Web Architecture - Mechanism and Threats 
© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice. 
Sumedt Jitpukdebodin 
Senior Security Researcher 
CompTIA Security+, LPIC-1 , NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
~# whoami
• Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
• My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
• Jobs
– I-SECURE Co., Ltd.
– Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles at http://packetstormsecurity.com/files/author/9011/; please google my name.
– Many Thai articles; please google my Thai name.
– Book: “Hacking & Security Book "Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ”
• Hobbies: Penetration Testing, Hacking, Reading Info Security, Playing Games, Traveling around the world, Writing Articles, Teaching and more...
Agenda
• Web Architecture
• Web Architecture Attack
• Security Controls & Mechanism
Web Architecture 
Basic Web Architecture
• Two-Tier Architecture
– The web browser displays the content returned by the web server
– The web server provides resources to the client
HTML
• HTML (HyperText Markup Language)
– Document layout language
– Viewed using a web browser.
URI
• URI (Uniform Resource Identifier)
URI(2)
• URL (Uniform Resource Locator)
• URN (Uniform Resource Name)
HTTP
• HTTP (Hyper Text Transfer Protocol)
• HTTP is an application-layer protocol.
• HTTP communication is two-way: an HTTP request followed by an HTTP response.
HTTP(2)
• Request Message
– Request line
– Request headers
– An empty line
– An optional message body
HTTP(3) 
Request Method 
– HEAD 
– GET 
– POST 
– PUT 
– DELETE 
– TRACE 
– OPTIONS 
– CONNECT 
Safe Method
– Safe (intended only to retrieve, not to change server state): HEAD, GET, OPTIONS, TRACE
– Not safe (may change server state): POST, PUT, DELETE, CONNECT
Status Code
• Success: 2xx
• Redirection: 3xx
• Client-Side Error: 4xx
• Server-Side Error: 5xx
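The request-message layout, the safe/unsafe method split and the status-code classes from the last few slides, worked through in code. This is an added example, not code from the slides; the sample request is constructed, and the parser deliberately refuses a body whose length disagrees with Content-Length rather than guessing.

```python
# Added example (not from the slides): parse an HTTP/1.1 request message into
# its four parts and classify methods and status codes.  The sample request
# below is constructed for illustration.
from typing import Any, Dict

SAFE_METHODS = {"HEAD", "GET", "OPTIONS", "TRACE"}
UNSAFE_METHODS = {"POST", "PUT", "DELETE", "CONNECT"}

# Constructed sample: request line, headers, empty line, 20-byte body.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 20\r\n"
    b"\r\n"
    b"user=alice&pass=s3cr"
)


def parse_request(raw: bytes) -> Dict[str, Any]:
    """Split a request message at the empty line and validate each part."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the header section")
    lines = head.split(b"\r\n")

    # Request line: METHOD SP request-target SP HTTP-version
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if method not in SAFE_METHODS | UNSAFE_METHODS:
        raise ValueError(f"unknown request method: {method!r}")

    # Header lines: field-name ":" field-value; names are case-insensitive.
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        raise ValueError("HTTP/1.1 request without a Host header")

    # The body is exactly Content-Length bytes.  Extra bytes would be the
    # start of a second message, so refuse instead of silently accepting two
    # messages in one.
    declared = int(headers.get("content-length", "0"))
    if len(body) != declared:
        raise ValueError(f"body is {len(body)} bytes, Content-Length says {declared}")

    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def is_safe_method(method: str) -> bool:
    """Safe methods are read-only by contract; the others may change server state."""
    if method in SAFE_METHODS:
        return True
    if method in UNSAFE_METHODS:
        return False
    raise ValueError(f"unknown request method: {method!r}")


def status_class(code: int) -> str:
    """Map a status code to its class as on the Status Code slide (1xx added)."""
    classes = {1: "Informational", 2: "Success", 3: "Redirection",
               4: "Client-Side Error", 5: "Server-Side Error"}
    if not 100 <= code <= 599:
        raise ValueError(f"status code out of range: {code}")
    return classes[code // 100]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    kind = "safe" if is_safe_method(req["method"]) else "not safe"
    print(req["method"], req["target"], req["version"], kind)
    print(req["headers"], req["body"])
    print(status_class(302))
```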
HTTP Session State
• HTTP is a stateless protocol
• Solutions
– Cookies
– Sessions
– Hidden variables
– URL-encoded parameter (/index.php?session_id=$session_code)
Web Architecture Extension
• Two-tier architecture is not enough
• Common Gateway Interface (CGI)
• A standard protocol for interfacing external application software with a web server
• CGI programs are executables that run on the web server.
Javascript
• Scripting language designed for dynamic, interactive web applications
• Runs on the client side.
• Preprocesses data on the client before submission to a server.
• Changes content type and styles
Three tier web architecture 
Making HTTP stateful(2)
• Cookie
• A piece of text stored on the client's computer by the web browser.
• Sent as an HTTP header
• Can be used for authentication and session tracking
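The cookie-based session tracking described on this slide and the HTTP Session State slide, as an added example that is not part of the deck. It keeps the state server-side, hands the browser only a random identifier in a Set-Cookie header, and reads it back from the Cookie header; the cookie name and idle timeout are assumptions, and the clock is injectable so expiry can be exercised offline.

```python
# Added example (not from the slides): server-side session tracking on top of
# stateless HTTP using a cookie.  COOKIE_NAME and SESSION_TTL are assumptions.
import secrets
import time
from dataclasses import dataclass
from http.cookies import CookieError, SimpleCookie
from typing import Callable, Dict, Optional

COOKIE_NAME = "SESSIONID"   # assumed cookie name
SESSION_TTL = 15 * 60       # assumed idle timeout in seconds


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """Maps unguessable session ids to user state kept on the server."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def _new_id(self) -> str:
        # 256 bits from the OS CSPRNG.  A counter, timestamp or hash of the
        # username would be guessable, which is what "Broken Authentication
        # and Session Management" in the OWASP list is about.
        return secrets.token_urlsafe(32)

    def create(self, user: str) -> str:
        sid = self._new_id()
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def set_cookie_header(self, sid: str) -> str:
        # HttpOnly: not readable by page script.  Secure: never sent over
        # plain HTTP.  Path=/ and SameSite=Lax bound where the browser sends it.
        # Carrying the id in the URL instead (index.php?session_id=...) would
        # put it into server logs, browser history and Referer headers.
        return f"Set-Cookie: {COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

    def lookup(self, cookie_header: Optional[str]) -> Optional[str]:
        """Return the user bound to the request's Cookie value, or None."""
        if not cookie_header:
            return None
        jar = SimpleCookie()
        try:
            jar.load(cookie_header)
        except CookieError:
            return None
        morsel = jar.get(COOKIE_NAME)
        if morsel is None:
            return None
        session = self._sessions.get(morsel.value)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > SESSION_TTL:
            del self._sessions[morsel.value]   # idle too long: treat as logged out
            return None
        session.last_seen = now
        return session.user

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id for an existing session (do this after login)."""
        session = self._sessions.pop(sid, None)
        if session is None:
            return None
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: forget the session so the cookie value is worthless."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print(store.set_cookie_header(sid))
    print(store.lookup(f"{COOKIE_NAME}={sid}; theme=dark"))
```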
Server and Client Processing
• Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python, Django
– Ruby on Rails
• Client-Side Processing
– CSS
– HTML
– Javascript
– Adobe Flash
– Microsoft Silverlight
AJAX
• Asynchronous Javascript and XML (AJAX)
• Created by Jesse James Garrett, February 18, 2005
• Ajax incorporates
– XHTML, CSS, Document Object Model (DOM), XML and XSLT, XMLHttpRequest, Javascript
AJAX(2) 
AJAX(3) 
JSON
• Javascript Object Notation (JSON)
• JSON is a lightweight data interchange format.
• JSON is based on a subset of the Javascript programming language.
• Used as an alternative to the XML format.
JSON Request && Response 
JSON(2) 
XML
• eXtensible Markup Language
• Used for information exchange.
• The two primary building blocks of XML are elements and attributes.
• Elements are tags and have values.
• Elements are structured as a tree.
• Alternatively, elements may have both attributes and data.
• Attributes help you give more meaning to an element and describe it more efficiently and clearly.
XML(2)
• Tag
• Element
• Content
XML(3) 
XML(4) 
XML vs JSON 
Web Services
• A web service is a software system designed to support machine-to-machine interaction over a network.
• Web services are frequently used simply as Internet Application Programming Interfaces (APIs).
• Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
• SOAP (Simple Object Access Protocol)
– Web service based on XML
• REST (Representational State Transfer)
– Web service whose resources are represented in the application's own format
SOAP Example 
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
REST Example 
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
Web Architecture Attack 
Web Architecture 
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack 
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP 2013
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
Security Controls & Mechanism 
Security Control
• Application Layer
• Network Layer
Application Layer
• Input Validation
• Session Management
• Authentication Method
• Strong Policy (such as a password policy)
• Same-Origin Policy
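Two of the application-layer controls above, same-origin policy and input validation, worked through together as an added example that is not part of the deck: the origin comparison a browser performs (scheme, host, port; default ports normalized), reused on the server to validate a user-supplied redirect target so that the "Unvalidated Redirects and Forwards" entry of the OWASP list cannot occur. APP_ORIGIN is an assumed value.

```python
# Added example (not from the slides): the same-origin comparison browsers
# apply, reused server-side to validate redirect targets.  APP_ORIGIN is an
# assumed origin for the application.
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
APP_ORIGIN = "https://app.example.test"   # assumed


def origin_of(url: str) -> Tuple[str, str, int]:
    """Return (scheme, host, port), the triple the same-origin policy compares.
    Path, query and fragment play no part; a default port equals an explicit one."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return scheme, parts.hostname.lower(), port


def same_origin(a: str, b: str) -> bool:
    """True when two URLs share scheme, host and port."""
    return origin_of(a) == origin_of(b)


def safe_redirect_target(target: str, base: str = APP_ORIGIN) -> Optional[str]:
    """Resolve a user-supplied redirect target against our origin and return
    the absolute URL only if it stays on that origin; otherwise None."""
    # CR/LF would let the value break out of the Location header.  Browsers
    # treat '\' like '/' in http(s) URLs, so '/\host' would resolve to
    # '//host' (another origin) even though urljoin keeps it as a path.
    if not target or any(c in target for c in "\r\n\\"):
        return None
    resolved = urljoin(base.rstrip("/") + "/", target)
    try:
        return resolved if same_origin(resolved, base) else None
    except ValueError:          # non-http(s) scheme, no host, bad port
        return None


if __name__ == "__main__":
    for candidate in ("/account?tab=1", "//other.example.test/", "https://app.example.test:443/ok"):
        print(candidate, "->", safe_redirect_target(candidate))
```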
Network Layer
• Firewall
• Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
• Web Application Firewall (WAF)
• Centralized Log Server
Network Layer Diagram 
Reference :: http://www.umv.co.kr/main_eng/sm_enterprise.php 
Questions 
www.i-secure.co.th 
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.

Weitere ähnliche Inhalte

Was ist angesagt?

Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServicesPrateek Tandon
 
High performance website
High performance websiteHigh performance website
High performance websiteChamnap Chhorn
 
introduction to web technology
introduction to web technologyintroduction to web technology
introduction to web technologyvikram singh
 
External Data Access with jQuery
External Data Access with jQueryExternal Data Access with jQuery
External Data Access with jQueryDoncho Minkov
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
იოსებ ძმანაშვილი - The Web APIs
იოსებ ძმანაშვილი - The Web APIsიოსებ ძმანაშვილი - The Web APIs
იოსებ ძმანაშვილი - The Web APIsunihack
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web APIBrad Genereaux
 
The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016Restlet
 
Representational State Transfer
Representational State TransferRepresentational State Transfer
Representational State TransferAlexei Skachykhin
 
Restful web services by Sreeni Inturi
Restful web services by Sreeni InturiRestful web services by Sreeni Inturi
Restful web services by Sreeni InturiSreeni I
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyStormpath
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design WebinarStormpath
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)Jef Claes
 
The RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleThe RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleEmiliano Pecis
 
Vskills angular js sample material
Vskills angular js sample materialVskills angular js sample material
Vskills angular js sample materialVskills
 

Was ist angesagt? (20)

Rest & RESTful WebServices
Rest & RESTful WebServicesRest & RESTful WebServices
Rest & RESTful WebServices
 
High performance website
High performance websiteHigh performance website
High performance website
 
Introduction To REST
Introduction To RESTIntroduction To REST
Introduction To REST
 
introduction to web technology
introduction to web technologyintroduction to web technology
introduction to web technology
 
External Data Access with jQuery
External Data Access with jQueryExternal Data Access with jQuery
External Data Access with jQuery
 
Seo and analytics basics
Seo and analytics basicsSeo and analytics basics
Seo and analytics basics
 
Restful web services ppt
Restful web services pptRestful web services ppt
Restful web services ppt
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
იოსებ ძმანაშვილი - The Web APIs
იოსებ ძმანაშვილი - The Web APIsიოსებ ძმანაშვილი - The Web APIs
იოსებ ძმანაშვილი - The Web APIs
 
Introduction to the Web API
Introduction to the Web APIIntroduction to the Web API
Introduction to the Web API
 
The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016The never-ending REST API design debate -- Devoxx France 2016
The never-ending REST API design debate -- Devoxx France 2016
 
Representational State Transfer
Representational State TransferRepresentational State Transfer
Representational State Transfer
 
Restful web services by Sreeni Inturi
Restful web services by Sreeni InturiRestful web services by Sreeni Inturi
Restful web services by Sreeni Inturi
 
REST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And JerseyREST API Design for JAX-RS And Jersey
REST API Design for JAX-RS And Jersey
 
Elegant Rest Design Webinar
Elegant Rest Design WebinarElegant Rest Design Webinar
Elegant Rest Design Webinar
 
Web Technology Fundamentals
Web Technology FundamentalsWeb Technology Fundamentals
Web Technology Fundamentals
 
REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)REST and ASP.NET Web API (Milan)
REST and ASP.NET Web API (Milan)
 
The RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with OracleThe RESTful Soa Datagrid with Oracle
The RESTful Soa Datagrid with Oracle
 
5. HTML5
5. HTML55. HTML5
5. HTML5
 
Vskills angular js sample material
Vskills angular js sample materialVskills angular js sample material
Vskills angular js sample material
 

Ähnlich wie Web Architecture

Web architecture mechanism and threats
Web architecture   mechanism and threatsWeb architecture   mechanism and threats
Web architecture mechanism and threatsSumedt Jitpukdebodin
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishJava API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishArun Gupta
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Nordic APIs
 
Conf2013 bchristensen thebig_t
Conf2013 bchristensen thebig_tConf2013 bchristensen thebig_t
Conf2013 bchristensen thebig_tBeau Christensen
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...CA API Management
 
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...Puneet Sachdev
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdfksudhakarreddy5
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology EssayPamela Wright
 
Asynchronous architecture (Node.js & Vert.x)
Asynchronous architecture (Node.js & Vert.x)Asynchronous architecture (Node.js & Vert.x)
Asynchronous architecture (Node.js & Vert.x)Yu Kwangjong
 
Accelerating breakthrough business technologies in atlanta, tag featured spea...
Accelerating breakthrough business technologies in atlanta, tag featured spea...Accelerating breakthrough business technologies in atlanta, tag featured spea...
Accelerating breakthrough business technologies in atlanta, tag featured spea...Melanie Brandt
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Jeremiah Grossman
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...ufpb
 
Oracle REST Data Services
Oracle REST Data ServicesOracle REST Data Services
Oracle REST Data ServicesChris Muir
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Matt Raible
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001Miguel Ibarra
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Jeremiah Grossman
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Jeremiah Grossman
 
Ed presents JSF 2.2 at a 2013 Gameduell Tech talk
Ed presents JSF 2.2 at a 2013 Gameduell Tech talkEd presents JSF 2.2 at a 2013 Gameduell Tech talk
Ed presents JSF 2.2 at a 2013 Gameduell Tech talkEdward Burns
 

Ähnlich wie Web Architecture (20)

Web architecture mechanism and threats
Web architecture   mechanism and threatsWeb architecture   mechanism and threats
Web architecture mechanism and threats
 
Java API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFishJava API for WebSocket 1.0: Java EE 7 and GlassFish
Java API for WebSocket 1.0: Java EE 7 and GlassFish
 
Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)Open APIs - Risks and Rewards (Øredev 2013)
Open APIs - Risks and Rewards (Øredev 2013)
 
Conf2013 bchristensen thebig_t
Conf2013 bchristensen thebig_tConf2013 bchristensen thebig_t
Conf2013 bchristensen thebig_t
 
Unit 1 b
Unit 1 bUnit 1 b
Unit 1 b
 
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
API Roles In Cloud and Mobile Security - Greg Olsen, IT Manager, Integration ...
 
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
Institutionalizing Open Source - Puneet Sachdev - Nasscom Tech Series - June ...
 
HTTP_Header_Security.pdf
HTTP_Header_Security.pdfHTTP_Header_Security.pdf
HTTP_Header_Security.pdf
 
E-Business And Technology Essay
E-Business And Technology EssayE-Business And Technology Essay
E-Business And Technology Essay
 
Asynchronous architecture (Node.js & Vert.x)
Asynchronous architecture (Node.js & Vert.x)Asynchronous architecture (Node.js & Vert.x)
Asynchronous architecture (Node.js & Vert.x)
 
Accelerating breakthrough business technologies in atlanta, tag featured spea...
Accelerating breakthrough business technologies in atlanta, tag featured spea...Accelerating breakthrough business technologies in atlanta, tag featured spea...
Accelerating breakthrough business technologies in atlanta, tag featured spea...
 
Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008Top Ten Web Hacking Techniques – 2008
Top Ten Web Hacking Techniques – 2008
 
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
A little bit about code injection in WebApplication Frameworks (CVE-2018-1466...
 
Oracle REST Data Services
Oracle REST Data ServicesOracle REST Data Services
Oracle REST Data Services
 
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...
 
Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013Java Web Application Security - Denver JUG 2013
Java Web Application Security - Denver JUG 2013
 
Defcon9 Presentation2001
Defcon9 Presentation2001Defcon9 Presentation2001
Defcon9 Presentation2001
 
Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"Web Application Security - "In theory and practice"
Web Application Security - "In theory and practice"
 
Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012Top Ten Web Hacking Techniques of 2012
Top Ten Web Hacking Techniques of 2012
 
Ed presents JSF 2.2 at a 2013 Gameduell Tech talk
Ed presents JSF 2.2 at a 2013 Gameduell Tech talkEd presents JSF 2.2 at a 2013 Gameduell Tech talk
Ed presents JSF 2.2 at a 2013 Gameduell Tech talk
 

Mehr von Sumedt Jitpukdebodin (13)

How to create your own hack environment
How to create your own hack environmentHow to create your own hack environment
How to create your own hack environment
 
Phishing
PhishingPhishing
Phishing
 
Which side are you
Which side are youWhich side are you
Which side are you
 
Endpoint is not enough
Endpoint is not enoughEndpoint is not enough
Endpoint is not enough
 
Antivirus is hopeless
Antivirus is hopelessAntivirus is hopeless
Antivirus is hopeless
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
 
R u hacked
R u hackedR u hacked
R u hacked
 
Fundamental of malware analysis
Fundamental of malware analysisFundamental of malware analysis
Fundamental of malware analysis
 
Security awareness training
Security awareness trainingSecurity awareness training
Security awareness training
 
Hacking with paper
Hacking with paperHacking with paper
Hacking with paper
 
DDoS handlering
DDoS handleringDDoS handlering
DDoS handlering
 
Incident response before:after breach
Incident response before:after breachIncident response before:after breach
Incident response before:after breach
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 

Kürzlich hochgeladen

1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfAyushMahapatra5
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Measures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeMeasures of Central Tendency: Mean, Median and Mode
Measures of Central Tendency: Mean, Median and ModeThiyagu K
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdfBASLIQ CURRENT LOOKBOOK  LOOKBOOK(1) (1).pdf
BASLIQ CURRENT LOOKBOOK LOOKBOOK(1) (1).pdfSoniaTolstoy
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfagholdier
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...Sapna Thakur
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 

Kürzlich hochgeladen (20)

Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"Mattingly "AI & Prompt Design: The Basics of Prompt Design"
Mattingly "AI & Prompt Design: The Basics of Prompt Design"
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Class 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdfClass 11th Physics NEET formula sheet pdf
Class 11th Physics NEET formula sheet pdf
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 

Web Architecture

URI
 URI(Universal Resource Identifier)

URI(2)
 URL(Universal Resource Locator)
 URN(Universal Resource Name)

HTTP
 HTTP(Hyper Text Transfer Protocol)
 HTTP is an application layer protocol.
 HTTP has 2 way communication: HTTP Request and HTTP Response.

HTTP(2)
 Request Message
– Request Line
– Request Header
– An empty line
– An optional Message Body

HTTP(3)

Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT

Safe Method
– HEAD
– GET
– OPTIONS
– TRACE
– POST
– PUT
– DELETE
– CONNECT

Status Code
 Success: 2xx
 Redirection: 3xx
 Client-Side Error: 4xx
 Server-Side Error: 5xx

HTTP Session State
 HTTP is a stateless protocol
 Solutions
– Cookies
– Sessions
– Hidden variable
– URL-encoded parameter (/index.php?session_id=$session_code)
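As an added example (not part of the deck), the Python below parses a request message in the layout the Request Message slide describes, applies the safe/unsafe split from the Safe Method slide (safe set per RFC 7231), and reads the session cookie the HTTP Session State slide mentions; the sample request and cookie values are constructed.

```python
# Added example, not from the original deck: parse one HTTP request message
# (request line, header lines, an empty line, optional body) and classify it.
from dataclasses import dataclass, field

# RFC 7231 safe (read-only) methods; POST, PUT, DELETE, CONNECT are not safe.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
KNOWN_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT"}

@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)  # names lower-cased
    body: bytes = b""

    def is_safe(self) -> bool:
        return self.method in SAFE_METHODS

    def cookies(self) -> dict:
        """Cookie header as name/value pairs (the session-tracking case)."""
        raw = self.headers.get("cookie", "")
        return dict(p.strip().split("=", 1) for p in raw.split(";") if "=" in p)

def parse_request(data: bytes) -> HttpRequest:
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError("unknown method: %r" % method)
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    # Only Content-Length decides how much body belongs to this request;
    # trailing bytes stay on the connection and are never treated as body.
    length = int(headers.get("content-length", "0"))
    return HttpRequest(method, target, version, headers, rest[:length])

# Constructed sample: a POST carrying a session cookie, as on the deck's slides.
SAMPLE = (b"POST /index.php HTTP/1.1\r\nHost: example.test\r\n"
          b"Cookie: PHPSESSID=abc123; theme=dark\r\nContent-Length: 8\r\n"
          b"\r\nuser=bobEXTRA")
```

Running `parse_request(SAMPLE)` yields an unsafe POST whose body is exactly the eight declared bytes, with the two cookies split out of the single Cookie header.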
Web Architecture Extension
 Two tier architecture is not enough
 Common Gateway Interface(CGI)
 Standard protocol for interfacing external application software with a web server
 CGI programs are executable programs that run on the web server.

Javascript
 Scripting language designed for dynamic, interactive web applications
 Runs on the client side.
 Preprocesses data on the client before submission to a server.
 Changes content type and styles

Three tier web architecture

Make HTTP stateful(2)
 Cookie
 A text stored on a client's computer by a web browser.
 Sent as an HTTP Header
 Can be used for authentication and session tracking

Server and Client Processing
 Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python, Django
– Ruby on Rails
 Client-Side Processing
– CSS
– HTML
– Javascript
– Adobe Flash
– Microsoft Silverlight

AJAX
 Asynchronous Javascript and XML(AJAX)
 Created by Jesse James Garrett, February 18, 2005
 Ajax incorporates XHTML, CSS, Document Object Model(DOM), XML and XSLT, XMLHttpRequest, Javascript

AJAX(2)

AJAX(3)

JSON
 Javascript Object Notation(JSON)
 JSON is a lightweight computer data interchange format.
 JSON is based on a subset of the Javascript programming language.
 Used in place of the XML format.

JSON Request && Response

JSON(2)

XML
 eXtensible Markup Language
 Used for information exchange.
 Two primary building blocks of XML are elements and attributes.
 Elements are tags and have values.
 Elements are structured as a tree.
 Alternatively, elements may have both attributes as well as data.
 Attributes help you to give more meaning and describe your element more efficiently and clearly.

XML(2)
 Tag
 Element
 Content

XML(3)

XML(4)

XML vs JSON

Web Services
 A web service is a software system designed to support machine-to-machine interaction over a network.
 Web services are frequently just used as Internet Application Programming Interfaces(API).
 Web services use HTTP for transmitting messages(RPC,SOAP,REST)

SOAP vs REST
 SOAP(Simple Object Access Protocol)
– Web service based on XML
 REST(Representational State Transfer)
– Web service represented in the format of the application

SOAP vs REST

SOAP Example
Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

REST Example
Reference:: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Web Architecture Attack

Web Architecture
Reference :: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Web Architecture Attack
Reference :: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

OWASP 2013
 Injection
 Broken Authentication and Session Management
 Cross-Site Scripting(XSS)
 Insecure Direct Object Reference
 Security Misconfiguration
 Sensitive Data Exposure
 Missing Function Level Access Control
 Cross-Site Request Forgery(CSRF)
 Using Components with Known Vulnerabilities
 Unvalidated Redirects and Forwards

Security Controls & Mechanism

Security Control
 Application Layer
 Network Layer

Application Layer
 Input Validation
 Session Management
 Authentication Method
 Strong Policy(such as password policy)
 Same-Origin Policy

Network Layer
 Firewall
 Intrusion Detection System/Intrusion Prevention System(IDS/IPS)
 Web Application Firewall(WAF)
 Centralized Log Server

Network Layer Diagram
Reference :: http://www.umv.co.kr/main_eng/sm_enterprise.php

Questions
www.i-secure.co.th