Web Application Security
1 likeâą1,248 views
This document discusses several common web application vulnerabilities and attacks, including denial of service (DoS) attacks, SQL injection, cross-site scripting (XSS), and the Heartbleed bug. It also provides tips on mitigating these risks, such as using strong passwords, regular backups, and following security best practices. Additionally, it introduces the Open Web Application Security Project (OWASP) which works to create freely available security standards, methodologies, and tools to help developers build more secure applications.
![Lets PlayâŠ.and Learn -
OWASP
âą The Open Web Application Security Project
(OWASP) is an open-source web application security
project. The OWASP community includes corporations,
educational organizations, and individuals from
around the world. This community works to create
freely-available articles, methodologies,
documentation, tools, and technologies.
âą OWASP is also an emerging standards body,
with the publication of its first standard in
December 2008, the OWASP Application Security
Verification Standard (ASVS).[1] The primary aim of
the OWASP ASVS Project is to normalize the range of
coverage and level of rigor available in the market
when it comes to performing application-level security
verification. The goal is to create a set of
commercially workable open standards that are
tailored to specific web-based technologies. A Web
Application Edition has been published. A Web Service
Edition is under development.](https://image.slidesharecdn.com/webapplicationsecurity-140422103029-phpapp02/85/Web-Application-Security-7-320.jpg)
Web Application Security
- 1. Web Application Security Prabhu Shiv Singh
- 3. Coming for ya !...vulnerabilities and attacks âą Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create. âą SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). âą Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.
- 4. HeartbleedâŠ.not heartache ! âą Heartbleed is a security bug in the open- source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol. âą Check here: http://filippo.io/Heartbleed âą To make sure if the problem actually exists: Run cmd $ openssl version -a âą "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1" âą 2. Not sure what version of OS you are on, and whether patch exists, but you can build openssl: https://www.openssl.org/source/openssl- 1.0.1g.tar.gz
- 5. CAPTCHA my comments⊠else⊠(an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge- response test used in computing to determine whether or not the user is human.
- 6. GotchaâŠnow what ? Top Reasons for web-application level attacks: âą Low Quality application code â not following security standards âą File Permissions incorrectly set â securest â 655 âą DB Admin, Cpanel, FTP passwords are weak Regular DB â Files backup policy should be in place from the start âą http://httpd.apache.org/docs/2.4/misc/security_tip s.html - var/log/apache2/error.log Google can detect and inform you of malicious scripts in a website â Google Attack Page âą Hacked Account: What to Look For: âą http://support.hostgator.com/articles/pre-sales- policies/security-abuse/what-security-measures- are-used-to-protect-my-server âą Things to look for include: âą Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo) âą PHP files located in image folders
- 7. Lets PlayâŠ.and Learn - OWASP âą The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies. âą OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.
- 8. Thank You for your time â [email protected] Sources â Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org