web app security

Post on 15-Jan-2015


Secure Java Coding Practices

Araf Karsh Hamid

June, 2006

Rich Internet Applications
History
Architecture
Nothing New

Security
Threats, Vulnerabilities & Defense
Web Application Firewalls
Web Application Security Concerns
Secure Java Coding Practices

Agenda

Rich Internet Apps – History

AJAX Vs. Traditional Web Applications

Rich Internet Apps

Security

Threats, Vulnerabilities & Defense

Web Application Firewalls

Web Application Security Concerns

Security

Threats, Vulnerabilities & Defense

Web Security

Web Application Firewalls

Web Application Security &

Secure Java Coding Practices

Top 10 Web Vulnerabilities

1. Unvalidated Inputs
2. Cross-Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Broken Authentication and Session Management
6. Insecure Direct Object References
7. Cross-Site Request Forgery (CSRF)
8. Security Misconfiguration
9. Insecure Cryptographic Storage
10. Failure to Restrict URL Access
11. Insufficient Transport Layer Protection

Un-validated Input

Attacker can change any value of the input submitted to the Web Server

Re-validate all the inputs at the server

Take only the necessary information (user input) from a form submission

Un-validated Input (Problem)

Unvalidated Input (Fixed)

Cross Site Scripting

Attacker
Injects code into the input data
Hides malicious code with Unicode

Counter measures
Input validation
Input length check

Cross Site Scripting (Problem)

Cross Site Scripting (Fixed)

SQL Injection

Attacker
Can inject System commands
Can inject other SQL
Can override access checks

Examples
Add more commands: “; select * from users;”
Override access: “’ OR 1=1;”

Counter Measures
Use prepared statements in SQL
Run with limited privileges
Filter / validate the input

SQL Injection (Problem)

SQL Injection (Fixed)
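The (Problem) and (Fixed) slides did not survive transcription, so here is an added example, not the deck's own code, showing the string-concatenated lookup that the two payloads above abuse next to its prepared-statement form. It assumes a hypothetical `users` table with `name` and `pw_hash` columns, a JDBC `Connection` opened elsewhere with a read-only database account, and that the caller has already hashed the submitted password.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Assumed schema: users(id, name, pw_hash). "Run with limited privileges"
// means `conn` should belong to an account that can only SELECT from users.
public class UserLookup {

    // PROBLEM: user input is spliced into the SQL text, so the deck's
    // payload  ' OR 1=1;  becomes part of the WHERE clause and matches
    // every row, and  ; select * from users;  appends a second statement.
    static boolean loginVulnerable(Connection conn, String name, String pwHash)
            throws SQLException {
        String sql = "SELECT id FROM users WHERE name = '" + name
                   + "' AND pw_hash = '" + pwHash + "'";
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery(sql)) {
            return rs.next();
        }
    }

    // FIXED: the SQL text is constant; the values are bound as parameters
    // and the driver never parses them as SQL, so quotes and ';' in the
    // input cannot change the shape of the query.
    static boolean loginSafe(Connection conn, String name, String pwHash)
            throws SQLException {
        // "Filter / validate the input" and the length check from the XSS
        // slide: reject anything that cannot be a legitimate username.
        if (name == null || name.isEmpty() || name.length() > 64) {
            return false;
        }
        String sql = "SELECT id FROM users WHERE name = ? AND pw_hash = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);   // bound as data, never as SQL
            ps.setString(2, pwHash);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }
}
```

The concatenated version also breaks on any legitimate name containing an apostrophe, which is often how this class of bug is first noticed in testing.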

Improper Error Handling

Attacker
Gets system information
Gets Database information

Examples
Stack (Thread) Traces
Database dump

Counter Measures
Sanitize the error message
Avoid sending stack traces to the end user
Customize error pages (HTTP errors 404 etc.)

Improper Error Handling (Problem)

Improper Error Handling (Fixed)

araf.karsh@gmail.com

Questions?
