Web Application Security Raymond Camden

Slides:



Advertisements
Similar presentations
PHP Form and File Handling
Advertisements

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
CIS 451: ASP Sessions and Applications Dr. Ralph D. Westfall January, 2009.
Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Using CGIDEV2 Examples. Web Resources Partner Scott Klement
FORESEC Academy FORESEC Academy Security Essentials (II)
Client-Side programming with JavaScript 3
Reading Data in Web Pages tMyn1 Reading Data in Web Pages A very common application of PHP is to have an HTML form gather information from a website's.
WEB FORM DESIGN. Creating forms for a web page For your web project you have to design a form for inclusion on your web site (the form information should.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.
By Daniel Siassi.  XHTML  For Structure  CSS  For Stylization of Structure  SQL Database  Store Customer, Calendar, and Order Data  PHP  Server-side.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Working with Cookies Managing Data in a Web Site Using JavaScript Cookies* *Check and comply with the current legislation regarding handling cookies.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Robinson_CIS_285_2005 HTML FORMS CIS 285 Winter_2005 Instructor: Mary Robinson.
Security Testing Case Study 360logica Software Testing Services.
Internet Browsing the world. Browse Internet Course contents Overview: Browsing the world Lesson 1: Internet Explorer Lesson 2: Save a link for future.
1 Accelerated Web Development Course JavaScript and Client side programming Day 2 Rich Roth On The Net
Chapter 8 Cookies And Security JavaScript, Third Edition.
Oracle Application Express Security. © 2009 Oracle Corporation Authentication Out-of-the-Box Pre-Configured Schemes LDAP Directory credentials Oracle.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
How to safely use Facebook. Ken Loveday. TIPS FOR PROTECTING PERSONAL INFORMATION FACEBOOK LOGIN  Required Info  Name   Password  Birthday.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Website Development with PHP and MySQL Saving Data.
ColdFusion Security Michael Smith President TeraTech, Inc ColdFusion, Database & VB custom development
CGI Programming. What is it? CGI –Common Gateway Interface Standard way to pass information back to the Web Server –GET Query String –POST Standard Input.
1 Chapter 9 – Cookies, Sessions, FTP, and More spring into PHP 5 by Steven Holzner Slides were developed by Jack Davis College of Information Science.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Application.cfm tips and Tricks Michael Smith President TeraTech, Inc ColdFusion, database & VB custom development and training.
Input Validation – common associated risks  ______________ user input controls SQL statements ultimately executed by a database server
Crash Course in Web Hacking
1 Building FORMS In When a visitor enters information into a web form displayed in a web browser and clicks the submit button, the information is sent.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
Web Development 101 Presented by John Valance
Group 19 Juan O’Connell Justin Rand ECE 4112 Group 19 May 1, 2007 Georgia Institute of Technology College of Engineering School of Electrical and Computer.
Implementing and Using the SIRWEB Interface Setup of the CGI script and web procfile Connecting to your database using HTML Retrieving data using the CGI.
Organisations and Data Management 1 Data Collection: Why organisations & individuals acquire data & supply data via websites 2Techniques used by organisations.
PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions.
WEB FORM DESIGN. Creating forms for a web page For your web project you have to design a form for inclusion on your web site (the form information should.
Form Processing Week Four. Form Processing Concepts The principal tool used to process Web forms stored on UNIX servers is a CGI (Common Gateway Interface)
Since you’ll need a place for the user to enter a search query. Every form must have these basic components: – The submission type defined with the method.
Web Technologies Lecture 6 State preservation. Motivation How to keep user data while navigating on a website? – Authenticate only once – Store wish list.
 A cookie is often used to identify a user. A cookie is a small file that the server embeds on the user's computer. Each time the same computer requests.
Java Programming: Advanced Topics 1 Building Web Applications Chapter 13.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Unit 4 Working with data. Form Element HTML forms are used to pass data to a server. A form can contain input elements like text fields, checkboxes, radio-buttons,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
MapServer In its most basic form, MapServer is a CGI program that sits inactive on your Web server. When a request is sent to MapServer, it uses.
NMD202 Web Scripting Week9.
Session Tracking Techniques
PHP Forms and Databases.
Presentation transcript:

Web Application Security Raymond Camden

What We Will Discuss… Identify and Protect Input Points Security Through Obscurity… Cross-site scripting Web Server Tips Resources Q & A

Input Points Web communication is stateless Page A passes information to Page B – URL parameters – Form fields – Cookies

Input Points – URL parameters Visible to the user Easy to change

Input Points – Form variables Like URL variables, form variables should be checked before being passed to SQL Don’t rely on JavaScript checking Hidden fields are harder to change, but not impossible

Input Points – Cookies Don’t store information in unencrypted form Treat them just like URL vars.

Security Through Obscurity… Is not really security! If you are going to do it, do it right. Keep includes and custom tags out of the web root. Encrypt URL values, give them weird names.

Cross-site scripting Again, it’s the input! User input displayed on screen, and in context For more info, see:

Web Server Tips Turn off Directory Browsing! Beware IIS and +.htr and ::$DATA This URL patches +.htr – s asp s asp Info on ::$DATA – &Method=Full

Resources Allaire’s Security Zone – Security Best Practices – &method=full

Q & A Contact Information: –