Introduction to the basics of Web Application Security and Security testing.
Presentation delivered by Emstell Director Ayoob at the Info Sec Conference Kuwait
Web application security - Emstell Technology Consulting
1. Ayoob Kalathingal - PMP
Director - Emstell Technology Consulting
Ayoob.ok@emstell.com
Kuwait, India, United Kingdom, Saudi Arabia
2. Understand the need for securing the application layer of web-based applications.
Understand the various web application vulnerabilities, their impact and the countermeasures.
Understand security testing.
www.emstell.com
3. Web applications have evolved from static pages to a far more interactive set-up. This interaction has started exposing the technical deficiencies of web applications in the form of vulnerabilities.
Dependency on the internet to carry out critical and sensitive business transactions has increased, so the stakes involved are very high.
“Over 50% of security attacks are targeted on web based applications” - Gartner Report
Competition is so high that enterprises can't ignore the risk associated with their vulnerable applications. The loss incurred could vary from monetary loss to loss of credibility. In certain cases it could mean the end of the business.
4. Many countries have come up with strict rules and regulations on the information security of businesses:
IT Act (2000) and IT Rules 2011 – India
PIPEDA – Canada (Personal Information Protection and Electronic Documents Act)
U.S. information security law, for example:
HIPAA – 1996 – Health Insurance Portability and Accountability Act
Business customers are increasingly aware of systems security and are demanding security and quality certifications for the systems they buy:
ISO 27001
PCI DSS – Payment Card Industry Data Security Standard
5. A large number of applications are reaching the hands of the common man, carrying out transactions with personal and financial data.
More and more applications are moving to the cloud, where the data of multiple users or enterprises is stored on a single server or in a single data center.
“Application security is no longer a luxury, it's business”
6. Confidentiality – ensuring that information is accessible only to those authorized to access it.
Integrity – safeguarding the accuracy and completeness of information and of the methods that process it.
Availability – ensuring that authorized users have access to information and associated assets when required.
Accountability – ensuring that authorized users use information in appropriate ways and that their actions can be traced back to them.
8. SQL query built by string concatenation (the ASP/VBScript pattern shown in the deck):
SELECT user FROM Users
WHERE
Username = '"& strname &"' AND Password = '"& strPassword &"'
Query with valid input (username avis, password avis):
SELECT user FROM Users
WHERE
Username = 'avis' AND Password = 'avis'
9. Query with tampered input (username avis';-- and any password):
SELECT user FROM Users
WHERE
Username = 'avis';--' AND Password = '"& strPassword &"'
The quote in the input closes the string literal and -- starts a SQL comment, so the rest of the WHERE clause, including the password check, is never evaluated: the query returns the user avis without a valid password.
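The two queries above, run end to end, as an added example in Python that is not part of the original deck. The in-memory SQLite table, its two rows and the second user are constructed for illustration; the vulnerable function transcribes the deck's concatenation pattern, and the parameterized function is the countermeasure. Passwords are stored in clear only so that the query matches the slide; a real system compares against a password hash.

```python
import sqlite3
from typing import Optional

# Constructed sample data: an in-memory stand-in for the deck's Users table.
SAMPLE_USERS = [
    ("Avis", "avis", "avis"),
    ("Admin", "admin", "S3cret!"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def build_query_by_concatenation(username: str, password: str) -> str:
    """The slide's ASP pattern: untrusted input is glued into the SQL text."""
    return ("SELECT user FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """Runs the concatenated query. A username of  avis';--  closes the string
    literal and comments out the password clause, so it never executes."""
    row = conn.execute(build_query_by_concatenation(username, password)).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password: str) -> Optional[str]:
    """Countermeasure: bound parameters. SQL text and data travel separately,
    so quotes and comment markers inside the input remain plain data."""
    row = conn.execute(
        "SELECT user FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_query_by_concatenation("avis';--", "anything"))
    print("vulnerable   :", login_vulnerable(db, "avis';--", "anything"))     # Avis
    print("parameterized:", login_parameterized(db, "avis';--", "anything"))  # None
    # The classic tautology payload logs in as whichever user the engine returns first.
    print("tautology    :", login_vulnerable(db, "x' OR '1'='1", "x' OR '1'='1"))  # Avis
```

The parameterized version also returns Avis for the genuine credentials, so the fix costs nothing functionally; the only behaviour removed is the one the attacker relied on.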
10. Web application vulnerability classes:
Authentication
◦ Brute Force
◦ Insufficient Authentication
◦ Weak Password Recovery Policy
Authorization
◦ Credential/Session Prediction
◦ Insufficient Authorization
◦ Insufficient Session Expiration
◦ Session Fixation
Client-Side Attacks
◦ Content Spoofing
◦ Cross Site Scripting
Command Execution
◦ Buffer Overflow
◦ Format String Attack
◦ LDAP Injection
◦ OS Commanding
◦ SQL Injection
◦ SSI Injection
◦ XPath Injection
Information Disclosure
◦ Directory Indexing
◦ Information Leakage
◦ Path Traversal
◦ Predictable Resource Location
Logical Attacks
◦ Abuse of Functionality
◦ Denial of Service
◦ Insufficient Anti-Automation
◦ Insufficient Process Validation
11. Impact of SQL injection:
Non-availability (by bringing the database down)
Breach of confidentiality (by viewing other users' records)
Breach of integrity (by updating other users' records)
Impersonation (by logging into accounts without a valid password)
+ the resulting business impacts
12. Countermeasures:
Strong and secure systems, firewalls and antivirus
Proper input validation
Following standard coding practices
Having a strong password policy in place
Using strong session ID generation algorithms
Disabling scripting in the web browser and disabling input echoing
Granting only the necessary privileges to the accounts used to connect to the database
Implementing and configuring proper access control mechanisms on the web server
Application security testing and fixing the vulnerabilities found
Educating the users
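The "strong session ID generation" countermeasure, placed beside the weak generation it replaces (the Credential/Session Prediction class from the vulnerability list), as an added Python example that is not part of the deck. The clock-plus-counter generator, the fixed clock value 1700000000 and the 256-bit size are constructed for illustration; `secrets.token_urlsafe` is the standard-library CSPRNG interface.

```python
import secrets
from typing import Callable


class WeakSessionIds:
    """Constructed example of a predictable generator: clock + counter.
    `clock` is injected so the demonstration is deterministic."""

    def __init__(self, clock: Callable[[], int]) -> None:
        self._clock = clock
        self._counter = 0

    def new_id(self) -> str:
        self._counter += 1
        return f"{self._clock()}-{self._counter:06d}"


def predict_next_weak(observed: str) -> str:
    """What Credential/Session Prediction exploits: one observed weak ID is
    enough to derive the next one and hijack whoever logs in after you."""
    stamp, counter = observed.split("-")
    return f"{stamp}-{int(counter) + 1:06d}"


SESSION_ID_BYTES = 32  # 256 random bits; well above the ~128 usually considered adequate


def new_session_id() -> str:
    """Strong session ID: unpredictable bytes from the OS CSPRNG, URL-safe encoded.
    The encoding adds length but no entropy; the bytes are the secret."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def session_id_entropy_bits() -> int:
    return SESSION_ID_BYTES * 8


def guess_probability(active_sessions: int) -> float:
    """Chance that a single random guess hits any one of the active sessions:
    active_sessions / 2**bits. Shows why size matters more than format."""
    return active_sessions / 2 ** session_id_entropy_bits()


if __name__ == "__main__":
    weak = WeakSessionIds(clock=lambda: 1700000000)
    seen = weak.new_id()
    print("weak ID seen     :", seen)
    print("attacker predicts:", predict_next_weak(seen))
    print("next weak ID     :", weak.new_id())          # identical to the prediction
    print("strong ID        :", new_session_id())
    print("entropy bits     :", session_id_entropy_bits())   # 256
    print("guess probability with 1e6 sessions:", guess_probability(1_000_000))
```

A CSPRNG-backed ID is only half of the control: the ID must also be issued fresh after login (against session fixation) and expire (against insufficient session expiration), both of which appear in the vulnerability list above.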
13. “Though the significant attacks over time were of a zero-day nature, these form a much smaller share of the total attacks”
Test based on the target users
Vulnerability assessments
Penetration testing
Manual – a team of security experts manually probe the application for common flaws.
Automated – a tool is used to test the application for flaws.
False positives – findings reported by a tool (or a tester) that are not real flaws; automated results in particular must be verified before they are reported.
14. “The cost of quality is higher in the later stages of an application”
Application security should be part of application development and should be incorporated into the SDLC process.
Integrate security into the build.
Educate the users, using the best media and creative formats.
16. Emstell Technology Consulting is a technology firm offering enterprise-level software quality assurance and testing services, and ERP solutions in the education sector.
Our media team delivers creative animated videos for educating users on company policies and for explaining and promoting the business.
We deliver ERP solutions in
◦ Web-enabled school management
◦ Library management
◦ Business accounting and inventory
17. Ayoob Kalathingal - PMP
Director - Emstell Technology Consulting
Ayoob.ok@emstell.com
Kuwait, India, United Kingdom, Saudi Arabia