Module: Software Engineering of Web Applications
User-input-validation testing of web applications

UIV. User-input validation (UIV) is the first barricade that protects a web application from application-level attacks such as buffer overflow, code injection, hidden-field manipulation, and cross-site scripting. Attackers launch these attacks by sending malicious inputs to a web application; UIV protects against them by rejecting such inputs before they reach application logic. It is a first barricade rather than the only one (output encoding and parameterised queries still guard the sinks that validation cannot foresee), but improving the quality of UIV is a key means of enhancing a web application's security. These slides are designed to accompany module: Software Engineering of Web Applications

Problem. Unfortunately, web-application developers often omit UIV altogether or implement it defectively. As shown in a recent survey (Open Web Application Security Project, 2013), six of the top 10 web-application vulnerabilities are induced by defective UIV. There is a strong need for an effective way to improve the quality of UIV and thereby increase the security of web applications.

UIV testing. UIV testing is a common way in practice to improve the quality of UIV. Tools exist that test the UIV of web applications (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008; Fiddler, 2009; Burp Proxy, 2009; TamperIE, 2009). They fall into two major categories: crawler-based tools (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008) and proxy-based tools (Fiddler, 2009; Burp Proxy, 2009; TamperIE, 2009).

Crawler-based UIV testing tools. Crawler-based tools retrieve HTML pages automatically and submit predefined test inputs to the server through the forms on those pages. However, a fixed list of predefined inputs may not be suitable for a particular input field.

Example. Consider an input field that requires a year between 1999 and 2003. To test this field we should enter boundary values such as 1998 or 2004. These values may not exist in the predefined test inputs, so it may be impossible to check whether the web application handles the boundaries properly.

As a result, crawler-based testing tools cannot detect these semantics-related UIV defects. We use semantics-related UIV defects to refer to defects induced by the lack of checking the semantics of inputs, and semantics-related test inputs to refer to test inputs that can detect such defects.
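The year-field example worked through in code, as an added illustration to accompany the slides (not code from the slides or from any scanner they cite). `year_is_valid` is a hypothetical, deliberately off-by-one validator standing in for a developer's defective UIV, `GENERIC_PAYLOADS` is a constructed stand-in for a crawler's predefined input list, and `boundary_values` derives the semantics-related inputs 1998 and 2004 from the field's own constraint. The generic list never contains 2004, so the crawler-style scan reports nothing, while the boundary-derived inputs expose the defect.

```python
"""Semantics-related UIV testing of a range-constrained field.

Added example to accompany the slides; not code from the slides or from
any of the scanners they cite. The validator, the payload list and the
range are constructed for illustration.
"""


# Hypothetical UIV check as a developer might have written it.
# Intended rule: 1999 <= year <= 2003. Defect: the upper bound is off by one,
# so 2004 is accepted.
def year_is_valid(raw: str) -> bool:
    if not raw.isdigit():
        return False
    return 1999 <= int(raw) <= 2004   # should be <= 2003


# The same check with the boundary corrected, for comparison.
def year_is_valid_fixed(raw: str) -> bool:
    if not raw.isdigit():
        return False
    return 1999 <= int(raw) <= 2003


# Constructed stand-in for a crawler-based scanner's predefined input list:
# generic attack strings that know nothing about this field's semantics.
GENERIC_PAYLOADS = [
    "", "0", "-1", "999999999999",
    "' OR 1=1--",
    "<script>alert(1)</script>",
    "A" * 1024,
]


def boundary_values(lo: int, hi: int) -> dict:
    """Boundary-value analysis for the closed range [lo, hi]: the edge values
    that must be accepted and the values just outside that must be rejected."""
    return {
        "accept": [str(lo), str(hi)],
        "reject": [str(lo - 1), str(hi + 1)],
    }


def find_uiv_defects(validator, lo: int, hi: int) -> list:
    """Run the semantics-related inputs and return every misclassified one."""
    expected = boundary_values(lo, hi)
    defects = []
    for value in expected["reject"]:
        if validator(value):
            defects.append((value, "accepted but outside range"))
    for value in expected["accept"]:
        if not validator(value):
            defects.append((value, "rejected but inside range"))
    return defects


def crawler_style_scan(validator, lo: int, hi: int) -> list:
    """What a predefined-input scan can see: only a generic payload that happens
    to be accepted although it lies outside the range counts as a finding."""
    findings = []
    for payload in GENERIC_PAYLOADS:
        in_range = payload.isdigit() and lo <= int(payload) <= hi
        if validator(payload) and not in_range:
            findings.append(payload)
    return findings


if __name__ == "__main__":
    print("crawler-style scan:", crawler_style_scan(year_is_valid, 1999, 2003))      # []
    print("boundary inputs:   ", find_uiv_defects(year_is_valid, 1999, 2003))        # 2004 accepted
    print("after the fix:     ", find_uiv_defects(year_is_valid_fixed, 1999, 2003))  # []
```

The point of `boundary_values` is that the test inputs are computed from the field's stated constraint rather than looked up in a fixed dictionary; any range-checked field (age, quantity, page size) can be tested the same way by passing its own bounds.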

Proxy-based UIV testing tools. Unlike crawler-based tools, proxy-based UIV testing tools let developers intercept and edit HTTP requests directly. They provide an essentially manual testing approach, which keeps maximum flexibility but gives no help with test-input generation. The manual steps are tedious, and the quality of the test inputs depends heavily on the developers' knowledge and experience.

Weber (2005), a senior security consultant, used cross-site scripting (XSS) as an example of how to test web applications for such vulnerabilities in practice with the proxy-based UIV testing technique. First, a developer obtains a proxy tool that can intercept HTTP requests. Second, the developer maps the site and its functionality by discussing it with other developers and project managers.

Third, the developer identifies and lists the input fields. Fourth, the developer writes test inputs manually. Finally, the developer starts testing with the proxy tool and adjusts the test inputs as the results come in.
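Steps 3 to 5 of the procedure above, scripted as an added example (not code from the slides or from Weber (2005)): enumerate the input fields of a page, craft XSS test inputs by hand, send them one field at a time, and inspect each response. The form, the two sample servers (`vulnerable_server`, `fixed_server`) and the `send` stand-in for proxy replay are all constructed for this example and run offline. The reflection check distinguishes a payload that came back verbatim (an XSS candidate) from one that was HTML-encoded or never reflected, which is the judgement the tester otherwise makes by eye in the proxy's response pane.

```python
"""Proxy-style XSS testing of input fields, scripted end to end.

Added example to accompany the slides; not code from the slides or from
Weber (2005). The form, the two sample servers and the proxy stand-in
are constructed for illustration and run offline.
"""
import html
from html.parser import HTMLParser

# Constructed page as the proxy would show it after step 2 (site mapping).
SAMPLE_FORM = """
<form action="/search" method="get">
  <input type="text" name="q">
  <input type="hidden" name="lang" value="en">
  <textarea name="comment"></textarea>
  <select name="sort"><option>asc</option><option>desc</option></select>
  <input type="submit" value="Go">
</form>
"""


class FieldCollector(HTMLParser):
    """Step 3: list every user-controllable field. Hidden fields are included
    because a proxy lets the tester rewrite them like any other parameter."""
    FIELD_TAGS = {"input", "textarea", "select"}

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.FIELD_TAGS:
            return
        a = dict(attrs)
        if a.get("type") in ("submit", "button", "reset"):
            return
        if a.get("name"):
            self.fields.append({"name": a["name"], "kind": a.get("type", tag)})


def list_input_fields(page_html: str) -> list:
    collector = FieldCollector()
    collector.feed(page_html)
    return collector.fields


# Step 4: hand-written test inputs. Each carries a unique marker so the
# reflection check cannot be fooled by a string that was already on the page.
XSS_TEST_INPUTS = [
    '<script>alert("uiv1")</script>',
    '"><img src=x onerror=alert("uiv2")>',
    "' autofocus onfocus=alert('uiv3') x='",
]


def build_requests(fields: list, test_inputs: list) -> list:
    """One request per (field, payload); every other field keeps a benign value
    so a finding can be attributed to a single parameter."""
    requests = []
    for field in fields:
        for payload in test_inputs:
            params = {f["name"]: "benign" for f in fields}
            params[field["name"]] = payload
            requests.append({"field": field["name"], "payload": payload, "params": params})
    return requests


def classify_reflection(response_body: str, payload: str) -> str:
    """Step 5 check on the response the proxy shows."""
    if payload in response_body:
        return "unencoded"   # reached an HTML sink verbatim: XSS candidate
    if html.escape(payload, quote=True) in response_body:
        return "encoded"     # reflected, but neutralised by output encoding
    return "absent"          # rejected by UIV, or not reflected on this page


# Constructed servers standing in for the application under test.
def vulnerable_server(params: dict) -> str:
    return "<p>Results for %s</p>" % params["q"]          # no output encoding


def fixed_server(params: dict) -> str:
    return "<p>Results for %s</p>" % html.escape(params["q"], quote=True)


def run_xss_tests(send, page_html: str = SAMPLE_FORM) -> list:
    """Steps 3-5 together. `send` replays one request (here: a sample server)."""
    findings = []
    for req in build_requests(list_input_fields(page_html), XSS_TEST_INPUTS):
        if classify_reflection(send(req["params"]), req["payload"]) == "unencoded":
            findings.append((req["field"], req["payload"]))
    return findings


if __name__ == "__main__":
    for field, payload in run_xss_tests(vulnerable_server):
        print("reflected unencoded in field %r: %s" % (field, payload))
    print("fixed server findings:", run_xss_tests(fixed_server))   # []
```

Against the vulnerable server every payload in `q` comes back unencoded, while `lang`, `comment` and `sort` are never reflected on this page; against the fixed server the same payloads come back HTML-encoded and produce no finding. The loop is exactly the adjust-and-retry of step 5, with the difference that the per-field attribution and the encoded-versus-verbatim judgement are recorded rather than read off the proxy by hand.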