Published by Elinor Cox. Modified over 9 years ago.
Slide 1: COMP9321 Web Application Engineering, Semester 2, 2015
Dr. Amin Beheshti, Service Oriented Computing Group, CSE, UNSW Australia
Week 9 (COMP9321, 15s2, Week 9)
http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2411
Slide 2: Assignment 2
The due date for Assignment 2 is Sunday, October 4 2015, 23:59:59 (end of the mid-semester break). Demo: Week 10 (the week starting 5 October), during the lab times. UNSW CSE calendar: http://www.cse.unsw.com/about-us/organisational-structure/student-services/calendar/
Slide 3: Assignment 3
Released…
Slide 4: Introduction to Web Application Security
Acknowledgements: This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc., Sydney, Australia, and from the Open Web Application Security Project (OWASP), http://www.owasp.org
Slide 5: Introduction to Web Application Security
Warning: The objective of this presentation is to show you common security loopholes appearing in Web applications. However, it is not meant to encourage you to attack web applications. Such actions are both a breach of the law in most countries, and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university.
Slide 6: Securing your Web Application
Slide 7: Securing your Web Application: Threats!
Slide 8: Securing your Web Application: Threats!
Slide 9: Securing your Web Application: Threats!
Slide 10: Securing your Web Application: Threats!
Slide 11: Securing your Web Application: Requirements!
Slide 12: SQL Injection
Slides 13-14: SQL Injection
SQL injection is a code injection technique used to attack data-driven applications. How: malicious SQL statements are inserted into an entry field for execution.
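How text typed into an entry field can rewrite the query, and how a prepared statement prevents it, as an added Python/SQLite example that is not code from the lecture; the users table, the two accounts and the tautology input are constructed for the demonstration:

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    return conn


def login_vulnerable(conn, username, password):
    # The statement is built by string concatenation, so whatever the user
    # types becomes part of the SQL text and is parsed as SQL by the engine.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Prepared statement: the SQL text is fixed and the values are bound
    # separately, so the input can only ever be compared as a literal string.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    conn = make_db()
    injected = "' OR '1'='1"  # the classic tautology entered in the password field
    return {
        "vuln_correct": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_injected": login_vulnerable(conn, "alice", injected),
        "param_correct": login_parameterized(conn, "alice", "correct horse"),
        "param_injected": login_parameterized(conn, "alice", injected),
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated query accepts the tautology because the WHERE clause becomes `... AND password = '' OR '1'='1'`, while the bound parameter is simply a password that matches no row.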
Slide 15: SQL Injection: What is wrong?
Slide 16: SQL Injection: What is wrong?
Slide 17: SQL Injection: What is wrong?
Slide 18: SQL Injection: What is wrong?
Slide 19: SQL Injection: Summary!
Slide 20: SQL Injection: Prevention!!
Slide 21: Cross Site Scripting (XSS)
Slides 22-23: Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.
Slide 24: Cross Site Scripting (XSS): What is wrong?
Slide 25: Cross Site Scripting (XSS): What is wrong?
Suppose the victim is given this URL by the attacker (www.badguy.com):
Slide 26: Cross Site Scripting (XSS): What is wrong?
Suppose the victim is given this URL by the attacker (www.badguy.com):
The web page would then be injected with the following script:
Slide 27: Cross Site Scripting (XSS): Summary!
Slide 28: Cross Site Scripting (XSS): Prevention!!
Slide 29: Cross Site Scripting (XSS): Prevention!!
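Output encoding, the prevention technique the slides above name for the reflected script described on slides 22-26, as an added Python example that is not code from the lecture; the greeting page, the render_* functions and the payload strings are constructed for the demonstration, and the attribute case goes slightly beyond the slides by covering a second HTML context:

```python
from html import escape


def render_greeting_unsafe(name):
    # Reflects the request parameter straight into the page, so any markup
    # in `name` is interpreted by the browser as part of the document.
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    # HTML body context: <, >, &, " and ' become entities, so the browser
    # displays the text and never parses it as a tag or script.
    return "<p>Hello, " + escape(name, quote=True) + "</p>"


def render_attribute_safe(value):
    # Attribute context: quote=True also encodes the quote characters, so the
    # value cannot terminate the attribute and introduce a new one.
    return '<input name="q" value="' + escape(value, quote=True) + '">'


def contains_tag(html_out, tag):
    # Crude check used only to compare the two renderings.
    return ("<" + tag) in html_out.lower()


def demo():
    # Constructed inputs of the kind a reflected-XSS slide shows.
    body_payload = "<script>alert(1)</script>"
    attr_payload = '" onmouseover="alert(1)'
    return {
        "unsafe_has_script": contains_tag(render_greeting_unsafe(body_payload), "script"),
        "safe_has_script": contains_tag(render_greeting_safe(body_payload), "script"),
        "attr_safe": render_attribute_safe(attr_payload),
    }


if __name__ == "__main__":
    print(demo())
```

Encoding is applied at the point of output, per context, rather than by rejecting input, which is the behaviour a JSP/servlet tag library or template engine should provide by default.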
Slide 30: Cross Site Request Forgery (CSRF)
Slides 31-33: Cross Site Request Forgery (CSRF)
Cross-site request forgery, abbreviated CSRF or XSRF and also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software… Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
Slide 34: Cross Site Request Forgery (CSRF)
Slide 35: Cross Site Request Forgery (CSRF)
Slide 36: Cross Site Request Forgery (CSRF): Prevention!!
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.
Slide 37: Unvalidated Input
Slide 38: Unvalidated Input
Slide 39: Unvalidated Input
Slide 40: Unvalidated Input: Summary
Slide 41: Unvalidated Input: Prevention!
Slide 42: Broken Authentication
Slide 43: Broken Authentication
Slide 44: Fixing Authentication: How To?!
Slide 45: Fixing Authentication: Salting Passwords!
In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks. For example, the salt and the password can be concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) can be stored with the salt in a database.
Slides 46-47: Fixing Authentication: Salting Passwords!
Why add salt? If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks to storing only the password's hash:
1. Due to the birthday paradox, the attacker can find a password very quickly, especially if the number of passwords in the database is large. (In probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. See: http://en.wikipedia.org/wiki/Birthday_paradox)
2. An attacker can use a list of precomputed hashes to break passwords in seconds. (A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. See: http://en.wikipedia.org/wiki/Rainbow_table)
Slide 48: Fixing Authentication: Salting Passwords!
In order to solve these problems, a salt can be concatenated to the password before the digest operation. A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password. In this configuration, an attacker must mount a brute-force attack on each individual password. The database is now birthday attack/rainbow crack resistant.
Brute-force attack: …consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.
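The scheme of slides 45-48 (a fixed-length random salt that differs per entry, salt || password through a cryptographic hash, the salt stored in clear beside the digest and the password never stored) as an added Python example, not code from the lecture; the function names, the 16-byte salt length and the sample password are assumptions:

```python
import hashlib
import hmac
import secrets

SALT_BYTES = 16  # assumed fixed salt length; a fresh random value per stored entry


def hash_unsalted(password):
    # What the slides warn against: equal passwords give equal digests.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_salted(password, salt):
    # The slide's construction: concatenate salt and password, then hash.
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(password):
    # What the database row holds: the salt in clear text next to the digest.
    salt = secrets.token_bytes(SALT_BYTES)
    return {"salt": salt.hex(), "digest": hash_salted(password, salt)}


def verify(record, candidate):
    # Recompute with the stored salt; compare_digest avoids a timing side channel.
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["digest"], hash_salted(candidate, salt))


def demo():
    alice = make_record("hunter2")
    bob = make_record("hunter2")  # same password, different user, different salt
    return {
        "unsalted_equal": hash_unsalted("hunter2") == hash_unsalted("hunter2"),
        "salted_equal": alice["digest"] == bob["digest"],
        "alice_ok": verify(alice, "hunter2"),
        "alice_wrong": verify(alice, "hunter3"),
    }


if __name__ == "__main__":
    print(demo())
```

A single SHA-256 round is used here because that is the construction the slides describe; a production store would substitute a deliberately slow password hash (bcrypt, scrypt or PBKDF2) so that the per-password brute force the slide mentions is also expensive.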
Slide 49: Fixing Authentication: Salting Passwords!
Slide 50: Fixing Authentication: Salting Passwords!
Slide 51: Fixing Authentication: Salting Passwords!
Slide 52: Session Management
Slide 53: Session Management: Problem or Solution?!
Slide 54: Session Management: Problem or Solution?!
Slide 55: Session Management: Problem or Solution?!
Slide 56: Transport Layer Security
Slide 57: Transport Layer Security (e.g. HTTPS)
Slide 58: Transport Layer Security (e.g. HTTPS)
Slide 59: HTTPS: Basics…
Slide 60: HTTPS: Public-Key Cryptography
Slide 61: HTTPS: Shared-Key Cryptography
Slide 62: HTTPS: Hashing
Slide 63: HTTPS: Certificates
Slide 64: HTTPS: Signatures
Slide 65: HTTPS: How to? … Limitations?!
How to? Follow the steps at: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Slide 66: Application Layer Security
Slide 67: References
http://www.owasp.org
https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html