The OWASP Foundation Web Application Security

Presentation transcript:

The OWASP Foundation Web Application Security

Securing the network: Router, Firewall, Switch
Securing the host: Patches/updates, Accounts, Ports, Services, Files/directories, Registry, Protocols, Shares, Auditing/logging
Securing the application: Input validation, Session mgmt, Authentication, Authorization, Config mgmt, Error handling, Secure storage, Auditing/logging

(Diagram: a firewall in front of three tiers, Web server, App server and DB server, each a host running its apps, with the database on the DB server host.)

The OWASP Foundation Web Application Behaviour

- HTTP is stateless: the requests and responses exchanged between browser and server carry no memory of earlier ones.
- Most typical HTTP requests use either the GET or the POST method.
- Scripting can occur on:
  - Server-side (e.g. Perl, ASP, JSP)
  - Client-side (JavaScript, Flash, applets)
- Web server file mappings allow the web server to handle certain file types using specific handlers (ASP, ASP.NET, Java, JSP, CFM etc.).
- Data is posted to the application through HTTP methods; this data is processed by the relevant script and the result is returned to the user's browser.

The OWASP Foundation HTTP POST vs HTTP GET

"GET" exposes sensitive authentication information in the URL:
- In web server and proxy server logs
- In the HTTP Referer header
- In bookmarks/favorites, which are often emailed to others

"POST" places the information in the body of the request and not in the URL.

Enforce HTTPS POST for sensitive data transport.

The OWASP Foundation GET vs POST HTTP Request

GET request:

    GET /search.jsp?name=blah&type=1 HTTP/1.0
    User-Agent: Mozilla/4.0
    Host:
    Cookie: SESSIONID=2KDSU72H9GSA289

POST request:

    POST /search.jsp HTTP/1.0
    User-Agent: Mozilla/4.0
    Host:
    Content-Length: 16
    Cookie: SESSIONID=2KDSU72H9GSA289

    name=blah&type=1
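As an added example that is not part of the slides, the parser below takes raw requests like the two above and reports which sensitive parameter names travel in the URL (where they reach logs, the Referer header and bookmarks) versus in a POST body. The sample login requests, the sensitive-name list and the hostname example.test are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as sensitive (constructed list for this example;
# extend it with the application's own credential and token names).
SENSITIVE = {"password", "passwd", "pwd", "token", "sessionid", "secret"}

# Constructed sample requests: the same login sent by GET and by POST.
GET_LOGIN = (
    "GET /login.jsp?user=bob&password=hunter2 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: example.test\r\n"
    "Cookie: SESSIONID=2KDSU72H9GSA289\r\n\r\n"
)
POST_LOGIN = (
    "POST /login.jsp HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: example.test\r\n"
    "Content-Length: 25\r\n"
    "Cookie: SESSIONID=2KDSU72H9GSA289\r\n\r\n"
    "user=bob&password=hunter2"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # header names fold case
    return method, target, headers, body

def sensitive_locations(raw):
    """Map 'url' and 'body' to the sensitive parameter names found there.

    Names in the query string end up in server and proxy logs, the Referer
    header and bookmarks; names in a POST body do not.
    """
    method, target, _headers, body = parse_request(raw)
    url_params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    body_params = parse_qs(body, keep_blank_values=True) if method == "POST" else {}
    return {
        "url": sorted(p for p in url_params if p.lower() in SENSITIVE),
        "body": sorted(p for p in body_params if p.lower() in SENSITIVE),
    }
```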

The OWASP Foundation What are HTTP Headers?

- HTTP headers are components of the message header of HTTP requests and responses.
- HTTP headers define different aspects of an HTTP transaction.
- HTTP headers are colon-separated name-value pairs in clear-text string format, each terminated by a carriage return (CR) and line feed (LF) character sequence.

The OWASP Foundation Security HTTP Response Headers

- X-Frame-Options
- X-XSS-Protection
- X-Content-Type-Options
- Content Security Policy
- Access-Control-Allow-Origin
- HTTP Strict Transport Security
- Cache-Control / Pragma

The OWASP Foundation Security HTTP Response Headers

- X-Frame-Options 'SAMEORIGIN': allow framing only from the same domain. Set it to 'DENY' to forbid framing altogether, or to 'ALLOWALL' if you want to allow framing from every website.
- X-XSS-Protection '1; mode=block': use the XSS Auditor and block the page if an XSS attack is detected. Set it to '0;' if you want to switch the XSS Auditor off (useful if the response contains scripts derived from request parameters).
- X-Content-Type-Options 'nosniff': stops the browser from guessing the MIME type of a file.
- X-Content-Security-Policy: a powerful mechanism for controlling which sites certain content types can be loaded from.
- Access-Control-Allow-Origin: used to control which sites are allowed to bypass the same-origin policy and send cross-origin requests.
- Strict-Transport-Security: instructs the browser to access the site only over a secure (HTTPS) connection.
- Cache-Control: used to set mandatory content caching rules.

The OWASP Foundation X-Frame-Options

Protects you from most classes of clickjacking.

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM

The OWASP Foundation X-XSS-Protection

Use the browser's built-in XSS Auditor.

    X-XSS-Protection: [0-1](; mode=block)?
    X-XSS-Protection: 1; mode=block

The OWASP Foundation X-Content-Type-Options

Fixes MIME sniffing attacks. Only applies to IE, because only IE would do something like this.

    X-Content-Type-Options: nosniff

The OWASP Foundation Content Security Policy

- Anti-XSS W3C standard
- Move all inline script and style into external files
- Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use
- Define a policy for the site regarding the loading of content

Browser support: Chrome version 25 and later (50%), Firefox version 23 and later (30%), Internet Explorer version 10 and later (10%)

The OWASP Foundation Strict Transport Security

    Strict-Transport-Security: max-age=

Do all of your subdomains support SSL?

    Strict-Transport-Security: max-age= ; includeSubDomains

The OWASP Foundation Disabling the Browser Cache

Add the following as part of your HTTP response:

    Cache-Control: no-store, no-cache, must-revalidate
    Expires: -1

The OWASP Foundation HTTP Security Headers Tool

Secure headers! Open source.
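An added example in the spirit of such a tool, not the tool the slide refers to: a small Python audit that checks a response's headers against the recommendations on the preceding slides (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, CSP under either the standard or the X- prefixed name, HSTS with includeSubDomains, and the no-cache rules for sensitive content). The two sample header sets and the one-year max-age value are constructed for this example.

```python
import re

# Constructed sample responses: a server's default headers and a hardened set.
DEFAULT_HEADERS = {"Content-Type": "text/html", "Cache-Control": "public"}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",  # assumed one year
    "Cache-Control": "no-store, no-cache, must-revalidate",
    "Expires": "-1",
}

def audit_headers(headers, sensitive=False):
    """Return findings for a response's security headers (empty list = clean).
    `sensitive` marks responses with authenticated/personal data (cache rules apply)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names fold case
    findings = []

    xfo = h.get("x-frame-options", "").upper()
    if not (xfo in ("DENY", "SAMEORIGIN") or xfo.startswith("ALLOW-FROM ")):
        findings.append("X-Frame-Options missing or permissive (clickjacking)")

    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff' (MIME sniffing)")

    # Accept the standard name or the older X- prefixed name used on the slides.
    if not (h.get("content-security-policy") or h.get("x-content-security-policy")):
        findings.append("no Content-Security-Policy header")

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m or int(m.group(1)) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    elif "includesubdomains" not in hsts.lower():
        findings.append("HSTS does not cover subdomains (includeSubDomains absent)")

    if sensitive:
        directives = {d.strip().lower() for d in h.get("cache-control", "").split(",")}
        if not {"no-store", "no-cache", "must-revalidate"} <= directives:
            findings.append("Cache-Control does not forbid caching of sensitive content")
    return findings
```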