Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Security Raymond Camden

Published byJemimah Rice Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Application Security Raymond Camden"— Presentation transcript:

1 Web Application Security Raymond Camden jedimaster@allaire.com

2 What We Will Discuss… Identify and Protect Input Points Security Through Obscurity… Cross-site scripting Web Server Tips Resources Q & A

3 Input Points Web communication is stateless Page A passes information to Page B – URL parameters – Form fields – Cookies

4 Input Points – URL parameters Visible to the user Easy to change

5 Input Points – Form variables Like URL variables, form variables should be checked before being passed to SQL Don’t rely on JavaScript checking Hidden fields are harder to change, but not impossible

6 Input Points – Cookies Don’t store information in unencrypted form Treat them just like URL vars.

7 Security Through Obscurity… Is not really security! If you are going to do it, do it right. Keep includes and custom tags out of the web root. Encrypt URL values, give them weird names.

8 Cross-site scripting Again, it’s the input! User input displayed on screen, and in context For more info, see: http://www.cert.org/advisories/CA-2000-02.html

9 Web Server Tips Turn off Directory Browsing! Beware IIS and +.htr and ::$DATA This URL patches +.htr – http://www.microsoft.com/technet/security/bulletin/m s00-031.asp http://www.microsoft.com/technet/security/bulletin/m s00-031.asp Info on ::$DATA – http://www.allaire.com/handlers/index.cfm?ID=8729 &Method=Full

10 Resources Allaire’s Security Zone – http://www.allaire.com/developer/SecurityZone/ Security Best Practices – http://www.allaire.com/handlers/index.cfm?id=10956 &method=full

11 Q & A Contact Information: – jedimaster@allaire.com jedimaster@allaire.com

Download ppt "Web Application Security Raymond Camden"

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
CIS 451: ASP Sessions and Applications Dr. Ralph D. Westfall January, 2009.

CIS 451: ASP Sessions and Applications Dr. Ralph D. Westfall January, 2009.
Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.

Forms Review. 2 Using Forms tag  Contains the form elements on a web page  Container tag tag  Configures a variety of form elements including text.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
Using CGIDEV2 Examples. Web Resources Partner 400 Scott Klement

Using CGIDEV2 Examples. Web Resources Partner Scott Klement
FORESEC Academy FORESEC Academy Security Essentials (II)

FORESEC Academy FORESEC Academy Security Essentials (II)
Client-Side programming with JavaScript 3

Client-Side programming with JavaScript 3

Similar presentations

Ads by Google