Web Application Security: Threats & Countermeasures
Page 1
Web Application Security: Threats & Countermeasures
Aung Thu Rha Hein (g5536871)
Page 2
Outline
Fundamentals
• Principles
• Practices
• Three-Tiered Approach
Threats & Countermeasures
• Anatomy of web attacks
• Threat categories
• STRIDE
• Network Threats & Countermeasures
• Host Threats & Countermeasures
• Application Threats & Countermeasures
Summary & Conclusion
Page 3
Fundamentals: Principles
Defense in Depth
• Use multiple layers so that the failure of one defense does not expose the system
• E.g. firewalls, IDS, load balancers, IP restrictions
Least Privilege
• Grant as little access to the system as possible
• E.g. restrict access to the DB
Least Complicated
• Complexity generates mistakes
Page 4
Fundamentals: Practices
Filter input
• Ensure incoming data is valid
Escape output
• Ensure outgoing data is not misinterpreted
Input → Application → Output
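As an added example of the two practices above (filter input, escape output), not part of the original slides, the Python below applies an allow-list to a username field and HTML-escapes every value it renders; the hostile inputs are constructed for illustration, and the invariant check at the end is a convenient way to confirm the escaping held:

```python
import html
import re

# Allow-list for a username field: letters, digits and underscore, 3 to 32 characters.
# Anything outside the list is rejected rather than "cleaned", so there is no
# partially filtered value left for an attacker to reason about.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Constructed hostile inputs for illustration only.
HOSTILE_NAME = '" onmouseover="alert(1)'   # tries to break out of an attribute
HOSTILE_BIO = "<script>alert(1)</script>"   # tries to inject a tag into element text


def is_valid_username(raw: str) -> bool:
    """Filter input: accept only values that match the allow-list exactly."""
    return USERNAME_RE.fullmatch(raw) is not None


def render_profile(username: str, bio: str) -> str:
    """Escape output: encode each value for the HTML context it lands in.

    html.escape with the default quote=True also encodes " and ', so a value
    placed inside a quoted attribute cannot close it early and add its own
    attributes; in element text the same call neutralises < and >.
    """
    attr_safe = html.escape(username)
    text_safe = html.escape(username)
    bio_safe = html.escape(bio)   # free text is not filtered, so escaping alone must hold
    return (
        f'<div class="profile" data-user="{attr_safe}">'
        f"<h1>{text_safe}</h1>"
        f"<p>{bio_safe}</p>"
        "</div>"
    )


def profile_is_inert(username: str, bio: str) -> bool:
    """True when only the template's own markup survives in the rendered HTML.

    The template writes exactly six '<' and four '"' characters; because every
    data value is escaped, untrusted input can never change those counts.
    """
    rendered = render_profile(username, bio)
    return rendered.count("<") == 6 and rendered.count('"') == 4
```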
Page 5
Three-Tiered Approach
Secure the network
Secure the host
• Runtime services
• Platform services
• Operating system
Secure the application
• Presentation logic
• Business logic
• Data access logic
Page 6
Threats & Countermeasures
Anatomy of a web attack
• Survey and assess
• Exploit and penetrate
• Escalate privileges
• Deny service
• Maintain access
Page 7
Threats & Countermeasures
Threat Categories
• STRIDE: based on the goals and purposes of the attacker
• Three categories based on the three-tiered approach: Network, Host, Application
Page 8
Threats & Countermeasures: STRIDE (threats)
• Spoofing: gain access to the system with a false identity
• Tampering: unauthorized modification of data
• Repudiation: the ability of a user to deny having performed specific actions or transactions
• Information disclosure: exposure of private data
• Denial of Service: making the system unavailable
• Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user
Page 9
Threats & Countermeasures: STRIDE (countermeasures)
• Spoofing: strong authentication, SSL, avoid storing and sending sensitive data in plaintext
• Tampering: data hashing, digital signatures, authorization
• Repudiation: secure audit trails, digital signatures
• Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
• Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
• Elevation of Privilege: follow the principle of least privilege
Page 10
Threats & Countermeasures: Network (threats)
• Information gathering: discover and profile network devices to find vulnerabilities
• Sniffing: eavesdropping on data as it crosses the network
• Spoofing: hide one's true identity to access the system and work around ACLs
• Session hijacking: man-in-the-middle attack
• Denial of service: denies legitimate access to a server or its services
Page 11
Threats & Countermeasures: Network (countermeasures)
• Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
• Sniffing: strong physical security, network segmentation, encrypted communication
• Spoofing: filter incoming and outgoing packets
• Session hijacking: encrypted session negotiation and communication channels
• Denial of service: IDS, appropriate registry settings for the TCP/IP stack
Page 12
Threats & Countermeasures: Host (threats)
• Viruses, Trojan horses, and worms: perform malicious acts and cause disruption to the OS
• Footprinting: try to reveal valuable information about the system
• Password cracking: try to establish an authenticated connection with the server
• Arbitrary code execution: execute malicious code on the server
• Unauthorized access: try to access restricted information or perform restricted operations
Page 13
Threats & Countermeasures: Host (countermeasures)
• Viruses, Trojan horses, and worms: harden weak default configuration settings, anti-virus applications
• Footprinting: disable unused ports and protocols, IDS, "defense in depth"
• Password cracking: strong passwords, lockout policies, audit failed login attempts
• Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
• Unauthorized access: secure web permissions, lock down files and folders
Page 14
Threats & Countermeasures: Application (threats)
• Input validation: cross-site scripting (XSS), SQL injection
• Authentication: dictionary attacks, brute-force attacks
• Session management: session hijacking, man in the middle
• Cryptography: poor key generation or key management, weak or custom encryption
• Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
• Exception management: information disclosure, denial of service
Page 15
Threats & Countermeasures: Application (countermeasures)
• Input validation: validate input, encode user output, use parameterized stored procedures
• Authentication: strong passwords with hashing
• Session management: SSL, an expiration period on the session cookie, HMACs
• Cryptography: a secure encryption system, DPAPI, use proven cryptographic services
• Parameter manipulation: session identifiers, HTTP POST, encrypt query strings, HMACs
• Exception management: exception handling and logging
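The session-management and parameter-manipulation countermeasures above (an expiration period, HMACs) come together in one signed, expiring token; the Python below is an added example, not code from the presentation, and SECRET_KEY, the parameter values and the tamper check are constructed for illustration:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a deployment loads a random secret from a key store instead.
SECRET_KEY = b"demo-key-not-for-production"


def sign_params(params: dict, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Serialise params plus an expiry time and append an HMAC-SHA256 tag.

    The token can sit in a session cookie or a query string: later the server
    can prove it issued these exact values and that they are still fresh.
    """
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"p": params, "exp": issued + ttl_seconds}, sort_keys=True).encode()
    tag = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # urlsafe base64 never emits ".", so it is a safe separator between the two parts
    return base64.urlsafe_b64encode(payload).decode() + "." + base64.urlsafe_b64encode(tag).decode()


def verify_params(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the params if the tag verifies and the token has not expired, else None."""
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # malformed token (binascii.Error is a ValueError subclass)
        return None
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a wrong tag leaks nothing through timing
    if not hmac.compare_digest(expected, tag):
        return None
    data = json.loads(payload)
    if (now if now is not None else time.time()) >= data["exp"]:
        return None  # expired: the session or link is no longer honoured
    return data["p"]


def rejects_tampered_price(now: float = 1000.0) -> bool:
    """Constructed check: editing the price inside a signed token must fail verification."""
    token = sign_params({"item": 42, "price": 100}, ttl_seconds=300, now=now)
    _, tag_b64 = token.split(".", 1)
    forged = json.dumps({"p": {"item": 42, "price": 1}, "exp": int(now) + 300}, sort_keys=True).encode()
    forged_token = base64.urlsafe_b64encode(forged).decode() + "." + tag_b64
    return verify_params(forged_token, now=now + 60) is None
```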
Page 16
Summary & Conclusion
Understanding STRIDE makes the application of countermeasures more effective.
Understanding common threats likewise helps prevent them from compromising the application.
Thank You!