1 / 13

Exploring Web Application Security Techniques

Learn about cookies, sessions, database connections, CGI specifications, HTTP authentication, file uploading, and more for secure web development.

gary-delaney
Télécharger la présentation

Exploring Web Application Security Techniques

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Application Generic Issues. Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.

  2. Content • Cookies • Sessions • Database connection • Persistence connection • HTTP header • HTTP authentication • File Uploading • CGI Specification

  3. Cookies • PERSISTENT CLIENT STATE • Set-Cookie HTTP Response Set-Cookie: NAME=VALUE; expires=DATE;path=PATH; domain=DOMAIN_NAME; secure • HTTP Request Header Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2 ...

  4. Sessions • Preserve certain data across subsequent accesses • Cookies Mechanism

  5. Database Connection • CGI Application Interface to Database • Each Web Connection with particular Database Connection

  6. Persistent Database Connections • links that do not close when the execution of your script ends • same host, with the same username and the same password • Require extra-ordinary Server Configuration.

  7. HTTP Basic Access Authentication • Header Part (Server). WWW-Authenticate: Basic realm=“Test Authentication System” HTTP/1.0 401 Unauthorized • Header Part (Client) Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== userid ":" password (Base-64 Encoder) • Whole Site Authentication. • Base-64 Encoder

  8. Base 64 Encoder • 3x8bit to 4x6bit

  9. Header Part (Server). HTTP/1.1 401 Unauthorized WWW-Authenticate: Digest realm="testrealm@host.com", qop="auth,auth-int", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41” Level Support MD5 Encoder (More Secure) Header Part(Client) Authorization: Digest username="Mufasa", realm="testrealm@host.com", nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", qop=auth, nc=00000001, cnonce="0a4f113b", response="6629fae49393a05397450978507c4ef1", opaque="5ccc069c403ebaf9f0171e9517f40e41" HTTP Digest Access Authentication

  10. File Uploading • PUT method (used by clients such as Netscape Composer and W3C Amaya) • PUT /path/filename.html HTTP/1.1 • Form POST Method <form enctype=“multipart/form-data” action="_URL_" method="post"> <input type="hidden" name="MAX_FILE_SIZE" value="1000"> Send this file: <input name="userfile" type="file"> <input type="submit" value="Send File"> </form>

  11. Environment SERVER_SOFTWARE SERVER_NAME GATEWAY_INTERFACE SERVER_PROTOCOL SERVER_PORT REQUEST_METHOD PATH_INFO PATH_TRANSLATED SCRIPT_NAME QUERY_STRING REMOTE_HOST REMOTE_ADDR AUTH_TYPE REMOTE_USER REMOTE_IDENT CONTENT_TYPE CONTENT_LENGTH HTTP_ACCEPT HTTP_USER_AGENT Command Line http://www…./test?hello Execute ‘test hello’ CGI 1.1 Specification

  12. Standard Input POST or PUT Standard Output (No server directives) Content-type Location (status line) Example HTTP/1.0 200 OK Server: NCSA/1.0a6 Content-type: text/plain [Data] Simple CGI with Sheel Script #! /bin/sh echo "Content-type: text/plain" echo "" echo "Hello World"; set CGI 1.1 Specification (cont.)

  13. Reference • Ref : http://wp.netscape.com/newsref/std/cookie_spec.html • http://www.w3c.org • HTTP Authentication: Basic and Digest Access Authentication (RFC 2617) • http://hoohoo.ncsa.uiuc.edu/cgi/interface.html

More Related