Web application security: Threats & Countermeasures
 

Presentation Transcript

  • Aung Thu Rha Hein (g5536871)
  • Agenda
    • Fundamentals: Principles, Practices, Three-Tiered Approach
    • Threats & Countermeasures: Anatomy of web attacks, Threat categories (STRIDE), Network threats & countermeasures, Host threats & countermeasures, Application threats & countermeasures
    • Summary & Conclusion
  • Principles
    • Defense in Depth: use multiple layers so that the failure of one defense does not expose the system. E.g. firewalls, IDS, load balancers, IP restrictions
    • Least Privilege: grant the least access to the system that the task requires. E.g. restrict access to the DB
    • Least Complicated: complexity generates mistakes
  • Practices
    • Filter input: ensure incoming data is valid before the application uses it
    • Escape output: ensure outgoing data is not misinterpreted by its consumer (browser, database, shell)
    • Data flow: Input → Application → Output
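Added example (not from the presentation): the filter-input / escape-output pair from this slide as a small Python module. The username allow-list, the field names and the HTML greeting page are constructed for illustration. The point it shows is that validation happens at the input boundary with an allow-list (reject, do not "clean"), while escaping happens at the output boundary for the specific consumer, here an HTML text or attribute context, since free text such as a display name may legitimately contain characters that are dangerous only once they reach the browser.

```python
import html
import re

# Allow-list for a username field: letters, digits, underscore, 3-16 chars.
# (Constructed rule for this example; the real rule depends on the field.)
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,16}$")


def filter_input(field: str, value: str) -> str:
    """Filter input: reject anything that does not match the field's allow-list.

    Raising instead of silently "cleaning" the value keeps the decision
    explicit and avoids guessing what the sender meant.
    """
    if field == "username":
        if not USERNAME_RE.fullmatch(value):
            raise ValueError(f"invalid {field}")
        return value
    raise ValueError(f"unknown field {field!r}")


def escape_output(value: str) -> str:
    """Escape output for an HTML text context so the browser cannot read
    data as markup. quote=True also escapes ' and ", which matters when
    the value lands inside an attribute."""
    return html.escape(value, quote=True)


def render_greeting(display_name: str) -> str:
    """Render untrusted data into an HTML page. The display name is free
    text (it may legitimately contain < or &), so it is not filtered like
    the username; it is escaped at the output boundary instead."""
    return f"<p>Hello, {escape_output(display_name)}!</p>"


if __name__ == "__main__":
    # Constructed inputs: one benign username, one SQL-style probe, one XSS probe.
    print(filter_input("username", "alice_01"))
    for bad in ("alice' OR 1=1--", "<script>alert(1)</script>"):
        try:
            filter_input("username", bad)
        except ValueError as e:
            print("rejected:", bad, "->", e)
    print(render_greeting('Bob <script>alert("xss")</script>'))
```

Note that the two steps are not interchangeable: the allow-list would wrongly reject a display name like "O'Brien", and escaping alone would not stop a username of `../etc/passwd` from reaching a file API. Filter for validity where data enters, escape for the consumer where data leaves.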
  • Three-Tiered Approach
    • Secure the network: routers, firewalls, switches (protocols and ports)
    • Secure the host: operating system, platform services, runtime services (OS, application platform, DB services, web server, application server)
    • Secure the application: presentation logic, business logic, data access logic (validation, AAA, exception management)
  • Anatomy of a web attack: Survey and assess → Exploit and penetrate → Escalate privileges → Maintain access → Deny service
  • Threat Categories
    • STRIDE: based on the goals and purposes of the attacker
    • Three categories based on the three-tiered approach: Network, Host, Application
  • STRIDE
    • Spoofing: gaining access to the system with a false identity
    • Tampering: unauthorized modification of data
    • Repudiation: the ability of a user to deny having performed specific actions or transactions
    • Information disclosure: exposure of private data
    • Denial of Service: making the system unavailable
    • Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user
  • STRIDE Countermeasures
    • Spoofing: strong authentication, SSL/TLS, avoid storing or sending sensitive data in plaintext
    • Tampering: data hashing, digital signatures, authorization
    • Repudiation: secure audit trails, digital signatures
    • Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
    • Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
    • Elevation of Privilege: follow the principle of least privilege
  • Network Threats
    • Information gathering: discover and profile network devices to find vulnerabilities
    • Sniffing: eavesdropping on data as it crosses the network
    • Spoofing: hiding one's true identity to access the system and work around ACLs
    • Session hijacking: man-in-the-middle attack
    • Denial of service: denying legitimate access to servers or services
  • Network Countermeasures
    • Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
    • Sniffing: strong physical security, network segmentation, encrypted communication
    • Spoofing: filter incoming and outgoing packets (ingress/egress filtering)
    • Session hijacking: encrypted session negotiation and communication channels
    • Denial of service: IDS, appropriate registry settings for the TCP/IP stack
  • Host Threats
    • Viruses, Trojan horses, and worms: perform malicious acts and cause disruption to the OS
    • Footprinting: attempts to reveal valuable information about the system
    • Password cracking: attempts to establish an authenticated connection with the server
    • Arbitrary code execution: executing malicious code on the server
    • Unauthorized access: attempts to access restricted information or perform restricted operations
  • Host Countermeasures
    • Viruses, Trojan horses, and worms: harden weak default configuration settings, anti-virus applications
    • Footprinting: disable unused ports and protocols, IDS, defense in depth
    • Password cracking: strong passwords, lockout policies, audit failed login attempts
    • Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
    • Unauthorized access: secure web permissions, lock down files and folders
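Added example (not part of the slides): the password-cracking countermeasures on this slide, salted and stretched password hashes, a lockout policy, and an audit trail of failed login attempts, written in Python. The account store, the lockout thresholds, the log line format and the source addresses are constructed for the example; the PBKDF2 iteration count is deliberately low to keep the demo quick and should be raised in production.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Lockout policy and hashing parameters (constructed for this example).
MAX_FAILURES = 5             # failures before the account is locked
LOCKOUT_SECONDS = 15 * 60    # how long the lock lasts
PBKDF2_ITERATIONS = 100_000  # kept low for the demo; raise it in production
DUMMY_SALT = os.urandom(16)  # so unknown users cost the same time as known ones


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A random per-user salt defeats precomputed
    tables; the iteration count makes offline cracking of a stolen hash slow."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def _audit(self, now: float, event: str, username: str, ip: str, reason: str = "") -> None:
        # Audit trail: who, from where, when, and why. The password is never logged.
        line = f"{now:.0f} {event} user={username} ip={ip}"
        self.audit_log.append(line + (f" reason={reason}" if reason else ""))

    def login(self, username: str, password: str, now: float, ip: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password, DUMMY_SALT)  # same work as a real check (timing)
            self._audit(now, "LOGIN_FAIL", username, ip, "unknown_user")
            return False
        if now < acct.locked_until:
            # Locked: refuse without checking the password, so guessing cannot continue.
            self._audit(now, "LOGIN_FAIL", username, ip, "locked")
            return False
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            self._audit(now, "LOGIN_OK", username, ip)
            return True
        acct.failures += 1
        reason = "bad_password"
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
            reason = "bad_password;account_locked"
        self._audit(now, "LOGIN_FAIL", username, ip, reason)
        return False


if __name__ == "__main__":
    svc = AuthService()
    svc.register("alice", "correct horse battery staple")
    t = 1_700_000_000.0
    for i in range(MAX_FAILURES):  # a dictionary attack from one constructed address
        svc.login("alice", f"password{i}", t + i, "203.0.113.9")
    svc.login("alice", "correct horse battery staple", t + 10, "203.0.113.9")  # refused: locked
    svc.login("alice", "correct horse battery staple", t + LOCKOUT_SECONDS + 10, "203.0.113.9")
    print("\n".join(svc.audit_log))
```

The audit lines are what the detection side works from: a burst of LOGIN_FAIL records for one user, or for many users from one address, is the signal for a dictionary or brute-force attack. A lockout policy also hands an attacker a cheap denial of service against a known username, which is why the lock is time-limited rather than permanent.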
  • Application Threats
    • Input validation: cross-site scripting (XSS), SQL injection
    • Authentication: dictionary attacks, brute-force attacks
    • Session management: session hijacking, man in the middle
    • Cryptography: poor key generation or key management, weak or custom encryption
    • Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
    • Exception management: information disclosure, denial of service
  • Application Countermeasures
    • Input validation: validate input, encode user output, use parameterized queries or stored procedures
    • Authentication: strong passwords stored as hashes
    • Session management: SSL/TLS, an expiration period on the session cookie, HMACs
    • Cryptography: a proven encryption system, DPAPI, use proven cryptographic services
    • Parameter manipulation: use session identifiers (keep sensitive state server-side), HTTP POST, encrypt query strings, HMACs
    • Exception management: exception handling and logging
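Added example (not the presentation's own code): two of the application countermeasures above in Python, a SQL-injection lookup built by string concatenation beside its parameterized form, and an HMAC over query-string parameters to detect parameter manipulation. The in-memory SQLite table, the user rows, the parameter names and the demo key are constructed; a real deployment keeps the key out of source and rotates it, and parameter binding through the database's own stored procedures works equally well.

```python
import hashlib
import hmac
import sqlite3
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_vulnerable(db: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Untrusted input spliced into the SQL text: the classic injection sink."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return db.execute(sql).fetchall()


def lookup_parameterized(db: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The value is bound as a parameter, so it can never become SQL syntax."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed demo key; a real deployment keeps this out of source and rotates it.
HMAC_KEY = b"demo-key-do-not-use-in-production"


def _canonical(params: Dict[str, str]) -> str:
    # Sorting gives one canonical encoding, so signer and verifier agree
    # regardless of parameter order. Keys are assumed unique (no repeats).
    return urlencode(sorted(params.items()))


def sign_params(params: Dict[str, str], key: bytes = HMAC_KEY) -> str:
    """Return the query string with an HMAC-SHA256 tag over the parameters."""
    body = _canonical(params)
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{body}&sig={tag}"


def verify_params(query: str, key: bytes = HMAC_KEY) -> Optional[Dict[str, str]]:
    """Return the parameters if the tag matches, else None (tampered or missing)."""
    parsed = parse_qs(query, keep_blank_values=True)
    tags = parsed.pop("sig", [])
    if len(tags) != 1:
        return None
    params = {k: v[0] for k, v in parsed.items()}
    expected = hmac.new(key, _canonical(params).encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison; compare as bytes so odd input cannot raise.
    if not hmac.compare_digest(tags[0].encode("utf-8"), expected.encode("utf-8")):
        return None
    return params


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed injection payload
    print("vulnerable:", lookup_vulnerable(db, probe))        # every row leaks
    print("parameterized:", lookup_parameterized(db, probe))  # []
    q = sign_params({"user_id": "42", "role": "user"})
    print("signed:", q)
    print("verify original:", verify_params(q))
    print("verify tampered:", verify_params(q.replace("role=user", "role=admin")))
```

The HMAC stops a client from editing `role=user` into `role=admin` in a query string, form field or cookie, but it does not stop replay of a string that was validly signed earlier; pair it with a session identifier or an expiry field inside the signed parameters when that matters. Parameter binding is the only reliable fix for injection: escaping the quote character would still leave numeric contexts and `LIKE` patterns exposed.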
  • Summary & Conclusion: understanding STRIDE makes countermeasures more effective to apply, and understanding the common threats at each tier helps prevent them from compromising the application. Thank You!