Web Application Security
Raymond Camden

What We Will Discuss…
– Identify and Protect Input Points
– Security Through Obscurity…
– Cross-site scripting
– Web Server Tips
– Resources
– Q & A
Input Points
Web communication is stateless. Page A passes information to Page B via:
– URL parameters
– Form fields
– Cookies

Input Points – URL parameters
– Visible to the user
– Easy to change

Input Points – Form variables
– Like URL variables, form variables should be checked before being passed to SQL
– Don’t rely on JavaScript checking
– Hidden fields are harder to change, but not impossible

Input Points – Cookies
– Don’t store information in unencrypted form
– Treat them just like URL vars
Security Through Obscurity…
– Is not really security!
– If you are going to do it, do it right
– Keep includes and custom tags out of the web root
– Encrypt URL values, give them weird names

Cross-site scripting
– Again, it’s the input!
– User input displayed on screen, and in context
– For more info, see:
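The input-point rules above (URL, form and cookie values all checked server-side before they reach SQL) and the cross-site scripting point (encode user input before displaying it) in one added example; this is not code from the talk, and the request dictionary, user table and handler names are constructed for illustration:

```python
import html
import re
import sqlite3

# Constructed sample request: every input point is untrusted, whichever
# source it came from (a hidden form field and a cookie have been tampered with).
SAMPLE_REQUEST = {
    "url": {"id": "42"},
    "form": {"name": "Bob <script>alert(1)</script>", "id": "7"},
    "cookie": {"userid": "1 OR 1=1"},
}

ID_PATTERN = re.compile(r"^\d{1,9}$")


def collect_inputs(request):
    """Merge URL, form and cookie values; each key records where it came from."""
    merged = {}
    for source in ("url", "form", "cookie"):
        for key, value in request.get(source, {}).items():
            merged.setdefault(key, []).append((source, value))
    return merged


def parse_id(value):
    """Server-side check (not JavaScript): an id is a short decimal integer or it is rejected."""
    return int(value) if ID_PATTERN.match(value) else None


def make_demo_db():
    """Constructed in-memory table standing in for the real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(42, "Alice"), (7, "Mallory")])
    return conn


def lookup_user(conn, user_id):
    """Parameterised query: the value is bound, never spliced into the SQL text."""
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


def render_greeting(name):
    """Encode for the HTML body context before echoing anything user-controlled."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def handle(request, conn):
    """Whole flow: collect, validate, query with parameters, encode on output."""
    first_id = collect_inputs(request).get("id", [("", "")])[0][1]
    user_id = parse_id(first_id)
    if user_id is None:
        return "<p>Bad request</p>"
    return render_greeting(lookup_user(conn, user_id) or "stranger")
```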
Web Server Tips
– Turn off Directory Browsing!
– Beware IIS and +.htr and ::$DATA
– This URL patches +.htr –
– Info on ::$DATA – &Method=Full

Resources
– Allaire’s Security Zone –
– Security Best Practices – &method=full

Q & A
Contact Information: –