Web Communications and Security


Presentation Transcript


  1. FORESEC Academy Security Essentials (II) Web Communications and Security

  2. Agenda • Web communication • Web security protocols • Active content • Cracking web applications • Web application defenses

  3. Everything You Always Wanted to Know About Web Communications... • Servers and Clients • HTTP and HTML

  4. Everything You Always Wanted to Know About Web Communications (2) • Stateless Communications - each request is handled on its own; the server keeps no context between requests unless the application adds it • Retrieving Information - GET, HEAD • Sending Information - POST, PUT

  5. HTML Security • Reading HTML Source - everything delivered to the browser (comments, script paths, form fields) can be read by the user

  6. HTML Security (2) • Hidden Fields - sent back by the browser like any other parameter, so they can be edited before submission • Server Side Includes - directives such as <!--#exec --> run on the server, so they must never be allowed in user-supplied content
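Slides 4 to 6 in one piece of code: an HTTP request is parsed on its own (no state carried over), and a hidden form field that the HTML source exposed comes back as an ordinary client-controlled parameter. The example below is added to this transcript and is not from the original slides; the request, the item names and the catalog prices are constructed for illustration. It contrasts a checkout handler that trusts the hidden `price` field with one that looks the price up server-side.

```python
"""Hidden form fields are client-controlled: parse a raw HTTP POST and
compare a handler that trusts the hidden 'price' field with one that
looks the price up server-side.  Example code added to this transcript;
the request below is constructed, not captured from a real server."""
from urllib.parse import parse_qs

# Constructed request.  The checkout page carried
#   <input type="hidden" name="price" value="49.99">
# and the attacker, having read the HTML source, re-submits it with 0.01.
TAMPERED_REQUEST = (
    b"POST /checkout HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"item=widget&qty=2&price=0.01"
)

# Server-side catalog (constructed), prices in cents.
CATALOG = {"widget": 4999, "gadget": 1299}


def parse_request(raw: bytes):
    """Split one HTTP/1.1 request into (method, path, headers, body).
    Each request is parsed in isolation: HTTP itself carries no state
    from one request to the next."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    return method, path, headers, body[:length]


def form_fields(body: bytes) -> dict:
    """Decode an application/x-www-form-urlencoded body (first value wins)."""
    return {k: v[0] for k, v in parse_qs(body.decode(), keep_blank_values=True).items()}


def total_trusting_hidden_field(fields: dict) -> int:
    """Vulnerable: the 'price' field was a hidden input, but it still
    arrived from the client and is used as-is."""
    return round(float(fields["price"]) * int(fields["qty"]) * 100)


def total_from_catalog(fields: dict) -> int:
    """Hardened: only the item id and quantity are taken from the client,
    both are validated, and the price comes from the server's own catalog.
    Whatever 'price' the form carried is ignored."""
    item = fields.get("item")
    if item not in CATALOG:
        raise ValueError("unknown item")
    qty = int(fields.get("qty", "0"))
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return CATALOG[item] * qty


def demo():
    """Run both handlers over the constructed request."""
    method, path, _headers, body = parse_request(TAMPERED_REQUEST)
    fields = form_fields(body)
    return method, path, fields, total_trusting_hidden_field(fields), total_from_catalog(fields)


if __name__ == "__main__":
    method, path, fields, naive, hardened = demo()
    print(method, path, fields)
    print("trusting hidden field:", naive, "cents")   # 2
    print("server-side catalog:  ", hardened, "cents")  # 9998
```

The defensive rule is the one the slides are building toward: a hidden field is a convenience for the page author, not a secret from the user, so anything security- or money-relevant must be recomputed or re-validated on the server.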

  7. Common Gateway Interface (CGI) • Allows web pages to do something instead of just returning static pages • Extends the capabilities of a web server • Creates many exposures on the server - Leaking information - Performing unauthorized transactions - Executing unintended programs

  8. Common Gateway Interface (CGI) (2) • Common Mistakes - Misuse of command interpreters (building a shell command line out of request data) - Bad memory management (buffer overflows in CGI programs written in C) - Passing unchecked parameters to system() and similar calls
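The first and third mistakes on slide 8 are the same bug seen from two sides: request data reaches a command interpreter. The example below is added to this transcript, not taken from the slides; the greeting command (`echo`) stands in for whatever the CGI script would really run, and the allowlist pattern is an assumption about what a valid parameter looks like for this hypothetical script. It shows the injectable version beside one that validates the parameter and runs the program with an argument vector, so no shell ever parses the input.

```python
"""CGI 'common mistakes' side by side: a lookup that builds a shell
command from a query parameter, and the same lookup with the parameter
validated and passed as an argv list (no command interpreter).
Example code added to this transcript, not from the original slides;
'echo' stands in for whatever the CGI script would run."""
import re
import subprocess

# Assumed allowlist for the parameter: short, alphanumeric, no metacharacters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def greet_unsafe(name: str) -> str:
    """Vulnerable: untrusted input is interpolated into a shell command,
    so metacharacters such as ';', '|', '$(' and '`' run extra programs."""
    cmd = "echo Hello " + name
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def greet_safe(name: str) -> str:
    """Hardened: reject anything outside the allowlist, then run the program
    directly with an argument vector.  Even if validation were skipped, the
    argv form passes the whole string as one argument to 'echo' instead of
    handing it to /bin/sh."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("rejected parameter: %r" % name)
    result = subprocess.run(["echo", "Hello", name], capture_output=True, text=True)
    return result.stdout


def demo():
    """Feed the same injection payload to both versions."""
    payload = "alice; echo INJECTED"
    unsafe_out = greet_unsafe(payload)
    try:
        safe_out = greet_safe(payload)
    except ValueError as exc:
        safe_out = str(exc)
    return unsafe_out, safe_out


if __name__ == "__main__":
    unsafe_out, safe_out = demo()
    print("shell=True output:\n" + unsafe_out)   # second line reads INJECTED
    print("hardened handler:", safe_out)
```

On a real CGI host the injected command would not be `echo INJECTED` but a reverse shell or a read of files the web server user can see; the fix is the same in Perl, C or shell-based CGI as it is here: validate, and never let request data reach `system()`, backticks or `sh -c`.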

  9. Cookies • HTTP is “stateless” - no context information between requests • Cookies provide “state” and context • Can only hold information given to the browser by the server • Are only sent back to the originating server or domain • Beware of cross-site sharing through third-party cookies (e.g., DoubleClick) • Can block cookies if desired

  10. What About Non-Persistent Cookies? • Non-persistent cookies = per-session cookies • Non-persistent cookies are not written to the browser file system - So they can't be edited and are therefore safe from session ID attacks. Right? - Wrongo!!! • Several possible methods - 1) Raw read/write from/to the client-side memory - 2) Adapt the Mozilla browser source to edit cookies - 3) Write a JavaScript app that lets you view the page and edit it - 4) Write a proxy that allows editing of the entire session passed back and forth from the browser (Achilles)
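Slides 9 and 10 together: a cookie, persistent or not, is data the client holds and can rewrite with a proxy such as the Achilles example. The server therefore cannot trust a session identifier merely because it issued it; it must be able to recognise its own values. The example below is added to this transcript and is not from the original slides. It issues a per-session cookie whose user id is bound to an HMAC under a server-side key and rejects an edited id; the key and user ids are constructed.

```python
"""Session cookies are client-held data: whether persistent or per-session,
the browser (or a proxy in front of it) can rewrite them.  Issue a
session cookie whose value is bound to an HMAC so an edited identifier
is rejected.  Added example; the key and user ids are constructed."""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed key; in deployment this comes from server configuration.
SERVER_KEY = b"replace-with-a-random-secret-from-the-server-config"


def sign(payload: str) -> str:
    """HMAC-SHA256 over the payload, hex encoded."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(user_id: int) -> str:
    """Build the Set-Cookie header for a per-session (non-persistent) cookie:
    no Expires/Max-Age, HttpOnly so page scripts cannot read it, Secure so it
    only travels over TLS.  The value is '<user_id>.<hmac>'."""
    payload = str(user_id)
    cookie = SimpleCookie()
    cookie["session"] = payload + "." + sign(payload)
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


def user_from_cookie_header(cookie_header: str):
    """Parse the Cookie request header; return the user id only if the
    signature verifies (constant-time compare), otherwise None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    if "session" not in cookie:
        return None
    payload, _, sig = cookie["session"].value.rpartition(".")
    if not payload or not hmac.compare_digest(sig, sign(payload)):
        return None
    return int(payload)


def demo():
    """Genuine cookie is accepted; the same cookie with the id edited
    in a proxy is rejected because the attacker cannot recompute the HMAC."""
    header = issue_session_cookie(42)
    value = header.split("session=", 1)[1].split(";", 1)[0]
    genuine = user_from_cookie_header("session=" + value)
    _payload, _, sig = value.rpartition(".")
    forged = user_from_cookie_header("session=1." + sig)
    return genuine, forged


if __name__ == "__main__":
    print(issue_session_cookie(42))
    print(demo())   # (42, None)
```

Two caveats a practitioner would add: a signed value is still readable, so nothing secret belongs in the payload (only an identifier or an opaque random session id looked up server-side), and the signature does not stop a cookie that was stolen in transit from being replayed, which is what the Secure flag and the SSL/TLS slide that follows address.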

  11. SSL • Protocol for encrypting network traffic (its successor is TLS) • Sits above TCP, between the transport and application layers • HTTPS uses TCP port 443 • How it works - Client connects to the server and starts the handshake - Server presents its certificate - Client and server negotiate the session keys - Encrypted session begins • Not a guarantee of security - protects data in transit only; the endpoints and the certificate check can still fail
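The "not a guarantee of security" point on slide 11 is most often realised by the client side: a program that turns off certificate verification completes the handshake with any server, including an interceptor, and the traffic is encrypted but not to whom the user thinks. The example below is added to this transcript and is not from the original slides; it builds the weak and the corrected client contexts side by side and, for reference, the connect call that performs the handshake the slide describes (the hostname passed to it is whatever the caller supplies).

```python
"""Weak and hardened TLS client configurations side by side, plus the
connect call that runs the handshake.  Added example, not from the
original slides."""
import socket
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What 'just make the certificate error go away' snippets do: accept
    any certificate and skip the hostname check.  Note the order: the
    hostname check must be disabled before verify_mode can be CERT_NONE."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Require a chain to the platform trust store, check the certificate's
    name against the host, and refuse SSL 3.0 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether the peer is authenticated."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def tls_connect(host: str, port: int = 443, ctx: ssl.SSLContext = None):
    """The handshake as the slide outlines it: TCP connect, then the TLS
    handshake in which the server presents its certificate and both sides
    derive session keys.  Returns the negotiated version and peer subject.
    Needs network access, so it is not exercised in the offline checks."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


if __name__ == "__main__":
    print("weak:    ", describe(weak_client_context()))
    print("hardened:", describe(hardened_client_context()))
```

With the weak context `getpeercert()` returns an empty dict because nothing was verified; any proxy holding a self-signed certificate can sit in the middle. The hardened context is what `ssl.create_default_context()` already gives, plus a floor on the protocol version, which is the setting to check first when reviewing client code that "uses SSL".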

  12. Secure Electronic Transactions (SET) • Developed by Visa, MasterCard, Microsoft, Netscape • Specific-purpose protocol • Secures credit and debit card transactions

  13. Secure Electronic Transactions (SET) (2) • Services provided - Authentication - Confidentiality - Message Integrity - Linkage (a dual signature ties the order information seen by the merchant to the payment information seen by the bank)

  14. Active Content • Programs delivered over the network and executed on the client • Java applets / ActiveX controls

  15. Java and JavaScript • Java - compiled bytecode executed by the Java virtual machine • JavaScript - script source embedded in HTML and interpreted by the browser • Java Security Model - Execution in a controlled environment (the “sandbox”) - Local applications have more access than code loaded from the network (applets) - Byte Code Verifier, Class Loader and Security Manager enforce the policy
