![Page 1: 1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru](https://reader036.vdocument.in/reader036/viewer/2022081603/5697bfc41a28abf838ca6456/html5/thumbnails/1.jpg)
ECE 4112 Internetwork Security: Web Application Security
28 April 2005
John Owens
Shantan Pesaru
Overview
- Define Web Applications
- Importance of Web Application Security
- Framework for secure Web Applications
- Attacks and vulnerabilities on Web Applications
- Client/server verification (pros/cons)
- Secure Programming
- Tools (SPI Dynamics' WebInspect, ISS)
Web Applications: What are they?
- An application generally comprised of a collection of scripts that reside on a web server.
- Interact with databases or other sources of dynamic content.
- Examples include: webmail, online banking, portal systems, etc.
Good Programming = Good Security
Importance of Web Application Security
- Web Apps are becoming more prevalent and more sophisticated.
- Critical to online transactions and information processing.
- Protecting privacy and following regulation such as HIPAA and Sarbanes-Oxley.
Framework for Web Application Security
- Framework for web developers to develop secure code.
- Involves identifying and implementing responses to existent security issues.
- S.W.A.T. (Secure Web Applications through Testing)
Web Application Pitfalls
Types of Attacks and Vulnerabilities
- SQL Injection Attacks
- Improper input verification
- Default methods
- Form processing methods: GET & POST / Querystring information
- "ELSE" programming
- Educated Guessing
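The first and fifth bullets above, shown side by side in working code. This is an added example, not code from the lecture or the lab: the table, the two accounts and the credential strings are constructed for the demonstration, and "ELSE" programming is read here as writing only the expected branch of a check so that the failure case falls through to whatever default was set earlier. `login_vulnerable` builds the query by string concatenation, so the attacker's input is parsed as SQL; `login_parameterized` binds the same input as data. `access_fail_open` and `access_fail_closed` show how the missing else branch turns a failed login into a granted one.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table so the example runs offline (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 'student')")
    conn.execute("INSERT INTO users VALUES ('registrar', 'hunter2', 'admin')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: quotes and comments in the input become SQL syntax."""
    query = ("SELECT username, role FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()   # (username, role) on a match, else None


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: the driver never parses the input as SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


def access_fail_open(conn, username, password):
    """'ELSE' programming: the default is set for the common case and only the
    error branch is written, so a failed login still returns the default."""
    access = "granted"
    row = login_parameterized(conn, username, password)
    if row is None:
        message = "Login failed"        # reports the failure but never revokes access
    return access                        # "granted" even when row is None


def access_fail_closed(conn, username, password):
    """Deny by default and grant only on the explicit success branch."""
    access = "denied"
    row = login_parameterized(conn, username, password)
    if row is not None:
        access = "granted"
    else:
        access = "denied"                # the else branch exists and is the safe one
    return access


if __name__ == "__main__":
    conn = make_db()
    # Comment out the rest of the WHERE clause: logs in as 'registrar' without a password.
    print(login_vulnerable(conn, "registrar' --", "anything"))
    # Tautology in the password field: matches every row, first one is returned.
    print(login_vulnerable(conn, "nobody", "' OR '1'='1"))
    # The same payloads against the parameterized query match nothing.
    print(login_parameterized(conn, "registrar' --", "anything"))
    print(access_fail_open(conn, "alice", "wrong"), access_fail_closed(conn, "alice", "wrong"))
```

Note that the parameterized version does not strip or escape anything: the fix is keeping code and data in separate channels, which is why "validate all input" on a later slide is a second line of defence and not a replacement for it.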
Mechanisms of Vulnerability Discovery
- Server fingerprinting
  - Determine capabilities
  - Determine technology
- Using Error Messages
  - IE – disable friendly error messages
  - Deliberate access of wrong pages
- Observing behavior in the presence of unexpected variables
Mechanisms of Vulnerability Protection
- Brute force lockouts
- Re-authenticate when necessary
- Encrypt databases (prevent download)
- Strong file/directory naming convention
- Session-based authentication and access
- Validate all input no matter how trivial
- TEST, TEST, TEST
- Don't rely solely on the client
- Never pass in headers/auto-fill critical info
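The first bullet, brute force lockouts, as an added example that is not part of the lecture. The counter, window and lockout values, the `FakeClock` helper and the single test credential are constructed for the demonstration. The guard refuses the attempt before it checks the password once an account is locked, so an attacker who guesses the right password during the lockout learns nothing, and a failed-attempt count older than the window is discarded so a legitimate user is not locked out by a handful of mistakes spread over a day.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0            # consecutive failures inside the current window
    first_failure_at: float = 0  # start of the current window
    locked_until: float = 0      # epoch seconds; 0 means not locked


class LoginGuard:
    """Wraps a password check with a per-account failed-attempt lockout."""

    def __init__(self, check_password, max_failures=5, window=300.0,
                 lockout=900.0, clock=time.time):
        self._check = check_password      # callable(username, password) -> bool
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.now = clock                  # injectable so the lockout can be tested
        self._state = {}

    def attempt(self, username, password):
        """Returns "ok", "denied" or "locked"."""
        now = self.now()
        st = self._state.setdefault(username, AccountState())
        if now < st.locked_until:
            return "locked"               # do not even evaluate the password while locked
        if st.failures and now - st.first_failure_at > self.window:
            st.failures = 0               # old failures have aged out
        if self._check(username, password):
            st.failures = 0
            return "ok"
        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout
            st.failures = 0
            return "locked"
        return "denied"


class FakeClock:
    """Constructed clock for the demonstration; advance .t to simulate waiting."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    guard = LoginGuard(lambda u, p: (u, p) == ("alice", "correct horse"),
                       max_failures=3, window=60, lockout=120, clock=clock)
    for guess in ("a", "b", "c"):
        print(guess, guard.attempt("alice", guess))      # denied, denied, locked
    print(guard.attempt("alice", "correct horse"))        # locked: right password, still refused
    clock.t += 121
    print(guard.attempt("alice", "correct horse"))        # ok after the lockout expires
```

A per-account lockout is also a denial-of-service lever: anyone who knows a username can lock it. In practice it is paired with a per-source-address limit, an increasing delay, or a CAPTCHA rather than used alone, and the lockout event is logged so the operations team sees the attempt.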
Client/Server Side Validation Scripts
Pros
- Immediate response
- Give server a break
- High user interaction
Cons
- Easily bypassed
- Puts security in user's hands
- No database connectivity to verify authentication data
SOLUTION = Client + Server Redundancy
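The server half of "Client + Server Redundancy", as an added example that is not part of the lecture or the lab. A client-side script can check a tuition payment form for a positive amount, but the attacker simply posts the request without the script, so the server re-does every check against data it controls. The session table, the balance-due table, the allowed field names and the posted bodies are all constructed for the demonstration; the student id comes from the authenticated session rather than from a hidden form field, and a request that repeats a parameter or carries a field the form never had is rejected outright.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed server-side state; in a real application this lives in the database.
SESSIONS = {"sess-abc": "gt1234"}                 # session id -> authenticated student id
BALANCE_DUE = {"gt1234": Decimal("1500.00")}      # what each student actually owes
ALLOWED_FIELDS = {"amount", "card"}                # exactly the fields the form contains


def luhn_ok(digits):
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_payment(session_id, body):
    """Re-validate a posted payment form on the server. Returns (accepted, reason)."""
    student = SESSIONS.get(session_id)
    if student is None:
        return False, "not authenticated"
    pairs = parse_qs(body, keep_blank_values=True)
    if any(len(v) != 1 for v in pairs.values()):
        return False, "duplicate parameter"      # no parameter-pollution ambiguity
    form = {k: v[0] for k, v in pairs.items()}
    unexpected = set(form) - ALLOWED_FIELDS
    if unexpected:
        return False, "unexpected field: " + ",".join(sorted(unexpected))
    missing = ALLOWED_FIELDS - set(form)
    if missing:
        return False, "missing field: " + ",".join(sorted(missing))
    try:
        amount = Decimal(form["amount"])
    except InvalidOperation:
        return False, "amount not a number"
    if not amount.is_finite() or amount.as_tuple().exponent < -2:
        return False, "amount must have at most two decimal places"
    if amount <= 0:
        return False, "amount must be positive"   # the "free tuition and a refund" case
    if amount > BALANCE_DUE[student]:
        return False, "amount exceeds balance due"
    card = form["card"]
    if not (card.isdigit() and 13 <= len(card) <= 19 and luhn_ok(card)):
        return False, "card number malformed"
    return True, "charge %s to student %s" % (amount, student)


if __name__ == "__main__":
    good = "amount=250.00&card=4111111111111111"          # what the client-side script allows
    tampered = "amount=-500&card=4111111111111111"        # posted with the script removed
    injected = good + "&student=gt9999"                    # extra field the form never had
    for body in (good, tampered, injected):
        print(validate_payment("sess-abc", body))
```

The allowlist of field names is what makes the check robust: the server states which inputs exist and what each one may contain, instead of trying to enumerate what an attacker might add. Everything the client script did is repeated here, and the numbers that matter (who is paying, how much is owed) never come from the request at all.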
What you will do in the lab
Exploit vulnerabilities in a realistic web application to:
- Get accepted to Georgia Tech
- Register for classes before timeticket
- Get tuition paid for free and a check back
- Change your grades to something "more appealing"
QUESTIONS?