Building Secure Web Applications with IDS Michael Chaney Technical Director ChainLink Networking Solutions, Inc.

Presentation transcript:


Agenda
- Security in general
- Web security
- How intruders are getting in
- What can we do to keep intruders out

Security and World Wide Web
- A contradiction in terms

Goal and Objective
- Goal is to provide secure services that are impenetrable to hackers, but still allow access to public browsers

Today's Situation
- Stats from CSI/FBI study
- 40% penetration from outside
- 89% with firewalls
- 60% with Intrusion Detection Systems
- 38% unauthorized access or misuse of web sites
- 21% did not know…

How do intruders get in?
- Password guessing
- Buffer overflows
- URL mangling
- Software vulnerabilities
- Backdoors
- Packet sniffing - passwords, account #, weak encryption
- Open services - port scanning

Buffer Overflow Example
- Code Red
- Request: /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
- Impact - intruders can insert and execute arbitrary code

URL Mangling
- Intruder changes URL or parameters sent to Web server
- Impact - view records, change data
- Example: http:// change to any other order id

URL Mangling (cont)
- Example: since the application's SQL would look like this: select * from orders where orderid=1000;
- Hacker could append to the URL: ;delete+from+orders
- To make SQL: select * from orders where orderid=1000;delete from orders;

URL Mangling (cont)
- Example web page with a news story, where storyid=1 in the URL is the primary key
- Modified URL: 1+union+select+FileToClob('/etc/passwd','server')+from+sysusers+where+username=USER

URL Mangling (cont)
- Web DataBlade specific
- /' union select WebExplode(' $1 ','') from sysusers where username=USER --/

Packet Sniffing
- Forms with user ID/password or other sensitive data should be sent over SSL
- Do not use basic authentication: it sends the clear text user ID and password with every request

Packet Sniffing Example

Security Implementations
- System architecture
- Fill application holes
- Limit database account permissions
- Traps
- Monitoring

System Architecture
- Secure the perimeter
- Limit open services
- Proxy web services
- URL sanity checks
- Hide server identity
- VPN access
- SSL

Filling Application Holes
- Web server patches
- Web application server patches
- Parameter checks
- Use stored procedures or functions where possible*
- Limit access to web application user*
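The orderid lookup from the URL mangling slides beside the version the "Parameter checks" bullet calls for (an integer-only check, then a bound parameter instead of string concatenation), as an added example that is not from the original presentation. It uses an in-memory SQLite table with constructed rows as a stand-in for the orders table; the URL values are decoded the way a web server would decode them.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

ORDERID_RE = re.compile(r"\d{1,10}")   # parameter check: an order id is digits only


def make_db():
    """Constructed in-memory stand-in for the slide's orders table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY, customer TEXT)")
    db.executemany("INSERT INTO orders VALUES (?, ?)",
                   [(1000, "alice"), (1001, "bob"), (1002, "carol")])
    db.commit()
    return db


def remaining_orders(db):
    return db.execute("SELECT count(*) FROM orders").fetchone()[0]


def vulnerable_lookup(db, url_value):
    """The slide's pattern: the decoded orderid parameter is pasted into the SQL.
    Returns how many orders survive the request, to make the damage visible."""
    orderid = unquote_plus(url_value)            # web server decodes '+' to ' '
    sql = "select * from orders where orderid=" + orderid + ";"
    # executescript runs every statement in the string, so an appended
    # ';delete from orders' runs as well, exactly as on the slide.
    db.executescript(sql)
    return remaining_orders(db)


def safe_lookup(db, url_value):
    """Parameter check first, then a bound parameter instead of concatenation.
    Returns the matching rows, or None when the parameter is rejected."""
    orderid = unquote_plus(url_value)
    if not ORDERID_RE.fullmatch(orderid):
        return None                              # reject (and log); never build SQL from it
    cur = db.execute("SELECT orderid, customer FROM orders WHERE orderid = ?",
                     (int(orderid),))
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", safe_lookup(db, "1000"))
    print("safe lookup rejects:", safe_lookup(db, "1000;delete+from+orders"))
    print("orders left after injected request:",
          vulnerable_lookup(db, "1000;delete+from+orders"))
```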

Traps
- Set traps to catch and identify hackers in the act
- Multiple failed attempts before successful break-in
- Block intruders caught in the act

Monitoring Tools
- Intrusion Detection Systems
- Onaudit
- I-SPY
- sysmaster database
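A small log monitor tying together the "URL sanity checks", "Traps" and "Monitoring" slides, as an added example that is not part of the presentation: it runs URL patterns built from the earlier slides (the Code Red /default.ida request, an appended ;delete, a union select) over constructed Common Log Format lines and raises the trap the Traps slide describes, several failed logins followed by a success from one address. The log lines, addresses, /login path and the failure threshold are all constructed for the example.

```python
import re
from collections import defaultdict

# Common Log Format, as written by most web servers of the period.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# URL sanity checks built from the examples on the earlier slides.
SUSPICIOUS = [
    ("code-red-probe", re.compile(r"/default\.ida\?N{16,}", re.I)),
    ("sql-injection", re.compile(r"(?:;|%3b)(?:\+|%20)*(?:delete|drop|insert|update)(?:\+|%20)", re.I)),
    ("union-select", re.compile(r"union(?:\+|%20)+select", re.I)),
]

# Constructed sample log: one normal lookup, the three URL attacks, and two
# login sequences (only the first one trips the failed-attempts trap).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Jul/2001:10:00:01 -0500] "GET /orders.jsp?orderid=1000 HTTP/1.1" 200 512
10.0.0.9 - - [21/Jul/2001:10:00:02 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858 HTTP/1.0" 404 0
10.0.0.7 - - [21/Jul/2001:10:00:03 -0500] "GET /orders.jsp?orderid=1000;delete+from+orders HTTP/1.1" 500 0
10.0.0.7 - - [21/Jul/2001:10:00:04 -0500] "GET /news.jsp?storyid=1+union+select+FileToClob('/etc/passwd','server')+from+sysusers HTTP/1.1" 200 0
10.0.0.8 - - [21/Jul/2001:10:01:00 -0500] "POST /login HTTP/1.1" 401 0
10.0.0.8 - - [21/Jul/2001:10:01:05 -0500] "POST /login HTTP/1.1" 401 0
10.0.0.8 - - [21/Jul/2001:10:01:09 -0500] "POST /login HTTP/1.1" 401 0
10.0.0.8 - - [21/Jul/2001:10:01:15 -0500] "POST /login HTTP/1.1" 200 2048
10.0.0.5 - - [21/Jul/2001:10:02:00 -0500] "POST /login HTTP/1.1" 401 0
10.0.0.5 - - [21/Jul/2001:10:02:05 -0500] "POST /login HTTP/1.1" 200 2048
"""


def analyze(lines, threshold=3):
    """(alert_name, ip) for suspicious URLs and for a login success after >= threshold failures."""
    alerts, failures = [], defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not CLF; a real monitor would flag this too
        ip, url, status = m.group("ip"), m.group("url"), int(m.group("status"))
        for name, pattern in SUSPICIOUS:
            if pattern.search(url):
                alerts.append((name, ip))
        if url.startswith("/login"):      # the trap from the Traps slide
            if status == 401:
                failures[ip] += 1
            elif status == 200 and failures[ip] >= threshold:
                alerts.append(("break-in-after-%d-failures" % failures[ip], ip))
                failures[ip] = 0
    return alerts


def blocklist(alerts):
    """Addresses to block: everyone caught in the act."""
    return {ip for _, ip in alerts}
```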

Application Tracing
- JDBC driver: PROTOCOLTRACE, PROTOCOLTRACEFILE
- Custom trace statements in JDBC driver
- Onstat
- SQLDEBUG/SQLPRINT

Online Resources
- BugTraq
- CERT


Questions/Comments
- Contact: Michael Chaney, ChainLink Networking Solutions, Inc.