Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru.

Published byPenelope Tiffany Mills Modified over 9 years ago

Similar presentations

Presentation on theme: "1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru."— Presentation transcript:

1 1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru

2 2 Overview Define Web Applications Importance of Web Application Security Framework for secure Web Applications Attacks and vulnerabilities on Web Applications Client/server verification (pros/cons) Secure Programming Tools (SPI Dynamics’ WebInspect, ISS)

3 3 Web Applications: What are they? An application generally comprised of a collection of scripts that reside on a web server. Interact with databases or other sources of dynamic content Examples include: webmail, online banking, portal systems, etc.

4 4 Good Programming=Good Security

5 5 Importance of Web Application Security Web Apps are becoming more prevalent and more sophisticated Critical to online transactions and information processing Protecting privacy and following regulation such as HIPAA and Sarbanes-Oxley

6 6 Framework for Web Application Security Framework for web developers to develop secure code Involves identifying and implementing responses to existent security issues S.W.A.T. (Secure Web Applications through Testing)

7 7 Web Application Pitfalls

8 8 Types of Attacks and Vulnerabilities SQL Injection Attacks Improper input verification Default methods Form processing methods GET & POST / Querystring information “ELSE” programming Educated Guessing

9 9 Mechanisms of Vulnerability Discovery Server fingerprinting  Determine capabilities  Determine technology Using Error Messages  IE – disable friendly error messages  Deliberate access of wrong pages Observing behavior in the presence of unexpected variables

10 10 Mechanisms of Vulnerability Protection Brute force lockouts Re-authenticate when necessary Encrypt databases (prevent download) Strong file/directory naming convention Session-based authentication and access Validate all input no matter how trivial TEST, TEST, TEST Don’t rely solely on the client Never pass in headers/auto-fill critical info

11 11 Client/Server Side Validation Scripts Pros  Immediate response  Give server a break  High user interaction Cons  Easily bypassed  Puts security in user’s hands  No database connectivity to verify authentication data SOLUTION = Client + Server Redundancy

12 12 What you will do in the lab Exploit vulnerabilities in a realistic web application to:  Get accepted to Georgia Tech  Register for classes before timeticket  Get tuition paid for free and a check back  Change your grades to something “more appealing”

13 13 What you will do in the lab

14 14 What you will do in the lab

15 15 What you will do in the lab

16 16 What you will do in the lab

17 17 What you will do in the lab

18 18 What you will do in the lab

19 19 What you will do in the lab

20 20 QUESTIONS?

Download ppt "1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru."

Similar presentations

Module XIV SQL Injection

Module XIV SQL Injection
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.

DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.

Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do
Team - CA CSCI 5234 Web Security.  Collect and document information of ecommerce security mechanisms.  Using: wiki engine for collaboration.

Team - CA CSCI 5234 Web Security.  Collect and document information of ecommerce security mechanisms.  Using: wiki engine for collaboration.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.

MOBILE DEVICE SECURITY. WHAT IS MOBILE DEVICE SECURITY? Mobile Devices  Smartphones  Laptops  Tablets  USB Memory  Portable Media Player  Handheld.
Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.

Validation Controls. Validation Server Controls These are a special type of Web server control. They significantly reduce some of the work involved in.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google