Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web2.0 Secure Development Practice Bruce Xia

Published byNorah Wright Modified over 9 years ago

Similar presentations

Presentation on theme: "Web2.0 Secure Development Practice Bruce Xia"— Presentation transcript:

1 Web2.0 Secure Development Practice Bruce Xia brucexym@gmail.com

2 Agenda Background User Access Control Session Management Output Filtering Data Security and Misc

3 Background Phishing A.A. XSS Info leakage CSRF Web2.0 Top 5 Authentication and Authorization

4 Continue… Background User Access Control Session Management Output Filtering Data Security

5 Access Control (1)

6 Access Control (2) – Hiding UI is not a secure way to do authentication. – Do not use Javascript/VBscript to determine actions only.  Do not depend on client side control

7 Access Control (3) – Did not check if the resource is belong to the specific user. http://www.xxxx.com/mblog/delete.php?userID=98522&blogID=5843258546&rnd=0.6626736132893711  Always check data ownership

8 www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass =xxxxx&type=1 – HTTP request parameters in URL or in POST form data is easy to be modified. Access Control (4) from=LoginSuccess  Do not rely on any flag parameters

9 www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass =xxxxx&type=1 (“from” was validated already in session) – Critical operations and external published URLs is not protected Access Control (5)  Protect critical operations (CSRF)

10 Access Control (6) www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass=xxxxx &type=1 Ticket = SHA(username+secureKey) Ticket = SHA(username+secureKey+nonce) – Add nonce or timestamp in important actions request.  Protect for replay attack

11 Continue… Background User Access Control Session Management Output Filtering Data Security and Misc

12 Session Management  Clear sessions after login or logout  Cookie management – Protect for cookie value that only used by server – Life time setting – “Secure" and “HttpOnly" flag – Domain name and path

13 Continue… Background User Access Control Session Management Output Filtering Data Security and Misc

14 Output Filtering – XSS  Filtering user data by APIs – Output any user data, filter with proper encoding API. – JSON data encoding method.  Run code scan tool

15 Continue… Background User Access Control Session Management Output Filtering Data Security and Misc

16  URL Redirection  Monitor unusual account activity  HTTPS – Verify CN – Verify date validity – CRL query  Save important data Phishing and Data Security

17 Information Leakage  POST method  HTTP Trace  Unify same message  Personal information

18 Information leakage  Do not include any sensitive information in error message / exception content

19 Misc  Use standard algorithms  AES with hash  DES, MD5  Math.random and java.util.Random  Page Charset

20 Summarize Phishing A.A. XSS Info leakage CSRF We’ve discussed

21 Thank you! brucexym@gmail.com

Download ppt "Web2.0 Secure Development Practice Bruce Xia"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google