Lecture 15 - Web Security



Similar documents
Web Application Threats and Vulnerabilities Web Server Hacking and Web Application Vulnerability

What is Web Security? Motivation

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

CS 356 Lecture 16 Denial of Service. Spring 2013

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Network Threats and Vulnerabilities. Ed Crowley

Web Application Security

The monsters under the bed are real World Tour

Figure 9-1: General Application Security Issues. Application Security: Electronic Commerce and . Chapter 9

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Homeland Security Red Teaming

Sitefinity Security and Best Practices

Where every interaction matters.

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Columbia University Web Security Standards and Practices. Objective and Scope

Client logo placeholder XXX REPORT. Page 1 of 37

Web Engineering Web Application Security Issues

CS5008: Internet Computing

Data Breaches and Web Servers: The Giant Sucking Sound

IJMIE Volume 2, Issue 9 ISSN:

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Executable Integrity Verification

Check list for web developers

Columbia University Web Application Security Standards and Practices. Objective and Scope

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Common Security Vulnerabilities in Online Payment Systems

6WRUP:DWFK. Policies for Dedicated IIS Web Servers Group. V2.1 policy module to restrict ALL network access

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

DISA's Application Security and Development STIG: How OWASP Can Help You. AppSec DC November 12, The OWASP Foundation

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Protecting Your Organisation from Targeted Cyber Intrusion

Attack Methodology Analysis: SQL Injection Attacks

elearning for Secure Application Development

Development. Resilient Software. Secure and. Mark S. Merkow Lakshmikanth Raghavan. CRC Press. Taylor& Francis Croup. Taylor St Francis Group,

Railo Installation on CentOS Linux 6 Best Practices

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Rational AppScan & Ounce Products

Last update: February 23, 2004

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Criteria for web application security check. Version

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

How Web Application Security Can Prevent Malicious Attacks

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

Introduction: 1. Daily 360 Website Scanning for Malware

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Ruby on Rails Secure Coding Recommendations

Juniper Networks Secure

Oracle Database Security. Nathan Aaron ICTN 4040 Spring 2006

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Certified Secure Web Application Secure Development Checklist

Kentico CMS security facts

Testing Web Applications for SQL Injection Sam Shober

ICTN Enterprise Database Security Issues and Solutions

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

Barracuda Web Site Firewall Ensures PCI DSS Compliance

SAST, DAST and Vulnerability Assessments, = 4

Penetration Testing Report Client: Business Solutions June 15 th 2015

Powerful, customizable protection for web applications and websites running ModSecurity on Apache/Linux based web-servers

Magento Security and Vulnerabilities. Roman Stepanov

MatriXay WEB Application Vulnerability Scanner V Overview. (DAS- WEBScan ) The best WEB application assessment tool

Lecture 13 - Network Security

6WRUP:DWFK. Policies for Dedicated SQL Servers Group

DOS ATTACKS USING SQL WILDCARDS

Web App Security Audit Services

Mitigating Denial of Service Attacks. Why Crossing Fingers is Not a Strategy

NSA/DHS CAE in IA/CD 2014 Mandatory Knowledge Unit Checklist 4 Year + Programs

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Developing Secure Web Applications

OWASP AND APPLICATION SECURITY

Information Technology Policy

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Security threats and attackers are turning

Network Security and Firewall 1

Passing PCI Compliance How to Address the Application Security Mandates

5 Simple Steps to Secure Database Development

Web Security School Entrance Exam

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

2013 MONITORAPP Co., Ltd.

ABC LTD EXTERNAL WEBSITE AND INFRASTRUCTURE IT HEALTH CHECK (ITHC) / PENETRATION TEST

Linux MDS Firewall Supplement

Web Application Security

THE ROLE OF IDS & ADS IN NETWORK SECURITY

Security in Network-Based Applications. ITIS 4166/5166 Network Based Application Development. Network Security. Agenda. References

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

A Roadmap for Securing IIS 5.0

New IBM Security Scanning Software Protects Businesses From Hackers

Web Vulnerability Assessment Report

Open Web Application Security Project Open source advocacy group > web security Projects dedicated to security on the web

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Advancements in Botnet Attacks and Malware Distribution

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Transcription:

CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 15 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

Web Server Entry point for clients To a variety of services Customized for clients (e.g., via cookies) Supported by complex backend applications (e.g., databases) Target of attackers Common protocol Supports a wide range of inputs Complex software interactions Running with high privilege Q: How does this impact? Vulnerabilities, Threats, Risks

Web Server Deployments Note the multiple application layers and connection to legacy code

Web Server Software E.g., IIS 7

Web Server Architecture Server Components Generic Services (E.g., SMTP, FTP, etc) Network Server Front-End (E.g., IIS) Application Layer (E.g., Active Server s) Legacy Application Database Layer (Pick your favorite)

Server-side Scripting Program placed directly in content, run at during request time and output returned in content MS active server pages (ASP) PHP mod_perl server-side JavaScript python,... Nice at generating output Dangerous if tied to user input

Dynamic Content Security Largely just applications Inasmuch as application are secure Command shells, interpreters, are dangerous Three things to prevent DC vulnerabilities Validate input Input often received as part of user supplied data E.g., cookie Limit program functionality Don t leave open ended-functionality Execute with limited privileges

Web Server Vulnerabilities Not surprisingly, these are numerous For IIS 5, focus was on function All services were ON by default Buffer overflow -- e.g., Code Red Interactions between components are complex HTTP input to database queries SQL Injection -- execute user input directly Web server permissions Web servers have broad access Deface web server -- modify server files Compromise system -- modify system files

What can be done? Checklist for IIS 5 windows.stanford.edu/docs/iissecchecklist.htm Gives an idea of what must be done for IIS Some examples Disable all unnecessary ISAPI filters [services] Delete DLLs [libraries] associated with disabled filters Website must never be on the system drive Only necessary services -- only SMTP Remove NTFS write permissions where possible Obscurity Don t use obvious names for script and code directories Set default website to extreme security IIS 7 does does many of these -- automate all?

Web Server as a Host Security Problem Adversary s Goal Integrity/Secrecy/Availability Get code running on your system That is under the adversary s control Ways to Execute Code Accessible interfaces Defense: minimize attack surface Vulnerable interfaces Defense: prevent various code injections: buffer overflows Privilege Attackers want this code to do as much as possible Defense: minimize its privilege

Canonical (common) DOS - Request Flood Attack: request flooding Overwhelm some resource with legitimate requests e.g., web-server, phone system Note: unintentional flood is called a flash crowd

DOS Prevention - Reverse-Turing Tests Turing test: measures whether a human can tell the difference between a human or computer (AI) Reverse Turning tests: measures whether a user on the internet is a person, a bot, whatever? CAPTCHA - completely automated public Turing test to tell computers and humans apart contorted image humans can read, computers can t image processing pressing SOA, making these harder Note: often used not just for DOS prevention, but for protecting free services (email accounts)

DOS Prevention - Puzzles Make the solver present evidence of work done If work is proven, then process request Note: only useful if request processing significantly more work than Puzzle design Must be hard to solve Easy to Verify Canonical Example Puzzle: given x-bits of input r and h(r), where h is a cryptographic hash function Solution: Invert h(r) Q: Assume you are given 108 bits of input for 128-bit hash input, how hard would it be to solve the puzzle?

Take Away The complexity of web server (and web client) systems makes ensuring their security complex A single interface (HTTP) enhances function Lots of services can be accessed which makes attack surface large The variety of inputs via this interface makes detecting malicious input very difficult Privileges available to injected code can be sufficient to take over system Servers are high profile targets Valuable info (credit cards, private user data) Represent an entity (denial of service)

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information