Web Application Security Assessment and Vulnerability Assessment.

Web Application Security Scanner

Is your website hackable?
- 70% of the websites are at serious risk of being hacked.
- Web application attacks account for up to 70% of all cyber attacks.
- Website security is possibly the most overlooked aspect of securing the enterprise and should be a priority in any organization.
- Hackers are concentrating their efforts on web applications such as shopping carts, login pages, forms, dynamic content, etc.
- Web applications are accessible 24 hours a day, 7 days a week and control valuable data, since they often have direct access to the backend database (customer records, credit card details, etc.).

Firewalls, SSL and locked-down servers are futile against web application hacking
- Any defense at the network security level will provide no protection against web application attacks, since they are launched over port 80, which has to remain open.
- In addition, web applications are often tailor-made and therefore tested less than off-the-shelf software, so they are more likely to have undiscovered vulnerabilities.

How Does Hacking Work?

Acunetix Web Vulnerability Scanner

To safeguard your enterprise’s web applications from hackers, Acunetix Web Vulnerability Scanner, represented by E-Spin, is the solution you need! Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable vulnerabilities. Automated scans may be supplemented and cross-checked with a variety of manual tools to allow for comprehensive web site and web application penetration testing. In short, this powerful tool scans and automatically checks your web applications for SQL Injection, Cross Site Scripting (XSS) and other web vulnerabilities.

Acunetix History
Acunetix has pioneered web application security scanning technology: its engineers have focused on web security since as early as 1997 and have developed an engineering lead in web site analysis and vulnerability detection.

How Does Acunetix Work?
Acunetix WVS scans web applications for vulnerabilities, provides fixing recommendations and includes a reporting tool, so that web applications are less hackable or exploitable. The software performs the typical work of a hacker by scanning and executing various (non-destructive) hacking methods against the web application. It then lists all successful attempts and the scenario of each, so that developers can record which applications are exploitable and close the vulnerabilities. All in all, Acunetix WVS provides automatic and manual ways to search for software vulnerabilities within web applications, reports them and recommends ways to fix the problems.

Acunetix WVS Key Features

1. AcuSensor Technology
- New technology that allows you to identify more vulnerabilities than a traditional black box scanner whilst generating fewer false positives.
- Faster locating and fixing of vulnerabilities, whilst providing more information about each vulnerability: for instance, source code line number, stack trace and affected SQL query.
- Checks the web application configuration, e.g. misconfiguration of web.config or php.ini.

2. In-depth checking for SQL Injection, XSS and other vulnerabilities
Known static methods:
- Specific web application known exploits
- Directory enumeration
- Known web server exploits
- Known web technology exploits (e.g. PHP)
- Known network service exploits (e.g. DNS, FTP)
Unknown dynamic methods:
- SQL Injection
- Cross Site Scripting (XSS)
- Directory and link traversal
- File inclusion
- Source code disclosure

3. Port Scanner and Network Alerts
- Scans the web server for open ports.
- Also runs network alert checks against the network services running on open ports, such as DNS cache poisoning, SNMP weak community strings, weak SSH ciphers, etc.

4. Detailed Reports
- Able to generate different official and technical reports (customizable) to meet different users’ requirements: executive summary, vulnerability report, compliance (HIPAA, PCI, OWASP, SOX, WASC), pre- and post-comparison report, statistical reports, etc.

5. Advanced Penetration Tools
- Allow penetration testers to tune web application security checks.
- HTTP Editor: construct HTTP/HTTPS requests and analyze the web server response.
- HTTP Sniffer: intercept, log and modify all HTTP/HTTPS traffic and reveal all data sent by the web application.
- HTTP Fuzzer: perform sophisticated testing for buffer overflows and input validation.
- Blind SQL Injector: automated database data extraction tool, ideal for manual tests that allow further testing for SQL Injection.

6. Scan Ajax and Web 2.0 Technologies
- The Client Script Analyzer (CSA) engine allows a comprehensive scan of the latest and most complex Ajax/Web 2.0 applications for vulnerabilities.

7. Test Password Protected Areas and Web Forms
- The automatic HTML form filler fills in web forms and authenticates against web logins. The form filling process is stored and the sequence is replayed when scanning.

8. Analyze Website against the Google Hacking Database
- The Google Hacking Database (GHDB) is a database of queries used by hackers to identify sensitive data on your website, such as portal logon pages.
- Acunetix launches the GHDB queries against your website and identifies loopholes before the hackers do.
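The php.ini / web.config configuration check mentioned under feature 1, as an added example that is not Acunetix’s code: a small Python checker, with constructed sample files and a constructed subset of hardening rules (the scanner’s real rule set is not on the slide), that flags the kind of production misconfiguration such a scan reports.

```python
import configparser
import xml.etree.ElementTree as ET

# Expected production values for a few php.ini directives (constructed subset).
PHP_INI_RULES = {
    "display_errors": "Off",     # error pages leak paths, queries, stack traces
    "expose_php": "Off",         # drops the X-Powered-By version header
    "allow_url_include": "Off",  # blocks remote file inclusion via include()
    "allow_url_fopen": "Off",    # limits server-side fetches through file functions
}

def check_php_ini(text):
    """Return (directive, found, expected) for each directive not at its expected value."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       inline_comment_prefixes=(";",))
    parser.read_string("[PHP]\n" + text)  # php.ini is INI-like but may lack a [PHP] header
    findings = []
    for directive, expected in PHP_INI_RULES.items():
        found = parser.get("PHP", directive, fallback="<unset>")  # unset means PHP default
        if found.strip().lower() != expected.lower():
            findings.append((directive, found, expected))
    return findings

def check_web_config(xml_text):
    """Flag ASP.NET <customErrors mode="Off"> and <compilation debug="true">."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter("customErrors"):
        if elem.get("mode", "").lower() == "off":  # full error detail shown to remote clients
            findings.append(("customErrors/mode", elem.get("mode"), "On or RemoteOnly"))
    for elem in root.iter("compilation"):
        if elem.get("debug", "false").lower() == "true":  # debug build, verbose errors
            findings.append(("compilation/debug", elem.get("debug"), "false"))
    return findings

# Constructed samples that mirror a typical development configuration.
SAMPLE_PHP_INI = """; constructed sample php.ini
display_errors = On ; handy in development, dangerous in production
expose_php = On
allow_url_include = Off
"""
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
</configuration>"""
```

Running `check_php_ini(SAMPLE_PHP_INI)` reports display_errors, expose_php and the unset allow_url_fopen; `check_web_config(SAMPLE_WEB_CONFIG)` reports both ASP.NET settings.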

Benefits to Organization

IT Security Greatly Enhanced
- Acunetix’s unmatched automated and flexible manual scan capabilities provide comprehensive or selective-area scans.
- Able to have a truly secure web application in place, tested against various hacking attacks, to avoid unnecessary exploitation that would jeopardize the organization’s image.

Time Saving
- By using automated scanning, the ongoing routine scanning tasks are offloaded (if the administrator is allowed to do so based on company configuration), so the administrator can focus on value-added work such as interpreting the report and communicating its findings.
- In addition, the administrator is flexible enough to conduct a manual, specific scan (based on methods) in order to confirm whether the vulnerabilities have been fixed.

Reports
- With Acunetix capable of generating various reports, IT security staff are empowered to be proactive in managing security measures and ongoing compliance audits and monitoring.
- Based on the true and transparent report of all web application vulnerabilities, IT security staff are able to communicate those findings to the respective parties for fixing, reporting and compliance purposes.

Compliance
- Able to meet various legal and regulatory compliance requirements.

SYSTEM REQUIREMENTS:
- Windows XP, Vista, 2000, 2003 and 2008 Server, Windows 7
- Internet Explorer 6 or higher
- 250 MB of hard disk space
- 1 GB of RAM

Screenshot(s): In-depth checking for SQL Injection; AcuSensor Technology: identifying more vulnerabilities

Screenshot(s): Port Scanner and Network Alerts; Detailed Report

Screenshot(s): Advanced Penetration Tools; Analyze site against the Google Hacking Database