1
Building Secure Web Applications with IDS
Michael Chaney, Technical Director, ChainLink Networking Solutions, Inc.
2
Agenda
Security in general
Web security
How intruders are getting in
What we can do to keep intruders out
3
Security and the World Wide Web
A contradiction in terms
4
Goal and Objective
The goal is to provide secure services that are impenetrable to hackers while still allowing access to public browsers
5
Today's Situation
Stats from the CSI/FBI study:
40% penetration from outside
89% with firewalls
60% with Intrusion Detection Systems
38% unauthorized access or misuse of web sites
21% did not know…
7
How do intruders get in?
Password guessing
Buffer overflows
URL mangling
Software vulnerabilities
Backdoors
Packet sniffing - passwords, account numbers, weak encryption
Open services - port scanning
8
Buffer Overflow Example: Code Red
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Impact - intruders can insert and execute arbitrary code
9
URL Mangling
Intruder changes the URL or the parameters sent to the Web server
Impact - view records, change data
Example: http://www.yoursite.com/orderstatus?orderid=1000 - change to any other order id
10
URL Mangling (cont)
Example: since the application's query would look like this:
select * from orders where orderid=1000;
the hacker could append to the URL:
http://www.yoursite.com/orderstatus?orderid=1000;delete+from+orders;
to make the SQL:
select * from orders where orderid=1000;delete from orders;
11
URL Mangling (cont)
Example: web page with a news story where storyid=1 is the primary key
URL: http://www.yoursite.com/story?storyid=1
Modified URL: http://www.yoursite.com/story?storyid=-1+union+select+FileToClob('/etc/passwd','server')+from+sysusers+where+username=USER
12
URL Mangling (cont)
Web Datablade specific:
/' union select WebExplode(' $1 ','') from sysusers where username=USER --/
13
Packet Sniffing
Forms carrying a user ID/password or other sensitive data should be sent over SSL
Do not use basic authentication: it sends a clear-text user ID and password with every request
14
Packet Sniffing Example
15
Security Implementations
System architecture
Fill application holes
Limit database account permissions
Traps
Monitoring
16
System Architecture
Secure the perimeter
Limit open services
Proxy web services
URL sanity checks
Hide server identity
VPN access
SSL
17
Filling Application Holes
Web server patches
Web application server patches
Parameter checks
Use stored procedures or functions where possible*
Limit access to the web application user*
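The URL mangling slides show the order-status query being built from the raw orderid parameter, and this slide lists the fixes: parameter checks, bound parameters or stored procedures, and limiting what the web application's database user can reach. The following is an added example, not code from the presentation, written in Python against an in-memory SQLite table (the deck's own examples run on Informix). The orders rows, the make_db/order_status_vulnerable/order_status_hardened names and the "customer" ownership column are all constructed for the illustration; the vulnerable path splits the built SQL on ';' only because SQLite's execute() refuses stacked statements, which is what the ';delete from orders' example depends on.

```python
import re
import sqlite3

# Constructed sample data: a tiny "orders" table standing in for the deck's orders table.
SAMPLE_ORDERS = [
    (1000, "alice", "widget"),
    (1001, "bob", "gadget"),
    (1002, "alice", "gizmo"),
]


def make_db():
    """In-memory SQLite database loaded with the constructed sample orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (orderid INTEGER PRIMARY KEY, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def count_orders(conn):
    return conn.execute("SELECT count(*) FROM orders").fetchone()[0]


def order_status_vulnerable(conn, orderid_param):
    """The slide's query, built by pasting the URL parameter into SQL text.

    To behave like a server that accepts stacked statements (as in the
    'select ...;delete from orders;' example) the text is split on ';' and each
    statement is run in turn. Rows from the first statement are returned, so
    the caller never notices that a second statement ran.
    """
    sql = "select orderid, customer, item from orders where orderid=" + orderid_param + ";"
    rows = None
    for stmt in sql.split(";"):
        if stmt.strip():
            cur = conn.execute(stmt)
            if rows is None:
                rows = cur.fetchall()
    conn.commit()
    return rows


# Parameter check: an order id is a plain decimal integer and nothing else.
ORDERID_RE = re.compile(r"^[0-9]{1,10}$")


def order_status_hardened(conn, orderid_param, current_user):
    """Same lookup with the checks the slide asks for.

    1. Parameter sanity check: reject anything that is not a bare integer, so
       ';delete from orders' and '-1 union select ...' never reach the database.
    2. Bound parameter: the value is passed separately from the SQL text, so it
       can only ever be compared, never parsed as SQL.
    3. Ownership condition: the row must belong to the logged-in user, so simply
       changing the id to somebody else's order returns nothing.
    """
    if not ORDERID_RE.match(orderid_param):
        raise ValueError("orderid must be a plain integer")
    return conn.execute(
        "select orderid, customer, item from orders where orderid=? and customer=?",
        (int(orderid_param), current_user),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", order_status_vulnerable(conn, "1000;delete from orders"),
          "orders left:", count_orders(conn))
    conn = make_db()
    print("hardened, own order:", order_status_hardened(conn, "1000", "alice"))
    print("hardened, other user's order:", order_status_hardened(conn, "1001", "alice"))
```

The first and second fixes stop the SQL from being rewritten; the third is the one that closes the "change to any other order id" hole from the earlier slide, which no amount of quoting addresses. Stored procedures give the same separation of code from data on servers that have them; SQLite does not, so the example uses bound parameters throughout.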
18
Traps
Set traps to catch and identify hackers in the act
Multiple failed attempts usually precede a successful break-in
Block intruders caught in the act
19
Monitoring Tools
Intrusion Detection Systems
Onaudit
I-SPY
sysmaster database
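The Code Red slide, the Traps slide and this one describe what an IDS or log monitor has to notice: the default.ida probe, SQL keywords arriving in URL parameters, and a run of failed logins before a successful one. The following added example (not the presentation's code, and not any of the Informix tools named above) runs those three checks over constructed web-server access-log lines in Python. The log lines, the documentation-range IP addresses, the /login path and the lockout limit of three failures are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log sample (common log format). Addresses are from the
# documentation ranges; the probe on the first line mirrors the deck's Code Red slide.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jul/2001:10:00:01 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801 HTTP/1.0" 200 -
198.51.100.7 - - [19/Jul/2001:10:00:02 -0400] "GET /orderstatus?orderid=1000 HTTP/1.1" 200 512
198.51.100.7 - - [19/Jul/2001:10:00:03 -0400] "GET /orderstatus?orderid=1000;delete+from+orders HTTP/1.1" 200 512
198.51.100.7 - - [19/Jul/2001:10:00:04 -0400] "GET /story?storyid=-1+union+select+FileToClob('/etc/passwd','server')+from+sysusers HTTP/1.1" 500 88
192.0.2.9 - - [19/Jul/2001:10:01:00 -0400] "POST /login HTTP/1.1" 401 0
192.0.2.9 - - [19/Jul/2001:10:01:05 -0400] "POST /login HTTP/1.1" 401 0
192.0.2.9 - - [19/Jul/2001:10:01:09 -0400] "POST /login HTTP/1.1" 401 0
192.0.2.9 - - [19/Jul/2001:10:01:15 -0400] "POST /login HTTP/1.1" 200 1024
10.0.0.4 - - [19/Jul/2001:10:02:00 -0400] "GET /orderstatus?orderid=1002 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3})'
)

# Rule 1: the Code Red buffer-overflow probe, a long run of N's after /default.ida?
CODE_RED_RE = re.compile(r"/default\.ida\?N{8,}")

# Rule 2: SQL arriving inside a query string, matched after URL decoding so that
# '+' and %xx escapes cannot hide the keywords.
SQLI_RE = re.compile(r";\s*(delete|drop|insert|update)\b|\bunion\s+select\b|--", re.I)

# Rule 3: lock an address out after this many failed logins (assumed threshold).
FAILED_LOGIN_LIMIT = 3
LOGIN_PATH = "/login"  # assumed login endpoint


def analyze(log_text, failed_login_limit=FAILED_LOGIN_LIMIT):
    """Return {'alerts': [...], 'blocked': set(...)} for the given log text."""
    alerts = []
    failed = defaultdict(int)
    blocked = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than guessed at
        ip, method, path, status = m["ip"], m["method"], m["path"], int(m["status"])

        if CODE_RED_RE.search(path):
            alerts.append({"ip": ip, "rule": "code-red-probe", "path": path})
            continue

        query = unquote_plus(path.partition("?")[2])
        if SQLI_RE.search(query):
            alerts.append({"ip": ip, "rule": "sql-injection", "path": query})

        if method == "POST" and path.startswith(LOGIN_PATH):
            if status == 401:
                failed[ip] += 1
                if failed[ip] == failed_login_limit:
                    blocked.add(ip)  # the trap: this address is now blocked
                    alerts.append({"ip": ip, "rule": "login-lockout", "path": path})
            elif status == 200 and ip in blocked:
                # The pattern the Traps slide describes: failures, then a success.
                alerts.append({"ip": ip, "rule": "login-after-lockout", "path": path})
    return {"alerts": alerts, "blocked": blocked}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print(f'{alert["ip"]:15} {alert["rule"]:20} {alert["path"]}')
    print("blocked:", sorted(result["blocked"]))
```

The SQL rule deliberately decodes the query before matching; the '+' and %xx encoding in the deck's example URLs is exactly what a raw-string match would miss. The lockout counter is kept per address only, so a distributed guessing run spread over many addresses would need an additional per-account counter.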
20
Application Tracing
JDBC driver: PROTOCOLTRACE, PROTOCOLTRACEFILE
Custom trace statements in the JDBC driver
Onstat
SQLDEBUG/SQLPRINT
21
Online Resources
BugTraq http://online.securityfocus.com/
CERT http://www.cert.org/
24
Questions/Comments
Contact: Michael Chaney, ChainLink Networking Solutions, Inc., mikec@chainlink.com