Web Application Security


Published on

null Dharmashala Chapter - April 2014 Meet

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Web Application Security

  1. 1. Web Application Security Prabhu Shiv Singh
  2. 2. Alphabets - APSTNDP
  3. 3. Coming for ya !...vulnerabilities and attacks • Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create. • SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
  4. 4. Heartbleed….not heartache ! • Heartbleed is a security bug in the open- source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. • Check here: http://filippo.io/Heartbleed • To make sure if the problem actually exists: Run cmd $ openssl version -a • "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1" • 2. Not sure what version of OS you are on, and whether patch exists, but you can build openssl: https://www.openssl.org/source/openssl- 1.0.1g.tar.gz
  5. 5. CAPTCHA my comments… else… (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge- response test used in computing to determine whether or not the user is human.
  6. 6. Gotcha…now what ? Top Reasons for web-application level attacks: • Low Quality application code – not following security standards • File Permissions incorrectly set – securest – 655 • DB Admin, Cpanel, FTP passwords are weak Regular DB – Files backup policy should be in place from the start • http://httpd.apache.org/docs/2.4/misc/security_tip s.html - var/log/apache2/error.log Google can detect and inform you of malicious scripts in a website – Google Attack Page • Hacked Account: What to Look For: • http://support.hostgator.com/articles/pre-sales- policies/security-abuse/what-security-measures- are-used-to-protect-my-server • Things to look for include: • Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo) • PHP files located in image folders
  7. 7. Lets Play….and Learn - OWASP • The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. • OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
  8. 8. Thank You for your time – prabhu9484@gmail.com Sources – Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org