Web Application
Security and Awareness
Abdul Rahman, Sherzad
Lecturer at Computer Science Faculty of Herat
University, Afghanistan, and
Ph.D. Student at Technical University of Berlin,
Germany
December 19, 2016
12th IT Conference for Higher Education in Afghanistan
January 05, 2017
Hariwa Institute of Higher Education, Herat, Afghanistan
Major problems were only caused by a collection
of smaller factors, and only a reverse similar
behavior is needed to resolve the given situation
(Sherzad).
Goal and Objectives
Build security awareness for web applications
Get to know attack methods
Learn ways to discover security vulnerabilities
Learn the basics of secure web development
Web Application Security
■ Websites
■ Web Applications
■ Web Services
Intentions
■ Malicious Damage
■ Financial Gain
■ Blackmail
■ Further Attacks
■ Political
■ Competitor
■ Commercial
■ Personal Grievance
■ Discover Vulnerabilities
■ Show Skills
[1]
Security Threats
■ The majority of web application attacks occur through
– Cross Site Scripting (XSS)
– SQL Injection
■ The majority of web application vulnerabilities arise from
– Weak coding,
– Failure to properly validate input,
– Failure to sanitize output.
[2] [3] [4]
2010 Web Applications Weakness
[2] [3] [4]
User Input
• Attacker can easily change any part of the HTTP request
before submitting
– Cookies
– Form fields
– Hidden fields
– URL
– Headers
• The ultimate solution: Input must be validated on the
SERVER!
– Not just on the CLIENT!
[5]
Client-side - Demo Link
■ Client-side Validation (Can be disabled by client)
– HTML5
– JavaScript
■ Input Fields (Can be Modified by client)
– Hidden Fields
– Dropdown
■ Cookies (Can be Changed by client)
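The two slides above make one point: cookies, hidden fields and dropdown values are client-controlled, so the server must re-validate everything. The following is an added example, not code from the slides: a server-side validator for an order form in which the product id comes from a hidden field, the shipping option from a dropdown and the quantity from a text field. The catalog, field names and limits are constructed for the demo; any client-supplied "price" is simply ignored and the total recomputed from the server's own price list.

```python
# Added example (not from the slides): server-side validation of an order form.
# The catalog, field names and limits below are constructed for the demo.
from typing import Any, Dict, List

# Authoritative prices live on the server; the client never gets to set them.
CATALOG: Dict[str, float] = {"book-101": 12.50, "pen-7": 1.20}
ALLOWED_SHIPPING = {"standard", "express"}   # the only values the dropdown should offer
MAX_QUANTITY = 99


def validate_order(form: Dict[str, str]) -> Dict[str, Any]:
    """Validate a submitted form as if every field were attacker-controlled.

    Returns {"ok": True, "total": ..., "shipping": ...} on success or
    {"ok": False, "errors": [...]} listing every failed check.
    """
    errors: List[str] = []

    # Hidden field: must name a product the server knows about.
    product_id = form.get("product_id", "")
    if product_id not in CATALOG:
        errors.append("unknown product_id")

    # Free-text field: must parse as an integer within the business limits.
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        errors.append("quantity is not an integer")
    else:
        if not 1 <= quantity <= MAX_QUANTITY:
            errors.append(f"quantity must be between 1 and {MAX_QUANTITY}")

    # Dropdown: the browser restricts the choices, the HTTP request does not.
    shipping = form.get("shipping", "")
    if shipping not in ALLOWED_SHIPPING:
        errors.append("invalid shipping option")

    if errors:
        return {"ok": False, "errors": errors}

    # A client-supplied "price" field is never read: the total is recomputed here.
    total = round(CATALOG[product_id] * quantity, 2)
    return {"ok": True, "total": total, "shipping": shipping}


if __name__ == "__main__":
    # Constructed request whose hidden price and dropdown value were edited by the client.
    tampered = {"product_id": "book-101", "quantity": "2", "price": "0.01", "shipping": "free"}
    print(validate_order(tampered))
```

The same pattern applies to cookies: treat a cookie as a lookup key into server-side state, never as a trusted statement of who the user is or what they may do.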
Phishing – Demo Link
■ Hackers use E-MAIL / Instant Messages to fish for or steal users' personal and
financial information
– User ID / Password
– Credit Card Number
– PIN
■ In a typical phishing attack a user receives an e-mail message that impersonates
a bank or other e-commerce enterprise.
■ 1%–20% of users respond to such attacks.
■ In Afghanistan it is very common and effective!!!
[6] [7]
Phishing Ultimate Solutions
■ Policy guidelines
■ Training the end users
■ User awareness
– Carefully check suspicious links!
– Do not click links in an E-MAIL asking for sensitive data!
– Do not trust TinyURL links!
– Do not enter CREDIT CARD or other sensitive data if the website address
doesn't start with https://
[6] [7]
Cross-site Scripting (XSS)
■ XSS is a security exploit in which the attacker inserts malicious client-side code into
webpages.
■ It has been around since the 1990s.
■ Most major websites like Google, Yahoo and Facebook have all been affected by
cross-site scripting flaws at some point.
■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's
session, run malicious code, or be used as part of a phishing scam.
– Reflected - Demo Link
– Persistent – Basic Demo Link || Steal Cookie Demo Link
[8] [9] [10]
Preventing XSS Attacks
■ Filtering
■ Input Validation / Output Sanitization
■ Select a safer browser
■ Use a virtual machine for suspicious links
■ Pay more attention to shortened URLs
■ Use plugins for better security (like NoScript).
[8] [9] [10]
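The first two items above, input validation and output sanitization, are the developer-side defences; the rest are end-user measures. The following is an added example, not code from the slides, showing what those two items look like in a server that reflects a request parameter into a page, as in the reflected demo: an allowlist check on input, the unescaped rendering beside the escaped one, and a link whose target is user-supplied, where escaping alone is not enough and the URL scheme must be restricted as well. Function names, the username rule and the probe string are constructed for the demo.

```python
# Added example (not from the slides): allowlist input validation plus
# context-aware output escaping. Function and field names are constructed.
import html
import re

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,20}")


def validate_username(value: str) -> bool:
    """Input validation: accept only what the application needs (allowlist)."""
    return USERNAME_RE.fullmatch(value) is not None


def render_greeting_vulnerable(name: str) -> str:
    """Reflects the parameter verbatim: markup inside 'name' becomes part of the page."""
    return "<p>Hello " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """HTML-body context: escape <, >, &, and both quote characters before interpolating."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def is_safe_href(url: str) -> bool:
    """Attribute context needs more than escaping: restrict the scheme as well."""
    return url.strip().lower().startswith(("http://", "https://"))


def render_link_safe(text: str, url: str) -> str:
    """Link with a user-supplied target: scheme allowlist first, then attribute escaping."""
    if not is_safe_href(url):
        url = "#"
    return '<a href="{}">{}</a>'.format(
        html.escape(url, quote=True), html.escape(text, quote=True)
    )


if __name__ == "__main__":
    probe = '<script>alert("xss")</script>'   # constructed test input
    print(render_greeting_vulnerable(probe))   # script tag reaches the browser intact
    print(render_greeting_safe(probe))         # rendered as visible text only
    print(render_link_safe("profile", "javascript:alert(1)"))
```

Escaping is context-specific: `html.escape` is correct for text and quoted attribute values, but data placed inside a `<script>` block or a CSS value needs a different encoder, and a value used as a URL needs the scheme check shown above. Validating input and escaping output are complementary, not alternatives.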
SQL Injection
■ SQL Injection is a technique where malicious users can
inject SQL commands into an SQL statement through
– URLs
– Input Parameters
– Others e.g. Cookie, HTTP Headers
■ SQL injection is a very old approach but it is still popular
among attackers.
[11] [12]
Possible Threats
■ Unauthorized access to application
– Logging in without knowing the username or the password
■ Access to whole database / databases on the server
– Attacker can delete, modify or even worse, steal the data
■ Read / write files on server's file system
■ Code execution
[11] [12]
SQL Injection - Demo Link
■ Login without knowing the username and the password
– anything' OR TRUE; --
■ Modify and steal the data
– anything' OR 1; UPDATE users SET email = 'evil@evitsite.com'
WHERE email = 'absherzad@gmail.com';--
■ Delete data and even drop the tables
– anything' OR 1; DROP TABLE users; --
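The following is an added example, not code from the slides, that builds the demo's login query both ways so the difference is visible in running code: once by string concatenation, where the slide's `anything' OR 1; --` input makes the password check disappear behind a comment, and once as a prepared statement, where the same input is bound as data and matches nothing. The in-memory users table and its rows are constructed for the demo; it stores plaintext passwords only so the injection stays visible, which is itself a weakness the deck addresses under "Salt & hash passwords". One caveat on the destructive payload: Python's `sqlite3` executes one statement per call and refuses stacked queries, so `DROP TABLE users` would not run even on the concatenated path here; database drivers that accept multiple statements, as in the slide's demo, would run it. The example therefore sends that payload only through the prepared statement and checks that the table survives.

```python
# Added example (not from the slides): the demo login built two ways.
# The in-memory users table and its rows are constructed for the demo.
import sqlite3
from typing import Optional


def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, email TEXT)"
    )
    # Plaintext passwords: deliberately weak, to keep the injection visible.
    conn.executemany(
        "INSERT INTO users (username, password, email) VALUES (?, ?, ?)",
        [("admin", "s3cret", "admin@example.com"), ("bob", "hunter2", "bob@example.com")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """String concatenation: the client's text is parsed as part of the SQL grammar."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Prepared statement: '?' placeholders are bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo() -> dict:
    conn = make_demo_db()
    bypass = "anything' OR 1; --"                    # the slide's login bypass
    drop = "anything' OR 1; DROP TABLE users; --"    # the slide's destructive payload
    return {
        # 'admin': "OR 1" matches every row and "--" comments out the password check
        "vulnerable_bypass": login_vulnerable(conn, bypass, "x"),
        # None: the whole payload is compared as a literal username
        "safe_bypass": login_safe(conn, bypass, "x"),
        # None, and the table is still there afterwards
        "safe_drop": login_safe(conn, drop, "x"),
        "users_left": user_count(conn),
        "legit": login_safe(conn, "bob", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Parameter binding is the fix because it separates code from data at the driver level; escaping quotes by hand is fragile and fails for numeric and identifier positions, where no quotes are involved at all.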
Mitigate Risk
■ Always validate input
■ Escape user input
■ Least privilege
■ Use prepared statements
■ Code reviews
■ Salt & hash passwords
[13] [14]
Conclusion - Core Security Principles
■ Use least privilege
■ Do not trust user input
■ Apply defense in depth
■ Fail securely and friendly
■ Turn off unneeded services
■ Keep systems patched
■ Watch for logic holes
■ Hide sensitive information
– Encryption
– Access controls
[15] [16]
Works Cited
1 The Australian High Tech Crime Center. (2005). Hacking Motives. Australia: Australian High Tech Crime Center.
2 The Ocenzic. (2014). Application Vulnerability Trends Report. Ocenzic.
3 The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP:
https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
4 The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASC: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
5 The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input
6 The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing
7 Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you-are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/
8 The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
9 Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from NetSparker: https://www.netsparker.com/blog/web-security/dangerous-complexity-of-web-application-security/
10 Abela, R. (2013, May 22). Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker:
https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/
11 The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection
12 Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker:
https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/
13 The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP:
https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
14 Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx
15 Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft.
16 Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.