Web Application Security
by Example (for LAMP)
Arpee Ong
Who Am I?

Name: Richard Peter Ong a.k.a. Arpee
Work: Lead Developer, Internal Projects at SysIQ Inc.
Open Source Affiliations:
  a.) core developer, MiaCMS
Who Are You?

✔ PHP Developers/Programmers
✔ L/U/W AMP SysAdmins
✔ IT Managers and Practitioners
✔ Geeks and hackers..
Scope and Coverage:

 ● Securing a Basic U/L AMP Server
 ● Web Application Attacks: Description, Samples and Prevention
WHAT IS A WEB APPLICATION?
✔ Any application that is served, commonly via the HTTP or HTTPS protocol
✔ Usually served from a remote computer acting as a host/server
WHAT IS SECURITY?
✔ A state of being free from damage and from being compromised
✔ A condition of being protected against danger or loss
Levels of WebApp Security:
✔   Server Level
✔   Application Level
Server Level Security:
✔ The Box(es) (physical or virtual server(s))
✔ httpd (Apache)
✔ mysqld (MySQL)
✔ PHP
Secure the Box:
✔   Filesystem
✔   Firewall
Filesystem::
File Ownership and Permission
 ✔ Folders should be 0755
 ✔ Files should be 0644
 ✔ Files and Folders under the Document Root should be owned by the Apache User
 ✔ 666 is evil in the web world; well, so is 777.
Filesystem::
How to Set Permissions
 ✔   Folders
     chmod 0755 {directory}
 ✔   Files
     chmod 0644 {files}
Filesystem::
How to Set Ownership
 ✔   Files/Folders
 chown -R {apache_user} {document_root}
Firewall::
Opened Ports
 ✔ Port 80    Web/HTTP
 ✔ Port 443   Web/HTTPS
 ✔ Port 21    FTP
 ✔ Port 22    SSH
 ✔ Port 25    SMTP (outgoing)
 ✔ Port 110   POP (inbound)
 ✔ Port 3306  MySQL Daemon
Secure httpd (Apache):
✔ Set an apache user
✔ Do not run apache as root
✔ 3rd Party Tools:
     ✔ ModSecurity
       http://www.modsecurity.org/
Secure the mysqld (MySQL):
✔ Set root (admin) password
✔ Rename the root (admin) account
✔ Restrict Network Access
✔ Use SSH Tunneling/Port Forwarding if necessary
MySQL::
Set Admin Password

 mysql -u root
 mysql> SET PASSWORD FOR root@localhost=PASSWORD('password');
 mysql> FLUSH PRIVILEGES;
MySQL::
Change Admin Username

 mysql -u root -p{PASSWORD}
 mysql> USE mysql;
 mysql> UPDATE user SET user="mydbadmin" WHERE user="root";
 mysql> FLUSH PRIVILEGES;
MySQL::
Why Restrict Network Access?
 ✔ Usually only your web application needs access to the MySQL Server, NOTHING ELSE.
MySQL::
How to Restrict Network Access?
 ✔ Open my.cnf
 ✔ Add the skip-networking parameter to the [mysqld] or [mysqld_safe] section (depending on which you are using)
MySQL::
How to tunnel mysql via ssh?
 ssh -N -f -L 3306:localhost:3306 user@mysql_server.com

  -N   Do not execute a remote command (useful for port forwarding only)
  -f   Run in background
  -L   port:host:hostport (forward a local port to host:hostport on the remote side)
Secure php.ini (PHP):
✔ disable_functions
✔ register_globals=off
✔ allow_url_fopen=on/off
✔ allow_url_include=off
✔ 3rd Party Tools:
     ✔ Suhosin
       http://www.hardened-php.net/suhosin/
PHP::
Functions to disable
 ✔ exec() - executes a command
 ✔ passthru() - executes a command and displays its raw output
PHP::
Register Globals
 ✔ DO NOT ENABLE register_globals
 ✔ Write your apps to use the SuperGlobals ($_GET, $_POST, $_REQUEST and $_SERVER) instead when initializing variables and their values.
PHP::
allow_url_fopen, allow_url_include

 ✔ allow_url_fopen - if set to on, allows URLs to be treated as files
 ✔ allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.
PHP::
Misuse of register_globals, allow_url_fopen and allow_url_include altogether >>
 ✔ SEE remote file inclusion attacks..
Application Level Security::
Attack Samples and Prevention
 ✔   Remote File Inclusion
 ✔   Form Spoofing
 ✔   XSS (Cross-Site Scripting)
 ✔   CSRF (Cross-Site Request Forgery)
 ✔   SQL Injection
 ✔   Session Fixation
Application Level Security::
Remote File Inclusion

 Description:
 A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his liking against the target web application.
Application Level Security::
Remote File Inclusion

 Possible Damage:
 ● Expose/Modify variable values of the script doing the include()
 ● Expose stored credentials, eg. MySQL user/pass from a webapp configuration file
Application Level Security::
Remote File Inclusion

 Vectors:
 ● User-controllable value of a variable passed to include() or require()
Application Level Security::
Remote File Inclusion

 Prevention:
 ● Disable register_globals
 ● Disable allow_url_fopen
 ● Disable allow_url_include
 ● Do not include() from a dynamic variable with a user-controllable value
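One way to apply that last bullet, as an added example that is not part of the original slides: the requested page name is looked up in a fixed allow-list, so the user-supplied value never reaches include() itself. PAGE_MAP, the function names and the temporary template files are this example's own assumptions.

```php
<?php
// Added example (not from the slides): resolving an include target through an
// allow-list instead of passing a user-controlled value to include().
// PAGE_MAP, resolve_page() and render_page() are this example's own names.
declare(strict_types=1);

// Public page names mapped to files on disk. Anything not in this map is refused.
const PAGE_MAP = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the template to include for $requested, or
 * null when the name is not on the allow-list. The raw value is never used
 * as a path, so "http://..." (remote inclusion) and "../.." (local traversal)
 * inputs have nothing to act on.
 */
function resolve_page(string $requested, string $templateDir): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;
    }
    return $templateDir . DIRECTORY_SEPARATOR . PAGE_MAP[$requested];
}

/** Render a page: include the allow-listed file, or fall back to 'home'. */
function render_page(string $requested, string $templateDir): string
{
    $path = resolve_page($requested, $templateDir) ?? resolve_page('home', $templateDir);
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// Constructed demo: two template files in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rfi_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . '/home.php', '<h1>Home</h1>');
file_put_contents($dir . '/contact.php', '<h1>Contact</h1>');

// Constructed inputs: one legitimate name and two inclusion attempts.
$inputs = [
    'contact',
    'http://example.com/remote.txt',
    '../../etc/passwd',
];
foreach ($inputs as $in) {
    $resolved = resolve_page($in, $dir);
    printf("%-32s -> %s\n", $in, $resolved === null ? 'REFUSED (home is served)' : $resolved);
    echo render_page($in, $dir), "\n";
}

// Clean up the constructed files.
unlink($dir . '/home.php');
unlink($dir . '/contact.php');
rmdir($dir);
```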
Application Level Security::
Form Spoofing

 Description:
 A type of attack where an HTML Form is mimicked or copied and then submitted from a location different from the original.
Application Level Security::
Form Spoofing

 Possible Damage:
 ● Bypass client-side validation
 ● Mass data insertion resulting in a flood (eg. flooded guestbooks, forum boards etc.)
Application Level Security::
Form Spoofing

 Vectors:
 ● No Form Tokens present, thus all requests thrown at the accepting script are considered valid
Application Level Security::
Form Spoofing

 Prevention:
 ● Tokenize the form
 ● [optional] Check Referrer
Application Level Security::
XSS

 Description:
 Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application.
Application Level Security::
XSS

 Possible Damage:
 ● Steal/Fixate browser cookies and direct to another page
 ● Redirect user to another page
 ● Mess up the format of a web application page
Application Level Security::
XSS

 Vectors:
 ● Unfiltered input forms
Application Level Security::
XSS

 Prevention:
 ● "Do Not Trust User Input" is not enough, I say: Make User Input Trustable
 ● Filter incoming data
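What "making user input trustable" looks like for a guestbook entry, as an added example that is not from the original slides: an input-side filter limits what gets stored, and output escaping with htmlspecialchars() keeps whatever is stored from being interpreted as markup. The function names and the sample post are this example's own.

```php
<?php
// Added example (not from the slides): "filter incoming data" on the way in
// and escape on the way out, so a guestbook entry cannot carry script into
// the page. Function names (html, clean_comment, render_entry) are this
// example's own.
declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted attribute. */
function html(string $value): string
{
    // ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string and silently dropping content.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Input-side filter for a free-text comment: remove markup and control
 * characters and cap the size. This limits what gets stored; html() on
 * output is what actually keeps the browser from executing anything.
 */
function clean_comment(string $raw, int $maxBytes = 500): string
{
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $text) ?? '';
    return substr(trim($text), 0, $maxBytes);
}

/** Build the guestbook entry; every dynamic value goes through html(). */
function render_entry(string $author, string $comment): string
{
    return '<div class="entry" data-author="' . html($author) . '">'
         . '<b>' . html($author) . '</b>: ' . html($comment) . '</div>';
}

// Constructed sample input imitating a malicious guestbook post: the author
// tries to break out of the attribute, the comment carries a script tag.
$author  = '"><img src=x onerror=alert(1)>';
$comment = 'Nice site <script>alert(document.cookie)</script>';

$unescaped = '<div class="entry" data-author="' . $author . '"><b>' . $author . '</b>: ' . $comment . '</div>';
$escaped   = render_entry($author, clean_comment($comment));

echo "Unescaped output (script would run):\n", $unescaped, "\n\n";
echo "Escaped output (rendered as text):\n", $escaped, "\n";
```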
Application Level Security::
CSRF

 Description:
 Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) HTTP requests.
Application Level Security::
CSRF

 Possible Damage:
 ● Make the victim execute an operation on a web application without his knowledge while being validly authenticated (eg. change account details, logout, spam etc.)
Application Level Security::
CSRF

 Vectors:
 ● XSS Vulnerabilities
 ● Untokenized forms
 ● Usage of $_GET for operations where $_POST may be best suited
Application Level Security::
CSRF

 Prevention:
 ● Use $_POST instead of $_GET and/or $_REQUEST
 ● Filter incoming data
 ● Tokenize
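A per-session form token covering both the Form Spoofing prevention ("Tokenize the form", optional Referrer check) and the CSRF prevention above ("Use $_POST", "Tokenize"), as an added example that is not from the original slides. The function names, TOKEN_TTL and the $session array standing in for $_SESSION are this example's own assumptions.

```php
<?php
// Added example (not from the slides): single-use, session-bound form tokens
// for the "Tokenize the form" / "Use $_POST instead of $_GET" advice.
// Function names, TOKEN_TTL and the $session array are this example's own;
// in a real application $session is $_SESSION.
declare(strict_types=1);

const TOKEN_KEY = 'form_tokens';
const TOKEN_TTL = 1800; // seconds a token stays valid (assumption: 30 minutes)

/** Create a fresh token, remember it server-side and return it for the form. */
function issue_form_token(array &$session, string $formName, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $session[TOKEN_KEY][$formName][$token] = $now;
    return $token;
}

/** Hidden field that carries the token back in the POST body. */
function token_field(string $token): string
{
    return '<input type="hidden" name="_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Accept a submission only if it is a POST carrying an unexpired token that
 * this session issued for this form. Tokens are burned on first use.
 * Returns the reason for rejection, or null when the request is acceptable.
 */
function check_form_request(array &$session, string $formName, string $method,
                            array $post, int $now, string $referer = '',
                            string $expectedHost = ''): ?string
{
    if ($method !== 'POST') {
        return 'method is not POST';
    }
    $token  = (string) ($post['_token'] ?? '');
    $issued = $session[TOKEN_KEY][$formName] ?? [];
    foreach ($issued as $known => $time) {
        if (hash_equals((string) $known, $token)) {   // constant-time compare
            unset($session[TOKEN_KEY][$formName][$known]);
            if ($now - $time > TOKEN_TTL) {
                return 'token expired';
            }
            // The slides' optional Referrer check: reject only when a Referer
            // is present and names another host (it is often absent).
            if ($referer !== '' && $expectedHost !== ''
                && parse_url($referer, PHP_URL_HOST) !== $expectedHost) {
                return 'referer host mismatch';
            }
            return null;
        }
    }
    return 'missing or unknown token';
}

// Constructed walkthrough: issue a token, then try four kinds of submission.
$session = [];
$now     = time();
$token   = issue_form_token($session, 'guestbook', $now);
echo token_field($token), "\n";

$cases = [
    'legitimate POST'   => ['POST', ['msg' => 'hi', '_token' => $token], 'https://app.example/guestbook'],
    'replayed token'    => ['POST', ['msg' => 'hi', '_token' => $token], 'https://app.example/guestbook'],
    'spoofed form'      => ['POST', ['msg' => 'spam'], 'https://other.example/'],
    'CSRF via GET link' => ['GET',  ['msg' => 'spam', '_token' => 'guess'], ''],
];
foreach ($cases as $label => [$method, $post, $referer]) {
    $why = check_form_request($session, 'guestbook', $method, $post, $now, $referer, 'app.example');
    printf("%-18s -> %s\n", $label, $why === null ? 'accepted' : "rejected: $why");
}
```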
Application Level Security::
SQL Injection

 Description:
 An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database.
Application Level Security::
SQL Injection: Basic Sample

 //legit
 $sort = 'ASC';
 //malicious injection?
 $sort = '; TRUNCATE POSTS';

 //actual query
 $query = "SELECT * FROM posts ORDER BY date_entered $sort";

 // Output Query: uh-oh!
 SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS
Application Level Security::
SQL Injection

 Possible Damage:
 ● Corrupt data by executing TRUNCATE
 ● Alter current DB data (eg. change admin password)
Application Level Security::
SQL Injection

 Vectors:
 ● Dynamic queries getting values from unsanitized user-submitted data
Application Level Security::
SQL Injection (MySQL)

 Prevention:
 ● Enclose user-submitted values with mysql_real_escape_string()
Application Level Security::
Session Hijacking

 Description:
 Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application.
Application Level Security::
Session Hijacking

 Possible Damage:
 ● Attacker gaining administrator privileges; damage/threat is highly serious.
Application Level Security::
Session Hijacking

 Vectors:
 ● Session ID Fixation via XSS
 ● Web Application is not going thru HTTPS and therefore sniffable
 ● Session id is not regenerated when necessary
Application Level Security::
Session Hijacking

 Prevention:
 ● Protect the site against XSS attacks (fixation avoidance only)
 ● Regenerate the SID whenever necessary and do not trust a user-specified session id
 ● Deliver the web app over HTTPS to avoid getting sniffed
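Session settings and a login step that regenerates the id, as an added example that is not from the original slides: strict mode refuses ids the server never issued (the fixation vector), the cookie flags tie the id to HTTPS and keep it away from injected script, and session_regenerate_id() is called at the privilege change. The function names are this example's own; it targets the web SAPI but also runs from the CLI for a quick check.

```php
<?php
// Added example (not from the slides): session hardening for the
// "Regenerate SID" and "do not trust user-specified session id" advice.
// Function names are this example's own.
declare(strict_types=1);

/** Harden id handling and the session cookie; call before session_start(). */
function configure_session(bool $https): void
{
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued (fixation)
    ini_set('session.use_only_cookies', '1');  // never take the id from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');   // not readable by injected JavaScript
    ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+; ignored on older versions
    ini_set('session.cookie_secure', $https ? '1' : '0'); // HTTPS only (the sniffing point)
}

/**
 * Mark the session as authenticated. A fresh id is issued at the privilege
 * change, so an id an attacker planted or observed beforehand is worthless.
 * Returns [old id, new id].
 */
function login_user(int $userId): array
{
    $old = session_id();
    session_regenerate_id(true);   // true: delete the old session data as well
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
    return [$old, session_id()];
}

/** Drop the data and rotate the id again on logout. */
function logout_user(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Constructed run: pretend the app is served over HTTPS.
configure_session(true);
session_start();
[$before, $after] = login_user(42);
printf("id before login: %s\nid after login:  %s\nchanged: %s\n",
       $before, $after, $before !== $after ? 'yes' : 'no');
logout_user();
```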
In a nutshell:
 ● The Server Level is part of the Web Application. It is necessary to secure the Server as well. 30% of Web Application Attacks are still suffered by the Server.
 ● "Do not Trust User Input" is not enough; make User Input TRUSTABLE by filtering methods before it undergoes processing.
 ● Tokenize your forms whenever necessary
 ● Use an SSL layer (via https) when dealing with highly sensitive data to avoid being sniffed or captured.
I hope you enjoyed..


The End...

Weitere Àhnliche Inhalte

Was ist angesagt?

OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentationowaspsd
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesAdwiteeya Agrawal
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)vinayh.vaghamshi _
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)Soham Kansodaria
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front endErlend Oftedal
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSIvan Ortega
 
Antiviruxss
AntiviruxssAntiviruxss
AntiviruxssMarcusgcm
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsPorfirio Tramontana
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack PresentationKhoa Nguyen
 
Front end-security
Front end-securityFront end-security
Front end-securityMiao Siyu
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application SecurityRob Ragan
 

Was ist angesagt? (20)

OWASP San Diego Training Presentation
OWASP San Diego Training PresentationOWASP San Diego Training Presentation
OWASP San Diego Training Presentation
 
Attques web
Attques webAttques web
Attques web
 
Post XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and RemediesPost XSS Exploitation : Advanced Attacks and Remedies
Post XSS Exploitation : Advanced Attacks and Remedies
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)DVWA(Damn Vulnerabilities Web Application)
DVWA(Damn Vulnerabilities Web Application)
 
Web Application Security in front end
Web Application Security in front endWeb Application Security in front end
Web Application Security in front end
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
Antiviruxss
AntiviruxssAntiviruxss
Antiviruxss
 
DEfcon15 XXE XXS
DEfcon15 XXE XXSDEfcon15 XXE XXS
DEfcon15 XXE XXS
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Identifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web ApplicationsIdentifying Cross Site Scripting Vulnerabilities in Web Applications
Identifying Cross Site Scripting Vulnerabilities in Web Applications
 
XSS
XSSXSS
XSS
 
Web application attack Presentation
Web application attack PresentationWeb application attack Presentation
Web application attack Presentation
 
Front end-security
Front end-securityFront end-security
Front end-security
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Secure coding-guidelines
Secure coding-guidelinesSecure coding-guidelines
Secure coding-guidelines
 

Ähnlich wie Web Application Security

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.pptOmprakashVerma56
 
Web-Security-Application.pptx
Web-Security-Application.pptxWeb-Security-Application.pptx
Web-Security-Application.pptxhamidTalib2
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryNikola Milosevic
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
Automatically detecting security vulnerabilities in WordPress
Automatically detecting security vulnerabilities in WordPressAutomatically detecting security vulnerabilities in WordPress
Automatically detecting security vulnerabilities in WordPressFresh Consulting
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications SecureAryashree Pritikrishna
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMagno Logan
 
15 owasp top 10 - a3-xss
15   owasp top 10 - a3-xss15   owasp top 10 - a3-xss
15 owasp top 10 - a3-xssappsec
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Webandres1422
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentationAlbena Asenova-Belal
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeFastly
 

Ähnlich wie Web Application Security (20)

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Web-Security-Application.pptx
Web-Security-Application.pptxWeb-Security-Application.pptx
Web-Security-Application.pptx
 
OWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgeryOWASP Serbia - A5 cross-site request forgery
OWASP Serbia - A5 cross-site request forgery
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Automatically detecting security vulnerabilities in WordPress
Automatically detecting security vulnerabilities in WordPressAutomatically detecting security vulnerabilities in WordPress
Automatically detecting security vulnerabilities in WordPress
 
Lets Make our Web Applications Secure
Lets Make our Web Applications SecureLets Make our Web Applications Secure
Lets Make our Web Applications Secure
 
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka IrongeekMutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
 
15 owasp top 10 - a3-xss
15   owasp top 10 - a3-xss15   owasp top 10 - a3-xss
15 owasp top 10 - a3-xss
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 
4.Xss
4.Xss4.Xss
4.Xss
 
Web Security
Web SecurityWeb Security
Web Security
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And Countermeasures
 
ieee
ieeeieee
ieee
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Pantallas escaneo Sitio Web
Pantallas escaneo Sitio WebPantallas escaneo Sitio Web
Pantallas escaneo Sitio Web
 
A8 cross site request forgery (csrf) it 6873 presentation
A8 cross site request forgery (csrf)   it 6873 presentationA8 cross site request forgery (csrf)   it 6873 presentation
A8 cross site request forgery (csrf) it 6873 presentation
 
Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 

KĂŒrzlich hochgeladen

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 

KĂŒrzlich hochgeladen (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

Web Application Security

  • 1. Web Application Security by Example (for LAMP) Arpee Ong
  • 2. Who Am I? Name: Richard Peter Ong a.k.a. Arpee Work: Lead Developer, Internal Projects at SysIQ Inc. Open Source Affiliations: a.)core developer, MiaCMS
  • 3. Who Are you? ✔ PHP Developers/Programmers ✔ L/U/W AMP SysAdmins ✔ IT Managers and Practitioners ✔ Geeks and hackers..
  • 4. Scope and Coverage: ● Securing a Basic U/L AMP Server ● Web Application Attacks Description, Samples and Prevention
  • 5. WHAT IS A WEB APPLICATION? ✔ Any application that is served commonly via http or https protocol ✔ Usually being served from a remote computer acting as a host/server
  • 6. WHAT IS SECURITY? ✔ Is a State of being free from damage and being compromised ✔ Is a condition of being protected against danger or loss
  • 7. Levels of WebApp Security: ✔ Server Level ✔ Application Level
  • 8. Server Level Security: ✔ The Box(es) (physical or virtual server(s)) ✔ httpd (Apache) ✔ mysqld (MySQL) ✔ PHP
  • 9. Secure the Box: ✔ Filesystem ✔ Firewall
  • 10. Filesystem:: File Ownership and Permission ✔ Folders should be 0755 ✔ Files should be 0644 ✔ Files and Folders under Document Root should be owned by the Apache User ✔ 666 is evil in the web world... well, so is 777.
  • 11. Filesystem:: How to Set Permissions ✔ Folders chmod 0755 {directory} ✔ Files chmod 0644 {files}
  • 12. Filesystem:: How to Set Ownership ✔ Files/Folders chown -R {apache_user} {document_root}
  • 13. Firewall:: Opened Ports ✔ Port 80 Web/Http ✔ Port 443 Web/Https ✔ Port 21 FTP ✔ Port 22 SSH ✔ Port 25 SMTP (outgoing) ✔ Port 110 POP (inbound) ✔ Port 3306 MySQL Daemon
  • 14. Secure httpd (Apache): ✔ Set an apache user ✔ Do not run apache as root ✔ 3rd Party Tools: ✔ ModSecurity http://www.modsecurity.org/
  • 15. Secure the mysqld (MySQL): ✔ Set root(admin) password ✔ Rename the root(admin) account ✔ Restrict Network Access ✔ Use SSH Tunneling/Port Forwarding if necessary
  • 16. MySQL:: Set Admin Password mysql -u root mysql> SET PASSWORD FOR root@localhost=PASSWORD('password'); mysql> FLUSH PRIVILEGES;
  • 17. MySQL:: Change Admin Username mysql -u root -p{PASSWORD} mysql> USE mysql; mysql> UPDATE user SET user="mydbadmin" WHERE user="root"; mysql> FLUSH PRIVILEGES;
  • 18. MySQL:: Why Restrict Network Access? ✔Usually only your web application needs access to MySQL Server, NOTHING ELSE.
  • 19. MySQL:: How to Restrict Network Access? ✔ Open my.cnf ✔ Add the skip-networking parameter to the [mysqld] or [mysqld_safe] section (depending on which you are using)
  • 20. MySQL:: How to tunnel mysql via ssh? ssh -N -f -L 3306:localhost:3306 user@mysql_server.com -N Do not execute a remote command (useful for port forwarding only) -f Run in background -L port:host:hostport
  • 21. Secure php.ini (PHP): ✔ disable_functions ✔ register_globals=off ✔ allow_url_fopen=on/off ✔ allow_url_include=off ✔ 3rd Party Tools: ✔ Suhosin http://www.hardened-php.net/suhosin/
  • 22. PHP:: Functions to disable ✔ exec() - executes a command ✔ passthru() - executes a command and displays raw output
  • 23. PHP:: Register Globals ✔ DO NOT ENABLE register_globals ✔ Write your apps to use SuperGlobals instead when initializing variables and their values whenever necessary. ($_GET, $_POST, $_REQUEST and $_SERVER)
  • 24. PHP:: allow_url_fopen, allow_url_include ✔ Allow_url_fopen if set to on, allows treatment of URLs as files ✔ Allow_url_include - if set to on, allows include/require to open URLs (like http:// or ftp://) as files.
  • 25. PHP:: misuse of register_globals, allow_url_fopen, allow_url_include altogether >> ✔SEE remote file inclusion attacks..
  • 26. Application Level Security:: Attack Samples and Prevention ✔ Remote File Inclusion ✔ Form Spoofing ✔ XSS (Cross-Site Scripting) ✔ CSRF (Cross-Site Request Forgery) ✔ SQL Injection ✔ Session Fixation
  • 27. Application Level Security:: Remote File Inclusion Attack Description A Remote File Inclusion is a type of attack where an attacker executes a PHP script of his liking against the target web application
  • 28. Application Level Security:: Remote File Inclusion Attack Possible Damage ● Expose/Modify variable values of the script doing the include() ● Expose stored credentials, e.g. MySQL user/pass from a webapp configuration file
  • 29. Application Level Security:: Remote File Inclusion Attack Vectors ● User-controllable value of a variable called by include() or require()
  • 30. Application Level Security:: Remote File Inclusion Attack Prevention ● Disable register_globals ● Disable allow_url_fopen ● Disable allow_url_include ● Do not include() from a dynamic variable with a user-controllable value
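The last prevention point, include() driven by a user-controllable value, is the one that needs code to fix. The following is an added example, not code from the slides or from any project the speaker mentions; the page keys and file paths under pages/ are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides: replacing a user-controlled include()
// with an allowlist lookup. Page keys and file paths are hypothetical.

// The pattern the slides warn about looks like this and must not be used:
//     include $_GET['page'];
// With allow_url_include=on the request can name a remote script; even with
// it off, "../" traversal can pull in files outside the document root.

// Hardened: the request only selects a key; the path comes from a fixed map.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $requested): string
{
    // Unknown keys (URLs, "../" paths, anything not in the map) fall back to
    // the default page instead of being interpreted as a path.
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return PAGES['home'];
    }
    return PAGES[$requested];
}

function render_page(array $get): void
{
    // ?page[]=x arrives as an array; treat anything that is not a string
    // the same as a missing parameter.
    $requested = $get['page'] ?? null;
    $path = resolve_page(is_string($requested) ? $requested : null);
    include $path;   // only values from PAGES can reach here
}

render_page($_GET);
```

With this shape the php.ini settings from slide 21 become defence in depth rather than the only barrier: even if allow_url_include were switched back on, no request value is ever passed to include().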
  • 31. Application Level Security:: Form Spoofing Attack Description A type of attack where an HTML form is mimicked or copied and then submitted from a location different from the original
  • 32. Application Level Security:: Form Spoofing Attack Possible Damage ● Bypass client-side validation ● Mass data insertion resulting in a flood (e.g. flooded guestbooks, forum boards etc.)
  • 33. Application Level Security:: Form Spoofing Attack Vectors ● No form tokens present, thus all requests thrown to the accepting script are considered valid
  • 34. Application Level Security:: Form Spoofing Attack Prevention ● Tokenize the form ● [optional] Check Referrer
  • 35. Application Level Security:: XSS Attack Description Cross-Site Scripting is a type of attack where an attacker inserts HTML code into the HTML output of the web application, usually client-side code such as JavaScript. The injected HTML/JS code is then executed in the browsers of users visiting the infiltrated web application
  • 36. Application Level Security:: XSS Attack Possible Damage ● Steal/Fixate browser cookies and direct to another page ● Redirect user to another page ● Mess up the format of a web application page
  • 37. Application Level Security:: XSS Attack Vectors ● Unfiltered input forms
  • 38. Application Level Security:: XSS Attack Prevention ● "Do Not Trust User Input" is not enough, I say: Make User Input Trustable ● Filter incoming data
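"Make user input trustable" has two halves in practice: validate on the way in, and escape on the way out so that free text can never be interpreted as markup. The following is an added example, not code from the slides; the guestbook field names, the function names and the constructed sample submission are all hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added example, not from the slides: validate input fields against what they
// are supposed to contain, and escape every value rendered into HTML.
// Field and function names are hypothetical.

// Input side: structured fields are validated, not "cleaned".
function clean_guestbook_input(array $post): ?array
{
    // filter_var() returns false for arrays and for values failing the rule.
    $name = filter_var($post['name'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[\p{L}\p{N} .\'-]{1,40}$/u']]);
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $message = $post['message'] ?? '';
    $message = is_string($message) ? trim($message) : '';
    if ($name === false || $email === false || $message === '' || strlen($message) > 2000) {
        return null;   // reject malformed input rather than try to repair it
    }
    return ['name' => $name, 'email' => $email, 'message' => $message];
}

// Output side: one escaper for everything that goes into HTML text or
// attribute context. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE
// keeps invalid UTF-8 from making htmlspecialchars() return an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_entry(array $entry): string
{
    // The free-text message is escaped, not filtered: a post containing a
    // <script> tag is displayed literally instead of executed.
    return '<li><b>' . e($entry['name']) . '</b> (' . e($entry['email']) . '): '
         . nl2br(e($entry['message'])) . '</li>';
}

// Constructed sample submission carrying markup in the message field.
$sample = [
    'name'    => 'Alice',
    'email'   => 'alice@example.com',
    'message' => "Hello <script>alert(1)</script>",
];
$entry = clean_guestbook_input($sample);
echo $entry ? render_entry($entry) : 'rejected';
```

The split matters because filtering alone cannot know where a value will end up: the same message is safe as escaped HTML text and still unsafe inside a JavaScript string or a URL, each of which needs its own encoder.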
  • 39. Application Level Security:: CSRF Attack Description Cross-Site Request Forgery is a type of attack where an attacker forces an unknowing victim into making (malicious) HTTP requests
  • 40. Application Level Security:: CSRF Attack Possible Damage ● Make the victim execute an operation without his knowledge on a web application while being validly authenticated (e.g. change account details, logout, spam etc.)
  • 41. Application Level Security:: CSRF Attack Vectors ● XSS vulnerabilities ● Untokenized forms ● Usage of $_GET for operations where $_POST may be best suited
  • 42. Application Level Security:: CSRF Attack Prevention ● Use $_POST instead of $_GET and/or $_REQUEST ● Filter incoming data ● Tokenize
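Slides 34 and 42 both come down to the same mechanism: a per-session token that the accepting script checks, combined with POST-only handling and, optionally, a referrer check. The following is an added example, not code from the slides; the function names, the csrf_token field name and the site origin are hypothetical, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not from the slides: per-session form tokens against form
// spoofing and CSRF. Function and field names are hypothetical.
session_start();

// Issue one token per session and reuse it for every form in that session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission: POST only, token present and equal (constant-time
// compare). The slides' optional referrer check is applied only when the
// header is present, because browsers and proxies may strip it.
function csrf_check(array $post, string $method, ?string $referer, string $origin): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || $sent === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    if (!hash_equals($_SESSION['csrf_token'], $sent)) {
        return false;
    }
    if ($referer !== null && strpos($referer, $origin) !== 0) {
        return false;
    }
    return true;
}

// Accepting script for a guestbook post (site origin is a placeholder).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = csrf_check($_POST, $_SERVER['REQUEST_METHOD'],
                     $_SERVER['HTTP_REFERER'] ?? null, 'https://example.com/');
    if (!$ok) {
        http_response_code(403);
        exit('Invalid form submission');
    }
    // ... validate and store the guestbook entry here ...
    exit('Thanks');
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <textarea name="message"></textarea>
  <button type="submit">Post</button>
</form>
```

A copied form submitted from elsewhere carries no valid token for the submitter's own session, so it is rejected before any data is inserted; and since the token lives in the session rather than in a cookie alone, a forged cross-site request cannot supply it either.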
  • 43. Application Level Security:: SQL Injection Attack Description An SQL Injection is an attack where an attacker is able to execute arbitrary SQL code against the database
  • 44. Application Level Security:: SQL Injection: Basic Sample //legit $sort = 'ASC'; //malicious injection? $sort = '; TRUNCATE POSTS'; //actual query $query = "SELECT * FROM posts ORDER BY date_entered $sort"; // Output Query: uh-oh! SELECT * FROM posts ORDER BY date_entered; TRUNCATE POSTS
  • 45. Application Level Security:: SQL Injection Attack Possible Damage ● Corrupt data by executing TRUNCATE ● Alter current DB data (e.g. change admin password)
  • 46. Application Level Security:: SQL Injection Attack Vectors ● Dynamic queries getting values from unsanitized user-submitted data
  • 47. Application Level Security:: SQL Injection (MySQL) Attack Prevention ● Enclose user-submitted values with mysql_real_escape_string()
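The slide's own sample is worth working through, because escaping does not fix it: $sort sits after ORDER BY as a bare keyword, not inside quotes, so mysql_real_escape_string() would return '; TRUNCATE POSTS' unchanged. The following is an added example, not code from the slides; it uses mysqli_real_escape_string(), the mysqli successor to the mysql_real_escape_string() named on the slide, the connection credentials are placeholders, and the closing prepared-statement part goes beyond what the slides cover.

```php
<?php
// Added example, not from the slides: the slides' ORDER BY sample, hardened.
// mysqli_real_escape_string() is the mysqli successor to the slides'
// mysql_real_escape_string(); credentials below are placeholders.

// Escaping only helps for values inside quotes. The slide's $sort is a bare
// keyword after ORDER BY, so '; TRUNCATE POSTS' would pass through an escape
// untouched. For that position the fix is an allowlist, not an escape.
function safe_sort_direction($sort): string
{
    return (is_string($sort) && strtoupper($sort) === 'DESC') ? 'DESC' : 'ASC';
}

// A quoted string value can be escaped. The escape is charset-aware, so the
// connection charset must be set before it is called.
function build_posts_query(mysqli $db, string $author, $sort): string
{
    return "SELECT * FROM posts WHERE author = '"
         . mysqli_real_escape_string($db, $author)
         . "' ORDER BY date_entered " . safe_sort_direction($sort);
}

$db = mysqli_connect('localhost', 'webapp_user', 'PLACEHOLDER_PASSWORD', 'webapp');
mysqli_set_charset($db, 'utf8mb4');

// The slide's malicious $sort collapses to the default direction, and the
// apostrophe in the author name is escaped instead of closing the string.
$sql = build_posts_query($db, "O'Brien", '; TRUNCATE POSTS');

// Beyond the slides: a prepared statement removes hand escaping for the value
// entirely. The ORDER BY direction still needs the allowlist, because a
// placeholder can only stand in for a value, never for a keyword or identifier.
$author = $_GET['author'] ?? '';
if (!is_string($author)) {
    $author = '';
}
$stmt = mysqli_prepare($db,
    'SELECT * FROM posts WHERE author = ? ORDER BY date_entered '
    . safe_sort_direction($_GET['sort'] ?? null));
mysqli_stmt_bind_param($stmt, 's', $author);
mysqli_stmt_execute($stmt);
```

The rule that falls out of this: escape (or bind) anything that lands inside quotes, and allowlist anything that lands outside them, such as sort directions, column names and table names.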
  • 48. Application Level Security:: Session Hijacking Attack Description Session Hijacking is an attack where an attacker impersonates a legitimate user (commonly the administrator) that is currently logged in on the web application
  • 49. Application Level Security:: Session Hijacking Attack Possible Damage ● Attacker gaining administrator privileges; damage/threat is highly serious.
  • 50. Application Level Security:: Session Hijacking Attack Vectors ● Session ID fixation via XSS ● Web application is not going through HTTPS and is therefore sniffable ● Session ID is not regenerated when necessary
  • 51. Application Level Security:: Session Hijacking Attack Prevention ● Protect site against XSS attacks (fixation avoidance only) ● Regenerate SID whenever necessary and do not trust user-specified session IDs ● Deliver the web app over HTTPS to avoid getting sniffed
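"Regenerate the SID whenever necessary" and "do not trust user-specified session IDs" map onto a handful of PHP session settings and calls. The following is an added example, not code from the slides; the login, logout and find_user() functions are hypothetical (find_user() is a constructed stand-in for a database lookup with a placeholder password), and it assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example, not from the slides: session handling that regenerates the
// SID at privilege changes and rejects session IDs the server never issued.
// login(), logout() and find_user() are hypothetical.

// use_strict_mode rejects a client-supplied ID that the server has not
// initialized, which is the fixation defence; use_only_cookies keeps the ID
// out of URLs. The cookie flags keep it off plain HTTP and away from scripts.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,     // the app is delivered over HTTPS only
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $username, string $password): bool
{
    $user = find_user($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Drop the pre-login ID: an ID planted before authentication (by XSS or
    // otherwise) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user['id'];
    $_SESSION['is_admin']      = $user['is_admin'];
    $_SESSION['last_rotation'] = time();
    return true;
}

// Periodic rotation bounds how long a captured ID stays usable.
function rotate_if_stale(int $max_age = 900): void
{
    if (isset($_SESSION['last_rotation']) && time() - $_SESSION['last_rotation'] > $max_age) {
        session_regenerate_id(true);
        $_SESSION['last_rotation'] = time();
    }
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // the old ID cannot be presented again
    session_destroy();
}

// Constructed stand-in for a database lookup; the password is a placeholder.
function find_user(string $username): ?array
{
    $users = [
        'admin' => [
            'id'            => 1,
            'is_admin'      => true,
            'password_hash' => password_hash('PLACEHOLDER_PASSWORD', PASSWORD_DEFAULT),
        ],
    ];
    return $users[$username] ?? null;
}

rotate_if_stale();
```

session_regenerate_id(true) both issues a fresh ID and deletes the old session file, so an ID sniffed or fixed before login stops working the moment the user authenticates; the HTTPS-only cookie covers the "sniffable" vector on the previous slide.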
  • 52. In a nutshell: ● The Server Level is part of the Web Application. It is necessary to secure the server as well: 30% of web application attacks are still suffered by the server. ● "Do not Trust User Input" is not enough; Make User Input TRUSTABLE with filtering methods before it undergoes processing. ● Tokenize your forms whenever necessary ● Use an SSL layer (via HTTPS) when dealing with highly sensitive data to avoid it being sniffed or captured.
  • 53. I hope you enjoyed.. The End...