
Web Application Security


cassd


Presentation Transcript


  1. Web Application Security

  2. Introduction • Security, for the purposes of this talk, is the process of authenticating users and then controlling (authorising) what each authenticated user can see or do

  3. 3-tier architecture • Web Browser (client) → Web Server → DB Server

  4. Some Internet Security Protocols • Application layer security: electronic mail security with PGP (Pretty Good Privacy) and S/MIME (Secure Multi-Purpose Internet Mail Extensions) • Transport layer security: SSL/TLS (Secure Sockets Layer / Transport Layer Security), SSH (Secure Shell) • Network layer security: IPsec (IP Security) • Infrastructure protection: DNSSEC (DNS Security Extensions), SNMPv3 security (Simple Network Management Protocol version 3)

  5. How do you measure security? • Does 128-bit encryption make you feel safer?

  6. The client • A common web browser • Communicates with the server over HTTP (GET, POST, PUT) • HTML markup describes the layout of pages • Scripting languages built into the client control client-side content and communicate with the server dynamically • Cookies store state between requests

  7. The server • Parses HTTP requests from the client and responds accordingly • Either sends a static HTML page, or • Processes the query data and sends back a dynamically produced page to the client

  8. The web server • Common examples: Apache, IIS • These servers, and the hosts they run on, have their own security problems • Server-side programming: Perl, ASP (JScript/VBScript), PHP, C

  9. The DBMS • Queried with SQL • Common DBMS: Microsoft SQL Server, Oracle, MySQL, DB2 • These DBMS also have their own security problems

  10. Attacks • On the server • Using "out of the box" security holes (default sample files, bundled extensions) to gain escalated privileges or execute commands on the server • Making the server do something it is not supposed to do • Examples: ColdFusion sample pages, Showcode.asp, FrontPage Server Extensions, etc. etc. etc.

  11. Attacks • Through holes found using a common security scanner • Scanners simply request a fixed file name and check whether the file exists • They assume the exploitable file or server has not been patched, so they produce false positives • Old techniques, but effective • EASY to protect against: remove the sample files, apply the patches

  12. Attacks • On out of the box applications • Attacker can setup and audit the application in their own environment • If one goes down, they all do • Targets of common scanners
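The scanner technique in slides 10 to 12, as an added example that is not part of the original presentation: a minimal "does this file exist" scanner, plus the check a real scanner needs to avoid the false positives the slide mentions. Before probing the known paths it requests a random path that cannot exist; if the server answers 200 to that too (a "catch-all" server that returns a friendly page for every URL), every hit is flagged as suspect. The showcode.asp path is the IIS sample file named on the slide; the other two paths are illustrative entries for the ColdFusion and FrontPage examples and are assumed here, as are the three stand-in servers.

```python
import secrets
import urllib.error
import urllib.request

# Paths a classic scanner probes for. showcode.asp is the IIS sample named on
# the slide; the other two are assumed, illustrative entries for the
# ColdFusion and FrontPage examples, not a verified vulnerability list.
KNOWN_PATHS = [
    "/msadc/Samples/SELECTOR/showcode.asp",
    "/cfdocs/expeval/openfile.cfm",
    "/_vti_bin/shtml.dll",
]


def scan(fetch, paths=KNOWN_PATHS):
    """Probe each path with fetch(path) -> HTTP status code.

    Returns a dict with the paths that answered 200 and a 'catch_all' flag.
    The flag is set when a random, impossible path also returns 200, which
    means the server answers 200 for everything and the hits are worthless.
    """
    probe = "/" + secrets.token_hex(8) + ".asp"   # cannot exist on any real server
    catch_all = fetch(probe) == 200
    hits = [p for p in paths if fetch(p) == 200]
    return {"catch_all": catch_all, "hits": hits}


def http_fetcher(base_url, timeout=5):
    """Build a real fetch() for scan() using HEAD requests against base_url.

    Not used by the offline demo below; provided so the scanner can be run
    against a host you are authorised to test.
    """
    def fetch(path):
        req = urllib.request.Request(base_url + path, method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as exc:
            return exc.code
    return fetch


# Constructed stand-ins for three servers so the example runs offline:
def patched_server(path):
    """Sample files removed: nothing on the list exists."""
    return 404


def unpatched_server(path):
    """Default install with the IIS sample directory still present."""
    return 200 if path == "/msadc/Samples/SELECTOR/showcode.asp" else 404


def catch_all_server(path):
    """Misconfigured server that returns 200 with an error page for any URL."""
    return 200


def demo():
    """Run the scanner against the three stand-ins and report the results."""
    return {
        "patched": scan(patched_server),
        "unpatched": scan(unpatched_server),
        "catch_all": scan(catch_all_server),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        verdict = "UNRELIABLE (server answers 200 to everything)" if result["catch_all"] else "ok"
        print(f"{name:10s} hits={result['hits']} baseline={verdict}")
```

The baseline probe is the whole point: a scanner that only requests fixed names, as the slide describes, cannot tell a vulnerable server from one configured to return 200 for every URL, and a hit on an unpatched server still has to be confirmed by hand (for showcode.asp, by actually retrieving a file through it).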

  13. Attacks • On custom applications • More difficult to audit, since the attacker has no copy of the code • "Black box" auditing techniques • Looks for the common, avoidable mistakes

  14. Case one • IIS security hole used to view ASP source code • Database connection settings extracted from the source • SQL Server exposed directly to the Internet • Credentials from the server-side scripts used to connect to the database server

  15. Case two • ASP page not filtering its input • Attacker able to directly manipulate the SQL query • Manipulating the SQL query extracts a valid cookie and creates the password

  16. The problems? • Unfiltered user input • User data is not checked and can be crafted to manipulate processing on the server, revealing file contents or bypassing checks to gain access • A backdoor straight to the Crown Jewels
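Case two and the "unfiltered user input" problem above, as an added example that is not part of the original presentation. The vulnerable function mirrors the classic ASP pattern of splicing form fields into the SQL text; the second function is the parameterised form. The database, the users and the session cookies are constructed in memory with sqlite3 as a stand-in for the SQL Server behind the ASP page, and the injection payloads are the textbook ones.

```python
import sqlite3

# Constructed sample data standing in for the site's user table.
SAMPLE_USERS = [
    ("alice", "s3cret", "SESSION=alice-7f3a"),
    ("admin", "correct-horse", "SESSION=admin-91b2"),
]


def make_db():
    """In-memory SQLite database with a users table (constructed test data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, session_cookie TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The ASP anti-pattern: form fields concatenated into the SQL string.

    Whatever the user typed is parsed as SQL, so quotes and comment markers
    rewrite the query. Returns the session cookie of the first matching row.
    """
    sql = ("SELECT session_cookie FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values as data, never as SQL."""
    sql = "SELECT session_cookie FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the same credentials through both versions and collect the outcomes."""
    conn = make_db()
    # Payload 1: comment out the password check, log in as a chosen user.
    user_comment = "admin' --"
    # Payload 2: make the WHERE clause true for every row (AND binds tighter than OR).
    pw_tautology = "' OR '1'='1"
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_comment": login_vulnerable(conn, user_comment, "wrong"),
        "vuln_tautology": login_vulnerable(conn, "nobody", pw_tautology),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
        "safe_comment": login_safe(conn, user_comment, "wrong"),
        "safe_tautology": login_safe(conn, "nobody", pw_tautology),
    }


if __name__ == "__main__":
    for name, cookie in demo().items():
        print(f"{name:15s} -> {cookie}")
```

With the concatenated query, `admin' --` turns the statement into `... WHERE username = 'admin' --' AND password = 'wrong'` and hands back the admin's cookie, exactly the "valid cookie" outcome in case two; the tautology payload returns the first row in the table. The parameterised version rejects both because the payload is compared as a literal string. Filtering input helps, but binding parameters is what removes the class of bug.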

  17. The enablers • Reliance on cryptography alone for security • Security through obscurity • Poor development practices • Inexperienced developers • Limited resources • Lack of awareness • No monitoring or response plan

  18. The solution(s) • Good initial setup (remove sample files and defaults) • Secure programming practices (validate input, parameterise queries) • Internal audits • Awareness • Updates, patches and hotfixes

  19. The solution(s) • Intrusion detection • Network design • System architecture

  20. Security analogy: the castle • Moat / main gate: outer perimeter controlling access to the castle • Inner perimeter: stronghold with higher walls; the space between the outer and inner perimeters is a containment area • Keep: the last building in the castle to fall

  21. The analogy applied to Internet security • Outer perimeter: Internet-facing firewall in front of the DMZ • Containment area: the DMZ • Inner perimeter: internal firewall between the DMZ and the internal network • Stronghold: the internal network • Keep: mission-critical systems, the Crown Jewels
