Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Web Application Security

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to Web Application Security"— Presentation transcript:

1 Introduction to Web Application Security
Rex Booth, CISSP, PMP Senior Manager, Grant Thornton LLP

2 Introduction: Rex Booth
Senior Manager at Grant Thornton 10+ years of IT experience Former web application developer Leads cybersecurity group for Grant Thornton's public sector practice Experience with information security from a variety of perspectives including developer, auditor, and ISSO

3 Agenda Why target web applications?
Web application attack surface overview Attack examples Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks Live Demonstration Best Practices and Remediation resources Questions

4 Why target web applications?
Incentives Valuable targets Financial Competitive advantage (corporate or national) Force multiplier Reputation / Prestige Absence of effective deterrents Soft targets: Weak or poorly implemented security Low cost of entry: cheap and easy access “Wild West” mentality regarding probability of detection, capture and punishment

5 Agenda Why target web applications?
Web application attack surface overview Attack examples Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks Live Demonstration Best Practices and Remediation resources Questions

6 Web application attack surface
3rd Party Trusts Client layer: HTML, JavaScript, Flash, etc Application layer: Business logic (.Net, Java, etc) Data layer: Access components, RDBMS Client layer: Code and functionality executed on the client-side Various vulnerabilities Two key points: Never trust client-supplied data Don’t introduce vulnerabilities by trying to offload cycles from the server to the client

7 Web application attack surface
3rd Party Trusts Client layer: HTML, JavaScript, Flash, etc Application layer: Business logic (.Net, Java, etc) Data layer: Access components, RDBMS Application layer: Expression and capture of business rules and business policy logic in code; Workflows based on the ordered tasks of passing documents or data from one participant (a person or a software system) to another; Do those expressions introduce vulnerabilities? Attacks on specific technology and poor implementation

8 Web application attack surface
3rd Party Trusts Client layer: HTML, JavaScript, Flash, etc Application layer: Business logic (.Net, Java, etc) Data layer: Access components, RDBMS Data layer: Likely the most valuable component of your application to your organization Less focused on code and logic, more focused on good implementation and maintenance, proper technology

9 Web application attack surface
3rd Party Trusts Client layer: HTML, JavaScript, Flash, etc Application layer: Business logic (.Net, Java, etc) Data layer: Access components, RDBMS 3rd Party Trusts: Critical to maintain awareness of system interactions Federal Sector C&A Interconnection Agreements Potential to affect all layers of the application Repeat the attack surfaces at the client, application and data layers for each 3rd party trust

10 Agenda Why target web applications?
Web application attack surface overview Attack examples Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks Live Demonstration Best Practices and Remediation resources Questions

11 Injection Attacks SQL injection is the most common web attack
An attacker inserts commands that are used to dynamically construct SQL queries Attacker may be able to view or modify any data in a database Severity can be equivalent to a full database compromise Other injections include XML, LDAP, code injection, remote file inclusions Any action that takes input from the user and uses it in a query or function

12 SQL Injection Scenario
You wish to edit your credit card number in your account profile on To verify your identity, the site asks for the last 4 digits of your credit card The application then passes your input to the following query SELECT * FROM credit_cards WHERE digits = ‘your_input’

13 SQL Injection Scenario
What if the attacker enters 1234’ OR ‘1’ = ‘1 The full query then becomes SELECT * FROM credit_cards WHERE digits = ‘1234’ OR ‘1’ = ‘1’; This query will always return true and, therefore, will return every card in the database.

14 Cross Site Scripting (XSS)
Affects the client web browser. Scripting code from URL or HTML Form gets rendered in the page sent by the server. 2 types of XSS Persistent / Stored: attack code gets stored in the application data store and affects all users who visit the page. Non-Persistent / Reflected: attack code does not get stored and can only affect 1 user at a time. One of the most prolific and dangerous vulnerabilities on the web.

15 Cross Site Scripting (XSS) Scenario
What if we change “shawn” to: “><script>alert(document.cookie)</script>

16 Cross Site Scripting (XSS) Scenario

17 Cross Site Request Forgery (CSRF)
Affects the client browser. The vulnerability allows an attacker to force the browser to fraudulently execute application functionality. Leverages the user’s authenticated session on the target application. Not *really* a vulnerability, rather an exploit of expected functionality.

18 Authentication and Authorization
Lack of authentication / authorization. Unauthorized data access. Unauthorized system functionality access. Predictable session identifiers. Session Fixation. Session Replay. Brute forcing of credentials.

19 Session Fixation Example
Session Fixation occurs when a session identifier is not refreshed after successful authentication The following sequence describes an application vulnerable to Session Fixation: When a user browses to they receive Cookie: my_cookie=abcdefg After logging in, the application elevates my_cookie=abcdefg from unauthenticated to authenticated status Why is this a problem? The initial value may have been sent over an unencrypted channel Attacker could use XSS to set a known value in the target browser The application may accept any value prior to authentication, making this even easier for an attacker

20 Business Logic Flaws Flaw in the design and/or implementation of the project design. Booking a ticket on a web application without paying. Registering an account without completing all required steps. Apply the same coupon/discount multiple times on the same order. Account lockout on auction sites. Setting your own pricing on a product. No way to detect this type of vulnerability using automated tools.

21 Host and 3rd Party Code Keeping up with patches Patch management
3rd party code dependency updates Host security Unused network services Password Policy Brute forcing Logging Hidden/Old/Unreferenced files Building a good relationship with SysAdmins

22 Agenda Why target web applications?
Web application attack surface overview Attack examples Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks Live Demonstration Best Practices and Remediation resources Questions

23 Agenda Why target web applications?
Web application attack surface overview Attack examples Client layer attacks Application layer attacks Data layer attacks 3rd party trust attacks Live Demonstration Best Practices and Remediation resources Questions

24 Best Practices Summary
Input validation and output encoding Strong authentication and password management Effective access controls Safe error handling and meaningful logging Protection of data at rest and in motion Proper system and database configuration See the OWASP Secure Coding Practices Quick Reference Guide for more information

25 Remediation Resources
Incorporating security into the SDLC Post-deployment remediation Two basic approaches: fix the underlying problem or get in between the threat and the asset The latter, including web application firewalls, are not a panacea, but can be useful

26 Questions Ask now or contact via

Download ppt "Introduction to Web Application Security"

Similar presentations

Webgoat.

Webgoat.
High level QA strategy for SQL Server enforcer

High level QA strategy for SQL Server enforcer
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Copyright © 2006 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
SiteLock Internet Security: Big Threats for Small Business.

SiteLock Internet Security: Big Threats for Small Business.
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March

Similar presentations

Ads by Google