Intro to Web Application Security. iHostCodex Web Services - CEO Project-AG – CoFounder OWASP Panay -Chapter Leader -Web Application Pentester -Ethical.


1 Intro to Web Application Security

2 Francis Al Victoriano: iHostCodex Web Services - CEO; Project-AG - Co-Founder; OWASP Panay - Chapter Leader; Web Application Pentester; Ethical Hacker; Web Developer

3 The Web Apps: Email System, Search Engine, Social Network, Multimedia, Online Banking, Online Shopping

4 Typical Web Setup (diagram): Client <-- HTTP (cleartext) or HTTPS --> OS/Web Server (Apache, IIS, Nginx, running custom code in PHP, Perl or Python) <-- HTTP (cleartext) or HTTPS --> Database Server (MariaDB, PostgreSQL, plus custom code)

5 What is WebAppSec? Simply, Web Application Security is... “The securing of web applications”

6 Why do we need Security?

7 Essential Terminology
Threat: an action or event that has the potential to compromise and/or violate security.
Vulnerability: the existence of a weakness, design flaw, or implementation error that can lead to an unexpected, undesirable event compromising the security of the system.
Exploit: a defined way to breach the security of an IT system through a vulnerability.

8 Technical/Business Impact: Compromised Information (Leakage or Loss), Reputational Damage, Money Lost

9 Common Web Vulnerabilities: 1. Injection, 2. XSS (Cross Site Scripting), 3. Cross Site Request Forgery

10 Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
Threat: consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.

11 SQL Injection Example

Vulnerable query construction (the request parameters are concatenated straight into the SQL text):

    // …
    String query = "SELECT user_id FROM user_data WHERE user_name = '"
        + req.getParameter("user") + "' AND user_password = '"
        + req.getParameter("password") + "'";
    // …

With user set to ' or 1=1 -- and password set to 1234, the query that reaches the database is:

    SELECT user_id FROM user_data WHERE user_name = '' or 1=1 --' AND user_password = '1234';

The -- turns the rest of the line (the password check) into a comment, and or 1=1 makes the WHERE clause true for every row.

12 Prevent Injection
Encode all user input before passing it to the interpreter (White List Validation).
Use an interface that supports bind variables.
Always minimize database privileges to reduce the impact of a flaw.
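The following Python example is added here to show the two login queries side by side; it is not code from the presentation. It uses an in-memory SQLite table with constructed sample rows standing in for the slide's user_data table, runs the slide's ' or 1=1 -- input through a concatenated query and through a query with bind variables, and shows that only the concatenated version returns every user.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory stand-in for the slide's user_data table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)"
    )
    conn.execute("INSERT INTO user_data VALUES (1, 'alice', 'correct-horse')")
    conn.execute("INSERT INTO user_data VALUES (2, 'bob', 'battery-staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    # Mirrors the slide's Java snippet: the untrusted values become part of the SQL text,
    # so quote characters and comment markers in them change the query's structure.
    query = (
        "SELECT user_id FROM user_data WHERE user_name = '" + user
        + "' AND user_password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, user, password):
    # Bind variables: the SQL text is fixed and the values travel separately,
    # so the database never parses them as SQL.
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    return [row[0] for row in conn.execute(query, (user, password))]


if __name__ == "__main__":
    db = make_db()
    payload_user, payload_password = "' or 1=1 --", "1234"
    print("concatenated query returns:", login_vulnerable(db, payload_user, payload_password))
    print("bind variables return:    ", login_parameterized(db, payload_user, payload_password))
    print("real credentials return:  ", login_parameterized(db, "alice", "correct-horse"))
```

The concatenated version returns both user ids because the comment marker discards the password check; the parameterized version returns nothing, since it looks for a user literally named ' or 1=1 --. The third point on the slide, least database privilege, is independent of the query style: the account used here should only be able to read user_data, so that even a successful injection cannot reach other tables.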

13 XSS (Cross Site Scripting)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Threat: consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: attackers can execute scripts in a victim's browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user's browser using malware, etc.

14 Reflected XSS (diagram): Victim Request (URL) -> Website / Web Application (Bug!) -> Server Response (HTML) -> Browser. The database is not involved; the payload carried in the request URL is copied into the HTML of the same response.

15 Persistent XSS (diagram): Initial Request (URL) -> Web Application (Bug!) -> Database; later, Subsequent Victim Request (URL) -> Web Application -> Server Response (HTML) -> Browser. The payload is stored by the first request and served to every victim afterwards.

16 XSS Pattern - Simple Patterns: javascript:alert('XSS');

17 Prevent XSS
Don't include user supplied input in your output!
Output Encode all user supplied input.
Perform White List Input Validation on user input.
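The following Python example is added to illustrate the last two points (output encoding and white list validation); it is not code from the presentation. The display-name rule, the hypothetical profile-link function and the sample inputs are constructed for the example. It also shows why an href needs a scheme white list on top of encoding: the slide's javascript:alert('XSS'); pattern contains no characters that HTML encoding changes.

```python
import html
import re

# White list: a display name may only contain letters, digits, spaces, dots and hyphens
# (constructed rule for this example).
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 .\-]{1,40}")
SAFE_URL_SCHEMES = ("http://", "https://")


def validate_display_name(name):
    # White list input validation: accept only what the rule explicitly allows.
    return DISPLAY_NAME_RE.fullmatch(name) is not None


def render_greeting(name):
    # Output encoding for an HTML text context: <, >, &, " and ' are turned into entities,
    # so the browser shows the characters instead of interpreting them as markup.
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def render_profile_link(url, label):
    # Encoding alone does not protect an href: a javascript: URL survives html.escape
    # unchanged. The scheme is therefore white-listed and anything else is replaced.
    url = url.strip()
    if not url.lower().startswith(SAFE_URL_SCHEMES):
        url = "#"
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(label, quote=True))


if __name__ == "__main__":
    print(validate_display_name("Francis Al"))          # True
    print(validate_display_name("<img src=x>"))         # False
    print(render_greeting("<script>alert('XSS')</script>"))
    print(render_profile_link("javascript:alert('XSS');", "my site"))
    print(render_profile_link("https://example.com/?a=1&b=2", "my site"))
```

The greeting renders the script tag as visible text, and the javascript: link is neutralised to "#", while an ordinary https: link is kept with its & encoded as &amp; so the attribute stays well-formed.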

18 Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application.
Threat: consider anyone who can load content into your users' browsers, and thus force them to submit a request to your website.
Impact: attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, logout and even login.

19 Cross Site Request Forgery Explained (diagram: the Browser is logged in to the bank.com Web App; the Bug! is in bank.com; evil.org is the attacker's Web App)

Request (browser to evil.org):
    GET / HTTP/1.1
    Host: www.evil.org

Response (from evil.org):
    HTTP/1.1 200 OK
    ...
    <img src="http://bank.com/transfer?to=hacker&amount=1000$"/>
    ...

CSRF-Attack (the browser loads the image and attaches its bank.com session automatically):
    GET /transfer?to=hacker&amount=1000$ HTTP/1.1
    Host: bank.com

20 Prevent Cross Site Request Forgery
Add a secret, not automatically submitted, token to all sensitive requests.
Make sure your application has no XSS holes.
Require the user to re-authenticate, or prove they are a user (e.g., via a CAPTCHA).
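The following Python example is added to show the first point, a secret token that the browser does not send on its own; it is not code from the presentation. The request representation (a dict with method, cookies and form fields), the session ids and the server secret are constructed for the example; a real application would load the secret from configuration and keep the session store elsewhere.

```python
import hashlib
import hmac
import secrets

# Constructed server secret for the example; in production this comes from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    # Token bound to the session: HMAC(secret, session_id). It is placed in a hidden form
    # field of the bank's own pages, never in a cookie, so a browser loading evil.org
    # has no way to attach it.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id, submitted_token):
    expected = issue_csrf_token(session_id)
    # Constant-time comparison; a missing token compares against the empty string.
    return hmac.compare_digest(expected, submitted_token or "")


def handle_transfer(request):
    """Hypothetical /transfer handler. request = {"method", "cookies", "form"}."""
    session_id = request["cookies"].get("session")
    if session_id is None:
        return 401, "not logged in"
    # State changes only via POST: the <img> trick from the slide can only produce a GET.
    if request["method"] != "POST":
        return 405, "state-changing request must be POST"
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (request["form"]["amount"], request["form"]["to"])


if __name__ == "__main__":
    session = "sess-123"
    # Legitimate submission from the bank's own form, token included.
    legit = {"method": "POST", "cookies": {"session": session},
             "form": {"csrf_token": issue_csrf_token(session), "to": "bob", "amount": "10"}}
    # Forged request caused by the slide's <img> tag: cookie is attached, no token, GET.
    forged = {"method": "GET", "cookies": {"session": session},
              "form": {"to": "hacker", "amount": "1000"}}
    print(handle_transfer(legit))
    print(handle_transfer(forged))
```

The forged request fails on the method check, and a forged POST (for instance from a hidden form on evil.org) would still fail on the token check, because the token was never delivered to the attacker's page.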

21 TIPS ON SECURING WEB APPLICATIONS

22 Define Secure Coding Standards
Validate all input parameters to prevent attacks.
Sanitize application responses.
Address HTTP trust issues.
Keep sensitive session values on the server to prevent client-side modification.
Use encryption.
Session management.
Access restriction.
Build a centralised module for application auditing and reporting.

23 Perform Threat Modeling
Identify the key security objectives.
Create an overview of the application by itemising its important characteristics.
Deconstruct the application to identify the features and modules that have a security impact and need to be evaluated.
Identify all threats.
Identify all vulnerabilities.

24 Testing and Quality Assurance Web Application Penetration Testing Code Review

25 Design Web Application Security Architecture Secured Web Server Secured Application Server Secured Database Server

26 The Maintenance & Support Application Log Review Version Control and a Separate Environment for Development

27 Server Network Security (diagram): Firewall -> IDS/IPS -> Web Application Firewall (WAF) -> Web App
WAF Guidelines: the Ruleset (Whitelist, Blacklist, Heuristics) defines legal/illegal requests and rejects illegal requests. It sometimes rejects legitimate requests ("False Positives") or fails to recognize illegal requests ("False Negatives").
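The following Python example is added to show a ruleset of the kind the slide describes, with a whitelist of endpoints and parameters and a blacklist of signature patterns, and to demonstrate both failure modes named on the slide; it is not code from the presentation or any real WAF product. The endpoints, parameters, rules and sample requests are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Whitelist: known endpoints and the parameters each may carry (constructed).
WHITELIST = {
    "/search": {"q"},
    "/transfer": {"to", "amount"},
}

# Blacklist: signature patterns for the examples used earlier in the talk (constructed).
# Note how broad they are; that breadth is the source of false positives.
BLACKLIST = [
    re.compile(r"(?i)\bor\b\s+1\s*=\s*1"),
    re.compile(r"(?i)<script"),
    re.compile(r"(?i)\bunion\b.*\bselect\b"),
]


def inspect_request(target):
    """Return ("allow", "") or ("reject", reason) for a request target such as /search?q=..."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)

    # Whitelist checks first: unknown path or unexpected parameter -> reject.
    allowed = WHITELIST.get(parts.path)
    if allowed is None:
        return ("reject", "unknown path %s" % parts.path)
    extra = set(params) - allowed
    if extra:
        return ("reject", "unexpected parameter(s): " + ", ".join(sorted(extra)))

    # Blacklist checks on every parameter value.
    for name, values in params.items():
        for value in values:
            for rule in BLACKLIST:
                if rule.search(value):
                    return ("reject", "blacklist rule %r hit in parameter %s" % (rule.pattern, name))
    return ("allow", "")


if __name__ == "__main__":
    samples = [
        "/search?q=web+security",                       # legitimate -> allow
        "/search?q=%27+or+1%3D1+--",                    # slide 11 payload -> reject
        "/transfer?to=bob&amount=10&debug=1",           # unexpected parameter -> reject
        "/admin?x=1",                                   # unknown path -> reject
        "/search?q=union+of+students+select+committee", # false positive: harmless text
        "/search?q=javascript:alert('XSS')",            # false negative: slide 16 pattern
    ]
    for target in samples:
        print(target, "->", inspect_request(target))
```

The last two samples are the point of the slide: a harmless search containing the words "union" and "select" is rejected (a false positive), while the javascript: pattern from slide 16 matches no rule and is allowed through (a false negative). A WAF is a layer in front of the application, not a replacement for the output encoding and validation in the application itself.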

28 Reminders!
1. Client Side Protection: don't trust the client's input (validate all inputs); encode all user supplied input.
2. Server Side Protection: White List Validation (server side code); use a Web Application Firewall.
3. User: follow all the security hardening guides; test your system.

29 What next for Developers?
Application Security Requirements: OWASP ASVS
Application Security Architecture: OWASP Developer's Guide, Prevention Cheat Sheets
Standard Security Controls: OWASP Enterprise Security API (ESAPI) project
Secure Development Lifecycle: OWASP Software Assurance Maturity Model (SAMM)
Application Security Education: OWASP Education Project

30 Thank You
