World Wide Web policy.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Chapter 17: WEB COMPONENTS
EECS 354 Network Security Cross Site Scripting (XSS)
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Interface Technology (CSE2030)
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.
Chapter 6: Hostile Code Guide to Computer Network Security.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Introduction to Application Penetration Testing
INTRODUCTION TO WEB DATABASE PROGRAMMING
FORESEC Academy FORESEC Academy Security Essentials (II)
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
JavaScript, Fourth Edition
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
Client Side Vulnerabilities Aka, The Perils of HTTP Lesson 14.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
1 Welcome to CSC 301 Web Programming Charles Frank.
Dynamic web content HTTP and HTML: Berners-Lee’s Basics.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Building Secure Web Applications With ASP.Net MVC.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
1 Securing Network Services. 2 How TCP Works Set up connection between port on source host to port on destination host Each connection consists of sequence.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Internet Applications (Cont’d) Basic Internet Applications – World Wide Web (WWW) Browser Architecture Static Documents Dynamic Documents Active Documents.
Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
1 Chapter 22 World Wide Web (HTTP) Chapter 22 World Wide Web (HTTP) Mi-Jung Choi Dept. of Computer Science and Engineering
National College of Science & Information Technology.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Computer & Network Security
Web Programming Language
Introduction to Information Security
Group 18: Chris Hood Brett Poche
Building Secure ColdFusion Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
WWW and HTTP King Fahd University of Petroleum & Minerals
API Security Auditing Be Aware,Be Safe
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
PHP / MySQL Introduction
Less Known Web Application Vulnerabilities
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
Chapter 27 WWW and HTTP.
Web Servers / Deployment
Security+ All-In-One Edition Chapter 15 – Web Components
Web Security CS 136 Computer Security Peter Reiher March 11, 2010
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Architecture of the web
Presentation transcript:

World Wide Web policy

Agenda Introduction Web Application Components Common Vulnerabilities Improving security in Web applications

1. Introduction What does World Wide Web security mean? Webmasters=> confidence that their site won’t be hacked or used as a gateway to get into their LANS Web users=> it is the ability to browse securely through the web But in general…

Introduction World Wide Web security Procedures Technologies Practices

2. Web Application Web Application is a client/server software application that interacts with users or other systems using HTTP(S) .

3. Some “Components” 3.1. Authentication 3.2. Browser Security 3.3. Scripts and Active Code 3.4. New Technologies : e.g. Ajax

3.1 Authentication Process of determining if a user or entity is who he/she claims to be. HTTP basic HTTP digest For secure authentication SSL (https://...) Protect transactions in any of the TCP protocols such as HTTP, NNTP (News Transfer), FTP, among others.

Authentication Provides server authentication, client authentication, confidentiality and integrity. Components SSL Record Protocol Handshaking Protocol

3.2 Browser Security User privacy Use a strong password. Install the latest version of your web browser.

Browser Security Cookie Data file originated by a web server, with the client’s information (machine name, keystrokes the user types, etc) Types Per-session , secure Persistent , nonsecure Cookies = vulnerability ~ privacy Structure Of A Cookie Domain Flag Path Secure Expiration Name Value www.redhat.com FALSE / 1154029490 Apache 64.3.40.151.16018996349247480

Browser Security Increasing the level of security: For user: Limit the cookies per web site. Allow cookies from the site that you are visiting for session. Disabled cookies if you are using a public computer.

Browser Security For Web designers: Examine cookies that they are accepting to avoid malicious content. Avoid the use cookies for authentication. Store as little private or personal information from the user as possible.

3.3 Scripts and Active Code Programs executed on the server side performing advanced operations. E.g: perl, c, php, etc Active Code Programs designed to perform detailed task on the client’s side. E.g: javaScript, Java Applets, ActiveX,…

Scripts and Active Code Vulnerabilities Misusing interpreters: putting the script interpreter in the same place as the scripts directory. http://www.victim.com/cgi-bin/perl.exe?-e+%27unlink+%3C*%3E%27 Web Server --> perl –e unlink ‘<*>’ Flawed memory management: is in the domain of programming languages that do not perform memory management internally such as c, c++.

Scripts and Active Code Passing unchecked user input to command interpreters: user input is passed to a command shell, allowing remote users to execute shell commands on the web server. Opening files based on unchecked user input. When writing user inputs to disk.

Scripts and Active Code Security Model Java Applets => sandbox JavaScript sandbox same origin policy object signing

Scripts and Active Code ActiveX Is a binary code that extend the functionality of a web application; it can take any action as the user. Security is partially controlled by the web designer and a third party.  Security Options safe for initializing safe for scripting

3.4 AJAX (Asynchronous JavaScript and XML) presentation management using XHTML, CSS, and the Document Object Model; Asynchronous data retrieval using XMLHttpRequest; and, JavaScript

Image from http://www. adaptivepath

AJAX Synchronous Asynchronous

4. Common Vulnerabilities Cross Site Scripting (XSS) Cross Site Request Forgery (XSRF) Sql Injection

Common Vulnerabilities Cross Site Scripting (XSS) An attacker inject malicious code, usually client-side scripts, into web applications from outside sources . Types - Stored - Reflected Due to lack of input/output filtering

Common Vulnerabilities Reflected Cross Site Scripting: Image from Noxes:A Client-Side Solution for mitigating cross-site scripting attacks

Common Vulnerabilities Cross Site Request Forgery (XSRF) Merely transmits unauthorized commands from a user the website trusts. It is related with the predictable of the structure of the application.

Common Vulnerabilities Sql Injection An attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data

Common Vulnerabilities Sql Injection SELECT * FROM users WHERE login = ‘Bush‘ AND password = '123' (If it returns something then login!) PHP/PostgreSql Server login syntax $sql = "SELECT * FROM users WHERE login = '" . $formusr . "' AND password = '" . $formpwd . "'";

Common Vulnerabilities Sql Injection Injecting through Strings $formusr = ' or 1=1 – – $formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'

Thank you

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.