web attacks - OWASP organization - OWASP frameworks - Crawling & info. gathering
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationTop 10 Web Application Security Vulnerabilities - with focus on PHP
Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual 1 Resources The Top 10 Project by OWASP www.owasp.org/index.php/owasp_top_ten_project
More informationHacking de aplicaciones Web
HACKING SCHOOL Hacking de aplicaciones Web Gabriel Maciá Fernández Fundamentos de la web CLIENTE SERVIDOR BROWSER HTTP WEB SERVER DATOS PRIVADOS BASE DE DATOS 1 Interacción con servidores web URLs http://gmacia:pass@www.ugr.es:80/descarga.php?file=prueba.txt
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationWeb Application Security Assessment and Vulnerability Mitigation Tests
White paper BMC Remedy Action Request System 7.6.04 Web Application Security Assessment and Vulnerability Mitigation Tests January 2011 www.bmc.com Contacting BMC Software You can access the BMC Software
More informationPassing PCI Compliance How to Address the Application Security Mandates
Passing PCI Compliance How to Address the Application Security Mandates The Payment Card Industry Data Security Standards includes several requirements that mandate security at the application layer. These
More informationGuidelines for Web applications protection with dedicated Web Application Firewall
Guidelines for Web applications protection with dedicated Web Application Firewall Prepared by: dr inŝ. Mariusz Stawowski, CISSP Bartosz Kryński, Imperva Certified Security Engineer INTRODUCTION Security
More informationLast update: February 23, 2004
Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to
More informationExecutive Summary On IronWASP
Executive Summary On IronWASP CYBER SECURITY & PRIVACY FOUNDATION 1 Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open
More informationWeb Engineering Web Application Security Issues
Security Issues Dec 14 2009 Katharina Siorpaes Copyright 2009 STI - INNSBRUCK www.sti-innsbruck.at It is NOT Network Security It is securing: Custom Code that drives a web application Libraries Backend
More informationREDCap Technical Overview
REDCap Technical Overview Introduction REDCap is a web application for building and managing online surveys and databases. This document delineates many of the broader technical aspects of REDCap, such
More informationProject 2: Web Security Pitfalls
EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course
More informationApplication Security Vulnerabilities, Mitigation, and Consequences
Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical
More informationExternal Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION
External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security
More informationA Survey on Security and Vulnerabilities of Web Application
A Survey on Security and Vulnerabilities of Web Application Gopal R. Chaudhari, Prof. Madhav V. Vaidya Department of Information Technology, SGGS IE & T, Nanded, Maharashtra, India-431606 Abstract Web
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationOverview of the Penetration Test Implementation and Service. Peter Kanters
Penetration Test Service @ ABN AMRO Overview of the Penetration Test Implementation and Service. Peter Kanters ABN AMRO / ISO April 2010 Contents 1. Introduction. 2. The history of Penetration Testing
More information