Intercepting Filter
Use to implement: input validation, page-level authorization, session management, audit logging.
Avoid: relying only on blacklist validation; output encoding in the filter; overly generous whitelist validation; XML denial of service; logging arbitrary HTTP parameters.
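Added example (not part of the original deck) of an Intercepting Filter that does the three things the slide assigns to it and sidesteps two of its "avoid" items: every parameter is checked against a per-name whitelist instead of a blacklist, page-level authorization is default deny, and the audit record names the offending parameter but never its value. It uses the javax.servlet API of the J2EE era (on Jakarta EE 9+ the packages are jakarta.*); the parameter names, paths, roles and session attribute names are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Intercepting Filter: whitelist input validation, page-level authorization
 * and audit logging. It does NOT encode output (that belongs in the view)
 * and never writes raw parameter values to the log.
 */
public class SecurityInterceptingFilter implements Filter {

    private static final Logger AUDIT = Logger.getLogger("audit");

    // Whitelist per parameter (assumed names). A parameter that is not
    // listed, or that fails its pattern, rejects the whole request.
    private static final Map<String, Pattern> PARAM_RULES = Map.of(
        "accountId", Pattern.compile("^[0-9]{1,12}$"),
        "sort",      Pattern.compile("^(date|amount)$"),
        "q",         Pattern.compile("^[\\p{L}\\p{N} _.-]{0,64}$"));

    // Pages reachable without a login; everything else needs a session.
    private static final Set<String> PUBLIC_PATHS = Set.of("/login", "/logout", "/health");

    // Path prefix -> roles allowed. An authenticated request to a path with
    // no entry is denied: forgetting a rule fails closed, not open.
    private static final Map<String, Set<String>> PAGE_ROLES = Map.of(
        "/admin/",   Set.of("ADMIN"),
        "/account/", Set.of("ADMIN", "CUSTOMER"));

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String pathInfo = request.getPathInfo();
        String path = request.getServletPath() + (pathInfo == null ? "" : pathInfo);
        HttpSession session = request.getSession(false);
        Object user = session == null ? null : session.getAttribute("user");
        Object role = session == null ? null : session.getAttribute("role");

        // 1. Page-level authorization.
        if (!PUBLIC_PATHS.contains(path)) {
            if (user == null) {
                AUDIT.warning("deny-unauthenticated path=" + path);
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            if (!roleAllowed(path, role)) {
                AUDIT.warning("deny-forbidden user=" + user + " path=" + path);
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }

        // 2. Whitelist input validation. Only the parameter NAME is logged:
        //    the value may be an attack string or a secret.
        String bad = firstInvalidParameter(request.getParameterMap());
        if (bad != null) {
            AUDIT.warning("reject-input user=" + user + " path=" + path + " param=" + bad);
            response.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }

        // 3. Audit the accepted request and pass it down the chain.
        AUDIT.info("allow user=" + user + " method=" + request.getMethod() + " path=" + path);
        chain.doFilter(req, res);
    }

    static boolean roleAllowed(String path, Object role) {
        for (Map.Entry<String, Set<String>> e : PAGE_ROLES.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return role != null && e.getValue().contains(role.toString());
            }
        }
        return false;   // no rule covers this protected page: deny
    }

    static String firstInvalidParameter(Map<String, String[]> params) {
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            Pattern rule = PARAM_RULES.get(e.getKey());
            if (rule == null) return e.getKey();               // unknown parameter
            for (String v : e.getValue()) {
                if (v == null || !rule.matcher(v).matches()) return e.getKey();
            }
        }
        return null;
    }
}
```

Map the filter to /* ahead of any other filter so nothing downstream sees an unvalidated request. The regular expressions are anchored and bounded on purpose: a whitelist such as `.*` or `[^<>]*` is the "overly generous whitelist" the slide warns about.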

Front Controller
Use to implement: logical resource mapping, session management, audit logging.
Avoid: physical resource mapping; unhandled mappings in the multiplexed resource mapping strategy; logging arbitrary HTTP parameters; duplicating common logic across multiple front controllers; invoking commands without sufficient authorization.

Context Object
Use to implement: whitelist input validation, flagging tainted variables.
Avoid: the context auto-population strategy; assuming the security context reflects all security concerns.

Application Controller
Use to implement: synchronizer tokens as an anti-CSRF mechanism, page-level authorization.
Avoid: unauthorized commands; unhandled commands; XSLT and XPath vulnerabilities; XML denial of service; disclosure of information in SOAP faults; publishing WSDL files.
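Added example (not from the original deck) of an Application Controller that resolves the request to a command from a fixed map and, before running it, enforces the synchronizer token on every state-changing command and checks the caller's role; an unknown command name maps to a default view rather than being left unhandled. The token is one random value per session, echoed in each form and compared in constant time. Command names, roles, the `_csrf` field name and the session attribute names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Application Controller with command whitelist, authorization and CSRF check. */
public class SecureApplicationController {

    /** A command returns the logical view name to render. */
    public interface Command { String execute(HttpServletRequest req); }

    private static final class Entry {
        final Set<String> roles; final boolean mutates; final Command cmd;
        Entry(Set<String> roles, boolean mutates, Command cmd) {
            this.roles = roles; this.mutates = mutates; this.cmd = cmd;
        }
    }

    // Only these commands exist; "mutates" marks the ones that need the token.
    private final Map<String, Entry> commands = Map.of(
        "viewAccount", new Entry(Set.of("CUSTOMER", "ADMIN"), false, r -> "account"),
        "transfer",    new Entry(Set.of("CUSTOMER"),          true,  r -> "transferDone"),
        "deleteUser",  new Entry(Set.of("ADMIN"),             true,  r -> "userDeleted"));

    /** Returns the logical view to dispatch to; never throws for bad client input. */
    public String dispatch(HttpServletRequest req) {
        String name = req.getParameter("cmd");
        Entry e = name == null ? null : commands.get(name);
        if (e == null) return "notFound";                        // unhandled command -> default view
        HttpSession session = req.getSession(false);
        String role = session == null ? null : (String) session.getAttribute("role");
        if (role == null) return "login";                        // unauthenticated
        if (!e.roles.contains(role)) return "forbidden";         // unauthorized command
        if (e.mutates) {
            if (!"POST".equals(req.getMethod())) return "forbidden";   // no state change via GET
            if (!CsrfToken.isValid(req)) return "forbidden";          // missing or wrong token
        }
        return e.cmd.execute(req);
    }

    /** Synchronizer token: one random value per session, echoed in every form. */
    public static final class CsrfToken {
        static final String SESSION_KEY = "csrfToken";
        public static final String PARAM = "_csrf";
        private static final SecureRandom RNG = new SecureRandom();

        /** Call once at login; render the result as a hidden field in every POST form. */
        public static String issue(HttpSession session) {
            byte[] b = new byte[32];
            RNG.nextBytes(b);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(b);
            session.setAttribute(SESSION_KEY, token);
            return token;
        }

        /** Accepts the token from the form field or an X-CSRF-Token header. */
        public static boolean isValid(HttpServletRequest req) {
            HttpSession session = req.getSession(false);
            if (session == null) return false;
            String expected = (String) session.getAttribute(SESSION_KEY);
            String supplied = req.getParameter(PARAM);
            if (supplied == null) supplied = req.getHeader("X-CSRF-Token");
            if (expected == null || supplied == null) return false;
            // Constant-time comparison; never log either value.
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         supplied.getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

In the JSP the token is emitted as `<input type="hidden" name="_csrf" value="${sessionScope.csrfToken}">`; because it is base64url it needs no further encoding, but any other value placed in an attribute does. Rotating the token at login, as `issue` is meant to be called, also prevents a token minted before authentication from being fixated into the authenticated session.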

View Helper
Use to implement: output encoding in a custom tag helper.
Avoid: XSLT and XPath vulnerabilities; unencoded user-supplied data.

Composite View
Use to implement: output encoding in custom tags.
Avoid: XSLT and XPath vulnerabilities; skipping the authorization check within sub-views (each included fragment must make its own check; the check on the enclosing page does not cover it).
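Added example (not from the original deck) of the custom-tag View Helper that both the View Helper and Composite View slides call for: a JSP SimpleTag that encodes a value for the output context the page author names. Encoding at the point of output, by context, is why the Intercepting Filter slide says not to do it in the filter: the same string needs different treatment inside an element body and inside a JavaScript string literal. The `sec:` prefix and the `value`/`context` attribute names are assumptions; the TLD that declares the tag is not shown.

```java
import java.io.IOException;

import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.SimpleTagSupport;

/**
 * <sec:out value="${account.owner}" context="html"/> or context="js".
 * An unknown context is an error, never a silent pass-through.
 */
public class EncodeTag extends SimpleTagSupport {
    private Object value;
    private String context = "html";

    public void setValue(Object value) { this.value = value; }
    public void setContext(String context) { this.context = context; }

    @Override
    public void doTag() throws JspException, IOException {
        String s = value == null ? "" : String.valueOf(value);
        String ctx = context == null ? "" : context;
        String encoded;
        switch (ctx) {
            case "html": encoded = forHtml(s); break;       // element body or quoted attribute
            case "js":   encoded = forJsString(s); break;   // inside a quoted JS string literal
            default: throw new JspException("unknown output context: " + ctx);
        }
        getJspContext().getOut().write(encoded);
    }

    /** Entity-encode the characters that can change HTML structure. */
    static String forHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                case '/':  out.append("&#x2F;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Hex-escape everything except ASCII letters and digits, so the result
     * cannot close the string literal, the script element, or an HTML comment.
     */
    static String forJsString(String s) {
        StringBuilder out = new StringBuilder(s.length() * 2);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')) {
                out.append(c);
            } else if (c < 0x80) {
                out.append(String.format("\\x%02X", (int) c));
            } else {
                out.append(String.format("\\u%04X", (int) c));
            }
        }
        return out.toString();
    }
}
```

The `html` encoder is sufficient for element bodies and for attribute values that are always quoted; an unquoted attribute, a URL, or a CSS value each need their own context, which is the argument for making `context` mandatory rather than guessing. For `<c:out>` users: it already does HTML encoding by default, but nothing for the JavaScript context.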

Service to Worker
Avoid: dispatching error pages without a default error handler.

Dispatcher View
Avoid: using user-supplied forward values (a forward target taken from the request lets the client pick any resource, including ones under /WEB-INF or behind a security constraint); assuming the user's navigation history.
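Added example (not from the original deck) covering the Front Controller's "logical resource mapping" together with the Dispatcher View's "user-supplied forward values": clients and commands name only a logical view, the physical JSP lives under /WEB-INF where it cannot be requested directly, an unmapped name gets a 404 instead of a forward, and a post-login "return to" is honoured only if it names an allowed logical view. The vulnerable forward is kept as a labelled "before". View names and paths are assumptions.

```java
import java.io.IOException;
import java.util.Map;
import java.util.Set;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Logical-to-physical view mapping for a Front Controller / Dispatcher View. */
public final class ViewDispatcher {

    // Logical name -> physical resource. Only these can ever be forwarded to.
    private static final Map<String, String> VIEWS = Map.of(
        "home",         "/WEB-INF/jsp/home.jsp",
        "login",        "/WEB-INF/jsp/login.jsp",
        "account",      "/WEB-INF/jsp/account.jsp",
        "transferDone", "/WEB-INF/jsp/transferDone.jsp",
        "forbidden",    "/WEB-INF/jsp/error403.jsp",
        "notFound",     "/WEB-INF/jsp/error404.jsp");

    // Views a client may ask to be returned to after login.
    private static final Set<String> RETURNABLE = Set.of("home", "account");
    private static final String DEFAULT_VIEW = "home";

    /**
     * The shape the slide says to avoid (kept for contrast, do not use):
     * ?next=/WEB-INF/web.xml or ?next=/admin/users.jsp is served, because
     * RequestDispatcher.forward is not subject to URL security constraints
     * and /WEB-INF is only protected against direct client requests.
     */
    @Deprecated
    public static void vulnerableForward(HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        req.getRequestDispatcher(req.getParameter("next")).forward(req, res);
    }

    /** Forward to a logical view; an unmapped name is an error, not a guess. */
    public static void forward(String logicalView, HttpServletRequest req, HttpServletResponse res)
            throws ServletException, IOException {
        String target = logicalView == null ? null : VIEWS.get(logicalView);
        if (target == null) {
            res.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, res);
    }

    /**
     * "Return to" after login without trusting the client's story about where
     * it came from: the request may suggest a logical view, but only a mapped,
     * returnable one is honoured; everything else lands on the default.
     */
    public static String safeReturnView(String requested) {
        if (requested != null && RETURNABLE.contains(requested)) {
            return requested;
        }
        return DEFAULT_VIEW;
    }
}
```

Using `safeReturnView(req.getParameter("returnTo"))` and then `forward(...)` gives the post-login redirect most applications want while making an open forward impossible by construction, since no request parameter is ever used as a path.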

Business Delegate
Use to implement: whitelist input validation.

Service Locator
Avoid: memory leaks in caching; open access to UDDI registries.

Session Facade
Use to implement: middle-tier authorization.
Avoid: unauthenticated client calls; deserializing objects from untrusted sources.
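Added example (not from the original deck) of a Session Facade that declares middle-tier authorization on the bean (class-level `@DenyAll`, so a method without its own `@RolesAllowed` cannot be called at all and unauthenticated calls are rejected by the container), adds an ownership check the role alone cannot express, and applies a look-ahead deserialization filter to a serialized object received from a client so that only the expected class, primitives, and bounded graphs are ever instantiated. The roles, the transfer-object shape, the limits and the in-memory ownership table are assumptions; the filter API is `java.io.ObjectInputFilter` (Java 9+).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.util.Map;
import java.util.Set;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.DenyAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"CUSTOMER", "ADMIN"})
@DenyAll   // default for every method: unreachable unless a method opts in below
public class AccountFacade {

    /** Transfer object a client may send serialized (assumed shape). */
    public static final class TransferRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public long fromAccount;
        public long toAccount;
        public long amountCents;
    }

    @Resource
    private SessionContext ctx;

    // Constructed stand-in for the account store: principal -> accounts owned.
    private static final Map<String, Set<Long>> OWNERSHIP = Map.of(
        "alice", Set.of(1001L, 1002L),
        "bob",   Set.of(2001L));

    // Every class the facade expects in the stream, and nothing else.
    private static final Set<String> ALLOWED = Set.of(TransferRequest.class.getName());

    @RolesAllowed({"CUSTOMER", "ADMIN"})
    public String submitTransfer(byte[] serializedRequest) throws IOException, ClassNotFoundException {
        String caller = ctx.getCallerPrincipal().getName();   // container authenticated the caller
        Object obj = readFiltered(serializedRequest);
        if (!(obj instanceof TransferRequest)) {
            throw new IllegalArgumentException("unexpected payload type");
        }
        TransferRequest tr = (TransferRequest) obj;
        // Middle-tier authorization beyond the role: a CUSTOMER may only debit their own account.
        if (!ctx.isCallerInRole("ADMIN")
                && !OWNERSHIP.getOrDefault(caller, Set.of()).contains(tr.fromAccount)) {
            throw new EJBAccessException("caller does not own account " + tr.fromAccount);
        }
        return "accepted " + tr.amountCents + " cents from " + tr.fromAccount
             + " to " + tr.toAccount + " for " + caller;
    }

    /** Look-ahead deserialization: the filter sees every class before it is instantiated. */
    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(AccountFacade::filter);
            return in.readObject();   // throws InvalidClassException on REJECTED
        }
    }

    static ObjectInputFilter.Status filter(ObjectInputFilter.FilterInfo info) {
        // Resource limits first: deep graphs and big arrays are a DoS on their own.
        if (info.depth() > 8 || info.references() > 100 || info.arrayLength() > 1_000
                || info.streamBytes() > 16 * 1024) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED;   // no class in this callback
        while (c.isArray()) c = c.getComponentType();
        return c.isPrimitive() || ALLOWED.contains(c.getName())
            ? ObjectInputFilter.Status.ALLOWED
            : ObjectInputFilter.Status.REJECTED;
    }
}
```

The same filter can be installed process-wide with `ObjectInputFilter.Config.setSerialFilter`, or via the `jdk.serialFilter` system property, so that a forgotten `ObjectInputStream` elsewhere in the tier is covered too. Where the facade does not genuinely need Java serialization, the stronger fix is to accept a plain data format instead.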

Application Service
Avoid: unauthenticated client calls.

Business Object

Composite Entity
Avoid: plaintext transmission of confidential data; interpreter injection.

Transfer Object
Avoid: plaintext transmission of confidential data.

Transfer Object Assembler

Value List Handler

Data Access Object
Avoid: interpreter injection (for a DAO, chiefly SQL injection); improper resource closing; unencrypted connection string storage.

Service Activator
Avoid: denial of service in message queues; unauthenticated messages; unauthorized messages; dynamic SQL in the database response strategy; unvalidated addresses in the response strategy.

Domain Store
Avoid: interpreter injection; improper closing of resources; unencrypted storage of connection strings.
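Added example (not from the original deck) for the three "avoid" items the Data Access Object and Domain Store slides share: the injectable, resource-leaking query is kept as a labelled "before", the hardened version binds data with PreparedStatement and closes Connection, PreparedStatement and ResultSet with try-with-resources on every path, an identifier that cannot be bound (the sort column) comes from a fixed whitelist, and the credentials stay in the container's DataSource configuration rather than in a JDBC URL in code. Table, column and JNDI names are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

/** Data Access Object for the account table (assumed schema: account(id, owner, opened_on, balance)). */
public class AccountDao {

    private final DataSource ds;

    /**
     * Credentials live in the container's pool definition, not here. The
     * form to avoid is a literal such as
     * DriverManager.getConnection("jdbc:postgresql://db/app?user=app&password=...")
     * which puts the secret into source control and every heap dump.
     */
    public AccountDao() throws NamingException {
        this.ds = (DataSource) new InitialContext().lookup("java:comp/env/jdbc/AccountDS");
    }

    AccountDao(DataSource ds) { this.ds = ds; }   // for tests

    /**
     * The slide's "interpreter injection" and "improper resource closing" in one
     * place (kept for contrast, do not use): owner = "x' OR '1'='1" returns every
     * row, and neither Statement nor ResultSet is closed if next() throws.
     */
    @Deprecated
    public List<Long> vulnerableAccountIds(Connection c, String owner) throws SQLException {
        Statement st = c.createStatement();
        ResultSet rs = st.executeQuery("SELECT id FROM account WHERE owner = '" + owner + "'");
        List<Long> ids = new ArrayList<>();
        while (rs.next()) ids.add(rs.getLong(1));
        rs.close();
        st.close();
        return ids;
    }

    /** Data goes in bind parameters; resources close in reverse order, exceptions included. */
    public List<Long> accountIds(String owner) throws SQLException {
        String sql = "SELECT id FROM account WHERE owner = ? ORDER BY id";
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);
            return idsFrom(ps);
        }
    }

    // Identifiers cannot be bound, so the only safe source is a fixed whitelist.
    private static final Set<String> SORT_COLUMNS = Set.of("id", "opened_on", "balance");

    public List<Long> accountIdsSorted(String owner, String sortColumn) throws SQLException {
        if (sortColumn == null || !SORT_COLUMNS.contains(sortColumn)) {
            throw new IllegalArgumentException("unsupported sort column");
        }
        String sql = "SELECT id FROM account WHERE owner = ? ORDER BY " + sortColumn;
        try (Connection c = ds.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, owner);
            return idsFrom(ps);
        }
    }

    private static List<Long> idsFrom(PreparedStatement ps) throws SQLException {
        try (ResultSet rs = ps.executeQuery()) {
            List<Long> ids = new ArrayList<>();
            while (rs.next()) ids.add(rs.getLong(1));
            return ids;
        }
    }
}
```

The whitelist for `sortColumn` matters because concatenating an identifier is exactly what `vulnerableAccountIds` does with a value; a PreparedStatement protects only the positions where `?` is legal. Returning a DataSource from JNDI also means the pool, not the DAO, decides how long a leaked connection would have lived, which is the other reason the try-with-resources form is not optional.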

Web Services Broker
Avoid: sending stack traces and other detailed information in SOAP faults; publishing WSDL files; using DTDs; unauthenticated or unauthorized web service requests; using user-supplied data without input validation; excessively large XML messages.
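Added example (not from the original deck) for three of the Web Services Broker items that are fixed in code rather than in deployment: a DOM parser with DOCTYPE declarations and external entities disabled (which removes both XXE and entity-expansion denial of service), a hard cap on the message size enforced before any byte reaches the parser, and a SOAP fault that carries a correlation id for the server log instead of the exception message and stack trace. The same settings also serve the Application Controller slide's "XML denial of service" item. The 1 MiB cap is an assumption to tune to the largest legitimate message; the parser features are the Xerces names honoured by the JDK's built-in parser.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.soap.SOAPConstants;
import javax.xml.soap.SOAPException;
import javax.xml.soap.SOAPFactory;
import javax.xml.soap.SOAPFault;
import javax.xml.ws.soap.SOAPFaultException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hardened XML intake and fault handling for a Web Services Broker. */
public final class HardenedBroker {

    private static final Logger LOG = Logger.getLogger(HardenedBroker.class.getName());
    static final int MAX_MESSAGE_BYTES = 1 << 20;   // 1 MiB, assumed

    /** No DOCTYPE, so no internal or external entities; no XInclude; secure processing on. */
    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Belt and braces in case a parser ignores the DOCTYPE feature:
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    /** Reads at most MAX_MESSAGE_BYTES; a larger body is refused before the parser sees it. */
    public static Document parseBounded(InputStream body)
            throws IOException, ParserConfigurationException, SAXException {
        byte[] buf = body.readNBytes(MAX_MESSAGE_BYTES + 1);
        if (buf.length > MAX_MESSAGE_BYTES) {
            throw new IOException("message exceeds " + MAX_MESSAGE_BYTES + " bytes");
        }
        return newBuilder().parse(new ByteArrayInputStream(buf));
    }

    /**
     * Logs the real cause server-side under a correlation id and returns a
     * client-side fault (SOAP 1.1 "Client" code) that reveals only that id.
     */
    public static SOAPFaultException toClientFault(Exception cause) {
        String correlationId = UUID.randomUUID().toString();
        LOG.log(Level.WARNING, "request failed, correlationId=" + correlationId, cause);
        try {
            SOAPFault fault = SOAPFactory.newInstance().createFault(
                "Request rejected. Reference: " + correlationId,
                new QName(SOAPConstants.URI_NS_SOAP_ENVELOPE, "Client"));
            return new SOAPFaultException(fault);
        } catch (SOAPException e) {
            throw new IllegalStateException("cannot build SOAP fault", e);
        }
    }
}
```

A handler then wraps its work as `try { Document d = HardenedBroker.parseBounded(in); ... } catch (Exception e) { throw HardenedBroker.toClientFault(e); }`, so a malformed or oversized message and an internal failure look identical to the caller. The remaining items on the slide are deployment matters: switch off the `?wsdl` endpoint where consumers do not need it, and put authentication and authorization in front of the broker rather than trusting the message body to say who sent it.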