Web application
Software accessible using a web browser
Multi-tiered (web server, database server, etc.)
First generation = CGI
HTTP
Set of rules
Stateless
HTTP Request + HTTP Response
o Header fields: Server, Host, Length, etc.
o Response codes 200, 403, 404 etc.
o Request
Format
Method URI Protocol/Version
GET http://library.nyp.edu.sg HTTP/1.1
Request Header
Accept-Language: en-us
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Paros/3.2.13
Host: library.nyp.edu.sg
Proxy-Connection: Keep-Alive
Content-length: 0
Entity Body
Methods GET, POST, HEAD, etc
HEAD
o Returns response headers only
o Does not contain a message body, just the status line and headers
o Used to check characteristics of a resource without actually downloading it
GET
o Data sent as name/value pairs appended to the URL
o Query length is limited
o Data is visible in the address bar
http://myhost.com/register.jsp?name=Mike&country=SG
AppSec3
POST
o Data sent as part of the HTTP request entity body
o Can send large amounts of data
o Data sent as an input stream
o Data not shown in the address bar (it is still readable on the wire unless the connection is encrypted)
Response
o Format
Protocol Status-code Description
HTTP/1.1 200 OK
Response Header
Server: Netscape-Enterprise/6.0
Date: Tue, 31 Aug 2010 09:16:29 GMT
Content-length: 406
Content-type: text/html
Etag: "49ff3a46-12-0-196"
Last-modified: Fri, 29 Sep 2006 12:03:23 GMT
Accept-ranges: bytes
Entity Body
<HTML>
<HEAD><TITLE>New Document</TITLE></HEAD>
<BODY>Hello !!</BODY>
</HTML>
Session Management
Client-side identification (session ID) plus server-side storage to maintain state
Used in network communications (often over HTTP) to identify a session
Forms of session ID
o Embedded in the URL
Can be used even when cookies are disabled
Disadvantages:
Others can retrieve it from the browsing history
Logged by intermediary systems
Attacks possible just by modifying the URL and the session ID
When the user surfs to a new site, the URL containing the session ID can be sent to that site via the HTTP Referer field
o Stored within form fields and submitted to the application
Can be used even when cookies are disabled
Not as obvious
Tools are needed to manipulate the values, but they are commonly available
o Cookies
Session Management
Session ID
o Random and unpredictable
o Sufficient length so that brute force guess is not feasible
Secure transmission
o Use encryption when sending session information
Length of Session Validity
o Client cancellation, session time-out and server-side revocation
Session Verification
o Ensure correct session ID length, no unexpected information
Re-authenticate all significant system actions and re-issue new tokens
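An added example (not from the slides) of a server-side session store that applies the points above: the ID comes from the OS CSPRNG with 256 bits of entropy, it is checked for exact length and character set before any lookup, idle sessions are revoked server-side, and a fresh token is issued on significant actions. Class and method names are my own.

```python
import re
import secrets
import time

# IDs are 32 CSPRNG bytes as URL-safe base64: always 43 chars, no padding.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9_-]{43}")
IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before server-side revocation


class SessionStore:
    """Server-side session store; the client only ever holds the opaque ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so time-outs can be tested
        self._sessions = {}      # session ID -> {"user": ..., "last_seen": ...}

    def create(self, user):
        # Random and unpredictable: 256 bits from the OS CSPRNG, so brute-force
        # guessing of a valid ID is not feasible.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def verify(self, sid):
        """Return the owning user, or None if the ID is malformed, unknown or expired."""
        # Session verification: exact length and character set, nothing unexpected,
        # checked before the value is used for any lookup.
        if not isinstance(sid, str) or SESSION_ID_RE.fullmatch(sid) is None:
            return None
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]   # session time-out => server-side revocation
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, sid):
        """Re-issue a new token after a significant action (login, password change)."""
        user = self.verify(sid)
        if user is None:
            return None
        del self._sessions[sid]       # the old ID must stop working immediately
        return self.create(user)

    def revoke(self, sid):
        """Client cancellation (logout) or administrative revocation."""
        return self._sessions.pop(sid, None) is not None
```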
Entry Point
URL
Web Application threats (grouped by category)
Input Validation
o Buffer overflow
o Cross-site scripting
o SQL injection
o Canonicalization
Authentication
o Network eavesdropping
o Brute force attacks
o Dictionary attacks
o Cookie replay
o Credential theft
Authorization
o Elevation of privilege
o Disclosure of confidential data
o Data tampering
o Luring attacks
Configuration management
o Unauthorized access to administration interfaces
o Unauthorized access to configuration stores
o Retrieval of clear text configuration data
o Lack of individual accountability
o Over-privileged process and service accounts
Sensitive data
o Access to sensitive data in storage
o Network eavesdropping
o Data tampering
Session management
o Session hijacking
o Session replay
o Man in the middle
Cryptography
o Poor key generation or key management
o Weak or custom encryption
Parameter manipulation
o Query string manipulation
o Form field manipulation
o Cookie manipulation
o HTTP header manipulation
Auditing and logging
o User denies performing an operation
o Attacker exploits an application without trace
o Attacker covers his tracks
Exception management
o Information disclosure
o Denial of service
Tools
Sniffing
o Wireshark
o Ngrep
Browser plugins
o Firefox
LiveHttpHeaders
Allows users to view the HTTP request and response headers of a page while browsing
Able to edit request headers and replay a URL
TamperData
Shows all headers of the traffic
Able to tamper with data and values
Firebug
Good for assessment and web development
Edit and inspect HTML, debug JavaScript
o IE
Fiddler
HTTP debugging proxy written in C#
Inspect and modify traffic
Logs all HTTP traffic between the computer and the Internet