Web Application Security - OWASP

Web Application Security
The OWASP Foundation http://www.owasp.org

Securing the application
  • Input validation
  • Session management
  • Authentication
  • Authorization
  • Configuration management
  • Error handling
  • Auditing/logging
  • Secure storage

Securing the network
  • Router
  • Firewall
  • Switch

Securing the host
  • Patches/updates
  • Accounts
  • Services
  • Files/directories
  • Registry
  • Protocols
  • Shares
  • Ports
  • Auditing/logging

(Slide diagram: web server, app server and DB server hosts, each running apps or the database, separated by firewalls.)

Web Application Behaviour

  • HTTP is stateless: the requests and responses exchanged between browser and server carry no memory of earlier ones.
  • Most typical HTTP requests use either the GET or the POST method.
  • Scripting can occur on:
      Server-side (e.g. Perl, ASP, JSP)
      Client-side (JavaScript, Flash, applets)
  • Web server file mappings allow the web server to handle certain file types using specific handlers (ASP, ASP.NET, Java, JSP, CFM etc.).
  • Data is posted to the application through HTTP methods; this data is processed by the relevant script and the result is returned to the user's browser.

HTTP GET vs HTTP POST

  • GET exposes sensitive authentication information in the URL:
      in web server and proxy server logs
      in the HTTP Referer header
      in bookmarks/favorites, which are often emailed to others
  • POST places information in the body of the request and not in the URL.
  • Enforce HTTPS POST for sensitive data transport.

GET vs POST HTTP Request

GET request:

    GET /search.jsp?name=blah&type=1 HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Cookie: SESSIONID=2KDSU72H9GSA289

POST request:

    POST /search.jsp HTTP/1.0
    User-Agent: Mozilla/4.0
    Host: www.mywebsite.com
    Content-Length: 16
    Cookie: SESSIONID=2KDSU72H9GSA289

    name=blah&type=1

What are HTTP Headers?

  • HTTP headers are components of the message header of HTTP requests and responses.
  • HTTP headers define different aspects of an HTTP transaction.
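To make the GET-versus-POST exposure concrete, here is an added example (not part of the OWASP deck) that parses the two requests above, shows what a Common Log Format access log would record for each, and maps every parameter to where it travels. The request texts are copied from the slide as constructed input; the function names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# The two requests from the slide, embedded here as constructed input.
GET_REQUEST = (
    "GET /search.jsp?name=blah&type=1 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: www.mywebsite.com\r\n"
    "Cookie: SESSIONID=2KDSU72H9GSA289\r\n\r\n"
)
POST_REQUEST = (
    "POST /search.jsp HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Host: www.mywebsite.com\r\n"
    "Content-Length: 16\r\n"
    "Cookie: SESSIONID=2KDSU72H9GSA289\r\n\r\n"
    "name=blah&type=1"
)

def parse_request(raw):
    """Split a raw HTTP/1.x request into method, target, version, headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "content-length" in headers:          # body is exactly Content-Length bytes
        body = body[: int(headers["content-length"])]
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def access_log_line(req):
    """The request line as a Common Log Format access log records it: a GET
    query string is written to disk, a POST body is not."""
    return f'{req["method"]} {req["target"]} {req["version"]}'

def parameter_locations(req):
    """Map each submitted parameter name to 'url' (exposed in logs, the
    Referer header and bookmarks) or 'body' (only in the request body)."""
    found = {name: "url" for name in parse_qs(urlsplit(req["target"]).query)}
    if req["method"] == "POST":
        found.update({name: "body" for name in parse_qs(req["body"])})
    return found
```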

  • HTTP headers are colon-separated name-value pairs in clear-text string format, terminated by a carriage return (CR) and line feed (LF) character sequence.
  • Reference: http://en.wikipedia.org/wiki/List_of_HTTP_header_fields

Security HTTP Response Headers

  • X-Frame-Options
  • X-XSS-Protection
  • X-Content-Type-Options
  • Content Security Policy
  • Access-Control-Allow-Origin
  • HTTP Strict Transport Security
  • Cache-Control / Pragma

Security HTTP Response Headers

  • X-Frame-Options: 'SAMEORIGIN' allows framing only on the same domain. Set it to 'DENY' to deny framing at all, or 'ALLOWALL' if you want to allow framing for all websites.
  • X-XSS-Protection: '1; mode=block' uses the XSS Auditor and blocks the page if an XSS attack is detected. Set it to '0;' if you want to switch the XSS Auditor off (useful if the response contains scripts from request parameters).
  • X-Content-Type-Options: 'nosniff' stops the browser from guessing the MIME type of a file.
  • X-Content-Security-Policy: a powerful mechanism for controlling which sites certain content types can be loaded from.
  • Access-Control-Allow-Origin: used to control which sites are allowed to bypass the same-origin policy and send cross-origin requests.
  • Strict-Transport-Security: used to control whether the browser is allowed to access a site only over a secure connection.
  • Cache-Control: used to control mandatory content caching rules.

X-Frame-Options

  • Protects you from most classes of clickjacking.

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM

X-XSS-Protection

  • Use the browser's built-in XSS Auditor.

    X-XSS-Protection: [0-1](; mode=block)?
    X-XSS-Protection: 1; mode=block

X-Content-Type-Options

  • Fixes MIME sniffing attacks.
  • Only applies to IE, because only IE would do something like this.

    X-Content-Type-Options: nosniff

Content Security Policy

  • Anti-XSS W3C standard: http://www.w3.org/TR/CSP/
  • Move all inline script and style into external files.
  • Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use.

  • Define a policy for the site regarding loading of content.
  • Browser support: Chrome version 25 and later (50%), Firefox version 23 and later (30%), Internet Explorer version 10 and later (10%).

Strict Transport Security

    Strict-Transport-Security: max-age=10000000

  • Do all of your subdomains support SSL?

    Strict-Transport-Security: max-age=10000000; includeSubdomains

Disabling the Browser Cache

  • Add the following as part of your HTTP response:

    Cache-Control: no-store, no-cache, must-revalidate
    Expires: -1

HTTP Security Headers Tool

  • Secure headers! Open source: https://github.com/twitter/secureheaders
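The header recommendations on the slides above can be turned into a response audit. The following is an added example, not code from the OWASP deck or from the secureheaders project: it parses a raw HTTP response and reports which of the recommended headers are missing or weaker than the slides advise. Both sample responses are constructed, and the function names are my own.

```python
import re

def parse_headers(raw_response):
    """Return {lower-case name: value} from the head of a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def audit_security_headers(raw_response):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_headers(raw_response)
    findings = []
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
    if h.get("x-xss-protection", "").replace(" ", "") != "1;mode=block":
        findings.append("X-XSS-Protection is not '1; mode=block'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if not (h.get("content-security-policy") or h.get("x-content-security-policy")):
        findings.append("no Content-Security-Policy header")
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) == 0:
        findings.append("Strict-Transport-Security missing or max-age=0")
    elif "includesubdomains" not in hsts:         # the slide's subdomain question
        findings.append("Strict-Transport-Security does not cover subdomains")
    cache = {t.strip().lower() for t in h.get("cache-control", "").split(",")}
    if "no-store" not in cache:
        findings.append("Cache-Control does not include no-store")
    return findings

# Constructed samples: one response with the weak or missing settings the
# slides warn about, one carrying the recommended values.
WEAK = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-XSS-Protection: 0;\r\nCache-Control: private\r\n\r\n<html>")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\nX-XSS-Protection: 1; mode=block\r\n"
            "X-Content-Type-Options: nosniff\r\n"
            "Content-Security-Policy: default-src 'self'\r\n"
            "Strict-Transport-Security: max-age=10000000; includeSubDomains\r\n"
            "Cache-Control: no-store, no-cache, must-revalidate\r\nExpires: -1\r\n\r\n<html>")
```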
