Web Security

Top 10 Web Security Vulnerabilities
  • SQL Injection
  • Cross Site Scripting
  • Malicious file execution.
  • Insecure Direct Object Reference
  • Cross Site Request Forgery
  • Information Leakage and Improper Error Handling
  •  Broken Authentication and Session Management
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Failure to Restrict URL
Cross Site Scripting

Reflective XSS
  • Attacker directly sends malicious code to the user.
Persistent XSS
  • Web application fails to sanitize user Input and reflects malicious code.
Types of Code Scans
  • DAST Scan
    • Dynamic Application Security Testing
    • Also called as Black Box Testing
  • SCABBA
    • Grey Box Testing
    • Blue Team Assessment.
  • SAST Scan
    • Static Analysis,Static Application Security Testing
    • Also called as White Box Testing

 SQL Injection Testing Methodology
  1. Input Validation
  2. Info Gathering
    1. Check for Attacks
    2. Extracting Data related to attacks
    3. Check for Source Interaction
    4. Check Source Command Prompts
    5. Expand the influence.
SQL Injection Defense
  • Input Validation
  • Making Best Practices consistent through all your code
  • Even if you have Air Tight Design harden your services
Ways to secure a Web Application
  • The environment in which the web application executes is made secure.
    •  This is also called as System Hardening
  • HTTP exchanges between browser and server take place within the SSL/TLS protocol.
    • Combined use of both of these protocols is called as HTTPS
    • Communication between browser and server is done by exchanging messages.
      • Browser initiates the exchange by sending an HTTP request message.
      • Server responds by returning an HTTP response message.
    • Separate messages are tied together with the use of a session identifier, which is normally accomplished by use of HTTP cookies.
      • The server sends the first response with a Set-Cookie header in its HTTP response message that contains a session identifier.
      • In subsequent requests the browser returns the session identifier with an HTTP-Cookie header.  
  • Users identify themselves to the application by submitting a username and password.The Server identifies itself to connecting browsers with the use of the public key Infrastructure(PKI).
    • These two procedures are referred to as user authentication and server authentication respectively.
  • Authorization to access the web application resources - identified by the resource component of url - is enforced according to the security policy.
  • Data submitted into the web application from connecting clients is validated before being accepted.
Questions to Answer
What is Cross Site Scripting(XSS)?
What is the impact of Cross Site Scripting?
Is your code vulnerable to Cross Site Scripting?
How to prevent Cross Site Scripting

No comments:

Post a Comment

Subscribe to: Posts (Atom)

Recursion

Q What do you understand by a Recursive  Programme? Recursion Is the process of repeating items in a self similar way. In programming langua...

  • Prefer Composition Over Inheritance
    Inheritanceis tightly coupled. Inheritance is basically used for polymorphism which can be done in other ways to. Generally over a time we d...
  • Microservices
    How can we secure our micro-services? Application security User security Spring access controls Framework security Interaction with downstre...
  • IoT
    Q What is the difference between wireless sensor networks and IOT networks? Ans :  IoT exists at a higher level then WSN. In other words,...