Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

Published byMagdalene Wilkerson Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011."— Presentation transcript:

1 Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.

2 Web Security2 Security of web applications is critical. –Image and reputation –Financial loss –Potential lawsuits Web protocols are inherently insecure. Ways of securing web applications

3 Web Security3 HTTP revisited A request/response protocol between a web browser and a web server A request is in the form of an URL. Processing of a request: 1.The url is resolved by the DNS to get the IP address of the web server; 2.A TCP connection is established between the browser and the server at port 80; 3.The browser sends an HTTP request over this connection to the server.

4 Evolution of Web applications Early web applications –Web sites for posting information –static –Attacks: defacing, distributing malwares Later web applications are true online “applications”. –The Web has become a universal platform. –Interactive –User-contributed content –User-tailored content –Dynamic –Internet applications vs Intranet applications 4

5 Why are web applications vulnerable? Public access HTTP lacks strong security mechanisms. Many web application developers are not knowledgeable about security. Web applications often connect to back-end servers.  turning the web server into a jumping board for the attackers Lower layer vulnerabilities may impact the application layer. Web Security5

6 Threats against web applications Leakage of sensitive data –eavesdropping –industrial/military espionage System/service downtime –Denial of Service attacks False data –Invalid user input –Command injections –SQL injections Hijacked sessions (Figures 12-3, 12-4, 12-5) Spreading viruses and other malwares Impact on the physical systems 6

7 7

8 A survey of web vulnerabilities Conducted by Stuttard and Pinto 2007-2011 Figure 1-3 –Broken authentication62% –Broken access controls71% –SQL injection32% –Cross-site scripting94% –Information leakage78% –Cross-site request forgery92% 8

9 9

10 Why is HTTPS not sufficient? SSL provides confidentiality, data integrity, and origin integrity. How? SSL does not stop attacks that directly target the server or client components of an application. Conclusion: SSL is not a cure-all for securing web applications. 10

11 Fundamental issue with web vulnerabilities Users are outside the application’s direct control. –Valid users with valid devices –Valid users with compromised devices –Malicious users with malicious devices Attackers may use crafted input to compromise the application, by interfering with its logic and behavior, therefore gaining unauthorized access to its data and functionality. 11

12 Crafted user input Attackers may use crafted input to compromise the application. –Interfere with any data transmitted btwn the client and the server (request params, cookies, HTTP headers, …) –Send requests in any sequence or submit parameters out of the anticipated order –Replay attacks –Use additional tools alongside or independently of the browser Conclusion: The Web application must assume that all input from the user is potentially malicious. 12

13 The expanding network perimeter The traditional concept of ‘network perimeter’ does not work. User devices are often outside the corporate network. –BYOD Web applications are the potential gateways for attacks. –A HTTP or HTTPS server must process all inbound requests. –A web server often connects to back-end servers. –A web application may involve cross-domain integration (e.g., mash-up, 3 rd -party widgets). 13

14 Summary While older vulnerabilities may have been patched, new vulnerabilities continue to be discovered and exploited. A recent trend is increased attacks against users or user devices. New technological advances may bring new vulnerabilities – cloud, social networks, etc. SSL is not a cure-all. 14

Download ppt "Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011."

Similar presentations

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Barracuda Web Application Firewall

Barracuda Web Application Firewall
Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.

Application Security: What Does it Take to Build and Test a “Trusted” App? John Dickson, CISSP Denim Group.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.

Securing TCP/IP Chapter 6. Introduction to Transmission Control Protocol/Internet Protocol (TCP/IP) TCP/IP comprises a suite of four protocols The protocols.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
The OWASP Foundation OWASP Chennai 2007 Phishing.

The OWASP Foundation OWASP Chennai Phishing.
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.

1 Chapter 6 Network Security Threats. 2 Objectives In this chapter, you will: Learn how to defend against packet sniffers Understand the TCP, UDP, and.
Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.
Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.

Evolving Threats. Application Security - Understanding the Problem DesktopTransportNetworkWeb Applications Antivirus Protection Encryption (SSL) Firewalls.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Computer Security Fundamentals Chuck Easttom Chapter 1 Introduction to to Computer Security.

Computer Security Fundamentals Chuck Easttom Chapter 1 Introduction to to Computer Security.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.

Similar presentations

Ads by Google