Web app security
Transcript of Web app security
![Page 1: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/1.jpg)
Secure Java Coding Practices
Araf Karsh Hamid
June, 2006
![Page 2: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/2.jpg)
Agenda
- Rich Internet Applications: History; Architecture; Nothing New
- Security: Threats, Vulnerabilities & Defense; Web Application Firewalls; Web Application Security Concerns
- Secure Java Coding Practices
![Page 3: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/3.jpg)
Rich Internet Apps – History
![Page 4: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/4.jpg)
Rich Internet Apps
AJAX vs. Traditional Web Applications
![Page 5: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/5.jpg)
Security
- Threats, Vulnerabilities & Defense
- Web Application Firewalls
- Web Application Security Concerns
![Page 6: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/6.jpg)
Threats, Vulnerabilities & Defense
![Page 7: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/7.jpg)
Web Security
Web Application Firewalls
![Page 8: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/8.jpg)
Web Application Security &
Secure Java Coding Practices
![Page 9: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/9.jpg)
Top 10 Web Vulnerabilities
1. Unvalidated Inputs
2. Cross-Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Broken Authentication and Session Management
6. Insecure Direct Object References
7. Cross-Site Request Forgery (CSRF)
8. Security Misconfiguration
9. Insecure Cryptographic Storage
10. Failure to Restrict URL Access
11. Insufficient Transport Layer Protection
![Page 10: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/10.jpg)
Un-validated Input
- An attacker can change any value of the input submitted to the web server
- Re-validate all the inputs at the server
- Take only the necessary information (user input) from a form submission
![Page 11: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/11.jpg)
Un-validated Input (Problem)
![Page 12: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/12.jpg)
Unvalidated Input (Fixed)
![Page 13: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/13.jpg)
Cross Site Scripting
- Attacker
  - Injects code into the input data
  - Hides malicious code with Unicode
- Counter measures
  - Input validation
  - Input length check
![Page 14: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/14.jpg)
Cross Site Scripting (Problem)
![Page 15: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/15.jpg)
Cross Site Scripting (Fixed)
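The code on the Problem/Fixed slides is not in this transcript. As an added example (not the slides' code) covering both the Un-validated Input and Cross Site Scripting slides above, the class below takes only the one field the form needs, re-validates it on the server against an ASCII whitelist with a length check (so a payload disguised with Unicode is rejected rather than decoded), and HTML-encodes the value before echoing it into the page. It assumes the `javax.servlet` API on the classpath; the field name `displayName` is made up for the example.

```java
// Added example (not from the slides): server-side re-validation of a form
// field and HTML encoding of anything echoed back into the page.
// Assumes the Servlet API (javax.servlet) is on the classpath.
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

public final class InputGuard {
    private static final int MAX_LEN = 40;
    // Whitelist: ASCII letters, digits, space and a few punctuation marks.
    // Java's \p{Alnum} is ASCII-only by default, so Unicode look-alikes fail here.
    private static final Pattern DISPLAY_NAME =
            Pattern.compile("^[\\p{Alnum} .'-]{1,40}$");

    /** Returns the trimmed value if it passes the whitelist, otherwise null. */
    public static String validDisplayName(String raw) {
        if (raw == null) return null;
        String v = raw.trim();
        // Length check first, so the regex never sees an oversized input.
        if (v.isEmpty() || v.length() > MAX_LEN) return null;
        return DISPLAY_NAME.matcher(v).matches() ? v : null;
    }

    /** Encode for an HTML text context so any markup renders as plain text. */
    public static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '&':  out.append("&amp;");  break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // allowed by the whitelist (O'Brien)
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Read only the one field this form needs; ignore everything else submitted. */
    public static String greeting(HttpServletRequest req) {
        String name = validDisplayName(req.getParameter("displayName"));
        if (name == null) {
            return "<p>Please enter a valid display name.</p>";
        }
        // Encoding stays in place even though the whitelist is strict: the two
        // controls are independent, so loosening one later does not open the page.
        return "<p>Welcome, " + htmlEncode(name) + "</p>";
    }
}
```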
![Page 16: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/16.jpg)
SQL Injection
- Attacker
  - Can inject system commands
  - Can inject other SQL
  - Can override access checks
- Examples
  - Add more commands: “; select * from users;”
  - Override access: “’ OR 1=1;”
- Counter measures
  - Use prepared statements in SQL
  - Run with limited privileges
  - Filter / validate the input
![Page 17: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/17.jpg)
SQL Injection (Problem)
![Page 18: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/18.jpg)
SQL Injection (Fixed)
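The Problem/Fixed code is not in this transcript. As an added example (not the slides' code), here is the same user lookup built by string concatenation, where the slide's “’ OR 1=1” becomes part of the query text, and then with a `PreparedStatement`. The table `users(id, name)` is assumed.

```java
// Added example (not the slides' code): a user lookup built by string
// concatenation, then the same lookup with a PreparedStatement.
// Table users(id, name) is assumed. Open the Connection as a database account
// that has only the SELECT rights this code needs ("run with limited privileges").
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public final class UserLookup {

    /** PROBLEM: the input is pasted into the SQL text, so a quote closes the
     *  literal and the rest of the value is parsed as SQL; the slide's
     *  ' OR 1=1 turns the WHERE clause into one that matches every row. */
    public static long findUserIdUnsafe(Connection c, String name)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name + "'";
        try (Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next() ? rs.getLong("id") : -1L;
        }
    }

    /** FIXED: the SQL text is constant; the value is bound as a parameter by
     *  the driver and is never parsed as SQL, whatever characters it holds. */
    public static long findUserId(Connection c, String name)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ?";
        try (PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getLong("id") : -1L;
            }
        }
    }
}
```

Input validation (the slide's third counter measure) still belongs in front of `findUserId`; the prepared statement is what removes the injection, validation narrows what reaches the database at all.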
![Page 19: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/19.jpg)
Improper Error Handling
- Attacker
  - Gets system information
  - Gets database information
- Examples
  - Stack (thread) traces
  - Database dump
- Counter measures
  - Sanitize the error message
  - Avoid sending stack traces to the end user
  - Customize error pages (HTTP errors such as 404)
![Page 20: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/20.jpg)
Improper Error Handling (Problem)
![Page 21: Web app security](https://reader036.fdocuments.in/reader036/viewer/2022081414/54b7ad044a79590e468b460e/html5/thumbnails/21.jpg)
Improper Error Handling (Fixed)
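The Problem/Fixed code is not in this transcript. As an added example (not the slides' code), the servlet below logs the full exception on the server under a random reference id and returns only a generic message to the browser, so neither a stack trace nor database detail reaches the user. It assumes the `javax.servlet` API on the classpath; `renderReport` is a stand-in for the real page logic.

```java
// Added example (not the slides' code): catch the failure, log the full
// stack trace server-side under a correlation id, and send the user only a
// generic page. Assumes the Servlet API (javax.servlet) on the classpath.
import java.io.IOException;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ReportServlet extends HttpServlet {
    private static final Logger LOG = Logger.getLogger(ReportServlet.class.getName());

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/html;charset=UTF-8");
        try {
            resp.getWriter().println(renderReport(req.getParameter("id")));
        } catch (Exception e) {
            // The reference id lets support find the real trace in the server
            // log; the trace itself never leaves the server.
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "report failed, ref=" + ref, e);
            resp.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            resp.getWriter().println(
                "<p>Something went wrong. Reference: " + ref + "</p>");
        }
    }

    // Hypothetical report renderer; it throws on bad input to exercise the
    // catch block above (a database or file error would take the same path).
    private String renderReport(String id) {
        if (id == null || !id.matches("\\d{1,9}")) {
            throw new IllegalArgumentException("bad report id");
        }
        return "<p>Report " + id + "</p>";
    }
}
```

For errors the container raises itself (a 404, or a 500 from an exception nobody caught), map them with `<error-page>` entries in web.xml to a static page so the container's default error page is never shown.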