Basics of Web Application Security
Presented by: Sudip Pudasaini
Date: 14th Oct, 2015
Objectives
- Introduction to Web Application Security
- History of Security Flaws
- Vulnerabilities in Web Applications
- Introduction to OWASP
- OWASP Top Ten 2010 & 2013
- Security Testing Taxonomy
- Benefits of Security Testing
- Q & A
Web Application Security
Overview:
- What is Web Application Security?
- Network Security & Web Security
- Why are web application firewalls not a complete web application security solution?
- How to secure websites and web applications
Web Application Security
- Information Security
- Security of websites, web applications and web services
- Network Security
Web Application Security
Network Security:
- Build perimeter defenses
- Block unwanted traffic and activities
- Allow legitimate traffic in
Web Security:
- Allow port 80 and port 443 traffic in
- Hope everyone plays by the rules
Web Application Security
- Why are web application firewalls not a complete web application security solution?
  - A firewall does not analyze request parameters and traffic.
  - A firewall does not check for vulnerabilities in the web application.
  - A firewall won't fix security holes in web applications.
  - A firewall is not itself immune to attacks.
- But what does a WAF do?
  - Analyzes incoming web traffic.
  - Allows legitimate traffic only.
  - Delays attacks.
  - A WAF was bypassed in 2009 by OWASP.
Web Application Security
How to secure a web application?
- Train developers to write secure code.
- Developers should be able to check their applications for security issues.
- Thorough application testing.
- Once online, a web application still needs to be checked constantly for vulnerabilities.
- But constant checking can be a lengthy and expensive process.
- Manual testing tends to miss inputs and parameters.
Vulnerabilities on Web App
- Title – Short but explicit description of the feature.
- Narrative – A short narrative describing the who, what and why of the feature. User story syntax is common: "In order to add entries, as a user, I can add an entry."
- Scenario – Descriptions of specific cases for the narrative, with the following:
  - An initial condition that is true.
  - The expected outcomes.
  - Use the Given, When, and Then identifiers.
History of Security Threats
- 1943: French computer expert Rene Carmille hacked punched cards.
- 1979: The first computer worm is created at Xerox's Palo Alto Research Center.
- 2001: The Code Red worm causes $2 billion in damage by infecting Microsoft Windows NT and 2000 server software.
- 2007: The Storm worm (actually a Trojan) is sent to unsuspecting individuals via email.
- 2009: The Conficker (Downadup/Kido) worm, best known for stealing technical data and passwords from web servers.
- 2011: The Ramnit virus is used to steal over 45,000 passwords on Facebook.
OWASP
Open Web Application Security Project
Founded: December 2, 2001
Founders: Mark Curphey, Dennis Groves
Not-for-profit charitable organization in the US
Open community
Core Values:
- OPEN: Everything at OWASP is radically transparent, from our finances to our code.
- INNOVATION: OWASP encourages and supports innovation and experiments for solutions to software security challenges.
- GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
- INTEGRITY: OWASP is an honest and truthful, vendor-neutral, global community.
OWASP Top 10 2013
A1 - Injection
The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
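The slide's point in working code, as an added example that is not part of the original deck: the same user lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table with constructed sample data so the difference in what the interpreter executes is visible.

```python
# Added example (not from the slides): one lookup written two ways against an
# in-memory SQLite table holding constructed sample rows.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Hostile data becomes part of the SQL text itself: the interpreter cannot
    tell where the developer's statement ends and the user's input begins."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The statement is fixed; the input is bound as a value, so it can only be
    compared against the name column and is never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed hostile input: a tautology that turns a one-row lookup into
# "return every row" when it is spliced into the statement text.
HOSTILE = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, HOSTILE))     # both rows, including the admin
    print(lookup_parameterized(db, HOSTILE))  # [] - nobody is literally named that
```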
A2 – Broken Authentication & Session Management
- User authentication credentials aren’t protected when stored using hashing or encryption.
- Credentials can be guessed or overwritten.
- Session IDs are exposed in the URL (e.g., URL rewriting).
- Session IDs aren’t rotated after successful login.
- Passwords, session IDs, and other credentials are sent over unencrypted connections.
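Three of the A2 items above (credential storage, session ID rotation at login, and keeping the ID off unencrypted connections) as an added example that is not from the deck; the PBKDF2 round count and the cookie attributes are assumptions chosen for illustration, and the session store is a plain in-memory dictionary.

```python
# Added example (not from the slides): salted password hashing, session ID
# rotation on login, and a cookie that keeps the ID off plaintext connections.
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for this example


def hash_password(password: str):
    """Store a random per-user salt and a slow salted hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


class SessionStore:
    """Server-side sessions keyed by an unguessable ID carried in a cookie,
    never in the URL (where it would leak via logs, history and Referer)."""

    def __init__(self):
        self._sessions = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid: str, user: str) -> str:
        """Rotate the ID at the privilege change: an ID that was observed or
        planted before login no longer refers to the authenticated session."""
        data = self._sessions.pop(old_sid, {"user": None})
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def user_for(self, sid: str):
        return self._sessions.get(sid, {}).get("user")


def cookie_header(sid: str) -> str:
    """Secure keeps the ID off unencrypted connections; HttpOnly keeps it away
    from page scripts (cf. A3); SameSite limits cross-site sending (cf. A8)."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
```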
A3 – Cross Site Scripting
- XSS is the most prevalent web application security flaw.
- Attacker sends text-based attack scripts that exploit the interpreter in the browser.
Impact:
- Attackers can execute scripts in a victim’s browser to hijack user sessions, deface web sites, insert hostile content, redirect users, hijack the user’s browser using malware, etc.
e.g. <script>alert(document.cookie);</script>
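The slide's payload rendered into a page with and without output encoding, as an added example that is not from the deck: the vulnerable renderer hands the browser's HTML interpreter a real script element, the escaped one hands it inert text. The comment markup, the attribute context and the CSP value are assumptions for illustration.

```python
# Added example (not from the slides): context-appropriate escaping of
# untrusted text, checked against the payload shown on the slide.
import html

PAYLOAD = "<script>alert(document.cookie);</script>"  # the slide's example


def render_comment_vulnerable(comment: str) -> str:
    """Untrusted text pasted straight into the markup: the browser's HTML
    interpreter sees a <script> element and executes it."""
    return '<p class="comment">' + comment + "</p>"


def render_comment(comment: str) -> str:
    """HTML text context: < > & become entities, so the browser displays the
    characters instead of parsing them as markup."""
    return '<p class="comment">' + html.escape(comment) + "</p>"


def render_title_attr(title: str) -> str:
    """Attribute context additionally needs quotes escaped (quote=True is the
    default), otherwise a quote in the value closes the attribute early."""
    return '<a title="' + html.escape(title, quote=True) + '">link</a>'


def csp_header() -> str:
    """Defense in depth: a policy that refuses inline scripts limits what an
    injected <script> block can do if an escaping bug slips through."""
    return "Content-Security-Policy: default-src 'self'; script-src 'self'"
```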
A4 – Direct Object Reference
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
A5 – Security Misconfiguration
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform.
- Is any of your software out of date? This includes the OS, web/app server, DBMS, applications, and all code libraries, etc.
- Are any unnecessary features enabled or installed (e.g., ports, services, pages, accounts, privileges)?
- Are default accounts and their passwords still enabled and unchanged?
A6 – Sensitive Data Exposure
- Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials.
- Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
- The most common flaw is simply not encrypting sensitive data.
- Are any old / weak cryptographic algorithms used?
A7 – Missing Function Level Access Control
- Are server side authentication or authorization checks missing?
- Anyone with network access can send your application a request.
- The attacker simply force browses to target URLs:
  http://example.com/app/getappInfo
  http://example.com/app/admin_getappInfo
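A server-side dispatcher covering both authorization slides (A4 and A7), as an added example that is not from the deck: every route must appear in a role allowlist, so the admin URL above is refused to a non-admin even if they type it directly, and a record looked up by its direct ID is only returned after an ownership check. The users, roles and records are constructed sample data, and the `/app/record` route is an assumption added to show the A4 case.

```python
# Added example (not from the slides): function-level (A7) and object-level
# (A4) authorization enforced on the server, denying by default.
from dataclasses import dataclass


@dataclass
class Request:
    user: str          # principal already authenticated server-side
    path: str
    record_id: int = 0


USERS = {"alice": "admin", "bob": "user"}                 # constructed
RECORDS = {1: {"owner": "bob", "data": "bob's info"},     # constructed
           2: {"owner": "carol", "data": "carol's info"}}

# Function-level policy: a route must be listed with the roles allowed to call
# it. A route missing here is denied, so a forgotten check fails closed.
ROUTE_ROLES = {
    "/app/getappInfo": {"user", "admin"},
    "/app/admin_getappInfo": {"admin"},
    "/app/record": {"user", "admin"},   # assumed route for the A4 case
}


def handle(req: Request) -> tuple:
    role = USERS.get(req.user)
    if role not in ROUTE_ROLES.get(req.path, set()):
        return 403, "forbidden"   # checked on every request, not just in the UI
    if req.path == "/app/record":
        rec = RECORDS.get(req.record_id)
        # A4: the ID is a direct reference the client chose; the server must
        # still prove this caller may see that record rather than trust the ID.
        if rec is None or (rec["owner"] != req.user and role != "admin"):
            return 404, "not found"  # same answer for missing and foreign records
        return 200, rec["data"]
    return 200, f"{req.path} for {req.user}"
```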
A8 - CSRF
Cross Site Request Forgery
- Attacker creates forged HTTP requests and tricks a victim into submitting them via image tags, XSS, or numerous other techniques.
- Attackers can trick victims into performing undesired operations, e.g., updating account details, making purchases, etc.
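The standard defense for the forged-request problem above, a per-session synchronizer token, as an added example that is not from the deck: the victim's browser attaches the session cookie to a forged request automatically, but the attacker's page cannot read the token the server expects alongside it. The account-update handler and form field names are assumptions for illustration.

```python
# Added example (not from the slides): a per-session CSRF token checked
# before any state-changing operation is performed.
import hmac
import secrets


class CsrfProtection:
    def __init__(self):
        self._tokens = {}  # session id -> token, kept server-side

    def issue(self, session_id: str) -> str:
        """One token per session, embedded in every state-changing form as a
        hidden field (or sent in a custom header by script-driven requests)."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison; the token is bound to this session only.
        return hmac.compare_digest(expected.encode(), str(submitted).encode())


def update_account(csrf: CsrfProtection, session_id: str, form: dict) -> tuple:
    """State-changing handler: reject the request before touching any data."""
    if not csrf.verify(session_id, form.get("csrf_token")):
        return 403, "csrf token missing or invalid"
    return 200, f"email set to {form['email']}"


def hidden_field(token: str) -> str:
    """token_urlsafe output is plain ASCII, so it is safe inside the attribute."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'
```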
Security Testing Taxonomy
Benefits of Security Testing
1) Vulnerability Coverage
2) Code Coverage
3) Instant Feedback
4) Quality of Service
5) Manage Risk Properly
6) Increase Business Continuity
7) Minimize Attacks
Q & A
- Any
Thank You!
Have a Wonderful Day