Web Application Security
- 3. Coming for ya!…vulnerabilities and attacks
• Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.
• SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
- 4. Heartbleed…not heartache!
• Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol.
• Check here: http://filippo.io/Heartbleed
• To check whether the problem actually exists on your own server, run:
$ openssl version -a
• "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1"
• If you are not sure which OS version you are on, or whether a patch exists for it, you can build OpenSSL yourself from the fixed release:
https://www.openssl.org/source/openssl-1.0.1g.tar.gz
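As an added example (not from the slides), here is a small POSIX shell helper that automates the check above: it pulls the version token out of `openssl version` output and compares it with the affected versions the slide lists. The function names are my own, and the banner lines in the comments are constructed samples.

```shell
#!/bin/sh
# Versions the slide lists as affected by Heartbleed; 1.0.1g is the fixed release.
HEARTBLEED_VERSIONS="1.0.1 1.0.1a 1.0.1b 1.0.1c 1.0.1d 1.0.1e 1.0.1f 1.0.2-beta1"

# Pull the version token out of a banner such as "OpenSSL 1.0.1e 11 Feb 2013".
# A "-fips" suffix (seen on RHEL-style builds, e.g. "OpenSSL 1.0.1e-fips ...")
# is dropped so the underlying version still matches the list.
openssl_version_token() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { sub(/-fips$/, "", $2); print $2 }'
}

# Exit status 0 when the version is on the affected list, 1 otherwise.
heartbleed_listed() {
    for bad in $HEARTBLEED_VERSIONS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# Classify one `openssl version` line: prints listed, not-listed or unparsed.
classify_openssl_line() {
    tok=$(openssl_version_token "$1")
    if [ -z "$tok" ]; then
        printf 'unparsed\n'
    elif heartbleed_listed "$tok"; then
        printf 'listed\n'
    else
        printf 'not-listed\n'
    fi
}

# Usage: sh heartbleed_check.sh --host   (checks the OpenSSL on this machine)
if [ "${1:-}" = "--host" ]; then
    classify_openssl_line "$(openssl version 2>/dev/null)"
fi
```

Distribution packages often backport the fix while keeping a listed version string (1.0.1e is the usual case), so treat "listed" as a prompt to check the package changelog and the build date shown by `openssl version -a`, not as proof of exposure.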
- 5. CAPTCHA my comments…else…
• CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human.
- 6. Gotcha…now what?
Top reasons for web-application-level attacks:
• Low-quality application code – not following security standards
• File permissions incorrectly set – most secure setting – 655
• DB admin, cPanel, FTP passwords are weak
• A regular DB and file backup policy should be in place from the start
• http://httpd.apache.org/docs/2.4/misc/security_tips.html
• /var/log/apache2/error.log
• Google can detect and inform you of malicious scripts in a website – Google Attack Page
• Hacked account: what to look for:
• http://support.hostgator.com/articles/pre-sales-policies/security-abuse/what-security-measures-are-used-to-protect-my-server
• Things to look for include:
• Strangely named files or directories (e.g. xf8c3l.php or /home/username/public_html/wellsfargo)
• PHP files located in image folders
- 7. Let's Play…and Learn - OWASP
• The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.
• OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
- 8. Thank you for your time – prabhu9484@gmail.com
Sources – Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org