web app security

Secure Java Coding Practices Araf Karsh Hamid June, 2006

Post on 15-Jan-2015

TRANSCRIPT

Page 1: Web app security

Secure Java Coding Practices
Araf Karsh Hamid
June, 2006

Page 2: Web app security

Agenda

- Rich Internet Applications: History, Architecture, Nothing New
- Security: Threats, Vulnerabilities & Defense; Web Application Firewalls; Web Application Security Concerns
- Secure Java Coding Practices

Page 3: Web app security

Rich Internet Apps – History

Page 4: Web app security

Rich Internet Apps

AJAX vs. Traditional Web Applications

Page 5: Web app security

Security

- Threats, Vulnerabilities & Defense
- Web Application Firewalls
- Web Application Security Concerns

Page 6: Web app security

Threats, Vulnerabilities & Defense

Page 7: Web app security

Web Security

Web Application Firewalls

Page 8: Web app security

Web Application Security & Secure Java Coding Practices

Page 9: Web app security

Top 10 Web Vulnerabilities

1. Unvalidated Inputs
2. Cross-Site Scripting (XSS)
3. Injection Flaws
4. Improper Error Handling
5. Broken Authentication and Session Management
6. Insecure Direct Object References
7. Cross-Site Request Forgery (CSRF)
8. Security Misconfiguration
9. Insecure Cryptographic Storage
10. Failure to Restrict URL Access
11. Insufficient Transport Layer Protection

Page 10: Web app security

Un-validated Input

- An attacker can change any value of the input submitted to the web server.
- Re-validate all inputs at the server.
- Take only the necessary information (user input) from a form submission.

Page 11: Web app security

Un-validated Input (Problem)

Page 12: Web app security

Unvalidated Input (Fixed)

Page 13: Web app security

Cross Site Scripting

Attacker
- Injects code into the input data
- Hides malicious code with Unicode

Counter measures
- Input validation
- Input length check

Page 14: Web app security

Cross Site Scripting (Problem)

Page 15: Web app security

Cross Site Scripting (Fixed)

Page 16: Web app security

SQL Injection

Attacker
- Can inject system commands
- Can inject other SQL
- Can override access checks

Examples
- Add more commands: "; select * from users;"
- Override access: "' OR 1=1;"

Counter Measures
- Use prepared statements in SQL
- Run with limited privileges
- Filter / validate the input

Page 17: Web app security

SQL Injection (Problem)

Page 18: Web app security

SQL Injection (Fixed)
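The Problem and Fixed slides survive only as their titles, so the Java class below is an added example (not the deck's own code) contrasting the concatenated query with the PreparedStatement the slide recommends. It assumes a JDBC Connection to a database with a users table that has a name column, and the username whitelist pattern is a constructed assumption.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class UserLookup {

    // Constructed whitelist for the slide's "filter / validate the input" step:
    // a login name is 1-32 letters, digits, dot, underscore or hyphen (assumption).
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9._-]{1,32}$");

    // PROBLEM: the caller's string becomes part of the SQL text. The slide's
    // payload  ' OR 1=1;  turns the WHERE clause into a tautology and the query
    // returns every user; on drivers that allow batched statements, a trailing
    // "; select * from users;" runs as a second query.
    static List<String> findUserUnsafe(Connection conn, String username) throws SQLException {
        String sql = "SELECT name FROM users WHERE name = '" + username + "'";
        List<String> names = new ArrayList<>();
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            while (rs.next()) {
                names.add(rs.getString("name"));
            }
        }
        return names;
    }

    // FIXED: the SQL text is a constant with a placeholder; the user value is
    // bound as data by the JDBC driver and is never parsed as SQL, whatever
    // quotes or semicolons it contains. Whitelist validation is a second layer.
    static List<String> findUser(Connection conn, String username) throws SQLException {
        if (username == null || !USERNAME.matcher(username).matches()) {
            throw new IllegalArgumentException("invalid username");
        }
        String sql = "SELECT name FROM users WHERE name = ?";
        List<String> names = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, username);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    names.add(rs.getString("name"));
                }
            }
        }
        return names;
    }
}
```

The slide's third counter measure, running with limited privileges, is a database-side control: the account behind the Connection should hold only the SELECT grant this query needs, so even a successful injection cannot read or alter other tables.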

Page 19: Web app security

Improper Error Handling

Attacker
- Gets system information
- Gets database information

Examples
- Stack (thread) traces
- Database dump

Counter Measures
- Sanitize the error message
- Avoid sending stack traces to the end user
- Customize error pages (HTTP errors, 404 etc.)

Page 20: Web app security

Improper Error Handling (Problem)

Page 21: Web app security

Improper Error Handling (Fixed)

Page 22: Web app security


Questions?