
1 FORESEC Academy Security Essentials (II)

2 Agenda
• Web communication
• Web security protocols
• Active content
• Cracking web applications
• Web application defenses

3 Everything You Always Wanted to Know About Web Communications...
• Servers and Clients
• HTTP and HTML

4 Everything You Always Wanted to Know About Web Communications (2)
• Stateless Communications: each request is handled on its own; the server keeps no memory of earlier requests from the same client
• Retrieving Information: GET, HEAD
• Sending Information: POST, PUT

5 HTML Security
• Reading HTML Source: everything the server sends to the browser, including comments, hidden fields and embedded script, is visible to the user ("view source")

6 HTML Security (2)
• Hidden Fields: form values the page carries but does not display; the client can still read them and change them before submitting
• Server Side Includes: directives (e.g., exec) the server expands before sending the page; dangerous when user-supplied data reaches them
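The hidden-field problem above, as an added example that is not part of the original slides: a checkout handler that trusts a hidden price field, next to one that treats the field as untrusted input and takes the price from server-side state. The catalog, request bodies and function names are constructed for the demonstration.

```python
# Added example: hidden form fields are client-controlled input.
# CATALOG, the request bodies and the function names are constructed for
# this demo and are not part of the original slides.
from urllib.parse import parse_qs

CATALOG = {"sku-100": 4999, "sku-200": 12900}   # prices in cents, constructed


def parse_form(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_trusting(body: str) -> int:
    """Vulnerable: charges whatever the hidden 'price' field says.
    The page emitted the field, but the user can read it in the HTML source
    and change it in a saved copy of the page or in the request itself."""
    form = parse_form(body)
    return int(form["price"]) * int(form["qty"])


def checkout_server_priced(body: str) -> int:
    """Hardened: the hidden price is ignored; only the SKU and quantity are
    read, both are validated, and the price comes from server-side state."""
    form = parse_form(body)
    sku = form.get("sku", "")
    if sku not in CATALOG:
        raise ValueError("unknown sku: %r" % sku)
    qty = int(form.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("bad quantity: %d" % qty)
    return CATALOG[sku] * qty


# What the HTML form emitted (the hidden price field is visible in "view source"):
ORIGINAL = "sku=sku-100&price=4999&qty=1"
# What an attacker submits after editing the saved page or the request:
TAMPERED = "sku=sku-100&price=1&qty=1"

if __name__ == "__main__":
    print(checkout_trusting(TAMPERED))        # 1     -> item sold for one cent
    print(checkout_server_priced(TAMPERED))   # 4999  -> hidden field ignored
```

The same rule applies to every hidden field, not just prices: anything that must not change between rendering and submission has to be recomputed or looked up on the server, or at least bound to the session so a changed value is rejected.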

7 Common Gateway Interface (CGI)
• Lets the web server run a program for a request and return its output, instead of only serving static pages
• Extends the capabilities of a web server
• Creates many exposures on the server
- Leaking information
- Performing unauthorized transactions
- Executing unintended programs

8 Common Gateway Interface (CGI) (2)
• Common Mistakes
- Misuse of command interpreters (user input containing shell metacharacters reaches a shell)
- Bad memory management (buffer overflows in CGI programs written in C)
- Passing unchecked parameters to system() or similar calls
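The third mistake on this slide, as an added example that is not part of the original slides: a CGI-style gateway that splices a query-string parameter into a command line handed to the shell, beside a hardened version that allow-lists the value and never involves a shell. `echo` stands in for the real command (finger, ping, ...) so the code runs anywhere; the query strings and function names are constructed.

```python
# Added example (not from the slides): a CGI-style gateway that passes a
# query-string parameter to the shell, and the hardened equivalent.
# "echo" stands in for the real command so this runs anywhere; the query
# strings and function names below are constructed for the demo.
import re
import subprocess
from urllib.parse import unquote_plus


def form_value(query_string: str, name: str) -> str:
    """Minimal query-string parser: splits on '&' only and URL-decodes."""
    for pair in query_string.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            return unquote_plus(value)
    return ""


def run_vulnerable(query_string: str) -> str:
    """The slide's mistake: user data is spliced into a command line that a
    shell parses (Perl system("echo $user"), C system()). Metacharacters
    such as ';', '|', '`' and '$(...)' in the parameter become shell syntax."""
    user = form_value(query_string, "user")
    proc = subprocess.run("echo " + user, shell=True,
                          stdout=subprocess.PIPE, text=True)
    return proc.stdout


# Allow-list: a plain Unix-style username, nothing else.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def run_hardened(query_string: str) -> str:
    """Validate against the allow-list, then pass the value as one argv
    element with no shell involved, so its bytes are data, never syntax."""
    user = form_value(query_string, "user")
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("rejected username: %r" % user)
    proc = subprocess.run(["echo", user], stdout=subprocess.PIPE, text=True)
    return proc.stdout


def rejects(query_string: str) -> bool:
    """True if the hardened gateway refuses the request."""
    try:
        run_hardened(query_string)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attack = "user=alice;echo%20INJECTED"
    print(run_vulnerable(attack), end="")   # alice / INJECTED: two commands ran
    print(rejects(attack))                  # True
```

The order matters: validate first, then call without a shell. Escaping alone is fragile because every interpreter has its own metacharacters, while an argv list plus an allow-list removes the interpreter from the path entirely.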

9 Cookies
• HTTP is "stateless": no context information carries over between requests
• Cookies provide "state" and context
• Hold information the server handed to the browser (Set-Cookie); the browser sends it back on later requests, but the client can inspect and change it
• Sent back only to the domain (and path) the cookie was scoped to
• Beware of cross-site tracking: third-party content embedded in many sites (e.g., DoubleClick ads) sets and reads its own cookies across all of them
• Users can block cookies if desired

10 What About Non-Persistent Cookies?
• Non-persistent cookies = per-session cookies
• Non-persistent cookies are not written to the browser's file system
- So they can't be edited and are therefore safe from session ID attacks. Right?
- Wrong!
• Several possible methods
- 1) Raw read/write from/to the client-side browser memory
- 2) Adapt the Mozilla browser source to edit cookies
- 3) Write a JavaScript application that lets you view the page and edit its cookies
- 4) Write a proxy that allows editing of the entire session passed back and forth from the browser (e.g., Achilles)
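The lesson of this slide is that where the browser stores a cookie is irrelevant: the client owns it, so the server must be able to tell an edited cookie from a genuine one. As an added example that is not part of the original slides, the block below shows an unsigned session cookie being edited the way an intercepting proxy lets an attacker do it, and an HMAC-signed cookie that the server rejects after the same edit. The key, session contents and function names are constructed for the demonstration.

```python
# Added example (not from the slides): why "the cookie never touched disk"
# is not a defence, and how a server detects an edited session cookie.
# SERVER_KEY, the session contents and the function names are constructed.
import base64
import binascii
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key; load from secret storage in practice"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode(session: dict) -> bytes:
    return json.dumps(session, separators=(",", ":"), sort_keys=True).encode()


# --- Weak design: session attributes stored in the cookie, unsigned ---------
def issue_unsigned_cookie(uid: str, role: str) -> str:
    return _b64(_encode({"uid": uid, "role": role}))


def read_unsigned_cookie(cookie: str) -> dict:
    return json.loads(_unb64(cookie))   # trusts whatever the client sends


# --- What an intercepting proxy (method 4 on the slide) lets the attacker do
def tamper_unsigned(cookie: str, new_role: str) -> str:
    session = json.loads(_unb64(cookie))
    session["role"] = new_role
    return _b64(_encode(session))


def tamper_signed(cookie: str, new_role: str) -> str:
    payload_b64, tag_b64 = cookie.split(".", 1)
    session = json.loads(_unb64(payload_b64))
    session["role"] = new_role
    return _b64(_encode(session)) + "." + tag_b64   # tag no longer matches


# --- Hardened design: HMAC over the payload, verified before any use ---------
def issue_signed_cookie(uid: str, role: str, key: bytes = SERVER_KEY) -> str:
    payload = _encode({"uid": uid, "role": role})
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_signed_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the session dict, or None if the cookie is malformed or edited."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(payload)


if __name__ == "__main__":
    weak = issue_unsigned_cookie("42", "user")
    print(read_unsigned_cookie(tamper_unsigned(weak, "admin"))["role"])  # admin
    strong = issue_signed_cookie("42", "user")
    print(verify_signed_cookie(tamper_signed(strong, "admin")))          # None
```

Signing stops the client from forging attribute values, but not from replaying or stealing a valid cookie; the stronger design is an opaque random session identifier with all state held server-side, plus the Secure and HttpOnly flags so the cookie is neither sent in the clear nor readable by page script.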

11 SSL
• Protocol for encrypting network traffic
• Sits between the application protocol and TCP, above the transport layer; HTTPS is HTTP carried over SSL
• HTTPS uses port 443 by convention; SSL itself is not tied to a port
• How it works
- Client opens a TCP connection and starts the handshake (ClientHello)
- Server presents its certificate so the client can authenticate it
- Client and server agree on algorithms and derive shared session keys
- Secure session begins: traffic is encrypted and integrity-protected
• Not a guarantee of security: it protects the channel, not the endpoints or the application behind it

12 Secure Electronic Transactions (SET)
• Developed by Visa and MasterCard, with participation from Microsoft, Netscape and others
• Specific-purpose protocol
• Secures credit and debit card transactions

13 Secure Electronic Transactions (SET) (2)
• Services provided
- Authentication (cardholder and merchant certificates)
- Confidentiality (payment details are encrypted for the payment gateway, so the merchant never sees the card number)
- Message Integrity
- Linkage (a dual signature binds the order information to the payment instruction)

14 Active Content
• Programs downloaded with a web page and executed on the client, interacting with the network and the local system
• Java / ActiveX

15 Java and JavaScript
• Java: compiled bytecode (applets) downloaded and executed by the browser's Java virtual machine
• JavaScript: script embedded in HTML and interpreted by the browser; unrelated to Java despite the name
• Security Model
- Execution in a controlled environment (the "sandbox")
- Local applications get more access than code loaded over the network (applets)
- Byte Code Verifier, Class Loader and Security Manager enforce the policy

