Web Application (In)security Note: Unless noted differently, all scanned figures were from the textbook, Stuttard & Pinto, 2011.


Security of web applications is critical:
–Image and reputation
–Financial loss
–Potential lawsuits
Web protocols are inherently insecure.
Ways of securing web applications

HTTP revisited
A request/response protocol between a web browser (the client) and a web server.
Each request names a resource by URL; the response carries a status code, headers, and usually a body.
Processing of a request:
1. The browser resolves the host name in the URL through DNS to get the IP address of the web server.
2. A TCP connection is established between the browser and the server, at port 80 for plain HTTP (443 for HTTPS).
3. The browser sends an HTTP request over this connection, and the server returns an HTTP response.
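What actually travels over that TCP connection in step 3 is a small text message: a request line, header lines, a blank line, then an optional body. The parser below is an added example (not from the slides or the textbook) that takes a raw request and breaks it into those parts; the request it parses is constructed for the example, and the host name shop.example and the cookie values are made up.

```python
"""Minimal HTTP/1.1 request parser (added example, not from the slides).

Splits a raw request into request line, headers, cookies, query string
and body, rejecting a few malformed shapes along the way.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample request: what a browser sends after the TCP
# connection to port 80 is up.  Every byte of it is chosen by the client.
SAMPLE_REQUEST = (
    b"POST /login?next=%2Faccount HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Cookie: session=abc123; theme=dark\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)


def parse_request(raw: bytes) -> dict:
    """Parse one HTTP/1.1 request; raise ValueError on malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")

    # Header section is ASCII/Latin-1 by specification; decode it as such.
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts

    # Header names are case-insensitive; normalise to lower case.
    # (A later duplicate overwrites an earlier one here; production servers
    # must decide explicitly how to treat duplicates.)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()

    # Body length is whatever Content-Length claims, never "the rest".
    try:
        length = int(headers.get("content-length", "0"))
    except ValueError:
        raise ValueError("non-numeric Content-Length")
    if length < 0 or len(body) < length:
        raise ValueError("body does not match Content-Length")
    body = body[:length]

    # The request target carries path and query string.
    url = urlsplit(target)

    # Cookie header: "name=value; name2=value2".
    cookies = {}
    for item in headers.get("cookie", "").split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            cookies[key.strip()] = val.strip()

    return {
        "method": method,
        "version": version,
        "path": url.path,
        "query": parse_qs(url.query),
        "headers": headers,
        "cookies": cookies,
        "body": body,
    }


def form_fields(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict of lists."""
    return parse_qs(body.decode("iso-8859-1"))


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["path"], req["query"])
    print("cookies:", req["cookies"])
    print("form:", form_fields(req["body"]))
```

Everything the parser returns (method, path, query, headers, cookies, body) is under the client's control; later slides make the point that a server must treat all of it as untrusted.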

Evolution of Web applications
Early web applications
–Web sites for posting information
–Static content
–Attacks: defacing, distributing malware
Later web applications are true online "applications":
–The Web has become a universal platform.
–Interactive
–User-contributed content
–User-tailored content
–Dynamic
–Internet applications vs. intranet applications

Why are web applications vulnerable?
Public access: anyone on the Internet can send requests.
HTTP lacks strong security mechanisms.
Many web application developers are not knowledgeable about security.
Web applications often connect to back-end servers (databases, internal services), which turns a compromised web server into a jumping board for the attacker.
Lower-layer vulnerabilities (TCP/IP, DNS, the operating system) may impact the application layer.

Threats against web applications
Leakage of sensitive data
–Eavesdropping
–Industrial/military espionage
System/service downtime
–Denial-of-service attacks
False data
–Invalid user input
–Command injection
–SQL injection
Hijacked sessions (Figures 12-3, 12-4, 12-5)
Spreading viruses and other malware
Impact on physical systems


A survey of web vulnerabilities
Conducted by Stuttard and Pinto (Figure 1-3): the percentage of tested applications affected by each issue.
–Broken authentication: 62%
–Broken access controls: 71%
–SQL injection: 32%
–Cross-site scripting: 94%
–Information leakage: 78%
–Cross-site request forgery: 92%


Why is HTTPS not sufficient?
SSL/TLS provides confidentiality, data integrity, and origin authentication. How? Traffic is encrypted with keys negotiated in the handshake, each record carries an integrity check, and the server proves its identity with a certificate.
SSL/TLS protects data in transit only. It does not stop attacks that directly target the server or client components of an application: a SQL injection or cross-site scripting payload travels inside the encrypted channel exactly like legitimate input.
Conclusion: SSL/TLS is not a cure-all for securing web applications.

Fundamental issue with web vulnerabilities
Users are outside the application's direct control:
–Valid users with valid devices
–Valid users with compromised devices
–Malicious users with malicious devices
Attackers may use crafted input to compromise the application by interfering with its logic and behavior, thereby gaining unauthorized access to its data and functionality.

Crafted user input
Attackers may use crafted input to compromise the application. They can:
–Interfere with any data transmitted between the client and the server (request parameters, cookies, HTTP headers, ...), including values the application itself placed there, such as hidden form fields.
–Send requests in any sequence, or submit parameters out of the anticipated order.
–Replay requests captured earlier.
–Use additional tools alongside or independently of the browser (intercepting proxies, scripted clients).
Conclusion: the web application must assume that all input from the client is potentially malicious, and must validate it on the server side.
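To make the three bullets concrete, here is an added example (not from the slides or the textbook) of a two-step checkout. The first version takes the price, quantity and step from the request, so the client can set the price, skip the address step, and resend the pay request as often as it likes. The second keeps the price in a server-side catalog, tracks which step the session has completed, and issues a single-use order token so a replayed pay request is refused. The catalog, prices and session model are assumptions for the example.

```python
"""Trusting client input vs. server-side state (added example).

The catalog, prices and Session class are constructed for this demo.
"""
import secrets

# Server-side source of truth for prices, in cents (constructed).
CATALOG = {"sku-100": 4999, "sku-200": 1500}


class Session:
    """State looked up from the session cookie; the client never sees it."""

    def __init__(self):
        self.address = None
        self.order_token = None   # single-use token guarding the pay step
        self.orders = []


def checkout_vulnerable(params: dict) -> dict:
    """Everything comes from the request: price, quantity, even the
    implicit claim that earlier steps were done.  A hidden 'price' field
    in the form is just another parameter the client can rewrite."""
    total = int(params["price"]) * int(params["qty"])
    return {"sku": params["sku"], "charged": total}


def step_address(session: Session, params: dict) -> str:
    """Step 1: record the address and hand out a fresh order token."""
    address = params.get("address", "").strip()
    if not address:
        raise ValueError("address required")
    session.address = address
    session.order_token = secrets.token_urlsafe(16)
    return session.order_token   # embedded in the pay form as a hidden field


def step_pay(session: Session, params: dict) -> dict:
    """Step 2: only valid after step 1, only once per token, and priced
    from the catalog rather than from the request."""
    # Sequence check: step 1 must have run in this session.
    if session.address is None:
        raise PermissionError("address step not completed")

    # Replay check: the token is consumed on first use.
    token = params.get("token")
    if (
        token is None
        or session.order_token is None
        or not secrets.compare_digest(token.encode(), session.order_token.encode())
    ):
        raise PermissionError("missing or reused order token")
    session.order_token = None

    # Input validation: sku must exist, qty must be a sane integer.
    sku = params.get("sku")
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    try:
        qty = int(params.get("qty", ""))
    except ValueError:
        raise ValueError("qty must be an integer")
    if not 1 <= qty <= 100:
        raise ValueError("qty out of range")

    # Any 'price' parameter in the request is simply ignored.
    order = {"sku": sku, "qty": qty, "charged": CATALOG[sku] * qty}
    session.orders.append(order)
    return order


if __name__ == "__main__":
    print("vulnerable:", checkout_vulnerable({"sku": "sku-100", "qty": "2", "price": "1"}))
    s = Session()
    tok = step_address(s, {"address": "1 Main St"})
    print("hardened:  ", step_pay(s, {"sku": "sku-100", "qty": "2", "price": "1", "token": tok}))
    try:
        step_pay(s, {"sku": "sku-100", "qty": "2", "token": tok})
    except PermissionError as exc:
        print("replay:    ", exc)
```

The hardened flow does not care how the request was produced (browser, proxy, script): the checks are on server-side state and on a server-chosen price, which is the only place the conclusion of this slide can be enforced.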

The expanding network perimeter
The traditional concept of a "network perimeter" no longer works.
User devices are often outside the corporate network.
–BYOD (bring your own device)
Web applications are potential gateways for attacks:
–An HTTP or HTTPS server must process all inbound requests.
–A web server often connects to back-end servers.
–A web application may involve cross-domain integration (e.g., mash-ups, third-party widgets).

Summary
While older vulnerabilities may have been patched, new vulnerabilities continue to be discovered and exploited.
A recent trend is increased attacks against users or user devices.
New technological advances may bring new vulnerabilities: cloud, social networks, etc.
SSL/TLS is not a cure-all.