1
Intro to Web Application Security
2
Francis Al Victoriano
iHostCodex, CEO
Project-AG, Co-Founder
OWASP Panay Chapter, President
Panay Chapter, Director for Membership
3
The Web Apps: Multimedia, Email System, Search Engine, Online Banking, Online Shopping, Social Network
4
Typical Web Setup (diagram): the Client sends a Request to the OS/Web Server (Apache, IIS or Nginx, running Custom Code in PHP, PERL or PYTHON), which talks to the Database Server (MariaDB, PostgreSQL) and returns the Response to the Client.
5
What is WebAppSec? Simply, Web Application Security is... “The securing of web applications”
6
Why do we need security?
7
Non-Stop Attacks
8
Key Focus: Confidentiality, Integrity, Availability
9
Technical/Business Impact: Compromised, Information Leakage or Loss, Reputational Damage, Money Lost
10
Cost of Web Application Attacks
Costs of technical support and responses to incidents: $1,277,618
Costs from the disruption to normal operations: $613,636
Losses in revenue due to customer-facing services being unavailable: $538,745
Costs associated with lost user productivity: $382,555
Costs of damage or theft of IT infrastructure & assets: $374,655
TOTAL: $3,137,209
98% of businesses have experienced a Web Application Attack in the last year.
11
Essential Terminologies
Threat: An action or event that has the potential to compromise and/or violate security.
Vulnerability: A weakness (software, hardware or procedural) that provides potential attackers with an unauthorized path into your environment.
Exploit: A defined way to breach the security of an IT system through a vulnerability.
Countermeasure: Mitigates a potential risk.
12
Common Web Vulnerabilities
1. Injection
2. Broken Authentication and Session Management
3. XSS (Cross Site Scripting)
4. Missing Function Level Access Control
5. Cross Site Request Forgery
13
Injection
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query.
Threat: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: The entire database can usually be read or modified, or access to it denied. Injection can sometimes lead to complete host takeover.
14
SQL Injection Example
The query is built by concatenating the request parameters straight into the SQL text:
    String query = "SELECT user_id FROM user_data WHERE user_name = '" + req.getParameter("user") + "' AND user_password = '" + req.getParameter("password") + "'";
Sending the user name ' or 1=1 -- turns the query into:
    SELECT user_id FROM user_data WHERE user_name = '' or 1=1 --' AND user_password = '1234';
15
Prevent Injection
Encode all user input before passing it to the interpreter (white list validation).
Use an interface that supports bind variables.
Always minimize database privileges to reduce the impact of a flaw.
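The login query from the SQL injection example beside the bind-variable version and a white-list check, as an added example that is not part of the slides; the in-memory SQLite table, its rows and the helper names are constructed for the example.

```python
# Added example, not from the slides: the slide-14 login query built by string
# concatenation beside the same query using bind variables (slide 15), run
# against an in-memory SQLite table. Table contents and helper names are constructed.
import re
import sqlite3

def make_db():
    """Constructed sample table using the slide's column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_data (user_id INTEGER, user_name TEXT, user_password TEXT)")
    conn.execute("INSERT INTO user_data VALUES (1, 'alice', 's3cret'), (2, 'bob', 'hunter2')")
    return conn

def login_concat(user, password):
    """Vulnerable (slide 14): request parameters are pasted into the SQL text,
    so quotes and comment markers in the input become part of the query."""
    query = ("SELECT user_id FROM user_data WHERE user_name = '" + user
             + "' AND user_password = '" + password + "'")
    return sorted(row[0] for row in make_db().execute(query))

def login_bound(user, password):
    """Fixed (slide 15): bind variables hand the input to the driver as data;
    the SQL text never changes, whatever the input contains."""
    query = "SELECT user_id FROM user_data WHERE user_name = ? AND user_password = ?"
    return sorted(row[0] for row in make_db().execute(query, (user, password)))

USER_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def valid_user_name(user):
    """White-list validation (slide 15): accept only the characters a user name
    may contain, which rejects the quote and comment characters the bypass needs."""
    return USER_NAME_RE.fullmatch(user) is not None

if __name__ == "__main__":
    payload = "' or 1=1 --"                             # the slide's bypass string
    print("concat:", login_concat(payload, "1234"))     # every user_id comes back
    print("bound: ", login_bound(payload, "1234"))      # no match: input stays data
    print("valid: ", valid_user_name(payload))          # rejected before the query
```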
16
Broken Authentication and Session Management
The attacker uses leaks or flaws in the authentication or session management functions (e.g., exposed accounts, passwords, session IDs) to impersonate users.
Threat: Consider anonymous external attackers, as well as users with their own accounts, who may attempt to steal accounts from others.
Impact: User accounts compromised or user sessions hijacked.
17
Broken Authentication Example
(Diagram: the site's custom code and business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce.)
1. User sends credentials.
2. Site uses URL rewriting (i.e., puts the session ID in the URL).
3. User clicks on a link in a forum.
4. Hacker checks the linked site's referrer logs and finds the user’s JSESSIONID.
5. Hacker uses the JSESSIONID and takes over the victim’s account.
18
Prevent Broken Authentication
Meet all the requirements in OWASP ASVS.
Examine all the authentication-related functions.
Make strong efforts to avoid XSS flaws, which can steal session IDs.
19
XSS (Cross Site Scripting)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
Threat: Consider anyone who can send untrusted data to the system, including external users, internal users, and administrators.
Impact: Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
20
XSS Pattern: Simple Patterns
    <SCRIPT>javascript:alert('XSS');</SCRIPT>
    <IMG SRC=javascript:alert('XSS')>
    <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
21
Reflected XSS (diagram): the victim’s request to the website carries the attack in the URL; the web application on the server (Bug!) sends it back in the HTML response, which the browser renders. Components shown: Browser, Web Application, Server, Database.
22
Persistent XSS (diagram): an initial request stores the attack through the web application (Bug!) in the database; on a subsequent victim request the server returns it in the HTML response to the victim’s browser. Components shown: Browser, Web Application, Server, Database.
23
Prevent XSS
All user supplied input is properly escaped.
Perform white list input validation on user input.
Use Content Security Policy (CSP).
24
Missing Function Level Access Control
An attacker, who is an authorized system user, simply changes the URL or a parameter to a privileged function. Is access granted? Anonymous users could access private functions that aren’t protected.
Threat: Anyone with network access can send your application a request. Could anonymous users access private functionality, or regular users a privileged function?
Impact: Such flaws allow attackers to access unauthorized functionality. Administrative functions are key targets for this type of attack.
25
Missing Function Level Access Control Explained
1. The attacker’s own request goes to /user/getAccounts.
2. He modifies it to another directory (role): /admin/getAccounts or /manager/getAccounts.
3. The attacker views more accounts than just their own.
26
Prevent Missing Function Level Access Control
Restrict access to authenticated users.
Enforce role based permissions.
Whitelist your IP in the administration panel.
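Server-side enforcement for the /user/getAccounts to /admin/getAccounts scenario, applying the three controls above, as an added example that is not part of the slides; the paths, roles, session store, account data and admin network are constructed for the example.

```python
# Added example, not from the slides: server-side enforcement for the slide-25
# scenario (a user rewriting /user/getAccounts to /admin/getAccounts) using the
# three slide-26 controls. Paths, roles, sessions, accounts and the admin network
# are constructed for the example.
import ipaddress

# Which roles may call each function. Anything not listed is denied by default.
ROLE_REQUIRED = {
    "/user/getAccounts": {"user", "manager", "admin"},
    "/manager/getAccounts": {"manager", "admin"},
    "/admin/getAccounts": {"admin"},
}
ADMIN_NETWORK = ipaddress.ip_network("10.0.0.0/8")   # constructed admin-panel whitelist

SESSIONS = {"sess-user": {"user_id": 7, "role": "user"},
            "sess-admin": {"user_id": 1, "role": "admin"}}
ACCOUNTS = {1: ["ACC-100"], 7: ["ACC-700"], 9: ["ACC-900"]}

def get_accounts(session_id, path, client_ip):
    """Return (HTTP status, body). The role comes from the server-side session,
    never from the URL, so changing the path's directory changes nothing."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, None                      # restrict access to authenticated users
    allowed = ROLE_REQUIRED.get(path)
    if allowed is None or session["role"] not in allowed:
        return 403, None                      # enforce role-based permission
    if path.startswith("/admin/") and ipaddress.ip_address(client_ip) not in ADMIN_NETWORK:
        return 403, None                      # whitelist your IP in the administration panel
    if path == "/user/getAccounts":
        return 200, ACCOUNTS[session["user_id"]]   # only the caller's own accounts
    return 200, sorted(a for accts in ACCOUNTS.values() for a in accts)

if __name__ == "__main__":
    for path in ("/user/getAccounts", "/manager/getAccounts", "/admin/getAccounts"):
        print(path, get_accounts("sess-user", path, "203.0.113.5"))
```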
27
Cross Site Request Forgery (CSRF)
A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application.
Threat: Consider anyone who can load content into your users’ browsers, and thus force them to submit a request to your website.
Impact: Attackers can trick victims into performing any state changing operation the victim is authorized to perform, e.g., updating account details, making purchases, transferring funds, logging out and even logging in.
28
Cross Site Request Forgery Explained (diagram)
The browser is logged in to bank.com, then requests the attacker’s page:
    GET / HTTP/1.1
    Host: evil.org
The response carries the CSRF attack in an image tag:
    HTTP/1.1 200 OK
    ...
    <html> <img src=" ?to=hacker&amount=1000$"/> </html>
The browser fetches the image, sending the bank’s session cookie along (Bug! in the bank’s web app):
    GET /transfer?to=hacker&amount=1000$ HTTP/1.1
    Host: bank.com
and 1000$ is transferred.
29
Prevent Cross Site Request Forgery
Add a secret, not automatically submitted, token to all sensitive requests.
Make sure your application has no XSS holes.
Require the user to re-authenticate, or prove they are a user (e.g., via a CAPTCHA).
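The secret token from the first bullet applied to the /transfer request of the previous slide, as an added example that is not part of the slides; the server secret, session ids and the request shape (a dict with method, cookies and form) are constructed for the example.

```python
# Added example, not from the slides: the slide-29 secret token applied to the
# slide-28 transfer request. The server secret, session ids and request shape
# (a dict with method, cookies and form) are constructed for the example.
import hashlib
import hmac
import secrets

SERVER_SECRET = b"constructed-server-secret-change-me"

def new_csrf_token(session_id):
    """Issue a token for one session: a random nonce plus an HMAC binding it to
    the session id, so a token issued for another session does not verify."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def verify_csrf_token(session_id, token):
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def handle_transfer(request):
    """Return an HTTP status for /transfer. The session cookie is attached by the
    browser automatically (slide 28), so it says nothing about who built the
    request; the token is only present when our own form was submitted."""
    session_id = request["cookies"].get("JSESSIONID")
    if session_id is None:
        return 401
    if request["method"] != "POST":
        return 405          # state changes never on GET, which an <img> can trigger
    if not verify_csrf_token(session_id, request["form"].get("csrf_token")):
        return 403          # cookie present but token missing or wrong: forged request
    return 200

if __name__ == "__main__":
    token = new_csrf_token("abc123")
    forged = {"method": "GET", "cookies": {"JSESSIONID": "abc123"}, "form": {}}
    genuine = {"method": "POST", "cookies": {"JSESSIONID": "abc123"},
               "form": {"to": "bob", "amount": "1000", "csrf_token": token}}
    print(handle_transfer(forged), handle_transfer(genuine))   # 405 200
```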
30
TIPS ON SECURING WEB APPLICATIONS
31
Define Secure Coding Standards
Validate all input parameters to prevent attacks.
Sanitize application responses.
HTTP trust issues.
Keep sensitive session values on the server to prevent client-side modification.
Use encryption.
Session management.
Access restriction.
Build a centralised module for application auditing and reporting.
32
Perform Threat Modeling
Identify the key security objectives.
Create an overview of the application by itemising the important characteristics of that application.
Deconstruct the application to identify the features and modules that have a security impact and that need to be evaluated.
Identify all threats.
Identify all vulnerabilities.
33
Testing and Quality Assurance
Web Application Penetration Testing
Code Review
34
Design Web Application Security Architecture
Secured Web Server
Secured Application Server
Secured Database Server
35
Maintenance & Support
Application Log Review
Version Control and a Separate Environment for Development
36
Web Application Firewall (WAF)
(Diagram: network security layers in front of the Web App: Firewall, IDS/IPS, WAF, Server.)
The WAF’s guidelines (ruleset: whitelist, blacklist, heuristics) define legal/illegal requests, and the WAF rejects the illegal ones.
It sometimes rejects legitimate requests (“false positives”) or fails to recognize illegal requests (“false negatives”).
37
Reminders!
1. Client Side Protection: don’t trust the client’s input (validate all inputs); encode all user supplied input.
2. Server Side Protection: white list validation (server side code); use a Web Application Firewall.
3. User: follow all the security hardening guides; test your system.
38
What next for Developers?
Application Security Requirements
Application Security Architecture
Standard Security Controls
Secure Development Lifecycle
Application Security Education
OWASP resources: OWASP ASVS; OWASP Education Project; OWASP Developer’s Guide and Prevention Cheat Sheets; OWASP Software Assurance Maturity Model (SAMM); OWASP Enterprise Security API (ESAPI) project.
39
Contact Us: visit our site
40
Thank You
© 2025 SlidePlayer.com. Inc.
All rights reserved.