Security on the Web, Part One - Vulnerabilities
Ladd Van Tol, Senior Software Engineer
Vulnerabilities
- Client: browser, operating system, secondary software
- Server: web server, operating system, secondary software
- Network: protocol, transport

Types of Clients
- Web browsers
  - Internet Explorer: > 90% market share
  - Mozilla derivatives: < 5% market share
- Operating systems
  - Windows: > 90% market share
  - Macintosh: < 5% market share
  - Linux: < 1% market share
- Secondary software
  - Clients
  - Browser add-ons

Browser Protocol
- HyperText Transfer Protocol (HTTP)
  - Versions 1.0, 1.1
  - Stateless protocol over TCP/IP
  - Cookies
  - Basic authentication
  - Features: transfer encodings, keep-alive, pipelining
- Secure Sockets Layer (SSL)
  - Encrypts connections
  - Server identity verified by server certificate
  - Certificate issued by a certification authority

Browser Content
- HTML rendering
  - HTML 1.0, 2.0, 3.2, 4.01; XHTML 1.0, 1.1
  - XML + XSL
  - CSS 1.0, 2.0
- Embedded dynamic features
  - JavaScript, Java, ActiveX
  - Media players, other plug-ins

Client Vulnerabilities
- Social engineering
- Spoofing
  - Can exploit DNS, or look-alike URLs
- Embedding weaknesses
  - Java, ActiveX security policy
  - Plug-in security policy
- Buffer overflows
  - Can affect browser, OS, or add-on software
  - Could be a "remote root exploit"

Client Vulnerabilities (continued)
- Scripting weaknesses
  - JavaScript security policy
- Cross-site scripting (XSS) attacks
  - Targeted towards sites holding personal info
  - Often exploit unfiltered user input (comment areas, forums, etc.)
  - Inject malicious scripts which can steal cookies or other info
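The XSS mechanism just described, as an added Node.js example that is not part of the original slides: a comment renderer that echoes unfiltered input beside one that HTML-escapes it, plus the HttpOnly cookie attribute as a second layer against the cookie theft the slide mentions. The function names and the sample comment are assumptions made for this illustration.

```javascript
// Added example (not from the slides). Constructed sample of what a user
// might paste into a comment form on a site that does not filter input.
const SAMPLE_COMMENT = 'Nice post! <script>alert(1)</script>';

// The flaw: untrusted input is concatenated straight into the page, so the
// browser parses the <script> tag the commenter supplied and executes it.
function renderCommentUnsafe(author, body) {
  return `<div class="comment"><b>${author}</b>: ${body}</div>`;
}

// The fix: escape every untrusted value before it reaches the page. These
// five characters are the ones that can change HTML structure when emitted
// in element content or inside a quoted attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  }[ch]));
}

function renderCommentSafe(author, body) {
  return `<div class="comment"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Crude check used only to make the difference visible: does the rendered
// markup still contain a parseable <script> tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Defence in depth for the cookie-theft case: a cookie flagged HttpOnly is
// not exposed through document.cookie, so a script that does slip through
// cannot read the session identifier.
function sessionCookieHeader(sessionId) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; Secure; HttpOnly`;
}

console.log('unsafe:', renderCommentUnsafe('alice', SAMPLE_COMMENT));
console.log('safe:  ', renderCommentSafe('alice', SAMPLE_COMMENT));
```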

Privacy/Content
- Privacy policies
- Cookies
- Usage tracking
- Browser control over advertising
- Content filtering

Types of Servers
- Estimated 35 million servers on the web (includes virtual hosts)
- Apache
- Microsoft IIS*
- Sun ONE*
Source: © 2003, Netcraft
*Business sites are more likely to use commercial servers

Operating Systems
- Linux, BSD variants
- Windows flavor-of-the-week
- Solaris, other high-end Unixes

Secondary Services
- Database servers: MySQL, SQL Server, Oracle, DB2
- Web applications: implementation platforms
  - Scripting: PHP, Perl, Python, ASP, JSP, XSP
  - Java frameworks: J2EE, WebSphere, WebLogic, WebObjects
  - Other frameworks: .NET

Server Vulnerabilities
- Exploitable web applications: source of many serious targeted exploits
  - Unvalidated parameters
  - Broken access control
  - Session hijacking
  - Cross-site scripting flaws
  - Command injection flaws
  - Error handling problems
  - Insecure use of cryptography
  - Remote administration flaws
  - Web and application server misconfiguration

Server Vulnerabilities (continued)
- Other attacks
  - Denial of service
  - Remote root exploits
  - Network topology, protocols
  - Worms
- Limited ability to enforce acceptable use policies

Worm Example: Code Red
- Exploited an IIS vulnerability; worm deployed July 2001
- Launched a distributed denial of service (DDoS) attack

Networks
- Internet uses TCP/IP, UDP
- Connected networks
- Routers
- Domain Name Servers (DNS)
- Firewalls
- Virtual Private Networks (VPN)
- Proxy servers
- Load balancers

Network Vulnerabilities
- Availability
  - Attacks on key routers
  - Attacks on DNS
- Confidentiality
  - Sniffing clear-text traffic

Bibliography
- W3 Consortium
- w3schools browser stats
- Thawte
- Cross-site scripting FAQ
- Netcraft Web Server Survey
- CERT
- CAIDA Analysis of Code Red
- OWASP Top 10 Vulnerabilities
- Personal experience, 3+ years at: MacFixIt.com, MacCentral.com, VersionTracker.com