Web Architecture - Mechanism and Threats

Published in: Education

This slide deck is my presentation at the 2600Thailand Meeting.
Slide 1. Web Architecture - Mechanism and Threats
© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Sumedt Jitpukdebodin, Senior Security Researcher
CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE

Slide 2. ~# whoami
- Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
- My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
- Jobs
  - I-SECURE Co., Ltd.: Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
  - Writer
    - English articles at http://packetstormsecurity.com/files/author/9011/, and please google my name.
    - Many Thai articles; please google my Thai name.
    - Book: "Hacking & Security Book: Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ"
- Hobbies: penetration testing, hacking, reading about information security, playing games, traveling around the world, writing articles, teaching and more...

Slide 3. Agenda (section divider)

Slide 4. Agenda
- Web Architecture
- Web Architecture Attack
- Security Controls & Mechanism

Slide 5. Web Architecture (section divider)

Slide 6. Basic Web Architecture
- Two-tier architecture
  - The web browser displays the content returned by the web server
  - The web server provides resources to the client

Slide 7. HTML
- HTML (HyperText Markup Language)
  - Document layout language
  - Viewed using a web browser

Slide 8. URI
- URI (Uniform Resource Identifier)

Slide 9. URI (2)
- URL (Uniform Resource Locator): identifies a resource by where it is
- URN (Uniform Resource Name): identifies a resource by name, independent of its location

Slide 10. HTTP
- HTTP (HyperText Transfer Protocol)
- HTTP is an application-layer protocol.
- HTTP is a two-way exchange: an HTTP request followed by an HTTP response.

Slide 11. HTTP (2)
- Request message
  - Request line
  - Request headers
  - An empty line
  - An optional message body

Slide 12. HTTP (3) (diagram only; no text on this slide)

Slide 13. Request Method
- HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT

Slide 14. Safe Method
- Safe methods (defined as read-only; a request with one must not change server state): HEAD, GET, OPTIONS, TRACE
- Unsafe methods (may change server state): POST, PUT, DELETE, CONNECT
- The safe set is the one defined in RFC 7231 section 4.2.1; a handler that changes state on GET is reachable from any link or image tag, which is the CSRF pattern.

Slide 15. Status Code
- Informational: 1xx
- Success: 2xx
- Redirection: 3xx
- Client-side error: 4xx
- Server-side error: 5xx
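The request structure on slides 11 to 15 (request line, headers, empty line, optional body), the safe/unsafe method split and the status-code classes, as an added example in Python. This is not code from the original slides; the two sample requests and the host name shop.example are constructed for the illustration, and the parser is deliberately strict so that a practitioner can see which malformed inputs it refuses.

```python
"""Parse a raw HTTP/1.1 request into its four parts (request line, headers,
empty line, body) and classify methods and status codes.

Added example for this page; it is not code from the original slides.
SAMPLE_GET and SAMPLE_POST are constructed requests for illustration."""
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}          # RFC 7231 section 4.2.1
UNSAFE_METHODS = {"POST", "PUT", "DELETE", "CONNECT"}
KNOWN_METHODS = SAFE_METHODS | UNSAFE_METHODS


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)   # lower-cased field names
    body: bytes = b""


def parse_request(raw: bytes) -> Request:
    """Strict parser: rejects anything ambiguous instead of guessing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header block")
    lines = head.decode("ascii").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError("unknown method %r" % method)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230 section 3.2.4: no whitespace between field name and colon
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without Host header")
    declared = int(headers.get("content-length", "0"))
    if declared != len(body):
        raise ValueError("Content-Length %d but body is %d bytes" % (declared, len(body)))
    return Request(method, target, version, headers, body)


def is_safe(method: str) -> bool:
    """Safe methods must not change server state; a handler that mutates
    state on GET is reachable by any link or <img> tag (the CSRF pattern)."""
    return method.upper() in SAFE_METHODS


def status_class(code: int) -> str:
    classes = {1: "informational", 2: "success", 3: "redirection",
               4: "client error", 5: "server error"}
    try:
        return classes[code // 100]
    except KeyError:
        raise ValueError("not an HTTP status code: %r" % code) from None


def rejects(raw: bytes) -> bool:
    """True if the parser refuses the request (used to show what it rejects)."""
    try:
        parse_request(raw)
    except ValueError:
        return True
    return False


SAMPLE_GET = (b"GET /index.php?id=42 HTTP/1.1\r\n"
              b"Host: shop.example\r\n"
              b"Cookie: PHPSESSID=7f3a9c\r\n"
              b"\r\n")

SAMPLE_POST = (b"POST /login HTTP/1.1\r\n"
               b"Host: shop.example\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 27\r\n"
               b"\r\n"
               b"user=alice&password=secret!")

if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST):
        req = parse_request(raw)
        print(req.method, req.target, "safe" if is_safe(req.method) else "unsafe",
              "body=%d bytes" % len(req.body))
    print(404, status_class(404))
```

The parser refuses a missing Host header, whitespace before a header colon, and a body whose length disagrees with Content-Length, because each of those is a place where two components in the chain (proxy, WAF, application server) could read the same bytes differently.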
Slide 16. HTTP Session State
- HTTP is a stateless protocol
- Solutions
  - Cookies
  - Sessions
  - Hidden form variables
  - URL parameter (/index.php?session_id=$session_code)

Slide 17. Web Architecture Extension
- A two-tier architecture is not enough
- Common Gateway Interface (CGI)
  - Standard protocol for interfacing external application software with a web server
  - CGI programs are executable programs that run on the web server

Slide 18. JavaScript
- Scripting language designed for dynamic, interactive web applications
- Runs on the client side
- Preprocesses data on the client before submission to a server
  - Anything done on the client can be skipped or altered by the user, so the server must validate the data again
- Changes content and styles

Slide 19. Three-tier web architecture (diagram only)

Slide 20. Making HTTP stateful (2)
- Cookie
  - Text stored on the client's computer by the web browser
  - Sent as an HTTP header
  - Can be used for authentication and session tracking
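The Cookies and Sessions solutions from slides 16 and 20 together, as an added Python example that is not code from the original slides. The server keeps the session state and hands the browser only an opaque random token in a cookie; the in-memory store, the SESSIONID cookie name and the 15-minute lifetime are assumptions made for this demonstration. Of the four solutions on slide 16, the URL parameter is the weakest choice for a session ID, since the request target ends up in server access logs, browser history and Referer headers, which the cookie does not.

```python
"""Session tracking over stateless HTTP with a server-side session store and
a session cookie, the Cookies/Sessions solutions on the slides.

Added example for this page, not code from the original slides. The
in-memory store and the SESSIONID cookie name are assumptions for the
demonstration; production systems keep sessions in a database or cache."""
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60          # seconds before a session dies (assumed)
COOKIE_NAME = "SESSIONID"      # assumed name for this example


class SessionStore:
    """Maps opaque random tokens to (user, expiry). The token carries no
    data itself; everything about the session stays on the server."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock for testing expiry
        self._sessions = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = (user, self._now() + SESSION_TTL)
        return token

    def lookup(self, token: str):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._now() >= expires_at:
            del self._sessions[token]       # expired: forget it server-side
            return None
        return user

    def destroy(self, token: str) -> None:
        """Logout must invalidate on the server, not just clear the cookie."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value: HttpOnly keeps scripts from reading it, Secure keeps it
    off plaintext HTTP, SameSite=Lax stops most cross-site requests from sending it."""
    return "%s=%s; Path=/; Max-Age=%d; HttpOnly; Secure; SameSite=Lax" % (
        COOKIE_NAME, token, SESSION_TTL)


def session_from_request(headers: dict, store: SessionStore):
    """Resolve the user for a request from its Cookie header (lower-cased keys)."""
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return store.lookup(morsel.value)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print("Set-Cookie:", set_cookie_header(token))
    print(session_from_request({"cookie": "%s=%s" % (COOKIE_NAME, token)}, store))
```

Because the token is random and unguessable, the only ways to obtain a valid session are to log in or to steal a token in transit or from the browser, which is exactly what the Secure and HttpOnly attributes narrow down.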
Slide 21. Server and Client Processing
- Server-side processing: PHP, ASP, ASP.NET, Perl, J2EE, Python/Django, Ruby on Rails
- Client-side processing: CSS, HTML, JavaScript, Adobe Flash, Microsoft Silverlight

Slide 22. AJAX
- Asynchronous JavaScript and XML (AJAX)
- Term coined by Jesse James Garrett, February 18, 2005
- Ajax incorporates XHTML, CSS, the Document Object Model (DOM), XML and XSLT, XMLHttpRequest, and JavaScript

Slide 23. AJAX (2) (diagram only)

Slide 24. AJAX (3) (diagram only)

Slide 25. JSON
- JavaScript Object Notation (JSON)
- JSON is a lightweight data interchange format.
- JSON is based on a subset of the JavaScript programming language.
- Used in place of the XML format.

Slide 26. JSON Request && Response (diagram only)

Slide 27. JSON (2) (diagram only)

Slide 28. XML
- eXtensible Markup Language
- Used for information exchange.
- The two primary building blocks of XML are elements and attributes.
- Elements are tags and have values.
- Elements are structured as a tree.
- Alternatively, elements may have both attributes and data.
- Attributes give more meaning and describe an element more efficiently and clearly.

Slide 29. XML (2)
- Tag
- Element
- Content

Slide 30. XML (3) (diagram only)

Slide 31. XML (4) (diagram only)

Slide 32. XML vs JSON (diagram only)
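The XML building blocks from slides 28 and 29 (tag, attributes, content, tree) beside the JSON rendering of the same data, as an added Python example; it is not code from the original slides, and the order document, its JSON counterpart and the parse_xml, element_to_dict and order_record functions are constructed for this illustration. The generic walk shows the tree structure the slides describe; the schema-aware mapping shows what changes when the same record is moved to JSON (attributes and child elements become keys, and quantities become numbers instead of strings).

```python
"""The same order record as XML and as JSON, plus a parser that walks the XML
into the building blocks named on the slides: tags, attributes and content.

Added example for this page, not code from the original slides. The <order>
document and its JSON counterpart are constructed for the illustration."""
import json
import xml.etree.ElementTree as ET

SAMPLE_XML = """<order id="1001" currency="THB">
  <customer>Somchai</customer>
  <item sku="A-17" qty="2">USB cable</item>
  <item sku="B-03" qty="1">Keyboard</item>
</order>"""

# The JSON rendering a REST API would typically return for the same record.
# JSON carries types (qty is a number); XML attributes and text are always strings.
SAMPLE_JSON = """{
  "order": {
    "id": "1001",
    "currency": "THB",
    "customer": "Somchai",
    "items": [
      {"sku": "A-17", "qty": 2, "name": "USB cable"},
      {"sku": "B-03", "qty": 1, "name": "Keyboard"}
    ]
  }
}"""


def parse_xml(text: str) -> ET.Element:
    """Parse a data-exchange document. A DOCTYPE has no place in one, so
    refuse it up front rather than let the parser process DTD declarations."""
    if "<!DOCTYPE" in text:
        raise ValueError("DOCTYPE declarations are not accepted")
    return ET.fromstring(text)


def element_to_dict(elem: ET.Element) -> dict:
    """Generic walk: every element becomes {tag, attributes, content, children}."""
    node = {"tag": elem.tag}
    if elem.attrib:
        node["attributes"] = dict(elem.attrib)
    content = (elem.text or "").strip()
    if content:
        node["content"] = content
    children = [element_to_dict(child) for child in elem]
    if children:
        node["children"] = children
    return node


def order_record(root: ET.Element) -> dict:
    """Schema-aware mapping of <order> to the JSON shape above."""
    if root.tag != "order":
        raise ValueError("expected <order>, got <%s>" % root.tag)
    return {"order": {
        "id": root.get("id"),
        "currency": root.get("currency"),
        "customer": root.findtext("customer"),
        "items": [{"sku": item.get("sku"),
                   "qty": int(item.get("qty")),   # convert: XML gave us a string
                   "name": item.text}
                  for item in root.findall("item")],
    }}


def rejects(text: str) -> bool:
    """True if parse_xml refuses the document (DOCTYPE or malformed XML)."""
    try:
        parse_xml(text)
    except (ValueError, ET.ParseError):
        return True
    return False


if __name__ == "__main__":
    root = parse_xml(SAMPLE_XML)
    print(json.dumps(element_to_dict(root), indent=2))
    print(order_record(root) == json.loads(SAMPLE_JSON))
```

The DOCTYPE check is the one caveat worth carrying into real code: a document exchanged between machines only needs elements and attributes, so anything that asks the parser to process a DTD should be refused before parsing starts.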
Slide 33. Web Services
- A web service is a software system designed to support machine-to-machine interaction over a network.
- Web services are frequently just Internet-facing application programming interfaces (APIs).
- Web services use HTTP for transmitting messages (RPC, SOAP, REST).

Slide 34. SOAP vs REST
- SOAP (Simple Object Access Protocol)
  - Web service based on XML messages
- REST (Representational State Transfer)
  - Web service whose resources are represented in the format the application chooses (commonly JSON or XML)

Slide 35. SOAP vs REST (diagram only)

Slide 36. SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Slide 37. REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Slide 38. Web Architecture Attack (section divider)

Slide 39. Web Architecture (diagram only)
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Slide 40. Web Architecture Attack (diagram only)
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Slide 41. OWASP Top 10 2013
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards

Slide 42. Security Controls & Mechanism (section divider)

Slide 43. Security Control
- Application layer
- Network layer

Slide 44. Application Layer
- Input validation
- Session management
- Authentication method
- Strong policy (such as password policy)
- Same-origin policy (enforced by the browser, not by the application)
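The application-layer controls from slide 44 applied to the first item of the OWASP 2013 list on slide 41, as an added Python example that is not code from the original slides: allow-list input validation, a parameterized query beside the string-built query it replaces, and a password-policy check. The users table, the credentials, the injection payload, the username rules and the password policy are all constructed assumptions for this demonstration; the table stores plaintext passwords only to keep the injection visible, real systems store password hashes.

```python
"""Application-layer controls from the slides, run against the injection item of
the OWASP 2013 list: allow-list input validation, a parameterized query beside the
string-built query it replaces, and a password-policy check.

Added example for this page, not code from the original slides. The users
table, the credentials and the injection payload are constructed; the
username rules and password policy are assumptions for this example."""
import re
import sqlite3

# Allow-list: decide what a username may look like, reject everything else.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")


def valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows. Real systems store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, name: str, password: str) -> list:
    """Builds SQL by string formatting, so input becomes part of the query text."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name: str, password: str) -> list:
    """Validates the username, then binds both inputs as parameters: the
    database receives them as values, never as SQL."""
    if not valid_username(name):
        return []
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def password_ok(pw: str) -> bool:
    """Assumed policy: 12+ characters, at least one letter, one digit, one other."""
    return (len(pw) >= 12
            and re.search(r"[A-Za-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


PAYLOAD = "' OR '1'='1"     # tautology; the query supplies the closing quote


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", login_vulnerable(conn, "alice", PAYLOAD))   # both users
    print("safe:      ", login_safe(conn, "alice", PAYLOAD))         # nothing
```

With the payload as the password, the string-built query becomes WHERE name = 'alice' AND password = '' OR '1'='1', which is true for every row; the parameterized query compares the password column against the literal eleven-character string and matches nothing. Validation on its own is not the fix (the password field cannot be allow-listed this way), which is why both controls appear together.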
Slide 45. Network Layer
- Firewall
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
- Web Application Firewall (WAF)
- Centralized log server

Slide 46. Network Layer Diagram (diagram only)
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php

Slide 47. Questions
www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.