IST 210 Web Application Security
IST 210 Introduction
Security is a process of authenticating users and controlling what a user can see or do
IST 210 3-tier architecture
Web Browser
Web Server
DB Server
IST 210 Some Internet Security Protocols
Application Layer Security: electronic mail security with PGP (Pretty Good Privacy) and S/MIME (Secure Multi-Purpose Internet Mail Extensions)
Transport Layer Security: SSL/TLS (Secure Sockets Layer/Transport Layer Security), SSH (Secure Shell)
Network Layer Security: IP Security (IPsec)
Infrastructure protection: DNSSEC (DNS Security Extensions), SNMPv3 security (Simple Network Management Protocol Version 3)
IST 210 How do you measure security?
Does 128-bit encryption make you feel safer?
IST 210 The client
Common web browser
Communicates with the server using HTTP (PUT, POST, GET)
HTML markup language for the layout of pages
Scripting languages built into the client control client-side content and communications with the server dynamically
Cookies to store state
IST 210 The server
Analyses HTTP requests from the client and responds accordingly: either sends a plain HTML page, or processes the query data and sends back a dynamically produced page to the client.
IST 210 The web server
Common examples: Apache, IIS.
These servers and their hosts have their own security problems.
Server-side programming: Perl, ASP (JScript/VBScript), PHP, C
IST 210 The DBMS
SQL DBMS: Microsoft SQL Server, Oracle, MySQL, DB2
These DBMS also have their own security problems.
IST 210 Attacks on the server
Using "out of the box" security holes to gain escalated privileges, or to execute commands on the server.
Make the server do something it is not supposed to do.
Examples: ColdFusion, Showcode.asp, FrontPage, etc.
IST 210 Attacks through holes found using a common security scanner
Scanners simply request a fixed file name to see if the file exists or not.
Assumes that the exploitable files/server have not been patched; can bring false positives.
Old techniques, but effective. EASY to protect against.
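Because a scanner of this kind only asks for fixed file names, the trace it leaves in the web server's access log is a burst of 404 responses for many distinct paths from one client. The following detector, added here as an example and not part of the lecture, parses NCSA common-format log lines and flags any client that received a 404 for at least five distinct paths. The log lines, IP addresses and probe file names (other than Showcode.asp, which the slides mention) are constructed for the example.

```python
import re
from collections import defaultdict

# NCSA/Apache "common" log format; the named groups are all this detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample access log (not from the lecture): one normal visitor,
# one client probing a list of fixed file names, one visitor following a dead link.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2000:13:55:36 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.5 - - [10/Oct/2000:13:55:41 +0000] "GET /about.html HTTP/1.0" 200 1180
198.51.100.7 - - [10/Oct/2000:13:56:02 +0000] "GET /Showcode.asp HTTP/1.0" 404 210
198.51.100.7 - - [10/Oct/2000:13:56:02 +0000] "GET /sample-probe-1.asp HTTP/1.0" 404 210
198.51.100.7 - - [10/Oct/2000:13:56:03 +0000] "GET /sample-probe-2.pl HTTP/1.0" 404 210
198.51.100.7 - - [10/Oct/2000:13:56:03 +0000] "GET /sample-probe-3.php HTTP/1.0" 404 210
198.51.100.7 - - [10/Oct/2000:13:56:04 +0000] "GET /sample-probe-4.cfm HTTP/1.0" 404 210
198.51.100.7 - - [10/Oct/2000:13:56:04 +0000] "GET /sample-probe-5.htm HTTP/1.0" 404 210
192.0.2.9 - - [10/Oct/2000:13:57:10 +0000] "GET /old-page.html HTTP/1.0" 404 210
"""


def parse_line(line):
    """Return the fields of one log line as a dict (status as int), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(log_text, min_404=5):
    """Map each client IP to the sorted list of distinct paths it got a 404 for,
    keeping only clients with at least `min_404` such paths.

    A scanner requesting fixed file names that are not installed leaves exactly
    this trace: many distinct 404s from one source in a short time. A visitor
    who hits one stale link does not cross the threshold, which keeps the
    false-positive rate low.
    """
    missing = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            missing[rec["ip"]].add(rec["path"])
    return {ip: sorted(paths) for ip, paths in missing.items() if len(paths) >= min_404}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct missing files probed, e.g. {paths[0]}")
```

The threshold is per source address and counts distinct paths rather than raw requests, so a client reloading one broken link is not flagged; a production version would additionally bound the time window and read the log incrementally.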
IST 210 Attacks on out of the box applications
Attacker can set up and audit the application in their own environment.
If one goes down, they all do.
Targets of common scanners.
IST 210 Attacks on custom applications
More difficult to audit
"Black box" auditing techniques
Looks for common stupid mistakes
IST 210 Case one
IIS security hole used to view ASP scripts
Database settings extracted
SQL Server live to the internet
Information from server-side scripts used to connect to the server
IST 210 Case two
ASP not filtering input
Able to directly manipulate the SQL query
Manipulating the SQL query extracts a valid cookie and creates the password
IST 210 The problems?
Unfiltered user input: user data is not checked, and can be crafted to manipulate processing on the server to reveal file contents, or to bypass checks and gain access.
Backdoor straight to the Crown Jewels.
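Case two and the "problems" slide both come down to one defect: input copied into a SQL query as text. The following Python example, added here and not part of the lecture (which describes an ASP application), shows the unfiltered query beside the two defences that remove the problem, bound parameters and an allow-list check on the input. The in-memory table, its columns and the user records are constructed for the example.

```python
import re
import sqlite3

# Allow-list for usernames: anything outside these characters is rejected before
# a query is ever built (the "filtering input" the slides say was missing).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def build_db():
    """Constructed in-memory user table standing in for the site's user store
    (hypothetical schema, not from the lecture; real stores hash passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, cookie TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "SESSION-A"), ("bob", "hunter2", "SESSION-B")],
    )
    return conn


def login_unfiltered(conn, username, password):
    """The 'case two' pattern: user input spliced straight into the query text,
    so a quote character in the input changes the SQL itself."""
    sql = ("SELECT cookie FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, username, password):
    """Hardened: bound parameters keep the input out of the SQL grammar, so a
    quote in the input is only a character to compare against."""
    sql = "SELECT cookie FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def is_valid_username(username):
    """Second layer: reject input that no legitimate username contains."""
    return USERNAME_RE.match(username) is not None


if __name__ == "__main__":
    # Constructed input: a closing quote followed by an always-true clause.
    crafted = "' OR '1'='1"
    print(login_unfiltered(build_db(), "alice", crafted))     # every cookie in the table
    print(login_parameterised(build_db(), "alice", crafted))  # []
    print(is_valid_username(crafted))                         # False
```

With the unfiltered query the crafted password turns the WHERE clause into `username = 'alice' AND password = '' OR '1'='1'`, which matches every row and hands back every session cookie, the outcome case two describes. The parameterised query compares the same string literally and returns nothing; the allow-list rejects it before the database is involved at all.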
IST 210 The enablers
Reliance on cryptography for security
Security through obscurity
Poor development
Poor experience
Limited resources
Awareness
Monitoring and plan
IST 210 The solution(s)
Good initial setup
Programming practices
Internal audits
Awareness
Updates, patches and hotfixes
IST 210 The solution(s)
Intrusion detection
Network design
System architecture
IST 210 Security Analogy
Moat / Main Gate: outer perimeter, controlling castle access
Inner Perimeter: stronghold; higher walls produce a containment area between the inner and outer perimeters
Keep: the last building in the castle to fall
IST 210 Internet Security Keep
[Diagram, labels only: Internet; Outer Perimeter; DMZ; Internal Firewall; Internal Network (Inner Perimeter / Stronghold); Mission Critical Systems (Crown Jewels)]