
1 IST 210 Web Application Security

2 Introduction
- Security is a process of authenticating users and controlling what a user can see or do.

3 3-tier architecture
- Web browser -> Web server -> DB server

4 Some Internet Security Protocols
- Application layer security
  - Electronic mail security: PGP (Pretty Good Privacy), S/MIME (Secure Multi-Purpose Internet Mail Extensions)
- Transport layer security
  - SSL/TLS (Secure Sockets Layer / Transport Layer Security)
  - SSH (Secure Shell)
- Network layer security
  - IP Security (IPsec)
- Infrastructure protection
  - DNSSEC (DNS Security Extensions)
  - SNMPv3 security (Simple Network Management Protocol version 3)

5 How do you measure security?
- Does 128-bit encryption make you feel safer?

6 The client
- Common web browser
- Communicates with the server over HTTP (GET, POST, PUT)
- HTML: markup language for the layout of pages
- Scripting languages built into the client to control client-side content and communication with the server dynamically
- Cookies to store state

7 The server
- Analyses HTTP requests from the client and responds accordingly, either by
  - sending a plain HTML page, or
  - processing the query data and sending back a dynamically produced page to the client.

8 The web server
- Common examples: Apache, IIS.
- These servers, and the hosts they run on, have their own security problems.
- Server-side programming: Perl, ASP (JScript/VBScript), PHP, C

9 The DBMS
- SQL DBMS: Microsoft SQL Server, Oracle, MySQL, DB2
- These DBMSs also have their own security problems.

10 Attacks: on the server
- Using "out of the box" security holes to gain escalated privileges or execute commands on the server.
- Make the server do something it is not supposed to do.
- Examples: ColdFusion, Showcode.asp, FrontPage, etc. etc. etc.

11 Attacks: through holes found using a common security scanner
- Scanners simply request a fixed file name to see whether the file exists or not.
- This assumes the exploitable files or server have not been patched, so it can produce false positives.
- Old techniques, but effective. EASY to protect against.
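Because a scanner of this kind asks for the same fixed file names on every host, the same property that makes it crude makes it easy to spot in the web server's own access log. The following is an added example (not part of the slides) in Python: it parses constructed Apache-style common-log lines and reports any client that requests several distinct paths from a known-probe list. The probe list is assembled for the example from the sample files the slides mention (ColdFusion, Showcode.asp, FrontPage); a real detector would load a maintained list, and the log lines are made up.

```python
import re
from collections import defaultdict

# One "common log format" line: client, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Paths that scanners of this generation request blindly. Constructed for the
# example from the slide's own examples; a real detector would load a maintained list.
PROBE_PATHS = {
    "/msadc/samples/selector/showcode.asp",  # IIS sample script (Showcode.asp)
    "/_vti_bin/shtml.dll",                   # FrontPage server extensions
    "/cfdocs/expeval/exprcalc.cfm",          # ColdFusion sample script
}

# Constructed sample log: one ordinary client and one host walking a probe list.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
192.0.2.7 - - [10/Oct/2000:13:55:40 -0700] "GET /msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../boot.ini HTTP/1.0" 404 210
192.0.2.7 - - [10/Oct/2000:13:55:41 -0700] "GET /_vti_bin/shtml.dll HTTP/1.0" 404 210
192.0.2.7 - - [10/Oct/2000:13:55:42 -0700] "GET /cfdocs/expeval/ExprCalc.cfm HTTP/1.0" 404 210
10.0.0.5 - - [10/Oct/2000:13:56:01 -0700] "GET /missing.gif HTTP/1.0" 404 210
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalise_path(path):
    """Drop the query string and case so probe paths compare reliably."""
    return path.split("?", 1)[0].lower()


def find_scanners(log_text, min_probes=3):
    """Map client IP -> distinct known probe paths it requested, keeping only
    clients with at least min_probes of them. The status code is deliberately
    ignored: a 404 means the probe failed, a 200 means the file is really there."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalise_path(rec["path"])
        if path in PROBE_PATHS and path not in hits[rec["ip"]]:
            hits[rec["ip"]].append(path)
    return {ip: paths for ip, paths in hits.items() if len(paths) >= min_probes}


if __name__ == "__main__":
    for ip, paths in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} known probe paths -> {paths}")
```

The ordinary client's single 404 never appears in the result, because the rule counts distinct known probe names rather than error responses; that is what keeps the detector from firing on a broken image link.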

12 Attacks: on out-of-the-box applications
- The attacker can set up and audit the application in their own environment.
- If one goes down, they all do.
- Targets of common scanners.

13 Attacks: on custom applications
- More difficult to audit.
- "Black box" auditing techniques.
- Looks for common stupid mistakes.

14 Case one
- IIS security hole used to view ASP source.
- Database settings extracted from it.
- SQL server live on the Internet.
- Information from the server-side scripts used to connect to the SQL server directly.

15 Case two
- ASP not filtering input.
- Able to directly manipulate the SQL query.
- Manipulating the SQL query extracts a valid cookie and creates the password.
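What "ASP not filtering input" means in practice is that the login page pastes the client's text straight into the SQL string it sends to the database. The following is an added example (not from the slides) that reproduces case two in Python with an in-memory SQLite table standing in for the ASP page and its SQL Server: the unfiltered query hands an attacker the admin session cookie, while the parameterised version of the same query does not. The table, users and cookie values are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the site's user table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, session_cookie TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct horse", "SID=9f2a7c1e"), ("bob", "hunter2", "SID=44c10b77")],
    )
    return conn


def login_unfiltered(conn, username, password):
    """The slide's bug: client input is pasted straight into the SQL text, so a
    quote in the input ends the string literal and the rest becomes SQL."""
    sql = ("SELECT username, session_cookie FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def login_parameterised(conn, username, password):
    """Fix: the values travel separately from the statement, so quotes and
    comment markers inside them are data, never SQL."""
    sql = "SELECT username, session_cookie FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    """Run the same attacker input through both versions and return the rows."""
    conn = make_db()
    # Close the quote, then comment out the password check that follows.
    evil_user = "admin' --"
    stolen = login_unfiltered(conn, evil_user, "anything")
    blocked = login_parameterised(conn, evil_user, "anything")
    return stolen, blocked


if __name__ == "__main__":
    stolen, blocked = demo()
    print("unfiltered query returned:", stolen)      # ('admin', 'SID=9f2a7c1e')
    print("parameterised query returned:", blocked)  # None
```

With the attacker's username the unfiltered statement becomes `... WHERE username = 'admin' --' AND password = 'anything'`, and everything after `--` is a comment: the database returns the admin row, cookie included, without any password at all. The parameterised query looks for a user literally named `admin' --` and finds nothing.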

16 The problems?
- Unfiltered user input.
- User data is not checked and can be crafted to manipulate processing on the server, to reveal file contents or to bypass checks and gain access.
- A back door straight to the crown jewels.
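The "reveal file contents" half of this slide, and the source-disclosure step of case one on slide 14, both come down to a script that builds a file path from something the client typed. The following is an added example in Python (not code from the slides): an unfiltered file-serving function that lets `../` walk out of the web root and read a configuration file holding database credentials, next to a version that resolves the path first and refuses anything outside the root. The directory layout, file names and credentials are constructed for the example in a temporary directory.

```python
import os
import tempfile


def unsafe_read(web_root, requested):
    """VULNERABLE: trusts the client-supplied path. "../x" or an absolute
    path escapes the web root because os.path.join does not check for that."""
    with open(os.path.join(web_root, requested), "rb") as f:
        return f.read()


def is_within_root(web_root, requested):
    """True only if the fully resolved target (symlinks and '..' included)
    is the web root itself or a descendant of it. commonpath, not a string
    prefix test, so '/srv/htdocs-old' is not mistaken for '/srv/htdocs'."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested))
    return os.path.commonpath([root, target]) == root


def safe_read(web_root, requested):
    """Fixed: resolve first, then refuse anything outside the web root."""
    if not is_within_root(web_root, requested):
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    target = os.path.realpath(os.path.join(os.path.realpath(web_root), requested))
    with open(target, "rb") as f:
        return f.read()


def build_fixture():
    """Constructed layout: a web root with one page, and a config file with
    database credentials one level above it (outside what clients may read)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")
    os.makedirs(web_root)
    with open(os.path.join(web_root, "index.html"), "wb") as f:
        f.write(b"<h1>hello</h1>")
    with open(os.path.join(base, "global.asa"), "wb") as f:
        f.write(b"DB_USER=sa\nDB_PASSWORD=sa\n")  # made-up credentials
    return base, web_root


def demo():
    """Return what the unsafe reader leaks, whether the safe reader refused
    the same request, and the safe reader's answer for a legitimate page."""
    base, web_root = build_fixture()
    leaked = unsafe_read(web_root, "../global.asa")
    try:
        safe_read(web_root, "../global.asa")
        blocked = False
    except PermissionError:
        blocked = True
    return leaked, blocked, safe_read(web_root, "index.html")


if __name__ == "__main__":
    leaked, blocked, page = demo()
    print("unsafe reader leaked:", leaked)
    print("safe reader refused the same request:", blocked)
    print("safe reader served:", page)
```

The check is done on the resolved path rather than by searching the input for `..`, so encoded or symlinked variants of the same escape are caught as well; the credentials in `global.asa` are exactly the "database settings" that case one turned into a direct connection to the SQL server.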

17 The enablers
- Reliance on cryptography for security
- Security through obscurity
- Poor development
- Poor experience
- Limited resources
- Awareness
- Monitoring and plan

18 The solution(s)
- Good initial setup
- Programming practices
- Internal audits
- Awareness
- Updates, patches and hotfixes

19 The solution(s)
- Intrusion detection
- Network design
- System architecture

20 Security analogy
- Moat / main gate: the outer perimeter, controlling castle access.
- Inner perimeter: the stronghold; higher walls produce a containment area between the inner and outer perimeters.
- Keep: the last building in the castle to fall.

21 Internet security
- Internet -> outer perimeter (firewall) -> DMZ -> internal firewall (inner perimeter) -> internal network (stronghold) -> mission-critical systems (the keep, holding the crown jewels)

