Hack Proof Your Webapps



About ERM

About the speaker
- Web Application Security Expert, Enterprise Risk Management, Inc.
- Background: web development and system administration
- Florida International University: Bachelors and Masters of Science
- Massachusetts Institute of Technology

Overview
- General security review: hacking statistics; security as a layered process; the web programming layer
- Web vulnerability review: cross-site scripting; SQL injection; other vulnerabilities
- Security strategies: rules for deployment; writing code for unknown risks; mitigation strategies
- Questions

Statistics

Security as a layered process
- Network
- Server-Network
- Web application: SSL (https), session privacy, input validation, data protection
- Server-base

Common types of attacks (chart from the Cenzic Vulnerability Trend Report, March 2013)

Cross-Site Scripting (XSS)
- Code injection via improper escaping (mixing code and content)
- Diagram: a page assembled from untrusted input + <script>...</script> inside that input = COMPROMISED
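The point of the slide is that an unescaped string is code from the browser's point of view. The following is an added example, not code from the slides or from ERM; it uses Python's standard html module and a constructed "display name" value to show the unsafe and the escaped renderer side by side, including the attribute context where quotes must be escaped as well.

```python
import html

# Constructed sample: an attacker-controlled "display name" as it might arrive in a
# form field. The value is an example for this demo, not from the original slides.
UNTRUSTED_NAME = "<script>alert(1)</script>"


def render_greeting_unsafe(name: str) -> str:
    """Mixes code and content: the raw input becomes part of the HTML program."""
    return "<h1>Welcome, " + name + "</h1>"


def render_greeting_safe(name: str) -> str:
    """Treats the input as content: every HTML metacharacter is escaped before
    it is placed in the page, so the browser renders text, not markup."""
    return "<h1>Welcome, " + html.escape(name, quote=True) + "</h1>"


def render_attribute_safe(name: str) -> str:
    """Attribute context needs quoting AND escaping of both quote characters;
    html.escape(quote=True) covers ' and " so the value cannot close the attribute."""
    return '<input type="text" value="' + html.escape(name, quote=True) + '">'


def contains_script_tag(fragment: str) -> bool:
    """Crude detector used only to show the difference between the two renderers:
    does a raw <script> element survive into the output?"""
    return "<script" in fragment.lower()
```

Escaping is context-specific: the same value placed inside a JavaScript block or a URL needs that context's encoding, which is why the slides recommend a templating library that knows the context rather than hand-written concatenation.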

SQL Injection
- Improper escaping of user input leads to DB manipulation
- https://xkcd.com/327/

Cross-Site Request Forgery (CSRF)
- Exploit active user sessions to launch a blind attack
- Diagram (Victim, Attacker, Legitimate site, Malicious site):
  1. The victim holds an authenticated session with the legitimate site
  2. The attacker sends the victim a malicious link
  3. The victim follows the link; the malicious site issues a background request
  4. The malicious site triggers an action on the legitimate site without the victim's consent

Session hijacking (information leakage)
- The user's information is stored on the server in the session
- The Session ID is transmitted to the user as a cookie
- The Session ID acts as a key to the information stored on the server about the user
- Impersonation: a man-in-the-middle (MITM) can usurp the user by supplying a stolen Session ID
- A malicious user can piggy-back on an unattended workstation
- Diagram: Client, Server, Attacker

Rules for secure web development
1. Never trust user input
2. Never mix code and content
3. Never, ever trust user input

Validating user input
- Javascript is not a proper validation tool: it is useful to assist the user, but it should not be a requirement (the server must validate regardless)
- Validate against a whitelist of possible values
- Sanitation is not necessary if proper validation is in place
- Proper error handling is vital to user interaction
Addresses: SQL injection, denial of service, code execution, information disclosure
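Whitelist validation on the server, with the error handling the slide calls for, as an added example (not from the slides or ERM). The form fields, the allowed country codes and the size limits are constructed assumptions for a hypothetical order form; the pattern is the same for any field: define the exact shape or value set that is acceptable, reject everything else, and never try to "clean up" a rejected value.

```python
import re

# Constructed rules for a hypothetical order form (field names are assumptions,
# not from the slides): each field has an explicit allowed shape or value set.
ALLOWED_COUNTRIES = {"US", "CA", "MX"}
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")
QUANTITY_RE = re.compile(r"[0-9]{1,2}")


class ValidationError(ValueError):
    """Carries a user-facing message only; never includes internals."""


def validate_order(form: dict) -> dict:
    """Whitelist validation: reject anything not matching the allowed shape and
    return only the cleaned values. No sanitizing or 'fixing' of bad input."""
    clean = {}

    username = str(form.get("username", ""))
    if not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-20 letters, digits or underscores")
    clean["username"] = username

    country = str(form.get("country", ""))
    if country not in ALLOWED_COUNTRIES:
        raise ValidationError("country is not a supported destination")
    clean["country"] = country

    quantity = str(form.get("quantity", ""))
    if not QUANTITY_RE.fullmatch(quantity) or not 1 <= int(quantity) <= 99:
        raise ValidationError("quantity must be a whole number from 1 to 99")
    clean["quantity"] = int(quantity)
    return clean


def handle_submission(form: dict) -> tuple:
    """Simulated request handler returning (status, body). Validation failures get
    a generic 400 with the field message; stack traces and SQL never reach the user."""
    try:
        return 200, validate_order(form)
    except ValidationError as err:
        return 400, {"error": str(err)}
```

The length caps double as a denial-of-service guard (no unbounded strings reach the database or a regex engine), and the fixed error messages are what keeps an invalid request from turning into information disclosure.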

Separate code and content
Addresses: SQL injection, cross-site scripting
- Content is the syntactical language for the exchange, such as HTML, JSON, XML, etc.
- Code is the language of the embedded technology: SQL, Javascript
- Use libraries or frameworks to assemble SQL queries and HTML pages

SSL and secure cookies prevent MITM
Addresses: authentication, information disclosure, man-in-the-middle, session hijacking
- Session information can only be truly protected with SSL
- Use strong encryption (AES 256)
- Enforce redirection from port 80 to SSL
- Use secure cookies to avoid accidental sharing over non-SSL
- Use the HttpOnly flag for cookies to avoid being read by browser scripts
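The session-cookie and redirect advice from this slide and the session-hijacking slide, as an added example (not from the slides or ERM) built on Python's standard secrets and http.cookies modules. The cookie name SESSIONID and the host names are constructed; the audit function is the kind of check a reviewer runs over a server's real Set-Cookie headers to catch a missing flag before it ships.

```python
import secrets
from http.cookies import SimpleCookie


def new_session_id() -> str:
    """Unpredictable session identifier (128 bits from the OS CSPRNG), so it
    cannot be guessed and must be stolen to be misused."""
    return secrets.token_urlsafe(16)


def session_cookie_header(session_id: str) -> str:
    """Build the Set-Cookie value carrying the flags the slide calls for."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["secure"] = True      # browser only sends it over HTTPS
    cookie["SESSIONID"]["httponly"] = True    # not readable via document.cookie
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="").strip()


def audit_set_cookie(header_value: str) -> list:
    """Return the protections missing from a Set-Cookie header value, e.g. one
    captured from a staging server's responses."""
    attrs = {part.strip().split("=")[0].lower() for part in header_value.split(";")[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


def redirect_to_https(scheme: str, host: str, path: str):
    """Port-80 handler: every plain-HTTP request gets a permanent redirect to the
    SSL endpoint; nothing is ever served in the clear. Returns None for HTTPS."""
    if scheme == "http":
        return 301, "https://" + host + path
    return None
```

The Secure flag is what stops the "accidental sharing over non-SSL" case: even if the user types an http:// address once, the browser withholds the cookie, so the port-80 redirect never carries the session ID in plaintext.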

Mitigation through organization
Addresses: cross-site request forgery, information disclosure, unknown bugs
- Use HTTP methods correctly: GET requests should not have side effects; use POST (even in AJAX) for any request with a side effect
- Clean web-accessible directory: maintain library files outside of the web root to avoid disclosure
- Deploy development and staging environments
- Use consistent coding practices

CSRF techniques
- Use HTTP POST for any action with side effects
- Check the Referer HTTP header against a whitelist of allowed clients
- Use nonce tokens to validate each request
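All three CSRF techniques (and the "GET must not have side effects" rule from the previous slide) combined into one request gate, as an added example that is not from the slides or ERM. It uses Python's hmac, secrets and urllib.parse modules; the server secret, the allowed host www.example.com and the in-memory set of spent nonces are constructed assumptions for the demo. The nonce is bound to the session with an HMAC and accepted only once, which is what lets the server tell a form it issued from a request a malicious site forged.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed server-side state (assumptions for this demo, not from the slides).
SERVER_SECRET = secrets.token_bytes(32)      # per-deployment key used to MAC tokens
ALLOWED_HOSTS = {"www.example.com"}          # whitelist of our own client origins
_used_nonces = set()                         # nonces already spent (single-use)


def issue_csrf_token(session_id: str) -> str:
    """Mint a nonce token bound to the caller's session. The server embeds it in
    every form (hidden field) or AJAX POST; the MAC stops anyone forging one."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Accept a token once, and only for the session it was issued to."""
    nonce, sep, mac = token.partition(".")
    if not sep or nonce in _used_nonces:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    _used_nonces.add(nonce)          # spend the nonce only after it verified
    return True


def referer_allowed(referer: str) -> bool:
    """Referer must name one of our own hosts; a missing header is rejected for
    state-changing requests (a cross-site form post carries a foreign Referer)."""
    if not referer:
        return False
    return urlparse(referer).hostname in ALLOWED_HOSTS


def authorize_state_change(method: str, session_id: str, referer: str, token: str) -> tuple:
    """Gate in front of any handler with side effects: returns (allowed, reason)."""
    if method != "POST":
        return False, "side effects require POST"
    if not referer_allowed(referer):
        return False, "referer not whitelisted"
    if not csrf_token_valid(session_id, token):
        return False, "bad CSRF token"
    return True, "ok"
```

The token is the primary control; the Referer check is defense in depth, because some proxies and privacy settings strip the header, so a real deployment has to decide whether a missing Referer is rejected (as here) or only logged.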

Your go-to advisors for all matters in information security.
800 S Douglas Road #940, Coral Gables, FL 33134
Phone: 305-447-6750
Email: info@emrisk.com
www.emrisk.com/videos
www.emrisk.com