1 ECE 4112 Internetwork Security: Web Application Security 28 April 2005 John Owens Shantan Pesaru

1

ECE 4112 Internetwork Security: Web Application Security

28 April 2005

John Owens

Shantan Pesaru

2

Overview

Define Web Applications Importance of Web Application Security Framework for secure Web Applications Attacks and vulnerabilities on Web

Applications Client/server verification (pros/cons) Secure Programming Tools (SPI Dynamics’ WebInspect, ISS)

3

Web Applications: What are they? An application generally comprised of a

collection of scripts that reside on a web server.

Interact with databases or other sources of dynamic content

Examples include: webmail, online banking, portal systems, etc.

4

Good Programming=Good Security

5

Importance of Web Application Security Web Apps are becoming more prevalent and

more sophisticated Critical to online transactions and information

processing Protecting privacy and following regulation

such as HIPAA and Sarbanes-Oxley

6

Framework for Web Application Security Framework for web developers to develop

secure code Involves identifying and implementing

responses to existent security issues S.W.A.T. (Secure Web Applications through

Testing)

7

Web Application Pitfalls

8

Types of Attacks and Vulnerabilities SQL Injection Attacks Improper input verification Default methods Form processing methods GET & POST / Querystring information “ELSE” programming Educated Guessing

9

Mechanisms of Vulnerability Discovery Server fingerprinting

Determine capabilities Determine technology

Using Error Messages IE – disable friendly error messages Deliberate access of wrong pages

Observing behavior in the presence of unexpected variables

10

Mechanisms of Vulnerability Protection Brute force lockouts Re-authenticate when necessary Encrypt databases (prevent download) Strong file/directory naming convention Session-based authentication and access Validate all input no matter how trivial TEST, TEST, TEST Don’t rely solely on the client Never pass in headers/auto-fill critical info

11

Client/Server Side Validation Scripts Pros

Immediate response Give server a break High user interaction

Cons Easily bypassed Puts security in user’s hands No database connectivity to verify authentication

data SOLUTION = Client + Server Redundancy

12

What you will do in the lab

Exploit vulnerabilities in a realistic web application to: Get accepted to Georgia Tech Register for classes before timeticket Get tuition paid for free and a check back Change your grades to something “more

appealing”

13

What you will do in the lab

14

What you will do in the lab

15

What you will do in the lab

16

What you will do in the lab

17

What you will do in the lab

18

What you will do in the lab

19

What you will do in the lab

20

QUESTIONS?