Web Application Hardening

Author: Aldous Carter
Web Application Hardening Jan Peter Alexander Rajagukguk Rudi Airlangga

Disclaimer: This slideshow contains copyrighted material and is provided for internal Universitas Indonesia security training only. Please don't share this slide. For internal use only.

Securing Web Applications
● Prevent Input Validation Attacks
● Protect Systems from Buffer Overflow Attacks
● Implement Server Security Mechanisms
● Protect Systems from Scripting Attacks
● Implement Secure Cookies
● Harden a Web Browser

INPUT VALIDATION

Input Validation Attack

Expected format: mm/dd/yyyy
Delivered value: 01/01/2009:DELETE table 'Users'
Delivered format: mm/dd/yyyy followed by malicious code (the appended command is illustrative, not exact SQL syntax)

The application must compare every delivered value against the expected format before using it:
● Value matches the expected format: data valid, proceed.
● Value does not match (as here, because of the trailing payload): data invalid, rejected.
Without this check the whole string, payload included, is passed on to the back end.

More at: https://www.owasp.org/

Input Validation Attack Types

GET parameters:
http://www.example.org/index.php?page=<script>alert("injection");</script>
URL-encoded on the wire: page=%3Cscript%3Ealert%28%22injection%22%29;%3C%2Fscript%3E

POST data (Web 2.0 scripts):
<script>alert('injection');</script>

Cookies:
GET /index.php HTTP/1.1
Host: www.example.com
Cookie: id=<script>alert('injection');</script>

HTTP headers:
GET /index.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0"><script>alert('injection');</script>
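The following is an added example, not code from the slides, showing allowlist input validation applied to all four vectors listed above (GET parameters, POST data, cookies, HTTP headers). The date rule (mm/dd/yyyy) comes from the slide; the page-name, cookie-id and User-Agent rules are assumptions chosen for illustration, and the request values are constructed from the slide's payloads. Values are URL-decoded exactly once before validation, and every pattern is matched with fullmatch so a trailing payload cannot ride along after a well-formed prefix.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Allowlist patterns. Each is applied with fullmatch, so the entire value must
# conform; "01/01/2009:DELETE table 'Users'" fails because of the tail.
DATE_RE = re.compile(r"(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/\d{4}")   # slide's mm/dd/yyyy
PAGE_RE = re.compile(r"[a-z0-9_-]{1,32}")   # assumed rule: page names are short slugs
ID_RE = re.compile(r"\d{1,18}")              # assumed rule: session id is numeric
UA_RE = re.compile(r"[\x20-\x7e]{1,256}")    # assumed rule: printable ASCII only


def validate_date(value: str) -> bool:
    """True only for a real calendar date written exactly as mm/dd/yyyy."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        datetime.strptime(value, "%m/%d/%Y")   # rejects 02/30/2009 and similar
    except ValueError:
        return False
    return True


def validate_page(value: str) -> bool:
    return PAGE_RE.fullmatch(value) is not None


def validate_id(value: str) -> bool:
    return ID_RE.fullmatch(value) is not None


def validate_user_agent(value: str) -> bool:
    # Printable ASCII, and none of the characters needed to break out of an
    # HTML attribute or open a tag (the slide's header payload uses both).
    return UA_RE.fullmatch(value) is not None and re.search(r"[<>\"']", value) is None


def reject(_value: str) -> bool:
    """Default for any field not on the allowlist: never trusted."""
    return False


VALIDATORS = {
    "page": validate_page,
    "date": validate_date,
    "id": validate_id,
    "User-Agent": validate_user_agent,
}


def validate_request(query: dict, body: dict, cookies: dict, headers: dict) -> dict:
    """Return {source field: ok} for every untrusted value in the request.

    Query-string values arrive percent-encoded and are decoded once before
    validation; validating the encoded form would let %3Cscript%3E through.
    """
    results = {}
    for name, raw in query.items():
        results[f"GET {name}"] = VALIDATORS.get(name, reject)(unquote(raw))
    for name, raw in body.items():
        results[f"POST {name}"] = VALIDATORS.get(name, reject)(raw)
    for name, raw in cookies.items():
        results[f"Cookie {name}"] = VALIDATORS.get(name, reject)(raw)
    for name, raw in headers.items():
        results[f"Header {name}"] = VALIDATORS.get(name, reject)(raw)
    return results


# Constructed request modelled on the slide's payloads (not captured traffic).
MALICIOUS_REQUEST = dict(
    query={"page": "%3Cscript%3Ealert%28%22injection%22%29;%3C%2Fscript%3E"},
    body={"date": "01/01/2009:DELETE table 'Users'"},
    cookies={"id": "<script>alert('injection');</script>"},
    headers={"User-Agent": "Mozilla/5.0\"><script>alert('injection');</script>"},
)

# Constructed benign request with the same fields.
BENIGN_REQUEST = dict(
    query={"page": "index"},
    body={"date": "01/01/2009"},
    cookies={"id": "4821"},
    headers={"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
)

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        for field, ok in validate_request(**req).items():
            print(f"{label:9} {field:18} {'valid, proceed' if ok else 'invalid, rejected'}")
```

The design point is that each field gets its own positive rule (what a value may look like) rather than a blocklist of known-bad strings, and that unknown fields are rejected by default; adding a new input to the application means adding a validator for it.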