Web application security: Threats & Countermeasures
Published in: Technology
Speaker notes
  • Disable remote connection
  • Network: router, firewall, switch (protocols and ports). Host: OS, app platform, DB services, web server, app server. App: validation, AAA, exception management
  • Transcript

    • 1. Aung Thu Rha Hein(g5536871)
    • 2. Agenda
      • Fundamentals: Principles, Practices, Three-Tiered Approach
      • Threats & Countermeasures: Anatomy of web attacks; Threat categories (STRIDE; Network, Host and Application threats & countermeasures)
      • Summary & Conclusion
    • 3. Principles
      • Defense in Depth: use multiple layers so that one failing defense does not expose the system (e.g. firewalls, IDS, load balancers, IP restrictions)
      • Least Privilege: grant as little access to the system as possible (e.g. restrict access to the DB)
      • Least Complicated: complexity generates mistakes
    • 4. Practices
      • Filter input: ensure incoming data is valid
      • Escape output: ensure outgoing data is not misinterpreted
      • Flow: Input → Application → Output
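The two practices on this slide, filter input and escape output, as an added Python example (not part of the original presentation). The username allow-list, the 280-character bio limit and the form field names are assumptions made for the example; the point it shows is that free text cannot be allow-listed, so the output encoder chosen per context (HTML body vs. URL query string) is what keeps it from being misinterpreted.

```python
import html
import re
from urllib.parse import quote

# Assumption for this example: usernames are 3-32 chars of [A-Za-z0-9_].
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(raw: str) -> bool:
    """Filter input: accept only what matches the allow-list, reject the rest."""
    return USERNAME_RE.fullmatch(raw) is not None


def handle_profile_form(form: dict) -> dict:
    """Filter on the way in, escape on the way out.

    Invalid input is rejected rather than 'cleaned', so no ambiguous value
    reaches the application. Free-text fields that cannot be allow-listed
    (the bio) are made safe purely by output escaping.
    """
    username = form.get("username", "")
    if not is_valid_username(username):
        return {"status": 400, "html": "<p>Invalid username.</p>"}

    bio = form.get("bio", "")[:280]  # constructed length limit for the example

    # Escape output per context: HTML text nodes get html.escape,
    # a query-string value gets URL encoding.
    page = (
        f"<h1>{html.escape(username)}</h1>"
        f"<p>{html.escape(bio, quote=True)}</p>"
        f'<a href="/u?name={quote(username, safe="")}">link</a>'
    )
    return {"status": 200, "html": page}


if __name__ == "__main__":
    # Constructed sample form submissions
    print(handle_profile_form({"username": "alice_01", "bio": '<b>hi</b> "quoted"'}))
    print(handle_profile_form({"username": "<script>", "bio": ""}))
```

Note that `html.escape(..., quote=True)` also encodes `"` and `'`, which matters when a value lands inside an attribute rather than a text node.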
    • 5. Three-Tiered Approach
      • Secure the network
      • Secure the host: runtime services, platform services, operating system
      • Secure the application: presentation logic, business logic, data access logic
    • 6. Anatomy of a web attack: survey and assess → exploit and penetrate → escalate privileges → maintain access → deny service
    • 7. Threat Categories
      • STRIDE: based on the goals and purposes of the attacker
      • Three categories based on the three-tiered approach: Network, Host, Application
    • 8. STRIDE
      • Spoofing: gain access to the system with a false identity
      • Tampering: unauthorized modification of data
      • Repudiation: ability of a user to deny having performed specific actions or transactions
      • Information disclosure: exposure of private data
      • Denial of Service: making the system unavailable
      • Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user
    • 9. STRIDE countermeasures
      • Spoofing: strong authentication, SSL, avoid plaintext when storing and sending sensitive data
      • Tampering: data hashing, digital signatures, authorization
      • Repudiation: secure audit trails, digital signatures
      • Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
      • Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
      • Elevation of Privilege: follow the principle of least privilege
    • 10. Network threats
      • Information gathering: discover and profile network devices to find vulnerabilities
      • Sniffing: eavesdropping on data crossing the network
      • Spoofing: hide one's true identity to access the system and work around ACLs
      • Session hijacking: man-in-the-middle attack
      • Denial of service: denies legitimate access to servers or services
    • 11. Network countermeasures
      • Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
      • Sniffing: use strong physical security, network segmentation, encrypt communication
      • Spoofing: filter incoming and outgoing packets
      • Session hijacking: encrypted session negotiation and communication channels
      • Denial of service: IDS, appropriate registry settings for the TCP/IP stack
    • 12. Host threats
      • Viruses, Trojan horses, and worms: perform malicious acts and cause disruption to the OS
      • Footprinting: try to reveal valuable information about the system
      • Password cracking: try to establish an authenticated connection with the server
      • Arbitrary code execution: execute malicious code on the server
      • Unauthorized access: try to access restricted information or perform restricted operations
    • 13. Host countermeasures
      • Viruses, Trojan horses, and worms: harden weak default configuration settings, anti-virus applications
      • Footprinting: disable unused ports and protocols, IDS, "defense in depth"
      • Password cracking: strong passwords, lockout policies, audit failed login attempts
      • Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
      • Unauthorized access: secure web permissions, lock down files and folders
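The password-cracking countermeasures on this slide (strong password storage, a lockout policy, and an audit trail of failed logins) as an added Python example; it is not code from the presentation. The thresholds (5 failures, 15-minute lockout), the PBKDF2 iteration count and the `AccountStore` class are assumptions chosen for the example; the injectable clock exists only so the lockout expiry can be exercised in a test.

```python
import hashlib
import hmac
import os
import time

# Constructed policy values for the example
MAX_FAILURES = 5          # consecutive failures before lockout
LOCKOUT_SECONDS = 900     # 15 minutes
PBKDF2_ITERATIONS = 100_000  # kept modest so the example runs quickly; use more in production


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class AccountStore:
    """Hypothetical in-memory account store with lockout and audit logging."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}   # username -> {"salt", "hash", "failures", "locked_until"}
        self.audit_log = []  # (timestamp, event, username); would go to a protected log in practice

    def create(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "hash": digest,
                                   "failures": 0, "locked_until": 0.0}

    def _audit(self, event: str, username: str) -> None:
        self.audit_log.append((self.clock(), event, username))

    def login(self, username: str, password: str) -> bool:
        now = self.clock()
        acct = self.accounts.get(username)
        if acct is None:
            # Burn a hash anyway so unknown-user and wrong-password timings look alike.
            hash_password(password, b"\x00" * 16)
            self._audit("login_failed_unknown_user", username)
            return False
        if now < acct["locked_until"]:
            self._audit("login_rejected_locked", username)  # even a correct password is refused
            return False
        _, candidate = hash_password(password, acct["salt"])
        if hmac.compare_digest(candidate, acct["hash"]):
            acct["failures"] = 0
            self._audit("login_ok", username)
            return True
        acct["failures"] += 1
        self._audit("login_failed_bad_password", username)
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
            self._audit("account_locked", username)
        return False


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "correct horse battery staple")  # constructed credentials
    for attempt in ["wrong"] * MAX_FAILURES + ["correct horse battery staple"]:
        print(attempt, "->", store.login("alice", attempt))
    for entry in store.audit_log:
        print(entry)
```

Every decision the policy makes is written to `audit_log` with the reason, so a reviewer can distinguish a locked account refusing a correct password from a plain bad-password failure.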
    • 14. Application threats
      • Input validation: cross-site scripting (XSS), SQL injection
      • Authentication: dictionary attacks, brute-force attacks
      • Session management: session hijacking, man in the middle
      • Cryptography: poor key generation or key management, weak or custom encryption
      • Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
      • Exception management: information disclosure, denial of service
    • 15. Application countermeasures
      • Input validation: validate input, encode user output, use parameterized stored procedures
      • Authentication: strong passwords with hashes
      • Session management: SSL, expiration period on the session cookie, HMACs
      • Cryptography: secure encryption system, DPAPI, use proven cryptographic services
      • Parameter manipulation: session identifier, HTTP POST, encrypt query strings, HMACs
      • Exception management: exception handling and logging
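Three of the countermeasures on this slide, parameterized queries (slide 14's SQL injection beside its fix), HMAC-protected query-string parameters against parameter manipulation, and exception management that logs detail but returns a generic message, as one added Python example that is not part of the presentation. The in-memory SQLite `orders` table, the `SERVER_KEY` constant and the `value.mac` parameter format are assumptions made for the example.

```python
import hashlib
import hmac
import logging
import sqlite3

log = logging.getLogger("app")

# Assumption: a server-side secret that never reaches the client.
SERVER_KEY = b"constructed-example-key-replace-in-production"


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 19.99), (2, "bob", 250.00)])
    return conn


def orders_for_vulnerable(conn, owner: str) -> list:
    """Deliberately vulnerable: the value is spliced into the SQL text."""
    return conn.execute(f"SELECT id FROM orders WHERE owner = '{owner}'").fetchall()


def orders_for(conn, owner: str) -> list:
    """Parameterized: the driver sends the value separately from the SQL, so it is only ever data."""
    return conn.execute("SELECT id FROM orders WHERE owner = ?", (owner,)).fetchall()


def sign_param(name: str, value: str) -> str:
    """Return 'value.mac'; binding the name prevents a MAC being reused for another parameter."""
    mac = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_param(name: str, signed: str) -> str:
    """Recompute the MAC and compare in constant time; raise on any mismatch."""
    value, _, mac = signed.rpartition(".")
    expected = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError(f"parameter {name} failed integrity check")
    return value


def handle_order_request(conn, signed_order_id: str) -> dict:
    """Exception management: full detail to the server log, a generic reply to the client."""
    try:
        order_id = int(verify_param("order_id", signed_order_id))
        row = conn.execute("SELECT owner, total FROM orders WHERE id = ?", (order_id,)).fetchone()
        if row is None:
            return {"status": 404, "body": "not found"}
        return {"status": 200, "body": {"owner": row[0], "total": row[1]}}
    except Exception:
        log.exception("order lookup failed for %r", signed_order_id)  # stack trace stays server-side
        return {"status": 400, "body": "bad request"}                  # nothing internal leaks out


if __name__ == "__main__":
    conn = build_db()
    probe = "x' OR '1'='1"  # constructed input that changes the meaning of the concatenated query
    print("vulnerable:", orders_for_vulnerable(conn, probe))
    print("parameterized:", orders_for(conn, probe))
    signed = sign_param("order_id", "1")
    print(handle_order_request(conn, signed))
    print(handle_order_request(conn, "2." + signed.split(".")[1]))  # tampered value, same MAC
```

The tampered request in the last line is rejected with a generic 400 while the log entry records exactly why, which is the split the slide's "exception handling and logging" item asks for.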
    • 16. Summary & Conclusion: understanding STRIDE makes applying countermeasures more effective, and understanding the common threats helps prevent the application from being compromised. Thank You!