Web2.0 Secure Development Practice Bruce Xia

Agenda
• Background
• User Access Control
• Session Management
• Output Filtering
• Data Security and Misc

Background
• Web2.0 top 5 issues: Phishing, A.A. (Authentication and Authorization), XSS, Information leakage, CSRF

Access Control (1)

Access Control (2)
• Do not depend on client-side controls
  – Hiding UI elements is not a secure way to enforce access control; the server must check every request.
  – Do not use JavaScript/VBScript alone to decide which actions a user may perform.

Access Control (3)
• Always check data ownership
  – Typical bug: the handler never checks that the requested resource belongs to the current user, so changing an ID in the request exposes or modifies another user's data.

Access Control (4)
• Do not rely on any flag parameters
  – Example: a request such as …=xxxxx&type=1 where a flag like from=LoginSuccess decides whether the action is allowed.
  – HTTP request parameters, whether in the URL or in POST form data, are trivially modified by the client.

Access Control (5)
• Protect critical operations (CSRF)
  – Same request …=xxxxx&type=1, now with "from" validated against the session: still not enough, because critical operations and externally published URLs are not protected against requests forged by another site in the victim's browser.

Access Control (6)
• Protect against replay attacks
  – …&type=1 with Ticket = SHA(username+secureKey): the ticket is identical for every request, so a captured one can be replayed.
  – Ticket = SHA(username+secureKey+nonce): add a nonce or timestamp to requests for important actions, and reject reuse on the server.
  – In practice, compute the ticket with an HMAC keyed by the secret rather than a bare hash of key and data.
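
The ticket scheme from Access Control (4) to (6), worked through as an added example; this is not code from the talk. The server secret, the session ID, the action names and the in-memory nonce store are assumptions for illustration. It uses HMAC-SHA256 instead of a bare SHA(username+secureKey+nonce), because a plain hash of key||data is not a MAC (it is open to length extension). Binding the ticket to the server-side session and the action makes it a CSRF token as well; the nonce store plus a timestamp window stops replay.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret (assumption); load it from a secret store in production.
SECRET_KEY = secrets.token_bytes(32)


def static_ticket(key: bytes, username: str) -> str:
    """The slide's first scheme, Ticket = SHA(username+secureKey): no per-request input,
    so the ticket is identical for every request and a captured one replays forever."""
    return hashlib.sha256(username.encode() + key).hexdigest()


def make_ticket(key: bytes, session_id: str, action: str, nonce: str, ts: int) -> str:
    """HMAC over everything the server must later trust: who, which action, which request, when.
    HMAC rather than SHA(key+data): a bare hash of key||data is open to length extension."""
    msg = "|".join([session_id, action, nonce, str(ts)]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ActionGuard:
    """Issues and verifies one-time tickets for critical operations."""

    def __init__(self, key: bytes = SECRET_KEY, max_age: int = 300, clock=time.time):
        self.key = key
        self.max_age = max_age          # seconds a ticket stays valid
        self.clock = clock              # injectable for tests
        self.used_nonces = set()        # demo store; production needs a shared, expiring store

    def new_ticket(self, session_id: str, action: str) -> dict:
        """Fields the server embeds in the form or link that triggers the critical action."""
        nonce = secrets.token_hex(16)
        ts = int(self.clock())
        return {"nonce": nonce, "ts": ts,
                "ticket": make_ticket(self.key, session_id, action, nonce, ts)}

    def verify(self, session_id: str, action: str, params: dict) -> tuple:
        """Return (ok, reason). session_id comes from the server-side session, never from the request."""
        try:
            nonce, ts, ticket = str(params["nonce"]), int(params["ts"]), str(params["ticket"])
        except (KeyError, ValueError):
            return False, "missing ticket fields"
        expected = make_ticket(self.key, session_id, action, nonce, ts)
        if not hmac.compare_digest(expected, ticket):   # constant-time comparison
            return False, "bad ticket"                  # forged, tampered, other session or other action
        if abs(int(self.clock()) - ts) > self.max_age:
            return False, "expired"
        if nonce in self.used_nonces:
            return False, "replayed"
        self.used_nonces.add(nonce)
        return True, "ok"


def demo() -> dict:
    """Walk through the cases on the slides; returns the verdicts so they can be checked."""
    guard = ActionGuard()
    session = "sess-1234"                                   # from the server-side session store
    params = guard.new_ticket(session, "transfer")
    results = {"first": guard.verify(session, "transfer", params),
               "replay": guard.verify(session, "transfer", params)}      # same request again
    # CSRF: an attacker can make the victim's browser send the URL, but cannot know the ticket
    results["forged"] = guard.verify(session, "transfer", dict(params, nonce="attacker-chosen"))
    # A ticket issued for one action does not authorise a different one
    results["wrong_action"] = guard.verify(session, "transfer", guard.new_ticket(session, "view"))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:12s} -> {verdict}")
```

The order of checks matters: the HMAC is verified first so that nothing derived from unauthenticated input (the timestamp, the nonce) is consulted before the request is known to be genuine.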

Session Management
• Clear sessions on login and logout: issue a fresh session ID after login (so a pre-set ID cannot be fixated) and invalidate the server-side session on logout
• Cookie management
  – Protect cookie values that are only used by the server (sign or encrypt them, or keep the state server-side behind an opaque ID)
  – Lifetime setting
  – "Secure" and "HttpOnly" flags
  – Domain name and path scope
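
The session and cookie rules above, as an added example that is not code from the talk. Everything in it is assumed for illustration: the in-memory SessionStore, the cookie name SID, the host app.example.com and the signing key. SameSite appears alongside the slide's Secure and HttpOnly flags as a later browser addition that also serves the CSRF point from the access-control slides.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "SID"                       # assumed cookie name
COOKIE_KEY = secrets.token_bytes(32)         # assumed server-side key for signed cookie values


class SessionStore:
    """Server-side session state behind an opaque, random session ID."""

    def __init__(self, idle_timeout: int = 1800, clock=time.time):
        self.sessions = {}                   # sid -> {"user": ..., "last": ...}
        self.idle_timeout = idle_timeout     # server-side lifetime, independent of the cookie
        self.clock = clock                   # injectable for tests

    def create(self, user=None) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": user, "last": self.clock()}
        return sid

    def get(self, sid):
        """Look up a session; an idle one is destroyed rather than returned."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        if self.clock() - s["last"] > self.idle_timeout:
            self.destroy(sid)
            return None
        s["last"] = self.clock()
        return s

    def destroy(self, sid) -> None:
        self.sessions.pop(sid, None)

    def login(self, old_sid, user) -> str:
        """Drop whatever ID the browser had before authentication and issue a new one, so an
        ID planted by an attacker (session fixation) is never upgraded to a logged-in session."""
        self.destroy(old_sid)
        return self.create(user)

    def logout(self, sid) -> None:
        self.destroy(sid)                    # server-side state gone even if the cookie lingers


def session_cookie_header(sid: str, domain: str, path: str = "/", max_age: int = 1800) -> str:
    """Set-Cookie value carrying the slide's flags and scoping (SameSite is a later addition)."""
    jar = SimpleCookie()
    jar[SESSION_COOKIE] = sid
    m = jar[SESSION_COOKIE]
    m["secure"] = True          # only sent over HTTPS
    m["httponly"] = True        # not readable from script, blunts cookie theft via XSS
    m["samesite"] = "Lax"       # not attached to most cross-site requests (CSRF)
    m["domain"] = domain        # exact host, not a parent domain shared with other apps
    m["path"] = path
    m["max-age"] = max_age
    return m.OutputString()


def sign_cookie_value(value: str, key: bytes = COOKIE_KEY) -> str:
    """For state that must ride in the cookie itself: append an HMAC so the client cannot alter it."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def read_signed_cookie_value(cookie: str, key: bytes = COOKIE_KEY):
    """Return the value if its tag verifies, else None (treat as no cookie at all)."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return value if tag and hmac.compare_digest(expected, tag) else None


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create()
    authenticated = store.login(anonymous, "alice")
    print("Set-Cookie:", session_cookie_header(authenticated, "app.example.com"))
    print("signed:", sign_cookie_value("role=user"))
```

Signing only stops tampering; a signed value is still readable by the client, so anything confidential stays server-side behind the session ID.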

Output Filtering (XSS)
• Filter user data through encoding APIs
  – Whenever user data is output, encode it with the API that matches the output context (HTML body, attribute, JavaScript, URL).
  – Use a proper JSON encoding method when user data is emitted as JSON inside a page.
• Run a code scanning tool
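
Context-specific output encoding, as an added example that is not code from the talk. The profile template, the three encoders and the payloads are constructed for illustration; the point is that one encoder does not fit every context, and that a JSON encoder used for an inline script must also neutralise the characters the HTML parser reacts to, since it sees the page before the JavaScript engine does.

```python
import html
import json
import re

_ALNUM = re.compile(r"[A-Za-z0-9]")


def encode_html_body(s: str) -> str:
    """Text between tags: escape the characters that can change HTML structure."""
    return html.escape(s, quote=True)


def encode_html_attr(s: str) -> str:
    """Attribute values: encode everything non-alphanumeric, so a stray quote can never
    close the attribute even if the template author forgot to quote it."""
    return "".join(ch if _ALNUM.match(ch) else f"&#x{ord(ch):x};" for ch in s)


def encode_for_script_json(value) -> str:
    """Data for an inline <script> block. json.dumps alone is not enough: the HTML parser
    sees '</script>' inside the string before JavaScript ever runs, so '<', '>' and '&'
    are written as \\u escapes (still valid JSON), as are U+2028/U+2029, which are line
    terminators in older JavaScript engines but legal inside JSON strings."""
    out = json.dumps(value, ensure_ascii=False)
    for ch, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026"),
                    ("\u2028", "\\u2028"), ("\u2029", "\\u2029")):
        out = out.replace(ch, esc)
    return out


def decodes_back(value) -> bool:
    """The extra escapes are ordinary JSON escapes, so the browser still sees the original data."""
    return json.loads(encode_for_script_json(value)) == value


def render_profile_unsafe(name: str, bio: str, prefs: dict) -> str:
    """The bug the slide warns about: user data concatenated with no context-aware encoding."""
    return (f"<h1>{name}</h1>\n"
            f'<input name="bio" value="{bio}">\n'
            f"<script>var prefs = {json.dumps(prefs)};</script>")


def render_profile(name: str, bio: str, prefs: dict) -> str:
    """Same template, one encoder per output context."""
    return (f"<h1>{encode_html_body(name)}</h1>\n"
            f'<input name="bio" value="{encode_html_attr(bio)}">\n'
            f"<script>var prefs = {encode_for_script_json(prefs)};</script>")


# Constructed payloads, one per context.
NAME = "<script>alert(1)</script>"
BIO = '" onfocus="alert(2)" autofocus="'
PREFS = {"theme": "</script><script>alert(3)</script>"}


def script_tags(markup: str) -> int:
    """Number of literal <script> openers in the rendered page (the template itself has one)."""
    return markup.count("<script>")


if __name__ == "__main__":
    print(render_profile_unsafe(NAME, BIO, PREFS))
    print()
    print(render_profile(NAME, BIO, PREFS))
```

The unsafe rendering ends up with three script openers (one from the template, two injected); the encoded one keeps exactly the template's own.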

Phishing and Data Security
• URL redirection: only redirect to targets on your own site, never to an arbitrary user-supplied URL
• Monitor unusual account activity
• HTTPS: when your code is the TLS client, verify the server certificate
  – Verify the CN (hostname) matches
  – Verify date validity
  – CRL query (revocation check)
• Protect saved important data
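
Two of the points on this slide, URL redirection and the HTTPS certificate checks, as an added example that is not part of the talk. The host app.example.com, the certificate dictionary and the timestamps are constructed; the dictionary mimics the shape of Python's SSLSocket.getpeercert() so the CN/SAN, validity and CRL settings can be shown offline. Python's create_default_context already performs the hostname and validity checks during the handshake; the explicit check_peer_cert spells out the slide's checklist.

```python
import ssl
import time
from urllib.parse import urljoin, urlsplit

OWN_HOST = "app.example.com"   # assumed hostname of our own application


def safe_redirect_target(target: str, own_host: str = OWN_HOST, default: str = "/") -> str:
    """Resolve the requested redirect against our own origin and keep it only if it stays there.
    '//evil.example', 'https://evil.example/x', 'https://app.example.com@evil.example/' and
    'javascript:alert(1)' all fall back to default; '/account?x=1' is kept."""
    base = f"https://{own_host}/"
    resolved = urlsplit(urljoin(base, target))
    if resolved.scheme != "https" or resolved.netloc.lower() != own_host.lower():
        return default
    return resolved.geturl()


def tls_client_context(ca_file=None, crl_file=None) -> ssl.SSLContext:
    """Client-side context enforcing the slide's checks: chain, CN/SAN, validity, and CRL."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED and check_hostname=True
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)      # a PEM CRL is loaded into the same store
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF   # reject a revoked server certificate
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def _hostname_matches(pattern: str, hostname: str) -> bool:
    p, h = pattern.lower(), hostname.lower()
    if p.startswith("*."):                         # one wildcard, leftmost label only
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return p == h


def check_peer_cert(cert: dict, hostname: str, now: float = None) -> tuple:
    """Explicit CN/SAN and validity checks over a dict shaped like SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not (not_before <= now <= not_after):
        return False, "certificate outside its validity period"
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:                                  # CN is only a fallback when there is no SAN
        names = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    if any(_hostname_matches(n, hostname) for n in names):
        return True, "ok"
    return False, "hostname does not match certificate"


# Constructed certificate in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "app.example.com"),),),
    "subjectAltName": (("DNS", "app.example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
DURING_VALIDITY = ssl.cert_time_to_seconds("Jun 15 12:00:00 2024 GMT")
AFTER_EXPIRY = ssl.cert_time_to_seconds("Mar 10 00:00:00 2025 GMT")

if __name__ == "__main__":
    for candidate in ("/account?x=1", "//evil.example/", "https://evil.example/x"):
        print(candidate, "->", safe_redirect_target(candidate))
    print(check_peer_cert(SAMPLE_CERT, "www.example.com", DURING_VALIDITY))
    print(check_peer_cert(SAMPLE_CERT, "app.example.com", AFTER_EXPIRY))
```

The redirect check deliberately resolves the candidate first: comparing raw strings against a prefix is how "https://app.example.com.evil.example/" slips through.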

Information Leakage
• Use POST rather than GET for sensitive data, so it does not end up in URLs, server logs and Referer headers
• Disable HTTP TRACE
• Unify messages: return the same message for equivalent failures (e.g. unknown user vs. wrong password) so the response does not reveal which check failed
• Do not expose personal information unnecessarily

Information Leakage
• Do not include sensitive information (stack traces, SQL, file paths, internal hostnames, credentials) in error messages or exception content returned to the client
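
The "unify same message" and error-message points from the two Information Leakage slides, as an added example that is not code from the talk. The user table, the password and the failing view are constructed; the POST and HTTP TRACE points are server configuration and are not shown here. The login does the same amount of work whether the user exists or not, so neither the message nor the response time says which check failed; the request wrapper logs the full traceback server-side under a reference ID and returns only that ID.

```python
import hashlib
import hmac
import logging
import secrets
import traceback

log = logging.getLogger("app")
LOGIN_FAILED = "Invalid username or password"   # one message for every failure cause


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt rather than MD5 (see the Misc slide); parameters kept small for the demo.
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 12, r=8, p=1)


# Constructed user table; only salted hashes are stored.
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}
# Compared against when the username is unknown, so the timing matches a real user.
_DUMMY = (_SALT, _hash_password("dummy-password", _SALT))


def login(username: str, password: str) -> tuple:
    """Unknown user and wrong password produce the same message and the same amount of work."""
    salt, stored = USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if username not in USERS or not matches:
        return False, LOGIN_FAILED
    return True, "ok"


def handle_request(view) -> dict:
    """Run a view. On failure the full traceback goes to the server log under a reference
    ID; the client gets only the ID, never the exception text or the stack."""
    try:
        return {"status": 200, "body": view()}
    except Exception:
        ref = secrets.token_hex(8)
        log.error("request failed ref=%s\n%s", ref, traceback.format_exc())
        return {"status": 500, "body": f"Something went wrong. Reference: {ref}"}


def failing_view():
    """Constructed failure whose message carries exactly what must not reach the client."""
    raise RuntimeError("DB connect failed: host=db1.internal user=app password=hunter2 (/etc/app.conf)")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    print(login("nobody", "x"))
    print(login("alice", "wrong"))
    print(login("alice", "correct horse"))
    print(handle_request(failing_view))
```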

Misc
• Use standard algorithms
  – Recommended: AES, SHA-family hashes
  – Avoid: DES, MD5
  – Avoid Math.random and java.util.Random for anything security-relevant (session IDs, tokens, nonces); use a cryptographically secure generator such as java.security.SecureRandom
• Page charset: declare the response charset explicitly so the browser cannot be tricked into interpreting the page in a different encoding
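
Why the slide rules out Math.random and java.util.Random, as an added example that is not code from the talk. The class below re-implements in Python the 48-bit linear congruential generator that the JDK documents for java.util.Random (Math.random is built on it); the seed and token format are constructed. With one observed token an attacker recovers the generator's state by trying the 65536 possible values of the hidden low bits and then produces every later token. The secure alternative in Python is the secrets module; on the JVM it is java.security.SecureRandom. AES is not shown because the Python standard library has no AES implementation.

```python
import secrets

MULT, ADD, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaRandom:
    """Re-implementation of the 48-bit LCG that java.util.Random documents. Only 48 bits of
    state, and every nextInt() call hands out the top 32 of them."""

    def __init__(self, seed: int):
        self.state = (seed ^ MULT) & MASK

    def _next(self, bits: int) -> int:
        self.state = (self.state * MULT + ADD) & MASK
        return self.state >> (48 - bits)

    def next_int(self) -> int:
        v = self._next(32)
        return v - (1 << 32) if v & (1 << 31) else v     # Java's int is signed


def _u32(v: int) -> int:
    return v & 0xFFFFFFFF


def recover_states(out1: int, out2: int) -> list:
    """Given two consecutive nextInt() values, the upper 32 bits of the state after the first
    call are known; brute-force the 16 missing low bits and keep those that yield the second."""
    hi = _u32(out1) << 16
    target = _u32(out2)
    found = []
    for low in range(1 << 16):
        nxt = ((hi | low) * MULT + ADD) & MASK
        if nxt >> 16 == target:
            found.append(nxt)          # full state after the second call
    return found


def _from_state(state: int) -> JavaRandom:
    r = JavaRandom(0)
    r.state = state
    return r


def predict_next_int(out1: int, out2: int) -> int:
    states = recover_states(out1, out2)
    if not states:
        raise ValueError("not consecutive java.util.Random.nextInt() outputs")
    return _from_state(states[0]).next_int()


def predictable_token(rng: JavaRandom) -> str:
    """A 128-bit 'random' token built the way the slide warns against (constructed format)."""
    return "".join(f"{_u32(rng.next_int()):08x}" for _ in range(4))


def predict_next_token(observed: str) -> str:
    """From one observed token, rebuild the generator and emit the token that follows it."""
    ints = [int(observed[i:i + 8], 16) for i in range(0, 32, 8)]
    for state in recover_states(ints[0], ints[1]):
        rng = _from_state(state)
        if all(_u32(rng.next_int()) == expected for expected in ints[2:]):
            return predictable_token(rng)
    raise ValueError("observed token was not produced by java.util.Random")


def secure_token() -> str:
    """What to use instead: an OS-backed CSPRNG (java.security.SecureRandom on the JVM)."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    rng = JavaRandom(20090601)
    first = predictable_token(rng)
    print("observed :", first)
    print("predicted:", predict_next_token(first))
    print("actual   :", predictable_token(rng))
```

The search is 65536 multiplications, well under a second; the 48-bit state is the whole problem, and no amount of reseeding from the clock fixes it.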

Summary
We have discussed the Web2.0 top 5: Phishing, A.A. (Authentication and Authorization), XSS, Information leakage, CSRF

Thank you!