Web application
- 2. Web Application HTTP(s) agent Web Application Application Server Web Server Application Server Web Application Database Server Web Application
- 4. Firewall, Load Balancer, Reverse Proxy Server, Cache System web client database sever Layer HTTP Client / User Cross-Site Scripting Spoofing Javascript Injection Browser
- 5. Layer Transport Layer HTTP(s) Passive Monitoring) Man-in- the-Middle Attack) Session (Session Hijack) Firewall SSL Session Web Server Buffer Overflow Format String Directory Traversal Default Accounts Default Applications
- 6. Layer Web Applications Meracharacters Null Characters Buffer Overflow Firewall Internet Network Firewall Database Direct SQL Commands SQL Injection Query Restricted Database Database Exploit
- 7. MS IIS
- 8. Hidden Field Manipulation Cookie Poisoning Backdoors and debug options Application buffer overflows Stealth commanding 3rd party misconfigurations Known vulnerabilities Parameter tempering
- 9. Cross site scripting Forceful browsing Hacking over SSL Sourcecode Disclosure Web Server Architecture Attack SQL Injection Java Script Injection
- 10. Hidden Field hidden field hidden field View Source) Tag HIDDEN Application
- 11. 2 Hidden Field
- 12. Cookie Poisoning Cookie Session cookie Session ID cookie
- 13. Back Door & Bebug Options Developing Environment debug Debug Debug Debug back door
- 14. disable debug mode back door
- 15. Application Bugger Overflow Buffer Overflow text box
- 16. Stealth Commanding SQL Command Command SQL Command
- 17. 3th Party Misconfiguration Default password
- 18. Know Vulnerabilities Microsoft IIS Patch patch) patch patch
- 19. Microsoft IIS
- 21. Cross Site Script cross site script script script sends an email javascript
- 22. 3 Cross Site Script
- 23. Forceful Browsing Default file
- 24. Hacking Over SSL SSL content SSL SSL
- 25. Source Code Disclosures Source Code Disclosure configuration file Source Code Disclosures WebLogic / WebSpere JSP JHTML jsp” URL
- 26. Source Code Disclosures Microsoft IIS HTR” ASA ASP URL http://10.0.0.1/global.asa+.htr URL htr ISM.DLL URL ISM.DLL Microsoft IIS showcode.asp showcode.asp bundled IIS Windows NT Option Pack 4.0 URL
- 27. Web Server Architecture Attack bypass built-in procedure
- 28. handler html handler html cgi handler cgi default handler handler default handler cgi html jsp handler html java compiler java run-time handler forcing Sun Java Web Server URL
- 29. http://10.0.0.2/servlet/com.sun.server.http.pagecompile.j sp.runtime.JspServlet/path/to/file.html servlet path /servlet/ PageCompile handler (Servlet) handle path handle java run-time root
- 30. SQL Poisoning & Injections sql statement sql statement DBMS SQL Query) sql statement database Dim sql_con , result, sql_qry Const CONNECT_STRING = “Provider=SQLOLEDB;SERVER=WEB_DB;UID=sa; PWD=xyzzy” sql_qry = “SELECT * FROM PRODUCT WHERE ID =”
- 31. Set objCon = Server.CreateObject(“ADODB.Connection”) ObjCon.Open CONNECT_STRING Set objRS – objCon.Execute(strSQL); http://10.0.0.3/showtable.asp?ID=3+OR+1=1
- 32. Query Statement SELECT * FROM PRODUCT WHERE ID=3OR 1=1 PRODUCT http://10.0.0.3/showtable.asp?ID=3%01DROP+TABLE+PR ODUCT SELECT * FROM PRODUCT WHERE ID=3 DROP TABLE PRODUCT SQL statement
- 33. http://10.0.0.3/showtable.asp?ID=3%01EXEC+master..xp_ cmdshell+’copy+winntsystem32cmd.ex e+inetpubscripts’ Copy winntsystem32winntcmd.exe inetpubscripts SQL Injection Inject Backdoor Inject
- 34. Java Script Injection Javascript Injection Javascript Java Script Injection Session Hidden Field Session Invalid Javascript HTML Javascript Cookies javascript:alert(document.cookie)
- 35. System Scanner and Security Infrastructure Software Secure Coding
- 36. System Scanner and Securiry Infrastructure Software System Scanner permission Scanner Whisker , Nikto , Stealth , Twwwscan AppScan
- 37. reject AppShield
- 38. Secure Coding input & output validation SSL HTML forms
- 39. Input & Output validation NEVER TRUST CLIENT SIDE DATA) Client Side Script JavaScript , VBScript , Java Applets , Flash , Active X , CSS XML/XSL script script
- 40. Sanity Checking YES NO drop system call directory traversal NULL character HTML HTML
- 41. HTML tag webmail, message board chat HTML Allow List HTML tag drop HTML tag tag HTML <APPLET> , <BASE> , <BODY> , <EMBED> , <FRAME> , <FRAMESET> , <HTML> , <IFRAME> , <IMG> , <LAYER> , <META> , <OBJECT> , <P> , <SCRIPT> , <STYLE> HTML tag attributes STYLE> , <SRC> , <HREF> , < TYPE> HTML
- 42. SSL HTTP HTTP Plaintext Sniffer HTTP HTTP SSL (Secure Socket Layer) Web Client Web Server SSL transport Client & Server Authentication
- 43. SSL SSL Web Browser Public Key Server Browser Server Server SSL SSL Server Certificate) Public Key)
- 44. HTML forms hidden form element hidden hidden element password element SSL plain text password element method HTTP/GET HTTP/POST MaxSize Attribute (<input MaxSize=”##”>)
- 45. Cookies Cookies Cookie persistent : Cookie non-persistent : Cookie Cookies User Authentication State Management Saving user preference Cookies • Cookies Plaintext
- 46. • restrictive path Cookies • Authentication valid • Cookies • Token ID • Cookies Timeout Cookies • Authentication Business Intranet authentication • Authentication header User-Agent , Accept-Language , Etc.
- 47. HTTP REFERER Header script attack script attack HTTP REFERER header HTTP REFERER
- 48. POST & GET method method GET Proxy Server, Firewall , Web Servers log POST POST method client side script POST method GET
- 49. logout logout Cookies Cookies session session Cookies
- 50. Error Handing Mechanism Error Handling Error Description Error Description Error Desciption Error Desciption Username Password Password
- 51. The End