Server-side Verification of Client Behavior Presented by: Sanjeev Kumar Verma SANS – GCIH Paladion October 2010
Topics for discussion… • Introduction • Why server-side verification? • Does your application perform proper server-side verification? • Implementing server-side verification • Don’t we need client-side verification then? • Case study • Conclusion
Introduction • What do we mean by the terms “Client” & “Behavior”? • “Client” refers to the user interface of an application and can be categorized as: • Thin clients (e.g., a browser rendering server-generated pages) • Thick clients (a program installed on the user's machine that talks to the server) • “Behavior” refers to the client state implied by each client-to-server message (request/response)
Why server-side verification? • Client-side verification is never enough: the client runs on a machine the user controls, so any check performed there can be bypassed by editing the request before it reaches the server • Most of the popular attacks result from weak or missing server-side verification of the parameters in the client request. Some of the popular attacks are: • SQL Injection • Cross-Site Scripting • Command Injection • Parameter Manipulation • HTTP Response Splitting • Many more
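The following is an added example, not part of the original presentation, showing the first attack in the list above. It assumes a constructed in-memory SQLite table of members and a hypothetical lookup endpoint whose only check is a JavaScript form validator; the hardened version repeats the check on the server with a whitelist and a parameterized query.

```python
import re
import sqlite3

# Constructed sample data for the example (not from the original page).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, plan TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO members (username, plan, email) VALUES (?, ?, ?)",
        [
            ("alice", "gold", "alice@example.org"),
            ("bob", "silver", "bob@example.org"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Trusts the client: the browser-side validator is the only check, so a
    crafted request body reaches this string concatenation unchanged."""
    sql = f"SELECT username, plan, email FROM members WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


# Server-side whitelist for the username parameter (assumed policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def lookup_hardened(conn, username):
    """Verifies the parameter on the server (whitelist) and keeps data out of
    the SQL grammar with a bound parameter; either measure alone would stop
    this injection, using both is defence in depth."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by server-side whitelist")
    return conn.execute(
        "SELECT username, plan, email FROM members WHERE username = ?", (username,)
    ).fetchall()


def demo():
    """Runs the same tampered value through both handlers and reports what
    each one returned (row count) or whether it rejected the request."""
    conn = make_db()
    tampered = "bob' OR '1'='1"  # what an attacker sends after bypassing the form
    vulnerable_rows = len(lookup_vulnerable(conn, tampered))
    try:
        lookup_hardened(conn, tampered)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "vulnerable_rows": vulnerable_rows,
        "hardened_rejected": hardened_rejected,
        "honest_rows": len(lookup_hardened(conn, "bob")),
    }


if __name__ == "__main__":
    print(demo())
```

With the tampered value the vulnerable handler's WHERE clause becomes `username = 'bob' OR '1'='1'`, which is true for every row and leaks the whole table; the hardened handler never builds that query.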
Does your application perform proper server-side verification? • How to check? • Automated tools (partial coverage only), e.g., Burp Suite • Manual static application security assessment (code review) • Manual dynamic application security assessment (testing the running application)
Implementing server-side verification • Use whitelists for verification: accept only known-good values, formats and ranges, rather than trying to blacklist bad input • Link the user to the session ID and ensure that the parameters in the request belong to the logged-in user • Use a checksum over values that must round-trip through the client, keyed with a server-side secret so the client cannot recompute it after tampering • Use encryption
Don't we need client-side verification then? • Not for security: once proper server-side verification is in place, client-side checks add no protection • Why keep client-side verification? • Reduces the load on the server (malformed requests are caught before they are sent) • Simple • Fast • Makes an application more interactive
Case study: • Parameter manipulation attack on an online membership application portal • Attack: manipulating the membership fee parameter while making the payment, so that the server charges the attacker-supplied amount instead of the fee for the chosen membership
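The following is an added example, not code from the original presentation or the portal it describes, that applies the four measures from "Implementing server-side verification" to the case study above. It assumes a constructed fee table, a constructed session and order store, and a hypothetical server secret; the vulnerable handler charges whatever amount the form posts, the hardened one recomputes the fee from the server's own record of the order, checks that the order belongs to the session user, and adds a keyed checksum for values that must travel through the client.

```python
import hashlib
import hmac
import json

# Constructed data for the example (not from the original page).
FEES = {"basic": 50, "silver": 100, "gold": 250}      # whitelist: plan -> fee
SESSIONS = {"sess-1": "alice", "sess-2": "bob"}       # session id -> logged-in user
ORDERS = {"ORD-1": {"member": "alice", "plan": "gold"}}  # server-side order record
SERVER_SECRET = b"assumed-server-secret-kept-off-the-client"  # assumption


def charge_vulnerable(request):
    """Charges the amount posted by the form. The attacker edits the hidden
    'amount' field from 250 to 1 and pays 1 for a gold membership."""
    return {"user": request["user"], "plan": request["plan"],
            "charged": int(request["amount"])}


def charge_hardened(request, session_id):
    """Every security-relevant value is taken from server-side state; the
    client's copy is only cross-checked and never used as the source of truth."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("no valid session")
    order = ORDERS.get(request["order_id"])
    # Session binding: the order must belong to the logged-in user.
    if order is None or order["member"] != user:
        raise PermissionError("order does not belong to session user")
    plan = order["plan"]                 # server record, not the client's field
    if plan not in FEES:                 # whitelist of known plans
        raise ValueError("unknown membership plan")
    amount = FEES[plan]                  # fee recomputed on the server
    if int(request["amount"]) != amount:
        raise ValueError("client-supplied amount does not match fee")
    return {"user": user, "plan": plan, "charged": amount}


def sign_fields(fields):
    """Keyed checksum (HMAC-SHA256) for values that must round-trip through the
    client, e.g. a stateless server that cannot keep ORDERS. Canonical JSON so
    the same fields always produce the same MAC."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_fields(fields, mac):
    """Constant-time comparison; a client that changed any field, or that tried
    to recompute the checksum without the secret, fails here."""
    return hmac.compare_digest(sign_fields(fields), mac)


def demo():
    tampered = {"user": "alice", "plan": "gold", "order_id": "ORD-1", "amount": "1"}
    honest = dict(tampered, amount="250")
    try:
        charge_hardened(tampered, "sess-1")
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    signed = {"order_id": "ORD-1", "plan": "gold", "amount": 250}
    mac = sign_fields(signed)
    return {
        "vulnerable_charged": charge_vulnerable(tampered)["charged"],
        "hardened_rejected": hardened_rejected,
        "hardened_charged": charge_hardened(honest, "sess-1")["charged"],
        "mac_valid": verify_fields(signed, mac),
        "mac_after_tamper": verify_fields(dict(signed, amount=1), mac),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the plan and amount in the request are not trusted even when they happen to be correct: the hardened handler treats them as a consistency check on the server's own record, which is what makes the fee manipulation impossible rather than merely detected.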
Conclusion • Client-side verification is not sufficient • Proper server-side verification is a must • With proper server-side verification, most of the popular attacks can be avoided • Incorporate security assessment (including checks for server-side verification) into the SDLC stages • Finding these issues early reduces development and testing costs
Questions? Thank you.
Good reads • Securing Web Based Payment Systems, http://palisade.plynt.com/issues/2007Mar/secure-web-payment • Thick Client Application Security - Defenses, http://palisade.plynt.com/issues/2006May/thick-client-defenses • Best Practices in Input Validation, http://palisade.plynt.com/issues/2004Dec/input-validation • Catch'em Young - How to discover vulnerabilities early, http://palisade.plynt.com/issues/2004Nov/software-bugs