Chirita Ionel, Application Security, OWASP Chapter board member

Presentation transcript:


What we want from a web application scanner:
- Wide coverage
- Fast scans
- Low number of false positives
- Low number of false negatives
- Scalability
- Easy to use
- Permanent vulnerability database updates
- To be cheap !?

Evaluation criteria:
- Hardware requirements & support
- Protocol support
- Authentication
- Session management
- Crawling
- Data parsing
- Testing
- Command and control
- Reporting

Hardware requirements & support:
- Thick client vs cloud

Transport support:
- HTTP 1.0 & HTTP 1.1
- SSL/TLS
- HTTP keep-alive
- HTTP compression
- HTTP user agent configuration

Proxy support:
- HTTP 1.0 & HTTP 1.1 proxy
- SOCKS 4 proxy
- SOCKS 5 proxy
- PAC file support

Authentication:
- Basic
- Digest
- HTTP Negotiate (NTLM & Kerberos)
- HTML form-based
  - Automated
  - Scripted
  - Non-automated
- Single sign-on
- Client SSL certificates
- Other

Session management:
- Session management capabilities
  - Start a new session
  - Detect if the session is expired
  - Reacquire session token
- Session management token type support
  - HTTP cookies
  - HTTP parameters
  - HTTP URL path
- Session token detection
- Session token refresh policy
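The three session capabilities above (start a session, detect expiry, reacquire the token) as a small scanner-side session handler. This is an added illustration, not code from the presentation; the server is a constructed in-memory stand-in whose cookie-based session expires after two requests, and the expiry signal (a redirect to /login) is an assumption.

```python
"""Scanner session handling: detect an expired session and reacquire the token."""
import re
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    headers: dict
    body: str


class FakeServer:
    """Constructed target: SID cookie session that expires after 2 requests."""
    def __init__(self):
        self.valid = {}      # token -> requests remaining before expiry
        self.counter = 0

    def login(self, user, password):
        self.counter += 1
        token = f"sess{self.counter}"
        self.valid[token] = 2
        return Response(302, {"Set-Cookie": f"SID={token}; HttpOnly",
                              "Location": "/home"}, "")

    def get(self, path, cookie):
        m = re.match(r"SID=(\w+)", cookie or "")
        token = m.group(1) if m else None
        if token not in self.valid or self.valid[token] == 0:
            return Response(302, {"Location": "/login"}, "")   # expired
        self.valid[token] -= 1
        return Response(200, {}, f"<html>page {path}</html>")


class ScannerSession:
    """Tracks the session cookie, detects expiry, re-authenticates, retries once."""
    def __init__(self, server, user, password):
        self.server, self.user, self.password = server, user, password
        self.cookie = None
        self.relogins = 0
        self.login()

    def login(self):
        r = self.server.login(self.user, self.password)
        # Session token detection: pull the SID cookie out of Set-Cookie.
        m = re.search(r"(SID=\w+)", r.headers.get("Set-Cookie", ""))
        self.cookie = m.group(1) if m else None

    @staticmethod
    def expired(r):
        # Expiry signal assumed here: redirect to the login page.
        return r.status == 302 and r.headers.get("Location", "").endswith("/login")

    def get(self, path):
        r = self.server.get(path, self.cookie)
        if self.expired(r):          # reacquire the token and retry the request
            self.relogins += 1
            self.login()
            r = self.server.get(path, self.cookie)
        return r
```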

Crawling:
- Define starting URL
- Define additional hostnames or exclusions for specific criteria
- Support automated form submission
- Detect error pages and custom 404 pages
- Redirect support
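Detecting custom 404 pages, as listed under crawling: the crawler requests a path that cannot exist, fingerprints that response, and then treats later responses that look the same as "not found" even when the server answers 200. Added illustration, not the presentation's code; the site is a constructed in-memory stand-in and the 0.9 similarity threshold is an assumption.

```python
"""Custom (soft) 404 detection for a crawler."""
import difflib
import re
import secrets

KNOWN_PAGES = {  # constructed target: the only paths that really exist
    "/": "<html><h1>Shop</h1><p>Welcome to the constructed shop.</p></html>",
    "/cart": "<html><h1>Cart</h1><p>Your cart is empty.</p></html>",
}


def fake_site(path):
    """Return (status, body). Unknown paths get HTTP 200 with a custom error page."""
    if path in KNOWN_PAGES:
        return 200, KNOWN_PAGES[path]
    return 200, (f"<html><h1>Oops</h1><p>The page {path} could not be found. "
                 "Try our <a href='/'>home page</a>.</p></html>")


def normalize(body, path):
    """Drop the echoed path and digits so per-request variation does not matter."""
    return re.sub(r"\d+", "", body.replace(path, ""))


class NotFoundDetector:
    """Learn what 'not found' looks like on this site, then classify responses."""
    def __init__(self, fetch, threshold=0.9):
        self.fetch, self.threshold = fetch, threshold
        probe = "/" + secrets.token_hex(8)          # a path that cannot exist
        status, body = fetch(probe)
        self.baseline = (status, normalize(body, probe))

    def is_not_found(self, path, status, body):
        if status == 404:
            return True
        if self.baseline[0] != 200:   # site uses real 404s, so a 200 is content
            return False
        sim = difflib.SequenceMatcher(
            None, self.baseline[1], normalize(body, path)).ratio()
        return sim >= self.threshold

    def crawl(self, paths):
        """Return only the paths that serve real content."""
        live = []
        for p in paths:
            status, body = self.fetch(p)
            if not self.is_not_found(p, status, body):
                live.append(p)
        return live
```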

Data parsing:
- HTML
- JavaScript
- VBScript
- XML
- Plaintext
- ActiveX objects
- Flash

Command and control:
- Schedule scans
- Pause / resume
- Real-time status of running scans
- Run multiple scans simultaneously
- GUI, CLI and web-based interface
- Extensibility & interoperability

Reporting:
- Executive summary
- Technical detailed report
- Delta reports
- Compliance report
- Customization
- Report data file format

Which scanner is the best?
- What do you mean by “best”?
- Or the cheapest?

Scanner comparison by Larry Suto:

> … running each vendor's scanner against each of the vendor's test sites and comparing the results

By Chirita Ionel