Web application security I

Published on 07-Aug-2015

Transcript

1. Web Application Security
   CS200 project presentation. Instructor: Dr. Ferdous Ahmed. Reference: http://www.owasp.org. Presented by: Md Syed Ahamad.

2. Project Role
   Theory, analysis, implementation.

3. Topics
   Introduction; issues and solutions (OWASP); problem analysis; vulnerabilities and preventions; common mistakes; ways of approach; vulnerability scanners.

4. Background
   Many sensitive tasks are done through the web: online banking, online shopping, database access, system administration. Web applications and web users are the targets of many attacks: network-based attacks, injection, broken authentication and session management, cross-site scripting, and many more.

5. Introduction
   Web application: a web browser communicates with a web server to retrieve web pages (client-server structure). Web application security deals specifically with the security of web applications.

6. Fundamentals of Web Apps: URL
   A Uniform Resource Locator (URL) uniquely identifies the location of a web page. It also reveals the type of communication, the OS type, the type of web application code, and more. URL manipulation is a web application attack.

7. Fundamentals of Web Apps: HTTP
   HTTP designates how the web browser and the web server communicate with each other. It is a stateless protocol: after a connection is established, a request is sent and a response is received. POST data is another portion of an HTTP request, used when larger amounts of data need to be sent from the browser to the web server. Cookies are small amounts of data supplied by the web server and stored by the web browser.

8. HTTP Request and Response
   Request and response (GET, POST). Attacks: HTTP smuggling, cache poisoning.

9. Fundamentals of Web Apps: HTTPS
   HTTPS is HTTP wrapped with Secure Sockets Layer (SSL) encryption. The data sent is encrypted, which protects it in transit.

10. Fundamentals of Web Apps: Firewall
   A firewall prevents unauthorized connections to protected network devices and protects against network-based attacks, but it fails to protect against web-based attacks.

11. Issues: Web-based attacks and OWASP
   OWASP is an online community dedicated to web application security. It includes corporations, educational organizations, and individuals from around the world. The OWASP Top 10 is the most important item to discuss: it raises awareness about application security by identifying some of the most critical risks facing organisations. Analyse the problems clearly and solve them.

12. Application Security Risks
   Attackers use different paths to harm you. These factors determine the overall risk.

13. My Risks
   OWASP Risk Rating Methodology.

14. OWASP Top 10
   A1 Injection
   A2 Broken Authentication and Session Management
   A3 Cross-Site Scripting (XSS)
   A4 Insecure Direct Object References
   A5 Security Misconfiguration
   A6 Sensitive Data Exposure
   A7 Missing Function Level Access Control
   A8 Cross-Site Request Forgery (CSRF)
   A9 Using Known Vulnerable Components
   A10 Unvalidated Redirects and Forwards

15. A1 - Injection
   Injection flaws: SQL, OS, LDAP, etc. Untrusted data is sent to the server as part of a command or query. Among the most prevalent and dangerous attacks on the Internet.

16. A1 - Injection: Vulnerabilities and Preventions
   Vulnerabilities: check that every use of an interpreter clearly separates untrusted data from the command or query; avoid dynamic queries, use stored procedures and prepared statements; use code-checking tools and penetration testers.
   Preventions: use a safe API; escape special characters; allow no special characters; positive (white list) input validation.

17. A1 - Injection Example
   Scenario #1:
   String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'";
   Select data from table where emailinput=email_input;

18. A2 Broken Authentication and Session Management
   Application functions related to authentication and session management are not implemented correctly. Attackers try to compromise passwords, keys, session tokens or user IDs.

19. A2 Broken Authentication and Session Management: Vulnerabilities and Preventions
   Vulnerabilities: user IDs are not protected with hashing and encryption when stored; they can be guessed or overwritten through weak account management; session IDs are exposed, do not time out, do not rotate after login, etc.
   Preventions: OWASP's Application Security Verification Standard (ASVS); a simple interface for developers; a strong effort to avoid XSS flaws.

20. A2 Broken Authentication and Session Management Example
   Scenario #1: an airline reservations application supports URL rewriting, putting session IDs in the URL:
   http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii

21. A3 Cross-Site Scripting
   Malicious code is injected into a website. Stored, reflected and DOM-based.

22. A3 Cross-Site Scripting: Vulnerabilities
   Input not properly escaped. Input not validated.

23. A3 Cross-Site Scripting Example
   The application uses untrusted data in the construction of the following HTML snippet without validation or escaping:
   (String) page += "";
   The attacker modifies the CC parameter in his browser to: '>'.

24. Way of approach
   SSL. Website vulnerability scanner types: network scanner, port scanner, web application security scanner.

25. Vulnerability Scanners
   Acunetix Web Vulnerability Scanner; Cenzic Hailstorm; GFI LANguard Network Security Scanner; Tenable Nessus 3; Nmap; QualysGuard; Retina Network Security Scanner; SAINT Network Vulnerability Scanner.

26. My Goal
   To implement a prevention mechanism. To implement a detection mechanism.
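The concatenated query from slide 17 beside the prepared statement and white-list validation that slide 16 recommends, as an added example that is not part of the slides; it uses an in-memory SQLite table with constructed rows standing in for the accounts table.

```python
# Added example (not from the slides): slide 17's string-built query in
# Python against an in-memory SQLite table, beside the prepared statement
# and positive input validation that slide 16 lists as preventions.
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (custID TEXT, owner TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("1", "alice"), ("2", "bob"), ("3", "carol")])
    return conn


def vulnerable_lookup(conn, cust_id):
    """Slide 17 pattern: untrusted input is pasted into the query text, so
    the database cannot tell the data from the SQL syntax around it."""
    query = "SELECT * FROM accounts WHERE custID='" + cust_id + "'"
    return conn.execute(query).fetchall()


def safe_lookup(conn, cust_id):
    """Prepared statement: the '?' placeholder is bound as a value, so the
    input is compared literally against custID whatever it contains."""
    return conn.execute(
        "SELECT * FROM accounts WHERE custID=?", (cust_id,)).fetchall()


CUST_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_cust_id(cust_id):
    """Positive (white list) validation: a customer id is 1-10 digits and
    nothing else, so quotes and SQL keywords never reach the interpreter."""
    return CUST_ID_RE.fullmatch(cust_id) is not None


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"                  # classic tester input
    print(vulnerable_lookup(db, "1"))       # one row
    print(vulnerable_lookup(db, probe))     # every row: WHERE was rewritten
    print(safe_lookup(db, probe))           # no rows: compared as a string
    print(validate_cust_id(probe))          # False: rejected before the DB
```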
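A minimal session store closing the three A2 weaknesses slide 19 names (guessable IDs, no timeout, no rotation after login), plus a check for the URL-rewriting pattern of slide 20; this is an added example, not code from the slides, and the 15-minute idle limit and the cookie name are assumptions.

```python
# Added example (not from the slides): session handling that fixes the
# slide 19 weaknesses, and a detector for slide 20's ";jsessionid=" URLs.
import secrets
import time
from urllib.parse import urlsplit

IDLE_TIMEOUT = 15 * 60   # seconds; assumed policy value


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so tests can move time forward
        self._sessions = {}      # session id -> {"user": ..., "last_seen": ...}

    def create(self, user="anonymous"):
        sid = secrets.token_urlsafe(32)   # 256 random bits: not guessable
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def lookup(self, sid):
        """Return the session's user, or None if unknown or idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._clock() - s["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]       # timed out: drop it for good
            return None
        s["last_seen"] = self._clock()
        return s["user"]

    def login(self, old_sid, user):
        """Rotate the ID at authentication so an ID issued before login
        (possibly seen by others) never becomes an authenticated one."""
        self._sessions.pop(old_sid, None)
        return self.create(user)


def set_cookie_header(sid):
    """Carry the ID in a cookie scripts cannot read and the browser only
    sends over TLS, instead of rewriting it into URLs."""
    return "Set-Cookie: JSESSIONID=%s; Path=/; HttpOnly; Secure" % sid


def url_carries_session_id(url):
    """Detect slide 20's pattern: a ';jsessionid=' path parameter, which
    ends up in bookmarks, proxy logs and Referer headers."""
    return ";jsessionid=" in urlsplit(url).path.lower()
```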
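The A3 pattern of slide 23 (an input element whose value comes straight from the CC parameter) beside the escaped form slide 22 calls for, as an added example that is not from the slides; the `<input>` markup is an assumed reconstruction of the snippet whose HTML did not survive on the page, and the parser check shows what a browser would make of each rendering.

```python
# Added example (not from the slides): slide 23's unescaped attribute value
# next to the html.escape version, with a parser showing how many elements
# each rendering actually yields.
import html
from html.parser import HTMLParser


def render_vulnerable(cc):
    """Untrusted data concatenated into markup: a quote and '>' in cc end
    the attribute and the tag, and what follows is parsed as new HTML."""
    return "<input name='creditcard' type='TEXT' value='" + cc + "'>"


def render_escaped(cc):
    """quote=True turns ' " < > & into entities, so the value cannot
    terminate the attribute whatever it contains."""
    return ("<input name='creditcard' type='TEXT' value='"
            + html.escape(cc, quote=True) + "'>")


class ElementWalker(HTMLParser):
    """Records the elements and value attributes a browser would see;
    one <input> carrying the submitted value is the intended result."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name == "value":
                self.values.append(value)


def parse(markup):
    walker = ElementWalker()
    walker.feed(markup)
    walker.close()
    return walker.tags, walker.values


if __name__ == "__main__":
    # "'>" is the slide's tampered CC value; an inert <b> stands in for
    # whatever would be appended after it.
    tampered = "'><b>"
    print(parse(render_vulnerable("4111")))   # (['input'], ['4111'])
    print(parse(render_vulnerable(tampered))) # (['input', 'b'], ['']): new element injected
    print(parse(render_escaped(tampered)))    # (['input'], ["'><b>"]): still just data
```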