Web Application Security
Raymond Camden – [email protected]
What We Will Discuss…
– Identify and Protect Input Points
– Security Through Obscurity…
– Cross-site scripting
– Web Server Tips
– Resources
– Q & A
Input Points
Web communication is stateless: Page A passes information to Page B via
– URL parameters
– Form fields
– Cookies
Input Points – URL parameters
– Visible to the user
– Easy to change
Input Points – Form variables
– Like URL variables, form variables should be checked before being passed to SQL
– Don’t rely on JavaScript checking
– Hidden fields are harder to change, but not impossible
Input Points – Cookies
– Don’t store information in unencrypted form
– Treat them just like URL vars.
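The three input-point slides above share one rule: URL parameters, form fields (hidden ones included) and cookies all arrive from the browser and must be checked on the server before they reach SQL. The following Python is an added example, not code from the talk; it assumes a constructed product table in an in-memory SQLite database, constructed sample request pieces, and made-up field names (id, sort, username, hidden_price, session). It gathers every input point into one untrusted set, applies the same allowlist to each regardless of where it came from, and contrasts string-built SQL with a bound parameter.

```python
import re
import sqlite3
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample request pieces: what a browser would send to "Page B".
# Every one of these is under the visitor's control, the hidden field and
# the cookie included.
SAMPLE_QUERY_STRING = "id=42&sort=name"
SAMPLE_FORM_BODY = "id=7&hidden_price=0.01&username=alice"
SAMPLE_COOKIE_HEADER = "session=abc123; id=9"


def collect_inputs(query_string, form_body, cookie_header):
    """Gather every input point into one dict keyed by (source, name).
    URL parameters, form fields and cookies are all treated as untrusted."""
    inputs = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        inputs[("url", name)] = values[0]
    for name, values in parse_qs(form_body, keep_blank_values=True).items():
        inputs[("form", name)] = values[0]
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    for name, morsel in cookie.items():
        inputs[("cookie", name)] = morsel.value
    return inputs


# Allowlist patterns for the fields this (hypothetical) page expects.
VALIDATORS = {
    "id": re.compile(r"[0-9]{1,9}"),
    "sort": re.compile(r"name|price"),
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
}


def validate(name, raw):
    """Return the value if it fully matches its allowlist pattern, else None.
    Field names the page never asked for (hidden_price, session) are rejected."""
    pattern = VALIDATORS.get(name)
    if pattern is None or pattern.fullmatch(raw) is None:
        return None
    return raw


def validated_inputs(query_string, form_body, cookie_header):
    """Apply the same allowlist to every input point, whatever its source."""
    clean = {}
    for (source, name), raw in collect_inputs(query_string, form_body, cookie_header).items():
        checked = validate(name, raw)
        if checked is not None:
            clean[(source, name)] = checked
    return clean


def build_db():
    """Constructed sample table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(42, "widget", 9.99), (7, "gadget", 19.99), (9, "gizmo", 4.50)])
    return conn


def unsafe_lookup(conn, raw_id):
    """The pattern the slides warn against: the raw variable is glued into SQL,
    so a value containing quote characters rewrites the WHERE clause."""
    sql = "SELECT name FROM products WHERE id = '" + raw_id + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, raw_id):
    """Validate first, then bind the value as a parameter so it is only ever data."""
    checked = validate("id", raw_id)
    if checked is None:
        return []
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (int(checked),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = build_db()
    print(validated_inputs(SAMPLE_QUERY_STRING, SAMPLE_FORM_BODY, SAMPLE_COOKIE_HEADER))
    print(safe_lookup(conn, "42"), safe_lookup(conn, "' OR '1'='1"))
```

Note that `validated_inputs` silently drops `hidden_price` and `session` because the page never declared them; the hidden field's tamperable value therefore never reaches the database, which is the point of treating hidden fields and cookies "just like URL vars".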
Security Through Obscurity…
– Is not really security!
– If you are going to do it, do it right.
– Keep includes and custom tags out of the web root.
– Encrypt URL values, give them weird names.
Cross-site scripting
– Again, it’s the input!
– User input displayed on screen, and in context
– For more info, see: http://www.cert.org/advisories/CA-2000-02.html
Web Server Tips
– Turn off Directory Browsing!
– Beware IIS and +.htr and ::$DATA
– This URL patches +.htr: http://www.microsoft.com/technet/security/bulletin/ms00-031.asp
– Info on ::$DATA: http://www.allaire.com/handlers/index.cfm?ID=8729&Method=Full
Resources
– Allaire’s Security Zone: http://www.allaire.com/developer/SecurityZone/
– Security Best Practices: http://www.allaire.com/handlers/index.cfm?id=10956&method=full
Q & A
Contact Information: [email protected]