Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security

Published byAugustine Holland Modified over 7 years ago

Similar presentations

Presentation on theme: "Web Application Security"— Presentation transcript:

1 Web Application Security
COSC380 Zach Haupin

2 Overview Defining the problem Common Vulnerabilities Prevention
Poor Session Management Cross-Site Scripting SQL Injection Prevention Software design practices Third-party tools

3 Defining the problem Born out of advent of dynamic scripting technologies like: Javascript ASP PHP Allow user input to interact with web site instead of just displaying static pages.

4 Common Vulnerabilities
Incorrect Authentication/Session Management XSS – Cross-Site Scripting SQL Injection

5 Common Vulnerabilities – Authentication/Session Management
Session Management – Storing unique information across multiple web pages. Most commonly done via cookies. I-mail session:

6 Common Vulnerabilities – Authentication/Session Management
Weak session-management scheme involves small integers that are sequential. Example – Cookie defines the web session as “1004”. By changing cookie to “1003”, personal information can be compromised.

7 Common Vulnerabilities – XSS – Cross-Site Scripting
XSS (sometimes called code injection) Takes advantage of applications that allow user input. User may be able to insert Javascript or shell commands inside of a text field that will be processed on the response page.

8 Common Vulnerabilities – SQL Injection
Data-driven applications vulnerable to SQL injection Applications that use SQL queries based on form information. Invalid or nonexistent data validation checks before SQL statement.

9 Common Vulnerabilities – SQL Injection
Data-driven applications vulnerable to SQL injection Example – Simple authentication system: SQL Injection Example

10 Prevention Architectural considerations Third-Party Tools
Properly-Segmented Network Firewalls Between Segments Input Validation Third-Party Tools Vulnerability Scanners

11 Prevention – Architectural Considerations
3-Tier/Layer design approach – minimize the attack surface UI/Interface Logic Data

12 Prevention – Architectural Considerations
Network Topology Isolating public networks from intranets Use of firewalls between network segments

13 Prevention – Third-Party Tools
Vulnerability Scanners Most will probe the web application for a set of known security holes. Nikto Aware of “over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. “ (Nikto Website)

14 Web Application Security Summary
Reason for concern Dynamic user input Common vulnerabilities XSS, Sessions, SQL Injection Best Defenses Application Design, 3rd party tools

Download ppt "Web Application Security"

Similar presentations

Webgoat.

Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands on Demonstration for Testing Security in Web Applications

Hands on Demonstration for Testing Security in Web Applications
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Introduction to Web Application Security

Introduction to Web Application Security
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Expert System Approach on Web Vulnerability Analysis 20103272 / Jong Heon, PARK 20103616 / Hyun Woo, CHO CS548 Advanced Information Security Term Project.

Expert System Approach on Web Vulnerability Analysis / Jong Heon, PARK / Hyun Woo, CHO CS548 Advanced Information Security Term Project.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.

Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google