19-04-2011, 01:03 PM
[attachment=12383]
Introduction To Web Page Security
How the web really works?
What is web page login?
• Un-validated Input
• Who is a “hacker“ and who is a “cracker“?
• Tools used for securing the web page
• Insecure storage
Securing the Web page
• Choosing a good password
• Securing Your Network
What is web page???
• A web page or web service is a software application that is accessible using a web browser or HTTP(s) user agent
• Web page Security is“The securing of web applications”.
What is web site??
• Key terms
• Web page
• Web browser
• HTTP
• URL
web page encryption
• Cookies
• On a typical Web server…
Your host has an open 80/8080 port
Following components are running
OS
web server
main application (e.g., apache)
plugins
servlets
scripts (CGI, Perl, ...)
Common Web Page Security Mistakes
• Trusting Client-Side Data
• Unescaped Special Characters
• HTML Character Filtering
• Lack of re-authenticating
• Hosting of uncontrolled data on a protected domain
How the web really works?
• Un-validated Input
• Attacker can easily change any part of the HTTP request before submitting
– URL
– Cookies
– Form fields
– Hidden fields
– Headers
• Who is a “hacker“ and who is a “cracker“?
The basic difference:
hackers build things,& crackers break them.
Securing the Web page
• Choosing a good password
• Using Tools
Choosing a good password
• Retina checks are currently not possible, so guard your password ;-)
– NEVER give your password to anyone
• Not even your girl(boy-)friend
– Make your password something you can remember
– Make your password difficult for others to guess
– DO NOT change your password because someone told you to(e.g., via e-mail)
• Crackers might crack the following passwords:
– Words in any dictionary, your user name, your name, names of people you know, substituting some characters (a 0 (zero) for an o,or a 1 for an l)
– http://openwalljohn/ (John, passwd cracker)
Password examples
• • The “Bad”
• – admin
• – 9860456564
• – Rahul
• – Konrad4868
• • The “Good”
• – #bdiBuM1a
• – Qa56Fge(/
• – sdFOiKqw”=
Securing Your Network
• Router
• Firewall
• Switch
• Securing Your Host
• operating system
• .NET Framework
Securing Your Application
• Input Validation
• Authentication
• Authorization
• Exception Management
• Auditing and Logging
Cryptography
• Recognization of Secure page
• Check for the "Lock" icon
• Check the web page URL
• Example of secure web page…
Tools used for securing the web page
• eBay Inc
• WebGoat
• VMware
• Nmap (Network Mapper)
• WebScarab
• Mozilla Firefox
Commonly attacked services
• SMTP servers (port 25)
– sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application
RPC servers (port 111 & others)
• NetBIOS shares (ports 135, 139, 445)
– Blaster worm
– Sasser worm
• FTP servers (ports 20, 21)
– wuftpd vulnerabilities
• SSH servers (port 22)
– OpenSSH, PAM vulnerabilities
• Web servers (ports 80, 443)
– Apache chunked encoding vulnerability
