Web Application Security

Similar documents
AppSec USA 2014 Denver, Colorado Security Header Injection Module (SHIM)

Security starts in the head(er)

Recent Advances in Web Application Security

Protecting Web Applications and Users

Secure development and the SDLC. Presented By Jerry

Introduction to Computer Security

APPLICATION SECURITY AND ITS IMPORTANCE

Real World Java Web Security

TYPO3 Security. Jochen Weiland CertiFUNcation 2016

Computer Networks. Lecture 7: Application layer: FTP and HTTP. Marcin Bieńkowski. Institute of Computer Science University of Wrocław

Sichere Webanwendungen mit Java

The Hyper-Text Transfer Protocol (HTTP)

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

(WAPT) Web Application Penetration Testing

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

Relax Everybody: HTML5 Is Securer Than You Think

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar DKK. Læs mere og tilmeld dig på

CGI Programming. Examples

sessionx Desarrollo de Aplicaciones en Red Web Applications History (1) Content History (2) History (3)

Table of Contents. Open-Xchange Authentication & Session Handling. 1.Introduction...3

A Study of What Really Breaks SSL HITB Amsterdam 2011

Department of Computing Imperial College London. BrowserAudit. A web application that tests the security of browser implementations

HTTP Response Splitting

Hypertext for Hyper Techs

What is Web Security? Motivation

ASV Scan Report Vulnerability Details. UserVoice Inc.

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Check list for web developers

Cyber Security Workshop Ethical Web Hacking

Lecture 8a: WWW Proxy Servers and Cookies

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Simon Fraser University. Web Security. Dr. Abhijit Sen CMPT 470

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Criteria for web application security check. Version

Zeitgemäße Webserver-Konfiguration. Ein Serviervorschlag

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Secure Coding in Node.js

Experian Secure Transport Service

CONTENT of this CHAPTER

HTTP Protocol. Bartosz Walter

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

of HTTP Headers Dirk Licence:

Chapter 1 Web Application (In)security 1

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Playing with Web Application Firewalls


Next Generation Clickjacking

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Application Security Best Practices. Wally LEE Principal Consultant

Lecture 8a: WWW Proxy Servers and Cookies

v7.7.3 Release Notes for Websense Content Gateway

Chapter 5 Configuring the Remote Access Web Portal

Demystifying cache. Kristian Lyngstøl Product Specialist Varnish Software AS

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

Web Application and API Security The Latest Trends and Threats. 03/19/15 Sean Leach

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

The Web History (I) The Web History (II)

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

Securing the SSL/TLS channel against man-in-the-middle attacks: Future technologies - HTTP Strict Transport Security and Pinning of Certs

Chapter 6 Virtual Private Networking Using SSL Connections

PROTECTING DATA IN TRANSIT WITH ENCRYPTION IN M-FILES

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Hacking cookies in modern web applications and browsers

PHP code audits. OSCON 2009 San José, CA, USA July 21th 2009

Internet Technologies Internet Protocols and Services

Enterprise Application Security Workshop Series

Preparing for the Cross Site Request Forgery Defense

Java Web Application Security

API documentation - 1 -

Web Security: SSL/TLS

Web Security Testing Cookbook*

IJMIE Volume 2, Issue 9 ISSN:

Form Processing and Workflows

Web-Application Security

WWW. World Wide Web Aka The Internet. dr. C. P. J. Koymans. Informatics Institute Universiteit van Amsterdam. November 30, 2007

Lecture 11 Web Application Security (part 1)

Web application security

ICAWEB502A Create dynamic web pages

Security Testing For RESTful Applications

DEERFIELD.COM. DNS2Go Update API. DNS2Go Update API

Evolution of the WWW. Communication in the WWW. WWW, HTML, URL and HTTP. HTTP Abstract Message Format. The Client/Server model is used:

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

By Bardia, Patit, and Rozheh

An Insight into Cookie Security

Cache Configuration Reference

A Tale of the Weaknesses of Current Client-Side XSS Filtering

A Tale of the Weaknesses of Current Client-side XSS Filtering

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Advanced XSS. Nicolas Golubovic

Network: several computers who can communicate. bus. Main example: Ethernet (1980 today: coaxial cable, twisted pair, 10Mb 1000Gb).

Dissecting CSRF Attacks & Defenses. Mike Shema October 16, 2013

Last update: February 23, 2004

Online Data Services. Security Guidelines. Online Data Services by Esri UK. Security Best Practice

Web Service Reference

<Insert Picture Here> Oracle Web Cache 11g Overview

HTML5. Eoin Keary CTO BCC Risk Advisory.

Web. Services. Web Technologies. Today. Web. Technologies. Internet WWW. Protocols TCP/IP HTTP. Apache. Next Time. Lecture # Apache.

A Standard Modest WebSite

Transcription:

Web Application Security The OWASP Foundation Securing the application Input validation Authorization Session mgmt Config mgmt Authenticatio n Error handling Web server App server DB server Secure storage Auditing/loggin g Firewall Apps Host Firewall Apps Host Database Host Securing the network Router Firewall Switch Securing the host Patches/update s Accounts Ports Services Files/directories Registry Protocols Shares Auditing/loggin g

Web Application Behaviour The OWASP Foundation HTTP is stateless and hence requests and responses to communicate between browser and server have no memory. Most typical HTTP requests utilise either GET or POST methods Scripting can occur on: Server-Side (e.g. perl, asp, jsp) Client-Side (javascript, flash, applets) Web server file mappings allow the web server to handle certain file types using specific handlers (ASP, ASP.NET, Java, JSP,CFM etc) Data is posted to the application through HTTP methods, this data is processed by the relevant script and result returned to the user s browser 2

HTTP POST HTTP GET The OWASP Foundation GET exposes sensitive authentication information in the URL In Web Server and Proxy Server logs In the http referer header In Bookmarks/Favorites often emailed to others POST places information in the body of the request and not the URL Enforce HTTPS POST For Sensitive Data Transport 3

GET vs POST HTTP Request GET request GET /search.jsp? name=blah&type=1 HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Cookie: SESSIONID=2KDSU72H9GSA 289 <CRLF> POST request POST /search.jsp HTTP/1.0 User-Agent: Mozilla/4.0 Host: www.mywebsite.com Content-Length: 16 Cookie: SESSIONID=2KDSU72H9GSA 289 <CRLF> name=blah&type=1 <CRLF>

What are HTTP Headers? HTTP headers are components of the message header of HTTP Requests and Responses HTTP headers define different aspects of an HTTP transaction HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence. http://en.wikipedia.org/wiki/ List_of_HTTP_header_fields

Security HTTP Response Headers X-Frame-Options X-Xss-Protection X-Content-Type-Options Content Security Policy Access-Control-Allow-Origin HTTPS Strict Transport Security Cache-Control / Pragma

Security HTTP Response headers X-Frame-Options 'SAMEORIGIN' - allow framing on same domain. Set it to 'DENY' to deny framing at all or 'ALLOWALL' if you want to allow framing for all website. X-XSS-Protection '1; mode=block' - use XSS Auditor and block page if XSS attack is detected. Set it to '0;' if you want to switch XSS Auditor off(useful if response contents scripts from request parameters) X-Content-Type-Options 'nosniff - stops the browser from guessing the MIME type of a file. X-Content-Security-Policy - A powerful mechanism for controlling which sites certain content types can be loaded from Access-Control-Allow-Origin - used to control which sites are allowed to bypass same origin policies and send cross-origin requests. Strict-Transport-Security - used to control if the browser is allowed to only access a site over a secure connection Cache-Control - used to control mandatory content caching rules

X-Frame-Options Protects you from most classes of Clickjacking X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN X-Frame-Options: ALLOW FROM

X-XSS-Protection Use the browser s built in XSS Auditor X-XSS-Protection: [0-1](; mode=block)? X-XSS-Protection: 1; mode=block

X-ContentType- Options The OWASP Foundation Fixes mime sniffing attacks Only applies to IE, because only IE would do something like this X-Content-Type-Options = nosniff

Content Security Policy Anti-XSS W3C standard http://www.w3.org/tr/csp/ Move all inline script and style into external files Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use Define a policy for the site regarding loading of content Chrome version 25 and later (50%) Firefox version 23 and later (30%) Internet Explorer version 10 and later (10%)

Strict Transport Security Strict-transport-security: max-age=10000000 Do all of your subdomains support SSL? Strict-transport-security: max-age=10000000; includesubdomains

Disabling the Browser Cache Add the following as part of your HTTP Response Cache-Control: no-store, no-cache, must-revalidate Expires: -1

HTTP Security Headers Tool Secure headers! Open source https://github.com/twitter/secureheaders

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information