Uniface Web Application Security
Download as PPTX, PDF1 like1,686 views
The document discusses web application security, focusing on common threats such as password cracking, interpreter injection, and session hijacking. It emphasizes the importance of proactive security measures, including proper authentication, authorization, and the use of tools to enhance security. Additionally, it highlights the significance of security audits and regular testing to mitigate vulnerabilities, such as those related to OpenSSL.
Uniface Web Application Security
- 1. WEB APPLICATION SECURITY James Rodger Solution Consultant 30/04/2014
- 2. Agenda Introduction Client Server vs. Web Security Areas Threats • Password Cracking • Interpreter Injection • Session Hijacking
- 3. Why Bother? Internet facing web applications Internal web applications Increasingly a developer role Good tooling helps improve security
- 4. Introduction Huge topic Taking a developer point of view Looking at Uniface based solutions Example code
- 5. Client Server vs. Web Stateless No control over client Network is part of the application
- 6. Overview
- 7. Security Areas Some areas we need to consider: Authentication Authorisation Browser Security Session Management Data I/O Configuration and Deployment
- 8. Threats Password Cracking Interpreter Injection • SQL Injection • JavaScript Injection • Parameter Manipulation Session Hijacking
- 9. Password Cracking These attacks include techniques like: Brute forcing the login page (remotely) Brute forcing the database with common passwords Brute forcing the database with rainbow tables
- 10. Brute Force Simply trying a lot of passwords at a login page Basic protection include: Throttling login requests Logging failed attempts: • Locking out accounts • Issuing a CAPTCHA Password policies
- 11. Cracking Hashed Passwords Attacker has access to the user database Plain text passwords make abuse trivial Passwords should be properly hashed
- 15. Threats Password Cracking Interpreter Injection • SQL Injection • JavaScript Injection • Parameter Manipulation Session Hijacking
- 16. Interpreter Injection These attacks include techniques like: SQL Injection JavaScript Injection Parameter Manipulation
- 17. SQL Injection ID: 1 Date of Birth: 23-feb-1982 Name: Robert INSERT INTO students VALUES (1, ‘23-feb-1982', ‘Robert');
- 19. SQL Injection ID: 2 Date of Birth: 13-Nov-1973 Name: Robert'); DROP TABLE students;-- INSERT INTO students VALUES (1, ‘23-feb-1982', ‘Robert'); DROP TABLE students; --’);
- 20. JavaScript Injection Getting a browser to execute unintended JS Usually injected where user input is allowed Malicious code runs for anyone visiting the page The code appears to have come from the application
- 22. Parameter Manipulation User has control of the browser JavaScript based validation can be bypassed Requests can be sent at any time to: • Any Public Web operation • Any Public Trigger
- 24. Uniface SQL Injection • Database drivers prevent SQL injection JavaScript Injection • Widgets correctly escape HTML • Any Public Web operation • Any Public Trigger Parameter Manipulation • Model definitions used for validation at each step • Read-only field handling • Public web / Public trigger • Standard triggers
- 25. Threats Password Cracking Interpreter Injection • SQL Injection • JavaScript Injection • Parameter Manipulation Session Hijacking
- 26. Session Hijacking These attacks include techniques like: Session Fixation Session Sidejacking Physical Access
- 28. Uniface Tomcat session handling • $webinfo(“SESSIONCOMMANDS”) • $webinfo(“WEBSERVERCONTEXT”) HTTP only cookies by default
- 29. Summary Security needs to be designed in Good tooling helps improve security What else? • Security audits • Vericode – regular security testing
- 30. Heartbleed Uniface uses OpenSSL 9.5 / 9.6 vulnerable if using SSL Patches out now • Uniface 9.5 – E123s • Uniface 9.6 – X402s Tomcat version shipped with Uniface is safe • Changed Tomcat version? • Using different servlet engine? More information at unifaceinfo.com
- 31. Questions If you have any questions, or feedback about this session, please send an email to ask.uniface@uniface.com