Web Application Guidelines
- Basil Barber
- 8 years ago
Web applications have become one of the most important topics in the security field, for several reasons: it is simple for anyone to create working code without security in mind, most web applications face the open web, and web applications typically combine several technologies that until recently were not necessary for every developer to know. These can include any combination of server configuration, the Hypertext Transfer Protocol (HTTP), server-side code, browser standards, Hypertext Markup Language (HTML), Cascading Style Sheets (CSS), and JavaScript. All of these contribute to one central point: web applications present a very large attack surface.

Table of Contents
- Sanitizing User Input
- Outputting Data to the User
- All Input is User Input
- OWASP PHP Sanitization Function and Filters
- Authentication Mechanisms
- Use NAU's Central Authentication System
- Hashing Passwords and Salt
- Sessions
- JavaScript Authentication
- Access and Control
- Securing, not Hiding
- Cross-Site Request Forgery
- Information Leakage
- HTML and JavaScript Comments
- Include Files
- Error Messages
- Use TLS
- Miscellaneous
- Third-party Code
- In-House Cryptography
- Securing Cookies
Sanitizing User Input

It is important to validate all data accepted from the client. This means taking every piece of data that comes from the client or the client's browser and escaping or removing anything that does not conform to the expected values. This is known as sanitization. For example, when creating a page that queries a database and displays information, the user might be directed to a URL such as:

In this scenario, the query string parameter id might select a record from a database and display the results. It is necessary to ensure that the parameter id is exactly what is expected, most likely a positive integer. If a user enters a non-integer value for id, the application should either reject it (throw an exception and halt processing) or normalize it before using it for anything. Rejecting is the safer default: stripping characters turns one attacker-controlled value into a different, possibly unintended, one. Below are examples of possible user inputs and how the web application could safely respond:

- `OR a = a` (a SQL injection attempt): Exception: Invalid Integer, or strip non-integer characters and set `id=1`
- Exception: Invalid Integer
- Strip non-integer characters: set `id=123`
- Strip non-integer characters: set `id=1`
- Behave normally (a valid positive integer)

Without such validation, the first case above could be used to make the application leak more data from the database than the developer intended. When using SQL, most frameworks include a way to parameterize statements. Whenever possible use parameterized queries and never build a query by string concatenation of user-supplied values.

Outputting Data to the User

As with input, it is important to sanitize any data that will be output to the user. Failure to do so may allow an attacker to modify the current page and inject HTML or JavaScript to compromise other users or damage the reputation of the University. For example, when creating a page that searches a database and returns relevant results, the user might be directed to a URL such as:

In this scenario, the query string parameter query might be used in a search of the database and generate output such as:
Displaying 10 of 91 Search Results for "computers":
Computers: A Tutorial
How to use computers

The parameter query must be sanitized to prevent the user from manipulating the database and affecting server-side components. It must also be sanitized to protect other users. In this example, the code that outputs the headline may look similar to:

echo "<div id=\"headline\">Displaying $count of $total Search Results for \"$keyword\": </div>\r\n";

The script could be used to display cookie information if an attacker entered the following as the query (including the quotes):

</div><div onload="alert(document.cookie);">

This would cause the code to behave as if it had been written:

echo "<div id=\"headline\">Displaying $count of $total Search Results for \"</div><div onload=\"alert(document.cookie);\">\": </div>\r\n";

and would output the following HTML:

<div id="headline">Displaying 10 of 91 Search Results for "</div><div onload="alert(document.cookie);">": </div>

A user who visits such a URL would execute the injected markup with their own cookies in scope. (Strictly, browsers do not fire onload on a div; a real attacker would pick an element and event that do fire, such as an img with an onerror handler, but the injection mechanism is identical.) Instead of simply displaying the cookie information, the same technique could quietly send the cookies to a server the attacker controls, to be collected and reused, or could perform actions on behalf of other users.

To remediate this, all dynamic data being output should be encoded according to the context in which it is placed (HTML body, HTML attribute, JavaScript, URL, or CSS). Choose the contextual encoding or sanitizing method that matches the expected use of the dynamic data; for more information see the OWASP Cross Site Scripting (XSS) Prevention Cheat Sheet: ion_cheat_sheet

All Input is User Input

A common misconception is that cookies, HTTP POST data, hidden form fields, user-agent strings, and other header information are trustworthy forms of data. All of these reside in the user's browser and are under the user's control. Cookies can be edited, form fields can be fabricated or modified, user-agents can be spoofed, and headers can be forged. The tools to accomplish this are readily available and easy to use; many browsers ship with some of them built in. This does not mean that these forms of input should not be used, but it does mean they must be sanitized or validated before use.

It is crucial to note that JavaScript is also controlled by the user. Information passed to the server by JavaScript can be tampered with, modified, or forged, and must be sanitized or validated like any other input. Checking user input with JavaScript in the client can save processing time and avoid a page refresh, but sanitization or validation must also be performed in the server-side code.

OWASP PHP Sanitization Function and Filters

The Open Web Application Security Project (OWASP) provides a set of sanitization filters as a PHP function that can be quickly incorporated into projects. It is secure, simple to implement, and available at:

For Java developers OWASP provides the OWASP Enterprise Security API (ESAPI):

For C#/.NET (3.5 and earlier) developers Microsoft provides the AntiXSS library:

For C#/.NET (4.0 and later) developers, the Framework supports context-based encoding through the HttpUtility class:

Authentication & Access Control Mechanisms

Authentication lies at the heart of web application security and is often the prime target for attackers. If an attacker is able to break or bypass authentication, they could assume the identity of another user, obtain sensitive information, or leverage the attack to gain entry to another system.
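Before moving on to authentication, the following is an added example (Python, not code from the original guidelines) that ties together the two sanitization rules above: validate the id parameter against exactly the form expected, bind it as a query parameter instead of concatenating it, and encode the search keyword for the HTML context it is printed in. It generalizes the page's single case by running the vulnerable and safe queries side by side against a small SQLite table; the `articles` table, its `secret` column and the three rows are constructed here for the example, and it takes the "throw an exception" branch rather than stripping characters.

```python
"""Added example (not from the original guidelines): validate a query-string
parameter, parameterize the SQL that uses it, and encode the value for HTML.

Assumptions: an in-memory SQLite table named 'articles' with a 'secret'
column, and the three sample rows, are all constructed here for the example.
"""
import html
import re
import sqlite3

# --- constructed sample data -------------------------------------------------
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)")
con.executemany(
    "INSERT INTO articles VALUES (?, ?, ?)",
    [
        (1, "Computers: A Tutorial", 0),
        (2, "How to use computers", 0),
        (3, "Unpublished draft", 1),   # must never be shown to the public
    ],
)

# --- Sanitizing User Input: accept exactly a positive integer, nothing else --
_ID_RE = re.compile(r"^[1-9][0-9]*$")


def parse_id(raw):
    """Return the id as an int or raise ValueError ('Invalid Integer').

    This takes the 'exception' branch of the guideline rather than stripping
    characters: stripping silently turns one attacker-chosen value into a
    different one (e.g. '1 OR 1=1' into 111), which is rarely what you want.
    """
    if not isinstance(raw, str) or not _ID_RE.match(raw):
        raise ValueError("Invalid Integer")
    return int(raw)


def lookup_concat(raw_id):
    """The vulnerable pattern: the raw parameter is spliced into the SQL text."""
    sql = "SELECT title FROM articles WHERE secret = 0 AND id = " + raw_id
    return [row[0] for row in con.execute(sql)]


def lookup_param(raw_id):
    """The safe pattern: validate first, then bind the value as a parameter."""
    article_id = parse_id(raw_id)
    rows = con.execute(
        "SELECT title FROM articles WHERE secret = 0 AND id = ?", (article_id,)
    )
    return [row[0] for row in rows]


# --- Outputting Data to the User: encode for the HTML context --------------
def headline(count, total, keyword):
    """Render the search headline; the keyword is HTML-encoded (quote=True
    also encodes " and ', so it is safe inside a quoted attribute as well)."""
    safe = html.escape(keyword, quote=True)
    return '<div id="headline">Displaying %d of %d Search Results for "%s": </div>' % (
        count, total, safe)


if __name__ == "__main__":
    # 'id = 1 OR 1=1' widens the WHERE clause and leaks the unpublished row.
    print(lookup_concat("1 OR 1=1"))
    try:
        lookup_param("1 OR 1=1")
    except ValueError as err:
        print("Exception:", err)
    print(lookup_param("2"))
    print(headline(10, 91, '</div><div onload="alert(document.cookie);">'))
```

Note that the `secret = 0 AND id = 1 OR 1=1` clause shows why a "harmless" integer parameter matters: SQL evaluates AND before OR, so the injected `OR 1=1` discards the whole publication check rather than only the id match. The validated version never reaches the database with that input, and the parameterized query would treat it as a literal even if it did.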
Use NAU's Central Authentication System

When possible, use NAU's Central Authentication Service (CAS). It is a single-sign-on service that lets users log in with one account, and it gives developers confidence about exactly which user is logged into their system. By contrast, if a website runs its own registration and user management, being sure that user221 has not signed up as user447 can be difficult. More information about the system, as well as implementation documentation, is available here:

When it is not possible to use CAS, there are some key guidelines that should be followed. Information in transit and information at rest need to be secured in different ways. Information transmitted from the user to a web application should always go over SSL/TLS. Stored information should be kept in a secure database rather than in flat files. NAU Information Technology Services (ITS) offers Oracle, MySQL, and MSSQL databases; call the Solution Center for more information.

Hashing Passwords and Salt

When using CAS, developers don't have to manage passwords. If it becomes necessary to do so, the passwords must be stored properly: hashed with a one-way function and a long, random salt that is unique to each user. The example below uses SHA-256. SHA-256 and SHA-512 are general-purpose hashes and are fast to compute, so for new code a dedicated password-hashing function that is deliberately slow and manages the salt itself (bcrypt, scrypt or Argon2; in PHP, password_hash() and password_verify()) is the better choice. The password itself is never stored; the stored hash is compared with a hash of each login attempt.

The example below demonstrates checking a login attempt against a database using PHP and MySQL.

process_login.php:

<?php
// Include OWASP Sanitization filter available at:
include('includes/sanitization.inc');

// sanitize_paranoid_string() reduces a string to alphanumeric-only.
// Sanitize the username BEFORE it is used in any query.
$username = sanitize_paranoid_string($_POST['username']);

$con = new mysqli('mysql_server.com', 'David', 'strong_pass', 'my_app_db');

// Look up this user's salt. The salt for each user should be different
// and randomly generated. A prepared statement keeps $username out of the
// SQL text even though it has already been sanitized.
$stmt = $con->prepare('SELECT salt FROM `users` WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$row  = $stmt->get_result()->fetch_assoc();
$salt = $row ? $row['salt'] : '';

// The password is not sanitized because it is only ever hashed; the hash
// output is hexadecimal, so no raw password characters reach the query.
// Notice the salt.
$password = hash('sha256', $salt . $_POST['password']);

// We store a hash of the user's password in the database instead of the
// actual password, so the HASHED password is compared on both ends.
$stmt = $con->prepare('SELECT username FROM `users` WHERE username = ? AND password = ?');
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
$result = $stmt->get_result();

if ($result->num_rows >= 1) {
    // Log user in.
    login($username);
} else {
    // Give the user a generic failure message; do not reveal which part was wrong.
    echo 'Sorry, your username or password is incorrect.';
}
$con->close();
?>

In this example the developer used a value called a salt in the hashing. A salt is a random string appended or prepended to the password before it is hashed. Because every user has a different salt, two users with the same password get different hashes, and an attacker who obtains the hashes cannot use a precomputed list of passwords and their hashes: for each salt they must hash every candidate password again. For more information on hashing, salts, and the methods used to attack them, see the following links:

Sessions
Users should be authenticated with sessions that interact with the server through session cookies or posted hidden fields. If cookies are used, the authentication cookie should contain an opaque session identifier that the server maps to the user, not the user's login information. When a user authenticates, a new identifier should be generated and the cookie configured to be sent over HTTPS only. As mentioned above, cookie contents are available for any user to view and modify: if the cookie named the user directly, an attacker could simply change user123 to admin. For more information on session management, see the following links:

JavaScript Authentication

When it comes to authentication, it is especially important to remember that JavaScript cannot be trusted to run as written. This does not mean it cannot be used in login pages or to submit credentials, but data sent to the server this way must be sanitized and verified server-side just like any other input.

Access and Control

Access control misconfigurations are among the most common issues found in web applications. The consequences range from exposing sensitive information to an attacker to allowing an attacker to perform actions on behalf of another user.

Securing, not Hiding

Securing and hiding a resource are two very different things. For example, a login page might authenticate the user and then forward the user to admin.php. This is fine, but admin.php must itself verify that the user is authenticated; otherwise any user could visit that page directly without logging in. It cannot be assumed that users will not know a page exists. This may seem obvious, but it is often overlooked. For example, many web applications use flat-file databases despite the inherent risks of that method, and tools that guess at filenames on a server are common and will likely find

The same concept applies to backup files. Files such as mysql_config.php.old and site_backup.zip are prime targets for attackers since they can reveal credentials to the backend database or other sensitive information.

Another more complex, but more common, example involves a page such as add_user.php. If this page expects POST data containing a new user's username, password, and so on, but does not authenticate the user requesting the action, then nothing stops an attacker from creating their own HTML form with those fields and POSTing it to add_user.php. It is up to the developer to check that the requester is authorized to add a user before executing the code that does so. Proper session management mitigates these vulnerabilities, but only if the developer ensures that a user is authenticated and authorized before acting. This applies to every page that is not meant to face the public and every page that should require an authenticated user to perform an action.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack in which a malicious web page causes the victim's browser to perform actions on a remote site on the victim's behalf. It can be carried out with any tag, attribute, or property that instructs a browser to request a resource, and can be hidden in HTML or CSS so that the malicious page shows no visual sign of the attack. For example, a page the user is visiting could include:

<iframe src="…"></iframe>

If the user visiting the malicious page were already authenticated to the site the iframe points at, the request would be performed with the privileges of that user, because the browser attaches that site's cookies automatically. CSRF attacks are not limited to GET requests: an attacker can create a web page that populates a form on the attacker's own site and then automatically submits it to the target with JavaScript.
Some other examples of CSRF techniques include the following:

<img src="…" />
<link rel="stylesheet" type="text/css" href="…">
<body style="background-image: …">

This list is far from comprehensive. CSRF attacks can be prevented by including a randomly generated token in every page that the server verifies before performing any state-changing action; this is called a synchronizer token or anti-CSRF token. The token must be unpredictable, tied to the user's session, and checked server-side. Because the attacker's page cannot read the victim's pages (the same-origin policy prevents it), a forged request cannot supply the token. The Open Web Application Security Project (OWASP) has provided a resource on securing web applications from CSRF attacks in this way: Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

GNU Citizen also provides excellent examples of preventing CSRF attacks:

Information Leakage

Information leakage can take several forms and covers anything that unintentionally reveals sensitive information to a user: database passwords, personally identifiable information about users, file system details, and error messages. Below are some of the ways information is commonly leaked.

HTML and JavaScript Comments

Some developers are not aware that users can view comments, especially in JavaScript; others assume users simply won't think to look; and anyone can forget that comments containing important information were left in the code. Information left for testing, debugging, reminders, or communication with other developers is often useful to an attacker. Any code or information sent to the user should be reviewed for comments containing sensitive information.

Include Files

File includes are an excellent tool when building a web application, but it is important to keep track of where these files are located and how they are exposed to the web. A page that includes include/mysql.inc may save time and keep the code clean, but if an attacker can view the file in plain text just by typing in:
then the web server exposes the database credentials, which are immediately compromised. A developer might name the file mysql.inc.php so that the script executes rather than being displayed as plain text. This is not the recommended solution, since an attacker can still request any include directly and execute it out of its intended context. Instead, included files should not be reachable through a URL at all. Apache users can place an .htaccess file in the include folder that denies all web access to it; IIS servers can be configured so that the web server identity has no permission to read some files or directories. Better still, locate include files outside the web root, in a place the web server process can read but that maps to no URL.

Error Messages

Server error messages should be disabled and a generic custom error page shown to the user instead, with the detail written to a server-side log. There is no easier way to discover and exploit SQL injection than to trigger an informative SQL error. When troubleshooting and debugging, consider blocking access to the site for anyone other than developers before temporarily re-enabling error messages.

Use TLS

Lastly, any time a web application accepts or presents sensitive information, TLS should be used. This protects users from an attacker monitoring traffic on the network. In practice the whole application should be served over HTTPS, because a session cookie sent over plain HTTP is as exposed as the password that created it. Server administrators can say whether SSL/TLS is currently available for the server.

Miscellaneous

Some best practices don't fit the categories above and are listed here. Running the most recent secure versions of PHP, admin tools, and other software is a best practice, as old versions tend to contain known vulnerabilities.

Third-party Code

As a general rule, code from an outside source needs to be researched and checked for known vulnerabilities. This applies to themes, plugins, extensions, frameworks, and even entire web applications. When vulnerabilities are discovered, measures to remove or mitigate them should be taken. This may include creating firewall signatures, modifying source code where applicable, or working with vendors to remediate the issues. Examples include, but are not limited to, WordPress and Drupal; these two applications in particular have experienced a high level of exploited vulnerabilities. Updating to the latest patch as soon as possible is critical to mitigating the risk.

In-House Cryptography

Do not develop custom cryptography for storing, transmitting, or otherwise securing information. Instead, use cryptographic functions and frameworks that have already been tried and tested.

Securing Cookies

In an ideal world, an attacker would never be in a position to access your users' cookies. In this world, it is necessary to set reasonable expiration dates on cookies, to destroy session cookies when they expire, and never to store sensitive information in cookies. New cookies should be generated when users switch from non-encrypted (HTTP) to encrypted (HTTPS) communication. Cookies transmitted over HTTPS should be flagged Secure so the browser never sends them over plain HTTP, and session cookies should also be flagged HttpOnly so that script injected through an XSS flaw like the one shown earlier cannot read them. Cookies should have their Path and Domain set as specifically as possible where applicable.
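To tie the Hashing Passwords and Salt, Sessions, Access and Control, Cross-Site Request Forgery, and Securing Cookies sections together, the following is an added example in Python (the guidelines' own examples are PHP; this is not code from the original). It assumes an in-memory user store and session table constructed here, PBKDF2-HMAC-SHA256 standing in for a slow password hash, and plain dictionaries in place of a framework's request object; the `/app/` cookie path and the rule that only `admin` may add users are illustrative.

```python
"""Added example (not from the original guidelines): password storage,
session issuance, cookie attributes and anti-CSRF token checks in one flow.

Assumptions: an in-memory user store and session table constructed here,
PBKDF2-HMAC-SHA256 as the deliberately slow password hash, and plain dicts
standing in for a framework's request object (request["cookies"],
request["form"]).
"""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Deliberately slow hash; raise the count to current guidance for production.
PBKDF2_ITERATIONS = 200_000


# --- Hashing Passwords and Salt: random per-user salt, slow hash, no plaintext
def make_password_record(password):
    salt = secrets.token_bytes(16)  # unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(record, attempt):
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare


# Constructed sample users; the passwords themselves are never stored.
USERS = {
    "user123": make_password_record("correct horse battery staple"),
    "admin": make_password_record("ch4nge-me-at-deploy"),
}

# --- Sessions: the cookie carries an opaque random id, never "user=admin"
SESSIONS = {}  # session id -> {"user": username, "csrf": token}


def login(username, password):
    """Return a fresh session id on success, else None. A new id is issued
    on every login, so an id that existed before authentication is never
    promoted to an authenticated one."""
    record = USERS.get(username)
    if record is None or not check_password(record, password):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid


# --- Securing Cookies: HTTPS-only, unreadable from script, narrow path, bounded life
def session_cookie_header(sid, max_age=1800):
    """Build the Set-Cookie value for the session id."""
    c = SimpleCookie()
    c["session"] = sid
    c["session"]["secure"] = True        # sent over HTTPS only
    c["session"]["httponly"] = True      # not exposed to document.cookie
    c["session"]["samesite"] = "Strict"  # not attached to cross-site requests
    c["session"]["path"] = "/app/"       # as specific as possible (assumed app path)
    c["session"]["max-age"] = max_age    # reasonable expiration
    return c.output(header="").strip()


def csrf_token(sid):
    """Token to embed in every form the application renders for this session."""
    return SESSIONS[sid]["csrf"]


# --- Access and Control + CSRF: authenticate, authorize, then verify the token
def handle_add_user(request):
    """An add_user.php-style action. A forged cross-site request carries the
    victim's cookie (the browser attaches it) but cannot know the token."""
    sid = request.get("cookies", {}).get("session", "")
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not authenticated"
    if sess["user"] != "admin":  # example authorization policy
        return 403, "not authorized"
    submitted = request.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid anti-CSRF token"
    form = request["form"]
    USERS[form["username"]] = make_password_record(form["password"])
    return 200, "user %s added" % form["username"]
```

In PHP the same pieces are password_hash() and password_verify() for the password record, session_regenerate_id(true) after a successful login, setcookie() with the secure, httponly and samesite options, and hash_equals() for the constant-time token comparison. The order of checks in handle_add_user is the point of the Access and Control section: authentication, then authorization, then the anti-CSRF token, and only then the action.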
More informationTop 10 Web Application Security Vulnerabilities - with focus on PHP
Top 10 Web Application Security Vulnerabilities - with focus on PHP Louise Berthilson Alberto Escudero Pascual 1 Resources The Top 10 Project by OWASP www.owasp.org/index.php/owasp_top_ten_project
More informationState of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell
Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection
More informationAcunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)
Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06
More informationWebapps Vulnerability Report
Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during
More informationThreat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP
Threat Modeling Categorizing the nature and severity of system vulnerabilities John B. Dickson, CISSP What is Threat Modeling? Structured approach to identifying, quantifying, and addressing threats. Threat
More informationBASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS
BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices
More informationChapter 1 Web Application (In)security 1
Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is
More informationWEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY
WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities
More informationelearning for Secure Application Development
elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security
More informationAPPLICATION SECURITY AND ITS IMPORTANCE
Table of Contents APPLICATION SECURITY AND ITS IMPORTANCE 1 ISSUES AND FIXES: 2 ISSUE: XSS VULNERABILITIES 2 ISSUE: CSRF VULNERABILITY 2 ISSUE: CROSS FRAME SCRIPTING (XSF)/CLICK JACKING 2 ISSUE: WEAK CACHE
More informationAnnual Web Application Security Report 2011
Annual Web Application Security Report 2011 An analysis of vulnerabilities found in external Web Application Security tests conducted by NTA Monitor during 2010 Contents 1.0 Introduction... 3 2.0 Summary...
More informationHack Proof Your Webapps
Hack Proof Your Webapps About ERM About the speaker Web Application Security Expert Enterprise Risk Management, Inc. Background Web Development and System Administration Florida International University
More informationWeb Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure
Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences
More informationCross-Site Scripting
Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some
More informationCyber Security Workshop Ethical Web Hacking
Cyber Security Workshop Ethical Web Hacking May 2015 Setting up WebGoat and Burp Suite Hacking Challenges in WebGoat Concepts in Web Technologies and Ethical Hacking 1 P a g e Downloading WebGoat and Burp
More informationThick Client Application Security
Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
More informationRuby on Rails Secure Coding Recommendations
Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional
More informationPenetration Testing Report Client: Business Solutions June 15 th 2015
Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com
More informationOWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741
OWASP TOP 10 ILIA ALSHANETSKY @ILIAA HTTPS://JOIND.IN/15741 ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN
More informationBug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)
Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.
More informationApplication Security Policy
Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy
More informationExternal Network & Web Application Assessment. For The XXX Group LLC October 2012
External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution
More informationOWASP Secure Coding Practices Quick Reference Guide
OWASP Secure Coding Practices Quick Reference Guide Copyright and License Copyright 2010 The OWASP Foundation. This document is released under the Creative Commons Attribution ShareAlike 3.0 license. For
More informationStill Aren't Doing. Frank Kim
Ten Things Web Developers Still Aren't Doing Frank Kim Think Security Consulting Background Frank Kim Consultant, Think Security Consulting Security in the SDLC SANS Author & Instructor DEV541 Secure Coding
More informationSecure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.
Secure Coding External App Integrations Astha Singhal Product Security Engineer salesforce.com Tim Bach Product Security Engineer salesforce.com Safe Harbor Safe harbor statement under the Private Securities
More informationOWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair dave.wichers@owasp.
and Top 10 (2007 Update) Dave Wichers The Foundation Conferences Chair dave.wichers@owasp.org COO, Aspect Security dave.wichers@aspectsecurity.com Copyright 2007 - The Foundation This work is available
More informationApplication Security Vulnerabilities, Mitigation, and Consequences
Application Security Vulnerabilities, Mitigation, and Consequences Sean Malone, CISSP, CCNA, CEH, CHFI sean.malone@coalfiresystems.com Institute of Internal Auditors April 10, 2012 Overview Getting Technical
More informationApplication Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper
Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like
More informationTop Ten Web Application Vulnerabilities in J2EE. Vincent Partington and Eelco Klaver Xebia
Top Ten Web Application Vulnerabilities in J2EE Vincent Partington and Eelco Klaver Xebia Introduction Open Web Application Security Project is an open project aimed at identifying and preventing causes
More informationWeb Application Firewall on SonicWALL SRA
Web Application Firewall on SonicWALL SRA Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SRA 6.0. This document contains the following
More informationKentico CMS security facts
Kentico CMS security facts ELSE 1 www.kentico.com Preface The document provides the reader an overview of how security is handled by Kentico CMS. It does not give a full list of all possibilities in the
More informationThe Top Web Application Attacks: Are you vulnerable?
QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding
More informationPCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker
PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS
More informationWeb Application Firewall on SonicWALL SSL VPN
Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following
More information05.0 Application Development
Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development
More informationHTTPParameter Pollution. ChrysostomosDaniel
HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider
More informationOut of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet
Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development
More informationStandard: Web Application Development
Information Security Standards Web Application Development Standard IS-WAD Effective Date TBD Email security@sjsu.edu # Version 2.0 Contact Mike Cook Phone 408-924-1705 Standard: Web Application Development
More informationSQL Injection January 23, 2013
Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2
More informationWeb Application Security Considerations
Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute
More informationTesting Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com
Testing Web Applications for SQL Injection Sam Shober SamShober@Hotmail.com Abstract: This paper discusses the SQL injection vulnerability, its impact on web applications, methods for pre-deployment and
More informationWeb Application Security. Srikumar Venugopal S2, Week 8, 2013
Web Application Security Srikumar Venugopal S2, Week 8, 2013 Before we start Acknowledgements This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc.
More informationCertified Secure Web Application Secure Development Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands About Certified Secure Checklist Certified Secure exists to encourage and fulfill
More informationWHITE PAPER FORTIWEB WEB APPLICATION FIREWALL. Ensuring Compliance for PCI DSS 6.5 and 6.6
WHITE PAPER FORTIWEB WEB APPLICATION FIREWALL Ensuring Compliance for PCI DSS 6.5 and 6.6 CONTENTS 04 04 06 08 11 12 13 Overview Payment Card Industry Data Security Standard PCI Compliance for Web Applications
More informationSecurity Testing with Selenium
with Selenium Vidar Kongsli Montréal, October 25th, 2007 Versjon 1.0 Page 1 whois 127.0.0.1? Vidar Kongsli System architect & developer Head of security group Bekk Consulting Technology and Management
More informationMatriXay WEB Application Vulnerability Scanner V 5.0. 1. Overview. (DAS- WEBScan ) - - - - - The best WEB application assessment tool
MatriXay DAS-WEBScan MatriXay WEB Application Vulnerability Scanner V 5.0 (DAS- WEBScan ) - - - - - The best WEB application assessment tool 1. Overview MatriXay DAS- Webscan is a specific application
More informationUsing Foundstone CookieDigger to Analyze Web Session Management
Using Foundstone CookieDigger to Analyze Web Session Management Foundstone Professional Services May 2005 Web Session Management Managing web sessions has become a critical component of secure coding techniques.
More informationWebCruiser Web Vulnerability Scanner User Guide
WebCruiser Web Vulnerability Scanner User Guide Content 1. Software Introduction...2 2. Key Features...3 2.1. POST Data Resend...3 2.2. Vulnerability Scanner...6 2.3. SQL Injection...8 2.3.1. POST SQL
More informationProtecting Your Organisation from Targeted Cyber Intrusion
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
More information