Published by Matilda Nichols. Modified over 9 years ago.
Slide 1: FORESEC Academy Security Essentials (II)
Slide 2: Agenda
- Web communication
- Web security protocols
- Active content
- Cracking web applications
- Web application defenses
Slide 3: Everything You Always Wanted to Know About Web Communications...
- Servers and clients
- HTTP and HTML
Slide 4: Everything You Always Wanted to Know About Web Communications (2)
- Stateless communications
- Retrieving information: GET, HEAD
- Sending information: POST, PUT
Slide 5: HTML Security
- Reading HTML source
Slide 6: HTML Security (2)
- Hidden fields
- Server Side Includes
Slide 7: Common Gateway Interface (CGI)
- Allows web pages to do something instead of just returning pages
- Extends the capabilities of a web server
- Creates many exposures on the server:
  - Leaking information
  - Performing unauthorized transactions
  - Executing unintended programs
Slide 8: Common Gateway Interface (CGI) (2)
- Common mistakes:
  - Misuse of command interpreters
  - Bad memory management
  - Passing unchecked parameters to system
Slide 9: Cookies
- HTTP is “stateless”: no context information
- Cookies provide “state” and context
- Can only hold information given to the browser by the server
- Can only be exchanged with the originating server or domain
- Beware of cross-site sharing (e.g., DoubleClick)
- Can block cookies if desired
Slide 10: What About Non-Persistent Cookies?
- Non-persistent cookies = per-session cookies
- Non-persistent cookies are not written to the browser file system
  - So they can't be edited and are therefore safe from session ID attacks. Right?
  - Wrongo!!!
- Several possible methods:
  1) Raw read/write from/to the client-side memory
  2) Adapt Mozilla browser source to edit cookies
  3) Write a JavaScript app that lets you view the page and edit
  4) Write a proxy that allows editing of the entire session passed back and forth from the browser (Achilles)
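The slide's point is that a per-session cookie is still client-controlled data, whatever the browser does with it. The following is an added example, not part of the FORESEC deck: the server binds the session ID to an HMAC tag so that a cookie edited in memory, in a patched browser or in an intercepting proxy is detected and rejected on every request. The key value, cookie layout (`id.tag`) and function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for the demo; a real deployment loads this
# from protected configuration and never embeds it in source.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def new_session_id() -> str:
    # 128 bits from the OS CSPRNG: unguessable, so tampering is the only way in.
    return secrets.token_hex(16)


def issue_session_cookie(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Return the cookie value 'session_id.tag', tag = HMAC-SHA256(key, session_id)."""
    tag = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{tag}"


def verify_session_cookie(cookie_value: str, key: bytes = SERVER_KEY):
    """Return the session_id if the tag checks out, otherwise None.

    Any change to the id or the tag makes the recomputed HMAC differ, and the
    client cannot produce a matching tag without the server key.
    """
    if cookie_value.count(".") != 1:
        return None
    session_id, tag = cookie_value.split(".", 1)
    expected = hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return session_id


if __name__ == "__main__":
    cookie = issue_session_cookie(new_session_id())
    print("untouched cookie ->", verify_session_cookie(cookie))
    # Simulate an edit made in a proxy: the id is changed but the tag is kept.
    _, tag = cookie.split(".")
    tampered = "0000000000000000aaaaaaaaaaaaaaaa." + tag
    print("tampered cookie  ->", verify_session_cookie(tampered))
```

Signing stops forgery and editing, not theft: a copied valid cookie still works until the server expires it, which is why the deck's SSL slide and server-side session expiry belong alongside this check.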
Slide 11: SSL
- Protocol for encrypting network traffic
- Operates at the Transport Layer
- Operates on port 443
- How it works:
  - Client connects to server
  - Server indicates need for SSL
  - Client and server exchange crypto keys
  - Secure session begins
- Not a guarantee of security
Slide 12: Secure Electronic Transactions (SET)
- Developed by Visa, MasterCard, Microsoft, Netscape
- Specific-purpose protocol
- Secures credit and debit card transactions
Slide 13: Secure Electronic Transactions (SET) (2)
- Services provided:
  - Authentication
  - Confidentiality
  - Message integrity
  - Linkage
Slide 14: Active Content
- Programs that interact in a network environment
- Java/ActiveX
Slide 15: Java and JavaScript
- Java: executable code
- JavaScript: instructions embedded in HTML
- Security model:
  - Execution in a controlled environment (the “sandbox”)
  - Local apps have more access than network apps
  - Byte Code Verifier, Class Loader and Security Manager enforce security