Web Application Security
By Lavu Yaswanth, Ponamala Gopi Krishna and Attaluri Venkata Chaitanya
Security Threats
• According to the security vendor Cenzic, the top vulnerabilities
Cross-site scripting (XSS)
• XSS is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. Its effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.
Cross-site scripting (XSS)
Prevention Methods:
• Contextual output encoding/escaping of string input
• Safely validating untrusted HTML input
• Cookie security
• Disabling scripts
Emerging defensive technologies
• Content security policy
• JavaScript sandbox tools
• Auto-escaping templates
These mechanisms are still evolving but promise a future of heavily reduced XSS attack occurrence.
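The contextual output encoding, auto-escaping and content security policy items above, worked through in Python as an added example that is not part of the original deck. The helper names (`render_vulnerable`, `render_safe`, `csp_header`, `introduces_script`) and the sample input are assumptions constructed for the demo.

```python
import html
import json

# Constructed sample input standing in for untrusted form fields (not real
# data): a display name that tries to break out of an attribute value, and a
# comment carrying a script element.
UNTRUSTED_NAME = 'Mallory" onmouseover="alert(1)'
UNTRUSTED_COMMENT = "<script>alert('xss')</script>"


def render_vulnerable(name: str, comment: str) -> str:
    """Interpolates the raw strings into three contexts (attribute value,
    element body, JavaScript string literal). Kept only as the 'before'."""
    return (
        f'<div class="comment" data-author="{name}">'
        f"<p>{comment}</p>"
        f"<script>var author = '{name}';</script>"
        "</div>"
    )


def render_safe(name: str, comment: str, nonce: str) -> str:
    """Contextual output encoding: each value is escaped for the exact
    context it lands in, which is what an auto-escaping template does.
      - attribute value and element body: html.escape with quote=True, so
        <, >, &, " and ' all become entities;
      - JavaScript string literal: json.dumps yields a quoted, escaped
        literal, and '</' is split so the text cannot close the script tag.
    The script element carries the per-response CSP nonce (see csp_header)."""
    attr = html.escape(name, quote=True)
    body = html.escape(comment, quote=True)
    js_literal = json.dumps(name).replace("</", "<\\/")
    return (
        f'<div class="comment" data-author="{attr}">'
        f"<p>{body}</p>"
        f'<script nonce="{nonce}">var author = {js_literal};</script>'
        "</div>"
    )


def csp_header(nonce: str) -> tuple:
    """Content Security Policy as a second layer: only scripts tagged with this
    response's nonce may run, so an inline script that slips past encoding is
    refused by the browser. Generate the nonce freshly per response
    (e.g. secrets.token_urlsafe(16)); a fixed value is passed in here only so
    the demo is deterministic."""
    return (
        "Content-Security-Policy",
        f"default-src 'self'; script-src 'nonce-{nonce}'; object-src 'none'",
    )


def introduces_script(markup: str, comment: str) -> bool:
    """Checks whether untrusted input reached the page as live markup: either
    the comment's script element survived verbatim or an inline event
    handler attribute was created from the name."""
    return comment in markup or 'onmouseover="' in markup
```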
SQL Injection
• SQL injection is a code injection technique used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
• A denial-of-service (DoS) attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
• A distributed denial-of-service (DDoS) attack is one where the attack source is more than one, and often thousands of, unique IP addresses.
Defense techniques (DoS/DDoS)
• Firewalls
• Switches
• Routers
• Application front end hardware
• Application level Key Completion Indicators
• IPS based prevention
• DDS based defense
• Black holing and sink holing
• Clean pipes
Arbitrary Code Execution
• Arbitrary code execution describes an attacker's ability to execute any commands on a target machine or in a target process.
• An arbitrary code execution vulnerability is a software bug that gives an attacker a way to execute arbitrary code.
• A program that is designed to exploit such a vulnerability is called an arbitrary code execution exploit.
• The ability to trigger arbitrary code execution from one machine on another (especially via a wide-area network such as the Internet) is often referred to as remote code execution.
• Arbitrary code execution is commonly achieved through control over the instruction pointer of a running process.
Memory Corruption
• Memory corruption occurs in a computer program when the contents of a memory location are unintentionally modified due to programming errors; this is termed violating memory safety.
• Memory corruption is one of the most intractable classes of programming errors, for two reasons:
  The source of the memory corruption and its manifestation may be far apart, making it hard to correlate the cause and the effect.
  Symptoms appear under unusual conditions, making it hard to consistently reproduce the error.
Memory Corruption
• Memory corruption errors can be broadly classified into four categories:
• Using uninitialized memory
• Using non-owned memory
• Using memory beyond the memory that was allocated (buffer overflow)
• Faulty heap memory management
Cross-Site Request Forgery
• Cross-site request forgery is also known as a one-click attack or session riding.
• Several things have to happen for cross-site request forgery to succeed:
  The attacker must target either a site that doesn't check the Referer header or a victim with a browser or plugin that allows Referer spoofing.
  The attacker must find a form submission at the target site, or a URL that has side effects, that does something (e.g., transfers money, or changes the victim's e-mail address or password).
  The attacker must determine the right values for all the form or URL inputs; if any of them are required to be secret authentication values or IDs that the attacker can't guess, the attack will most likely fail (unless the attacker is extremely lucky in their guess).
  The attacker must lure the victim to a Web page with malicious code while the victim is logged into the target site.
Prevention
• Synchronizer token pattern
• Client side safeguards
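The synchronizer token pattern listed above, as an added example that is not part of the original deck: the server stores a random token in the session, embeds it in its own forms, and performs a state-changing action only when the submitted copy matches. The in-memory session store, the `handle_change_email` handler and the `demo` function are assumptions constructed for the illustration.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store, session id -> session data. A real
# application would keep this in its session backend.
SESSIONS: Dict[str, dict] = {}


def start_session() -> str:
    """Logs in a constructed user and returns the session id the browser
    would hold in a cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": "alice", "csrf_token": None}
    return sid


def issue_csrf_token(sid: str) -> str:
    """Generates the synchronizer token once per session and returns it for
    embedding in the form as a hidden field. Only pages the site itself
    rendered carry it; a page on another origin cannot read it."""
    session = SESSIONS[sid]
    if session["csrf_token"] is None:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def handle_change_email(sid: str, form: dict) -> Tuple[int, str]:
    """Handler for a state-changing POST. The session cookie alone is not
    enough: the request must also carry the token stored in that session."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "no session"
    expected = session["csrf_token"]
    submitted = form.get("csrf_token", "")
    # compare_digest avoids a timing side channel; an unissued token never matches.
    if expected is None or not hmac.compare_digest(
        expected.encode(), submitted.encode()
    ):
        return 403, "csrf check failed"
    session["email"] = form["email"]
    return 200, "email updated"


def demo() -> Tuple[int, int]:
    """Legitimate submission from the site's own form versus a forged
    cross-site submission that rides on the victim's session cookie."""
    sid = start_session()
    token = issue_csrf_token(sid)
    legit = handle_change_email(
        sid, {"email": "alice@new.example", "csrf_token": token}
    )
    # The forged request reaches the server with the victim's session id, but
    # the attacker's page has no way to include the real token.
    forged = handle_change_email(
        sid, {"email": "attacker@evil.example", "csrf_token": "guess"}
    )
    return legit[0], forged[0]
```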
DATA BREACH
• A data breach is the intentional or unintentional release of secure information to an untrusted environment.
• Other terms for this phenomenon include unintentional information disclosure, data leak and data spill.
• A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
• Many jurisdictions have passed data breach notification laws, requiring a company that has been subject to a data breach to inform customers and take other steps to remediate possible injuries.
Example of a chart (template chart: quarterly series for East, West, North and South; y-axis 0 to 90)
Reference
• "Web Application Security Overview". 2015-10-23.
• "The Ghost in the Browser" (PDF). Niels Provos et al. May 2007.
• "All Your iFrames Point to Us" (PDF). Niels Provos et al. February 2008.
• "Improving Web Application Security: Threats and Countermeasures". Microsoft Corporation. June 2003.
• "Microsoft fortifies IE8 against new XSS exploits". Dan Goodin, The Register. February 2009.
• "Testing and Comparing Web Vulnerability Scanning Tools for SQL Injection and XSS Attacks" (PDF). Fonseca, J.; Vieira, M.; Madeira, H., Dependable Computing, IEEE. Dec 2007.
• "CWE/SANS Top 25 Most Dangerous Programming Errors". CWE/SANS. May 2009.
• "2012 Global Losses From Phishing Estimated At $1.5 Bn". FirstPost. February 20, 2013. Retrieved December 21, 2014.
• "2012 Trends Report: Application Security Risks". Cenzic, Inc. 11 March 2012. Retrieved 9 July 2012.
• Shuaibu, Bala Musa; Norwawi, Norita Md; Selamat, Mohd Hasan; Al-Alwani, Abdulkareem (2013-01-17). "Systematic review of web application security development model". Artificial Intelligence Review 43 (2): 259–276. doi:10.1007/s10462-012-9375-6. ISSN 0269-2821.
• "The Web Hacking Incidents Database". WASC. January 2010.
• "Web Application Vulnerability Scanners". NIST.
• "Source Code Security Analyzers". NIST.
• "Fuzzing". OWASP.
• "Web application firewalls for security and regulatory compliance". Secure Computing Magazine. February 2008.