Presentation is loading. Please wait.

Presentation is loading. Please wait.

World Wide Web policy.

Published byAdam Pearson Modified over 6 years ago

Similar presentations

Presentation on theme: "World Wide Web policy."— Presentation transcript:

1 World Wide Web policy

2 Agenda Introduction Web Application Components Common Vulnerabilities
Improving security in Web applications

3 1. Introduction What does World Wide Web security mean?
Webmasters=> confidence that their site won’t be hacked or used as a gateway to get into their LANS Web users=> it is the ability to browse securely through the web But in general…

4 Introduction World Wide Web security Procedures Technologies Practices

5 2. Web Application Web Application is a client/server software application that interacts with users or other systems using HTTP(S) .

6 3. Some “Components” 3.1. Authentication 3.2. Browser Security
3.3. Scripts and Active Code 3.4. New Technologies : e.g. Ajax

7 3.1 Authentication Process of determining if a user or entity is who he/she claims to be. HTTP basic HTTP digest For secure authentication SSL ( Protect transactions in any of the TCP protocols such as HTTP, NNTP (News Transfer), FTP, among others.

8 Authentication Provides server authentication, client authentication,
confidentiality and integrity. Components SSL Record Protocol Handshaking Protocol

9 3.2 Browser Security User privacy Use a strong password.
Install the latest version of your web browser.

10 Browser Security Cookie Data file originated by a web server, with the client’s information (machine name, keystrokes the user types, etc) Types Per-session , secure Persistent , nonsecure Cookies = vulnerability ~ privacy Structure Of A Cookie Domain Flag Path Secure Expiration Name Value FALSE / Apache

11 Browser Security Increasing the level of security: For user:
Limit the cookies per web site. Allow cookies from the site that you are visiting for session. Disabled cookies if you are using a public computer.

12 Browser Security For Web designers:
Examine cookies that they are accepting to avoid malicious content. Avoid the use cookies for authentication. Store as little private or personal information from the user as possible.

13 3.3 Scripts and Active Code
Programs executed on the server side performing advanced operations. E.g: perl, c, php, etc Active Code Programs designed to perform detailed task on the client’s side. E.g: javaScript, Java Applets, ActiveX,…

14 Scripts and Active Code
Vulnerabilities Misusing interpreters: putting the script interpreter in the same place as the scripts directory. Web Server --> perl –e unlink ‘<*>’ Flawed memory management: is in the domain of programming languages that do not perform memory management internally such as c, c++.

15 Scripts and Active Code
Passing unchecked user input to command interpreters: user input is passed to a command shell, allowing remote users to execute shell commands on the web server. Opening files based on unchecked user input. When writing user inputs to disk.

16 Scripts and Active Code
Security Model Java Applets => sandbox JavaScript sandbox same origin policy object signing

17 Scripts and Active Code
ActiveX Is a binary code that extend the functionality of a web application; it can take any action as the user. Security is partially controlled by the web designer and a third party.  Security Options safe for initializing safe for scripting

18 3.4 AJAX (Asynchronous JavaScript and XML)
presentation management using XHTML, CSS, and the Document Object Model; Asynchronous data retrieval using XMLHttpRequest; and, JavaScript

19 Image from http://www. adaptivepath

20 AJAX Synchronous Asynchronous

21 4. Common Vulnerabilities
Cross Site Scripting (XSS) Cross Site Request Forgery (XSRF) Sql Injection

22 Common Vulnerabilities
Cross Site Scripting (XSS) An attacker inject malicious code, usually client-side scripts, into web applications from outside sources . Types - Stored - Reflected Due to lack of input/output filtering

23 Common Vulnerabilities
Reflected Cross Site Scripting: Image from Noxes:A Client-Side Solution for mitigating cross-site scripting attacks

24 Common Vulnerabilities
Cross Site Request Forgery (XSRF) Merely transmits unauthorized commands from a user the website trusts. It is related with the predictable of the structure of the application.

25 Common Vulnerabilities
Sql Injection An attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data

26 Common Vulnerabilities
Sql Injection SELECT * FROM users WHERE login = ‘Bush‘ AND password = '123' (If it returns something then login!) PHP/PostgreSql Server login syntax $sql = "SELECT * FROM users WHERE login = '" . $formusr . "' AND password = '" . $formpwd . "'";

27 Common Vulnerabilities
Sql Injection Injecting through Strings $formusr = ' or 1=1 – – $formpwd = anything Final query would look like this: SELECT * FROM users WHERE username = ' ' or 1=1 – – AND password = 'anything'

28 Thank you

Download ppt "World Wide Web policy."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Webgoat.

Webgoat.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.

E-Commerce The technical side. LAMP Linux Linux Apache Apache MySQL MySQL PHP PHP All Open Source and free packages. Can be installed and run on most.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Similar presentations

Ads by Google