Web application security: Threats & Countermeasures


Published in: Technology
  • Disable remote connection,
  • Network: router, firewall, switch (protocols and ports)
  • Host: OS, app platform, DB services, web server, app server
  • App: validation, AAA, exception management

    1. Aung Thu Rha Hein (g5536871)
    2. Fundamentals
         • Principles
         • Practices
         • Three-Tiered Approach
       Threats & Countermeasures
         • Anatomy of web attacks
         • Threat categories: STRIDE
         • Network Threats & Countermeasures
         • Host Threats & Countermeasures
         • Application Threats & Countermeasures
       Summary & Conclusion
    3. Principles
         • Defense in Depth: use multiple layers so that the failure of one defense does not compromise the system, e.g. firewalls, IDS, load balancers, IP restrictions
         • Least Privilege: grant as little access to the system as possible, e.g. restrict access to the DB
         • Least Complicated: complexity generates mistakes
    4. Practices
         • Filter input: ensure incoming data is valid
         • Escape output: ensure outgoing data is not misinterpreted
       Input -> Application -> Output
    5. Three tiers to secure
         • Secure the network
         • Secure the host: operating system, platform services, runtime services
         • Secure the application: presentation logic, business logic, data access logic
    6. Anatomy of a web attack: survey and assess -> exploit and penetrate -> escalate privileges -> maintain access -> deny service
    7. Threat Categories
         • STRIDE: based on the goals and purposes of the attacker
         • Three categories based on the three-tiered approach: Network, Host, Application
    8. STRIDE
         • Spoofing: gain access to the system with a false identity
         • Tampering: unauthorized modification of data
         • Repudiation: ability of a user to deny having performed specific actions or transactions
         • Information disclosure: exposure of private data
         • Denial of Service: making the system unavailable
         • Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user
    9. STRIDE countermeasures
         • Spoofing: strong authentication, SSL, avoid plaintext when storing and sending sensitive data
         • Tampering: data hashing, digital signatures, authorization
         • Repudiation: secure audit trails, digital signatures
         • Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
         • Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
         • Elevation of Privilege: follow the principle of "Least Privilege"
    10. Network threats
         • Information gathering: discover and profile network devices to find vulnerabilities
         • Sniffing: eavesdropping on data crossing the network
         • Spoofing: hide one's true identity to access the system and work around ACLs
         • Session hijacking: man-in-the-middle attack
         • Denial of service: denies legitimate access to the server or its services
    11. Network countermeasures
         • Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
         • Sniffing: strong physical security, network segmentation, encrypted communication
         • Spoofing: filter incoming and outgoing packets
         • Session hijacking: encrypted session negotiation and communication channels
         • Denial of service: IDS, appropriate registry settings for the TCP/IP stack
    12. Host threats
         • Viruses, Trojan horses and worms: perform malicious acts and cause disruption to the OS
         • Footprinting: try to reveal valuable information about the system
         • Password cracking: try to establish an authenticated connection with the server
         • Arbitrary code execution: execute malicious code on the server
         • Unauthorized access: try to access restricted information or perform restricted operations
    13. Host countermeasures
         • Viruses, Trojan horses and worms: harden weak default configuration settings, anti-virus applications
         • Footprinting: disable unused ports and protocols, IDS, "defense in depth"
         • Password cracking: strong passwords, lockout policies, audit failed login attempts
         • Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
         • Unauthorized access: secure web permissions, lock down files and folders
    14. Application threats
         • Input validation: cross-site scripting (XSS), SQL injection
         • Authentication: dictionary attacks, brute-force attacks
         • Session management: session hijacking, man in the middle
         • Cryptography: poor key generation or key management, weak or custom encryption
         • Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
         • Exception management: information disclosure, denial of service
    15. Application countermeasures
         • Input validation: validate input, encode user output, use parameterized stored procedures
         • Authentication: strong passwords with hashes
         • Session management: SSL, expiration period on the session cookie, HMACs
         • Cryptography: secure encryption system, DPAPI, use proven cryptographic services
         • Parameter manipulation: session identifier, HTTP POST, encrypt query strings, HMACs
         • Exception management: exception handling and logging
    16. Summary: understanding STRIDE makes countermeasures more effective to apply, and understanding the common threats helps prevent them from compromising the application. Thank You!
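The "filter input, escape output" practice of slide 4 and the input-validation countermeasures of slides 14 and 15 (validate input, parameterized queries, encode output) worked through in code. This is an added example, not code from the deck or its author: the allowlist pattern, the in-memory SQLite table and the probe string are constructed for the demonstration, and a parameterized query stands in for the deck's "parameterized stored procedures" because SQLite has no stored procedures. The vulnerable lookup is kept beside the safe one so the difference in behaviour on the same input is visible.

```python
import html
import re
import sqlite3

# Allowlist for a username: 3-32 letters, digits, underscore or hyphen.
# This policy is constructed for the example; the deck only says "validate input".
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{3,32}")


def make_demo_db():
    """Constructed in-memory user table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def is_valid_username(raw):
    """Filter input (slide 4): accept only values on the allowlist."""
    return USERNAME_RE.fullmatch(raw) is not None


def find_user_unsafe(conn, name):
    """The vulnerable form: untrusted text is spliced into the SQL statement,
    so a quote character in the input changes what the statement means."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """The countermeasure: a bound parameter is always treated as data and is
    never parsed as part of the query grammar."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_profile(name, email):
    """Escape output (slide 4): encode for the HTML context so stored data
    cannot be interpreted as markup or script when it is displayed."""
    return (
        f"<p>User: {html.escape(name, quote=True)}</p>"
        f"<p>Mail: {html.escape(email, quote=True)}</p>"
    )


def lookup(conn, raw_name):
    """Apply the three steps in order: filter, query with parameters, escape."""
    if not is_valid_username(raw_name):
        return None
    rows = find_user_safe(conn, raw_name)
    if not rows:
        return None
    return render_profile(*rows[0])


if __name__ == "__main__":
    db = make_demo_db()
    # Constructed probe: a stray quote followed by an always-true clause.
    probe = "x' OR '1'='1"
    print(find_user_unsafe(db, probe))  # both rows: the WHERE clause was rewritten
    print(find_user_safe(db, probe))    # []: the whole string is compared as one name
    print(lookup(db, "alice"))
```

Note that the allowlist check alone would already have rejected the probe; the parameterized query is what protects the lookup when a field legitimately has to accept quotes or other SQL metacharacters, and the output encoding is what protects the page when a stored value later reaches a browser.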
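Slide 13 answers password cracking with lockout policies and auditing of failed login attempts; the detection logic behind that countermeasure is shown here as an added example (not from the deck). The log line format, the sample lines and the lockout policy of five failures in ten minutes are all constructed for the demonstration; the source addresses are from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example. The line format
# (timestamp, source IP, username, result) is hypothetical, not from the deck.
SAMPLE_LOG = """\
2024-01-15T10:00:01 203.0.113.7 alice FAIL
2024-01-15T10:00:03 203.0.113.7 alice FAIL
2024-01-15T10:00:04 203.0.113.7 alice FAIL
2024-01-15T10:00:06 203.0.113.7 alice FAIL
2024-01-15T10:00:07 203.0.113.7 alice FAIL
2024-01-15T10:00:09 198.51.100.2 bob OK
2024-01-15T10:20:00 203.0.113.7 alice FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Lockout policy (constructed values): 5 failures within 10 minutes.
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, result) tuples; skip lines
    that do not match the expected format."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        stamp, ip, user, result = match.groups()
        events.append((datetime.fromisoformat(stamp), ip, user, result))
    return events


def find_lockouts(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sliding-window count of failures per (ip, user). When the count reaches
    the threshold inside the window, record a lockout and restart the count.
    A successful login clears the counter for that key."""
    recent = defaultdict(list)
    lockouts = []
    for stamp, ip, user, result in sorted(events):
        key = (ip, user)
        if result == "OK":
            recent[key].clear()
            continue
        # Drop failures that have aged out of the window, then add this one.
        recent[key] = [t for t in recent[key] if stamp - t <= window]
        recent[key].append(stamp)
        if len(recent[key]) >= threshold:
            lockouts.append((key, stamp))
            recent[key].clear()
    return lockouts


if __name__ == "__main__":
    for (ip, user), when in find_lockouts(parse_log(SAMPLE_LOG)):
        print(f"lockout {user} from {ip} at {when.isoformat()}")
```

Keying on the (source, username) pair rather than the username alone keeps one noisy source from locking a legitimate user out everywhere; a production policy would usually also track per-user totals across sources for distributed guessing.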
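Slide 9 counters tampering with data hashing and signatures, and slide 15 lists HMACs and an expiration period for the session cookie and HMACs for query-string parameters. The following added example (not from the deck) shows one way those fit together: an HMAC-SHA256 over a payload that carries the user id and an absolute expiry, verified in constant time. The key, the token layout and the function names are constructed for the demonstration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed server-side key for this example only; a deployment would load
# it from a secret store rather than embed it in source.
SERVER_KEY = b"example-only-key-not-for-production"


def _b64(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, ttl_seconds, now=None):
    """Build payload.signature: the payload carries the user id and an absolute
    expiry, the signature is HMAC-SHA256 over the exact payload bytes."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"uid": user_id, "exp": int(now) + ttl_seconds}, separators=(",", ":")
    ).encode("utf-8")
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the user id if the MAC matches and the token is unexpired, else
    None. Any change to the payload invalidates the MAC; compare_digest keeps
    the comparison time independent of how many bytes happened to match."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    if data["exp"] <= now:
        return None
    return data["uid"]


def altered_payload(user_id, exp):
    """Encode a payload without a matching MAC; used only to exercise the
    rejection path of verify_token."""
    return _b64(json.dumps({"uid": user_id, "exp": exp}, separators=(",", ":")).encode("utf-8"))


if __name__ == "__main__":
    t0 = 1_700_000_000
    token = issue_token("alice", 3600, now=t0)
    print(verify_token(token, now=t0 + 10))     # alice
    print(verify_token(token, now=t0 + 3601))   # None: expired
    sig = token.split(".")[1]
    print(verify_token(altered_payload("admin", t0 + 3600) + "." + sig, now=t0 + 10))  # None
```

The same construction protects a query-string parameter: sign the parameter bytes, send the MAC alongside them, and treat any mismatch on the way back in as a tampered request. The expiry is checked only after the MAC, so an unauthenticated token never influences any other decision.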