Secure Java Coding Practices
Araf Karsh Hamid
June, 2006
Overview
Rich Internet Applications: History, Architecture, Nothing New
Security: Threats, Vulnerabilities & Defense; Web Application Firewalls; Web Application Security Concerns; Secure Java Coding Practices

Agenda
Rich Internet Apps – History
AJAX vs. Traditional Web Applications
Security
Threats, Vulnerabilities & Defense
Web Application Firewalls
Web Application Security Concerns
Web Application Security & Secure Java Coding Practices
Top 10 Web Vulnerabilities
1. Unvalidated Inputs
2. Cross-Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Broken Authentication and Session Management
6. Insecure Direct Object References
7. Cross-Site Request Forgery (CSRF)
8. Security Misconfiguration
9. Insecure Cryptographic Storage
10. Failure to Restrict URL Access
11. Insufficient Transport Layer Protection
Unvalidated Input
Attacker can change any value of the input submitted to the web server
Re-validate all the inputs at the server
Take only the necessary information (user input) from a form submission
Unvalidated Input (Problem)
Unvalidated Input (Fixed)
Cross Site Scripting
Attacker: injects code into the input data; hides malicious code behind Unicode encoding
Counter measures: input validation; input length check
Cross Site Scripting (Problem)
Cross Site Scripting (Fixed)
SQL Injection
Attacker: can inject system commands; can inject other SQL; can override access checks
Examples: add more commands ("; select * from users;"); override access ("' OR 1=1;")
Counter measures: use prepared statements in SQL; run with limited privileges; filter / validate the input
SQL Injection (Problem)
SQL Injection (Fixed)
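Added example, not code from the deck: the concatenated login query beside its parameterized fix, written in Python against the built-in sqlite3 module so it runs stand-alone (in Java the same fix is a JDBC PreparedStatement with setString). The users table, the accounts and the quote-balanced variant of the deck's "' OR 1=1" payload are constructed here.

```python
import sqlite3


def make_db():
    # Constructed in-memory users table; the accounts are sample data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The "(Problem)" pattern: user input is concatenated into the SQL text,
    # so a quote in the input ends the literal and the remainder is parsed
    # as SQL. With password "' OR '1'='1" the WHERE clause becomes
    #   username = 'alice' AND password = '' OR '1'='1'
    # which is true for every row: the access check is overridden.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def login_fixed(conn, username, password):
    # The "(Fixed)" pattern: a prepared (parameterized) statement. The SQL
    # text is fixed at parse time and the values are bound separately, so
    # input can only ever be compared as data, never change the query.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    rows = conn.execute(sql, (username, password)).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"  # constructed variant of the deck's "' OR 1=1"
    print("vulnerable, valid creds :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, payload     :", login_vulnerable(db, "alice", payload))
    print("fixed, payload          :", login_fixed(db, "alice", payload))
```

Filtering the input and running the database account with the least privilege the application needs remain the deck's other two counter measures; binding parameters removes the structural flaw, the other two limit the damage if a query is missed.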
Improper Error Handling
Attacker: gets system information; gets database information
Examples: stack (thread) traces; database dump
Counter measures: sanitize the error message; avoid sending stack traces to the end user; customize error pages (HTTP errors such as 404)
Improper Error Handling (Problem)
Improper Error Handling (Fixed)
Questions?