Web application security: Threats & Countermeasures
Slide notes
  • Disable remote connections.
  • Network: router, firewall, switch (protocols and ports). Host: OS, application platform, DB services, web server, application server. Application: validation, AAA, exception management.
  • Transcript

    • 1. Aung Thu Rha Hein (g5536871)
    • 2. Outline
      • Fundamentals: principles, practices, three-tiered approach
      • Threats & countermeasures: anatomy of web attacks; threat categories (STRIDE; network, host and application threats & countermeasures)
      • Summary & conclusion
    • 3. Principles
      • Defense in depth: use multiple layers so that the failure of one defense does not compromise the system. E.g. firewalls, IDS, load balancers, IP restrictions.
      • Least privilege: grant as little access to the system as possible. E.g. restrict access to the DB.
      • Least complicated: complexity generates mistakes.
    • 4. Practices
      • Filter input: ensure incoming data is valid.
      • Escape output: ensure outgoing data is not misinterpreted by the consumer (browser, SQL engine, shell).
      • Input → Application → Output
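The two practices on this slide, shown as an added example (not code from the original deck): an allowlist filter on the way in, a parameterized query instead of string concatenation at the SQL sink, and HTML escaping on the way out. The table, rows and the `x' OR '1'='1` payload are constructed for the demonstration; the function and table names are my own.

```python
import html
import re
import sqlite3

# Allowlist for a username field: accept only what the application expects.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def filter_input(raw: str) -> str:
    """Filter input: reject anything that is not a well-formed username."""
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("rejected input: %r" % raw)
    return raw


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Unfiltered input pasted into SQL: the caller can rewrite the query."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound as data and never parsed as SQL."""
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def render_greeting(name: str) -> str:
    """Escape output: HTML metacharacters in data are encoded, not interpreted."""
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_email_vulnerable(conn, payload))  # every row leaks
    print(lookup_email_safe(conn, payload))        # no match
    print(render_greeting("<script>alert(1)</script>"))
```

Filtering alone is not enough (a legitimate surname like O'Brien would fail the regex, and the filter is easy to forget on one code path), which is why the sink itself is parameterized and the output is escaped regardless of what the filter let through.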
    • 5. Three-Tiered Approach
      • Secure the network
      • Secure the host: operating system, platform services, runtime services
      • Secure the application: presentation logic, business logic, data access logic
    • 6. Anatomy of a web attack
      • Survey and assess → Exploit and penetrate → Escalate privileges → Maintain access → Deny service
    • 7. Threat Categories
      • STRIDE: categorized by the goals and purposes of the attacker
      • Three categories based on the three-tiered approach: network, host, application
    • 8. STRIDE
      • Spoofing: gain access to the system with a false identity
      • Tampering: unauthorized modification of data
      • Repudiation: ability of a user to deny having performed specific actions or transactions
      • Information disclosure: exposure of private data
      • Denial of service: making the system unavailable
      • Elevation of privilege: a user with limited privileges assumes the identity of a fully privileged user
    • 9. STRIDE countermeasures
      • Spoofing: strong authentication, SSL, avoid storing and sending sensitive data in plaintext
      • Tampering: data hashing, digital signatures, authorization
      • Repudiation: secure audit trails, digital signatures
      • Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
      • Denial of service: validate and filter input, bandwidth throttling techniques, AAA protocols
      • Elevation of privilege: follow the principle of least privilege
    • 10. Network threats
      • Information gathering: discover and profile network devices to find vulnerabilities
      • Sniffing: eavesdropping on data crossing the network
      • Spoofing: hide one's true identity to access the system and work around ACLs
      • Session hijacking: man-in-the-middle attack
      • Denial of service: denies legitimate access to the server or its services
    • 11. Network countermeasures
      • Information gathering: configure routers to restrict footprinting; disable unused protocols and ports
      • Sniffing: strong physical security, network segmentation, encrypted communication
      • Spoofing: filter incoming and outgoing packets (ingress/egress filtering)
      • Session hijacking: encrypted session negotiation and communication channels
      • Denial of service: IDS, appropriate registry settings for the TCP/IP stack
    • 12. Host threats
      • Viruses, Trojan horses and worms: perform malicious acts and disrupt the OS
      • Footprinting: try to reveal valuable information about the system
      • Password cracking: try to establish an authenticated connection with the server
      • Arbitrary code execution: execute malicious code on the server
      • Unauthorized access: try to access restricted information or perform restricted operations
    • 13. Host countermeasures
      • Viruses, Trojan horses and worms: harden weak default configuration settings, anti-virus applications
      • Footprinting: disable unused ports and protocols, IDS, defense in depth
      • Password cracking: strong passwords, lockout policies, audit failed login attempts
      • Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
      • Unauthorized access: secure web permissions, lock down files and folders
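The password-cracking countermeasures on this slide (and the "strong passwords with hashes" item on the application countermeasures slide) combined in one added example that is not part of the original deck: passwords are stored as salted PBKDF2 hashes, a fixed number of failures locks the account for a period, and every outcome is written to an audit trail. `AuthService`, the limits and the in-memory audit list are my own constructions; a real deployment would persist the hashes and ship the audit lines to a log system.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5           # attempts before the account is locked
LOCKOUT_SECONDS = 15 * 60  # how long the lock lasts
PBKDF2_ROUNDS = 100_000    # slows offline guessing against a stolen hash


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash so identical passwords do not share a hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class AuthService:
    """Hypothetical login service: hashed credentials, lockout policy, audit log."""

    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (failure_count, locked_until)
        self.audit = []     # constructed in-memory audit trail

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            self.audit.append(f"t={now:.0f} LOCKED user={username}")
            return False
        record = self.users.get(username)
        # Hash even for unknown users so response time does not reveal valid names.
        salt, stored = record if record else (b"\x00" * 16, b"\x00" * 32)
        _, candidate = hash_password(password, salt)
        if record and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            self.audit.append(f"t={now:.0f} LOGIN_OK user={username}")
            return True
        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        self.audit.append(f"t={now:.0f} LOGIN_FAIL user={username} failures={count}")
        return False


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    for i in range(MAX_FAILURES):
        svc.login("alice", f"guess{i}", now=1000.0)
    svc.login("alice", "correct horse battery staple", now=1001.0)  # locked out
    print("\n".join(svc.audit))
```

The `now` parameter exists so the lockout window can be exercised deterministically; the audit lines are what the "audit failed login attempts" countermeasure produces and what a detection rule would alert on (a burst of LOGIN_FAIL for one user, or LOCKED events across many users).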
    • 14. Application threats
      • Input validation: cross-site scripting (XSS), SQL injection
      • Authentication: dictionary attacks, brute-force attacks
      • Session management: session hijacking, man in the middle
      • Cryptography: poor key generation or key management, weak or custom encryption
      • Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
      • Exception management: information disclosure, denial of service
    • 15. Application countermeasures
      • Input validation: validate input, encode user output, use parameterized queries or stored procedures
      • Authentication: strong passwords stored as salted hashes
      • Session management: SSL, an expiration period on the session cookie, HMACs
      • Cryptography: a proven encryption system, DPAPI, use proven cryptographic services rather than custom ones
      • Parameter manipulation: server-side session identifiers, HTTP POST, encrypt query strings, HMACs
      • Exception management: exception handling and logging (generic error pages to the client, details only to the log)
    • 16. Summary
      • Understanding STRIDE makes the choice of countermeasures more effective.
      • Understanding the common threats at each tier helps prevent them from compromising the application.
      • Thank you!
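The HMAC items on this slide (session cookie with an expiration period; query strings and cookies that the client cannot alter) and the tampering countermeasure on the STRIDE slide, as one added example that is not code from the original deck: claims are serialized with an expiry and tagged with HMAC-SHA256 under a server-side key, and verification rejects any edit to the claims, any wrong key and any expired token. The function names, the key and the `user`/`role` claims are my own constructions; `tamper` plays the role of a client editing the cookie or query string by hand.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes, ttl_seconds: int, now: int = None) -> str:
    """Serialize claims plus an expiry and append an HMAC-SHA256 tag."""
    now = int(time.time()) if now is None else now
    body = dict(claims, exp=now + ttl_seconds)
    encoded = _b64encode(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    return encoded + "." + _b64encode(tag)


def verify_token(token: str, key: bytes, now: int = None):
    """Return the claims if the tag matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        encoded, tag_text = token.split(".", 1)
        tag = _b64decode(tag_text)
    except ValueError:  # malformed token or bad base64
        return None
    expected = hmac.new(key, encoded.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: reject before parsing the body
    claims = json.loads(_b64decode(encoded))
    if claims.get("exp", 0) <= now:
        return None  # expired
    return claims


def tamper(token: str, changes: dict) -> str:
    """Client-side manipulation: rewrite the claims but keep the original tag."""
    encoded, tag_text = token.split(".", 1)
    claims = json.loads(_b64decode(encoded))
    claims.update(changes)
    new_encoded = _b64encode(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    return new_encoded + "." + tag_text


if __name__ == "__main__":
    key = b"server-side secret, never sent to the client"  # constructed
    token = sign_token({"user": "alice", "role": "user"}, key, ttl_seconds=600, now=1000)
    print(verify_token(token, key, now=1500))                          # claims
    print(verify_token(tamper(token, {"role": "admin"}), key, now=1500))  # None
    print(verify_token(token, key, now=1600))                          # None
```

The tag is checked with `hmac.compare_digest` before the body is parsed, so an attacker gets neither a timing oracle on the comparison nor a chance to feed crafted JSON to the parser. An HMAC gives integrity, not confidentiality: the claims are readable by anyone holding the token, so anything sensitive still needs the encryption the slide lists separately.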