Web Application Attacks and Countermeasures: Case Studies from Financial Systems




Web Application Attacks and Countermeasures: Case Studies from Financial Systems
Dr. Michael Liu, CISSP, Senior Application Security Consultant, HSBC Inc

Overview
- Information Security Briefing
- Web Applications in Financial Systems
- User-Oriented Attacks and Countermeasures
- General Advice for Secure Internet Surfing

Information Security Briefing
- Access Control
- Application Security
- Business Continuity and Disaster Recovery Planning
- Cryptography
- Information Security and Risk Management
- Legal, Regulations, Compliance and Investigations
- Operations Security
- Physical (Environmental) Security
- Security Architecture and Design
- Telecommunications and Network Security

Web Applications in Financial Systems: Application Level View of a Financial System
Figure: Customer Browsers -> Front End Web Applications -> Messaging Application -> Back End Business Logic Applications -> Backend Databases.
- Web applications face external attacks directly.
- Web applications understand the most application logic.
- Back end applications rely on front end web applications to implement many security controls.

Web Applications in Financial Systems: The Reality of Web Application Implementation
It is common that a web application is found to have unexpected features during the security testing phase. Some unexpected behaviours have a minor impact on the security posture of the application; others may cause severe damage if exploited.
Figure: Expected Features versus Actual Features, with Functional Testing Focus and Security Testing Focus.

Understanding Web Applications in Financial Systems: The Real World Hack
According to WhiteHat Security Inc.:
- 83% of websites have at least one serious vulnerability.
- 2,500 web servers are successfully hacked each day, and 70% of these attacks exploit application vulnerabilities.
Traditional network-level security solutions (firewalls, network vulnerability scanners) are ineffective in the world of custom web applications.

Understanding Web Applications in Financial Systems: HTTPS = Secure?
www.microsoft.com = www.mícrosoft.com?
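The slide's point is that a valid HTTPS certificate says nothing about whether the host is the one the user thinks it is. As an added example that is not part of the original presentation, the check below shows what a browser actually resolves for such a name and flags hostnames that collapse onto a trusted brand once diacritics are stripped, or that mix scripts within one label. The TRUSTED_HOSTS allow-list and the sample hostnames are constructed for the demo.

```python
# Added example (not from the original slides): flag look-alike hostnames
# such as www.mícrosoft.com before a user, proxy or mail gateway trusts them.
import unicodedata

TRUSTED_HOSTS = {"www.microsoft.com", "www.hsbc.com"}  # constructed allow-list


def to_ascii_form(hostname: str) -> str:
    """Return the IDNA (punycode) form a browser would actually resolve."""
    return hostname.encode("idna").decode("ascii")


def skeleton(hostname: str) -> str:
    """Fold case and strip diacritics so 'mícrosoft' collapses to 'microsoft'.

    Deliberately simple confusable skeleton: NFKD decomposition followed by
    removal of combining marks. Cross-script look-alikes (Cyrillic 'а' for
    Latin 'a') do not collapse here; check_host catches them as mixed-script.
    """
    decomposed = unicodedata.normalize("NFKD", hostname.lower())
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def scripts_used(label: str) -> set:
    """Script prefixes (LATIN, CYRILLIC, ...) of the letters in one DNS label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def check_host(hostname: str) -> dict:
    """Classify a hostname as trusted, lookalike, mixed-script or ok."""
    hostname = hostname.lower()
    ascii_form = to_ascii_form(hostname)
    folded = skeleton(hostname)
    if hostname in TRUSTED_HOSTS:
        verdict = "trusted"
    elif folded in TRUSTED_HOSTS and ascii_form != folded:
        # Looks like a trusted name to a human, resolves to something else.
        verdict = "lookalike"
    elif any(len(scripts_used(lbl)) > 1 for lbl in hostname.split(".")):
        verdict = "mixed-script"
    else:
        verdict = "ok"
    return {"input": hostname, "resolves_as": ascii_form, "verdict": verdict}
```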

Understanding Web Applications in Financial Systems: Web Application Attack Types (from OWASP)
- CSRF
- Cache Poisoning
- Code Injection
- Command Injection
- Comment Injection Attack
- Cross Site Tracing
- Cross-Site Request Forgery (CSRF)
- Cross-User Defacement
- Cross-site Scripting (XSS)
- Cryptanalysis
- Custom Special Character Injection
- Direct Dynamic Code Evaluation
- Direct Static Code Injection
- Double Encoding
- SQL Injection
- Server-Side Includes (SSI) Injection
- Session Prediction
- Session fixation
- Session hijacking attack
- Setting Manipulation
- Special Element Injection
- Man-in-the-browser attack
- Man-in-the-middle attack
- Mobile code: invoking untrusted mobile code
- Mobile code: non-final public field
- Mobile code: object hijack

User-Oriented Attacks and Countermeasures: Attack Methods to Compromise User Authentication
Figure: the legitimate user provides credentials to the front-end web server; the attacker obtains or bypasses them through four paths:
- Eavesdropping: 1.1 eavesdrop on the network traffic; 1.2 eavesdrop on the computer
- Man-in-the-Middle attack
- Phishing: 1. send a scam email
- Online guessing: 1. dictionary
- Attacker step 2 (common to the paths above): input the credential directly / replay the captured data

User-Oriented Attacks and Countermeasures: Some Controls to Protect User Authentication
- Secure Sockets Layer (SSL)
- Random Password Character Challenge
- Smart Card
- One Time Password

- Digital Stamp for anti-phishing
- Short Message Service Challenge for anti-impersonation
- Digital Fingerprinting for anti-impersonation
- Randomized Virtual Keyboard to counter keyloggers

User-Oriented Attacks and Countermeasures: Attack Methods to Compromise User Internet Sessions
Figure (the cross-site request forgery pattern), steps in order:
1. The legitimate user logs on to the web application on the legitimate web server.
2. The attacker crafts a URL that causes an action in the legitimate application.
3. The attacker constructs a web page that triggers the crafted URL when visited.
4. The attacker lures the user to visit the malicious page.
5. The malicious action is executed silently.
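As an added example that is not part of the original presentation, the server-side check below is what stops step 5 of the flow above: a state-changing action must be a POST carrying a token bound to the user's session, and a cross-site Origin is rejected, so the crafted URL fires but the action is refused. The Request class, the in-memory session store and the origin https://bank.example are constructed stand-ins for a real web framework.

```python
# Added example (not from the original slides): CSRF defence for a transfer
# endpoint. Request, SESSIONS and TRUSTED_ORIGIN are constructed stand-ins.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SERVER_KEY = secrets.token_bytes(32)      # per-deployment secret (constructed)
TRUSTED_ORIGIN = "https://bank.example"   # assumed origin of the legitimate app
SESSIONS = {}                             # session id -> user (constructed store)


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Step 1: the user logs on and receives a session cookie value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def csrf_token(sid: str) -> str:
    """Token bound to the session: HMAC(server key, session id), embedded in forms."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_transfer(req: Request) -> tuple:
    """Return (status, message); a forged request must end with 403/405 here."""
    user = SESSIONS.get(req.cookies.get("sid", ""))
    if user is None:
        return 401, "not logged in"
    # The crafted URL of step 2 is a GET: never let a GET change state.
    if req.method != "POST":
        return 405, "state-changing action requires POST"
    # Browsers set Origin on cross-site POSTs and the attacker page cannot forge it;
    # if absent (older browsers) we still rely on the token check below.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-site origin"
    # Only a page served by the bank itself could have read this token into its form.
    expected = csrf_token(req.cookies["sid"])
    if not hmac.compare_digest(req.form.get("csrf", ""), expected):
        return 403, "missing or invalid csrf token"
    return 200, f"{user} transferred {req.form.get('amount')} to {req.form.get('to')}"
```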

Session Attacks: To Prevent Session Hijacking, the user's best practices are:
- Log off immediately after using a web application.
- Do not allow your browser to save usernames/passwords, and do not allow sites to remember your login.
- Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both on the same machine, do them in separate browsers.

General Advice for Secure Internet Surfing
- Deploy a personal firewall and antivirus/antimalware applications.
- Keep up with software security patches.
- Use a non-admin account for Internet surfing.
- Try to read email in plaintext mode.
- Restrict scripting code and any form of mobile code from the Internet.
- Always log off explicitly from sensitive applications.
- Don't access sensitive applications while surfing the Internet in the same browser window.
- Try not to use mobile banking applications (they are far less secure than you think at this stage!).