© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin
Senior Security Researcher
CompTIA Security+, LPIC-1 , NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
~# whoami
 Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
 My blog and social media: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
 Jobs
– I-SECURE Co., Ltd.
– Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles at http://packetstormsecurity.com/files/author/9011/ (or google my name).
– Many Thai articles; please google my Thai name.
– Book: "Hacking & Security Book: Network Security" (Thai subtitle: หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ, "the edition for becoming a penetration tester and defender")
 Hobbies: Penetration Testing, Hacking, Reading Info Security, Playing Games, Traveling around the world, Writing Articles, Teaching and more...
Agenda
 Web Architecture
 Web Architecture Attack
 Security Controls & Mechanism
Web Architecture
Basic Web Architecture
 Two-Tier Architecture
– The web browser displays the content returned by the web server
– The web server provides resources to the client
HTML
 HTML (HyperText Markup Language)
– Markup language that describes the structure and layout of a document
– Rendered by a web browser.
URI
 URI (Uniform Resource Identifier): a string that identifies a resource; URLs and URNs are both kinds of URI
URI(2)
 URL (Uniform Resource Locator): identifies a resource by where it is (scheme, host, path)
 URN (Uniform Resource Name): identifies a resource by name, independent of its location
HTTP
 HTTP (HyperText Transfer Protocol)
 HTTP is an application-layer protocol.
 HTTP is a request/response protocol: the client sends an HTTP Request and the server answers with an HTTP Response.
HTTP(2)
 Request Message
– Request Line (method, request target, HTTP version)
– Request Headers
– An empty line
– An optional Message Body
HTTP(3)
Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT
Safe Method
– HEAD
– GET
– OPTIONS
– TRACE
– Safe means the method is defined as read-only: the client does not ask the server to change state. Safe is not the same as harmless: TRACE echoes the request back to the client and is normally disabled on production servers.
Unsafe Method
– POST
– PUT
– DELETE
– CONNECT
Status Code
 Success: 2xx
 Redirection: 3xx
 Client Error: 4xx
 Server Error: 5xx
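The request structure, method classes and status-code classes above, as an added example that is not part of the original slides: a small parser that splits a raw HTTP/1.1 request into request line, headers, empty line and body, marks the method as safe or unsafe per RFC 7231, and maps a status code to its class (the 1xx Informational class is included here although the slide does not list it). The sample request is constructed for this example.

```python
# Added example (not from the original slides): parse a raw HTTP/1.1 request
# into its four parts, classify the method, and map a status code to its class.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT"}


def parse_request(raw: bytes) -> dict:
    """Split a raw request into request line, headers and body.

    The header section ends at the first empty line (CRLF CRLF); the body is
    whatever follows, cut to Content-Length bytes when that header is present.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers empty line")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method {method!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; keep the first occurrence only.
        headers.setdefault(name.strip().lower(), value.strip())
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "safe": method in SAFE_METHODS}


def status_class(code: int) -> str:
    """Map a status code to its class (first digit)."""
    classes = {1: "Informational", 2: "Success", 3: "Redirection",
               4: "Client Error", 5: "Server Error"}
    if code < 100 or code > 599:
        raise ValueError(f"invalid status code {code}")
    return classes[code // 100]


# Constructed sample: a form submission carrying a body (27 bytes).
SAMPLE = (b"POST /login HTTP/1.1\r\n"
          b"Host: example.test\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\n"
          b"Content-Length: 27\r\n"
          b"\r\n"
          b"user=alice&password=secret1")

if __name__ == "__main__":
    req = parse_request(SAMPLE)
    print(req["method"], req["target"], "safe" if req["safe"] else "unsafe")
    print(req["body"])
    print(status_class(404))
```

The body is truncated to Content-Length on purpose: a server that reads past it would treat the trailing bytes as the start of the next request on the same connection.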
HTTP Session State
 HTTP is a stateless protocol: each request is handled on its own, so the application has to carry state between requests itself
 Solutions
– Cookies
– Server-side sessions (the session ID is handed to the client, usually in a cookie)
– Hidden form fields
– URL parameter (/index.php?session_id=$session_code)
– A session ID in the URL leaks through the Referer header, proxy and server logs and browser history, so a cookie is the preferred carrier
Web Architecture Extension
 Two-tier architecture is not enough
 Common Gateway Interface (CGI)
 Standard protocol for interfacing external application software with a web server
 CGI programs are executable programs that run on the web server: the server passes the request to them through environment variables (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, ...) and standard input, and reads the response from standard output.
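The CGI contract described above, as an added example that is not part of the original slides: a handler that takes the CGI environment and the request body, reads the parameters the way a CGI program must (QUERY_STRING for GET, exactly CONTENT_LENGTH bytes of the body for POST) and writes back headers, an empty line and the body. The function name, the `name` parameter and the sample environment are this example's own.

```python
# Added example (not from the original slides): a minimal CGI-style handler.
# The server exports request metadata as environment variables and supplies the
# body on stdin; the program writes headers, an empty line and the body to stdout.
import os
import sys
from html import escape
from urllib.parse import parse_qs


def handle(environ: dict, body: bytes = b"") -> bytes:
    """Build a complete CGI response for a GET or POST request."""
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "POST":
        # The body is exactly CONTENT_LENGTH bytes; never read to end-of-file.
        length = int(environ.get("CONTENT_LENGTH") or 0)
        params = parse_qs(body[:length].decode("utf-8", "replace"))
    elif method == "GET":
        params = parse_qs(environ.get("QUERY_STRING", ""))
    else:
        return b"Status: 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
    name = params.get("name", ["world"])[0]
    # The parameter is attacker-controlled; HTML-escape it before echoing it.
    payload = f"<p>Hello, {escape(name)}</p>".encode("utf-8")
    headers = (f"Content-Type: text/html; charset=utf-8\r\n"
               f"Content-Length: {len(payload)}\r\n\r\n").encode("ascii")
    return headers + payload


# Constructed environment: what a server exports for GET /cgi-bin/hello?name=<b>x</b>
SAMPLE_ENV = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=%3Cb%3Ex%3C%2Fb%3E"}

if __name__ == "__main__":
    if "REQUEST_METHOD" in os.environ:          # invoked by a web server
        length = int(os.environ.get("CONTENT_LENGTH") or 0)
        sys.stdout.buffer.write(handle(os.environ, sys.stdin.buffer.read(length)))
    else:                                       # stand-alone demonstration
        sys.stdout.buffer.write(handle(SAMPLE_ENV))
```

Because every CGI request is a process with the request data in its environment, anything the program does with that data (shell commands, file paths, SQL) runs with the web server's privileges; the handler above treats the parameter purely as data.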
JavaScript
 Scripting language designed for dynamic, interactive web applications
 Runs on the client side, inside the browser.
 Pre-processes data on the client before submission to a server.
 Changes content and styles (DOM manipulation)
 Because it runs on the client, the user controls it: any client-side check can be skipped or altered, so the server must validate the input again.
Three-tier web architecture
 Presentation tier (browser), application tier (web/application server logic), data tier (database)
Making HTTP stateful (2)
 Cookie
 A small piece of text stored on the client's computer by the web browser.
 Sent by the server in the Set-Cookie response header and returned by the browser in the Cookie request header
 Can be used for authentication and session tracking
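The session mechanisms from the two slides above (server-side session with the ID in a cookie, versus the ID in a URL parameter), as an added example that is not part of the original slides. The ID is generated from the OS CSPRNG and issued with the HttpOnly, Secure and SameSite attributes; a third function flags the `/index.php?session_id=...` pattern. The function names and the in-memory session store are this example's own.

```python
# Added example (not from the original slides): issue and resolve a session
# identifier carried in a cookie, and detect a session ID carried in a URL.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

SESSIONS: Dict[str, dict] = {}   # session_id -> server-side state (in-memory stand-in)


def issue_session(user: str) -> Tuple[str, str]:
    """Create a session and return (session_id, Set-Cookie header value).

    The ID is 256 random bits, so it cannot be guessed or enumerated; the user
    data stays on the server and only the opaque ID travels to the client.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    cookie = SimpleCookie()
    cookie["SESSIONID"] = sid
    cookie["SESSIONID"]["httponly"] = True   # not readable by JavaScript (limits XSS impact)
    cookie["SESSIONID"]["secure"] = True     # only sent over HTTPS
    cookie["SESSIONID"]["samesite"] = "Lax"  # not attached to cross-site POSTs (limits CSRF)
    cookie["SESSIONID"]["path"] = "/"
    return sid, cookie.output(header="").strip()


def user_from_cookie(cookie_header: str) -> Optional[str]:
    """Resolve the Cookie request header to a user, or None if unknown."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("SESSIONID")
    if morsel is None:
        return None
    state = SESSIONS.get(morsel.value)
    return state["user"] if state else None


def session_id_in_url(url: str) -> bool:
    """Flag the slide's /index.php?session_id=... pattern: an ID in the URL
    leaks through Referer headers, logs and browser history."""
    query = parse_qs(urlsplit(url).query)
    return any(k.lower() in ("session_id", "sessionid", "phpsessid") for k in query)


if __name__ == "__main__":
    sid, set_cookie = issue_session("alice")
    print("Set-Cookie:", set_cookie)
    print(user_from_cookie("SESSIONID=" + sid))
    print(session_id_in_url("/index.php?session_id=" + sid))
```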
Server and Client Processing
 Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python (Django)
– Ruby on Rails
 Client-Side Processing
– CSS
– HTML
– JavaScript
– Adobe Flash
– Microsoft Silverlight
AJAX
 Asynchronous JavaScript and XML (AJAX)
 Term coined by Jesse James Garrett, February 18, 2005
 Ajax incorporates
 XHTML, CSS, Document Object Model (DOM), XML and XSLT, XMLHttpRequest, JavaScript
AJAX(2)
AJAX(3)
JSON
 JavaScript Object Notation (JSON)
 JSON is a lightweight data interchange format.
 JSON is based on a subset of the JavaScript object-literal syntax (a subset only: unquoted keys, single-quoted strings and comments are valid JavaScript but not valid JSON).
 Commonly used in place of XML as the AJAX message format.
JSON Request & Response
JSON(2)
XML
 eXtensible Markup Language
 Used for information exchange.
 The two primary building blocks of XML are elements and attributes.
 Elements are tags and have values (content).
 Elements are structured as a tree.
 An element may carry both attributes and data.
 Attributes add metadata that describes the element more precisely.
XML(2)
 Tag: the markup itself, <name> ... </name>
 Element: the opening tag, the closing tag and everything between them
 Content: the text or child elements between the tags
XML(3)
XML(4)
XML vs JSON
Web Services
 A web service is a software system designed to support machine-to-machine interaction over a network.
 Web services are frequently used simply as Internet Application Programming Interfaces (APIs).
 Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
 SOAP (Simple Object Access Protocol)
– Web service based on XML: every call is an XML envelope, usually POSTed to a single endpoint
 REST (Representational State Transfer)
– Web service that exposes resources through URLs and HTTP methods, with representations in the application's own format (commonly JSON or XML)
SOAP vs REST
SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
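The SOAP-versus-REST contrast above, as an added example that is not part of the original slides or of the soapui.org page it references: the same "get user 42" call built as a SOAP request (operation inside an XML envelope, POST to one endpoint) and as a REST request (resource in the URL, verb in the HTTP method), with the matching responses parsed. The service name, namespace, URLs and responses are invented for illustration.

```python
# Added example (not from the original slides): one operation as SOAP and as
# REST, built and parsed with the standard library.
import json
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SVC_NS = "http://example.test/userservice"   # hypothetical service namespace


def soap_request(user_id: int) -> dict:
    """SOAP: always POST to one endpoint; the operation lives in the XML body."""
    ET.register_namespace("soap", SOAP_NS)
    ET.register_namespace("u", SVC_NS)
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{SVC_NS}}}GetUser")
    ET.SubElement(op, f"{{{SVC_NS}}}id").text = str(user_id)
    return {"method": "POST", "url": "http://example.test/UserService",
            "headers": {"Content-Type": "text/xml; charset=utf-8",
                        "SOAPAction": f"{SVC_NS}/GetUser"},
            "body": ET.tostring(env, encoding="unicode")}


def rest_request(user_id: int) -> dict:
    """REST: the resource is in the URL and the verb is the HTTP method."""
    return {"method": "GET", "url": f"http://example.test/users/{user_id}",
            "headers": {"Accept": "application/json"}, "body": ""}


def parse_soap_response(xml_text: str) -> dict:
    """Pull the result out of the envelope (namespace-aware); raise on a Fault."""
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        raise RuntimeError(fault.findtext("faultstring"))
    resp = body.find(f"{{{SVC_NS}}}GetUserResponse")
    return {"id": int(resp.findtext(f"{{{SVC_NS}}}id")),
            "name": resp.findtext(f"{{{SVC_NS}}}name")}


def parse_rest_response(json_text: str) -> dict:
    data = json.loads(json_text)
    return {"id": int(data["id"]), "name": data["name"]}


# Constructed responses a server might return for user 42.
SOAP_RESPONSE = (f'<soap:Envelope xmlns:soap="{SOAP_NS}"><soap:Body>'
                 f'<u:GetUserResponse xmlns:u="{SVC_NS}"><u:id>42</u:id><u:name>alice</u:name>'
                 f'</u:GetUserResponse></soap:Body></soap:Envelope>')
REST_RESPONSE = '{"id": 42, "name": "alice"}'

if __name__ == "__main__":
    print(soap_request(42)["body"])
    print(rest_request(42)["url"])
    print(parse_soap_response(SOAP_RESPONSE), parse_rest_response(REST_RESPONSE))
```

One consequence for defenders: because every SOAP call is a POST to the same URL, a firewall or access log that keys on URL and method sees one endpoint; the operation being invoked is only visible by parsing the body or the SOAPAction header.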
Web Architecture Attack
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP Top 10 2013
 Injection
 Broken Authentication and Session Management
 Cross-Site Scripting (XSS)
 Insecure Direct Object References
 Security Misconfiguration
 Sensitive Data Exposure
 Missing Function Level Access Control
 Cross-Site Request Forgery (CSRF)
 Using Components with Known Vulnerabilities
 Unvalidated Redirects and Forwards
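The first item in the list above, Injection, as an added example that is not part of the original slides: a login query that concatenates user input into SQL, beside the parameterised form, run against an in-memory SQLite database with constructed users. The schema, the plaintext passwords and the function names are this example's own.

```python
# Added example (not from the original slides): SQL injection in a login query,
# vulnerable form beside the parameterised fix.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Toy user table (plaintext passwords only to keep the example short)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name: str, password: str):
    # Untrusted input is spliced into the SQL text, so it can change the
    # query's structure. This is the bug and is kept deliberately.
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_safe(db, name: str, password: str):
    # Placeholders send the values separately from the SQL text; the database
    # never parses the input as SQL, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (name, password))]


PAYLOAD = "' OR '1'='1"   # classic tautology payload in the password field

if __name__ == "__main__":
    db = make_db()
    # Vulnerable query becomes:
    #   ... WHERE name = 'x' AND password = '' OR '1'='1'
    # which is true for every row.
    print(login_vulnerable(db, "x", PAYLOAD))   # every user
    print(login_safe(db, "x", PAYLOAD))         # no user
```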
Security Controls & Mechanism
Security Control
 Application Layer
 Network Layer
Application Layer
 Input Validation (on the server; client-side checks are a usability aid, not a control)
 Session Management
 Authentication Methods
 Strong policies (such as a password policy)
 Same-Origin Policy
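The Same-Origin Policy listed above, as an added example that is not part of the original slides: the origin a browser compares is the (scheme, host, port) triple, with default ports counting as explicit ones. The second function applies the same comparison on the server to an `Origin` request header against an allow list, which is how a server decides whether to relax the policy with CORS headers. The URLs are constructed for the example.

```python
# Added example (not from the original slides): the same-origin comparison and
# an exact-match origin allow list for CORS decisions.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple the browser compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if not scheme or not host or port is None:
        raise ValueError(f"cannot determine origin of {url!r}")
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """True only when scheme, host and port all match; path and query do not count."""
    return origin(a) == origin(b)


def cors_allow(origin_header: str, allowed: list) -> str:
    """Value for Access-Control-Allow-Origin, or "" to send no such header.

    The match is on the whole origin triple; substring or suffix matching
    would let https://app.example.test.attacker.example through, and an
    unparsable value such as "null" is refused.
    """
    try:
        requested = origin(origin_header)
    except ValueError:
        return ""
    for entry in allowed:
        if origin(entry) == requested:
            return origin_header
    return ""


if __name__ == "__main__":
    print(same_origin("http://example.test/a", "http://example.test:80/b"))
    print(same_origin("http://example.test/", "https://example.test/"))
    print(repr(cors_allow("https://app.example.test", ["https://app.example.test"])))
```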
Network Layer
 Firewall
 Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
 Web Application Firewall (WAF)
 Centralized Log Server
Network Layer Diagram
Reference :: http://www.umv.co.kr/main_eng/sm_enterprise.php
www.i-secure.co.th
Questions
Ana-Maria Mihalceanu
 

Recently uploaded (20)

A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Monitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR EventsMonitoring Java Application Security with JDK Tools and JFR Events
Monitoring Java Application Security with JDK Tools and JFR Events
 

Web architecture mechanism and threats

Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin
Senior Security Researcher
CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE

~# whoami
 Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
 My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
 Jobs
– I-SECURE Co., Ltd.
– Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles at http://packetstormsecurity.com/files/author/9011/, and please google my name.
– Many Thai articles, please google my Thai name.
– Book: “Hacking & Security Book "Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ”
 Hobbies: Penetration Testing, Hacking, Reading Info Security, Playing Games, Traveling around the world, Writing Articles, Teaching and more...

Agenda

Agenda
 Web Architecture
 Web Architecture Attack
 Security Controls & Mechanism

Web Architecture

Basic Web Architecture
 Two Tier Architecture
– Web browser displays the content returned from the Web Server
– Web server provides resources for the client

HTML
 HTML (Hyper Text Markup Language)
– Document layout language
– Viewed using a Web Browser.

URI
 URI (Universal Resource Identifier)

URI (2)
 URL (Universal Resource Locator)
 URN (Universal Resource Name)

HTTP
 HTTP (Hyper Text Transfer Protocol)
 HTTP is an application layer protocol.
 HTTP has two-way communication: HTTP Request and HTTP Response.

HTTP (2)
 Request Message
– Request Line
– Request Header
– An empty line
– An optional Message Body

HTTP (3)

Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT

Safe Method
– HEAD
– GET
– OPTIONS
– TRACE
– POST
– PUT
– DELETE
– CONNECT

Status Code
 Success: 2xx
 Redirection: 3xx
 Client-Side Error: 4xx
 Server-Side Error: 5xx
HTTP Session State
 HTTP is a stateless protocol
 Solutions
– Cookies
– Sessions
– Hidden variable
– URL-encoded parameter (/index.php?session_id=$session_code)

Web Architecture Extension
 Two tier architecture is not enough
 Common Gateway Interface (CGI)
 Standard protocol for interfacing external application software with a web server
 CGI programs are executable programs that run on the web server.

Javascript
 Scripting language designed for dynamic, interactive web applications
 Runs on the client side.
 Preprocessing data on the client before submission to a server.
 Changing content types and styles

Three tier web architecture

Making HTTP stateful (2)
 Cookie
 A text stored on a client’s computer by a web browser.
 Sent as an HTTP header
 Can be used for authentication and session tracking
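How a server keeps session state on top of a stateless protocol, covering both the "HTTP Session State" and "Cookie" slides above: an unguessable session id is issued in a Set-Cookie header, stored only server-side, looked up from the Cookie header on later requests and expired when idle. This is an added example, not code from the deck; the cookie name, the 15-minute idle timeout and the request headers are assumptions.

```python
"""Server-side session tracking over stateless HTTP. Added example: the cookie
name, timeout value and the constructed Cookie headers are assumptions."""
import secrets
import time
from typing import Dict, Optional

SESSION_TTL = 15 * 60  # idle timeout in seconds (assumed policy value)

# The store lives only on the server; the client holds nothing but the id.
_sessions: Dict[str, dict] = {}


def create_session(username: str, now: Optional[float] = None) -> str:
    """Issue a 128-bit id from the OS CSPRNG and record the user server-side."""
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": username, "last_seen": time.time() if now is None else now}
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps script away from the id, Secure keeps it
    off plain HTTP, SameSite=Lax stops most cross-site requests from carrying it."""
    return f"session_id={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse 'a=1; b=2' into a dict; malformed pairs are ignored, not crashed on."""
    out: Dict[str, str] = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            out[name] = value
    return out


def lookup_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Return the username for a valid, unexpired session cookie, else None."""
    now = time.time() if now is None else now
    sid = parse_cookie_header(cookie_header).get("session_id")
    if not sid:
        return None
    sess = _sessions.get(sid)
    if sess is None:
        return None  # unknown or already destroyed id: treat as anonymous
    if now - sess["last_seen"] > SESSION_TTL:
        del _sessions[sid]  # expire idle sessions instead of keeping them forever
        return None
    sess["last_seen"] = now
    return sess["user"]


def destroy_session(sid: str) -> None:
    """Logout: drop the server-side record so the cookie becomes worthless."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid = create_session("alice")
    print("Set-Cookie:", set_cookie_header(sid))
    print("user:", lookup_session(f"session_id={sid}"))
    destroy_session(sid)
    print("after logout:", lookup_session(f"session_id={sid}"))
```

Of the four solutions the slide lists, the cookie carries the id in a header rather than in the URL, which is why it is preferred over the `?session_id=` parameter form: URLs end up in server logs, browser history and Referer headers, a cookie with HttpOnly and Secure does not.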
Server and Client Processing
 Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python, Django
– Ruby on Rails
 Client-Side Processing
– CSS
– HTML
– Javascript
– Adobe Flash
– Microsoft Silverlight

AJAX
 Asynchronous Javascript and XML (AJAX)
 Created by Jesse James Garrett, February 18, 2005
 Ajax incorporates XHTML, CSS, Document Object Model (DOM), XML and XSLT, XMLHttpRequest, Javascript

AJAX (2)

AJAX (3)

JSON
 Javascript Object Notation (JSON)
 JSON is a lightweight computer data interchange format.
 JSON is based on a subset of the Javascript programming language.
 Used in place of the XML format.

JSON Request && Response

JSON (2)

XML
 eXtensible Markup Language
 Used for information exchange.
 The two primary building blocks of XML are elements and attributes.
 Elements are tags and have values.
 Elements are structured as a tree.
 Alternatively, elements may have both attributes as well as data.
 Attributes help you give more meaning and describe your element more efficiently and clearly.

XML (2)
 Tag
 Element
 Content

XML (3)

XML (4)

XML vs JSON
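The XML building blocks named above (elements as a tree, attributes, and element content) walked with the standard-library parser and rendered as the equivalent JSON, so the two formats from the "XML vs JSON" slide can be compared on the same data. This is an added example, not code from the deck; the order document and the `@` / `#text` key convention are constructed for the illustration.

```python
"""Walk an XML document's elements, attributes and content and emit the
equivalent JSON. Added example; the sample document is constructed."""
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict

# Constructed sample: elements form a tree, some carry attributes plus data.
SAMPLE_XML = """<?xml version="1.0"?>
<order id="1001" currency="THB">
  <customer>Somchai</customer>
  <item sku="A-7" qty="2">Keyboard</item>
  <item sku="B-3" qty="1">Mouse</item>
</order>"""


def element_to_dict(elem: ET.Element) -> Dict[str, Any]:
    """Map one element to a dict: attributes under '@', text content under
    '#text', child elements keyed by tag (a repeated tag becomes a list)."""
    node: Dict[str, Any] = {}
    if elem.attrib:
        node["@"] = dict(elem.attrib)
    text = (elem.text or "").strip()
    if text:
        node["#text"] = text
    for child in elem:
        child_dict = element_to_dict(child)
        if child.tag in node:
            existing = node[child.tag]
            if not isinstance(existing, list):
                node[child.tag] = [existing]
            node[child.tag].append(child_dict)
        else:
            node[child.tag] = child_dict
    return node


def xml_to_json(xml_text: str) -> str:
    """Parse XML (ParseError on malformed input) and serialise the tree as JSON."""
    root = ET.fromstring(xml_text)
    return json.dumps({root.tag: element_to_dict(root)}, indent=2)


if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```

The output makes the slide's distinction visible: `customer` has only content, each `item` has both attributes and content, and the repeated `item` tag has no direct JSON equivalent, so it has to become an array. The converse loss applies too: JSON has no attributes, which is why the `@` key is needed.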
Web Services
 A web service is a software system designed to support machine-to-machine interaction over a network.
 Web services are frequently just used as Internet Application Programming Interfaces (APIs).
 Web services use HTTP for transmitting messages (RPC, SOAP, REST)

SOAP vs REST
 SOAP (Simple Object Access Protocol)
– Web service based on XML
 REST (Representational State Transfer)
– Web service represented in the format of the application

SOAP vs REST

SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Web Architecture Attack

Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

OWASP 2013
 Injection
 Broken Authentication and Session Management
 Cross-Site Scripting (XSS)
 Insecure Direct Object Reference
 Security Misconfiguration
 Sensitive Data Exposure
 Missing Function Level Access Control
 Cross-Site Request Forgery (CSRF)
 Using Components with Known Vulnerabilities
 Unvalidated Redirects and Forwards

Security Controls & Mechanism

Security Control
 Application Layer
 Network Layer

Application Layer
 Input Validation
 Session Management
 Authentication Method
 Strong Policy (such as password policy)
 Same-Origin Policy
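Three of the application-layer controls listed above in plain Python: allowlist input validation, a password policy check, and the (scheme, host, port) comparison behind the same-origin policy. This is an added example, not code from the deck; the field patterns, the 12-character minimum and the sample URLs are assumptions chosen for the illustration.

```python
"""Application-layer controls: allowlist validation, password policy and a
same-origin check. Added example; patterns and policy numbers are assumptions."""
import re
from typing import List, Tuple
from urllib.parse import urlsplit

# Allowlist patterns: accept only what the field is supposed to contain,
# rather than trying to enumerate "bad" characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")
ORDER_ID_RE = re.compile(r"[0-9]{1,10}")


def valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def valid_order_id(value: str) -> bool:
    return ORDER_ID_RE.fullmatch(value) is not None


def password_policy_errors(password: str, min_len: int = 12) -> List[str]:
    """Return every rule the password breaks; an empty list means it passes."""
    errors = []
    if len(password) < min_len:
        errors.append(f"shorter than {min_len} characters")
    if not re.search(r"[a-z]", password):
        errors.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        errors.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no symbol")
    return errors


DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """The (scheme, host, port) tuple a browser compares; an omitted port
    means the scheme's default, so http://a and http://a:80 are one origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, 0)
    return scheme, (parts.hostname or "").lower(), port


def same_origin(a: str, b: str) -> bool:
    """Same-origin policy: any difference in scheme, host or port is a different origin."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    print(valid_username("alice_01"), valid_username("alice;--"))
    print(password_policy_errors("password"))
    print(same_origin("http://www.example.com/a", "https://www.example.com/a"))
```

Note that `fullmatch` is used rather than `match`: a `$`-anchored pattern in Python still matches before a trailing newline, so `fullmatch` is the one that actually enforces "the whole value looks like this".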
Network Layer
 Firewall
 Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
 Web Application Firewall (WAF)
 Centralized Log Server

Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php

Questions
www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.