Web app security


Published on

Published in: Technology
1 Comment
  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • http://designingwebinterfaces.com/designing-web-interfaces-12-screen-patterns
  • http://www.owasp.org/index.php/Category:OWASP_Top_Ten_ProjectThe OWASP Top 10 Web Application Security Risks for 2010 are:A1: InjectionA2: Cross-Site Scripting (XSS)A3: Broken Authentication and Session ManagementA4: Insecure Direct Object ReferencesA5: Cross-Site Request Forgery (CSRF)A6: Security MisconfigurationA7: Insecure Cryptographic StorageA8: Failure to Restrict URL AccessA9: Insufficient Transport Layer ProtectionA10: Unvalidated Redirects and Forwards
  • Web app security

    1. 1. Secure Java Coding Practices Araf Karsh Hamid June, 2006
    2. 2. Rich Internet Applications History Architecture Nothing New Security Threats, Vulnerabilities & Defense Web Application Firewalls Web Application Security Concerns Secure Java Coding Practices Agenda
    3. 3. Rich Internet Apps – History
    4. 4. AJAX Vs. Traditional Web Applications Rich Internet Apps
    5. 5. Security Threats, Vulnerabilities & Defense Web Application Firewalls Web Application Security Concerns Security
    6. 6. Threats, Vulnerabilities & Defense
    7. 7. Web Security Web Application Firewalls
    8. 8. Web Application Security & Secure Java Coding Practices
    9. 9. 1. Unvalidated Inputs 2. Cross-Site Scripting (XSS) 3. Injection Flaws 4. Improper Error Handling 5. Broken Authentication and Session Management 6. Insecure Direct Object References 7. Cross-Site Request Forgery (CSRF) 8. Security Misconfiguration 9. Insecure Cryptographic Storage 10. Failure to Restrict URL Access 11. Insufficient Transport Layer Protection Top 10 Web Vulnerabilities
    10. 10. Attacker can change any value of the input submitted to the Web Server Re-validate all the inputs at the server Take only the necessary information (user input) from a for submission Un-validated Input
    11. 11. Un-validated Input (Problem)
    12. 12. Unvalidated Input (Fixed)
    13. 13. Attacker Injects code into the input data Hide malicious code with Unicode Counter measures Input validations Input length check Cross Site Scripting
    14. 14. Cross Site Scripting (Problem)
    15. 15. Cross Site Scripting (Fixed)
    16. 16. Attacker Can inject System commands Can inject other SQL Can override access checks Examples Add more commands “; select * from users;” Override access “’ OR 1=1;” Counter Measures Use prepared statements in SQL Run with limited privileges Filter / validate the input SQL Injection
    17. 17. SQL Injection (Problem)
    18. 18. SQL Injection (Fixed)
    19. 19. Attacker Gets system information Gets Database information Examples Stack (Thread) Traces Database dump Counter Measures Sanitize the error message Avoid sending stack traces to end user. Customize error pages (HTTP errors 404 etc) Improper Error Handling
    20. 20. Improper Error Handling (Problem)
    21. 21. Improper Error Handling (Fixed)
    22. 22. araf.karsh@gmail.com Questions?