With IoT on the rise and operating systems of every kind being connected to central networks, an intruder there can do far more damage than in a conventional IT system. For example, someone who breaks into an electric utility's network and operates its SCADA system can take the entire grid down; or assume the control system responsible for the backup mechanism is switched off, which can result in blackouts.
Preventing such havoc is what a security framework should address.
4. EVAL()
• eval()-like functions take a string argument and
• evaluate it as source code:
    var x = req.body.x;
    var y = req.body.y;
    var sum = eval(x + "+" + y);
• What if the attacker fills 'x' with:
    some.super.class.wipe.the.database('now');
• LOL :)
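The slide's eval() pattern next to a safe replacement, as an added example that is not part of the original deck. It assumes an Express-style req.body whose x and y fields are attacker-controlled strings; the attacker payload is constructed here and only plants an observable marker instead of wiping a database.

```javascript
// Added example: eval() on request input versus numeric conversion.
// Assumption: body is an Express-style req.body with string fields x and y.
'use strict';

// Vulnerable: eval() treats attacker-controlled text as source code, so any
// JavaScript placed in x or y runs with the server process's privileges.
function sumWithEval(body) {
  const x = body.x;
  const y = body.y;
  return eval(x + '+' + y);
}

// Reject anything that is not a non-empty string holding a finite number.
// Number('') and Number(null) are 0, so the empty/non-string cases are
// checked explicitly instead of relying on Number() alone.
function toFiniteNumber(raw) {
  if (typeof raw !== 'string' || raw.trim() === '') {
    throw new TypeError('expected a non-empty string');
  }
  const n = Number(raw);
  if (!Number.isFinite(n)) throw new TypeError(`not a finite number: ${raw}`);
  return n;
}

// Hardened: never evaluate input; convert it and add the numbers.
function sumSafely(body) {
  return toFiniteNumber(body.x) + toFiniteNumber(body.y);
}

// Constructed attacker input standing in for the slide's
// some.super.class.wipe.the.database('now'): it sets a global we can observe.
const attackerBody = { x: '1; globalThis.pwned = true; 1', y: '2' };
const honestBody = { x: '2', y: '3' };

function demo() {
  const results = {};
  results.honestEval = sumWithEval(honestBody);        // 5
  results.honestSafe = sumSafely(honestBody);          // 5
  results.attackEval = sumWithEval(attackerBody);      // 3: "1; globalThis.pwned = true; 1+2"
  results.pwnedAfterEval = globalThis.pwned === true;  // true: injected code ran
  try {
    sumSafely(attackerBody);
    results.attackSafe = 'accepted';
  } catch (e) {
    results.attackSafe = 'rejected';                   // 'rejected': Number() gives NaN
  }
  return results;
}

module.exports = { sumWithEval, sumSafely, toFiniteNumber, demo };
```

The vulnerable version still returns a plausible sum (3) for the attack input, which is why this class of bug survives functional testing: the side effect, not the return value, is the damage.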
6. SECURITY GAP
Security professionals don't know the applications.
Application developers and QA professionals don't know security.
The Web Application Security Gap:
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."
7. VULNERABILITIES
Platform:
  Known Vulnerabilities
Administration:
  Extension Checking
  Common File Checks
  Data Extension Checking
  Backup Checking
  Directory Enumeration
  Path Truncation
  Hidden Web Paths
  Forceful Browsing
Application:
  Application Mapping
  Cookie Manipulation
  Custom Application Scripting
  Parameter Manipulation
  Reverse Directory Traversal
  Brute Force
  Cookie Poisoning/Theft
  Buffer Overflow
  SQL Injection
  Cross-site Scripting
Application vulnerabilities occur in multiple areas.
12. DB SECURITY
• User Access Management – Authentication
• User Rights Management – Authorization
• Auditing
• Environmental and Process Control
• Encryption
• Network Encryption – SSL encryption for DB communication
Environment & Processes:
• Network Filter
• Binding IP Addresses
• Running in VPNs
• Dedicated OS User Account
• File System Permissions
• Query Injection
• Physical Access Controls
13. ENVIRONMENT & PROCESSES
• Network Filter
• Binding IP Addresses
• Running in VPNs
• Dedicated OS User Account
• File System Permissions
• Query Injection
• Physical Access Controls
14. MY ARCHITECTURE
(Architecture diagram; only its labels survive extraction.) Web Application and Mobile Application clients connect over SSL to a Firewall on a public IP that passes ports 83 and 2011. Behind it, an App Server on a public static IP listens on ports 83 and 88, and a Web Server on a public static IP listens on ports 2011 and 2016 (Static IP 1, Static IP 3). The DB Server / DB Node is reached over SSL with its listener bound to Static IP 1; a Web Server on port 2718 and a Traffic Log complete the Customer Environment.
18. PRACTICE
• Keep your DB and application versions up to date
• Always route your traffic through the firewall
• Identify a security owner for each application
• Test for what it has not been developed for (abuse cases, not only features)
• Create rules in the firewall
• Educate your network administrator
• Prepare a Risk Assessment blog
23. PLATFORM
Known Vulnerabilities
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures
24. ADMINISTRATION
Extension Checking
Common File Checks
Data Extension Checking
Backup Checking
Directory Enumeration
Path Truncation
Hidden Web Paths
Forceful Browsing
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration: must be aware of security flaws in the actual content
• Remnant files can reveal the applications and versions in use
• Backup files can reveal source code and database connection strings
25. APPLICATION
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be 'piggybacked' with a hacker's own database call, giving direct access to business data through a web browser
Application Mapping
Cookie Manipulation
Custom Application Scripting
Parameter Manipulation
Reverse Directory Traversal
Brute Force
Cookie Poisoning/Theft
Buffer Overflow
SQL Injection
Cross-site Scripting