Web Application SecurityPrabhu Shiv Singh

Alphabets - APSTNDP

Coming for ya !...vulnerabilities and attacks

• Denial of Service (DoS) attacks - All network servers can be subject to denial of service attacks that attempt to prevent responses to clients by tying up the resources of the server. It is not possible to prevent such attacks entirely, but you can do certain things to mitigate the problems that they create.

• SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

Heartbleed….not heartache !

• Heartbleed is a security bug in the open-source OpenSSL cryptography library, widely used to implement the Internet's Transport Layer Security (TLS) protocol.

• Check here: http://filippo.io/Heartbleed

• To make sure if the problem actually exists: Run cmd

$ openssl version -a

• "Ensure your version is NOT 1.0.1f, 1.0.1e, 1.0.1d, 1.0.1c, 1.0.1b, 1.0.1a, 1.0.1, 1.0.2-beta1"

• 2. Not sure what version of OS you are on, and whether patch exists, but you can build openssl: https://www.openssl.org/source/openssl-1.0.1g.tar.gz

CAPTCHA my comments…else…

(an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-response test used in computing to determine whether or not the user is human.

Gotcha…now what ?Top Reasons for web-application level attacks:

• Low Quality application code – not following security standards

• File Permissions incorrectly set – securest – 655• DB Admin, Cpanel, FTP passwords are weak

Regular DB – Files backup policy should be in place from the start

• http://httpd.apache.org/docs/2.4/misc/security_tips.html - var/log/apache2/error.log

Google can detect and inform you of malicious scripts in a website – Google Attack Page

• Hacked Account: What to Look For:• http://support.hostgator.com/articles/pre-sales-

policies/security-abuse/what-security-measures-are-used-to-protect-my-server

• Things to look for include:

• Strangely named files or directories (i.e: xf8c3l.php or /home/username/public_html/wellsfargo)

• PHP files located in image folders• Base64 or other encrypted injections inside of

site files which can be removed using file editors.

Lets Play….and Learn - OWASP

• The Open Web Application Security Project (OWASP) is an open-source web application security project. The OWASP community includes corporations, educational organizations, and individuals from around the world. This community works to create freely-available articles, methodologies, documentation, tools, and technologies.

• OWASP is also an emerging standards body, with the publication of its first standard in December 2008, the OWASP Application Security Verification Standard (ASVS).[1] The primary aim of the OWASP ASVS Project is to normalize the range of coverage and level of rigor available in the market when it comes to performing application-level security verification. The goal is to create a set of commercially workable open standards that are tailored to specific web-based technologies. A Web Application Edition has been published. A Web Service Edition is under development.

Thank You for your time – prabhu9484@gmail.com

Sources – Wikipedia.org, Apache.org, Support.hostgator.com, OWASP.org