Embed Size (px)
Citation preview
1
ECE 4112 Internetwork Security: Web Application Security
28 April 2005
John Owens
Shantan Pesaru
2
Overview
Define Web Applications Importance of Web Application Security Framework for secure Web Applications Attacks and vulnerabilities on Web
Applications Client/server verification (pros/cons) Secure Programming Tools (SPI Dynamics’ WebInspect, ISS)
3
Web Applications: What are they? An application generally comprised of a
collection of scripts that reside on a web server.
Interact with databases or other sources of dynamic content
Examples include: webmail, online banking, portal systems, etc.
4
Good Programming=Good Security
5
Importance of Web Application Security Web Apps are becoming more prevalent and
more sophisticated Critical to online transactions and information
processing Protecting privacy and following regulation
such as HIPAA and Sarbanes-Oxley
6
Framework for Web Application Security Framework for web developers to develop
secure code Involves identifying and implementing
responses to existent security issues S.W.A.T. (Secure Web Applications through
Testing)
7
Web Application Pitfalls
8
Types of Attacks and Vulnerabilities SQL Injection Attacks Improper input verification Default methods Form processing methods GET & POST / Querystring information “ELSE” programming Educated Guessing
9
Mechanisms of Vulnerability Discovery Server fingerprinting
Determine capabilities Determine technology
Using Error Messages IE – disable friendly error messages Deliberate access of wrong pages
Observing behavior in the presence of unexpected variables
10
Mechanisms of Vulnerability Protection Brute force lockouts Re-authenticate when necessary Encrypt databases (prevent download) Strong file/directory naming convention Session-based authentication and access Validate all input no matter how trivial TEST, TEST, TEST Don’t rely solely on the client Never pass in headers/auto-fill critical info
11
Client/Server Side Validation Scripts Pros
Immediate response Give server a break High user interaction
Cons Easily bypassed Puts security in user’s hands No database connectivity to verify authentication
data SOLUTION = Client + Server Redundancy
12
What you will do in the lab
Exploit vulnerabilities in a realistic web application to: Get accepted to Georgia Tech Register for classes before timeticket Get tuition paid for free and a check back Change your grades to something “more
appealing”
13
What you will do in the lab
14
What you will do in the lab
15
What you will do in the lab
16
What you will do in the lab
17
What you will do in the lab
18
What you will do in the lab
19
What you will do in the lab
20
QUESTIONS?
