GUIDE

WEB APPLICATION SECURITY
How to Minimize the Risk of Attacks


Table of Contents

  I.   Summary                                       2
  II.  Overview of Web Application Scanning          2
  III. Types of Web Application Vulnerabilities      3
  IV.  Detecting Web Application Vulnerabilities     4
  V.   Introducing QualysGuard® WAS 2.0              5
  VI.  Protect Your Web Applications                 7
  VII. About Qualys                                  7
Guide: Web Application Security; How to Minimize the Risk of Attacks                                                    page 2




Summary
Vulnerabilities in web applications are now the largest source of enterprise security attacks. Web application vulnerabilities
accounted for over 55% of all vulnerabilities disclosed in 2010, according to an IBM X-Force study. That may be the tip
of the iceberg, as the study includes only commercial web applications.1 Stories about compromised sensitive data
frequently mention culprits such as “cross-site scripting,” “SQL injection,” and “buffer overflow.” Vulnerabilities like these
often fall outside the traditional expertise of network security managers. The relative obscurity of web application
vulnerabilities thus makes them useful for attacks. As many organizations have discovered, these attacks will evade
traditional enterprise network defenses unless you take new precautions.


To help you understand how to minimize these risks, Qualys provides this guide as a primer to web application security.
The guide surveys typical web application vulnerabilities, compares options for detection, and introduces the
QualysGuard Web Application Scanning solution – an on demand service from Qualys that automates detection of the
most prevalent vulnerabilities in custom web applications.


Overview of Web Application Security
Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the
mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application’s syntax and
semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit
by automatically varying a Uniform Resource Identifier (URI) link, which in turn could trigger an exploit such as SQL
injection or cross-site scripting.



        http://example/foo.cgi?a=1
        http://example/foo.cgi?a=1'                        Example of SQL Injection
        http://example/foo.cgi?a=<script>…                 Example of Cross-site Scripting (XSS)

        Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI.

        http://example/foo.cgi?admin=false
        http://example/foo.cgi?admin=true                  Example of increasing privileges




A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these
vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; these
require manual inspection, namely web application source code analysis and security testing. Web application security
vulnerabilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or
custom application code. Vulnerabilities may be in code libraries and design patterns of popular programming languages
such as Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different
circumstances. Using a web application firewall might control the effects of some exploits but will not resolve the
underlying vulnerabilities.
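The three URI variations listed above, each handled first by a request handler that trusts its parameters and then by one that does not. This is an added example written for this edition, not code from the guide or from Qualys; the `items` table, the `a` and `admin` parameters and the session dict are constructed for it.

```python
"""Added example (not from the Qualys guide): the URI variations a=1', a=<script>...
and admin=true against a handler that trusts its parameters and against a hardened one.

Constructed for this example: an in-memory SQLite table `items`, request parameters
taken from the query string, and a server-side session dict carrying the user's role.
"""
import html
import sqlite3
from urllib.parse import parse_qsl, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return db


def params_from_uri(uri: str) -> dict:
    """Query parameters of a URI such as http://example/foo.cgi?a=1 (last value wins)."""
    return dict(parse_qsl(urlsplit(uri).query, keep_blank_values=True))


def vulnerable_handler(db: sqlite3.Connection, params: dict, session: dict) -> str:
    """Fault injection succeeds here: the parameter reaches SQL syntax, HTML syntax
    and the authorization decision unchanged."""
    a = params.get("a", "")
    body = f"<p>Results for {a}:</p>"            # reflected unencoded: a=<script>... becomes markup
    try:
        # String-built SQL: a=1' breaks the statement's syntax instead of being data
        rows = db.execute(f"SELECT name FROM items WHERE id = {a}").fetchall()
        body += "".join(f"<li>{name}</li>" for (name,) in rows)
    except sqlite3.OperationalError as err:
        body += f"<p>Database error: {err}</p>"  # verbose error: the Information Leakage class above
    if params.get("admin") == "true":            # client-controlled privilege flag
        body += "<p>admin panel</p>"
    return body


def hardened_handler(db: sqlite3.Connection, params: dict, session: dict) -> str:
    """Same behaviour for well-formed input; the three variations are inert."""
    a = params.get("a", "")
    # Output encoding: whatever is echoed cannot become markup.
    body = f"<p>Results for {html.escape(a)}:</p>"
    # Bound parameter: the value is data, never SQL syntax, so a=1' simply matches nothing
    # (SQLite applies the INTEGER column's affinity to the bound text when comparing).
    rows = db.execute("SELECT name FROM items WHERE id = ?", (a,)).fetchall()
    body += "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    # Authorization comes from server-side session state, never from the URI.
    if session.get("role") == "admin":
        body += "<p>admin panel</p>"
    return body
```

The verbose database error the vulnerable handler returns is exactly the kind of response difference a scanner keys on; the hardened handler answers the same probe with an ordinary empty result.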




1. IBM ISS X-Force 2010 Mid-year Trend & Risk Report




Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing
may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project
(www.owasp.org), the OWASP Top 10. Other efforts to systematically organize web application vulnerabilities include
more than 30 granular threat classifications published by the Web Application Security Consortium (www.webappsec.org).
The following descriptions of web vulnerabilities are modeled on a WASC schema.

    “The number of new vulnerability disclosures in the first half of the year is at the highest level ever recorded.
    This is in stark contrast to the 2009 mid-year report when new vulnerability disclosures were at the lowest level
    in the previous four years. Web application vulnerabilities—particularly cross-site scripting and SQL injection—
    continue to dominate the threat landscape.”
    IBM X-Force® 2010 Mid-year Trend & Risk Report

Authentication – stealing user account identities
    •   Brute Force attack automates a process of trial and error to guess a person’s username, password,
        credit-card number or cryptographic key.
    •   Insufficient Authentication permits an attacker to access sensitive content or functionality without
        proper authentication.
    •   Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another
        user’s password.

Authorization – illegal access to applications
    •   Credential / Session Prediction is a method of hijacking or impersonating a user.
    •   Insufficient Authorization permits access to sensitive content or functionality that should require more
        access control restrictions.
    •   Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for
        authorization.
    •   Session Fixation attacks force a user’s session ID to an explicit value.

Client-side Attacks – illegal execution of foreign code
    •   Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate
        and not from an external source.
    •   Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into
        a user’s browser.

Command Execution – hijacks control of web application
    •   Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
    •   Format String Attack alters the flow of an application by using string formatting library features to
        access other memory space.
    •   LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
    •   OS Commanding executes operating system commands on a web site by manipulating application input.




    •   SQL Injection constructs illegal SQL statements on a web site application from user-supplied input.
    •   SSI Injection (also called Server-side Include) sends code into a web application, which is later executed
        locally by the web server.
    •   XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers
    •   Directory Indexing is an automatic directory listing / indexing web server function that shows all files in
        a requested directory if the normal base file is not present.
    •   Information Leakage occurs when a web site reveals sensitive data such as developer comments or error
        messages, which may aid an attacker in exploiting the system.
    •   Path Traversal forces access to files, directories and commands that potentially reside outside the web
        document root directory.
    •   Predictable Resource Location uncovers hidden web site content and functionality.

Logical Attacks – interfere with application usage
    •   Abuse of Functionality uses a web site’s own features and functionality to consume, defraud, or circumvent
        access control mechanisms.
    •   Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
    •   Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only
        be performed manually.
    •   Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an
        application.

    “Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for
    major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals.
    The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn’t limit
    itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning
    multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and
    providing reports customized for local requirements.”
    Securosis.com, Building a Web Application Security Program Whitepaper



Detecting Web Application Vulnerabilities
There is no “silver bullet” to detecting web application vulnerabilities. The
strategy for their detection is identical to the multi-layer approach used for
security on a network. Detection and remediation of some vulnerabilities
requires source code analysis, particularly for complex enterprise-scale web
applications. Detection of other vulnerabilities may also require on-site
penetration testing. As mentioned earlier, the most prevalent web application
vulnerabilities can also be detected with an automated scanner. An automated
web application vulnerability scanner both supplements and complements
manual forms of testing. It provides four key benefits:

    •   Lower total cost of operations by automating repeatable testing processes




    •   Close security loopholes by discovering and identifying rogue web applications
    •   Understand the security risks for your most public and accessible IT assets
    •   Drive secured coding practices for custom application development


A scanner does not have access to a web application’s source code, so the only way it can detect vulnerabilities is by
performing likely attacks on the target application. Time required for scanning varies, but doing a broad simulated attack
on an application takes significantly longer than doing a network vulnerability scan against a single IP. A major requirement
for a web application vulnerability scanner is comprehensive coverage of the target application’s functionality. Incomplete
coverage will cause the scanner to overlook existing vulnerabilities.
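A scanner finds these flaws by sending the kinds of URI variations shown in the Overview; the same variations are what a defender should recognise in the application's own access logs. Added example, not from the guide or from Qualys: it parses constructed combined-format log lines and flags the guide's three probe patterns under a hypothetical per-application parameter policy.

```python
"""Added example (not from the Qualys guide): flag the Overview's URI variations
(a=1', a=<script>..., admin=false -> admin=true) in web server access logs.

Constructed for this example: combined-format log lines and a hypothetical policy
naming which parameters are numeric and which are privilege flags that a client
must never set for itself.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2011:10:00:01 +0000] "GET /foo.cgi?a=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Feb/2011:10:00:02 +0000] "GET /foo.cgi?a=1%27 HTTP/1.1" 500 233 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Feb/2011:10:00:03 +0000] "GET /foo.cgi?a=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2011:10:00:04 +0000] "GET /foo.cgi?admin=false HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Feb/2011:10:00:05 +0000] "GET /foo.cgi?admin=true HTTP/1.1" 200 901 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Feb/2011:10:00:06 +0000] "GET /foo.cgi?a=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Hypothetical per-application policy (assumption, not from the guide).
NUMERIC_PARAMS = {"a"}
PRIVILEGE_PARAMS = {"admin"}
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)


def parse_line(line: str):
    """Split a combined-format line into client, path, decoded parameters and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    # parse_qsl percent-decodes once, so a=1%27 becomes ("a", "1'").
    params = parse_qsl(target.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": target.path,
            "params": params, "status": int(m.group("status"))}


def classify(name: str, value: str):
    """Syntax-level probes: script markup anywhere, quotes where only digits belong."""
    if SCRIPT_RE.search(value):
        return "xss probe"
    if name in NUMERIC_PARAMS and not value.isdigit():
        return "sql-injection probe" if ("'" in value or '"' in value) else "type violation"
    return None


def find_probes(log_text: str):
    """Return (line number, client, parameter, kind, status) for each suspicious request.
    Privilege flags are judged by behaviour: the same client re-sending the same path
    with the flag flipped is the workflow tampering the Overview describes."""
    findings = []
    last_flag = defaultdict(dict)  # (ip, path) -> {param: last value seen}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            kind = classify(name, value)
            if kind:
                findings.append((lineno, rec["ip"], name, kind, rec["status"]))
            if name in PRIVILEGE_PARAMS:
                key = (rec["ip"], rec["path"])
                prev = last_flag[key].get(name)
                if prev is not None and prev != value:
                    findings.append((lineno, rec["ip"], name, "privilege parameter tampering", rec["status"]))
                last_flag[key][name] = value
    return findings
```

The 500 status recorded against the quote probe is the verbose-error signal that both a scanner and an attacker read as confirmation, so a numeric parameter answering a quote with a 5xx deserves the highest priority in the findings.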


Introducing QualysGuard® WAS 2.0
The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard
security and compliance Security-as-a-Service (SaaS) suite. Use of the QualysGuard WAS presumes no specialized
knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate
vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic
content. The broad scope of coverage focuses tests on Web application security.




Figure 1: The QualysGuard WAS 2.0 Dashboard
Figure 2: Scan Management view within QualysGuard WAS 2.0




Key Benefits
QualysGuard WAS helps organizations catalog web applications within their enterprise and get an inventory of their
applications – no matter where they reside. Then, QualysGuard WAS automates repeatable techniques used to identify
the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting in web applications. It combines
pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The QualysGuard WAS
service identifies and profiles login forms, session state, error pages, and other customized features of the target
application – even if it extends across multiple web sites. This site profile data helps QualysGuard WAS to adapt to
changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web
applications that may carry little information about error pages or other behavior. As a result, QualysGuard WAS
delivers accurate detection and reduces false positives. The automated nature of QualysGuard WAS enables regular
testing that produces consistent results and easily scales for large numbers of web sites.


Feature Highlights
QualysGuard WAS offers comprehensive capabilities to assess, track, and report web application vulnerabilities.
Key features include:

    •   Crawling & Link Discovery – Embedded browser crawls complex sites. Reaches wide coverage of the site’s
        functionality by sampling redundant and related links.
    •   Authentication – Automatically finds and authenticates to login forms. Maintains an authenticated session.
        Support for server-based authentication (Basic, Digest, NTLM) including SSL client certificates.
    •   Exclusion Lists – Use blacklists and whitelists to guarantee coverage and prevent the crawler from hitting
        certain links or areas of the site.
    •   Performance – User-determined bandwidth level for parallel scanning to control impact on application
        performance. Smart vulnerability checks skip unnecessary tests.
    •   Sensitive Content – Search for privacy- or security-related content within the site’s HTML.
    •   Accurate Vulnerability Tests – Minimizes false positives by profiling the target’s behavior. Uses multiple
        steps to verify discoveries.
    •   Site Discovery & Management – Discover web servers across a network. Manage scores of web applications
        from a unified interface.

Figure 3: Scan Summary results within QualysGuard WAS 2.0
Figure 4: QualysGuard WAS 2.0 – Detailed Scan Results




Operations
QualysGuard WAS 2.0 is delivered as an on demand service fully integrated with the QualysGuard IT security and
compliance suite of solutions. QualysGuard is already in use by thousands of customers for vulnerability management
and policy compliance. Users can manage web applications, launch scans, and generate reports from an integrated
security platform with unified web interface. QualysGuard WAS scans may be pre-scheduled or executed on demand.
The QualysGuard WAS service can be scaled to the largest web applications hosted anywhere in the world. Account
rights management allows an organization to centrally control which web applications may be scanned by individual users.


Protect Your Web Applications
The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most
prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security
efforts such as source code analysis and penetration testing. The latter controls are necessary, but QualysGuard WAS
will automate detection testing for the majority of threats – the kinds you read about when data thieves breach confidential
information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is a
cost-effective and easy-to-use on demand service that allows administrators to execute scans without any special
knowledge of web application security.


If you would like a free trial of QualysGuard WAS, please visit our website and sign up: www.qualys.com.


About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a
service. Qualys’ Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing
customers an immediate and continuous view of their security and compliance postures.


The QualysGuard® service is used today by more than 5,000 organizations in 85 countries, including 47 of the Fortune
Global 100, and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management
deployment in the world at a Fortune Global 50 company, and has been recognized by leading industry analysts for its
market leadership.


Qualys has established strategic agreements with leading managed service providers and consulting organizations
including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, NTT, SecureWorks, Symantec, Tata Communications and TELUS. Qualys
is also a founding member of the Cloud Security Alliance (CSA).


For more information, please visit www.qualys.com.






© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 02/11

Discovering the Value of Verifying Web Application Security Using IBM Rationa...Alan Kan
 
Vulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingVulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingClinton DSouza
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxCheckmarx
 

Similar to Web Application Security Guide by Qualys 2011 (20)

A26001006
A26001006A26001006
A26001006
 
375 378
375 378375 378
375 378
 
website vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paperwebsite vulnerability scanner and reporter research paper
website vulnerability scanner and reporter research paper
 
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
Identifying and Eradicating Web Application Vulnerabilities : Cyber Security ...
 
Factors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent InvolvedFactors Affecting The Threat Agent Involved
Factors Affecting The Threat Agent Involved
 
Are you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weaponsAre you fighting_new_threats_with_old_weapons
Are you fighting_new_threats_with_old_weapons
 
EISA Considerations for Web Application Security
EISA Considerations for Web Application SecurityEISA Considerations for Web Application Security
EISA Considerations for Web Application Security
 
Web Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The WebWeb Vulnerabilities And Exploitation - Compromising The Web
Web Vulnerabilities And Exploitation - Compromising The Web
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
 
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...A look at the prevalence of client-side JavaScript vulnerabilities in web app...
A look at the prevalence of client-side JavaScript vulnerabilities in web app...
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
 
Rational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability AssessmentRational Unified Treatment for Web Application Vulnerability Assessment
Rational Unified Treatment for Web Application Vulnerability Assessment
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10  -2007Application Security Vulnerabilities: OWASP Top 10  -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Study of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their CountermeasuresStudy of Cross-Site Scripting Attacks and Their Countermeasures
Study of Cross-Site Scripting Attacks and Their Countermeasures
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
T04505103106
T04505103106T04505103106
T04505103106
 
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...Discovering the Value of Verifying Web Application Security Using IBM Rationa...
Discovering the Value of Verifying Web Application Security Using IBM Rationa...
 
Vulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computingVulnerabilities in SaaS layer of cloud computing
Vulnerabilities in SaaS layer of cloud computing
 
SeanRobertsThesis
SeanRobertsThesisSeanRobertsThesis
SeanRobertsThesis
 
The Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's ToolboxThe Web AppSec How-To: The Defender's Toolbox
The Web AppSec How-To: The Defender's Toolbox
 

Recently uploaded

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 

Recently uploaded (20)

Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 

Web Application Security Guide by Qualys 2011

1 IBM ISS X-Force 2010 Mid-year Trend & Risk Report

Overview of Web Application Security

Attacks on vulnerabilities in web applications began appearing almost from the beginning of the World Wide Web, in the mid-1990s. Attacks are usually based on fault injection, which exploits vulnerabilities in a web application's syntax and semantics. Using a standard browser and basic knowledge of HTTP and HTML, an attacker attempts a particular exploit by automatically varying a Uniform Resource Identifier (URI), which in turn can trigger an exploit such as SQL injection or cross-site scripting:

  http://example/foo.cgi?a=1
  http://example/foo.cgi?a=1'            Example of SQL Injection
  http://example/foo.cgi?a=<script>…     Example of Cross-site Scripting (XSS)

Some attacks attempt to alter logical workflow. Attackers also execute these by automatically varying a URI:

  http://example/foo.cgi?admin=false
  http://example/foo.cgi?admin=true      Example of increasing privileges

A significant number of attacks exploit vulnerabilities in syntax and semantics. You can discover many of these vulnerabilities with an automated scanning tool. Logical vulnerabilities are very difficult to test with a scanning tool; they require manual work: source code analysis and hands-on security testing. Web application security vulnerabilities can stem from misconfigurations, bad architecture, or poor programming practices within commercial or custom application code. Vulnerabilities may be in code libraries and design patterns of popular programming languages such as Java, .NET, PHP, Python, Perl, and Ruby. These vulnerabilities can be complex and may occur under many different circumstances. Using a web application firewall might control the effects of some exploits but will not resolve the underlying vulnerabilities.
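The URI mutations above are exactly what a fault-injection scanner automates. The following Python is an added worked example, not code from this guide or from QualysGuard: it mutates one query parameter with a quote and with a reflection marker, sends each variant to a constructed stand-in for the target (a hypothetical foo.cgi handler that concatenates the parameter into SQL and echoes it unescaped), and decides from the response alone whether the probe hit, which is all a black-box scanner can do. A hardened handler with a parameterized query, output encoding and a generic error page is included so the same probes can be seen coming back clean. The handler names, the sample table, the probe strings and the error signatures are assumptions of this example.

```python
import sqlite3
import urllib.parse
from html import escape

# Constructed stand-in for the target: two hypothetical handlers for
# http://example/foo.cgi?a=... (assumed names, not the guide's code). The table
# contents are sample data for this example only.
_DB = sqlite3.connect(":memory:", check_same_thread=False)
_DB.execute("CREATE TABLE items (id INTEGER, name TEXT)")
_DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "apple"), (2, "pear")])


def _param(url, name):
    """Value of one query-string parameter, URL-decoded ('' if absent)."""
    query = urllib.parse.urlsplit(url).query
    return dict(urllib.parse.parse_qsl(query, keep_blank_values=True)).get(name, "")


def vulnerable_app(url):
    """Echoes a= unescaped (reflected XSS) and concatenates it into SQL (SQLi)."""
    a = _param(url, "a")
    body = "<p>You searched for %s</p>" % a                  # no output encoding
    try:
        rows = _DB.execute("SELECT name FROM items WHERE id = " + a).fetchall()
    except sqlite3.Error as exc:
        # verbose database error returned to the client: the scanner's SQLi evidence
        return 500, body + "<pre>Database error: %s</pre>" % exc
    return 200, body + "<ul>%s</ul>" % "".join("<li>%s</li>" % escape(n) for (n,) in rows)


def hardened_app(url):
    """Same page with output encoding, a parameterized query and a generic error."""
    a = _param(url, "a")
    body = "<p>You searched for %s</p>" % escape(a)
    try:
        rows = _DB.execute("SELECT name FROM items WHERE id = ?", (a,)).fetchall()
    except sqlite3.Error:
        return 500, body + "<pre>Request failed</pre>"      # nothing for a scanner to match
    return 200, body + "<ul>%s</ul>" % "".join("<li>%s</li>" % escape(n) for (n,) in rows)


# Scanner side. Each probe is appended to the parameter value, mirroring the
# a=1 -> a=1' and a=<script>... mutations shown in the text.
XSS_MARKER = "qgwas<script>qgwas()</script>"    # unique token: a hit is a real reflection
PROBES = [("sqli_quote", "'"), ("xss_reflect", XSS_MARKER)]
SQL_ERROR_SIGNATURES = ("syntax error", "unrecognized token", "sqlite", "mysql", "ora-")


def mutate_url(url, param):
    """Yield (probe_name, mutated_url), varying only the chosen parameter."""
    parts = urllib.parse.urlsplit(url)
    pairs = urllib.parse.parse_qsl(parts.query, keep_blank_values=True)
    for name, payload in PROBES:
        new_pairs = [(k, v + payload if k == param else v) for k, v in pairs]
        yield name, urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(new_pairs)))


def detect(probe_name, body):
    """Judge from the response body alone, as a black-box scanner has to."""
    if probe_name == "sqli_quote":
        return any(sig in body.lower() for sig in SQL_ERROR_SIGNATURES)
    if probe_name == "xss_reflect":
        return XSS_MARKER in body
    return False


def scan(url, param, fetch):
    """Return [(probe_name, mutated_url)] for each probe whose response shows the flaw."""
    return [(name, mutated) for name, mutated in mutate_url(url, param)
            if detect(name, fetch(mutated)[1])]


if __name__ == "__main__":
    for app in (vulnerable_app, hardened_app):
        print(app.__name__, scan("http://example/foo.cgi?a=1", "a", app))
```

Run against vulnerable_app both probes report a finding; against hardened_app neither does, because the quote no longer reaches the SQL parser, the marker comes back as `&lt;script&gt;`, and the error page carries no database text. Note that the hardened handler still failed on the quote; it just stopped telling the client about it. Error-signature matching is one heuristic, and a production scanner confirms a hit with further requests (timing or boolean variants) before reporting it.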
Types of Web Application Vulnerabilities

Web applications may have any of two dozen types of vulnerabilities. Security consultants who do penetration testing may focus on finding top vulnerabilities, such as those in a list published by the Open Web Application Security Project (www.owasp.org), the OWASP Top 10. Other efforts to systematically organize web application vulnerabilities include more than 30 granular threat classifications published by the Web Application Security Consortium (www.webappsec.org). The following descriptions of web vulnerabilities are modeled on a WASC schema.

"The number of new vulnerability disclosures in the first half of the year is at the highest level ever recorded. This is in stark contrast to the 2009 mid-year report when new vulnerability disclosures were at the lowest level in the previous four years. Web application vulnerabilities—particularly cross-site scripting and SQL injection—continue to dominate the threat landscape."
(IBM X-Force® 2010 Mid-year Trend & Risk Report)

Authentication – stealing user account identities
• Brute Force attack automates a process of trial and error to guess a person's username, password, credit-card number or cryptographic key.
• Insufficient Authentication permits an attacker to access sensitive content or functionality without proper authentication.
• Weak Password Recovery Validation permits an attacker to illegally obtain, change or recover another user's password.

Authorization – illegal access to applications
• Credential / Session Prediction is a method of hijacking or impersonating a user by guessing or deducing the value that identifies that user's session.
• Insufficient Authorization permits access to sensitive content or functionality that should require more access control restrictions.
• Insufficient Session Expiration permits an attacker to reuse old session credentials or session IDs for authorization.
• Session Fixation attacks force a user's session ID to an explicit value.

Client-side Attacks – illegal execution of foreign code
• Content Spoofing tricks a user into believing that certain content appearing on a web site is legitimate and not from an external source.
• Cross-site Scripting (XSS) forces a web site to echo attacker-supplied executable code, which loads into a user's browser.

Command Execution – hijacks control of web application
• Buffer Overflow attacks alter the flow of an application by overwriting parts of memory.
• Format String Attack alters the flow of an application by using string formatting library features to access other memory space.
• LDAP Injection attacks exploit web sites by constructing LDAP statements from user-supplied input.
• OS Commanding executes operating system commands on a web site by manipulating application input.
• SQL Injection constructs SQL statements from user-supplied input, so that attacker-controlled text is interpreted as part of the query.
• SSI Injection (also called Server-side Include injection) sends code into a web application that is later executed locally by the web server.
• XPath Injection constructs XPath queries from user-supplied input.

Information Disclosure – shows sensitive data to attackers
• Directory Indexing is an automatic directory listing / indexing web server function that shows all files in a requested directory if the normal base (index) file is not present.
• Information Leakage occurs when a web site reveals sensitive data such as developer comments or error messages, which may aid an attacker in exploiting the system.
• Path Traversal forces access to files, directories and commands that potentially reside outside the web document root directory.
• Predictable Resource Location uncovers hidden web site content and functionality.

Logical Attacks – interfere with application usage
• Abuse of Functionality uses a web site's own features and functionality to consume, defraud, or circumvent access control mechanisms.
• Denial of Service (DoS) attacks prevent a web site from serving normal user activity.
• Insufficient Anti-automation is when a web site permits an attacker to automate a process that should only be performed manually.
• Insufficient Process Validation permits an attacker to bypass or circumvent the intended flow of an application.

"Enterprise-class web application scanning solutions are broader, and should include a wide range of tests for major web application vulnerability classes, such as SQL injection, cross-site scripting, and directory traversals. The OWASP Top 10 is a good starting list of major vulnerabilities, but an enterprise class solution shouldn't limit itself to just one list or category of vulnerabilities. An enterprise solution should also be capable of scanning multiple applications, tracking results over time, providing robust reporting (especially compliance reports), and providing reports customized for local requirements."
(Securosis.com, Building a Web Application Security Program whitepaper)

Detecting Web Application Vulnerabilities

There is no "silver bullet" for detecting web application vulnerabilities. The strategy for their detection mirrors the multi-layer approach used for network security. Detection and remediation of some vulnerabilities requires source code analysis, particularly for complex enterprise-scale web applications. Detection of other vulnerabilities may also require on-site penetration testing. As mentioned earlier, the most prevalent web application vulnerabilities can also be detected with an automated scanner. An automated web application vulnerability scanner both supplements and complements manual forms of testing. It provides four key benefits:
• Lower total cost of operations by automating repeatable testing processes
• Close security loopholes by discovering and identifying rogue web applications
• Understand the security risks for your most public and accessible IT assets
• Drive secure coding practices for custom application development

A scanner does not have access to a web application's source code, so the only way it can detect vulnerabilities is by performing likely attacks on the target application. Time required for scanning varies, but a broad simulated attack on an application takes significantly longer than a network vulnerability scan against a single IP. A major requirement for a web application vulnerability scanner is comprehensive coverage of the target application's functionality. Incomplete coverage will cause the scanner to overlook existing vulnerabilities.

Introducing QualysGuard® WAS 2.0

The QualysGuard Web Application Scanning (WAS) solution is an on demand service integrated into the QualysGuard security and compliance Security-as-a-Service (SaaS) suite. Use of QualysGuard WAS presumes no specialized knowledge of web security. The service allows a network security or IT administrator to execute comprehensive, accurate vulnerability scans on custom web applications such as shopping carts, forms, login pages, and other types of dynamic content. Coverage is broad, and the tests are focused on web application security.

Figure 1: The QualysGuard WAS 2.0 Dashboard
Figure 2: Scan Management view within QualysGuard WAS 2.0
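Of the classes catalogued in the Types section, Path Traversal shows concretely how a scanner works from responses only, as the Detecting section describes: it has no source code, so it sends the attack and looks for evidence. The following Python is an added example, not from this guide and not QualysGuard's own check. It sends a short list of traversal variants, including URL-encoded and double-encoded forms, first to a constructed file-serving handler that joins the request path onto the document root with no containment check, then to a hardened handler that resolves the path and refuses anything outside the root. The document root, the secret file, the canary string and the handler names are all constructed for this example.

```python
import os
import tempfile
import urllib.parse
from pathlib import Path

# Constructed document root for this example (not from the guide): two public
# files under htdocs/, plus a file one level above that a traversal would expose.
_BASE = Path(tempfile.mkdtemp()).resolve()
DOCROOT = _BASE / "htdocs"
(DOCROOT / "static").mkdir(parents=True)
(DOCROOT / "index.html").write_text("<h1>home</h1>")
(DOCROOT / "static" / "app.css").write_text("body{}")
(_BASE / "secret.conf").write_text("db_password=hunter2\n")   # sample secret, constructed


def vulnerable_read(path):
    """Joins the request path onto the document root with no containment check."""
    rel = urllib.parse.unquote(path).lstrip("/")
    with open(os.path.join(DOCROOT, rel)) as fh:     # follows ../ wherever it leads
        return fh.read()


def hardened_read(path):
    """Resolve the requested path, then refuse anything outside the document root."""
    rel = urllib.parse.unquote(path).lstrip("/")
    target = (DOCROOT / rel).resolve()               # normalises ../ and follows symlinks
    if target != DOCROOT and DOCROOT not in target.parents:
        raise PermissionError("path escapes document root: %s" % path)
    if target.is_dir():                               # serve the index file, never a listing
        target = target / "index.html"
    return target.read_text()


# Scanner side: traversal variants a black-box scanner would try, and the string
# it looks for in the response. On a real target the canary would be the content
# of a file known to exist (the root:x:0:0 line of /etc/passwd, for instance).
TRAVERSAL_PROBES = [
    "../secret.conf",
    "static/../../secret.conf",
    "%2e%2e/secret.conf",             # dots encoded
    "%2e%2e%2fsecret.conf",           # dots and slash encoded
    "..%2fsecret.conf",               # slash encoded
    "%252e%252e%252fsecret.conf",     # double-encoded: works only if the server decodes twice
]
CANARY = "db_password="


def probe_traversal(read, probes=TRAVERSAL_PROBES):
    """Return the probes for which the response contains the canary."""
    hits = []
    for probe in probes:
        try:
            body = read(probe)
        except (OSError, ValueError):                # 404/403 equivalents: no evidence
            continue
        if CANARY in body:
            hits.append(probe)
    return hits


if __name__ == "__main__":
    print("vulnerable:", probe_traversal(vulnerable_read))
    print("hardened:  ", probe_traversal(hardened_read))
```

The vulnerable handler leaks the file for every single-encoded variant and survives only the double-encoded one, because it decodes once; a server that decodes twice would fall to that probe as well, which is why scanners keep it in the list. The hardened handler checks the resolved path rather than the request string, so a symlink inside the root that points outside it is rejected too, and it never returns a directory listing. The probe list is also a reminder of the coverage point above: the scanner can only find this flaw on handlers it actually requests.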
Key Benefits

QualysGuard WAS helps organizations catalog web applications within their enterprise and get an inventory of their applications – no matter where they reside. Then, QualysGuard WAS automates repeatable techniques used to identify the most prevalent web vulnerabilities, such as SQL injection and cross-site scripting. It combines pattern recognition and observed behaviors to accurately identify and verify vulnerabilities. The QualysGuard WAS service identifies and profiles login forms, session state, error pages, and other customized features of the target application – even if it extends across multiple web sites. This site profile data helps QualysGuard WAS adapt to changes as the web application matures. Adaptability enables the scanner to be used against unknown or legacy web applications that may carry little information about error pages or other behavior. As a result, QualysGuard WAS delivers accurate detection and reduces false positives. The automated nature of QualysGuard WAS enables regular testing that produces consistent results and easily scales for large numbers of web sites.

Feature Highlights

QualysGuard WAS offers comprehensive capabilities to assess, track, and report web application vulnerabilities. Key features include:
• Crawling & Link Discovery – Embedded browser crawls complex sites. Reaches wide coverage of the site's functionality by sampling redundant and related links.
• Authentication – Automatically finds and authenticates to login forms. Maintains an authenticated session. Supports server-based authentication (Basic, Digest, NTLM) including SSL client certificates.
• Exclusion Lists – Use blacklists and whitelists to guarantee coverage and prevent the crawler from hitting certain links or areas of the site.
• Performance – User-determined bandwidth level for parallel scanning to control impact on application performance. Smart vulnerability checks skip unnecessary tests.
• Sensitive Content – Search for privacy- or security-related content within the site's HTML.
• Accurate Vulnerability Tests – Minimizes false positives by profiling the target's behavior. Uses multiple steps to verify discoveries.
• Site Discovery & Management – Discover web servers across a network. Manage scores of web applications from a unified interface.

Figure 3: Scan Summary results within QualysGuard WAS 2.0
Figure 4: QualysGuard WAS 2.0 – Detailed Scan Results
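Link discovery with exclusion lists, and the coverage requirement stated in the Detecting section, come down to one crawl loop. The Python below is an added example of that general approach and is not Qualys's crawler: a breadth-first link discoverer restricted to the start host, a blacklist of URLs never requested (the usual case is a logout link, which would end the authenticated session the crawler depends on), an optional whitelist, and a coverage report listing pages the crawl never reached. The site map is constructed in memory for the example, with one page reachable only through the admin area and one orphan page linked from nowhere; the URLs and bodies are assumptions.

```python
import re
from collections import deque
from urllib.parse import urljoin, urlsplit

# Constructed site map for this example (URL -> HTML body); not a real site.
# /admin/ is linked only from a product page, /old/report from nowhere, and
# /logout would end the session if the crawler followed it.
SITE = {
    "http://example/": '<a href="/products?id=1">p1</a> <a href="/products?id=2">p2</a> '
                       '<a href="/about">about</a> <a href="/logout">logout</a>',
    "http://example/products?id=1": '<a href="/">home</a> <a href="/products?id=2">next</a> '
                                    '<a href="http://cdn.example.net/a.js">cdn</a>',
    "http://example/products?id=2": '<a href="/products?id=1">prev</a> <a href="/admin/">admin</a>',
    "http://example/about": '<a href="mailto:webmaster@example">mail</a>',
    "http://example/logout": "session ended",
    "http://example/admin/": '<a href="/admin/users">users</a>',
    "http://example/admin/users": "user list",
    "http://example/old/report": "orphan page with no inbound links",
}
HREF = re.compile(r'href="([^"]+)"')


def fetch(url):
    """Stand-in for an HTTP GET: the body, or None for a 404."""
    return SITE.get(url)


def crawl(start, fetch, blacklist=(), whitelist=None, max_pages=1000):
    """Breadth-first link discovery, limited to the start URL's host.

    blacklist: regexes for URLs that are never requested (logout links, destructive
               actions); whitelist: if given, only URLs matching one of these regexes
               are requested (the start URL must match too)."""
    host = urlsplit(start).netloc
    seen, queue, visited = {start}, deque([start]), []
    while queue and len(visited) < max_pages:
        url = queue.popleft()
        if any(re.search(p, url) for p in blacklist):
            continue
        if whitelist is not None and not any(re.search(p, url) for p in whitelist):
            continue
        body = fetch(url)
        if body is None:
            continue
        visited.append(url)
        for href in HREF.findall(body):
            link = urljoin(url, href).split("#")[0]
            parts = urlsplit(link)
            if parts.scheme not in ("http", "https") or parts.netloc != host:
                continue                      # mailto:, off-host CDN, etc. are out of scope
            if link not in seen:
                seen.add(link)
                queue.append(link)
    return visited


def coverage_report(visited, known_pages):
    """Pages the crawl never requested: the scanner cannot test what it did not reach."""
    return sorted(set(known_pages) - set(visited))


if __name__ == "__main__":
    reached = crawl("http://example/", fetch, blacklist=[r"/logout$"])
    print("crawled:", reached)
    print("not covered:", coverage_report(reached, SITE))
```

With the logout link blacklisted, the crawl reaches the admin pages through the second product page but never sees /old/report; no amount of crawling finds a page with no inbound links, which is why a scanner also needs seeded URLs or a site inventory. Without the blacklist the crawler requests /logout as well, which on a real target would discard the session and silently turn every later page into the login form. A whitelist that omits the start URL crawls nothing, so whitelists should be written against the paths to test, with the entry point included.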
Operations

QualysGuard WAS 2.0 is delivered as an on demand service fully integrated with the QualysGuard IT security and compliance suite of solutions. QualysGuard is already in use by thousands of customers for vulnerability management and policy compliance. Users can manage web applications, launch scans, and generate reports from an integrated security platform with a unified web interface. QualysGuard WAS scans may be pre-scheduled or executed on demand. The QualysGuard WAS service can be scaled to the largest web applications hosted anywhere in the world. Account rights management allows an organization to centrally control which web applications may be scanned by individual users.

Protect Your Web Applications

The QualysGuard Web Application Scanning service will help your organization immediately begin identifying the most prevalent security vulnerabilities open to criminal exploit. The scanner will be a powerful supplement to existing security efforts such as source code analysis and penetration testing. The latter controls are necessary, but QualysGuard WAS will automate detection testing for the majority of threats – the kinds you read about when data thieves breach confidential information via web applications. In addition to comprehensive testing and accurate detection, QualysGuard WAS is a cost effective and easy-to-use on demand service allowing an administrator to execute scans without any special knowledge of web application security. If you would like a free trial of QualysGuard WAS, please visit our website and sign up: www.qualys.com.

About Qualys

Qualys, Inc. is the leading provider of on demand IT security risk and compliance management solutions – delivered as a service. Qualys' Software-as-a-Service solutions are deployed in a matter of hours anywhere in the world, providing customers an immediate and continuous view of their security and compliance postures. The QualysGuard® service is used today by more than 5,000 organizations in 85 countries, including 47 of the Fortune Global 100, and performs more than 500 million IP audits per year. Qualys has the largest vulnerability management deployment in the world at a Fortune Global 50 company, and has been recognized by leading industry analysts for its market leadership. Qualys has established strategic agreements with leading managed service providers and consulting organizations including BT, Etisalat, Fujitsu, IBM, I(TS)2, LAC, NTT, SecureWorks, Symantec, Tata Communications and TELUS. Qualys is also a founding member of the Cloud Security Alliance (CSA). For more information, please visit www.qualys.com.

USA – Qualys, Inc. • 1600 Bridge Parkway, Redwood Shores, CA 94065 • T: 1 (650) 801 6100 • sales@qualys.com
UK – Qualys, Ltd. • Beechwood House, 10 Windsor Road, Slough, Berkshire, SL1 2EJ • T: +44 (0) 1753 872100
Germany – Qualys GmbH • München Airport, Terminalstrasse Mitte 18, 85356 München • T: +49 (0) 89 97007 146
France – Qualys Technologies • Maison de la Défense, 7 Place de la Défense, 92400 Courbevoie • T: +33 (0) 1 41 97 35 70
Japan – Qualys Japan K.K. • Pacific Century Place 8F, 1-11-1 Marunouchi, Chiyoda-ku, 100-6208 Tokyo • T: +81 3 6860 8296
United Arab Emirates – Qualys FZE • P.O Box 10559, Ras Al Khaimah, United Arab Emirates • T: +971 7 204 1225
China – Qualys Hong Kong Ltd. • Suite 1901, Tower B, TYG Center, C2 North Rd, East Third Ring Rd, Chaoyang District, Beijing • T: +86 10 84417495
www.qualys.com

© Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc. All other trademarks are the property of their respective owners. 02/11