FORESEC Academy Security Essentials (II)

Agenda
• Web communication
• Web security protocols
• Active content
• Cracking web applications
• Web application defenses

Everything You Always Wanted to Know About Web Communications...
• Servers and Clients
• HTTP and HTML

Everything You Always Wanted to Know About Web Communications (2)
• Stateless Communications
• Retrieving information: GET, HEAD
• Sending information: POST, PUT

HTML Security
• Reading HTML Source

HTML Security (2)
• Hidden Fields
• Server Side Includes
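
Added example (not from the slides) for the two HTML Security points: a parser that pulls the hidden fields out of a form's source, and an order handler that trusts the hidden price beside one that does not. The form, the catalogue and the function names are constructed for this demo.

```python
# Added example, not from the FORESEC slides: hidden form fields are visible in the
# HTML source and editable before submission, so the server must not trust them.
# The form, catalogue and handler names are constructed for this demo.
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed order form: a reader of the source sees the price the page intends
# to charge and can change it in the request that is actually sent.
ORDER_FORM = """
<form method="POST" action="/order">
  <input type="hidden" name="item" value="sku-42">
  <input type="hidden" name="price" value="49.99">
  <input type="submit" value="Buy">
</form>
"""

CATALOGUE = {"sku-42": 49.99}   # authoritative prices live only on the server


class HiddenFieldFinder(HTMLParser):
    """Collects name/value pairs of <input type="hidden"> tags."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.fields[a.get("name")] = a.get("value")


def hidden_fields(html: str) -> dict:
    """What reading the page source reveals about the form."""
    finder = HiddenFieldFinder()
    finder.feed(html)
    return finder.fields


def charge_naive(body: str) -> float:
    """Vulnerable handler: bills whatever price the browser sends back."""
    return float(parse_qs(body)["price"][0])


def charge_hardened(body: str) -> float:
    """Hardened handler: the client picks the item, the server decides the price."""
    item = parse_qs(body).get("item", [""])[0]
    if item not in CATALOGUE:
        raise ValueError("unknown item")
    return CATALOGUE[item]
```

The same rule covers Server Side Includes and any other value the page hands to the browser: treat it as a hint from the client, not as state the server already knows.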

Common Gateway Interface (CGI)
• Allows web pages to do something instead of just returning pages
• Extends the capabilities of a web server
• Creates many exposures on the server
  - Leaking information
  - Performing unauthorized transactions
  - Executing unintended programs

Common Gateway Interface (CGI) (2)
• Common mistakes
  - Misuse of command interpreters
  - Bad memory management
  - Passing unchecked parameters to system
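
Added example (not from the slides) of the first and last CGI mistakes: a query parameter pasted into a shell command line beside a handler that validates it and passes it to the program as an argv entry with no command interpreter involved. The nslookup tool and the parameter name host are assumptions for this demo.

```python
# Added example, not from the FORESEC slides: the CGI mistake "passing unchecked
# parameters to system" beside a hardened version. The lookup tool (nslookup) and
# the query parameter name "host" are assumptions for this demo.
import os
import re
import subprocess
from urllib.parse import parse_qs

# Allow-list for a hostname: letters, digits, dots and hyphens, no leading hyphen
# (a leading hyphen could be read as a command-line option by the tool).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def host_from_query(query_string: str) -> str:
    """Pulls the host parameter out of the CGI QUERY_STRING (empty if absent)."""
    return parse_qs(query_string).get("host", [""])[0]


def command_vulnerable(host: str) -> str:
    """Vulnerable: the raw parameter is pasted into a shell command line for
    os.system(); any shell metacharacter in it changes what the shell runs."""
    return "nslookup " + host


def command_hardened(host: str) -> list:
    """Hardened: validate against the allow-list, then build an argv list so
    no command interpreter ever sees the parameter."""
    if not HOST_RE.match(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["nslookup", host]


def is_safe_host(host: str) -> bool:
    """True when the parameter would be accepted by command_hardened()."""
    return HOST_RE.match(host) is not None


if __name__ == "__main__":
    # A CGI script gets the query string from the environment; constructed here.
    os.environ.setdefault("QUERY_STRING", "host=example.com")
    argv = command_hardened(host_from_query(os.environ["QUERY_STRING"]))
    # shell=False (the default): argv goes straight to execve, never through a shell.
    result = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    print(result.stdout or result.stderr)
```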

Cookies
• HTTP is “stateless” - no context information
• Cookies provide “state” and context
• Can only hold information given to the browser by the server
• Can only be exchanged with the originating server or domain
• Beware of cross-site sharing (e.g., DoubleClick)
• Can block cookies if desired

What About Non-Persistent Cookies?
• Non-persistent cookies = per-session cookies
• Non-persistent cookies are not written to the browser file system
  - So they can't be edited and are therefore safe from session ID attacks. Right?
  - Wrongo!!!
• Several possible methods
  - 1) Raw read/write from/to the client-side memory
  - 2) Adapt the Mozilla browser source to edit cookies
  - 3) Write a JavaScript app that lets you view the page and edit it
  - 4) Write a proxy that allows editing of the entire session passed back and forth from the browser (Achilles)
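
Added example (not from the slides) of what a server can still do once it accepts that any of the four methods above lets the client edit a session cookie: keep session state on the server behind an unguessable random ID, and put an HMAC tag on anything that does travel in the cookie so an edit is detected rather than honoured. The function names and the demo key are constructed for this example.

```python
# Added example, not from the FORESEC slides: the server cannot stop a client from
# editing a session cookie (in memory, with a patched browser, or through a proxy
# such as Achilles), so it must make edits useless or detectable. The helper
# names and the demo key are constructed for this example.
import base64
import hashlib
import hmac
import secrets

DEMO_KEY = secrets.token_bytes(32)   # a real server keeps a persistent secret key


def new_session_id() -> str:
    """Unguessable session ID (256 bits from the OS CSPRNG); the server keeps the
    session data itself and the cookie carries only this random handle."""
    return secrets.token_urlsafe(32)


def sign_cookie(value: str, key: bytes = DEMO_KEY) -> str:
    """Appends an HMAC-SHA256 tag so any client-side edit of the value is detected."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(cookie: str, key: bytes = DEMO_KEY):
    """Returns the value if the tag matches, None otherwise (constant-time compare)."""
    value, dot, _tag = cookie.rpartition(".")
    if not dot:
        return None
    if hmac.compare_digest(sign_cookie(value, key).encode(), cookie.encode()):
        return value
    return None


def set_cookie_header(name: str, value: str) -> str:
    """Set-Cookie line: Secure keeps it off plain HTTP, HttpOnly keeps page scripts
    from reading it, and leaving out Expires/Max-Age makes it a per-session cookie."""
    return "Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (name, value)
```

The tag does not stop the client from replaying a cookie it legitimately received, so authorization decisions still belong to the server-side session record that the ID points at.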

SSL
• Protocol for encrypting network traffic
• Operates at the Transport Layer
• Operates on port 443
• How it works
  - Client connects to server
  - Server indicates need for SSL
  - Client and server exchange crypto keys
  - Secure session begins
• Not a guarantee of security
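
Added example (not from the slides) of the client side of the handshake just outlined, including the server verification that the last bullet is about: encryption alone says nothing about who is at the other end. The host name is a placeholder, and the session_info call needs network access.

```python
# Added example, not from the FORESEC slides: a client that runs the handshake the
# slide outlines and also verifies who it is talking to, which is the part the
# last bullet ("not a guarantee of security") is about. The host is a placeholder.
import socket
import ssl

SSL_PORT = 443


def make_client_context() -> ssl.SSLContext:
    """Client-side context: the server certificate must chain to a trusted CA and
    match the hostname, or the session is just encrypted to an unknown party."""
    ctx = ssl.create_default_context()            # system trust store, CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and 1.1
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Checks the three settings the connection's security rests on."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def session_info(host: str, port: int = SSL_PORT, timeout: float = 5.0) -> dict:
    """Connects on port 443, performs the handshake (the key exchange happens
    inside wrap_socket) and reports what was negotiated. Needs network access."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "server": dict(rdn[0] for rdn in tls.getpeercert()["subject"]),
            }


if __name__ == "__main__":
    print(session_info("example.com"))   # placeholder host
```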

Secure Electronic Transactions (SET)
• Developed by Visa, MasterCard, Microsoft, Netscape
• Specific-purpose protocol
• Secures credit and debit card transactions

Secure Electronic Transactions (SET) (2)
• Services provided
  - Authentication
  - Confidentiality
  - Message Integrity
  - Linkage

Active Content
• Programs that interact in a network environment
• Java/ActiveX

Java and JavaScript
• Java - executable code
• JavaScript - instructions embedded in HTML
• Security Model
  - Execution in a controlled environment (the “sandbox”)
  - Local apps have more access than network apps
  - Byte Code Verifier, Class Loader & Security Manager enforce security