SlideShare a Scribd company logo

Web Application Security

n|u - The Open Security Community
n|u - The Open Security Community

This document discusses several common web application vulnerabilities and attacks, including denial of service (DoS) attacks, SQL injection, cross-site scripting (XSS), and the Heartbleed bug. It also provides tips on mitigating these risks, such as using strong passwords, regular backups, and following security best practices. Additionally, it introduces the Open Web Application Security Project (OWASP) which works to create freely available security standards, methodologies, and tools to help developers build more secure applications.

Related slideshows

Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
 
XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
1 of 8
Download to read offline
Web Application Security Prabhu Shiv Singh
Alphabets - APSTNDP
Coming for ya !...vulnerabilities and attacks • Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create. • SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
Heartbleed….not heartache ! • Heartbleed is a security bug in the open- source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. • Check here: http://filippo.io/Heartbleed • To make sure if the problem actually exists: Run cmd $ openssl version -a • "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1" • 2. Not sure what version of OS you are on, and whether patch exists, but you can build openssl: https://www.openssl.org/source/openssl- 1.0.1g.tar.gz
CAPTCHA my comments… else… (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge- response test used in computing to determine whether or not the user is human.
Gotcha…now what ? Top Reasons for web-application level attacks: • Low Quality application code – not following security standards • File Permissions incorrectly set – securest – 655 • DB Admin, Cpanel, FTP passwords are weak Regular DB – Files backup policy should be in place from the start • http://httpd.apache.org/docs/2.4/misc/security_tip s.html - var/log/apache2/error.log Google can detect and inform you of malicious scripts in a website – Google Attack Page • Hacked Account: What to Look For: • http://support.hostgator.com/articles/pre-sales- policies/security-abuse/what-security-measures- are-used-to-protect-my-server • Things to look for include: • Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo) • PHP files located in image folders
Lets Play….and Learn - OWASP • The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. • OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
Thank You for your time – prabhu9484@gmail.com Sources – Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org

More Related Content

Web Application Security

  • 3. Coming for ya !...vulnerabilities and attacks • Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create. • SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). • Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
  • 4. Heartbleed….not heartache ! • Heartbleed is a security bug in the open- source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. • Check here: http://filippo.io/Heartbleed • To make sure if the problem actually exists: Run cmd $ openssl version -a • "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1" • 2. Not sure what version of OS you are on, and whether patch exists, but you can build openssl: https://www.openssl.org/source/openssl- 1.0.1g.tar.gz
  • 5. CAPTCHA my comments… else… (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge- response test used in computing to determine whether or not the user is human.
  • 6. Gotcha…now what ? Top Reasons for web-application level attacks: • Low Quality application code – not following security standards • File Permissions incorrectly set – securest – 655 • DB Admin, Cpanel, FTP passwords are weak Regular DB – Files backup policy should be in place from the start • http://httpd.apache.org/docs/2.4/misc/security_tip s.html - var/log/apache2/error.log Google can detect and inform you of malicious scripts in a website – Google Attack Page • Hacked Account: What to Look For: • http://support.hostgator.com/articles/pre-sales- policies/security-abuse/what-security-measures- are-used-to-protect-my-server • Things to look for include: • Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo) • PHP files located in image folders
  • 7. Lets Play….and Learn - OWASP • The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. • OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
  • 8. Thank You for your time – prabhu9484@gmail.com Sources – Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org