Web architecture mechanism and threats
Sumedt Jitpukdebodin
Fundamentals of web architecture and threats, OWASP Thailand 2014
1.
© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin, Senior Security Researcher
CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
2.
~# whoami
Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
Jobs
- I-SECURE Co., Ltd.: Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
- Writer: English articles at http://packetstormsecurity.com/files/author/9011/ (or search my name); many Thai articles (search my Thai name)
- Book: "Hacking & Security Book: Network Security" ("หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ", roughly "the edition for becoming a penetration tester and defender")
Hobbies: penetration testing, hacking, reading infosec, playing games, travelling around the world, writing articles, teaching and more...
3.
Agenda
4.
Agenda
- Web Architecture
- Web Architecture Attacks
- Security Controls & Mechanisms
5.
Web Architecture
6.
Basic Web Architecture
Two-tier architecture:
- The web browser displays the content returned by the web server.
- The web server provides resources to the client.
7.
HTML
HTML (HyperText Markup Language)
- Document layout language
- Viewed with a web browser
8.
URI
URI (Uniform Resource Identifier): a string that identifies a resource, by name, by location, or both.
9.
URI (2)
URL (Uniform Resource Locator): identifies a resource by where it is (scheme, host, path).
URN (Uniform Resource Name): identifies a resource by a persistent name, independent of its location.
10.
HTTP
HTTP (HyperText Transfer Protocol)
- HTTP is an application-layer protocol.
- HTTP is a two-way exchange: an HTTP request from the client, an HTTP response from the server.
11.
HTTP (2)
Request message:
- Request line
- Request headers
- An empty line
- An optional message body
12.
HTTP (3)
13.
Request methods
- HEAD
- GET
- POST
- PUT
- DELETE
- TRACE
- OPTIONS
- CONNECT
14.
Safe methods (read-only; a conforming server performs no state change for them):
- HEAD
- GET
- OPTIONS
- TRACE
Unsafe (state-changing) methods:
- POST
- PUT
- DELETE
- CONNECT
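The request-message layout of slide 11 and the safe/unsafe split above, as an added example that is not part of the deck: a small parser that splits a raw HTTP/1.1 request into request line, headers, empty line and body, classifies the method, and rejects the framing ambiguities (conflicting Content-Length values, whitespace around a header name) that request-smuggling attacks depend on. The sample request is constructed.

```python
"""Parse a raw HTTP/1.1 request into request line, headers, empty line and
body, then classify the method as safe or state-changing.
Added example for this deck; the sample request below is constructed."""
from dataclasses import dataclass, field
from typing import Dict

# RFC 7231 section 4.2.1: safe methods are defined as read-only.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
# The deck's remaining methods change state (or, for CONNECT, open a tunnel).
UNSAFE_METHODS = frozenset({"POST", "PUT", "DELETE", "CONNECT"})


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # keys lower-cased
    body: bytes = b""


def is_safe(method: str) -> bool:
    """True for methods a server may serve without side effects."""
    return method in SAFE_METHODS


def parse_request(raw: bytes) -> Request:
    """Split a request message into its four parts.

    Rejects the ambiguities that request-smuggling attacks rely on:
    conflicting Content-Length values and whitespace around a field name.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing empty line between headers and body")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "strict").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    method, target, version = parts
    if method not in SAFE_METHODS | UNSAFE_METHODS:
        raise ValueError("unknown method %r" % method)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line %r" % line)
        key, value = name.lower(), value.strip()
        if key == "content-length" and headers.get(key, value) != value:
            raise ValueError("conflicting Content-Length headers")
        headers[key] = value

    body = b""
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("invalid Content-Length")
        length = int(headers["content-length"])
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        body = rest[:length]  # anything beyond belongs to the next request
    return Request(method, target, version, headers, body)


# Constructed sample: a login form submission.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req.method, req.target, "safe" if is_safe(req.method) else "state-changing")
    print(req.headers, req.body)
```

Header names are compared case-insensitively, as the protocol requires; the body is cut at exactly Content-Length bytes so that a trailing second request cannot be silently swallowed.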
15.
Status codes
- Success: 2xx
- Redirection: 3xx
- Client-side error: 4xx
- Server-side error: 5xx
16.
HTTP session state
HTTP is a stateless protocol.
Solutions:
- Cookies
- Sessions
- Hidden form fields
- URL parameter (/index.php?session_id=$session_code); note that a session identifier in the URL ends up in server logs, browser history and Referer headers
17.
Web architecture extensions
Two-tier architecture is not enough.
Common Gateway Interface (CGI): a standard protocol for interfacing a web server with external application software. CGI programs are executables that run on the web server.
18.
JavaScript
- Scripting language designed for dynamic, interactive web applications
- Runs on the client side
- Pre-processes data on the client before submission to a server (a convenience for the user, not a security control: the server must validate the data again)
- Changes page content and styles
19.
Three-tier web architecture
20.
Making HTTP stateful (2)
Cookie: a small piece of text stored on the client's computer by the web browser.
- Sent as an HTTP header (Set-Cookie from the server, Cookie from the client)
- Can be used for authentication and session tracking
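The session mechanisms of slides 16 and 20 in code, as an added example that is not part of the deck: issuing a session cookie with an unguessable identifier and the protective attributes set, auditing a Set-Cookie value for the attributes it lacks, and flagging the URL-parameter variant. The cookie name SESSIONID and the "sess" substring used to spot session parameters are assumptions; the header values are constructed.

```python
"""Issue a session cookie with the protective attributes set, audit a
Set-Cookie value for the ones that are missing, and flag session identifiers
carried in the URL. Added example for this deck; the cookie name and the
parameter-name heuristic are assumptions."""
import secrets
from http.cookies import SimpleCookie
from typing import List
from urllib.parse import parse_qs, urlsplit

# Attributes every session cookie should carry (lower-cased for comparison).
REQUIRED_ATTRIBUTES = ("httponly", "secure", "samesite")


def new_session_id() -> str:
    """256 bits from the OS CSPRNG, URL-safe; not guessable, unlike a
    counter, a timestamp or a hash of the username."""
    return secrets.token_urlsafe(32)


def issue_session_cookie(name: str = "SESSIONID") -> str:
    """Return the value of a Set-Cookie header for a fresh session."""
    jar = SimpleCookie()
    jar[name] = new_session_id()
    jar[name]["httponly"] = True       # not readable by script: limits theft via XSS
    jar[name]["secure"] = True         # sent over HTTPS only
    jar[name]["samesite"] = "Strict"   # withheld on cross-site requests: blunts CSRF
    jar[name]["path"] = "/"
    return jar[name].OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Names of the required attributes absent from a Set-Cookie value."""
    attributes = header_value.split(";")[1:]           # first piece is name=value
    present = {a.strip().split("=", 1)[0].lower() for a in attributes}
    return [a for a in REQUIRED_ATTRIBUTES if a not in present]


def session_id_in_url(url: str) -> bool:
    """True when a query parameter looks like a session token (the
    /index.php?session_id=... pattern of slide 16). URL-borne tokens leak
    through Referer headers, browser history and server logs."""
    query = parse_qs(urlsplit(url).query)
    return any("sess" in key.lower() for key in query)


if __name__ == "__main__":
    header = issue_session_cookie()
    print("Set-Cookie:", header)
    print("missing:", audit_set_cookie("SESSIONID=abc123; Path=/"))
    print("session in URL:", session_id_in_url("/index.php?session_id=abc123"))
```

The audit only checks attribute presence; whether the identifier itself is random (as new_session_id produces) has to be checked at the point where it is generated, which is why that step is its own function. SameSite support in http.cookies needs Python 3.8 or later.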
21.
Server-side and client-side processing
Server-side processing: PHP, ASP, ASP.NET, Perl, J2EE, Python (Django), Ruby on Rails
Client-side processing: CSS, HTML, JavaScript, Adobe Flash, Microsoft Silverlight
22.
AJAX
Asynchronous JavaScript and XML (AJAX)
Term coined by Jesse James Garrett on February 18, 2005.
Ajax incorporates XHTML, CSS, the Document Object Model (DOM), XML and XSLT, XMLHttpRequest and JavaScript.
23.
AJAX (2)
24.
AJAX (3)
25.
JSON
JavaScript Object Notation (JSON)
- JSON is a lightweight data interchange format.
- JSON is based on a subset of the JavaScript language.
- Used in place of XML.
26.
JSON request and response
27.
JSON (2)
28.
XML
eXtensible Markup Language
- Used for information exchange.
- The two primary building blocks of XML are elements and attributes.
- Elements are tags and have content; elements are structured as a tree.
- An element may carry attributes as well as content.
- Attributes add meaning and describe an element more precisely.
29.
XML (2): tag, element, content
30.
XML (3)
31.
XML (4)
32.
XML vs JSON
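The XML building blocks of slides 28 to 31 (elements as a tree, attributes, text content) and the XML-vs-JSON comparison of slide 32, as an added example that is not part of the deck: a converter that maps an XML document onto a plain dictionary and emits the JSON equivalent, refusing any document that carries a DOCTYPE, since the DTD is where entity declarations (external entities, expansion bombs) live and API data exchange has no need for one. The order document and the '@attributes'/'#text' key convention are constructed for the example.

```python
"""Turn an XML document (elements, attributes, text content) into a plain
dict and emit the JSON equivalent, refusing any document that carries a
DOCTYPE. Added example for this deck; the order document is constructed."""
import json
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def element_to_dict(elem: ET.Element) -> Any:
    """Attributes go under '@attributes', text under '#text'; a child tag that
    occurs once becomes a value, one that repeats becomes a list. A leaf with
    only text collapses to that string."""
    node: Dict[str, Any] = {}
    if elem.attrib:
        node["@attributes"] = dict(elem.attrib)
    grouped: Dict[str, List[Any]] = {}
    for child in elem:
        grouped.setdefault(child.tag, []).append(element_to_dict(child))
    for tag, items in grouped.items():
        node[tag] = items[0] if len(items) == 1 else items
    text = (elem.text or "").strip()
    if text:
        node["#text"] = text
    if set(node) == {"#text"}:
        return text
    return node


def parse_xml_safely(data: bytes) -> Dict[str, Any]:
    """Parse untrusted XML exchanged with an API."""
    if DOCTYPE_RE.search(data):
        # A DTD is where entity declarations live (external entities, entity
        # expansion bombs); data exchange has no legitimate need for one.
        raise ValueError("DOCTYPE is not allowed")
    root = ET.fromstring(data)
    return {root.tag: element_to_dict(root)}


def to_json(data: bytes) -> str:
    """The same information as JSON, the alternative the deck compares."""
    return json.dumps(parse_xml_safely(data), sort_keys=True, indent=2)


# Constructed sample: attributes, a text-only element and a repeated element.
SAMPLE_XML = b"""<?xml version="1.0"?>
<order id="1001" currency="THB">
  <customer>Somchai</customer>
  <item sku="A1">2</item>
  <item sku="B7">1</item>
</order>"""

if __name__ == "__main__":
    print(to_json(SAMPLE_XML))
```

The JSON output makes the structural difference visible: XML distinguishes attributes from child elements, JSON has only keys and values, so any mapping between the two has to invent a convention (here '@attributes' and '#text'). Rejecting DOCTYPE up front is deliberately cruder than configuring the parser, and therefore independent of which XML library ends up behind the API.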
33.
Web services
- A web service is a software system designed to support machine-to-machine interaction over a network.
- Web services are frequently just Internet application programming interfaces (APIs).
- Web services use HTTP for transmitting messages (RPC, SOAP, REST).
34.
SOAP vs REST
SOAP (Simple Object Access Protocol): web service based on XML envelopes.
REST (Representational State Transfer): web service that exposes resources over HTTP in whatever representation (JSON, XML, ...) the application chooses.
35.
SOAP vs REST
36.
SOAP example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
37.
REST example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
38.
Web Architecture Attacks
39.
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
40.
Web Architecture Attacks
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
41.
OWASP Top 10 2013
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
42.
Security Controls & Mechanisms
43.
Security controls
- Application layer
- Network layer
44.
Application layer
- Input validation
- Session management
- Authentication method
- Strong policies (such as a password policy)
- Same-origin policy
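Injection (A1 on the OWASP Top 10 2013 list of slide 41) together with the input-validation control listed above, as an added example that is not part of the deck: the same login query built by string formatting and with bound parameters, run against an in-memory SQLite database so that the bypass and its fix can both be executed, plus an allowlist check on the username. The users table, the credentials and the attack payloads are constructed; passwords are kept in clear only to keep the demo short (a real system stores a salted hash).

```python
"""Injection, the first entry of the OWASP Top 10 2013, run against an
in-memory SQLite database: the same login query built by string formatting
and with bound parameters. Added example for this deck; the users table,
credentials and payloads are constructed (passwords are stored in clear only
to keep the demo short; a real system stores a salted hash)."""
import re
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Untrusted input pasted into the SQL text: a quote in the input ends the
    literal and everything after it becomes syntax."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, name: str, password: str) -> Optional[str]:
    """Bound parameters travel as data and can never alter the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def validate_username(name: str) -> str:
    """Allowlist validation (the first application-layer control on slide 44):
    check the shape before the database ever sees the value. A complement to
    bound parameters, not a replacement for them."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError("invalid username")
    return name


if __name__ == "__main__":
    db = make_db()
    # The comment sequence throws the password check away.
    print(login_vulnerable(db, "alice' --", "wrong"))   # alice
    print(login_safe(db, "alice' --", "wrong"))         # None
```

Two payloads are worth trying against login_vulnerable: `alice' --` comments out the password check and logs in as a chosen user, and a password of `' OR '1'='1` makes the WHERE clause true for every row, so the first user in the table is returned. login_safe returns None for both, and validate_username rejects both before any query is built.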
45.
Network layer
- Firewall
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
- Web Application Firewall (WAF)
- Centralized log server
46.
Network layer diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
47.
Questions
www.i-secure.co.th
ACIS i-secure Co., Ltd.