Teammeeting Application Security
October 2016
Michael Schläpfer
Web App Security Architectures
Cracow, October 2017
Michael Schläpfer
The Need for a Web Application Security Architecture
Slide 2
(Diagram: users working at the office, at home and en route.)
Apps are usually embedded into a larger system
Slide 3
(Diagram of the surrounding system, reconstructed from the slide labels:)
Users: Employees, Field Worker, Externals, Specialists, Guests
Devices: Workstation, Notebook, Mobile, Tablet
Entry Points
Services / Applications: Email, Time Schedule, Intranet
Threat Agents
Web Application Security Architecture Components
Slide 4
(Component diagram, reconstructed from the slide labels:)
Networks: Internet, Intranet, Internal Network, Cloud Services
Users: Employees (Internal); Employees / Customers / Partners (External)
Applications: Web Applications (two groups on the diagram)
Security components: WAF, Auth, IdP, IdM Solution, Central Identity Store, 2FA Provider, Service Provider
United Security Providers’ Products and Services
Firewall, Wide Area Network, Remote Access, Mail Gateway, Network Access, Web Proxy, Web Application Firewall, Web Authentication
600 worldwide customer locations
850’000 end users
7x24h security operations
www.bluesec.pl
BLUEsec is a team of professionals working in the field of information security. Our goal is to provide the highest possible level of cybernetic security for organization assets. We provide a wide range of high-quality services and products to build a security model adequate to the organization's needs. Our values are knowledge, responsibility and trust. We always seek to be the best.
We perform projects in the areas of critical infrastructure and in the field of systems and special-purpose infrastructure. We have worked for organizations from the energy, finance, public administration, government, health and construction sectors.
We are a part of BLUE energy, a Polish consulting company operating in the fields of management, organization, security, strategy and development. The mission of BLUE energy is to develop Polish entrepreneurship by providing efficient and innovative business, organizational and IT solutions and by improving the efficiency of communication between business and the public sector.
BLUE energy – Polish consulting company | BLUEsec – cybernetic security
SELECTED PROJECTS IN THE AREA OF IT SECURITY
Web Application Security Architecture Components
Slide 9
(Same component diagram as on slide 4.)
Goals
1. You know what a (typical) Web Application Security Architecture looks like and what components it (usually) consists of.
2. You know how to integrate your applications into such an environment.
Agenda
1. Web Application Security Architecture Components
2. Integration Tips & Tricks
A Practical Example of a Web Application Security Architecture
Slide 12
(Architecture diagram, reconstructed from the slide labels; the grouping follows the components highlighted on slides 13 to 20.)
Network zones: Internet; DMZ (Dual-Homed) Server Zone; Client Zone; USP
Addresses: Public IP / Port-Forwarding (80/443); DMZ IP (shared); Internal IP 1; Internal IP 2
Web applications and services: OWA; Portal App
Web Application Firewall: AccessWAF (active / passive); DNS: portal.customer.com => WAF’s Public IP (from the Internet), portal.customer.com => WAF’s DMZ IP (from inside)
Users and devices: Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet
User identities: AD (LDAPS)
Authentication systems (SSO): SMS-Provider / YubiCloud / … (second factor)
Identity federation (CDSSO): SaaS App 1, SaaS App 2 (SAML SPs); SAML IdP; Federate
Managed services and SOC: USP; Mgmt-Access; Managed VPN Remote Access; SOC
A Practical Example – Network Firewalls / Network Zones
Slide 13
(Same architecture diagram as on slide 12, here focusing on the network firewalls and network zones.)
A Practical Example – Web Applications and Services
Slide 14
(Same architecture diagram as on slide 12, here focusing on the web applications and services: OWA, Portal App, AD (LDAPS).)
A Practical Example – Web Application Firewall
Slide 15
(Same architecture diagram as on slide 12, here focusing on the Web Application Firewall.)
A Practical Example – Users and Devices
Slide 16
(Same architecture diagram as on slide 12, here focusing on users and devices: Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet.)
A Practical Example – User Identities
Slide 17
(Same architecture diagram as on slide 12, here focusing on the user identities: AD (LDAPS).)
A Practical Example – Authentication Systems (SSO)
Slide 18
(Same architecture diagram as on slide 12, here focusing on the authentication systems: SMS-Provider / YubiCloud / … and AD (LDAPS).)
A Practical Example – Identity Federation Components (CDSSO)
Slide 19
(Same architecture diagram as on slide 12, here focusing on the federation components: SaaS App 1, SaaS App 2 (SAML SPs), SAML IdP, AD (LDAPS).)
A Practical Example – Managed Services and SOC
Slide 20
(Same architecture diagram as on slide 12, here focusing on the managed services: USP, Mgmt-Access, SOC.)
A Practical Example of a Web Application Security Architecture
Slide 21
(The complete architecture diagram from slide 12 again.)
Agenda
1. Web Application Security Architecture Components
2. Integration Tips & Tricks
Secure Gateway in the Middle
Slide 23
(Diagram: the Secure Entry Server sits between the browser and the Application. The four HTTP messages on the slide, in order:)

Browser -> Secure Entry Server:
POST /web/a/start?action=login HTTP/1.1
Host: www.u-s-p.ch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept-Language: en-US,en;q=0.5
Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8...
Connection: keep-alive
EvilHeader: <script>attack</script>
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

userid=user&password=pass&evilparam=evilvalue

Secure Entry Server -> Browser:
HTTP/1.1 200 OK
Date: Fri, 13 Mar 2015 14:53:54 GMT
Server: Secure Entry Server
Cache-Control: no-cache,no-store,max-age=0
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=10, max=300
Connection: Keep-Alive

<html>
<head></head>
<body>…
<a href=https://www.u-s-p.ch/test>Click me</a>
…</body>
</html>

Secure Entry Server -> Application:
POST /web/a/start?action=login HTTP/1.1
Host: internal.host.ch
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: Username=user
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

userid=user&password=pass

Application -> Secure Entry Server:
HTTP/1.1 200 OK
Date: Fri, 13 Mar 2015 14:53:54 GMT
Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
Cache-Control: no-cache,no-store,max-age=0
Content-Type: text/html;charset=UTF-8
Keep-Alive: timeout=10, max=300
Connection: Keep-Alive

<html>
<head></head>
<body>…
<a href=http://internal.host.ch/test>Click me</a>
…</body>
</html>

Integration tips:
1. Follow standard HTTP specs (RFC)
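The exchange above, modelled as an added example (not code from the slides or from the Secure Entry Server product): the gateway forwards only known headers and login fields, swaps its session cookie SCDID_S for the Cookie: Username=... the application sees on the slide, hides the application's Server banner and rewrites the absolute internal link to the public origin. Host and cookie names come from the slide; the header and parameter whitelists and the session table are constructed.

```python
"""Toy model of the "secure gateway in the middle" exchange from slide 23.

Inbound, the gateway forwards only known request headers and login fields and
replaces its own session cookie (SCDID_S) by the identity the application
expects (Cookie: Username=...), as in the slide. Outbound, it hides the
application's Server banner and rewrites absolute internal links to the
public origin. Host names and cookie names come from the slide; the
whitelists and the session table are constructed for this example.
"""
from urllib.parse import parse_qsl, urlencode

PUBLIC_ORIGIN = "https://www.u-s-p.ch"
INTERNAL_ORIGIN = "http://internal.host.ch"
SESSION_COOKIE = "SCDID_S"

# Request headers forwarded to the application; anything else (EvilHeader) is dropped.
ALLOWED_REQUEST_HEADERS = {"User-Agent", "Accept", "Accept-Language",
                           "Connection", "Content-Type", "Content-Length"}
# Form fields the login action accepts; evilparam is dropped.
ALLOWED_LOGIN_PARAMS = {"userid", "password"}
# Constructed session store: gateway session id -> authenticated user.
SESSIONS = {"2YNIgcWege5AjuNFo3jXf7W8...": "user"}

# The browser request from slide 23, re-typed as a string (Content-Length corrected).
BROWSER_REQUEST = (
    "POST /web/a/start?action=login HTTP/1.1\r\n"
    "Host: www.u-s-p.ch\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8...\r\n"
    "Connection: keep-alive\r\n"
    "EvilHeader: <script>attack</script>\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "userid=user&password=pass&evilparam=evilvalue"
)
# The application's response from slide 23, shortened to the relevant parts.
APP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><body><a href=http://internal.host.ch/test>Click me</a></body></html>"
)


def parse_message(raw):
    """Split an HTTP/1.1 message into (start line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return start, headers, body


def parse_cookies(header_value):
    pairs = (c.strip().partition("=") for c in header_value.split(";") if "=" in c)
    return {name: value for name, _, value in pairs}


def inbound(raw_request):
    """Turn the browser -> gateway request into the gateway -> application request.

    Returns None when the session cookie is unknown: the gateway then answers
    itself (login page) and nothing reaches the application."""
    start, headers, body = parse_message(raw_request)
    user = SESSIONS.get(parse_cookies(headers.get("Cookie", "")).get(SESSION_COOKIE))
    if user is None:
        return None
    fwd = {k: v for k, v in headers.items() if k in ALLOWED_REQUEST_HEADERS}
    fwd["Host"] = INTERNAL_ORIGIN.split("://", 1)[1]
    fwd["Cookie"] = f"Username={user}"   # identity propagation, as on the slide
    kept = [(k, v) for k, v in parse_qsl(body, keep_blank_values=True)
            if k in ALLOWED_LOGIN_PARAMS]
    new_body = urlencode(kept)
    fwd["Content-Length"] = str(len(new_body))   # body changed, so the length must follow
    return start, fwd, new_body


def outbound(raw_response):
    """Turn the application -> gateway response into the gateway -> browser response."""
    start, headers, body = parse_message(raw_response)
    headers["Server"] = "Secure Entry Server"    # hide Apache/PHP/OpenSSL versions
    for name in ("Location", "Content-Location"):
        if name in headers:
            headers[name] = headers[name].replace(INTERNAL_ORIGIN, PUBLIC_ORIGIN)
    return start, headers, body.replace(INTERNAL_ORIGIN, PUBLIC_ORIGIN)


if __name__ == "__main__":
    print(inbound(BROWSER_REQUEST))
    print(outbound(APP_RESPONSE))
```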
Secure Gateway in the Middle
Slide 24
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
1. Follow standard HTTP specs (RFC)
2. Don’t create links or cookies in the browser
Secure Gateway in the Middle
Slide 25
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
1. Follow standard HTTP specs (RFC)
2. Don’t create links or cookies in the browser
3. Ensure ways for identity propagation: e.g., header, NTLM, Kerberos
Secure Gateway in the Middle
Slide 26
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
4. Separate sensitive from public data
Secure Gateway in the Middle
Slide 27
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
4. Separate sensitive from public data
5. Use correct MIME type headers
Secure Gateway in the Middle
Slide 28
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
4. Separate sensitive from public data
5. Use correct MIME type headers
6. Use relative paths
7. Don’t use <base href= …> tags
Secure Gateway in the Middle
Slide 29
(Same browser / Secure Entry Server / Application exchange as on slide 23.)
Integration tips:
8. Return proper HTTP error codes
9. Trigger proper relogin for asynchronous requests
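One way an application behind the gateway can follow tips 3, 5, 8 and 9, as an added example (not code from the slides): the identity arrives as Cookie: Username=... as on slide 23; a constructed shared-secret header X-Gateway-Secret stands in for whatever proves a request really came through the gateway (an assumption; source-IP filtering or mutual TLS would serve the same purpose); asynchronous requests are recognised by X-Requested-With or an Accept header asking for JSON, and get a 401 with a JSON body instead of a redirect to an HTML login page.

```python
"""Application side of the gateway architecture: tips 3, 5, 8 and 9.

The gateway propagates the identity as Cookie: Username=... (slide 23). The
application trusts that cookie only when the request came through the
gateway, modelled here by a constructed shared-secret header (an assumption,
not from the slides). Unauthenticated asynchronous requests get a 401 with a
JSON body, so client-side code can trigger a relogin instead of trying to
parse an HTML login page as data.
"""
import json

GATEWAY_SECRET_HEADER = "X-Gateway-Secret"    # assumed mechanism, not from the slides
GATEWAY_SECRET = "constructed-shared-secret"  # constructed for this example
LOGIN_PATH = "login"                          # relative path (tip 6), resolved by the browser

# Constructed protected resources: path -> record with its owner.
RESOURCES = {"/web/a/profile": {"user": "user", "role": "employee"}}


def parse_cookies(header_value):
    pairs = (c.strip().partition("=") for c in header_value.split(";") if "=" in c)
    return {name: value for name, _, value in pairs}


def is_async(headers):
    """Convention used by many front ends: XHR/fetch calls mark themselves this way."""
    return (headers.get("X-Requested-With") == "XMLHttpRequest"
            or "application/json" in headers.get("Accept", ""))


def identity_from_gateway(headers):
    """Tip 3: accept the propagated identity only when the request passed the gateway."""
    if headers.get(GATEWAY_SECRET_HEADER) != GATEWAY_SECRET:
        return None
    return parse_cookies(headers.get("Cookie", "")).get("Username") or None


def handle(method, path, headers):
    """Return (status code, response headers, body) for a protected resource."""
    user = identity_from_gateway(headers)
    if user is None:
        if is_async(headers):
            # Tip 9: a 401 the calling script can detect and turn into a relogin.
            body = json.dumps({"error": "unauthenticated", "login": LOGIN_PATH})
            return 401, {"Content-Type": "application/json"}, body
        # Browser navigation: send the user to the login page.
        return 302, {"Location": LOGIN_PATH}, ""
    if method != "GET":
        return 405, {"Allow": "GET", "Content-Type": "text/plain"}, "method not allowed"
    resource = RESOURCES.get(path)
    if resource is None:
        # Tip 8: a real 404, not a 200 carrying an error page.
        return 404, {"Content-Type": "text/plain"}, "not found"
    if resource["user"] != user:
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    # Tip 5: declare the MIME type the body actually has.
    return 200, {"Content-Type": "application/json"}, json.dumps(resource)


if __name__ == "__main__":
    via_gateway = {GATEWAY_SECRET_HEADER: GATEWAY_SECRET,
                   "Cookie": "Username=user", "Accept": "application/json"}
    print(handle("GET", "/web/a/profile", via_gateway))
    print(handle("GET", "/web/a/profile", {"Cookie": "Username=user",
                                           "X-Requested-With": "XMLHttpRequest"}))
```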
Happy Coding within a Web Application Security Architecture!
Slide 30
phone: 61/ 643 51 98
ul. Towarowa 35
61-896 Poznań
Michael Schläpfer
Senior Manager Application Security
Dr. sc. ETH Zürich
United Security Providers AG
Förrlibuckstrasse 70
CH-8005 Zürich
Phone: +41 44 496 61 37
Mobile: +41 79 305 57 12
Email: michael.schlaepfer@u-s-p.ch
Web: www.united-security-providers.ch

[OPD 2019] Trusted types and the end of DOM XSS[OPD 2019] Trusted types and the end of DOM XSS
[OPD 2019] Trusted types and the end of DOM XSS
 
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
[Wroclaw #9] To be or Not To Be - Threat Modeling in Security World
 
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure SoftwareOWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
OWASP Poland 13 November 2018 - Martin Knobloch - Building Secure Software
 
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-miningOWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
OWASP Poland Day 2018 - Amir Shladovsky - Crypto-mining
 
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contractsOWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
OWASP Poland Day 2018 - Damian Rusinek - Outsmarting smart contracts
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hackingOWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
OWASP Poland Day 2018 - Dani Ramirez - IPMI hacking
 
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
OWASP Poland Day 2018 - Pedro Fortuna - Are your Java Script based protection...
 

Recently uploaded

一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
c6eb683559b3
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
SS
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
ayvbos
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
A
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
pxcywzqs
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
AS
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
AS
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
AS
 

Recently uploaded (20)

一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
一比一原版(NYU毕业证书)美国纽约大学毕业证学位证书
 
APNIC Updates presented by Paul Wilson at CaribNOG 27
APNIC Updates presented by Paul Wilson at  CaribNOG 27APNIC Updates presented by Paul Wilson at  CaribNOG 27
APNIC Updates presented by Paul Wilson at CaribNOG 27
 
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
20240509 QFM015 Engineering Leadership Reading List April 2024.pdf
 
一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理一比一原版澳大利亚迪肯大学毕业证如何办理
一比一原版澳大利亚迪肯大学毕业证如何办理
 
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptxA LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
A LOOK INTO NETWORK TECHNOLOGIES MAINLY WAN.pptx
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303Loker Pemandu Lagu LC Semarang 085746015303
Loker Pemandu Lagu LC Semarang 085746015303
 
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirtsDown bad crying at the gym t shirts
Down bad crying at the gym t shirtsDown bad crying at the gym t shirts
 
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
一比一原版(USYD毕业证书)悉尼大学毕业证原件一模一样
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 
一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理一比一原版美国北卡罗莱纳大学毕业证如何办理
一比一原版美国北卡罗莱纳大学毕业证如何办理
 
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
一比一原版(Offer)康考迪亚大学毕业证学位证靠谱定制
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
一比一原版(毕业证书)新西兰怀特克利夫艺术设计学院毕业证原件一模一样
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
APNIC Policy Roundup presented by Sunny Chendi at TWNOG 5.0
 
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
一比一原版(Dundee毕业证书)英国爱丁堡龙比亚大学毕业证如何办理
 
Washington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers ShirtWashington Football Commanders Redskins Feathers Shirt
Washington Football Commanders Redskins Feathers Shirt
 
一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理一比一原版英国格林多大学毕业证如何办理
一比一原版英国格林多大学毕业证如何办理
 

[OWASP Poland Day] Web App Security Architectures

  • 1. Web App Security Architectures. Cracow, October 2017. Michael Schläpfer. (Slide master footer: Teammeeting Application Security, October 2016, Michael Schläpfer)
  • 2. Page 2. The Need for a Web Application Security Architecture
  • 3. Page 3. Apps are usually embedded into a larger system. Diagram labels: Users (Employees, Field Worker, Externals, Specialists, Guests); Devices (Workstation, Notebook, Mobile, Tablet); Entry Points (Office, Home, En Route); Services (Email, Time Schedule, Intranet, Applications); Threat Agents.
  • 4. Page 4. Web Application Security Architecture Components. Diagram labels: Internet; Cloud Services; Service Provider; Internal Network; Intranet; Web Applications (two groups); Employees / Customers / Partners (External); Employees (Internal); Central Identity Store; IdM Solution; 2FA Provider; WAF; Auth; IdP.
  • 5. United Security Providers’ Products and Services: Firewall, Wide Area Network, Remote Access, Mail Gateway, Network Access, Web Proxy, Web Application Firewall, Web Authentication. 600 worldwide customer locations, 850’000 end users, 7x24h security operations.
  • 6. www.bluesec.pl BLUEsec is a team of professionals working in the field of information security. Our goal is to provide the highest possible level of cyber security for organization assets. We provide a wide range of high-quality services and products to build a security model adequate to the organization’s needs. Our values are knowledge, responsibility and trust. We always seek to be the best. We perform projects in the areas of critical infrastructure and in the field of systems and special-purpose infrastructure. We have worked for organizations from the energy, finance, public administration, government, health and construction sectors. We are a part of BLUE energy, a Polish consulting company operating in the fields of management, organization, security, strategy and development. The mission of BLUE energy is to develop Polish entrepreneurship by providing efficient and innovative business, organizational and IT solutions and by improving the efficiency of communication between business and the public sector. BLUE energy: Polish consulting company | BLUEsec: cyber security
  • 8. www.bluesec.pl SELECTED PROJECTS IN THE AREA OF IT SECURITY
  • 9. Page 9. Web Application Security Architecture Components. Diagram labels (same diagram as slide 4): Internet; Cloud Services; Service Provider; Internal Network; Intranet; Web Applications (two groups); Employees / Customers / Partners (External); Employees (Internal); Central Identity Store; IdM Solution; 2FA Provider; WAF; Auth; IdP.
  • 10. Goals. 1 You know what a (typical) Web Application Security Architecture looks like and what components it (usually) consists of. 2 You know how to integrate your applications into such an environment.
  • 11. Agenda. 1. Web Application Security Architecture Components 2. Integration Tips & Tricks
  • 12. Page 12. A Practical Example of a Web Application Security Architecture. Diagram labels (the same diagram is reused on slides 13 to 21, each time with one group of components highlighted): Internet; Field Workers; BYOD, in an «untrusted» IP-Subnet; Customer’s trusted devices (EMM), in a «trusted» IP-Subnet; Client Zone; DMZ (Dual-Homed) with the WAF (active / passive), Public IP / Port-Forwarding (80/443), DMZ IP (shared), Internal IP 1, Internal IP 2; portal.customer.com => WAF’s Public IP; portal.customer.com => WAF’s DMZ IP; Server Zone with OWA, Portal App, AD (LDAPS); SMS-Provider / YubiCloud / …; SaaS App 1, SaaS App 2, SAML SPs, SAML IdP; USP with Mgmt-Access, SOC, Managed VPN Remote Access; functions: Access, Federate.
  • 13. Page 13. A Practical Example – Network Firewalls / Network Zones (same diagram as slide 12, highlighting the network zones: Internet, Client Zone, DMZ, Server Zone, USP).
  • 14. Page 14. A Practical Example – Web Applications and Services (same diagram as slide 12, highlighting AD (LDAPS), OWA and Portal App).
  • 15. Page 15. A Practical Example – Web Application Firewall (same diagram as slide 12, highlighting the active / passive WAF).
  • 16. Page 16. A Practical Example – Users and Devices (same diagram as slide 12, highlighting Field Workers, BYOD in the «untrusted» IP-Subnet and the customer’s trusted devices (EMM) in the «trusted» IP-Subnet).
  • 17. Page 17. A Practical Example – User Identities (same diagram as slide 12, highlighting AD (LDAPS)).
  • 18. Page 18. A Practical Example – Authentication Systems (SSO) (same diagram as slide 12, highlighting SMS-Provider / YubiCloud / … and AD (LDAPS)).
  • 19. Page 19. A Practical Example – Identity Federation Components (CDSSO) (same diagram as slide 12, highlighting SaaS App 1, SaaS App 2, SAML SPs, SAML IdP and AD (LDAPS)).
  • 20. Page 20. A Practical Example – Managed Services and SOC (same diagram as slide 12, highlighting USP, Mgmt-Access, SOC and Managed VPN Remote Access).
  • 21. Page 21. A Practical Example of a Web Application Security Architecture (same diagram as slide 12, nothing highlighted).
  • 22. Agenda 1. Web Application Security Architecture Components 2. Integration Tips & Tricks
  • 23. Page 23. Secure Gateway in the Middle. Diagram: Browser, Secure Entry Server, Application, with the HTTP exchange on both sides of the gateway.
      Browser -> Secure Entry Server:
        POST /web/a/start?action=login HTTP/1.1
        Host: www.u-s-p.ch
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
        Accept-Language: en-US,en;q=0.5
        Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8...
        Connection: keep-alive
        EvilHeader: <script>attack</script>
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 81

        userid=user&password=pass&evilparam=evilvalue
      Secure Entry Server -> Browser:
        HTTP/1.1 200 OK
        Date: Fri, 13 Mar 2015 14:53:54 GMT
        Server: Secure Entry Server
        Cache-Control: no-cache,no-store,max-age=0
        Content-Type: text/html;charset=UTF-8
        Keep-Alive: timeout=10, max=300
        Connection: Keep-Alive

        <html> <head></head> <body>…. <a href=https://www.u-s-p.ch/test>Click me</a> ...</body> </html>
      Secure Entry Server -> Application:
        POST /web/a/start?action=login HTTP/1.1
        Host: internal.host.ch
        User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
        Accept-Language: en-US,en;q=0.5
        Cookie: Username=user
        Connection: keep-alive
        Content-Type: application/x-www-form-urlencoded
        Content-Length: 81

        userid=user&password=pass
      Application -> Secure Entry Server:
        HTTP/1.1 200 OK
        Date: Fri, 13 Mar 2015 14:53:54 GMT
        Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b
        Cache-Control: no-cache,no-store,max-age=0
        Content-Type: text/html;charset=UTF-8
        Keep-Alive: timeout=10, max=300
        Connection: Keep-Alive

        <html> <head></head> <body>… <a href=http://internal.host.ch/test>Click me</a> ….</body> </html>
      Tips: 1 Follow standard HTTP specs (RFC)
  • 24. Page 24. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 1 Follow standard HTTP specs (RFC); 2 Don’t create links or cookies in the browser
  • 25. Page 25. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 1 Follow standard HTTP specs (RFC); 2 Don’t create links or cookies in the browser; 3 Ensure ways for identity propagation: e.g., header, NTLM, Kerberos
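The gateway behaviour visible in the exchange on slide 23 (the browser's EvilHeader and evilparam never reach the application, the gateway's SCDID_S session cookie is replaced by a propagated Username, and the application's absolute http://internal.host.ch link and Apache Server banner are rewritten on the way back), modelled as an added Python example. This is not United Security Providers' product code: the session table, the header and parameter allowlists, the PermissionError for an unknown session and the two sample messages are constructed assumptions; host names and header values are taken from the slide.

```python
"""Model of the "secure gateway in the middle" exchange on the slide.

Added example, not United Security Providers' product code.  The session
table, the header and parameter allowlists and the two sample messages are
constructed for the demo; host names and header values come from the slide.
"""
from urllib.parse import parse_qsl, urlencode

PUBLIC_ORIGIN = "https://www.u-s-p.ch"   # origin the browser talks to
INTERNAL_HOST = "internal.host.ch"       # where the application really lives
SESSION_COOKIE = "SCDID_S"               # the gateway's own session cookie

# Constructed gateway session store: session id -> authenticated user.
SESSIONS = {"2YNIgcWege5AjuNFo3jXf7W8": "user"}

# Constructed allowlists (positive security model).  Anything not listed is
# dropped at the gateway, so "EvilHeader" and "evilparam" never reach the app.
FORWARD_HEADERS = ("user-agent", "accept", "accept-language", "connection",
                   "content-type")
ALLOWED_PARAMS = {"/web/a/start": {"action", "userid", "password"}}


def parse_http(raw):
    """Split a raw HTTP/1.1 message into (start line, ordered header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def parse_cookies(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    return dict(c.strip().split("=", 1) for c in header.split(";") if "=" in c)


def inbound(raw_request):
    """Browser -> gateway -> application.

    Drops headers and parameters that are not allowlisted (tip 1), swaps the
    gateway session cookie for the propagated identity (tip 3) and rewrites
    Host so the application only ever sees its internal name.
    """
    start, headers, body = parse_http(raw_request)
    method, target, version = start.split(" ")
    path, _, query = target.partition("?")
    allowed = ALLOWED_PARAMS.get(path, set())

    session_id = parse_cookies(headers.get("cookie", "")).get(SESSION_COOKIE)
    user = SESSIONS.get(session_id)
    if user is None:
        # A real gateway answers with a redirect to its own login page here.
        raise PermissionError("no valid gateway session for " + path)

    query = urlencode([kv for kv in parse_qsl(query) if kv[0] in allowed])
    body = urlencode([kv for kv in parse_qsl(body) if kv[0] in allowed])
    target = path + ("?" + query if query else "")

    out = [f"{method} {target} {version}", f"Host: {INTERNAL_HOST}"]
    out += [f"{n.title()}: {headers[n]}" for n in FORWARD_HEADERS if n in headers]
    out.append(f"Cookie: Username={user}")       # identity propagation
    out.append(f"Content-Length: {len(body)}")   # recomputed, never copied
    return "\r\n".join(out) + "\r\n\r\n" + body


def outbound(raw_response):
    """Application -> gateway -> browser.

    Hides the backend's Server banner and rewrites absolute internal links to
    the public origin; an application that used relative paths (tip 6) would
    not need the rewrite at all.
    """
    start, headers, body = parse_http(raw_response)
    headers["server"] = "Secure Entry Server"
    body = body.replace("http://" + INTERNAL_HOST, PUBLIC_ORIGIN)
    out = [start] + [f"{n.title()}: {v}" for n, v in headers.items()]
    return "\r\n".join(out) + "\r\n\r\n" + body


# Constructed sample messages, transcribed from the slide (session id shortened).
BROWSER_REQUEST = (
    "POST /web/a/start?action=login HTTP/1.1\r\n"
    "Host: www.u-s-p.ch\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Cookie: SCDID_S=2YNIgcWege5AjuNFo3jXf7W8\r\n"
    "Connection: keep-alive\r\n"
    "EvilHeader: <script>attack</script>\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 45\r\n"
    "\r\n"
    "userid=user&password=pass&evilparam=evilvalue"
)
APP_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 13 Mar 2015 14:53:54 GMT\r\n"
    "Server: Apache/2.0.55 (Debian) PHP/5.1.2-1+b1 mod_ssl/2.0.55 OpenSSL/0.9.8b\r\n"
    "Cache-Control: no-cache,no-store,max-age=0\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    "<html><head></head><body><a href=http://internal.host.ch/test>Click me</a></body></html>"
)

if __name__ == "__main__":
    print(inbound(BROWSER_REQUEST))
    print(outbound(APP_RESPONSE))
```

Running the file prints the two rewritten messages. Two design points carry over to real deployments: the gateway works from allowlists rather than a list of known-bad headers and parameters, and it recomputes Content-Length instead of copying the client's value, so a mismatch between the original length and the filtered body can never reach the application.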
  • 26. Page 26. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 4 Separate sensitive from public data
  • 27. Page 27. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 4 Separate sensitive from public data; 5 Use correct MIME type headers
  • 28. Page 28. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 4 Separate sensitive from public data; 5 Use correct MIME type headers; 6 Use relative paths; 7 Don’t use <base href= …> tags
  • 29. Page 29. Secure Gateway in the Middle. Same diagram and HTTP exchange as slide 23. Tips: 8 Return proper HTTP error codes; 9 Trigger proper relogin for asynchronous requests
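Tips 5 to 9 are properties a developer can check on the application's own responses before a gateway is put in front of it. The following added Python example (not code from the talk or from any product) is a small response linter for those tips, plus the application-side behaviour that tip 9 asks for: an unauthenticated asynchronous request gets a 401 with a JSON body instead of a redirect to the HTML login page, which an XHR or fetch caller cannot follow. The internal host list, the error-page markers, the request_is_async flag and the sample responses are constructed assumptions.

```python
"""Response linter for integration tips 5 to 9 on the slides.

Added example, not code from the talk or from any product.  INTERNAL_HOSTS,
ERROR_MARKERS, the request_is_async flag and the sample responses are
constructed for the demo.
"""
import json
import re

INTERNAL_HOSTS = ("internal.host.ch",)   # host from the slide; extend for your backends
ERROR_MARKERS = ("<title>error", "an error occurred", "stack trace")  # constructed heuristic
REDIRECTS = (301, 302, 303, 307, 308)


def _is_json(body):
    """True when the body parses as a JSON object or array."""
    try:
        return isinstance(json.loads(body), (dict, list))
    except ValueError:
        return False


def lint_response(status, headers, body, request_is_async=False):
    """Return [(tip number, message), ...] for every tip the response violates."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    findings = []

    # Tip 5: the declared MIME type must match what the body really is, or the
    # gateway (and the browser) will handle the content as something else.
    looks_html = body.lstrip().lower().startswith(("<!doctype html", "<html"))
    if looks_html and not ctype.startswith("text/html"):
        findings.append((5, f"HTML body declared as '{ctype or 'no Content-Type'}'"))
    if _is_json(body) and not ctype.startswith("application/json"):
        findings.append((5, f"JSON body declared as '{ctype or 'no Content-Type'}'"))

    # Tip 6: absolute links to internal hosts break behind a gateway and leak names.
    for host in INTERNAL_HOSTS:
        if re.search(r"https?://" + re.escape(host), body, re.I):
            findings.append((6, f"absolute link to internal host {host}"))

    # Tip 7: <base href> re-anchors every relative URL on the page and undoes tip 6.
    if re.search(r"<base\s+href", body, re.I):
        findings.append((7, "<base href=...> tag present"))

    # Tip 8: an error page served with 200 hides the failure from the gateway.
    if status == 200 and any(m in body.lower() for m in ERROR_MARKERS):
        findings.append((8, "error page returned with HTTP 200"))

    # Tip 9: an async caller cannot follow a redirect to a login form; it needs
    # a 401 it can act on (show the login dialog, re-authenticate, retry).
    if request_is_async and status in REDIRECTS and "login" in h.get("location", "").lower():
        findings.append((9, "redirect to login page for an asynchronous request"))
    return findings


def unauthenticated_response(request_is_async):
    """What the application should answer once the session is gone (tip 9)."""
    if request_is_async:
        body = json.dumps({"error": "session expired", "login": "/login"})
        return 401, {"Content-Type": "application/json", "Cache-Control": "no-store"}, body
    return 302, {"Location": "/login"}, ""


# Constructed sample responses: one that breaks tips 5 to 8, one that is clean.
BAD_HTML = (200, {"Content-Type": "text/plain"},
            '<html><head><base href="http://internal.host.ch/app/"><title>Error 500</title></head>'
            '<body><a href="http://internal.host.ch/app/home">Home</a></body></html>')
GOOD_HTML = (200, {"Content-Type": "text/html;charset=UTF-8"},
             '<html><head><title>Home</title></head><body><a href="/app/home">Home</a></body></html>')

if __name__ == "__main__":
    for name, sample in (("bad", BAD_HTML), ("good", GOOD_HTML)):
        print(name, lint_response(*sample))
    print("async, logged out:", unauthenticated_response(request_is_async=True))
```

In a real application the request_is_async flag would be derived from the request (for instance an Accept header asking for application/json, or a custom header set by the front-end code), and the linter would run inside the test suite over every endpoint so that a new absolute link or a misdeclared Content-Type fails the build rather than the gateway rollout.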
  • 30. Page 30. Happy Coding within a Web Application Security Architecture!
  • 31. Teammeeting Application Security Oktober 2016 Michael Schläpfer phone: 61/ 643 51 98 ul. Towarowa 35 61-896 Poznań Michael Schläpfer Senior Manager Application Security Dr. sc. ETH Zürich United Security Providers AG Förrlibuckstrasse 70 CH-8005 Zürich Fon: +41 44 496 61 37 Mobile: +41 79 305 57 12 eMail: michael.schlaepfer@u-s-p.ch Web: www.united-security-providers.ch