Web Application Security
Transcript of Web application security
Components & Architecture
Security Threats
• Cross-site scripting
• SQL injection
• Denial-of-service attack
• Brute force attack
• Remote file inclusion
• Man-in-the-middle attack
• Other server-side threats
Cross-site scripting (XSS)
• Allows an attacker to inject their own malicious script into a web page so that it is executed by the victim's browser, in the security context of the vulnerable site (same cookies, same session)
• Vulnerability commonly seen in:
– Search results that display back the text that was entered
– Error messages that display the text that caused the error
– Forms which are filled out whose values are later displayed to the user
– Web message boards where users can post messages
Defense tactics
• Write an HTMLEncode and apply it to every piece of untrusted data before it is written into a page: encode &, <, >, " and ' as entity references so the data is rendered as text instead of being parsed as markup
• Encode for the output context: HTML-encoding is right for element content and quoted attribute values; data placed into JavaScript, CSS or URLs needs that context's own escaping
• Validate input on the server as a second layer; client-side checks alone stop nothing
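A worked HTMLEncode, added here as an example and not taken from the slides, applied to the reflected search page the slide describes. Everything in it (the function names, the page templates and the two attacker inputs) is constructed for the illustration; `html.escape` from the standard library is used only to cross-check the hand-written encoder.

```python
import html

# Added example (not from the slides): a hand-written HTMLEncode and the
# reflected-search page from the slide, rendered with and without it.


def html_encode(text):
    """Replace the characters that can change HTML structure (& < >) or end a
    quoted attribute value (" ') with entity references."""
    replacements = {
        "&": "&amp;",
        "<": "&lt;",
        ">": "&gt;",
        '"': "&quot;",
        "'": "&#x27;",
    }
    return "".join(replacements.get(ch, ch) for ch in text)


def search_page_vulnerable(query):
    """Reflects the search term straight into the markup, like the slide's
    'search results that display back the text that was entered'."""
    return f"<p>Results for: {query}</p>"


def search_page_safe(query):
    """Same page, but the untrusted term is encoded for element content."""
    return f"<p>Results for: {html_encode(query)}</p>"


def search_box_safe(query):
    """Attribute context: the query is echoed back into a quoted value.
    Because html_encode also encodes the quote characters, the input cannot
    close the attribute and start a new one such as onfocus=..."""
    return f'<input name="q" value="{html_encode(query)}">'


def count_script_tags(markup):
    """Crude check used only to show the difference: how many <script start
    tags the browser would see in the markup."""
    return markup.lower().count("<script")


# Constructed attacker inputs, one for each output context above.
SCRIPT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(1)'

if __name__ == "__main__":
    print(search_page_vulnerable(SCRIPT_PAYLOAD))  # browser runs the script
    print(search_page_safe(SCRIPT_PAYLOAD))        # browser shows it as text
    print(search_box_safe(ATTRIBUTE_PAYLOAD))      # stays inside value="..."
    assert html_encode(SCRIPT_PAYLOAD) == html.escape(SCRIPT_PAYLOAD)
```

The attribute example is the reason the encoder must cover both quote characters: encoding only `<` and `>` would still let the second payload break out of `value="..."` and add an event handler.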
SQL Injection
• The attacker places SQL syntax in user input so that it becomes part of the statement the application sends to the database
• Used by attackers to:
– Gain confidential information (credit card numbers, account details etc.)
– Bypass authentication and authorization
– Perform unauthorized updates or deletions
• Injection occurs through:
– Input fields (e.g. UserID and Password entry)
– Query string (values added to the website's URL)
– Manipulated values in HTML (hidden form fields and any other value the client controls)
Web applications take user input and build an SQL statement which they send to the database:
UserID: Test
Password: 123
Select * from Users where UserID = 'Test' and Password = '123';
Drop example:
UserID: Test'; drop table users; --
Password: 123
Select * from Users where UserID = 'Test'; drop table users; -- and Password = '123';
The application pastes the input into the statement text, so the attacker's closing quote ends the intended string, the semicolon starts a second statement, and -- comments out the password check. Whether the second statement really runs depends on the database driver allowing stacked queries, but the same mistake is exploitable with a single statement: a Password of ' OR '1'='1 makes the WHERE clause always true.
SQL Injection Defense
• It is quite simple in principle: user input must never become part of the SQL text
• Use parameterized queries (prepared statements) or an ORM that binds the values separately from the statement, so the database never parses input as SQL
• Check all input (type, length, allowed characters) as a second layer; input validation on its own is not a complete defense
• Web applications should not directly build SQL statements based on user input
• Run the application's database account with the least privilege it needs (no DROP TABLE rights, for example) so that an injection that does get through can do less damage
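The slide's Users table and login query, worked through as an added example (not the slides' own code) with Python's built-in sqlite3 module. The table, the single row and the two attacker inputs are constructed for the illustration; `run_stacked` is a deliberately naive stand-in for a driver that allows several statements per call, which sqlite3's `execute()` refuses.

```python
import sqlite3

# Added example (not from the slides): the slide's login query built unsafely
# by string formatting and safely with bound parameters.


def make_db():
    """Constructed in-memory database holding the single row from the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Test', '123')")
    conn.commit()
    return conn


def build_sql_unsafely(user_id, password):
    """The pattern from the slide: user input pasted into the statement text."""
    return (f"SELECT * FROM Users WHERE UserID = '{user_id}' "
            f"AND Password = '{password}';")


def vulnerable_login_rows(conn, user_id, password):
    """Runs the concatenated statement with execute(). sqlite3 only accepts a
    single statement here, but one crafted statement is enough to change the
    query's logic: an always-true condition returns the row without the
    password being known."""
    return conn.execute(build_sql_unsafely(user_id, password)).fetchall()


def run_stacked(conn, sql):
    """Mimic a driver that allows stacked queries: run each ';'-separated
    statement in turn. Splitting on ';' ignores quoting and is only adequate
    for the slide's payload; comment-only fragments are skipped, as a real
    SQL parser would skip them. Returns the statements that ran."""
    ran = []
    for piece in sql.split(";"):
        stmt = piece.strip()
        if not stmt or stmt.startswith("--"):
            continue
        conn.execute(stmt)
        ran.append(stmt)
    return ran


def vulnerable_login_stacked(conn, user_id, password):
    """Same concatenation through the stacked-query executor: the slide's
    'drop table' payload now executes as a second statement."""
    return run_stacked(conn, build_sql_unsafely(user_id, password))


def safe_login(conn, user_id, password):
    """Parameterised query: the values travel separately from the statement,
    so they can never become SQL syntax. Returns the matching row or None."""
    cur = conn.execute(
        "SELECT * FROM Users WHERE UserID = ? AND Password = ?",
        (user_id, password))
    return cur.fetchone()


def users_table_exists(conn):
    cur = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Users'")
    return cur.fetchone() is not None


# Constructed attacker inputs: the slide's drop-table payload for the UserID
# field, and an always-true condition for the Password field.
DROP_PAYLOAD = "Test'; drop table users; --"
BYPASS_PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(vulnerable_login_rows(conn, "Test", BYPASS_PAYLOAD))  # row returned, wrong password
    print(safe_login(conn, "Test", BYPASS_PAYLOAD))             # None
    print(vulnerable_login_stacked(conn, DROP_PAYLOAD, "123"))  # second statement ran
    print("Users table still exists:", users_table_exists(conn))  # False
```

With parameters bound, both payloads are simply looked up as literal strings and match nothing; the statement's structure is fixed before the input is seen.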
Brute Force Attack
• A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN).
• In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.
A brute force attack may also be referred to as brute force cracking.
Preventing Brute Force Attack
• Implement an account lockout policy, or progressive delays and rate limiting per account and per source address; a plain lockout lets an attacker lock legitimate users out on purpose, so give it a time window and alert on it
• Another technique is to use a challenge-response test to prevent automated submissions of the login page, with tools such as the free reCAPTCHA
• Web applications should enforce the use of strong passwords, and store them as salted, slow hashes so that a stolen database cannot be cracked quickly offline
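An account lockout policy and a password-strength rule, added here as an example of the two server-side measures above (it is not code from the slides). The thresholds, the credential store and the common-password list are constructed assumptions; the store keeps plaintext only so the lockout logic stays visible, a real one holds salted, slow hashes.

```python
import hmac
import time
from collections import defaultdict

# Added example (not from the slides). Policy values are assumptions.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12

# Constructed credential store: plaintext for readability only.
USERS = {"alice": "correct horse battery staple"}

# Constructed deny-list standing in for a real list of common/leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "password123"}


def is_strong_password(password):
    """The slide's 'enforce strong passwords': a minimum length plus a check
    against common choices. Length is what costs a brute-force attacker."""
    return (len(password) >= MIN_PASSWORD_LENGTH
            and password.lower() not in COMMON_PASSWORDS)


class LoginGuard:
    """Counts failed logins per account and locks the account for a window
    once the limit is reached. `now` is injected so the policy is testable."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, username, now):
        until = self.locked_until.get(username)
        if until is None:
            return False
        if now >= until:                 # window expired: reset the account
            del self.locked_until[username]
            self.failures[username] = 0
            return False
        return True

    def attempt(self, username, password, now=None):
        """Returns 'ok', 'denied' or 'locked'. A locked account is refused even
        with the right password; the lock starts with the attempt after the
        one that reached the limit."""
        now = time.time() if now is None else now
        if self.is_locked(username, now):
            return "locked"
        if username in USERS and hmac.compare_digest(USERS[username], password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
        return "denied"


def simulate_guessing(guard, username, guesses, start=0.0):
    """Feed a wordlist to the login form one guess per second and report how
    many guesses were actually evaluated before the lockout stopped them."""
    evaluated = 0
    for i, guess in enumerate(guesses):
        result = guard.attempt(username, guess, now=start + i)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    wordlist = ["guess%d" % i for i in range(1000)] + ["correct horse battery staple"]
    print(simulate_guessing(LoginGuard(), "alice", wordlist))  # 5, not 1001
```

The simulation is the point of the example: with a limit of five failures an attacker evaluates five guesses per lockout window instead of the whole wordlist, which is what turns an online attack from minutes into years. The `hmac.compare_digest` call avoids a timing difference between near-miss and wrong passwords.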
DoS and DDoS
• An attempt to make a machine or network resource unavailable to its intended users
• One common method of attack involves saturating the target machine with external communications requests
• Such attacks usually lead to a server overload; in a distributed DoS (DDoS) the requests come from many compromised hosts at once, so blocking individual source addresses does not help
Effects of DDoS
• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time
• Disruption of configuration information, such as routing information
• Disruption of state information, such as unsolicited resetting of TCP sessions
• Disruption of physical network components
• Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately
DDoS Prevention
• An effective defense against an HTTP flood can be the deployment of a reverse proxy (or a CDN/scrubbing service) in front of the application, which absorbs, rate-limits and filters requests before they reach the origin server
• Increase the capacity of the system, and bound what a single request or connection may consume (timeouts, request size limits, per-client connection limits)
• Load-balancing tools can distribute requests among many servers scattered across a wide geographical area
• A purely volumetric flood that saturates the uplink cannot be solved on the web server itself; it has to be filtered upstream by the network provider
Remote file inclusion
• A remote file inclusion (RFI) vulnerability lets an attacker make the application include a file of the attacker's choosing, often one hosted on a remote server, through the script's own include/require logic
• The vulnerability occurs when user-supplied input is used to build the file name or path without proper validation
This can lead to:
• Code execution on the web server
• Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
• Denial of service (DoS)
• Data theft/manipulation
Prevention
• Never pass user input to an include: map the parameter onto an allow-list of known files, and reject anything containing a URL scheme, a path separator, ".." or a null byte
• This type of attack can also be defended against at the .htaccess level (PHP flags set per directory) and by filtering the inputs
• Keep register_globals OFF (a PHP setting that was removed in PHP 5.4) and set allow_url_include = Off so that include() cannot load URLs at all
• Harden the server
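The allow-list resolution and the input filter from the first two bullets, as an added example (not from the slides) written in Python rather than PHP. The template directory, the page-to-file map and the sample request values are constructed assumptions; the unsafe variant returns the path it would include instead of opening it, so the block runs offline.

```python
import posixpath
from urllib.parse import urlparse

# Added example (not from the slides). Paths and page names are assumptions.
TEMPLATE_DIR = "/var/www/app/templates"
ALLOWED_PAGES = {
    "home": "home.html",
    "about": "about.html",
    "contact": "contact.html",
}


def resolve_include_unsafe(page):
    """Equivalent of include($_GET['page'] . '.html'): whatever the client
    sends becomes the include target, so a URL or a traversal string is
    accepted verbatim. The target is returned, not opened."""
    return page + ".html"


def looks_like_remote_or_traversal(value):
    """The slide's 'filtering the inputs': anything carrying a URL scheme or
    host, a path separator, '..' or a null byte is rejected outright."""
    try:
        parsed = urlparse(value)
    except ValueError:            # urlparse rejects some malformed hosts
        return True
    if parsed.scheme or parsed.netloc:
        return True
    return any(bad in value for bad in ("/", "\\", "..", "\x00"))


def resolve_include_safe(page):
    """Allow-list resolution: the parameter is a key, never a path. Returns
    the absolute file path, or None when the request must be refused."""
    if looks_like_remote_or_traversal(page):
        return None
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        return None
    path = posixpath.normpath(posixpath.join(TEMPLATE_DIR, filename))
    # Defence in depth: the result must still lie inside TEMPLATE_DIR even if
    # a bad entry is later added to ALLOWED_PAGES.
    if not path.startswith(TEMPLATE_DIR + "/"):
        return None
    return path


# Constructed request values: one legitimate, the rest hostile.
SAMPLE_REQUESTS = [
    "about",
    "http://evil.example/shell.txt",
    "//evil.example/shell.txt",
    "../../etc/passwd",
    "about\x00",
]


def classify(values):
    """Returns {request value: resolved path or None} for a batch of values."""
    return {v: resolve_include_safe(v) for v in values}


if __name__ == "__main__":
    for value, path in classify(SAMPLE_REQUESTS).items():
        print(repr(value), "->", path)
    print(resolve_include_unsafe("http://evil.example/shell.txt"))
```

The allow-list is the real fix; the character filter only adds a second, independent reason to refuse a request, which is useful when the map is maintained by hand.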
Man-in-the-middle attack
• A man-in-the-middle (MITM) attack is a type of cyberattack in which a malicious actor inserts themselves into a conversation between two parties, relaying and possibly altering the traffic while each side believes it is talking directly to the other
• A MITM attack exploits the real-time processing of transactions, conversations or transfers of other data
Prevention
• Use strong encryption between the client and the server: serve the whole site over TLS (HTTPS) with a certificate from a trusted CA, and redirect plain HTTP to HTTPS
• Have the server send a Strict-Transport-Security (HSTS) header so that browsers refuse to fall back to HTTP on later visits; this protects every visitor, not only those who installed a plug-in
• On the client side, a browser plug-in such as HTTPS Everywhere or ForceTLS can force HTTPS where the server offers it, but it only helps the users who run it
Server Hardening
• Shut down unused services
• Hide services with port knocking. Example:
– The web server service is public
– SFTP and SSH services are hidden behind a knock sequence
• Use one-time passwords for administrative logins, generated by a password/OTP generator rather than reusing static passwords
Restrict resources to avoid DoS attacks
• Change the default TimeOut
• Restrict HTTP requests (size and number)
Restrict access to web resources
• Often resources are not meant to be accessible to everyone
• htaccess is a simple mechanism for access protection
• htaccess is activated by placing a file named .htaccess in the protected directory (or in one above it)
Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
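The two measures on this slide as Apache httpd directives, added here as an example configuration that is not taken from the slides or the linked how-to. The numeric limits and the file locations are assumptions to be tuned for the site; the directive names and the defaults quoted in the comments are those documented for httpd 2.4.

```apache
# httpd.conf, server context (added example; values are assumptions)

# Seconds to wait for a read or write on a connection before giving up.
# The httpd 2.4 default is 60.
Timeout 30
# Idle time a keep-alive connection may hold a worker.
KeepAliveTimeout 5
# Bound the size of a request so one client cannot tie up memory.
LimitRequestLine 8190
LimitRequestFields 100
LimitRequestFieldSize 8190
# 10 MiB; the default of 0 means unlimited.
LimitRequestBody 10485760
# mod_reqtimeout: headers must arrive within 20 s (up to 40 s while the
# client keeps sending at 500 bytes/s) and the body at that minimum rate.
# This is what defeats slow-request floods that open many idle connections.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# .htaccess placed in the protected directory (the server config must
# permit it with "AllowOverride AuthConfig" for that directory)
AuthType Basic
AuthName "Restricted area"
# Keep the password file outside the document root. Create it with:
#   htpasswd -c /etc/apache2/.htpasswd alice
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
```

Basic authentication sends the password base64-encoded with every request, so the protected directory must only be reachable over HTTPS. Note also that Apache does not accept comments on the same line as a directive; they have to be on their own lines as above.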
Hide our information
Linux Systems Monitoring Cycle
OWASP
• The Open Web Application Security Project is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world
• https://www.owasp.org/