Web Application Security Considerations

Academic year: 2021


(1)

RTI International is a trade name of Research Triangle Institute

3040 Cornwallis Road  ■  P.O. Box 12194  ■  Research Triangle Park, North Carolina, USA 27709

Phone 919-316-3898  Fax 919-541-6178  e-mail [email protected]

Web Application Security Considerations

Eric Peele, Kevin Gainey

(2)

Types of Threats

Layer         Example threats
Network       Spoofed packets, etc.                       (threats against the network)
Host          Buffer overflows, illicit paths, etc.       (threats against the host)
Application   SQL injection, XSS, input tampering, etc.
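The application-layer row above names SQL injection and XSS. The following added example (not part of the original deck) shows, against a constructed in-memory SQLite table, why building a query by string concatenation lets input become SQL syntax, and the two controls that close both holes: a parameterized query for the database and output encoding before the value reaches HTML. The table, rows and the tampered input are all constructed for the demonstration.

```python
import html
import sqlite3


def demo_db():
    # Constructed sample data standing in for the application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Query text assembled from the untrusted value: quotes in the input
    # terminate the literal and the rest is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The driver binds the value as data; it is only ever compared, never parsed.
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # Output encoding for the XSS case: HTML metacharacters become entities,
    # so a stored or reflected value cannot introduce markup or script.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def demo():
    conn = demo_db()
    tampered = "x' OR '1'='1"  # constructed input that rewrites the WHERE clause
    return {
        # 2: the concatenated query matches every row
        "vulnerable_rows": len(lookup_vulnerable(conn, tampered)),
        # 0: no user is literally named "x' OR '1'='1"
        "parameterized_rows": len(lookup_parameterized(conn, tampered)),
        "escaped": render_greeting("<script>alert(1)</script>"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized form is the fix for the whole class, not for one payload: whatever the input contains, the database engine sees a single bound string compared against the `name` column.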

(3)

Why Security?

2002 Computer Crime and Security Survey (http://www.gocsi.com/press/20020407.html):

90%   Reported security breaches in the last 12 months
80%   Acknowledged financial losses as a result
74%   Identified Internet connection as frequent source of attacks
34%   Reported intrusions to authorities

(4)

How Does This Happen?

Common Software Vulnerabilities: percentages of apps that have "serious design flaws" in the indicated areas (chart; only one bar survives the extraction)

Session management   79%

(12)

Session Hijacking

• Web applications use sessions to store state
• Sessions are private to individual users
• Sessions can be compromised

Threat                                              Risk Factor
Eavesdropping on state server connection            Medium
Remote connection to state server database          Medium
Remote connection to state server service           Medium
Predictable session IDs                             Low*
Links to sites that use cookieless session state    Medium*
Theft and replay of session ID cookies              High*
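Two rows of the table, predictable session IDs and theft and replay of session ID cookies, come down to how the ID is generated and how the cookie that carries it is issued. The added example below (written for this page, not code from the deck or from any framework) is a minimal server-side session store: IDs are 256-bit values from the OS random source, the ID is rotated when the session's privilege changes, and the Set-Cookie value carries the Secure, HttpOnly and SameSite attributes. The `audit_cookie` helper is a defender's check that reports which of those attributes a given Set-Cookie value is missing. The cookie name and lifetime are assumptions.

```python
import secrets

# Hardening attributes a session cookie should carry (assumed policy for this example):
#   Secure    - never sent over plain HTTP, so it cannot be read off the wire
#   HttpOnly  - not exposed to page scripts, so script injection cannot read it
#   SameSite  - not attached to cross-site requests, which limits replay from other origins
REQUIRED_COOKIE_ATTRS = ("Secure", "HttpOnly", "SameSite")


class SessionStore:
    """Server-side store: the client holds only an opaque, unguessable ID."""

    ID_BYTES = 32  # 256 bits from the OS CSPRNG; not derivable from time or a counter

    def __init__(self):
        self._sessions = {}

    def create(self, user=None):
        sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[sid] = {"user": user}
        return sid

    def lookup(self, sid):
        return self._sessions.get(sid)

    def rotate(self, old_sid, user=None):
        # Called at login (or any privilege change): the pre-authentication ID is
        # retired, so an ID observed earlier is not valid for the authenticated session.
        data = self._sessions.pop(old_sid, None)
        if data is None:
            return None
        if user is not None:
            data["user"] = user
        new_sid = secrets.token_urlsafe(self.ID_BYTES)
        self._sessions[new_sid] = data
        return new_sid

    def destroy(self, sid):
        # Logout invalidates the ID server-side; deleting the cookie alone is not enough.
        self._sessions.pop(sid, None)


def set_cookie_value(sid, name="SESSIONID", max_age=1800):
    # Assumed cookie name and 30-minute lifetime; the attributes are the point.
    return f"{name}={sid}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Lax"


def audit_cookie(set_cookie_value):
    """Return the hardening attributes missing from a Set-Cookie header value."""
    attrs = [p.strip() for p in set_cookie_value.split(";")[1:]]
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return [a for a in REQUIRED_COOKIE_ATTRS if a.lower() not in present]


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create()
    print(set_cookie_value(sid))
    print("missing:", audit_cookie("SESSIONID=abc; Path=/"))
```

The asterisked rows in the table are the ones where the cookie attributes matter most: an eavesdropper on a plain-HTTP connection or a script running in the page gets nothing useful from a cookie it cannot read, and a replayed pre-login ID is rejected once the ID has been rotated.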

(13)

Identity Spoofing

• Security depends on authentication
• If authentication can be compromised, security goes out the window
• Authentication can be compromised

Threat                                          Risk Factor
Dictionary attacks and password guessing        High
Theft and replay of authentication cookies      Medium*
Theft of forms authentication credentials       High
Theft of Windows authentication credentials     High
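The highest-rated row in the table is dictionary attacks and password guessing. The added example below (written for this page, not the deck's or any framework's code) shows the two server-side controls that address it together: credentials are stored as salted PBKDF2 hashes rather than recoverable values, and a per-account failure counter locks the account for a period after repeated wrong guesses. The iteration count, failure threshold and lockout period are assumed policy values, and the clock is injectable so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example.
PBKDF2_ITERATIONS = 600_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900

# Fixed dummy record used when the username is unknown, so that an unknown
# user costs the same KDF work as a known one (no username oracle via timing).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_DIGEST = b"\x00" * 32


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


class Authenticator:
    def __init__(self, clock=time.monotonic):
        self._users = {}     # username -> (salt, digest)
        self._failures = {}  # username -> (consecutive failures, locked_until)
        self._clock = clock

    def register(self, username, password):
        self._users[username] = hash_password(password)

    def login(self, username, password):
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # refuse before doing any work while the lock holds

        record = self._users.get(username)
        salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST)
        _, actual = hash_password(password, salt)

        # Constant-time comparison, and the dummy record never authenticates.
        if record is not None and hmac.compare_digest(actual, expected):
            self._failures.pop(username, None)  # success resets the counter
            return "ok"

        count += 1
        if count >= MAX_FAILURES:
            self._failures[username] = (count, now + LOCKOUT_SECONDS)
            return "locked"
        self._failures[username] = (count, 0.0)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    print(auth.login("alice", "wrong guess"))
    print(auth.login("alice", "correct horse battery staple"))
```

The lockout is deliberately per account rather than per source address, because guessing is usually spread across many addresses; the counterpart risk, that an attacker can lock a victim out on purpose, is why the lock is temporary rather than permanent. Stored hashes only matter if the credential database is exposed, which is the "theft of credentials" rows further down the table: a salted, iterated hash turns a stolen table back into a guessing problem at PBKDF2 cost per guess.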

(14)

Information Disclosure 
