Web Application Security - PowerPoint PPT Presentation

1 / 19
About This Presentation
Title:

Web Application Security

Description:

The information contained in this presentation is intended to be ... Victoria's Secret reveals far too much. http://cooltech.iafrica.com/technews/280300.htm ... – PowerPoint PPT presentation

Number of Views:674
Avg rating:3.0/5.0
Slides: 20
Provided by: AllenB59
Category:

less

Transcript and Presenter's Notes

Title: Web Application Security


1
Web Application Security
  • Presented By
  • Allen Brokken GSEC, CSDA

2
Overview
  • Disclaimer
  • Why Should I Care?
  • Open Web Application Security Project
  • OWASP Top Vulnerabilities
  • Conclusion
  • QA

3
Disclaimer
  • The information contained in this presentation is
    intended to be used to educate developers about
    security vulnerabilities commonly found in Web
    Applications.
  • This presentation is not intended as training
    material for those with malicious intent against
    information systems.
  • Exploitation of the vulnerabilities listed in
    this presentation on systems or applications not
    owned or developed by the viewer is illegal in
    jurisdictions worldwide.
  • It is a violation of the University of Missouri
    Acceptable Use policy to transmit these exploits
    across the MU network without explicit permission
    of the system or application owner they are
    directed at.
  • The presenter is a trained professional, dont
    try this at home

4
Why Should I Care?
all users were able to view individual
customers' orders for items of intimate apparel
in which the retailer specializes.
50,000
One clever MySpace user figured out how to
force others to become his friend In less than
24 hours, "Samy" had amassed over 1 million
friends
1,000,000 Profiles
informed its members that their credit card
information might have been compromised after a
Chicago-based hacker cracked the site's code
5000 Credit Card 's
5
Why Should I Care?
  • Common Misconceptions
  • Arent I protected by firewalls or something?
  • I thought you just needed to keep things patched?
  • Im not using Microsoft, so I must be secure.
  • Isnt keeping me secure your job?

6
The Open Web Application Security Project
  • The Open Web Application Security Project (OWASP)
    is dedicated to finding and fighting the causes
    of insecure software.
  • They have chapters world wide and manage multiple
    projects designed to help individuals and
    organizations increase the level of security of
    their applications.
  • http//www.owasp.org

7
OWASP TOP 10
  • 1 Unvalidated Input
  • Information from web requests is not validated
    before being used by a web application. Attackers
    can use these flaws to attack backend components
    through a web application.

8
OWASP TOP 10
  • 2 Broken Access Control
  • Restrictions on what authenticated users are
    allowed to do are not properly enforced.
    Attackers can exploit these flaws to access other
    users' accounts, view sensitive files, or use
    unauthorized functions.

9
OWASP TOP 10
  • 3 Broken Authentication and Session Management
  • Account credentials and session tokens are not
    properly protected. Attackers that can compromise
    passwords, keys, session cookies, or other tokens
    can defeat authentication restrictions and assume
    other users' identities.

10
OWASP TOP 10
  • 4 Cross Site Scripting (XSS) Flaws
  • The web application can be used as a mechanism to
    transport an attack to an end user's browser. A
    successful attack can disclose the end user's
    session token, attack the local machine, or spoof
    content to fool the user.

11
OWASP TOP 10
  • 5 Buffer Overflows
  • Web application components in some languages that
    do not properly validate input can be crashed
    and, in some cases, used to take control of a
    process. These components can include CGI,
    libraries, drivers, and web application server
    components.

12
OWASP TOP 10
  • 5 Buffer Overflows cont.

Memory Manager Table Program
Allocation Your Code 1148-1248 Explorer.exe
1548-5548
Memory
Free Memory
Your Code
Explorer.exe
13
OWASP TOP 10
  • 6 Injection Flaws
  • Web applications pass parameters when they access
    external systems or the local operating system.
    If an attacker can embed malicious commands in
    these parameters, the external system may execute
    those commands on behalf of the web application.

14
OWASP TOP 10
  • 7 Improper Error Handling
  • Error conditions that occur during normal
    operation are not handled properly. If an
    attacker can cause errors to occur that the web
    application does not handle, they can gain
    detailed system information, deny service, cause
    security mechanisms to fail, or crash the server.

15
OWASP TOP 10
  • 8 Insecure Storage
  • Web applications frequently use cryptographic
    functions to protect information and credentials.
    These functions and the code to integrate them
    have proven difficult to code properly,
    frequently resulting in weak protection.

16
OWASP TOP 10
  • 9 Denial of Service
  • Attackers can consume web application resources
    to a point where other legitimate users can no
    longer access or use the application. Attackers
    can also lock users out of their accounts or even
    cause the entire application to fail.

17
OWASP TOP 10
  • 10 Insecure Configuration Management
  • Having a strong server configuration standard is
    critical to a secure web application. These
    servers have many configuration options that
    affect security and are not secure out of the
    box.

18
Practice Sites
  • Starfleet Academy
  • http//academy.dyndns.org
  • HACK This Site
  • http//www.hulla-balloo.com/hack/level1/
  • Next Generation Security Games
  • http//quiz.ngsec.com/
  • WebGoat
  • http//www.owasp.org/software/webgoat.html
  • Requires a Java Virtual Machine be available on
    the local machine, and runs from the local
    machine.
  • HACME Bank / HACME Books
  • http//www.foundstone.com
  • Note you will have to install these on a system
    you can run an appropriate web server on.

19
References
  • Victoria's Secret reveals far too much
  • http//cooltech.iafrica.com/technews/280300.htm
  • Cross-Site Scripting Worm Hits MySpace
  • http//www.betanews.com/article/CrossSite_Scriptin
    g_Worm_Hits_MySpace/1129232391
  • Online political warriors savage opposition Web
    sites
  • http//www.statesman.com/metrostate/content/metro/
    stories/07/14hackers.html
Write a Comment
User Comments (0)
About PowerShow.com