Web application security: Threats & Countermeasures
Aung Thu Rha Hein (g5536871)
 Fundamentals
   • Principles
   • Practices
   • Three-Tiered Approach
 Threats & Countermeasures
   • Anatomy of web attacks
   • Threat categories
      STRIDE
      Network Threats & Countermeasures
      Host Threats & Countermeasures
      Application Threats & Countermeasures
 Summary & Conclusion

Principles
 Defense in Depth
   • Use multiple layers, so that the failure of one defense does not expose the system
   • E.g. firewalls, IDS, load balancers, IP restrictions
 Least Privilege
   • Grant as little access to the system as possible
   • E.g. restrict access to the DB
 Least Complicated
   • Complexity generates mistakes

Practices
 Filter input
   • Ensure incoming data is valid
 Escape output
   • Ensure outgoing data is not misinterpreted

   Data flow: Input → Application → Output

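The two practices above, filter input and escape output, as an added example written for this page (it is not code from the slides or their author). The field names, the allow-list pattern and the sample values are assumptions chosen for illustration. Input is checked against an allow-list and rejected when it does not match, rather than "cleaned"; output is encoded for the specific context it is written into (an HTML body versus a URL query string), because the right escaping depends on where the data ends up.

```python
import html
import re
from typing import Optional
from urllib.parse import quote_plus

# Allow-list for a hypothetical username field: only the characters the
# application actually needs. Non-matching values are rejected, not "cleaned".
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")

# Plain ASCII digits only: str.isdigit() also accepts characters such as
# superscripts that int() rejects, so a regex is the safer filter here.
QUANTITY_RE = re.compile(r"[0-9]{1,6}")


def validate_username(value: str) -> bool:
    """Filter input: accept a username only if the whole value matches the allow-list."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_quantity(value: str, maximum: int = 100) -> Optional[int]:
    """Filter input: a numeric field is parsed and range-checked, never trusted as-is.

    Returns the integer on success, None if the value is not a short digit
    string or lies outside 1..maximum.
    """
    if QUANTITY_RE.fullmatch(value) is None:
        return None
    number = int(value)
    return number if 1 <= number <= maximum else None


def render_greeting(display_name: str) -> str:
    """Escape output for an HTML body: the name is HTML-encoded so the browser
    shows it as text instead of interpreting any markup it contains."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "!</p>"


def render_search_url(base_url: str, search_term: str) -> str:
    """Escape output for a different context: a query-string value is
    percent-encoded, because HTML escaping is the wrong encoding for a URL."""
    return base_url + "?q=" + quote_plus(search_term)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real request.
    for candidate in ("alice_01", "al", "alice<b>"):
        print(candidate, "->", validate_username(candidate))
    print(validate_quantity("25"), validate_quantity("0"), validate_quantity("12x"))
    print(render_greeting("<b>Bob</b>"))
    print(render_search_url("https://example.test/search", "a b&c"))
```

The split between the two halves matters: validation happens once, at the trust boundary where data enters; encoding happens at every place the data leaves, with the encoder chosen for that output context.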
Three-Tiered Approach
 Secure the network
 Secure the host
   • Runtime services
   • Platform services
   • Operating system
 Secure the application
   • Presentation logic
   • Business logic
   • Data access logic

 Anatomy of a web attack
   • Survey and assess
   • Exploit and penetrate
   • Escalate privileges
   • Maintain access
   • Deny service

 Threat Categories
   • STRIDE: based on the goals and purposes of the attacker
   • Three categories based on the three-tiered approach: Network, Host, Application

STRIDE
   • Spoofing: gain access to the system with a false identity
   • Tampering: unauthorized modification of data
   • Repudiation: ability of a user to deny having performed specific actions or transactions
   • Information disclosure: exposure of private data
   • Denial of Service: making the system unavailable
   • Elevation of Privilege: a user with limited privileges assumes the identity of a fully privileged user

STRIDE countermeasures
   • Spoofing: strong authentication, SSL, avoid plaintext when storing and sending sensitive data
   • Tampering: data hashing, digital signatures, authorization
   • Repudiation: secure audit trails, digital signatures
   • Information disclosure: strong authorization and encryption, avoid plaintext, secure communication links
   • Denial of Service: validate and filter input, bandwidth throttling techniques, AAA protocol
   • Elevation of Privilege: follow the principle of least privilege

Network threats
   • Information gathering: discover and profile network devices to find vulnerabilities
   • Sniffing: eavesdropping on data crossing the network
   • Spoofing: hide one's true identity to access the system and work around ACLs
   • Session hijacking: man-in-the-middle attack
   • Denial of service: denies legitimate access to the server or services

Network countermeasures
   • Information gathering: configure routers to restrict footprinting, disable unused protocols and ports
   • Sniffing: use strong physical security, network segmentation, encrypt communication
   • Spoofing: filter incoming and outgoing packets
   • Session hijacking: encrypted session negotiation and communication channels
   • Denial of service: IDS, appropriate registry settings for the TCP/IP stack

Host threats
   • Viruses, Trojan horses, and worms: perform malicious acts and cause disruption to the OS
   • Footprinting: try to reveal valuable information about the system
   • Password cracking: try to establish an authenticated connection with the server
   • Arbitrary code execution: execute malicious code on the server
   • Unauthorized access: try to access restricted information or perform restricted operations

Host countermeasures
   • Viruses, Trojan horses, and worms: harden weak default configuration settings, anti-virus applications
   • Footprinting: disable unused ports and protocols, IDS, "defense in depth"
   • Password cracking: strong passwords, lockout policies, audit failed login attempts
   • Arbitrary code execution: lock down system commands and utilities with restricted ACLs, apply patches and updates
   • Unauthorized access: secure web permissions, lock down files and folders

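The password-cracking countermeasures above (lockout policies, auditing failed login attempts) as an added example written for this page, not code from the slides or their author. The log format, the sample lines, the threshold of five failures in a sliding one-minute window and the reset on a successful login are all assumptions chosen for illustration; a real deployment would parse its own server's authentication log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample lines in a hypothetical "timestamp user source result"
# format; they are not taken from any real server log.
SAMPLE_LOG = """\
2024-05-01T10:00:01 alice 203.0.113.5 FAIL
2024-05-01T10:00:05 alice 203.0.113.5 FAIL
2024-05-01T10:00:09 alice 203.0.113.5 FAIL
2024-05-01T10:00:12 alice 203.0.113.5 FAIL
2024-05-01T10:00:15 alice 203.0.113.5 FAIL
2024-05-01T10:00:20 alice 203.0.113.5 OK
2024-05-01T10:05:00 bob 198.51.100.7 FAIL
2024-05-01T10:30:00 bob 198.51.100.7 FAIL
2024-05-01T10:31:00 carol 192.0.2.44 OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

Event = Tuple[datetime, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events: List[Event] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, user, source, result = match.groups()
        events.append((datetime.fromisoformat(ts), user, source, result))
    return events


def lockout_decisions(events: List[Event], threshold: int = 5,
                      window_seconds: int = 60) -> Dict[str, datetime]:
    """Lockout policy: an account locks when `threshold` failures occur within
    a sliding window. A successful login resets the counter. Returns
    {user: timestamp of the failure that triggered the lockout}."""
    window = timedelta(seconds=window_seconds)
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    locked: Dict[str, datetime] = {}
    for ts, user, _source, result in sorted(events):
        if user in locked:
            continue  # already locked; later events are not re-evaluated here
        if result == "OK":
            recent_failures[user].clear()
            continue
        # keep only failures still inside the window, then add this one
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        recent_failures[user].append(ts)
        if len(recent_failures[user]) >= threshold:
            locked[user] = ts
    return locked


def audit_failed_logins(events: List[Event]) -> Dict[Tuple[str, str], int]:
    """Audit trail summary: failed attempts per (user, source) for review."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for _ts, user, source, result in events:
        if result == "FAIL":
            counts[(user, source)] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("locked:", {u: t.isoformat() for u, t in lockout_decisions(evts).items()})
    print("failures:", audit_failed_logins(evts))
```

In the sample, only alice trips the five-in-a-minute rule; bob's two failures are 25 minutes apart and stay below it, but the per-source audit still records them for review. The window and threshold are a trade-off with the Denial of Service threat on the STRIDE slide: an attacker who can trigger lockouts at will can lock legitimate users out, so lockouts are normally short and the audit trail, not the lockout alone, is what drives investigation.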
Application threats
   • Input validation: cross-site scripting (XSS), SQL injection
   • Authentication: dictionary attacks, brute-force attacks
   • Session management: session hijacking, man in the middle
   • Cryptography: poor key generation or key management, weak or custom encryption
   • Parameter manipulation: query string and form field manipulation, cookie manipulation, HTTP header manipulation
   • Exception management: information disclosure, denial of service

Application countermeasures
   • Input validation: validate input, encode user output, use parameterized stored procedures
   • Authentication: strong passwords with hashes
   • Session management: SSL, expiration period on the session cookie, HMACs
   • Cryptography: secure encryption system, DPAPI, use proven cryptographic services
   • Parameter manipulation: session identifier, HTTP POST, encrypt query strings, HMACs
   • Exception management: exception handling and logging

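An added example, written for this page and not taken from the slides or their author, covering three rows of the application countermeasures above: the session identifier with an expiration period and an HMAC (session management), the same HMAC protecting a client-held value from parameter manipulation, and password storage as a salted hash (authentication). It uses Python's standard `hmac` and `hashlib` modules in place of the DPAPI named on the slide; the server key, the token layout (base64url payload, a dot, base64url tag) and the sample values are assumptions. TLS for the transport is assumed to be in place and is not shown.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Hypothetical server-side key, constructed so the example runs offline.
# A real deployment loads it from a secret store and never hard-codes it.
SERVER_KEY = b"example-server-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(session_id: str, user: str, ttl_seconds: int,
                now: Optional[float] = None, key: bytes = SERVER_KEY) -> str:
    """Bind session id, user and expiry together under an HMAC-SHA256 tag, so
    the client cannot change any of them without the server noticing."""
    now = time.time() if now is None else now
    payload = json.dumps({"sid": session_id, "user": user, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, now: Optional[float] = None,
                 key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the payload if the tag verifies and the token has not expired,
    else None. The tag is checked before the payload is parsed or trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:  # wrong number of parts or undecodable base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    return data if data["exp"] > now else None


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the password itself.
    The record carries its own parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$" + str(iterations) + "$" + _b64(salt) + "$" + _b64(digest)


def check_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time."""
    _algo, iterations, salt_b64, digest_b64 = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 _unb64(salt_b64), int(iterations))
    return hmac.compare_digest(digest, _unb64(digest_b64))


if __name__ == "__main__":
    tok = issue_token("sid-123", "alice", ttl_seconds=600)
    print("token:", tok)
    print("valid now:", verify_token(tok) is not None)
    rec = hash_password("correct horse")
    print("stored record:", rec)
    print("check:", check_password("correct horse", rec), check_password("wrong", rec))
```

The token approach generalises to any value the server hands to the client and later reads back (a cookie, a hidden form field, a query-string parameter): whatever is under the tag cannot be altered without the key. It provides integrity, not confidentiality, so the slide's "encrypt query strings" is a separate step for values that must also stay hidden.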
Summary & Conclusion
 Understanding STRIDE makes applying countermeasures more effective.
 Understanding common threats also helps prevent them from compromising the application.

                  Thank You!

Web application security: Threats & Countermeasures

Editor's Notes

  1. Disable remote connection
  2. Network: router, firewall, switch (protocols and ports). Host: OS, app platform, DB services, web server, app server. App: validation, AAA, exception management