Module: Software Engineering of Web Applications Chapter 3: user-input-validation testing of web applications



UIV User-input validation (UIV) is the first barricade that protects a web application from application-level attacks such as buffer overflow, code-injection attacks, hidden-field manipulation, and cross-site scripting. Attackers launch these attacks by sending malicious inputs to a web application. UIV protects a web application against these attacks by rejecting malicious inputs. Improving the quality of UIV is therefore a key means of enhancing a web application's security. These slides are designed to accompany module: Software Engineering of Web Applications.

Problem Unfortunately, web-application developers often forget to implement UIV, or implement defective UIV. As shown in a recent survey (Open Web Application Security Project, 2013), six of the top 10 vulnerabilities of web applications are induced by defective UIV. There is a strong need for an effective way to help improve the quality of UIV and thereby increase web applications' security.

UIV testing UIV testing is a common way in practice to improve the quality of UIV. There exist tools (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008; Fiddler, 2009; Burp Proxy, 2009; TamperIE, 2009) that test the UIV of web applications. These existing tools fall into two major categories: crawler-based (Nikto2, 2008; Wikto, 2008; Acunetix Web Vulnerability Scanner, 2008) and proxy-based (Fiddler, 2009; Burp Proxy, 2009; TamperIE, 2009) UIV testing tools.

Crawler-based UIV testing tools Crawler-based UIV testing tools retrieve HTML pages automatically and submit predefined test inputs to the server through these HTML pages. However, predefined test inputs alone may not suit a particular input field.

Example For example, consider an input field in a web application that requires a year value to be between 1999 and To test this input field, we shall enter possible boundary values such as 1998 or These boundary values may not exist in the predefined test inputs; hence, it may not be possible to check whether the web application deals with the boundary values properly.

As a result, crawler-based testing tools cannot detect these semantic-related UIV defects. We use the term semantic-related UIV defects to refer to defects that are induced by the lack of checking the semantics of inputs, and semantic-related test inputs are test inputs that can detect semantic-related UIV defects.
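The boundary-value example above, worked through as an added illustration that is not part of the slides: a year field's range constraint is turned into semantic-related test inputs, and those inputs are run against a syntax-only validator (the defect a crawler's predefined inputs cannot reveal) and against a validator that also checks the range. The range 1999..2024 and the predefined-input list are constructed sample values, not the slides' own.

```python
# Added example: semantic-related test inputs for a range-constrained year field.
import re

# Constructed stand-in for the generic, predefined inputs a crawler-based tool submits.
PREDEFINED_INPUTS = ["", "-1", "abc", "99999"]


def boundary_inputs(lo, hi):
    """Semantic-related test inputs for an integer range [lo, hi]:
    just outside, on, and just inside each bound."""
    return [str(v) for v in (lo - 1, lo, lo + 1, hi - 1, hi, hi + 1)]


def defective_validate_year(raw):
    """Syntax-only UIV: accepts any four-digit string. This is a
    semantic-related UIV defect, since the range is never checked."""
    return re.fullmatch(r"\d{4}", raw) is not None


def validate_year(raw, lo=1999, hi=2024):
    """Syntax plus semantics: four digits AND within the allowed range."""
    if re.fullmatch(r"\d{4}", raw) is None:
        return False
    return lo <= int(raw) <= hi


def run_uiv_test(validator, lo, hi, inputs):
    """Submit each test input to the validator. A defect is any input the
    validator accepts but which is not a year inside [lo, hi], or vice versa."""
    defects = []
    for raw in inputs:
        accepted = validator(raw)
        should_accept = raw.isdigit() and lo <= int(raw) <= hi
        if accepted != should_accept:
            defects.append(raw)
    return defects


if __name__ == "__main__":
    lo, hi = 1999, 2024
    # The predefined inputs expose nothing; the boundary inputs expose the defect.
    print("predefined vs defective UIV:", run_uiv_test(defective_validate_year, lo, hi, PREDEFINED_INPUTS))
    print("boundary   vs defective UIV:", run_uiv_test(defective_validate_year, lo, hi, boundary_inputs(lo, hi)))
    print("boundary   vs correct UIV:  ", run_uiv_test(validate_year, lo, hi, boundary_inputs(lo, hi)))
```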

Proxy-based UIV testing tools Unlike crawler-based UIV testing tools, proxy-based UIV testing tools allow developers to edit HTTP requests directly. These tools basically provide a manual testing approach, which keeps the maximum flexibility but gives no help with test input generation. The manual steps are tedious, and the creation of test inputs depends heavily on the developers' knowledge and experience.

Weber (2005), a senior security consultant, used Cross-Site Scripting (XSS) as an example to show how to test web applications for such vulnerabilities in practice using the proxy-based UIV testing technique. First, a developer finds a proxy tool that can intercept HTTP requests. Second, the developer maps the site and its functionality by discussing it with other developers and project managers.

Third, the developer identifies and lists the input fields. Fourth, the developer writes test inputs manually. Finally, the developer starts testing with the proxy tool and adjusts the test inputs as needed.
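As an added example (not from the slides or from Weber's article), the third step of this procedure in code: an inventory of a form's input fields together with the constraints the client side declares. Because a proxy lets a tester rewrite every one of those values before the request reaches the server, the inventory doubles as the list of checks the server-side UIV must enforce on its own. The form below is constructed sample HTML, not taken from any real site.

```python
# Added example: list a form's input fields and the server-side UIV checks each needs.
from html.parser import HTMLParser

# Constructed sample form; a proxy-based tester would capture the real one.
SAMPLE_FORM = """
<form action="/register" method="post">
  <input type="text" name="username" maxlength="16" required>
  <input type="number" name="birth_year" min="1999" max="2024">
  <input type="hidden" name="role" value="user">
  <select name="country"><option>NO</option><option>DE</option></select>
  <textarea name="bio"></textarea>
  <input type="submit" value="Register">
</form>
"""


class InputFieldLister(HTMLParser):
    """Collects every submittable field with the attributes a tester needs:
    declared type, client-side limits, and default value."""
    WANTED = ("type", "maxlength", "min", "max", "pattern", "required", "value")

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)
        if tag == "input" and a.get("type") in ("submit", "button", "reset"):
            return  # buttons carry no user-controlled data
        if a.get("name") is None:
            return  # unnamed fields are not submitted
        field = {"name": a["name"], "element": tag}
        for k in self.WANTED:
            if k in a:
                field[k] = True if a[k] is None else a[k]  # bare attrs like `required`
        self.fields.append(field)


def list_input_fields(html):
    parser = InputFieldLister()
    parser.feed(html)
    return parser.fields


def server_side_checks(field):
    """Checks the server must perform itself: hidden values and client-side
    limits can all be altered in the intercepted request."""
    checks = []
    if field.get("type") == "hidden":
        checks.append("treat hidden value as untrusted")
    for k in ("min", "max", "maxlength", "pattern"):
        if k in field:
            checks.append(f"enforce {k}={field[k]} on the server")
    if field.get("required"):
        checks.append("reject missing/empty value")
    return checks
```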