Web Application Security
Prabhu Shiv Singh
Presented at the null (open security community) Dharmashala Chapter - April 2014 Meet

Published in: Education, Technology

1. Web Application Security - Prabhu Shiv Singh
2. Alphabets - APSTNDP
3. Coming for ya!... vulnerabilities and attacks
   • Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but they can be mitigated: bounded request timeouts, request size limits and connection limits keep a single client from holding server resources indefinitely (the Apache security tips page covers TimeOut, KeepAliveTimeout, RequestReadTimeout and the LimitRequest* directives).
   • SQL injection is a code injection technique used to attack data-driven applications: malicious SQL is inserted into an entry field (or any other input that is concatenated into a query) and executed by the database, e.g. to bypass a login check or to dump the database contents to the attacker. The fix is parameterised queries, so that user input is bound as data and is never parsed as SQL.
   • Cross-site scripting (XSS) is a vulnerability typically found in web applications. It lets attackers inject client-side script into web pages viewed by other users; the script runs with the origin of the vulnerable page, so an XSS flaw can be used to bypass access controls such as the same-origin policy, for example to steal session cookies or act as the victim user. The fix is to encode output for the context it is placed in (HTML entity encoding for HTML body content).
4. Heartbleed... not heartache!
   • Heartbleed (CVE-2014-0160) is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. A malformed TLS heartbeat request makes the peer return up to 64 KB of its process memory per request, which can contain private keys, session cookies and passwords.
   • Check a public host here: http://filippo.io/Heartbleed
   • To make sure the problem actually exists on your own server, run: $ openssl version -a
   • Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1 or 1.0.2-beta1 (1.0.1g is the first fixed release). Caveat: distributions such as Debian, Ubuntu and Red Hat backported the fix without changing the version letter, so a patched system can still report 1.0.1e; check the "built on" date in the output and the package changelog rather than the version string alone.
   • If your OS has no patched package, build OpenSSL from source: https://www.openssl.org/source/openssl-1.0.1g.tar.gz. Restart every service that links OpenSSL afterwards, since a running process keeps the old library loaded, and because memory may already have leaked, regenerate private keys, reissue certificates and invalidate existing sessions once patched.
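The version check from the slide, with the backport caveat, as an added example rather than anything from the slides or the OpenSSL project. It parses `openssl version -a` output against the affected-version list above (1.0.1 through 1.0.1f and 1.0.2-beta1), and, when the version string alone says "vulnerable", looks at the `built on:` date: a build on or after the 7 April 2014 fix date is flagged for changelog verification instead of being called vulnerable outright. The sample outputs are constructed, and the `built on:` date formats handled are the common `Mon Apr  7 20:33:29 UTC 2014` shape (assumption; other formats simply yield no date).

```python
import re
import subprocess
from datetime import date

# Affected releases per the OpenSSL advisory for CVE-2014-0160: 1.0.1 through 1.0.1f and
# 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the fix; the 1.0.0 and 0.9.8 branches never had it.
HEARTBLEED_FIX_DATE = date(2014, 4, 7)  # release day of the fixed 1.0.1g

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")
_BUILT_ON_RE = re.compile(r"built on:\s*(.+)")
_DATE_RE = re.compile(
    r"\b(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)\s+(\d{1,2})\b.*?\b(\d{4})\b")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

def parse_version(output):
    """Return (major, minor, patch, letter, beta) from `openssl version` output."""
    m = _VERSION_RE.search(output)
    if m is None:
        raise ValueError("no OpenSSL version string found")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, m.group(4), beta

def is_heartbleed_version(version):
    """True for the releases that shipped the vulnerable heartbeat code."""
    major, minor, patch, letter, beta = version
    if (major, minor, patch) == (1, 0, 1):
        return letter <= "f"      # "" (plain 1.0.1) through "f"; "g" and later are fixed
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1          # only beta1; beta2 and the final 1.0.2 are fixed
    return False

def parse_build_date(output):
    """Best-effort date from the `built on:` line (assumed 'Mon Apr  7 20:33:29 UTC 2014' shape)."""
    m = _BUILT_ON_RE.search(output)
    if m is None:
        return None
    d = _DATE_RE.search(m.group(1))
    if d is None:
        return None
    return date(int(d.group(3)), _MONTHS[d.group(1)], int(d.group(2)))

def assess(output):
    """Classify `openssl version -a` output as VULNERABLE, NOT_VULNERABLE or CHECK_BACKPORT."""
    if not is_heartbleed_version(parse_version(output)):
        return "NOT_VULNERABLE"
    built = parse_build_date(output)
    if built is not None and built >= HEARTBLEED_FIX_DATE:
        # Distributions backport the fix without bumping the version letter, so a 1.0.1e
        # built after the advisory may already be patched: confirm via the package changelog.
        return "CHECK_BACKPORT"
    return "VULNERABLE"

def assess_local():
    """Run the check against the OpenSSL installed on this machine."""
    out = subprocess.run(["openssl", "version", "-a"],
                         capture_output=True, text=True, check=True).stdout
    return assess(out)

# Constructed sample outputs (the line layout follows `openssl version -a`).
SAMPLE_VULNERABLE = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Feb 12 12:00:00 UTC 2013\nplatform: linux-x86_64\n"
SAMPLE_BACKPORT = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\nplatform: debian-amd64\n"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 18:00:00 UTC 2014\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\nbuilt on: Mon Feb 24 10:00:00 UTC 2014\n"

if __name__ == "__main__":
    for name, sample in [("vulnerable", SAMPLE_VULNERABLE), ("backport", SAMPLE_BACKPORT),
                         ("fixed", SAMPLE_FIXED), ("beta1", SAMPLE_BETA)]:
        print("%-10s -> %s" % (name, assess(sample)))
```

`assess_local()` is what you would run on the server; the three classifications map to the slide's advice: NOT_VULNERABLE needs nothing, VULNERABLE means patch or build 1.0.1g, and CHECK_BACKPORT means the version string is inconclusive and the distribution's changelog decides.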
5. CAPTCHA my comments... else...
   • CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human. On a web site it sits in front of comment forms, registration and login to stop automated spam and scripted brute-force submissions.
6. Gotcha... now what?
   Top reasons for web-application level attacks:
   • Low-quality application code that does not follow security standards.
   • File permissions set incorrectly. The safe baseline on shared hosting is 644 for files and 755 for directories, nothing world-writable (777), and no writable directory that is also allowed to execute PHP.
   • Weak DB admin, cPanel and FTP passwords.
   A regular database and file backup policy should be in place from the start.
   Apache hardening guidance: http://httpd.apache.org/docs/2.4/misc/security_tips.html - and watch the server's error log, /var/log/apache2/error.log on Debian-based systems.
   Google Safe Browsing can detect malicious scripts on a site and flags it to visitors as an "attack page"; Google Webmaster Tools (now Search Console) notifies the site owner of the detection.
   Hacked account: what to look for
   • http://support.hostgator.com/articles/pre-sales-policies/security-abuse/what-security-measures-are-used-to-protect-my-server
   • Strangely named files or directories (e.g. xf8c3l.php, or /home/username/public_html/wellsfargo - a phishing page for a bank the site has nothing to do with)
   • PHP files located in image or upload folders, where only static content belongs
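The "what to look for" indicators on this slide turned into a small scanner, as an added example that is not from the slides or from HostGator. It flags server-side scripts inside static-content directories, script names that interleave letters and digits the way generated names such as xf8c3l.php do (a heuristic, assumed here), and directories named after a brand from a phishing watchlist that contains only the slide's own wellsfargo example (an operator would extend it). The directory listing it runs on is constructed; `scan_tree()` applies the same checks to a real document root.

```python
import os
import re

# Directories that should only ever hold static content; a PHP file dropped here is a
# classic webshell location (the slide's "PHP files located in image folders").
STATIC_DIRS = {"images", "img", "image", "uploads", "media", "css", "js", "fonts"}
SERVER_SIDE_EXT = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
# Brands that phishing kits impersonate. Only the slide's own example is listed;
# a real deployment would extend this list (assumption).
BRAND_WATCHLIST = {"wellsfargo"}

def _transitions(stem):
    """Count letter<->digit switches: 'xf8c3l' -> 4, 'index2' -> 1, 'shell' -> 0."""
    kinds = ["d" if c.isdigit() else "a" for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)

def looks_random(filename):
    """Heuristic (assumption): generated names interleave letters and digits several times."""
    stem = os.path.splitext(filename)[0].lower()
    return len(stem) >= 5 and _transitions(stem) >= 3

def suspicious_paths(paths):
    """Return {path: [reasons]} for every path that matches at least one indicator."""
    findings = {}
    for path in paths:
        parts = [p for p in re.split(r"[\\/]+", path.lower()) if p]
        name, dirs = parts[-1], set(parts[:-1])
        ext = os.path.splitext(name)[1]
        reasons = []
        if ext in SERVER_SIDE_EXT and dirs & STATIC_DIRS:
            reasons.append("server-side script inside a static-content directory")
        if ext in SERVER_SIDE_EXT and looks_random(name):
            reasons.append("random-looking script name")
        if dirs & BRAND_WATCHLIST:
            reasons.append("directory named after a brand on the phishing watchlist")
        if reasons:
            findings[path] = reasons
    return findings

def scan_tree(root):
    """Walk a real document root (e.g. /home/username/public_html) and apply the checks."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return suspicious_paths(paths)

# Constructed listing standing in for a compromised shared-hosting account.
SAMPLE_PATHS = [
    "/home/username/public_html/index.php",
    "/home/username/public_html/images/logo.png",
    "/home/username/public_html/images/xf8c3l.php",
    "/home/username/public_html/wp-content/uploads/2014/04/shell.php",
    "/home/username/public_html/wellsfargo/index.html",
    "/home/username/public_html/css/style.css",
]

if __name__ == "__main__":
    for path, reasons in suspicious_paths(SAMPLE_PATHS).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

The heuristics are deliberately loose and meant to shortlist files for a human to open, not to clean anything automatically; pair the output with the file modification times and the Apache error log to see when the files appeared and which requests touched them.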
7. Let's play... and learn - OWASP
   • The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations and individuals from around the world, and works to create freely available articles, methodologies, documentation, tools and technologies.
   • OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is a set of commercially workable open standards tailored to specific web-based technologies. A Web Application Edition has been published; a Web Service Edition is under development.
8. Thank you for your time - prabhu9484@gmail.com
   Sources - Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org