Web Security


  1. Web Security
     Gerald Z. Villorente, Lorma Colleges, San Fernando, La Union
  2. if [ "$SLIDE" = "intro" ]; then echo "I'm Gerald Z. Villorente"; fi
     ● Senior Web Developer, Kite Systems Ltd., Hong Kong / Philippines
     ● Drupal Developer, Cable Network News (CNN) Travel, Hong Kong / Atlanta, USA
     ● System Administrator, InternetJail, Oregon, USA
     ● Drupal Phil. Users Group (DPUG) member
     ● Freelancer
  3. Agenda
     ● Security levels
     ● Aspects of Data Security
     ● Most common Web application threats and countermeasures
     ● Principles of Secure Development
     ● Best Practices
     ● Tools
  4. What is a Web Application?
     • Any application that is commonly served via the HTTP or HTTPS protocol
     • Usually running on port 80 or port 443
     • Served from a remote computer acting as host/server
  7. What is Web Security?
     • A.k.a. “Cyber Security”: involves protecting all information by preventing, detecting, and responding to attacks
     • Is a state of being free from damage and compromise
     • Is a condition of being protected against danger or loss
  10. Security Levels
     • Server level
     • Network level
     • Application level
     • User level
  14. Security Levels
     • Server level
       - Ensure you have installed the latest operating system security patches.
       - Keep your web server software up-to-date.
       - Limit access from the Internet to your servers. Use firewall software to block access to any port but the following:
         * 80
         * 443 (SSL, only if your application uses it)
         * 22 (SSH, SCP)
         * 21 (not recommended)
     • Network level
     • Application level
     • User level
  15. Security Levels
     • Server level
     • Network level
       - Place servers that your users do not directly interact with (e.g., a back-end database server) in a private network that is inaccessible from the Internet. If that is not possible, then use firewall software to block access from any computer other than your web server.
     • Application level
     • User level
  16. Security Levels
     • Server level
     • Network level
     • Application level
       - Never store passwords in clear text. Instead, use a hashing algorithm such as MD5 or SHA-256 to create a signature of the user's password for storage.
       - Generate a unique signature for the user based on the login and password and store that in the cookie.
       - Carefully check any parameters you pass to SQL statements in your application. Validate all user inputs.
       - Purge unused/unnecessary user data from your system regularly.
     • User level
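An added example (not from the slides) of the "never store passwords in clear text" point. It swaps the unsalted MD5/SHA-256 named on the slide for PHP's built-in password_hash(), which salts every password and uses a deliberately slow algorithm; the function names are this example's own.

```php
<?php
// Added example: storing and checking a password without keeping it in clear text.
// password_hash() (PHP 5.5+) salts each password and uses bcrypt, a slow hash, so a
// leaked table cannot be cracked in bulk the way a plain MD5/SHA-256 column can.
declare(strict_types=1);

// Returns the string to store in the database in place of the password.
function storePassword(string $plain): string
{
    // The result embeds algorithm, cost and salt, so nothing else needs to be stored.
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Checks a login attempt against the stored string. password_verify() reads the
// salt and cost back out of the stored value and compares in constant time.
function checkPassword(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// After a successful login, detect stored hashes made with a weaker cost than the
// current policy so they can be re-hashed with the password that was just verified.
function needsUpgrade(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constructed walk-through: the same password stored twice yields two different
// strings because each gets a fresh random salt, yet both verify correctly.
$first  = storePassword('correct horse battery staple');
$second = storePassword('correct horse battery staple');
var_dump($first !== $second);
var_dump(checkPassword('correct horse battery staple', $first));
var_dump(checkPassword('wrong password', $first));
var_dump(needsUpgrade($first));
```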
  17. Security Levels
     • Server level
     • Network level
     • Application level
     • User level
       - Protecting yourself starts with recognizing the risks and becoming familiar with some of the terminology associated with them.
       - Keep your personal information private.
       - Use complex passwords.
       - Keep your computer free of viruses, worms, keyloggers, trojans, malware, etc.
  18. Aspects of Data Security
     • Privacy - keeping your information private
     • Integrity - knowing that the information has not been changed
     • Authenticity - knowing who sent the information
  22. Most Common Security Threats
     1. Cross-site scripting (XSS)
     2. SQL injection
     3. Improper error handling
     4. Parameter Tampering
     5. Application denial-of-service (DDoS)
     6. Remote File Inclusion
     7. Form Spoofing
     Source: OWASP
  30. Most Common Security Threats: Cross Site Scripting
     - Injecting JavaScript or other scripts that will run on behalf of another user. This code usually steals the cookies (authentication credentials) of the person who “sees” the infected web page.
     Ex: <script>alert("This site has been hacked!");</script>
     Preventions:
     1. Filter all foreign data - $filter_user_input = htmlentities($_POST['userinput'], ENT_QUOTES, 'UTF-8');
     2. Always assume data to be invalid until it is proved valid.
     3. Use BBCode – [b]bold[/b] vs <b>bold</b>
     XSS Cheat Sheet
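An added example (not from the slides) that carries the htmlentities() prevention above through to a complete render step: untrusted fields are encoded for the context they land in, and a link target is validated rather than encoded, since HTML encoding does nothing against a script-scheme URL. Function names are this example's own.

```php
<?php
// Added example: context-aware output encoding of untrusted input before it is
// written into an HTML page.
declare(strict_types=1);

// Encode for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes the single quote; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string (which would silently drop the field).
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A link target is a different context: "javascript:" is inert as text but
// executes as an href, whatever encoding is applied. Only absolute http(s)
// URLs are accepted; anything else becomes a dead link.
function safeHref(string $untrusted): string
{
    $url = filter_var($untrusted, FILTER_VALIDATE_URL);
    $scheme = $url === false ? null : parse_url($url, PHP_URL_SCHEME);
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return '#';
    }
    return e($url);
}

// Renders one comment from user-submitted fields; each field is encoded or
// validated for the exact place it is inserted.
function renderComment(string $name, string $website, string $body): string
{
    return '<p><a href="' . safeHref($website) . '">' . e($name) . '</a>: '
        . e($body) . '</p>';
}

// Constructed sample input: the slide's payload as the comment body, a name
// containing both quote characters, and a script-scheme website URL.
echo renderComment(
    'O\'Brien "Eve"',
    'javascript:alert(1)',
    '<script>alert("This site has been hacked!");</script>'
), PHP_EOL;
```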
  31. Most Common Security Threats: SQL Injection
     - an attack where an attacker is able to execute arbitrary SQL code against the database
     Ex:
     // legit
     $sort = 'ASC';
     // malicious injection
     $sort = '; TRUNCATE USERS;';
     // actual query
     $query = "SELECT * FROM users ORDER BY membership_date $sort";
     // output query
     SELECT * FROM users ORDER BY membership_date ; TRUNCATE USERS;
  32. Most Common Security Threats: SQL Injection (cont.)
     Possible damage:
     1. Corrupt data by executing TRUNCATE
     2. Alter current data (e.g. change the admin password)
     Vectors:
     1. Dynamic queries getting values from unsanitized user-submitted data
     Prevention (MySQL):
     1. Enclose user-submitted values with mysql_real_escape_string()
     2. Harden the environment by reducing SQL account permissions, removing unneeded system stored procedures, and auditing password strength
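An added example (not from the slides) of the ORDER BY case from the previous slide, built without concatenating user input into SQL. The escaping prevention listed above would not have stopped that payload, because the sort direction is an unquoted keyword with nothing to escape; it needs an allow-list, while real values go through bound parameters (the mysql_* functions were removed in PHP 7, so PDO is used here). The example assumes the PDO SQLite extension so it runs offline; function names are its own.

```php
<?php
// Added example: the ORDER BY direction handled by allow-list, values by bound parameters.
declare(strict_types=1);

// The sort direction is an SQL keyword, not a quoted value: it cannot be bound as a
// parameter, and an escaping function has no quotes to escape, so "; TRUNCATE USERS;"
// would pass straight through. Map the input to fixed SQL text instead.
function sortDirectionSql(string $userSort): string
{
    $allowed = ['asc' => 'ASC', 'desc' => 'DESC'];
    return $allowed[strtolower($userSort)] ?? 'ASC';   // unknown input falls back to the default
}

// Actual values are sent as bound parameters: the driver transmits them separately
// from the SQL text, so their content is compared, never parsed as SQL.
function listMembersSince(PDO $db, string $userSort, string $sinceDate): array
{
    $sql = 'SELECT name FROM users WHERE membership_date >= :since ORDER BY membership_date '
        . sortDirectionSql($userSort);
    $stmt = $db->prepare($sql);
    $stmt->execute([':since' => $sinceDate]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed data set in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, membership_date TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', '2011-01-05'), ('bob', '2012-03-09'), ('carol', '2010-07-21')");

// A legitimate request, then the slide's injection attempt in both parameters.
print_r(listMembersSince($db, 'desc', '2011-01-01'));
print_r(listMembersSince($db, '; TRUNCATE USERS;', "2011-01-01' OR '1'='1"));
// The injected direction was replaced by the default and the injected date was
// compared as a plain string, so the users table still holds every row.
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```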
  33. Most Common Security Threats: Improper Error Handling
     - errors are not properly handled by system code
  34. Most Common Security Threats: Parameter Tampering
     - based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.
     Ex: http://www.attackbank.com/savepage.asp?nr=147&status=read
     Attack: http://www.attackbank.com/savepage.asp?nr=147&status=del
  35. Most Common Security Threats: Denial-of-Service
     - an attack to make a computer's resources unavailable to its intended users
     Resources:
     1. Bandwidth
     2. CPU
     Preventions:
     1. Firewall
     2. Routers & switches
     3. Intrusion Prevention Systems (IPS)
     4. DoS Defense System (DDS)
  36. Most Common Security Threats: Remote File Inclusion
     - an attack where the attacker executes a script of their choosing against the target web application
     Possible damage:
     1. Expose / modify variable values of the script doing the include
     2. Expose stored credentials (e.g. username/password from a web app configuration file)
     Vector: a user-controllable value of a variable passed to include() or require()
  37. Most Common Security Threats: Remote File Inclusion
     Preventions (PHP):
     1. Disable register_globals
     2. Disable allow_url_fopen
     3. Disable allow_url_include
     4. Do not include from a dynamic variable with a user-controllable value
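An added example (not from the slides) of prevention 4 above: the include() vector from the previous slide shown beside an allow-listed version in which user input only selects a key and never becomes part of a path. It assumes a pages/ directory next to the script and uses its own function names.

```php
<?php
// Added example: the user-controlled include beside its allow-listed replacement.
declare(strict_types=1);

// VULNERABLE: the include path is built from a request value. With allow_url_include
// on, this can load a remote script; even with it off, any readable local file the
// web server can reach may be included.
function renderPageUnsafe(string $page): void
{
    include $page . '.php';
}

// SAFE: the request value is only a lookup key; the filesystem path comes from a
// fixed map, so there is no path for the client to shape.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the real file for a key, or null for anything not on the list.
function resolvePage(?string $page): ?string
{
    return PAGES[$page ?? 'home'] ?? null;
}

function renderPage(?string $page): void
{
    $file = resolvePage($page);
    if ($file === null) {
        http_response_code(404);   // unknown keys are rejected, not included
        echo 'Not found';
        return;
    }
    include $file;
}

// Constructed requests: a valid key, a relative path, and a remote URL.
// Only the valid key resolves to a file; the other two map to null.
foreach (['about', '../config', 'http://attacker.example/remote'] as $input) {
    var_dump(resolvePage($input));
}
```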
  38. Most Common Security Threats: Form Spoofing
     - an attack where an HTML form is mimicked or copied and then submitted from a location different from the original
     Possible damage:
     1. Bypass client-side validation
     2. Mass data insertion resulting in a flood (e.g. guestbook, forum, etc.)
  39. Most Common Security Threats: Form Spoofing
     Vectors:
     1. No form tokens present, thus every request sent to the accepting script is considered valid
     Preventions:
     1. Tokenize the form
     2. (Optional) Check the referrer
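An added example (not from the slides) of both preventions above: issuing a form token when the form is rendered, checking it in the accepting script, and the optional referrer check as a secondary signal. It uses PHP sessions and its own function names; a single per-session token is assumed, which is the simplest form of the technique.

```php
<?php
// Added example: form token round trip plus the optional referrer check.
declare(strict_types=1);

// Called when rendering the form: creates a random per-session token (or reuses
// the current one) and returns the hidden field to embed in the form.
function formTokenField(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return '<input type="hidden" name="form_token" value="'
        . htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') . '">';
}

// Called by the accepting script before it touches the submitted data. A copied
// form submitted from elsewhere has no way to learn the session's token, so its
// request fails here; hash_equals() compares without timing differences.
function formTokenValid(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? '';
    $given = $post['form_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// The optional referrer check: only an extra signal, since browsers and proxies
// may omit or strip the header, so it is never the sole decision.
function refererMatches(string $expectedHost): bool
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    return $ref !== '' && parse_url($ref, PHP_URL_HOST) === $expectedHost;
}

// Constructed walk-through with a plain session array (no cookies needed on the CLI).
$_SESSION = [];
$field = formTokenField();                                         // rendered into the real form
preg_match('/value="([0-9a-f]+)"/', $field, $m);
var_dump(formTokenValid(['form_token' => $m[1]]));                 // genuine submission: true
var_dump(formTokenValid(['form_token' => 'guessed-or-copied']));   // spoofed form: false
var_dump(formTokenValid([]));                                      // token omitted: false
```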
  40. The Principles of Secure Development
     1. Input Validation
     2. Output Validation
     3. Error Handling
     4. Authentication and Authorisation
     5. Session Management
     6. Secure Communications
     7. Secure Storage
     8. Secure Resource Access
  41. Know your tools
     ● Each language is different and has different strengths and weaknesses
       * PHP
       * Python
       * .NET
       * ASP
       * Ruby
       * Scala
       * Java
  42. Best Practices
     1. Never ever use a WAMP or XAMPP stack in production
     2. Avoid spaghetti code
     3. Don't re-invent the wheel
     4. Naming conventions
     5. Use case-sensitive
     6. Secure the filesystem
  43. if [ "$SLIDE" = "end" ]; then
        echo -n "Any question? [Y/n]"
        read QTN
        if [ "$QTN" = "N" -o "$QTN" = "n" ]; then
          echo "Thank You!"
          exit 1
        elif [ "$QTN" = "Y" -o "$QTN" = "y" ]; then
          echo "Ok I'll try to answer them."
        else
          echo "Email me if you have. Thanks"
        fi
      fi
