Security of Web Servers and Web Applications

Presentation for Software Freedom Kosova Conference 2011
Published in: Education, Technology
Slide notes (dated 2/3/2011)
  • Darmstadt University of Technology
  • http://www.youtube.com/watch?v=9WfXPsR3TMY
    http://gazetaexpress.com/?cid=1%2C16%2C62759
    http://www.gazetaexpress.com/?cid=1%2C13%2C57939
    http://www.panorama.com.al/lajmi-i-fundit/yerja-ndaj-shqiptareve-veper-e-nje-hakeri-serb
    http://articles.cnn.com/2011-07-04/tech/fox.hack_1_tweets-twitter-feed-twitter-users?_s=PM:TECH
  • *Sympathizers *Think of the people who read this and are so happy about it that they could get some kind of heart attack!!! If you look at these closely, they could even cause health damage….. imagine someone's heart giving out from joy…..
  • OK, here it seems there was no problem with web security / web server security; rather, the password can be stolen through a phishing attack….. but what matters is the effect, which would have a very big impact if we do not give importance to security…
  • http://www.h-online.com/security/news/item/Hackers-breached-Citibank-security-using-simple-URL-manipulation-Update-1260964.html
    http://www.h-online.com/security/news/item/Citibank-customers-lost-2-7-million-in-recent-attack-1268302.html
    *Security has an impact in every direction
  • Defenses
  • http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf
    http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml
    BSI = Bundesamt für Sicherheit in der Informationstechnik
  • One-time passwords
  • LimitRequestBody can be unlimited (in practice up to 2 GB!)
  • Question: Do you see any possible attacks??? A: Yes, because HTTP is used and not HTTPS/SSL
  • Transcript

    1. IT-Security: Security of Web Servers and Web Applications (Software Freedom Kosova 2011)
    2. Who's Talking?
       • Amir Neziri
         • lives and works in Germany
       • Double Degree in Master of Science:
         • Master in Computer Science
         • and Master in IT-Security from TU-Darmstadt/Germany
         • Currently I'm writing my Master Thesis about Data Security in Cloud Services
       • Profession: Software Engineer, Consultant for Web and Software Security
       • http://www.linkedin.com/in/amirneziri
       • https://www.xing.com/profile/Amir_Neziri
       11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications | Amir Neziri
    3. Security of Web Servers and Web Applications
       • Why is it so important today?
    4. Motivation – Political Damage
    5. Motivation – Political Damage
    6. … another shocking news
    7. … another shocking news
    8. Motivation – Political Damage
    9. Motivation – Economic Damage
    10. Motivation – Economic Damage
    11. So….
       • Are we lost now???? NO!
    12. Agenda
       • Components and Architecture
       • Security Attacks
       • Defenses
         • Securing (Web) Server
         • Securing Web Applications
       • Take home message
    13. Components & Architecture
    14. Security Attacks
    15. Security Attacks
    16. Security Attacks
    17. Security Attacks
    18. Security Attacks
    19. Security Attacks
    20. Defenses
       Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
    21. Securing the operating system
       • Variety of possible sources of information
         • Federal Office for Information Security (BSI, Germany)
           • Server Security
             • https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b03/b03.html
           • IT-Security Catalog
         • National Security Agency (NSA, USA)
           • Recommendations and guidelines for installation and configuration of operating systems with a focus on security
    22. Security is a Process
    23. Example: Linux Systems
    24. Example: Linux Systems
    25. Linux Systems - Installation
       • Installation from CD
         • Authentic source
         • Contains no updates
       • Installation from network
         • An authentic and trustworthy source is needed
       • Minimal functionality
         • Example: server systems do not need a GUI
         • Example web server installation:
           • Web server, Secure Shell, Secure File Transfer
       • ATTENTION: Do not use insecure protocols like FTP
    26. Example: Linux Systems
    27. Linux Systems - Configuration
       • Get all running services
         • nmap localhost or
         • netstat -lnp --ip
         • netstat -lnp --inet6
    28. Linux Systems - Configuration
       • Shut down unused services
       • Hide services with port knocking
         • Example:
           • Web server service is public
           • hide SFTP and SSH services
       • Use one-time passwords by generating them with password generators
    29. Example: Linux Systems
    30. Linux Systems – Maintenance / Updates
       • Always update the installed software
       • Debian/Ubuntu
         • apt-get update && apt-get upgrade or
         • apt-get update && apt-get dist-upgrade
       • IMPORTANT: The kernel should always be up-to-date
    31. Example: Linux Systems
    32. Linux Systems - Monitoring
       • File system integrity checker
       • Open source tool for checking integrity: Tripwire
         • http://www.tripwire.org/
         • http://sourceforge.net/projects/tripwire/
       • Analyze log files
         • Authentication errors / problems: /var/log/auth.log
         • Web access and errors: /var/log/apache2/*.log
    33. Linux Systems - Monitoring
       • Automated fraud detection
         • Example: sshguard (http://www.sshguard.net/)
       • SSH-Guard
         • Analyzes log files of SSH services
         • Detects attack attempts and blocks the attacker temporarily (by setting firewall rules)
    34. Securing Web-Server – Main Steps
       • User/group settings for web server processes
       • File system settings
       • Permissions for executable software
         • Nobody except root should write into the binary folders of Apache
       • Reduce functions to your needs
         • Apache can be extended with modules, e.g. mod_cgi, mod_ssl…
       • Suppress fingerprinting
    35. Securing Web-Server – Main Steps
       • Restrict used hardware resources to avoid DoS attacks
         • Change the default TimeOut
         • Restrict HTTP requests
       • Restrict access to web resources
         • Often resources should not be accessible to everyone
         • htaccess is a simple mechanism for access protection
         • htaccess is activated by placing a .htaccess file in the protected directory (or in one above it)
       Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
    36. Access Control - .htaccess
       • Simple Example
       • Site configuration controls the use of .htaccess files:
         • AllowOverride None: .htaccess is ignored
         • AllowOverride All: .htaccess may override (almost) all global settings
    37. Access Control
       • Structure of the password file:
         • UserName:Hash
         • Example: myUser:GxkVrKPk8WSbM
         • Default hash function: crypt
         • Created by the tool htpasswd
         • Transfer of password:
           • As HTTP header "Authorization"
           • UserName:Password Base64 encoded
           • Example: Authorization: Basic d2lraTpwZWRpYQ==
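The password file and the Authorization header from slide 37, worked through as an added example (this is not code from the deck or from Apache): it decodes the slide's `Authorization: Basic d2lraTpwZWRpYQ==` header, which makes the point that Base64 hides nothing on plain HTTP, and verifies the decoded credentials the way the server side must, against a constructed htpasswd file. The file uses the `{SHA}` entry format that `htpasswd -s` writes; the slide's crypt entry is carried as data but not verified, since Python 3.13 dropped the `crypt` module, and all function names here are my own.

```python
import base64
import binascii
import hashlib
import hmac

def sha_entry(user, password):
    """Build a UserName:{SHA}... line the way `htpasswd -s` does (base64 of SHA-1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"

# Constructed htpasswd file for this demo. The slide's crypt(3) entry is kept as data
# but is not verified here (Python 3.13 dropped the crypt module), so it fails closed.
HTPASSWD = "\n".join([
    sha_entry("wiki", "pedia"),      # same credentials as the slide's example header
    "# comments and blank lines are ignored",
    "",
    "myUser:GxkVrKPk8WSbM",          # crypt(3) entry copied from the slide
])

def encode_basic_header(user, password):
    """What the client sends: 'Basic ' + base64('user:password')."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic_header(header):
    """Reverse the encoding: (user, password) or None if malformed. Base64 is not
    encryption, so on plain HTTP anyone on the path reads both; hence HTTPS."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")  # the password may itself contain ':'
    return (user, password) if sep else None

def load_htpasswd(text):
    users = {}  # UserName -> stored hash; comments and blank lines are skipped
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            user, _, stored = line.partition(":")
            users[user] = stored
    return users

def check_password(stored, password):
    """Verify one stored hash with a constant-time compare on the encoded form."""
    if stored.startswith("{SHA}"):
        candidate = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
        return hmac.compare_digest(stored[5:], candidate)
    return False  # crypt(3), MD5-apr1 and bcrypt entries: not implemented, fail closed

def authorize(header, htpasswd_text=HTPASSWD):
    # Server side of Basic auth: decode the header, look up the user, verify the hash.
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    stored = load_htpasswd(htpasswd_text).get(user)
    return stored is not None and check_password(stored, password)
```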
    38. Web Application Security
       • Various sources of information
         • OWASP Top 10
           • The Open Web Application Security Project
         • CWE/SANS Top 25
           • Common Weakness Enumeration
         • Exploit databases
           • http://www.exploit-db.com/webapps/
    39. www.exploit-db.com/webapps/
    40. Web Application Security
       • 2011 CWE/SANS
         • Top 25 Most Dangerous Software Errors
       Source: http://cwe.mitre.org/top25/
    41. Web Application Security
       • Buffer overflows: statistics
         • Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)
       Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
    42. Web Application Security
       • 2010 OWASP Top 10
       Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    43. Web Application Security - BackTrack
       • Operating system based on Ubuntu
       • Penetration testing and digital forensics
       • Available as Live CD or USB
       Source: http://www.backtrack-linux.org/screenshots/
    44. Web Application Security - BackTrack
       • BackTrack arranges tools into 12 categories:
         • Information Gathering
         • Vulnerability Assessment
         • Exploitation Tools
         • Privilege Escalation
         • Maintaining Access
         • Reverse Engineering
         • RFID Tools
         • Stress Testing
         • Forensics
         • Reporting Tools
         • Services
         • Miscellaneous
    45. Take Home Message
       • Web security is very important for everyone (e.g. e-banking…)
       • Server security information sources
         • Federal Office for Information Security (BSI, Germany)
         • National Security Agency (NSA, USA)
       • Web application security information sources
         • The Open Web Application Security Project (OWASP) Top 10
         • CWE/SANS Top 25
         • Exploit databases
       • Security tool: BackTrack
    46. Questions???
