SlideShare a Scribd company logo

Web Security Terms such as what is a WAF, Access Control, Output Encoding .pptx

Download as PPTX, PDF
Y
Your Study_Buddy

The document discusses web application firewalls (WAFs) that protect web applications by blocking malicious traffic and are distinct from traditional firewalls. It highlights the use of tools like Nikto for vulnerability scanning and emphasizes the importance of secure coding practices, including input validation and session management, to enhance application security. Additionally, it warns against common security oversights, such as revealing sensitive information in error messages and the risks associated with referer header leakage.

Technology
Related topics:
Web Security Overview
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Web Security Terms
Web Application Firewalls Essentially bouncers to a web application Do not need the source code to your application A firewall secures the entire network and the WAF secures just the application WAF blocks traffic WAF are placed before application and servers WAFS can help against XSS and DDOS attacks WAFS are on layer 7 (application layer)
What is a Blocklist A web application firewall uses a blocklist to block possible malicious payloads
So how do we bypass a web application firewall ? ● One technique is mangling and mutating the code
Nikto background data for lab 10 ● Nikto is a web vulnerability scanner ● Say nikto –help to find out what commands you can use ! ● Nikto works on any web server or website ● How to specify the host and port ● nikto -h 192.168.1.108 -p 80 -o filenamehere -F txt ● -F indicates the file type (38) Nikto Web Vulnerability Scanner - Web Penetration Testing - #1 - YouTube
Nikto is very easily picked up by security so you should be careful if you are doing something bad…. Which you shouldn’t be.
Tip Nikto can show what our application version is and then people can look up how to exploit what your website is powered by….
Oh look we have put commands meaning we can probably upload some malicious malware And hey! Look! There’s a default account we can sign in with….
Secure development ● Developing your applications securely will help you be a great developer but it’s usually not just your security ● Secure coding is not perfectly integrates (there isn’t really a standard yet) ● Startups do not have security teams usually so its important to try and learn a bit about security
Input Validation Concerns incoming (untrusted) data to the application All validation should be made through trusted systems=> don’t do validation on the client side, do it on the server There should be a centralized input validation routine
Output encoding ● A defensive way to stop injection attacks ● Best applied just before content is passed to the target interpreter ● Output encoding should be done unless you know the code is safe ● One library that does this is DOM purify but it even still has vulnerabilities ● Alphanumeric characters won’t be risky lol
Session management ● Happens when user logs in and supplies authentication ● A session ID is generated for the user for a period of time ● This is a cookie, form field or URL Session cookie ● Has temporary data and deleted after session or the web browser is closed ● Tracks clients movements in website ● Has an expiration date SESSION INACTIVITY SHOULD ALWAYS BE IMPLEMENTED FOR OPTIMAL SECURITY
Access control ● Used sessions ● Do not trust anything from the client ● Cookies should be validated and created on your own server ● Single site wide component to authorize ● Enforce authorization controls on every request
● Avoid using random open source stuff ● Use the apis for the specific application you are using
Handling and logging Do not have sensitive info in error responses Error occurs = error message details in burp and then hackers have fun
Data protection
Referer header leakage Referer header can let other sites know where you came from which is not good, some older browsers still have this issue

More Related Content

PDF
Cyber security webinar 6 - How to build systems that resist attacks?
F-Secure Corporation
 
PDF
Best Practices for Developing Secure Web Applications
ScalaCode
 
PPTX
So Your Company Hired A Pentester
NorthBayWeb
 
PDF
00 Introduction for sangfor more important
shalehgaul1
 
PPTX
Owasp Proactive Controls for Web developer
Sameer Paradia
 
PPTX
Create code confidence for better application security
Rogue Wave Software
 
PDF
Secure coding guidelines
Zakaria SMAHI
 
PDF
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 
Cyber security webinar 6 - How to build systems that resist attacks?
F-Secure Corporation
 
Best Practices for Developing Secure Web Applications
ScalaCode
 
So Your Company Hired A Pentester
NorthBayWeb
 
00 Introduction for sangfor more important
shalehgaul1
 
Owasp Proactive Controls for Web developer
Sameer Paradia
 
Create code confidence for better application security
Rogue Wave Software
 
Secure coding guidelines
Zakaria SMAHI
 
Web Security: What's wrong, and how the bad guys can break your website
Andrew Sorensen
 

Similar to Web Security Terms such as what is a WAF, Access Control, Output Encoding .pptx (20)

PPTX
Owasp top 10 2017
ibrahimumer2
 
PDF
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
PPTX
Measures to ensure Cyber Security in a serverless environment
Fibonalabs
 
PPT
Benefits of web application firewalls
EnclaveSecurity
 
ODP
CISSP Week 14
jemtallon
 
PPTX
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
PPT
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
PPTX
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 
PPTX
Securing against data theft against Vulnerable dependency
Jagdsh L K Chand
 
PPTX
Cyber ppt
karthik menon
 
PPT
Web Apps Security
Victor Bucutea
 
PDF
SSL VPN Evaluation Guide
Array Networks
 
PPTX
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
PDF
Truetesters presents OWASP Top 10 Web Vulnerability
TrueTesters
 
PDF
Using Analyzers to Resolve Security Problems
kiansahafi
 
PDF
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
PPTX
Cm9 secure code_training_1day_input sanitization
dcervigni
 
PDF
Application Security - Your Success Depends on it
WSO2
 
PDF
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
PDF
9 Writing Secure Android Applications
Sam Bowne
 
Owasp top 10 2017
ibrahimumer2
 
Hacking Vulnerable Websites to Bypass Firewalls
Netsparker
 
Measures to ensure Cyber Security in a serverless environment
Fibonalabs
 
Benefits of web application firewalls
EnclaveSecurity
 
CISSP Week 14
jemtallon
 
VAPT_FINAL SLIDES.pptx
karthikvcyber
 
2009: Securing Applications With Web Application Firewalls and Vulnerability ...
Neil Matatall
 
Tune in for the Ultimate WAF Torture Test: Bots Attack!
Distil Networks
 
Securing against data theft against Vulnerable dependency
Jagdsh L K Chand
 
Cyber ppt
karthik menon
 
Web Apps Security
Victor Bucutea
 
SSL VPN Evaluation Guide
Array Networks
 
Outpost24 webinar - Demystifying Web Application Security with Attack Surface...
Outpost24
 
Truetesters presents OWASP Top 10 Web Vulnerability
TrueTesters
 
Using Analyzers to Resolve Security Problems
kiansahafi
 
Top 5 best practice for delivering secure in-vehicle software
Rogue Wave Software
 
Cm9 secure code_training_1day_input sanitization
dcervigni
 
Application Security - Your Success Depends on it
WSO2
 
Web Application Penetration Testing Course in 2025.pdf
daksh908982
 
9 Writing Secure Android Applications
Sam Bowne
 
Ad

More from Your Study_Buddy (7)

PPTX
OWASP Juice Shop Reference: How to set up OWASP Juice Shop (reference ONLY)
Your Study_Buddy
 
PPTX
Learn what Bitcoin and Blockchain is for beginners
Your Study_Buddy
 
PDF
What is Angular and some of the terms used
Your Study_Buddy
 
PDF
React Interview Questions for Noobs or Juniors
Your Study_Buddy
 
PPTX
How to use Burpe Suite Intruder for beginner
Your Study_Buddy
 
PPTX
Web Security: Working with burpe suite for beginners
Your Study_Buddy
 
PPTX
Beginner: Types of Operating Systems and Attacks in Web Security
Your Study_Buddy
 
OWASP Juice Shop Reference: How to set up OWASP Juice Shop (reference ONLY)
Your Study_Buddy
 
Learn what Bitcoin and Blockchain is for beginners
Your Study_Buddy
 
What is Angular and some of the terms used
Your Study_Buddy
 
React Interview Questions for Noobs or Juniors
Your Study_Buddy
 
How to use Burpe Suite Intruder for beginner
Your Study_Buddy
 
Web Security: Working with burpe suite for beginners
Your Study_Buddy
 
Beginner: Types of Operating Systems and Attacks in Web Security
Your Study_Buddy
 
Ad

Recently uploaded (20)

PDF
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
PDF
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PPTX
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
PDF
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
7 ChatGPT Prompts to Help You Define Your Ideal Customer Profile.pdf
SOFTTECHHUB
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Unlocking AI with Model Context Protocol (MCP)
Brian McKeiver
 
cuic standard and advanced reporting.pdf
SimoneTitaniumTomase
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
sap open course for s4hana steps from ECC to s4
sreeni2106invites
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
MYSQL Presentation for SQL database connectivity
Swati270511
 
NewMind AI Weekly Chronicles - August'25 Week I
NewMind AI
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
ReZa AdineH
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 

Web Security Terms such as what is a WAF, Access Control, Output Encoding .pptx

  • 2. Web Application Firewalls Essentially bouncers to a web application Do not need the source code to your application A firewall secures the entire network and the WAF secures just the application WAF blocks traffic WAF are placed before application and servers WAFS can help against XSS and DDOS attacks WAFS are on layer 7 (application layer)
  • 3. What is a Blocklist A web application firewall uses a blocklist to block possible malicious payloads
  • 4. So how do we bypass a web application firewall ? ● One technique is mangling and mutating the code
  • 5. Nikto background data for lab 10 ● Nikto is a web vulnerability scanner ● Say nikto –help to find out what commands you can use ! ● Nikto works on any web server or website ● How to specify the host and port ● nikto -h 192.168.1.108 -p 80 -o filenamehere -F txt ● -F indicates the file type (38) Nikto Web Vulnerability Scanner - Web Penetration Testing - #1 - YouTube
  • 6. Nikto is very easily picked up by security so you should be careful if you are doing something bad…. Which you shouldn’t be.
  • 7. Tip Nikto can show what our application version is and then people can look up how to exploit what your website is powered by….
  • 8. Oh look we have put commands meaning we can probably upload some malicious malware And hey! Look! There’s a default account we can sign in with….
  • 9. Secure development ● Developing your applications securely will help you be a great developer but it’s usually not just your security ● Secure coding is not perfectly integrates (there isn’t really a standard yet) ● Startups do not have security teams usually so its important to try and learn a bit about security
  • 10. Input Validation Concerns incoming (untrusted) data to the application All validation should be made through trusted systems=> don’t do validation on the client side, do it on the server There should be a centralized input validation routine
  • 11. Output encoding ● A defensive way to stop injection attacks ● Best applied just before content is passed to the target interpreter ● Output encoding should be done unless you know the code is safe ● One library that does this is DOM purify but it even still has vulnerabilities ● Alphanumeric characters won’t be risky lol
  • 12. Session management ● Happens when user logs in and supplies authentication ● A session ID is generated for the user for a period of time ● This is a cookie, form field or URL Session cookie ● Has temporary data and deleted after session or the web browser is closed ● Tracks clients movements in website ● Has an expiration date SESSION INACTIVITY SHOULD ALWAYS BE IMPLEMENTED FOR OPTIMAL SECURITY
  • 13. Access control ● Used sessions ● Do not trust anything from the client ● Cookies should be validated and created on your own server ● Single site wide component to authorize ● Enforce authorization controls on every request
  • 14. ● Avoid using random open source stuff ● Use the apis for the specific application you are using
  • 15. Handling and logging Do not have sensitive info in error responses Error occurs = error message details in burp and then hackers have fun
  • 17. Referer header leakage Referer header can let other sites know where you came from which is not good, some older browsers still have this issue