Network Security
  Firewalls
  Intrusion Detection Systems (IDS)
  Access Controls on network devices
  Vulnerability Scanners
Host Security
  Authentication and Logging Mechanisms
  Host-based IDS
  File Integrity Checkers
What about Web Applications?
Conventional Security (contd)
[Diagram: network security controls. A firewall sits in front of the Web Server and the Database Server; protocols shown at the perimeter: TELNET, NetBIOS, HTTP(S), FTP, RPC.]
Are Web Applications Vulnerable?
[Diagram: application lifecycle stages Design, Coding, Testing/QA, Deployment]
Time-to-Market/Deploy: bringing new applications to market / deploying them quickly
Complexity is Growing: increasing application lifecycle complexity
Increasing Business Demand: more inclination towards getting the job done (functionality vs. security)
Lack of security awareness
Wearing the White Hat: Our Experiences
http://www.mybank.com/example?accountnumber=12345&debitamount=1
URL Manipulation - Solution
Expected:
username: abc
password: test123
The unexpected:
username: abc'; --
password:
Expected:
Username: doug
Password: p@$$w0rd
SELECT COUNT(*)
FROM Users
WHERE username='doug' and password='p@$$w0rd'
The unexpected:
Username: ' OR 1=1 --
Password:
SELECT COUNT(*)
FROM Users
WHERE username='' OR 1=1 -- and password=''
SQL Injection
[Diagram: Target Site at http://target.site/login.jsp; the expected login request from a user versus the unexpected one from a malicious user; result shown: Login Successful]
SQL Injection - Solution
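As an added example (not from the original slides), the slides' string-built login query next to a parameterized version, both run against a small in-memory SQLite Users table constructed here; the only row is the doug / p@$$w0rd pair from the slides.

```python
# Added example, not the slides' own code: the concatenated login query
# from the slides beside a parameterized one, run against an in-memory
# SQLite table built here with constructed sample data.
import sqlite3

# Constructed sample data: the single user shown in the slides.
SAMPLE_USERS = [("doug", "p@$$w0rd")]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory Users table holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The slides' query, assembled by string concatenation.

    The input is pasted into the SQL text, so a username of "' OR 1=1 --"
    closes the quote, adds an always-true clause and comments out the
    password check; COUNT(*) is then non-zero for any password.
    """
    sql = ("SELECT COUNT(*) FROM Users "
           f"WHERE username='{username}' and password='{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username: str, password: str) -> bool:
    """Same query with bound parameters: the driver passes the values
    separately from the SQL text, so they are compared as data and never
    parsed as SQL. This is the fix for the injection in the slides."""
    sql = "SELECT COUNT(*) FROM Users WHERE username=? and password=?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "doug", "p@$$w0rd"))     # True  (expected)
    print(login_vulnerable(db, "' OR 1=1 --", ""))       # True  (the unexpected)
    print(login_parameterized(db, "doug", "p@$$w0rd"))   # True
    print(login_parameterized(db, "' OR 1=1 --", ""))    # False
```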
Incorrect Login
Invalid Username / Invalid Password
Username not found in database
Server: Error executing Database query: user_id returned empty rows
Error executing Database query
[Macromedia][SQL Server JDBC Driver][SQL Server]: no rows returned for following query:
select * from user_table where user_id=#UserID# and password=#Password#
Error Messages: Enumerate Databases
Error Messages: Damage Potential
  Shut down the database
  Delete all tables
  Execute system commands on the database server
  Give access to a command shell on the server
  Modify the Windows registry
  Start or stop system services
Error Messages: The Solution
Browser
Firewall
Web server
Web host
Application Server
Middleware
Database
Data Center
Internal Network
People
Management
Typical Internet Application Infrastructure
[Diagram of a typical Internet application infrastructure: Internet; load-balanced firewalls with Network IDS; DMZ1 and DMZ2; SSL accelerator; load balancing device; content accelerator; proxy server; web server with host-based IDS; middleware server; PayWay server; central customer database; transaction switch; ATM switch to ATMs and branch offices; domain controller; reporting server; local LAN firewall]
The Security Implications
[Diagram: security implications across the Web, Application Server and DB Server tiers: Denial of Service, Secure Configuration, Input Validation, Protecting Sensitive Data, Authenticating Users, Authorizing Users, Auditing and Logging, Preventing Parameter Manipulation]
Securing 3-Tiered Enterprise Web Applications: Defence in Depth
[Diagram: Firewall, Apps, Apps, Database, Firewall]
D P Dube
Durga.dube@ril.com