Slide 1: Web Application

Slide 2 (diagram): HTTP(s) agent, Web Server, Application Server, Database Server, Web Application

Slide 3: Figure 1, Web Architecture

Slide 4: Firewall, Load Balancer, Reverse Proxy Server, Cache System; web client, database server
  HTTP Client / User Layer (Browser): Cross-Site Scripting, Spoofing, Javascript Injection

Slide 5: Transport Layer HTTP(s): Passive Monitoring, Man-in-the-Middle Attack, Session Hijack, SSL Session; Firewall
  Web Server Layer: Buffer Overflow, Format String, Directory Traversal, Default Accounts, Default Applications

Slide 6: Web Applications Layer: Metacharacters, Null Characters, Buffer Overflow; Firewall (Internet Network Firewall)
  Database Layer: Direct SQL Commands, SQL Injection, Query Restricted Database, Database Exploit

Slide 7: MS IIS

Slide 8:
  Hidden Field Manipulation
  Cookie Poisoning
  Backdoors and debug options
  Application buffer overflows
  Stealth commanding
  3rd party misconfigurations
  Known vulnerabilities
  Parameter tampering

Slide 9:
  Cross site scripting
  Forceful browsing
  Hacking over SSL
  Source code disclosure
  Web Server Architecture Attack
  SQL Injection
  JavaScript Injection
Slide 10: Hidden Field
  hidden field; View Source; HIDDEN tag; Application

Slide 11: Figure 2, Hidden Field

Slide 12: Cookie Poisoning
  Cookie; Session; Session ID cookie

Slide 13: Back Door & Debug Options
  Developing Environment; debug; Debug; back door; disable debug mode

Slide 14: Application Buffer Overflow
  Buffer Overflow; text box

Slide 16: Stealth Commanding
  SQL Command; Command

Slide 17: 3rd Party Misconfiguration
  Default password

Slide 18: Known Vulnerabilities
  Microsoft IIS; Patch

Slide 19: Parameter Tampering
Slide 21: Cross Site Script
  cross site script; script; sends an email; javascript

Slide 22: Figure 3, Cross Site Script

Slide 23: Forceful Browsing
  Default file

Slide 24: Hacking Over SSL
  SSL; content

Slide 25: Source Code Disclosures
  Source Code Disclosure; configuration file; WebLogic / WebSphere; JSP, JHTML; "jsp" URL

Slide 26: Source Code Disclosures
  Microsoft IIS "HTR"; ASA, ASP; URL: http://10.0.0.1/global.asa+.htr ; htr, ISM.DLL
  Microsoft IIS showcode.asp; showcode.asp bundled with IIS, Windows NT Option Pack 4.0; URL

Slide 27: Web Server Architecture Attack
  bypass; built-in procedure

Slide 28: handler
  html handler; cgi handler; default handler; html, jsp handler; java compiler; java run-time
  handler forcing, Sun Java Web Server, URL

Slide 29:
  http://10.0.0.2/servlet/com.sun.server.http.pagecompile.jsp.runtime.JspServlet/path/to/file.html
  servlet; path; /servlet/ PageCompile handler (Servlet); handle; path; java run-time; root
Slide 30: SQL Poisoning & Injections
  sql statement; DBMS; SQL Query; database
' Classic ASP (VBScript) lookup from the slide: the product ID from the URL is
' concatenated straight into the SQL text, which is the injection point.
Dim objCon, objRS, sql_qry
Const CONNECT_STRING = "Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa;PWD=xyzzy"
' ID is read from the query string (assumed from the example URLs that follow)
sql_qry = "SELECT * FROM PRODUCT WHERE ID =" & Request.QueryString("ID")
Set objCon = Server.CreateObject("ADODB.Connection")
objCon.Open CONNECT_STRING
Set objRS = objCon.Execute(sql_qry)
Slide 31:
  http://10.0.0.3/showtable.asp?ID=3+OR+1=1

Slide 32: Query Statement
  SELECT * FROM PRODUCT WHERE ID=3OR 1=1
  PRODUCT
  http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PRODUCT
  SELECT * FROM PRODUCT WHERE ID=3
  DROP TABLE PRODUCT
  SQL statement

Slide 33:
  http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_cmdshell+'copy+winntsystem32cmd.exe+inetpubscripts'
  Copy winntsystem32winntcmd.exe inetpubscripts
  SQL Injection; Inject; Backdoor; Inject
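The showtable.asp lookup above, rebuilt as an added example in Python with sqlite3 standing in for classic ASP and SQL Server (this is not the deck's code): the concatenated query accepts the slide's ID=3+OR+1=1 input and dumps the whole PRODUCT table, while the sanity-checked, parameterized version the later Secure Coding slides call for rejects it, and also rejects the %01-separated second statement. The PRODUCT rows, the column names and the 9-digit ID limit are constructed assumptions.

```python
"""Constructed demonstration of the showtable.asp?ID= injection from the slides,
rebuilt on sqlite3 as a stand-in for the ASP / SQL Server setup in the deck."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample rows standing in for the deck's PRODUCT table.
SAMPLE_PRODUCTS = [(1, "keyboard"), (2, "mouse"), (3, "monitor")]

# Sanity check from the secure-coding slides: digits only, bounded length.
ID_PATTERN = re.compile(r"[0-9]{1,9}")


def make_demo_db():
    """In-memory database with the PRODUCT table used by the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCT (ID INTEGER PRIMARY KEY, NAME TEXT)")
    conn.executemany("INSERT INTO PRODUCT VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def id_from_query_string(qs):
    """Decode the ID value the way the web server hands it to the script:
    '+' becomes a space and %XX escapes are decoded (so %01 becomes a SOH byte)."""
    for pair in qs.split("&"):
        key, _, value = pair.partition("=")
        if key == "ID":
            return unquote_plus(value)
    return ""


def lookup_vulnerable(conn, raw_id):
    """Mirrors the slide's ASP: the parameter is concatenated into the SQL text,
    so 'ID=3 OR 1=1' turns a single-row lookup into a full table dump."""
    sql_qry = "SELECT * FROM PRODUCT WHERE ID =" + raw_id
    return conn.execute(sql_qry).fetchall()


def validate_id(raw_id):
    """Accept only what the application expects (a bounded integer) and drop
    everything else: metacharacters, control bytes such as %01, trailing SQL."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("rejected product ID: %r" % raw_id)
    return int(raw_id)


def lookup_safe(conn, raw_id):
    """Validated value bound as a parameter: the DBMS never parses user input
    as SQL, so neither 'OR 1=1' nor a second statement can reach the query."""
    product_id = validate_id(raw_id)
    return conn.execute("SELECT * FROM PRODUCT WHERE ID = ?", (product_id,)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    for url in ("ID=3", "ID=3+OR+1=1", "ID=3%01DROP+TABLE+PRODUCT"):
        raw = id_from_query_string(url)
        try:
            print(url, "vulnerable ->", len(lookup_vulnerable(db, raw)), "rows")
        except sqlite3.Error as err:
            print(url, "vulnerable -> SQL error:", err)
        try:
            print(url, "safe ->", lookup_safe(db, raw))
        except ValueError as err:
            print(url, "safe ->", err)
```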
Slide 34: Java Script Injection
  Javascript Injection; Javascript; Session; Hidden Field; Session Invalid; HTML; Cookies
  javascript:alert(document.cookie)

Slide 35: System Scanner and Security Infrastructure Software; Secure Coding

Slide 36: System Scanner and Security Infrastructure Software
  System Scanner; permission; Scanner
  Whisker, Nikto, Stealth, Twwwscan; AppScan

Slide 37: reject; AppShield

Slide 38: Secure Coding
  input & output validation; SSL; HTML forms

Slide 39: Input & Output validation
  NEVER TRUST CLIENT SIDE DATA
  Client Side Script: JavaScript, VBScript, Java Applets, Flash, ActiveX, CSS, XML/XSL; script
Slide 40: Sanity Checking
  YES / NO; drop
  system call; directory traversal; NULL character; HTML

Slide 41: HTML tag
  webmail, message board, chat; HTML Allow List; drop HTML tag
  HTML tags: <APPLET>, <BASE>, <BODY>, <EMBED>, <FRAME>, <FRAMESET>, <HTML>, <IFRAME>, <IMG>, <LAYER>, <META>, <OBJECT>, <P>, <SCRIPT>, <STYLE>
  HTML tag attributes: STYLE, SRC, HREF, TYPE

Slide 42: SSL
  HTTP; HTTP Plaintext; Sniffer; HTTP over SSL (Secure Socket Layer); Web Client, Web Server; SSL transport
  Client & Server Authentication

Slide 43: SSL
  Web Browser; Public Key; Server; Browser; Server Certificate; Public Key

Slide 44: HTML forms
  hidden form element; hidden element; password element; SSL, plain text; password element method HTTP/GET, HTTP/POST
  MaxSize Attribute (<input MaxSize="##">)
Slide 45: Cookies
  persistent: Cookie; non-persistent: Cookie
  User Authentication; State Management; Saving user preference
  • Cookies Plaintext

Slide 46:
  • restrictive path Cookies
  • Authentication valid
  • Cookies
  • Token ID
  • Cookies Timeout
  • Authentication, Business Intranet, authentication
  • Authentication header: User-Agent, Accept-Language, Etc.

Slide 47: HTTP REFERER Header
  script attack; HTTP REFERER header

Slide 48: POST & GET method
  method GET; Proxy Server, Firewall, Web Servers log; POST; method; client side script; POST method; GET

Slide 49: logout
  logout; Cookies; session

Slide 50: Error Handling Mechanism
  Error Handling; Error Description
  Username, Password

Slide 51: The End
