Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN 6710 - Section A – TR 9:30-10:45 CRN 10570 – Section B – TR 5:30-6:45.



2 Security
- Security needs to be addressed at every level of IT.
- Many of the security best practices for other areas overlap with web application security.
- For example, if your application stores usernames/passwords, then you would want to implement password complexity requirements and password expiration.
- In larger businesses, these accounts are centrally managed, and we can offload that work to those other systems.

3 Security - OWASP
- To help us tackle some of the common security concerns on the web, we are going to look at the “Open Web Application Security Project” (OWASP): http://www.owasp.org/
- OWASP has a significant amount of information on common web security issues, how to identify them, and how to prevent them.
- To get us started, we are going to look at their current Top 10 list (they update this every few years): https://www.owasp.org/index.php/Top_10_2013-Top_10

4 OWASP Top 10 - Injection
- Included in this category is SQL Injection.
- SQL Injection occurs when someone can submit data to a page, either through a form or through URL variables, and cause a SQL command to perform differently than it is designed to.
- This could be something relatively minor, such as selecting more rows than you planned to output.
- Or, it could be a major issue, such as deleting data from your database, or even deleting the database entirely.

5 OWASP Top 10 - Injection
- To help prevent this, we need to ensure any data we are using in a SQL query is properly validated and sanitized.
- This often includes stripping or escaping characters that might be used in a SQL Injection attack.
- To some degree, we can also limit the permissions of the database account the application connects with, to prevent some of the worst results of SQL Injection.
- As with most of the Top 10 items, validating data is the #1 way of stopping the attack.

6 OWASP Top 10 - Authentication
- This category includes issues with Authentication and Session Management.
- Some common problems with authentication include:
  - Not hashing/encrypting the credentials
  - Passing the credentials over an insecure connection (non-HTTPS)
  - Not forcing strong enough password complexity and not expiring passwords on a regular basis
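Added example (not from the slides): the three authentication bullets above turned into code, using Python's standard library so it runs anywhere. The policy numbers (12 characters, three character classes, 90-day expiry, 200,000 PBKDF2 rounds) are assumed values for illustration; the salt and digest are what you would store in the users table instead of the plaintext password.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Assumed policy values for the example; tune them to your own requirements.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3
MAX_AGE = timedelta(days=90)
PBKDF2_ROUNDS = 200_000

# Character classes counted toward the complexity requirement.
_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]


def meets_complexity(password):
    """Password complexity check: minimum length plus at least REQUIRED_CLASSES classes."""
    if len(password) < MIN_LENGTH:
        return False
    return sum(bool(re.search(c, password)) for c in _CLASSES) >= REQUIRED_CLASSES


def hash_password(password, salt=None):
    """Returns (salt, digest). Store both; the plaintext is never written anywhere."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recomputes the digest with the stored salt and compares in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def password_expired(set_at_iso, now_iso=None):
    """Expiry check on ISO 8601 strings, as they would come back from a DATETIME column."""
    set_at = datetime.fromisoformat(set_at_iso)
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    return now - set_at > MAX_AGE


if __name__ == "__main__":
    salt, digest = hash_password("Correct-Horse-7")
    print(meets_complexity("Correct-Horse-7"), verify_password("Correct-Horse-7", salt, digest))
```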

7 OWASP Top 10 - Authentication
- On the session management side:
  - Session IDs are passed in the URL (bookmarking or link sharing can cause a breach in the security process)
  - Sessions do not properly time out after an appropriate amount of time
  - Session IDs aren’t changed on every successful log in
- Many of the session-related issues are caused by having PHP not configured to store sessions properly.
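Added example (not from the slides or from PHP itself): a small server-side session store in Python that avoids the three session problems listed above. Time is passed in as integer seconds so the behaviour is easy to follow; the 20-minute idle timeout is an assumed value, and the URL check looks for PHPSESSID, PHP's default session name, because a session ID in a query string is the first anti-pattern on the slide.

```python
import secrets
from urllib.parse import parse_qs, urlparse

IDLE_TIMEOUT = 20 * 60  # assumed value, in seconds


class SessionStore:
    """Server-side session table. The ID is meant to travel in a cookie, never in the URL."""

    def __init__(self):
        self._sessions = {}

    def create(self, now):
        """Anonymous (pre-login) session with an unguessable random ID."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": now}
        return sid

    def get(self, sid, now):
        """Returns the session data, or None if the ID is unknown or has idled out.
        An expired session is deleted, so the old ID cannot be revived later."""
        data = self._sessions.get(sid)
        if data is None:
            return None
        if now - data["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        data["last_seen"] = now
        return data

    def login(self, sid, user, now):
        """On successful login, move the data to a freshly generated ID and drop the old one,
        so an ID obtained before login (for example from a shared link) is worthless."""
        data = self.get(sid, now)
        if data is None:
            data = {"user": None, "last_seen": now}
        else:
            del self._sessions[sid]
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


def session_id_in_query(url):
    """Flags the anti-pattern of carrying the session ID in the URL (PHP's default name)."""
    return "PHPSESSID" in parse_qs(urlparse(url).query)
```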

8 OWASP Top 10 - XSS
- Cross-Site Scripting (XSS) is considered one of the most widespread problems on the internet.
- Just like in SQL Injection, proper input validation can be used to resolve almost all cases of XSS.
- XSS is when a user can affect the content on the page with the content they submit to the page.
- iframe Demo

9 OWASP Top 10 – Direct Access
- Insecure Direct Object References primarily refers to pages on your application being accessible without permission.
- This partially leads back to proper session/authentication management, ensuring only authorized users can access a given page.
- If a user can go directly to a URL that should require authentication without authenticating, this is an example of this problem.
- Sometimes just changing URL variables can cause this issue.

10 OWASP Top 10 - Misconfig
- Security Misconfiguration rounds out the first half of the top 10 list.
- As we looked at last time, there are a lot of configuration options at the server level, and any number of these could be set incorrectly, causing the server or application to become attackable.
- Generally, you want to limit the enabled features to only what you are using and make sure all the software you are using has all relevant security patches applied.

11 Lab 8 – Web Security
- Create two (2) web pages.
- Page 1 should contain an example of a form vulnerable to SQL Injection.
- Page 2 should contain the exact same form with the vulnerability prevented.
- Include the links to both pages and an example of what to enter to see a safe SQL Injection.
- Ensure that I can see how the SQL Injection succeeds/fails.
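Added example (not from the slides, and not a lab solution): the two lookups a "Page 1" and "Page 2" form handler would run, side by side, covering both the prevention slide (slide 5) and the Lab 8 description. It is written in Python with an in-memory SQLite table standing in for the users table, so it runs without a web server; the user names and the query shape are constructed for the example. The safe version binds the form value as a parameter instead of escaping characters by hand, which is the fix the lab's Page 2 needs to demonstrate.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the users table behind a login form."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "h1"), ("bob", "h2"), ("carol", "h3")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Page 1 style: the form value is pasted straight into the SQL text, so quotes and
    operators in the value become part of the command the database parses."""
    sql = "SELECT id, username FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Page 2 style: the form value is bound as a parameter. The database compiles the
    query shape first, and the value can only ever be compared as data."""
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def row_counts(username):
    """Row count for the same form input on both pages.
    The vulnerable count is None when the input breaks the query outright."""
    conn = make_db()
    try:
        vulnerable = len(lookup_vulnerable(conn, username))
    except sqlite3.Error:
        vulnerable = None  # an unbalanced quote in the input made the SQL unparseable
    safe = len(lookup_safe(conn, username))
    return vulnerable, safe


if __name__ == "__main__":
    for value in ("alice", "' OR '1'='1", "O'Brien"):
        print(repr(value), "->", row_counts(value))
```

Note that a legitimate name containing an apostrophe (O'Brien) already breaks the Page 1 query, which is a useful thing to show a grader alongside the "more rows than planned" case.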

12 Next Week
- Tue Nov 17: Web Security (OWASP 6-10)
- Thu Nov 19: Lab/Term Project working day
- Reminders:
  - Lab 8 – Web Security is due on Dec 3rd
  - Term Project is due on Dec 10th
  - If you want to get partial credit for any assignments, the last day they will be accepted is Dec 3rd at midnight; D2L will lock out submissions at that time

