Web Application Security


Web Application Security: A Beginner's Guide
Bryan Sullivan, Vincent Liu
McGraw-Hill
New York, Chicago, San Francisco, Lisbon, London, Madrid, Mexico City, Milan, New Delhi, San Juan, Seoul, Singapore, Sydney, Toronto

Contents

Acknowledgments  xiii
Introduction  xv

PART I  Primer

1  Welcome to the Wide World of Web Application Security  3
    Misplaced Priorities and the Need for a New Focus  4
    Network Security versus Application Security: The Parable of the Wizard and the Magic Fruit Trees  6
    Real-World Parallels  7
    Thinking like a Defender  9
    The OWASP Top Ten List  11
    #1. Injection  13
    #2. Cross-Site Scripting (XSS)  13
    #3. Broken Authentication and Session Management  14
    #4. Insecure Direct Object References  15
    #5. Cross-Site Request Forgery  15
    #6. Security Misconfiguration  16
    #7. Insecure Cryptographic Storage  16
    #8. Failure to Restrict URL Access  17
    #9. Insufficient Transport Layer Protection  18
    #10. Unvalidated Redirects and Forwards  19
    Wrapping Up the OWASP Top Ten  19
    Secure Features, Not Just Security Features  20
    Final Thoughts  21

2  Security Fundamentals  23
    Input Validation  24
    Blacklist Validation  25
    Whitelist Validation  27
    More Validation Practices  30
    The Defense-in-Depth Approach  31
    Attack Surface Reduction  32
    Attack Surface Reduction Rules of Thumb  34
    Classifying and Prioritizing Threats  35
    STRIDE  36
    IMF  38
    CIA  39
    Common Weakness Enumeration (CWE)  41
    DREAD  42
    Common Vulnerability Scoring System (CVSS)  44

PART II  Web Application Security Principles

3  Authentication  53
    Access Control Overview  54
    Authentication Fundamentals  56
    Proving Your Identity  57
    Two-Factor and Three-Factor Authentication  60
    Web Application Authentication  61
    Password-Based Authentication Systems  61
    Built-in HTTP Authentication  61
    Single Sign-On Authentication  64
    Custom Authentication Systems  67
    Validating Credentials  69
    Securing Password-Based Authentication  70
    Attacks Against Passwords  70
    The Importance of Password Complexity  74
    Password Best Practices  76
    Secure Authentication Best Practices  80
    When and Where to Perform Authentication  80
    Securing Web Authentication Mechanisms  84

4  Authorization  91
    Access Control Continued  92
    Authorization  93
    Session Management  93
    Authorization Fundamentals  94
    Authorization Goals  96
    Detailed Authorization Check Process  96
    Types of Permissions  102
    Authorization Layers  103
    Controls by Layer  108
    Custom Authorization Mechanisms  116
    Client-Side Attack  120
    TOCTTOU Exploit  121
    Web Authorization Best Practices  123
    Attacks Against Authorization  127
    Session Management Fundamentals  130
    What's a Session?  130
    How to Manage Session State?  133
    Why Do We Need Session Management?  134
    Attacks Against Sessions  135
    SSL and HTTPS  136
    Jetty: Session Predictability in the Real World  138
    Attacks Against Session State  140
    Securing Web Application Session Management  140
    Session Management Best Practices  141

5  Browser Security Principles: The Same-Origin Policy  149
    Defining the Same-Origin Policy  150
    An Important Distinction: Client-Side vs. Server-Side  152
    A World Without the Same-Origin Policy  154
    Exceptions to the Same-Origin Policy  155
    HTML <script> Element  155
    JSON and JSONP  156
    iframes and JavaScript document.domain  158
    Adobe Flash Player Cross-Domain Policy File  161
    Microsoft Silverlight  164
    XMLHttpRequest (Ajax) and Cross-Origin Resource Sharing  164
    XDomainRequest  166
    Final Thoughts on the Same-Origin Policy  166

6  Browser Security Principles: Cross-Site Scripting and Cross-Site Request Forgery  169
    Cross-Site Scripting  170
    Cross-Site Scripting Explained  171
    Reflected XSS  177
    POST-Based Reflected XSS  180
    Stored XSS  182
    Local XSS  184
    Another Variation: HTML Injection  186
    XSS Defense: Encoding Output  188
    XSS Defense: Sanitizing Input  191
    XSS Defense: Using a Reduced Markup Language  193
    XSS Defense-in-Depth: HttpOnly  194
    XSS Defense-in-Depth: Content Security Policy (CSP)  196
    Final Thoughts on Cross-Site Scripting  197
    Cross-Site Request Forgery  197
    Cross-Site Request Forgery Explained  199
    HTTP GET and the Concept of Safe Methods  201
    Ineffective CSRF Defense: Relying on POST  202
    Ineffective CSRF Defense: Checking the Referer Header  202
    Ineffective CSRF Defense: URL Rewriting  204
    Better CSRF Defense: Shared Secrets  205
    Better CSRF Defense: Double-Submitted Cookies  206
    Prevent XSS  207
    Reauthentication  208
    What Being "Logged In" Means  208
    Final Thoughts on Cross-Site Request Forgery  210

7  Database Security Principles  213
    Structured Query Language (SQL) Injection  215
    SQL Injection Effects and Confidentiality-Integrity-Availability  217
    The Dangers of Detailed Errors  223
    Blind SQL Injection: No Errors Required  227
    Solving the Problem: Validating Input  230
    Regular Expressions  232
    Solving the Problem: Escaping Input  233
    Setting Database Permissions  238
    Single Account Security  238
    Separate Accounts for Separate Roles  240
    Stored Procedure Security  242
    The Stored-Procedures-Only Approach: Reducing Permissions Even Further  243
    SQL Injection in Stored Procedures  244
    Insecure Direct Object References  246
    No Technical Knowledge Required  246
    Insecure Direct Object References and Confidentiality-Integrity-Availability  248
    Solving the Problem: Pre- or Post-Request Authorization Checks  249
    Final Thoughts on Insecure Direct Object References  251

8  File Security Principles  253
    Keeping Your Source Code Secret  254
    Static Content and Dynamic Content  256
    Revealing Source Code  258
    Interpreted versus Compiled Code  259
    Backup File Leaks  260
    Include-File Leaks  264
    Keep Secrets Out of Static Files  265
    Exposing Sensitive Functionality  268
    Security Through Obscurity  271
    Forceful Browsing  271
    Forceful Browsing and Insecure Direct Object References  272
    Directory Enumeration  273
    Redirect Workflow Manipulation  276
    Directory Traversal  278
    etc/passwd  279
    More Directory Traversal Vulnerabilities  280
    Canonicalization  282

PART III  Secure Development and Deployment

9  Secure Development Methodologies  287
    Baking Security In  288
    The Earlier, the Better  288
    The Penetrate-and-Patch Approach  291
    The Holistic Approach to Application Security  293
    Training  294
    Threat Modeling  296
    Secure Coding Libraries  301
    Code Review  303
    Security Testing  306
    Security Incident Response Planning  309
    Industry Standard Secure Development Methodologies and Maturity Models  311
    The Microsoft Security Development Lifecycle (SDL)  311
    OWASP Comprehensive Lightweight Application Security Process (CLASP)  312
    The Software Assurance Maturity Model (SAMM)  314
    The Building Security In Maturity Model (BSIMM)  315
    Conclusions on Secure Development Methodologies and Maturity Models  316

Epilogue  The Wizard, the Giant, and the Magic Fruit Trees: A Happy Ending  319
Index  321