Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin, Senior Security Researcher
CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
~ whoami
Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
Jobs
– I-SECURE Co., Ltd.
– Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles: http://packetstormsecurity.com/files/author/9011/ (and please google my name)
– Many Thai articles (please google my Thai name)
– Book: "Hacking & Security Book: Network Security" (Thai subtitle: หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ, "a guide to becoming a penetration tester and defender")
Hobbies: penetration testing, hacking, reading about information security, playing games, traveling around the world, writing articles, teaching, and more
Agenda
– Web Architecture
– Web Architecture Attack
– Security Controls & Mechanisms
Web Architecture
Basic Web Architecture: Two-Tier Architecture
– The web browser displays the content returned by the web server
– The web server provides resources to the client
HTML (HyperText Markup Language)
– Document layout language
– Viewed using a web browser
URI (Uniform Resource Identifier)
– URL (Uniform Resource Locator): identifies a resource by its location, e.g. http://www.example.com/index.php
– URN (Uniform Resource Name): identifies a resource by name, independent of where it is stored, e.g. urn:isbn:0451450523
HTTP (HyperText Transfer Protocol)
– HTTP is an application-layer protocol
– HTTP communication is two-way: an HTTP request from the client and an HTTP response from the server
HTTP (2): Request Message
– Request line (method, request target, HTTP version)
– Request headers
– An empty line
– An optional message body
Request Methods
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT
Safe Methods (defined as read-only: handling them must not change server state)
– HEAD
– GET
– OPTIONS
– TRACE
Unsafe Methods (may change server state)
– POST
– PUT
– DELETE
– CONNECT
Note: "safe" describes the method's intended semantics, not its risk. TRACE echoes the request back to the client and should be disabled on production servers, and a GET handler that performs an action can still be abused, for example through CSRF.
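To make the request-message structure and the safe/unsafe split concrete, here is an added Python example (not code from the slides): a small parser that splits a raw HTTP/1.1 request into request line, headers, empty line and body, checks Content-Length against the actual body, and classifies the method. The sample requests are constructed for the demo; chunked transfer encoding is out of scope.

```python
"""Parse a raw HTTP/1.1 request into its four parts and classify the method.

Added example for this deck, not code from the original slides. The sample
requests below are constructed for illustration.
"""
from typing import Dict, NamedTuple, Optional

# RFC 7231 defines these methods as "safe": handling them must not change
# server state. Every other method is treated as unsafe.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})


class HttpRequest(NamedTuple):
    method: str
    target: str
    version: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def is_safe_method(method: str) -> bool:
    return method.upper() in SAFE_METHODS


def parse_request(raw: bytes) -> HttpRequest:
    """Split request line / headers / empty line / optional body.

    Malformed input raises ValueError rather than being guessed at; lenient
    parsing is how two components end up disagreeing about one request.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("missing the empty line that ends the header block")
    lines = head.split(b"\r\n")

    # Request line: METHOD SP request-target SP HTTP-version
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {lines[0]!r}")
    method, target, version = parts

    # Header lines: field-name ":" value. Whitespace before the colon is
    # forbidden by RFC 7230 and is rejected here, not trimmed.
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"bad header line: {line!r}")
        headers[name.lower()] = value.strip()

    # Body length is governed by Content-Length; a mismatch is an error,
    # not something to silently truncate or pad. (Chunked encoding not handled.)
    if "content-length" in headers:
        declared = int(headers["content-length"])
        if declared != len(body):
            raise ValueError(f"Content-Length says {declared}, body has {len(body)} bytes")
    elif body:
        raise ValueError("message body present without Content-Length")
    return HttpRequest(method, target, version, headers, body)


def request_error(raw: bytes) -> Optional[str]:
    """Return None for a well-formed request, else the reason it was rejected."""
    try:
        parse_request(raw)
    except ValueError as exc:  # UnicodeDecodeError is a ValueError too
        return str(exc)
    return None


# Constructed sample: a login POST with a 27-byte form body.
SAMPLE_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)

if __name__ == "__main__":
    req = parse_request(SAMPLE_POST)
    print(req.method, req.target, "safe" if is_safe_method(req.method) else "unsafe")
    print(request_error(b"POST / HTTP/1.1\r\nContent-Length: 5\r\n\r\nabc"))
```

The strictness is deliberate: a web server, a reverse proxy and a WAF that each "helpfully" repair a slightly malformed request can end up seeing different messages, so rejecting ambiguity at the parser is the cheaper control.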
Status Codes
– 2xx Success
– 3xx Redirection
– 4xx Client-side error
– 5xx Server-side error
HTTP Session State
HTTP is a stateless protocol: each request is handled independently, so the application has to carry state itself.
Solutions
– Cookies
– Server-side sessions (a session ID held by the client maps to state kept on the server)
– Hidden form fields
– URL parameter (e.g. index.php?session_id=$session_code); the weakest option, because the session ID ends up in browser history, proxy and server logs, and Referer headers
Web Architecture Extension
Two-tier architecture is not enough for dynamic applications.
Common Gateway Interface (CGI)
– Standard protocol for a web server to hand requests to external application software
– CGI programs are executables that run on the web server for each request; request data reaches them through environment variables and standard input
JavaScript
– Scripting language designed for dynamic, interactive web applications
– Runs on the client side, in the browser
– Pre-processes data on the client before it is submitted to the server; because the client is under the user's control, this never replaces server-side validation
– Changes page content and styles dynamically
Three-Tier Web Architecture
Presentation tier (browser), application tier (web and application server), data tier (database).
Making HTTP Stateful (2): Cookies
– A small piece of text stored on the client's computer by the web browser
– Set by the server in the Set-Cookie response header and returned by the browser in the Cookie request header
– Used for authentication and session tracking, so the cookie value is the session credential and must be protected (unguessable value, HttpOnly, Secure, limited lifetime)
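The session-state and cookie slides above describe the same problem from two sides: where the session ID lives and how it travels. The following added Python example (not code from the deck) generates an unguessable session ID, builds a Set-Cookie header with the protective attributes, parses the Cookie header the browser returns, and then scans constructed access-log lines to show why the URL-parameter variant leaks. The cookie name, the parameter names scanned for and the log lines are assumptions made for the demo.

```python
"""Session tracking: cookies versus a session ID carried in the URL.

Added example for the session-state and cookie slides above; it is not code
from the deck. The cookie name, the session parameter names scanned for, and
the access-log lines are constructed for illustration.
"""
import re
import secrets
from typing import Dict, List


def new_session_id(nbytes: int = 32) -> str:
    """Unguessable session ID from the OS CSPRNG (256 bits by default).
    Sequential, time-based or user-derived IDs can be predicted and hijacked."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(name: str, value: str, *, max_age: int = 1800,
                      secure: bool = True, http_only: bool = True,
                      same_site: str = "Lax") -> str:
    """Build the Set-Cookie response header that starts a session.

    Secure   : cookie is only sent over HTTPS
    HttpOnly : cookie is invisible to JavaScript (limits XSS impact)
    SameSite : cookie is withheld from most cross-site requests (limits CSRF)
    Max-Age  : idle session lifetime in seconds
    """
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None is only accepted together with Secure")
    parts = [f"{name}={value}", f"Max-Age={max_age}", "Path=/", f"SameSite={same_site}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(parts)


def parse_cookie_header(value: str) -> Dict[str, str]:
    """Parse the Cookie request header the browser sends back on every request."""
    cookies: Dict[str, str] = {}
    for pair in value.split(";"):
        name, eq, val = pair.strip().partition("=")
        if eq and name:
            cookies[name] = val
    return cookies


# Why index.php?session_id=... is the weak option: the query string is
# recorded in server and proxy access logs and in browser history, and can
# travel to other sites in the Referer header. A cookie-borne session ID
# never appears in the request line, so it is absent from these log lines.
SESSION_PARAM_RE = re.compile(
    r"[?&](?:session_id|PHPSESSID|jsessionid)=([^&\s\"]+)", re.IGNORECASE)


def session_ids_in_log(log_lines: List[str]) -> List[str]:
    """Return every session ID that leaked into an access-log request line."""
    found: List[str] = []
    for line in log_lines:
        match = SESSION_PARAM_RE.search(line)
        if match:
            found.append(match.group(1))
    return found


# Constructed Apache combined-format log lines for the demo.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0700] "GET /index.php?session_id=9f2b7c1e HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2013:13:55:40 +0700] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2013:13:56:02 +0700] "POST /cart.php?item=42&session_id=a81d03ff HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(set_cookie_header("SESSIONID", new_session_id()))
    print("leaked via URL:", session_ids_in_log(SAMPLE_LOG))
```

Running the scanner over your own access logs is a quick way to find applications that still fall back to URL-carried session IDs, which is also a useful check before trusting anyone else with those logs.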
Server-Side and Client-Side Processing
Server-side processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python (Django)
– Ruby on Rails
Client-side processing
– CSS
– HTML
– JavaScript
– Adobe Flash
– Microsoft Silverlight
AJAX (Asynchronous JavaScript and XML)
– Term coined by Jesse James Garrett on February 18, 2005
– Ajax incorporates XHTML and CSS, the Document Object Model (DOM), XML and XSLT, XMLHttpRequest, and JavaScript
– Requests issued through XMLHttpRequest are ordinary HTTP requests, so the server must apply the same authentication, authorization and input validation as it does to form submissions
JSON (JavaScript Object Notation)
– JSON is a lightweight data-interchange format
– JSON is based on a subset of the JavaScript programming language (object and array literals)
– Commonly used in place of XML for AJAX requests and responses; parse it with a JSON parser, never with eval()
XML (eXtensible Markup Language)
– Used for information exchange
– The two primary building blocks of XML are elements and attributes
– Elements are tags and have values
– Elements are structured as a tree
– An element may carry both attributes and data (text or child elements)
– Attributes add meaning and describe an element more precisely
XML (2): tag, element, content (diagram)
XML vs JSON (comparison)
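The XML slides describe elements, attributes and the tree, and the "XML vs JSON" slide compares the two formats. This added Python example (not code from the deck) walks an XML document into a JSON-ready dict so the same record can be seen in both shapes, and refuses any document that carries a DOCTYPE, a defensive check added here because entity declarations are the entry point for entity-expansion and XXE attacks. The sample order document and the "@attr" / "#text" key convention are assumptions for the demo.

```python
"""Walk an XML document's elements, attributes and text into a JSON-ready
dict, so the same record can be compared in both formats.

Added example for the XML and "XML vs JSON" slides; not code from the deck.
The sample document and the "@attr"/"#text" key convention are constructed
for illustration.
"""
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict


def xml_to_dict(xml_text: str) -> Dict[str, Any]:
    """Convert XML text to a nested dict.

    Attributes become "@name" keys, element text becomes "#text", repeated
    child elements become a list. A DOCTYPE is refused before parsing: a
    data-exchange document has no need for entity declarations, and they
    are what entity-expansion and XXE attacks rely on (added check).
    """
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DOCTYPE not allowed in data documents")
    root = ET.fromstring(xml_text)
    return {root.tag: _element_to_obj(root)}


def _element_to_obj(elem: ET.Element) -> Any:
    obj: Dict[str, Any] = {f"@{k}": v for k, v in elem.attrib.items()}
    for child in elem:
        value = _element_to_obj(child)
        if child.tag in obj:  # repeated element -> list
            if not isinstance(obj[child.tag], list):
                obj[child.tag] = [obj[child.tag]]
            obj[child.tag].append(value)
        else:
            obj[child.tag] = value
    text = (elem.text or "").strip()
    if text:
        if obj:
            obj["#text"] = text
        else:
            return text  # leaf element with no attributes: just its value
    return obj


def xml_to_json(xml_text: str) -> str:
    """Same record, JSON-encoded: no tags, no attributes, no DTD to worry about."""
    return json.dumps(xml_to_dict(xml_text), indent=2)


# Constructed sample document: one order with attributes and repeated items.
SAMPLE_XML = """<?xml version="1.0"?>
<order id="1001" currency="THB">
  <customer>Alice</customer>
  <item sku="A-1">Keyboard</item>
  <item sku="B-2">Mouse</item>
</order>"""

if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```

The DOCTYPE check is a policy decision, not a parser feature: the standard-library parser will happily accept a DTD, so the application has to decide up front that it never expects one.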
Web Services
– A web service is a software system designed to support machine-to-machine interaction over a network
– Web services are frequently used simply as Internet Application Programming Interfaces (APIs)
– Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
– SOAP (Simple Object Access Protocol): web service messaging based on XML envelopes
– REST (Representational State Transfer): web service that represents resources in the application's own format (commonly JSON or XML) using plain HTTP methods and URLs
SOAP Example and REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
Web Architecture Attack
Web Architecture (diagram)
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack (diagram, same reference)
OWASP Top 10 (2013)
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
Security Controls & Mechanisms
Security controls are applied at two layers: the application layer and the network layer.
Application layer
– Input validation (accept only what each field is allowed to contain, on the server)
– Session management
– Authentication method
– Strong policies (such as a password policy)
– Same-Origin Policy (enforced by the browser: scripts from one origin cannot read responses from another origin)
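Two of the application-layer controls listed above, as an added Python example (not code from the deck): allow-list input validation for a username and a numeric record ID, and the same-origin comparison a browser performs, which treats two URLs as the same origin only when scheme, host and port all match. The field names, length and range limits and the sample inputs are assumptions made for the demo.

```python
"""Two application-layer controls from the slide above: allow-list input
validation and the same-origin rule that browsers enforce.

Added example, not code from the deck; the field names, limits and sample
inputs are constructed for illustration.
"""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# --- Input validation: accept only what the field is allowed to contain ---
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def validate_username(value: str) -> Optional[str]:
    """Return the username if it matches the allow-list, else None.

    Rejecting everything else (quotes, angle brackets, semicolons, ...) at
    the boundary stops most injection and XSS payloads before they reach a
    query or a page. Output encoding is still required downstream.
    """
    return value if USERNAME_RE.fullmatch(value) else None


def validate_record_id(value: str, upper: int = 10**9) -> Optional[int]:
    """Numeric IDs: ASCII digits only and a bounded range; no sign, no spaces."""
    if not (value.isascii() and value.isdigit()):
        return None
    n = int(value)
    return n if 1 <= n <= upper else None


# --- Same-Origin Policy: origin = (scheme, host, port) ---
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Origin tuple of a URL; an omitted port takes the scheme's default."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS or not u.hostname:
        raise ValueError(f"unsupported or incomplete URL: {url!r}")
    return (u.scheme, u.hostname.lower(), u.port or DEFAULT_PORTS[u.scheme])


def is_same_origin(url_a: str, url_b: str) -> bool:
    """True when script loaded from url_a may read a response from url_b.

    Path, query and fragment never matter; scheme, host and port all must
    match, so http vs https and a different subdomain or port are foreign.
    """
    return origin(url_a) == origin(url_b)


if __name__ == "__main__":
    for candidate in ["alice_01", "alice' OR 1=1--", "<script>"]:
        print(repr(candidate), "->", validate_username(candidate))
    print(is_same_origin("http://www.example.com/a", "http://www.example.com:80/b?x=1"))
    print(is_same_origin("http://www.example.com/", "http://api.example.com/"))
```

The same-origin check is what the browser does on the client's behalf; the input validators are what the server must do because nothing on the client can be trusted.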
Network layer
– Firewall
– Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
– Web Application Firewall (WAF): inspects HTTP traffic for application-layer attacks such as injection and XSS that a network firewall cannot see; a compensating control, not a replacement for fixing the application
– Centralized log server: collects logs from the web, application and database tiers so an attack can be traced across them
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
Questions? www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.
~ whoami Name Sumedt Jitpukdebodin(สเมธ จตภกดบดนทร)
My blog httpwwwr00tseccom httptwittercommateraj httpswwwfacebookcomhackandsecbook
Jobs
ndash I-SECURE Co Ltd
ndash Research And Develop Engineer Senior Web Application Security Specialist Senior Security Researcher
ndash Writer
ndash English article httppacketstormsecuritycomfilesauthor9011 and please google my name
ndash Many Thai article please google my Thai name
ndash หนงสอ ldquoHacking amp Security Book Network Security หนงสอฉบบกาวสนกทดสอบและปองกนการเจาะระบบrdquo
Hobby Penetration Testing Hacking Reading Info Security Play Games Traveling around the world Write
Article Teaching and more
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Agenda
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Agenda
Web Architecture
Web Architecture Attack
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Basic Web Architecture Two Tier Architecture
ndash Web browser display content that return from Web Server
ndash Web server provide resource for client
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Agenda
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Agenda
Web Architecture
Web Architecture Attack
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Basic Web Architecture Two Tier Architecture
ndash Web browser display content that return from Web Server
ndash Web server provide resource for client
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Agenda
Web Architecture
Web Architecture Attack
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Basic Web Architecture Two Tier Architecture
ndash Web browser display content that return from Web Server
ndash Web server provide resource for client
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code
– Success: 2xx
– Redirection: 3xx
– Client-side error: 4xx
– Server-side error: 5xx
HTTP Session State
HTTP is a stateless protocol
Solutions:
– Cookies
– Sessions
– Hidden variables
– URL-encoded parameter (index.php?session_id=$session_code)
Web Architecture Extension
Two-tier architecture is not enough
Common Gateway Interface (CGI)
– Standard protocol for interfacing external application software with a web server
– CGI programs are executable programs that run on the web server
JavaScript
Scripting language designed for dynamic, interactive web applications
– Runs on the client side
– Pre-processes data on the client before submission to a server
– Changes content, types and styles
Three-Tier Web Architecture
Making HTTP Stateful (2): Cookie
– Text stored on the client's computer by the web browser
– Sent as an HTTP header
– Can be used for authentication and session tracking
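The session-tracking options from the HTTP Session State slide and the cookie slide above, seen from the server side, as an added Python example that is not part of the deck; the cookie name session_id, the URL parameter name and the sample values are assumptions.

```python
"""Added example (not from the original slides): a session identifier can
travel in a cookie or in a URL parameter such as index.php?session_id=...
This issues it as a hardened cookie, reads it back from the Cookie header,
and reports which transport a request actually used."""
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit


def new_session_id() -> str:
    # 128 bits from the stdlib CSPRNG; stands in for the slide's $session_code
    return secrets.token_hex(16)


def build_set_cookie(session_id: str, *, secure: bool = True) -> str:
    """Set-Cookie value for the session id. HttpOnly keeps it away from
    client-side JavaScript, Secure restricts it to HTTPS, SameSite=Lax limits
    cross-site sending (relevant to the CSRF entry of the OWASP 2013 list)."""
    attrs = ["session_id=" + session_id, "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.append("Secure")
    return "; ".join(attrs)


def parse_cookie_header(value: str) -> dict:
    """Cookie: a=b; c=d  ->  {'a': 'b', 'c': 'd'}"""
    cookies = {}
    for pair in value.split(";"):
        name, eq, val = pair.strip().partition("=")
        if eq and name:
            cookies[name] = val
    return cookies


def session_id_in_url(request_target: str, param: str = "session_id") -> Optional[str]:
    """Return the session id if it was passed as a URL parameter, else None.
    Ids carried in URLs end up in proxy logs, browser history and Referer headers,
    which is why the cookie transport is preferred."""
    query = parse_qs(urlsplit(request_target).query)
    values = query.get(param)
    return values[0] if values else None


def locate_session(headers: dict, request_target: str) -> Tuple[Optional[str], str]:
    """Find where the client's session id came from: 'cookie', 'url' or 'none'.
    headers is a dict with lower-cased header names (as a parser would produce)."""
    cookies = parse_cookie_header(headers.get("cookie", ""))
    if "session_id" in cookies:
        return cookies["session_id"], "cookie"
    from_url = session_id_in_url(request_target)
    if from_url:
        return from_url, "url"
    return None, "none"


if __name__ == "__main__":
    sid = new_session_id()
    print("Set-Cookie:", build_set_cookie(sid))
    # constructed requests: one using the cookie, one using the URL parameter
    print(locate_session({"cookie": "session_id=" + sid + "; theme=dark"}, "/index.php"))
    print(locate_session({}, "/index.php?session_id=" + sid + "&page=2"))
```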
Server and Client Processing
Server-side processing:
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python (Django)
– Ruby on Rails
Client-side processing:
– CSS
– HTML
– JavaScript
– Adobe Flash
– Microsoft Silverlight
AJAX: Asynchronous JavaScript and XML (AJAX)
Created by Jesse James Garrett, February 18, 2005
Ajax incorporates:
– XHTML and CSS
– Document Object Model (DOM)
– XML and XSLT
– XMLHttpRequest
– JavaScript
AJAX (2)

AJAX (3)
JSON: JavaScript Object Notation (JSON)
– JSON is a lightweight data interchange format
– JSON is based on a subset of the JavaScript programming language
– Used as an alternative to the XML format
JSON Request && Response

JSON (2)
XML: eXtensible Markup Language
– Used for information exchange
– The two primary building blocks of XML are elements and attributes
– Elements are tags and have values
– Elements are structured as a tree
– Alternatively, elements may have both attributes and data
– Attributes give an element more meaning and describe it more efficiently and clearly
XML (2): Tag, Element, Content
XML (3)

XML (4)

XML vs JSON
Web Services
– A web service is a software system designed to support machine-to-machine interaction over a network
– Web services are frequently just used as Internet Application Programming Interfaces (APIs)
– Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
SOAP (Simple Object Access Protocol)
– Web service based on XML
REST (Representational State Transfer)
– Web service represented in the application's own data format

SOAP vs REST
SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
Web Architecture Attack
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP Top 10 2013
– Injection
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object References
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
Security Controls & Mechanisms

Security Control
– Application layer
– Network layer
Application Layer
– Input validation
– Session management
– Authentication method
– Strong policy (such as a password policy)
– Same-origin policy
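Two of the application-layer controls listed above, input validation and the same-origin policy, written as server-side checks in an added Python example that is not from the deck; the allow-list patterns, the app.example host and the "next" redirect parameter are assumptions, and the redirect check also covers the Unvalidated Redirects and Forwards item of the OWASP 2013 list.

```python
"""Added example (not from the original slides): allow-list input validation
and a same-origin comparison, then both combined to keep a login redirect on
the application's own origin."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """The (scheme, host, port) triple that the same-origin policy compares."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return parts.scheme, parts.hostname.lower(), port


def same_origin(a: str, b: str) -> bool:
    """True only when scheme, host and port all match, as the browser's policy requires."""
    return origin(a) == origin(b)


# Allow-list validation: accept only what the application expects, reject the rest
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")          # assumed 32 lower-case hex chars
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{3,32}")    # assumed username alphabet


def validate_session_id(value: str) -> bool:
    # fullmatch anchors both ends, so a trailing newline or extra char fails
    return SESSION_ID_RE.fullmatch(value) is not None


def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def safe_redirect_target(next_param: Optional[str], app_base: str) -> str:
    """Resolve a 'next' parameter so the redirect stays on the application's
    origin. Relative paths are accepted; absolute URLs only if same-origin;
    anything else falls back to the application root."""
    fallback = app_base.rstrip("/") + "/"
    if not next_param:
        return fallback
    # protocol-relative (//host) and backslash forms are rejected before parsing
    if next_param.startswith(("//", "/\\", "\\")):
        return fallback
    parts = urlsplit(next_param)
    if not parts.scheme and not parts.netloc:
        # path-only value: keep it rooted under the application
        path = parts.path if parts.path.startswith("/") else "/" + parts.path
        query = ("?" + parts.query) if parts.query else ""
        return app_base.rstrip("/") + path + query
    try:
        return next_param if same_origin(next_param, app_base) else fallback
    except ValueError:  # javascript:, data:, mailto: and other non-http schemes
        return fallback


if __name__ == "__main__":
    base = "https://app.example"
    for candidate in ("/account?tab=1", "https://app.example/orders",
                      "https://evil.example/", "//evil.example/", "javascript:alert(1)"):
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate, base)}")
    print(validate_username("alice_01"), validate_username("a'; --"))
```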
Network Layer
– Firewall
– Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
– Web Application Firewall (WAF)
– Centralized log server
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php

www.i-secure.co.th
Questions?
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Basic Web Architecture Two Tier Architecture
ndash Web browser display content that return from Web Server
ndash Web server provide resource for client
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Basic Web Architecture Two Tier Architecture
ndash Web browser display content that return from Web Server
ndash Web server provide resource for client
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTML HTML(Hyper Text Markup Language)
ndash Document Layout Language
ndash Viewed by using Web Browser
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI URI(Universal Resource Identifier)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP Top 10 2013
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
Security Controls amp Mechanism
Security Control
- Application Layer
- Network Layer
Application Layer
- Input Validation
- Session Management
- Authentication Method
- Strong Policy (such as a password policy)
- Same-Origin Policy
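As an added example (not from the slides), the Same-Origin Policy control above and the CSRF entry in the OWASP list, expressed as code: a same-origin comparison as browsers define it (scheme, host and port, with default ports filled in), and a server-side check that a state-changing request's Origin or Referer header is the site's own origin. SITE_ORIGIN and the header values are constructed for the demo; the header dict uses lower-cased names as a parser would normalise them.

```python
"""Same-origin comparison plus an Origin/Referer check for non-safe
requests. Added example, not from the slides; SITE_ORIGIN is a
constructed value standing in for the site's real origin."""
from typing import Dict, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
SITE_ORIGIN = "https://www.example.test"  # constructed for the demo
# "Safe" methods as listed on the slides: retrieval only, no state change.
SAFE_METHODS = frozenset({"HEAD", "GET", "OPTIONS", "TRACE"})


def origin(url: str) -> Tuple[str, str, int]:
    """Reduce a URL to the (scheme, host, port) triple that defines its
    origin. The default port is filled in so that 'http://h/' and
    'http://h:80/' compare equal; path, query and fragment are ignored."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an http(s) URL with a host: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname, port)  # hostname is already lower-cased


def same_origin(a: str, b: str) -> bool:
    """Two URLs share an origin only if all three parts match."""
    return origin(a) == origin(b)


def csrf_check(method: str, headers: Dict[str, str]) -> bool:
    """Accept a request if its method is safe, or if its Origin header
    (falling back to Referer) names the site's own origin. A missing or
    unparseable header on a state-changing request is rejected, not
    trusted; 'Origin: null' therefore fails as well."""
    if method.upper() in SAFE_METHODS:
        return True
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False
    try:
        return same_origin(source, SITE_ORIGIN)
    except ValueError:
        return False
```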
Network Layer
- Firewall
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
- Web Application Firewall (WAF)
- Centralized Log Server
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
Questions
www.i-secure.co.th
URI
URI (Universal Resource Identifier)
URI (2)
URL (Universal Resource Locator)
URN (Universal Resource Name)
HTTP
HTTP (Hyper Text Transfer Protocol)
HTTP is an application-layer protocol
HTTP is a two-way exchange: an HTTP request and an HTTP response
HTTP (2)
Request Message
- Request line
- Request headers
- An empty line
- An optional message body
HTTP(3)
Request Method
- HEAD
- GET
- POST
- PUT
- DELETE
- TRACE
- OPTIONS
- CONNECT
Safe Method
Safe:
- HEAD
- GET
- OPTIONS
- TRACE
Not safe:
- POST
- PUT
- DELETE
- CONNECT
Status Code
- Success: 2xx
- Redirection: 3xx
- Client-Side Error: 4xx
- Server-Side Error: 5xx
HTTP Session State
HTTP is a stateless protocol
Solutions:
- Cookies
- Sessions
- Hidden variables
- URL-encoded parameter (e.g. index.php?session_id=$session_code)
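As an added example (not from the slides), the HTTP material above, request structure, safe-method list, status-code classes and the cookie and URL carriers for a session identifier, turned into a small Python parser. The request text, host name and token values are constructed for the demo. The parser also insists that the declared Content-Length matches the body that actually arrived, a mismatch a server should reject rather than guess about; and a token carried in the URL, unlike one in a cookie, also ends up in server logs and Referer headers.

```python
"""HTTP/1.1 request parsing as the slides lay it out: request line,
header lines, an empty line, then an optional body. Added example,
not from the original slides; the request below is constructed."""
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Methods listed on the slides, split into the "safe" group and the rest.
SAFE_METHODS = frozenset({"HEAD", "GET", "OPTIONS", "TRACE"})
ALL_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT"}

# Constructed sample: a GET whose session identifier travels both as a
# cookie and as a URL parameter, the two carriers named on the slides.
SAMPLE_REQUEST = (
    "GET /index.php?session_id=abc123&page=2 HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Cookie: PHPSESSID=abc123; theme=dark\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw: str) -> Dict[str, Any]:
    """Split a raw request into method, target, version, headers and body.
    Raises ValueError for anything that breaks the message structure."""
    head, sep, body = raw.partition("\r\n\r\n")  # the empty line ends the headers
    if not sep:
        raise ValueError("no empty line between headers and body")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if method not in ALL_METHODS:
        raise ValueError(f"unknown method: {method}")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()  # header names are case-insensitive
    # The declared body length must match what actually arrived; reject
    # the message rather than guess how it is framed.
    if "content-length" in headers:
        declared = int(headers["content-length"])
        actual = len(body.encode())
        if declared != actual:
            raise ValueError(f"Content-Length {declared} but body is {actual} bytes")
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def framing_ok(raw: str) -> bool:
    """True if the message parses and its declared length is honest."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


def is_safe_method(method: str) -> bool:
    """Safe methods per the slides: HEAD, GET, OPTIONS, TRACE."""
    return method.upper() in SAFE_METHODS


def status_class(code: int) -> str:
    """Status-code classes as named on the slides (1xx is not on the
    slide; it is included here as 'Informational')."""
    classes = {1: "Informational", 2: "Success", 3: "Redirection",
               4: "Client-Side Error", 5: "Server-Side Error"}
    if code // 100 not in classes:
        raise ValueError(f"not an HTTP status code: {code}")
    return classes[code // 100]


def parse_cookies(headers: Dict[str, str]) -> Dict[str, str]:
    """Cookie header format: 'name=value; name2=value2'."""
    cookies: Dict[str, str] = {}
    for pair in headers.get("cookie", "").split(";"):
        name, eq, value = pair.strip().partition("=")
        if eq:
            cookies[name] = value
    return cookies


def session_tokens(req: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """Where the request carries its session identifier: the PHPSESSID
    cookie (PHP's default name) and/or the session_id URL parameter from
    the slide's index.php?session_id= example."""
    query = parse_qs(urlsplit(req["target"]).query)
    return {"cookie": parse_cookies(req["headers"]).get("PHPSESSID"),
            "url": (query.get("session_id") or [None])[0]}
```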
Web Architecture Extension
Two-tier architecture is not enough
Common Gateway Interface (CGI)
Standard protocol for interfacing external application software with a web server
CGI programs are executable programs that run on the web server
JavaScript
Scripting language designed for dynamic, interactive web applications
Runs on the client side
Preprocessing data on the client before submission to a server
Changing content, type and styles
Three tier web architecture
Making HTTP Stateful (2): Cookie
Text stored on a client's computer by the web browser
Sent as an HTTP header
Can be used for authentication and session tracking
Server and Client Processing
Server-Side Processing:
- PHP
- ASP
- ASP.NET
- Perl
- J2EE
- Python (Django)
- Ruby on Rails
Client-Side Processing:
- CSS
- HTML
- JavaScript
- Adobe Flash
- Microsoft Silverlight
AJAX
Asynchronous JavaScript and XML (AJAX)
Created by Jesse James Garrett, February 18, 2005
Ajax incorporates:
- XHTML and CSS
- Document Object Model (DOM)
- XML and XSLT
- XMLHttpRequest
- JavaScript
AJAX(2)
AJAX(3)
JSON
JavaScript Object Notation (JSON)
JSON is a lightweight computer data interchange format
JSON is based on a subset of the JavaScript programming language
Used in place of the XML format
JSON Request & Response
JSON(2)
XML
eXtensible Markup Language
Used for information exchange
The two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively, elements may have both attributes and data
Attributes help you give more meaning to an element and describe it more efficiently and clearly
XML (2)
Diagram labelling the parts of an XML document: Tag, Element, Content
XML(3)
XML(4)
XML vs JSON
Web Services
A web service is a software system designed to support machine-to-machine interaction over a network
Web services are frequently just Internet Application Programming Interfaces (APIs)
Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
URI(2) URL(Universal Resource Locator)
URN(Universal Resource Name)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP HTTP(Hyper Text Transfer Protocol)
HTTP is an application layer
HTTP has 2 way communication HTTP Request and HTTP Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(2) Request Message
ndash Request Line
ndash Request Header
ndash An empty line
ndash An optional Message Body
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP 2013
– Injection
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object References
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
Security Controls & Mechanism
Security Control
– Application Layer
– Network Layer
Application Layer
– Input Validation
– Session Management
– Authentication Method
– Strong Policy (such as a password policy)
– Same-Origin Policy
Network Layer
– Firewall
– Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
– Web Application Firewall (WAF)
– Centralized Log Server
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
Questions?
www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.
HTTP (3)
Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT
Safe Method
– Safe (no side effects on the server): HEAD, GET, OPTIONS, TRACE
– Not safe (may change server state): POST, PUT, DELETE, CONNECT
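As an added example (not code from the original slides), a small Python router that enforces the safe-method rule above: a handler that changes server state can never be reached through HEAD, GET, OPTIONS or TRACE, and a request that tries is answered with a 4xx status from the classes on the next slide. The route names, the handlers and the in-memory account are constructed for illustration.

```python
# Added example: enforcing "safe methods carry no side effects" in a tiny router.
# Routes, handlers and the account store below are constructed for this illustration.
from typing import Callable, Dict, Tuple

SAFE_METHODS = {"HEAD", "GET", "OPTIONS", "TRACE"}            # read-only by contract
ALL_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT"}

Handler = Callable[[], str]
# route table: path -> (allowed methods, handler changes state?, handler)
ROUTES: Dict[str, Tuple[set, bool, Handler]] = {}
_ACCOUNTS = {"alice": {"balance": 100}}                        # constructed server state


def route(path: str, methods: set, mutates: bool):
    """Register a handler. A state-changing handler exposed on a safe method is
    refused at registration time, so the mistake cannot reach production: such a
    GET could be triggered by any link or image tag the user loads."""
    def deco(fn: Handler) -> Handler:
        bad = methods & SAFE_METHODS if mutates else set()
        if bad:
            raise ValueError(f"{path}: state-changing handler on safe method(s) {sorted(bad)}")
        ROUTES[path] = (methods, mutates, fn)
        return fn
    return deco


@route("/balance", {"GET", "HEAD"}, mutates=False)
def show_balance() -> str:
    return str(_ACCOUNTS["alice"]["balance"])


@route("/transfer", {"POST"}, mutates=True)
def transfer() -> str:
    _ACCOUNTS["alice"]["balance"] -= 10
    return "ok"


def dispatch(method: str, path: str) -> Tuple[int, str]:
    """Return (status, body) using the 2xx / 4xx classes from the status-code slide."""
    method = method.upper()
    if method not in ALL_METHODS:
        return 400, "bad request"                              # client-side error
    if path not in ROUTES:
        return 404, "not found"
    allowed, _mutates, handler = ROUTES[path]
    if method not in allowed:
        # 405: the server would also send "Allow: <methods>" listing `allowed`
        return 405, "method not allowed: " + ",".join(sorted(allowed))
    body = handler()
    return 200, ("" if method == "HEAD" else body)             # HEAD: same status, no body


def registering_mutating_get_fails() -> bool:
    """Demonstrates the registration-time guard on a constructed route."""
    try:
        route("/delete-account", {"GET"}, mutates=True)(lambda: "gone")
    except ValueError:
        return True
    return False
```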
Status Code
– Success: 2xx
– Redirection: 3xx
– Client-Side Error: 4xx
– Server-Side Error: 5xx
HTTP Session State
HTTP is a stateless protocol.
Solutions:
– Cookies
– Sessions
– Hidden variable
– URL-encoded parameter (index.php?session_id=$session_code)
Web Architecture Extension
Two-tier architecture is not enough.
Common Gateway Interface (CGI)
– Standard protocol for interfacing external application software with a web server
– CGI programs are executable programs that run on the web server
JavaScript
– Scripting language designed for dynamic, interactive web applications
– Runs on the client side
– Preprocesses data on the client before submission to a server
– Changes content type and styles
Three-tier web architecture
Make HTTP Stateful (2)
Cookie
– Text stored on a client's computer by the web browser
– Sent as an HTTP header
– Can be used for authentication and session tracking
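The cookie-based solution from the "HTTP Session State" slide, written out as an added Python example (not code from the original slides): a server-side session store that issues an unpredictable id in a Set-Cookie header, validates the incoming cookie value before using it as a lookup key, and flags the weaker URL-parameter variant. The cookie name, the idle timeout and the user names are constructed assumptions.

```python
# Added example: session tracking with a cookie instead of a URL parameter.
# Cookie name, timeout and user names are constructed for this illustration.
import re
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional

SESSION_COOKIE = "session_id"                 # constructed cookie name
SESSION_TTL = 30 * 60                         # idle seconds before a session expires
_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")   # secrets.token_urlsafe(32) is always 43 chars
_store: Dict[str, dict] = {}                  # session id -> {"user": ..., "expires": ...}


def create_session(user: str, now: Optional[float] = None) -> str:
    """Issue an unpredictable session id from the OS CSPRNG and record it server-side.
    The browser only ever holds this opaque token, never the user data itself."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    _store[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def set_cookie_header(sid: str) -> str:
    """Set-Cookie response header for the id. Secure keeps it off plaintext HTTP,
    HttpOnly keeps it away from client-side script, SameSite stops the browser from
    attaching it to cross-site requests (the CSRF entry on the OWASP 2013 slide)."""
    return f"Set-Cookie: {SESSION_COOKIE}={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def user_from_cookie_header(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the Cookie request header to a user, or None.
    Input validation first: the value must have exactly the shape we issue before it
    is used as a lookup key; unknown ids are rejected and expired ones are dropped."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    try:
        jar.load(cookie_header)
    except Exception:                       # malformed header -> treat as no session
        return None
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None or not _ID_RE.match(morsel.value):
        return None
    sess = _store.get(morsel.value)
    if sess is None:
        return None
    if sess["expires"] < now:
        del _store[morsel.value]
        return None
    sess["expires"] = now + SESSION_TTL     # sliding expiry while the user stays active
    return sess["user"]


def session_id_in_url(request_line: str) -> bool:
    """The URL-parameter variant from the slide (index.php?session_id=...) puts the id
    in the request line, where it is written to server and proxy logs and copied into
    the Referer header of outgoing links. Flagging such requests lets the server
    refuse them or log them with the id redacted."""
    return re.search(r"[?&]session_id=", request_line) is not None
```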
Server and Client Processing
Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python (Django)
– Ruby on Rails
Client-Side Processing
– CSS
– HTML
– JavaScript
– Adobe Flash
– Microsoft Silverlight
AJAX
Asynchronous JavaScript and XML (AJAX)
– Created by Jesse James Garrett, February 18, 2005
Ajax incorporates:
– XHTML
– CSS
– Document Object Model (DOM)
– XML and XSLT
– XMLHttpRequest
– JavaScript
AJAX (2)
AJAX (3)
JSON
JavaScript Object Notation (JSON)
– JSON is a lightweight computer data interchange format
– JSON is based on a subset of the JavaScript programming language
– Used as an alternative to the XML format
JSON Request & Response
JSON (2)
XML
eXtensible Markup Language
– Used for information exchange
– The two primary building blocks of XML are elements and attributes
– Elements are tags and have values
– Elements are structured as a tree
– Alternatively, elements may have both attributes and data
– Attributes help you give more meaning to an element and describe it more efficiently and clearly
XML (2)
– Tag
– Element
– Content
XML (3)
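As an added example (not code from the original slides), Python that parses a constructed XML document into the tag / attribute / content tree described on the XML slides and emits the same data in the JSON shape the "XML vs JSON" comparison is about. The DOCTYPE pre-check is an assumption added for untrusted web-service input; the mapping rules ("@" for attributes, "#text" for content) are a common convention, not something the slides define.

```python
# Added example: XML element tree -> JSON object, with attributes, content and
# repeated children handled. The sample document is constructed.
import json
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, Union

# Constructed sample: a root with attributes, a text-only child, and a repeated
# child element that carries both attributes and text content.
SAMPLE_XML = """<?xml version="1.0"?>
<order id="42" currency="THB">
  <customer>Somchai</customer>
  <item sku="A100" qty="2">Keyboard</item>
  <item sku="B200" qty="1">Mouse</item>
</order>"""

_DOCTYPE_RE = re.compile(r"<!DOCTYPE", re.IGNORECASE)
JsonValue = Union[str, Dict[str, Any], list]


def has_doctype(xml_text: str) -> bool:
    """Data-interchange XML has no reason to carry a DOCTYPE (or the entity
    declarations one can contain), so the converter refuses such input up front."""
    return _DOCTYPE_RE.search(xml_text) is not None


def element_to_obj(el: ET.Element) -> JsonValue:
    """Map one element to a JSON-style value; recursion keeps the tree shape.
      - attributes become "@name" keys
      - child elements become keys named after their tag; a repeated tag becomes a list
      - text content becomes "#text", or the bare string when the element has
        neither attributes nor children
    """
    obj: Dict[str, Any] = {"@" + k: v for k, v in el.attrib.items()}
    for child in el:
        value = element_to_obj(child)
        if child.tag in obj:                        # second occurrence -> list
            existing = obj[child.tag]
            if isinstance(existing, list):
                existing.append(value)
            else:
                obj[child.tag] = [existing, value]
        else:
            obj[child.tag] = value
    text = (el.text or "").strip()
    if text:
        if not obj:
            return text                             # leaf element: just its value
        obj["#text"] = text
    return obj


def xml_to_obj(xml_text: str) -> Dict[str, Any]:
    """Parse and convert; the root tag becomes the single top-level key."""
    if has_doctype(xml_text):
        raise ValueError("DOCTYPE is not accepted in data-interchange XML")
    root = ET.fromstring(xml_text)
    return {root.tag: element_to_obj(root)}


def xml_to_json(xml_text: str) -> str:
    """The same data as JSON text, for the XML vs JSON comparison."""
    return json.dumps(xml_to_obj(xml_text), indent=2, ensure_ascii=False)
```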
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Request Methodndash HEAD
ndash GET
ndash POST
ndash PUT
ndash DELETE
ndash TRACE
ndash OPTIONS
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Safe Methodndash HEAD
ndash GET
ndash OPTIONS
ndash TRACE
ndash POST
ndash PUT
ndash DELETE
ndash CONNECT
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Status Code Success 2xx
Redirection 3xx
Client-Side Error 4xx
Server-Side Error 5xx
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
HTTP Session State HTTP is stateless Protocol
Solutionsndash Cookies
ndash Sessions
ndash Hidden variable
ndash URL encode parameter( indexphpsession_id=$session_code)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
Browser (presentation tier) -> web/application server (logic tier) -> database (data tier)
Make HTTP stateful (2): Cookie
- A small piece of text stored on the client's computer by the web browser
- Sent as HTTP headers: the server sets it with Set-Cookie, the browser returns it in the Cookie header of later requests to that site
- Can be used for authentication and session tracking
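The "Sessions" solution from the HTTP Session State slide together with the cookie that carries it, as an added example rather than code from the original slides. Assumptions made here: a single-process in-memory store, a clock value passed in by the caller so the walk-through is deterministic, a cookie named `sid` and a 30-minute idle timeout. It shows the parts a practitioner checks: a random, opaque identifier; the protective cookie attributes; identifier rotation at login so a pre-planted id (session fixation) stops working; and expiry.

```python
"""Server-side session carried by a cookie (added example, not code from the original slides).

Assumptions: single-process in-memory store, caller-supplied clock, cookie name "sid",
30-minute idle timeout. The identifier is random and opaque; all state stays on the
server, which is what "Sessions" on the slide means.
"""
import secrets
from http.cookies import SimpleCookie
from typing import Optional

COOKIE_NAME = "sid"
SESSION_TTL = 30 * 60  # idle timeout in seconds (assumed policy)


class SessionStore:
    def __init__(self):
        self._sessions = {}  # sid -> {"user": str, "expires": float}

    def _new_id(self) -> str:
        # 32 bytes from the OS CSPRNG: unguessable, so possession of the id is the credential
        return secrets.token_urlsafe(32)

    def create(self, user: str, now: float) -> str:
        sid = self._new_id()
        self._sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
        return sid

    def lookup(self, sid: Optional[str], now: float) -> Optional[dict]:
        """Session for sid, or None if unknown or idle too long; a hit extends the idle timer."""
        if not sid:
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None
        if now >= session["expires"]:
            del self._sessions[sid]
            return None
        session["expires"] = now + SESSION_TTL
        return session

    def rotate(self, old_sid: str, now: float) -> Optional[str]:
        """Swap the identifier (keeping the data) when privilege changes, e.g. at login.

        Whatever id the browser held before login, possibly one an attacker planted
        (session fixation), stops working, and the attacker never learns the new one.
        """
        session = self.lookup(old_sid, now)
        if session is None:
            return None
        del self._sessions[old_sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = session
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: forget the session server-side so a copied cookie is useless afterwards."""
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Set-Cookie value handing the id to the browser with the protective attributes set.

    HttpOnly hides it from document.cookie (and so from XSS payloads), Secure keeps it
    off plaintext HTTP, SameSite=Lax keeps most cross-site requests from carrying it
    (a CSRF mitigation), Max-Age bounds how long the browser keeps it.
    """
    return f"{COOKIE_NAME}={sid}; Path=/; Max-Age={SESSION_TTL}; HttpOnly; Secure; SameSite=Lax"


def sid_from_request(cookie_header: Optional[str]) -> Optional[str]:
    """Pull the session id out of an incoming Cookie header, ignoring the other cookies."""
    if not cookie_header:
        return None
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    return morsel.value if morsel else None


def walkthrough() -> dict:
    """Login, authenticated request and idle expiry on constructed inputs and a fixed clock."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    anon_sid = store.create("anonymous", t0)        # id the browser held before login
    sid = store.rotate(anon_sid, t0 + 1)            # login: new id, old one dead
    store.lookup(sid, t0 + 1)["user"] = "alice"
    old_id_still_works = store.lookup(anon_sid, t0 + 2) is not None
    request_cookie = f"theme=dark; {COOKIE_NAME}={sid}; lang=en"  # constructed Cookie header
    user = store.lookup(sid_from_request(request_cookie), t0 + 3)["user"]
    expired = store.lookup(sid, t0 + 3 + SESSION_TTL) is None
    return {"old_id_still_works": old_id_still_works, "user": user,
            "expired": expired, "set_cookie": set_cookie_header(sid)}
```

The hidden-field and URL-parameter carriers from the slide would plug into the same store; only `set_cookie_header()` and `sid_from_request()` change, and with them the protections the cookie attributes provide.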
Server and Client Processing
Server-Side Processing
- PHP
- ASP
- ASP.NET
- Perl
- J2EE
- Python (Django)
- Ruby on Rails
Client-Side Processing
- CSS
- HTML
- JavaScript
- Adobe Flash and Microsoft Silverlight (both plugin platforms have been discontinued since these slides were written)
AJAX
Asynchronous JavaScript and XML (AJAX)
- Term coined by Jesse James Garrett, February 18, 2005
- Ajax incorporates: XHTML and CSS, the Document Object Model (DOM), XML and XSLT, XMLHttpRequest, JavaScript
- XMLHttpRequest is bound by the browser's same-origin policy; data it fetches is still untrusted input and must be parsed and encoded as carefully as a form submission
AJAX(2), AJAX(3): diagram slides
JSON
JavaScript Object Notation (JSON)
- JSON is a lightweight data interchange format
- JSON is based on a subset of the JavaScript programming language (object and array literals); a JSON text is therefore valid JavaScript, which is why early code parsed responses with eval(), and why JSON.parse() must be used instead: eval() executes whatever the server, or someone tampering with the response, sends back
- Used as an alternative to XML
JSON Request & Response
JSON(2)
XML
eXtensible Markup Language
- Used for information exchange
- The two primary building blocks of XML are elements and attributes
- Elements are delimited by tags and have values
- Elements are structured as a tree
- Alternatively, elements may carry attributes as well as data
- Attributes give an element more meaning and describe it more precisely
XML(2): parts of an element (diagram): tag, element, content
XML(3)
XML(4)
XML vs JSON
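The JSON and XML slides above describe the two interchange formats; here is the same record parsed from each, as an added example that is not code from the original slides. The sample documents are constructed for the example. Two checks a practitioner adds: the JSON path validates the shape of the decoded data before using it, and the XML path rejects any DOCTYPE, since a document type declaration is where entity declarations live and entity expansion is what external-entity (XXE) and "billion laughs" attacks depend on. The field names `id`, `name`, `role` are assumptions.

```python
"""Parsing one record as JSON and as XML (added example; not code from the original slides).

Constructed sample documents. The XML parser refuses any DOCTYPE before a single
entity can be declared; the JSON parser checks the decoded shape before trusting it.
"""
import json
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

FIELDS = ("id", "name", "role")  # assumed record layout

SAMPLE_JSON = '{"user": {"id": "42", "name": "alice", "role": "user"}}'

SAMPLE_XML = """<?xml version="1.0"?>
<user>
  <id>42</id>
  <name>alice</name>
  <role>user</role>
</user>"""

# Constructed hostile document: an external entity that a DTD-processing parser would expand.
HOSTILE_XML = """<?xml version="1.0"?>
<!DOCTYPE user [ <!ENTITY x SYSTEM "file:///etc/passwd"> ]>
<user><id>&x;</id><name>a</name><role>b</role></user>"""


def parse_record_json(text: str) -> dict:
    """Decode and shape-check: json.loads never evaluates code, unlike eval() on a JSON text in JavaScript."""
    data = json.loads(text)
    if not isinstance(data, dict) or not isinstance(data.get("user"), dict):
        raise ValueError("unexpected JSON shape")
    user = data["user"]
    if set(user) != set(FIELDS) or not all(isinstance(user[f], str) for f in FIELDS):
        raise ValueError("unexpected user fields")
    return {f: user[f] for f in FIELDS}


def parse_xml_no_dtd(text: str) -> ET.Element:
    """Build an ElementTree with expat, raising as soon as a DOCTYPE appears."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate()

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError("DTD not allowed")  # propagates out of parser.Parse()

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data
    parser.Parse(text, True)
    return builder.close()


def parse_record_xml(text: str) -> dict:
    root = parse_xml_no_dtd(text)
    if root.tag != "user":
        raise ValueError("unexpected root element")
    record = {}
    for f in FIELDS:
        el = root.find(f)
        if el is None or el.text is None:
            raise ValueError(f"missing <{f}>")
        record[f] = el.text.strip()
    return record


def rejects(parse, text: str) -> bool:
    """True if parse() refuses the document (malformed, wrong shape, or DTD present)."""
    try:
        parse(text)
    except (ValueError, expat.ExpatError):
        return True
    return False
```

Both parsers return the same dictionary for the two sample documents, which is the point of the "XML vs JSON" comparison: the format is an encoding detail, the validation of what arrived is not.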
Web Services
- A web service is a software system designed to support interoperable machine-to-machine interaction over a network
- Web services are frequently just Internet-facing Application Programming Interfaces (APIs)
- Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
SOAP (Simple Object Access Protocol)
- XML-based messaging protocol for web services
REST (Representational State Transfer)
- Architectural style in which the service represents its resources in whatever format the application chooses (commonly JSON or XML)
SOAP vs REST (comparison)
SOAP Example / REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
Web Architecture Attack
Web Architecture (diagram)
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack (diagram)
Reference: Web Application Hacking/Security 101 (same presentation)
OWASP Top 10 (2013)
- A1 Injection
- A2 Broken Authentication and Session Management
- A3 Cross-Site Scripting (XSS)
- A4 Insecure Direct Object References
- A5 Security Misconfiguration
- A6 Sensitive Data Exposure
- A7 Missing Function Level Access Control
- A8 Cross-Site Request Forgery (CSRF)
- A9 Using Components with Known Vulnerabilities
- A10 Unvalidated Redirects and Forwards
Security Controls & Mechanism
Security Control
- Application Layer
- Network Layer
Application Layer
- Input validation (on the server, against an allowlist of what each field may contain; client-side checks can be bypassed)
- Session management
- Authentication method
- Strong policy (such as a password policy)
- Same-Origin Policy (the browser lets script read responses only from the scheme, host and port the page was loaded from)
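Two of the application-layer controls listed above in working form, as an added example that is not code from the original slides. `same_origin()` performs the comparison the browser's Same-Origin Policy makes (scheme, host and port, with the scheme's default port filled in); the same rule serves server-side code that checks an `Origin` header. `validate_field()` is allowlist input validation; the field rules in `RULES` are assumptions for the example.

```python
"""Same-origin comparison and allowlist input validation (added example; not the slides' code)."""
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin_of(url: str):
    """(scheme, host, port) identifying url's origin, or None when the URL has no usable host."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if not scheme or not host:
        return None
    try:
        port = parts.port          # None when absent; ValueError when non-numeric or out of range
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a: str, b: str) -> bool:
    """Same scheme, host and port. Path, query and fragment do not matter; a subdomain does."""
    oa, ob = origin_of(a), origin_of(b)
    return oa is not None and oa == ob


def allowed_origin(origin_header: str, allowed: list) -> bool:
    """Server-side use: accept a request's Origin header only if it matches a configured origin."""
    return any(same_origin(origin_header, o) for o in allowed)


# Allowlist rules (assumed for the example): what each field MAY contain, plus a length bound,
# rather than a blocklist of characters thought to be dangerous.
RULES = {
    "username": (re.compile(r"[a-z][a-z0-9_]{2,31}"), 32),
    "age": (re.compile(r"[1-9][0-9]?|1[01][0-9]|120"), 3),
    "email": (re.compile(r"[^@\s]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}"), 254),
}


def validate_field(name: str, value) -> bool:
    """True only if the field is known and value matches its pattern in full and its length bound."""
    rule = RULES.get(name)
    if rule is None or not isinstance(value, str):
        return False
    pattern, max_len = rule
    return len(value) <= max_len and pattern.fullmatch(value) is not None
```

Unknown fields are rejected rather than passed through, and `fullmatch` is used so that trailing characters (including a newline) cannot ride along with a value that "starts out" valid.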
Network Layer
- Firewall
- Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
- Web Application Firewall (WAF)
- Centralized log server
These controls sit in front of the application and complement the application-layer controls above; they do not replace fixing the application itself.
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
Questions?
www.i-secure.co.th
Web Architecture Extension Two tier architecture is not enough
Common Gateway Interface(CGI)
Standard protocol for interfacing with external application software with a web server
CGI program are executable programs that run on the web server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Javascript Scripting language designed for dynamic interactive web application
Run on client side
Preprocessing data on the client before submission to a server
Changing content type and styles
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Three tier web architecture
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Make HTTP to stateful(2) Cookie
A text stored on a clientrsquos computer by a web browser
Sent as an HTTP Header
Can used for authenticating session tracking
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Server and Client Processing Server-Side Processing
PHP
ASP
ASPNET
Perl
J2EE
Python Django
Ruby On Rail
Client-Side Processing
CSS
HTML
Javascript
Adobe Flash
Microsoft Silverlight
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML
eXtensible Markup Language
Used for information exchange
The two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively, elements may have both attributes and data
Attributes help you give more meaning to an element and describe it more efficiently and clearly
XML (2)
Tag
Element
Content
XML (3)
XML (4)
XML vs JSON
Web Services
A web service is a software system designed to support machine-to-machine interaction over a network
Web services are frequently just used as Internet Application Programming Interfaces (APIs)
Web services use HTTP for transmitting messages (RPC, SOAP, REST)
SOAP vs REST
SOAP (Simple Object Access Protocol)
– Web service based on XML
REST (Representational State Transfer)
– Web service represented in the application's own format
SOAP vs REST
SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
Web Architecture Attack
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP Top 10 2013
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
Security Controls & Mechanism
Security Control
Application Layer
Network Layer
Application Layer
Input Validation
Session Management
Authentication Method
Strong Policy (such as password policy)
Same-Origin Policy
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX Asynchronous Javascript and XML(AJAX)
Create by Jesse James Garrett Febuary 18 2005
Ajax Incorporates
XHTML CSS Document Object Model(DOM) XML and XSLT XMLHttpRequest Javascript
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
AJAX(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Javascript Object Notation(JSON)
JSON is lightweight computer data interchange format
JSON is based on a subset of Javascript programming language
Using of XML format
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON Request ampamp Response
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
JSON(2)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML eXtensible Markup Language
Using for information exchange
Two primary building blocks of XML are elements and attributes
Elements are tags and have values
Elements are structured as a tree
Alternatively elements may have both attributes as well as data
Attributes help you to give more meaning and describe your element more efficiently and clearly
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML (eXtensible Markup Language)
– Used for information exchange
– The two primary building blocks of XML are elements and attributes
– Elements are tags and have values
– Elements are structured as a tree
– Alternatively, elements may have both attributes and data
– Attributes give an element more meaning and describe it more efficiently and clearly
XML (2)
Tag
Element
Content
XML (3)
XML (4)
XML vs JSON
Web Services
– A web service is a software system designed to support machine-to-machine interaction over a network
– Web services are frequently just Internet Application Programming Interfaces (APIs)
– Web services use HTTP for transmitting messages (RPC/SOAP/REST)
SOAP vs REST
SOAP (Simple Object Access Protocol)
– Web service based on XML
REST (Representational State Transfer)
– Web service that represents its data in the application's own format
SOAP vs REST
SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
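As an added example (not the slides' own SOAP and REST examples, which are images taken from the soapUI reference above), the same CreateUser request is built and parsed as a SOAP envelope and as a REST call, together with the element/attribute/content tree walk the XML slides describe. The `urn:example:users` namespace, the `/users` route and the `CreateUser`, `Name` and `Email` field names are assumptions made for this illustration; only the SOAP 1.1 envelope namespace is the real one.

```python
"""Added example (not from the slides): one CreateUser request expressed as a
SOAP envelope (XML) and as a REST call (JSON), each parsed strictly on the
receiving side, plus the element/attribute/content walk from the XML slides.
The service namespace, route and field names are constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict, List, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace (real)
APP_NS = "urn:example:users"                            # constructed service namespace
ET.register_namespace("soap", SOAP_NS)
ET.register_namespace("u", APP_NS)

# XML building blocks: elements (tags with content, arranged as a tree) and attributes.
SAMPLE_XML = (  # constructed document
    '<users>'
    '<user id="7" role="admin"><name>Alice</name><email>alice@example.com</email></user>'
    '</users>'
)


def walk_xml(document: str) -> List[Tuple[int, str, Dict[str, str], str]]:
    """Return (depth, tag, attributes, text content) for every element, in document order."""
    def visit(elem: ET.Element, depth: int, out: list) -> None:
        out.append((depth, elem.tag, dict(elem.attrib), (elem.text or "").strip()))
        for child in elem:
            visit(child, depth + 1, out)
    result: list = []
    visit(ET.fromstring(document), 0, result)
    return result


# SOAP: the operation name and its parameters live inside the XML Body.
def build_soap_request(name: str, email: str) -> bytes:
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    op = ET.SubElement(body, f"{{{APP_NS}}}CreateUser")
    ET.SubElement(op, f"{{{APP_NS}}}Name").text = name
    ET.SubElement(op, f"{{{APP_NS}}}Email").text = email
    return ET.tostring(env, encoding="utf-8", xml_declaration=True)


def parse_soap_request(envelope: bytes) -> Dict[str, Any]:
    """Accept exactly one known operation with exactly the expected parameters."""
    root = ET.fromstring(envelope)
    body = root.find(f"{{{SOAP_NS}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("Body must contain exactly one operation")
    op = body[0]
    if op.tag != f"{{{APP_NS}}}CreateUser":
        raise ValueError("unknown operation")
    params = {child.tag.rsplit("}", 1)[-1]: (child.text or "") for child in op}
    if set(params) != {"Name", "Email"}:
        raise ValueError("unexpected parameters")
    return {"operation": "CreateUser", "params": params}


# REST: the operation is method + path; the data travels in the application's format (JSON).
def build_rest_request(name: str, email: str) -> Dict[str, Any]:
    return {"method": "POST", "path": "/users",
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps({"name": name, "email": email})}


def parse_rest_request(request: Dict[str, Any]) -> Dict[str, Any]:
    """Route on method + path, insist on a JSON body, and reject unexpected fields."""
    if (request["method"], request["path"]) != ("POST", "/users"):
        raise ValueError("unknown route")
    if request["headers"].get("Content-Type") != "application/json":
        raise ValueError("JSON body required")
    data = json.loads(request["body"])
    if not isinstance(data, dict) or set(data) != {"name", "email"}:
        raise ValueError("unexpected parameters")
    return {"operation": "CreateUser", "params": {"Name": data["name"], "Email": data["email"]}}


if __name__ == "__main__":
    for row in walk_xml(SAMPLE_XML):
        print(row)
    soap = parse_soap_request(build_soap_request("Alice", "alice@example.com"))
    rest = parse_rest_request(build_rest_request("Alice", "alice@example.com"))
    print(soap == rest, soap)
```

Both receivers reduce the two wire formats to the same operation-and-parameters dictionary and refuse anything else: a Body with more than one operation, an unknown route, a missing JSON content type or extra fields. That is the receiving-side discipline the later input validation slide asks for, applied at the web-service boundary.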
Web Architecture Attack
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
OWASP 2013
– Injection
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object Reference
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards
Security Controls & Mechanism
Security Control
– Application Layer
– Network Layer
Application Layer
– Input Validation
– Session Management
– Authentication Method
– Strong Policy (such as password policy)
– Same-Origin Policy
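The application-layer controls on this slide, as an added example in Python (not code from the slides): an allowlist username validator for input validation, a password-policy check for the strong-policy item, and a server-side session store for session management. The username character set, the 12-character minimum, the 3-of-4 character-class rule and the idle timeout are illustrative thresholds chosen for this example, not values from the presentation.

```python
"""Added example (not from the slides): application-layer controls as code.
Field rules, policy thresholds and the session idle timeout are assumptions."""
import re
import secrets
import time
from typing import Callable, Dict, List, Optional

# Input validation: allowlist exactly what the field may contain and reject everything else.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> bool:
    """True only for 3-32 lowercase letters, digits or underscores, starting with a letter."""
    return USERNAME_RE.fullmatch(value) is not None


# Strong policy: a password rule set (illustrative thresholds).
PASSWORD_MIN_LEN = 12
CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def password_policy_violations(password: str, username: str = "") -> List[str]:
    """Return every policy rule the password breaks; an empty list means it passes."""
    violations: List[str] = []
    if len(password) < PASSWORD_MIN_LEN:
        violations.append(f"shorter than {PASSWORD_MIN_LEN} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < 3:
        violations.append("fewer than 3 of 4 character classes")
    if username and username.lower() in password.lower():
        violations.append("contains the username")
    return violations


# Session management: opaque random IDs, idle timeout, rotation after login, explicit logout.
class SessionStore:
    def __init__(self, idle_timeout: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, dict] = {}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def create(self, user: str) -> str:
        session_id = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a counter
        self._sessions[session_id] = {"user": user, "last_seen": self._clock()}
        return session_id

    def lookup(self, session_id: str) -> Optional[str]:
        """Return the user bound to a live session, expiring it if it has been idle too long."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > self._idle_timeout:
            del self._sessions[session_id]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def rotate(self, session_id: str) -> Optional[str]:
        """Issue a fresh ID for the same user (after login or a privilege change), retiring the old one."""
        user = self.lookup(session_id)
        if user is None:
            return None
        del self._sessions[session_id]
        return self.create(user)

    def destroy(self, session_id: str) -> None:
        """Logout: the ID stops working immediately, whatever the client still holds."""
        self._sessions.pop(session_id, None)


if __name__ == "__main__":
    print(validate_username("alice_01"), validate_username("Alice"))
    print(password_policy_violations("correcthorse"))
    store = SessionStore(idle_timeout=900)
    sid = store.create("alice")
    print(store.lookup(sid), store.lookup(store.rotate(sid)))
```

The session store keeps all state on the server, so the client only ever holds an unguessable identifier; the clock is injected so the idle-timeout path can be exercised deterministically in a test rather than with real waits.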
Network Layer
– Firewall
– Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
– Web Application Firewall (WAF)
– Centralized Log Server
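As an added example (not from the slides) of what the WAF and the centralized log server on this slide do with the OWASP 2013 categories listed earlier, here are signature checks run over web-server access-log lines in the Apache/nginx combined format, with a per-source count of the kind a log server produces across several web servers. The log lines, the IP addresses (RFC 5737 documentation ranges) and the small signature set are constructed for the example.

```python
"""Added example (not from the slides): WAF-style signature checks over
access-log lines collected by a centralized log server. The log lines,
addresses and rule set are constructed for illustration."""
import re
from collections import Counter
from typing import Dict, List
from urllib.parse import unquote_plus

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures for two OWASP 2013 categories (Injection, XSS) plus path traversal.
# Illustrative only: a real WAF carries far more rules and still misses encoded variants.
RULES = [
    ("sqli-tautology", re.compile(r"(['\"]|\b)\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("xss-script-tag", re.compile(r"<\s*script\b", re.I)),
    ("path-traversal", re.compile(r"(^|[/\\])\.\.([/\\]|$)")),
]

# Constructed sample: one benign request, three that a WAF should flag, one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0700] "GET /products?id=42 HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2013:13:55:40 +0700] "GET /products?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9870 "-" "curl/7.30.0"
198.51.100.7 - - [10/Oct/2013:13:55:41 +0700] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/7.30.0"
203.0.113.9 - - [10/Oct/2013:13:56:02 +0700] "GET /static/../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
this line is not in combined log format and must be skipped rather than crash the analyzer
"""


def normalize(target: str) -> str:
    """Decode percent-encoding once so the rules see what the application would see."""
    return unquote_plus(target)


def analyze_log(text: str) -> Dict[str, object]:
    """Parse each line, run every rule on the decoded request target, and summarize by source IP."""
    findings: List[Dict[str, str]] = []
    parsed = skipped = 0
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            skipped += 1   # count, never drop silently: unparseable lines are worth a look too
            continue
        parsed += 1
        decoded = normalize(match.group("target"))
        for rule_name, pattern in RULES:
            if pattern.search(decoded):
                findings.append({"ip": match.group("ip"), "time": match.group("time"),
                                 "target": decoded, "rule": rule_name})
    by_ip = Counter(f["ip"] for f in findings)
    return {"parsed": parsed, "skipped": skipped, "findings": findings, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for finding in report["findings"]:
        print(finding["ip"], finding["rule"], finding["target"])
    print(report["by_ip"], "parsed", report["parsed"], "skipped", report["skipped"])
```

A signature check of this kind is one layer only: the same decoded request should still be validated by the application itself (the input validation item on the previous slide), and the per-IP tally is the correlation a centralized log server makes possible once every web server ships its logs to one place.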
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php
Questions
www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co Ltd. The information contained herein is subject to change without notice
XML(2)
Tag
Element
Content
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(3)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML(4)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
XML vs JSON
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Services Web service is a software system designed to support machine-to-
machine intraction over a network
Web service are frequently just used to Internet Application Programming Interfaces(API)
Web service use HTTP for transmitting messages(RPCSOAPREST)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST SOAP(Simple Object Access Protocol)
ndash Web service based on XML
REST(Representational State Transfer)ndash Web service represent in format of application
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP vs REST
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
SOAP Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference httpwwwsoapuiorgThe-World-Of-API-Testingsoap-vs-rest-challengeshtml
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Web Architecture Attack
Reference Web Application HackingSecurity 101(httpsdocsgooglecompresentationd1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMseditslide=idp)
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
OWASP 2013 Injection Broken Authentication and Session Management Cross-Site Scripting(XSS) Insecure Direct Object Rerefence Security Misconfiguration Sensitive Data Exposure Missing Function Level Access Control Cross-Site Request Forgery(CSRF) Using Components with Known Vulnerability Unvalidated Redirects and Forwards
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Controls amp Mechanism
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Security Control Application Layer
Network Layer
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Application Layer Input Validation
Sessions Management
Authentication Method
Strong Policy(Such as password policy)
Same-Origin Policy
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Firewall
Intrusion Detection SystemIntrusion Prevention System(IDSIPS)
Web Application Firewall(WAF)
Centralize Log Server
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
Network Layer Diagram
Reference httpwwwumvcokrmain_engsm_enterprisephp
wwwi-securecothQuestions
copy Copyright 2013 ACIS i-secure Co Ltd The information contained herein is subject to change without notice
copy Copyright 2013 i-secure Co Ltd The information contained herein is subject to change without notice
REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Web Architecture Attack

Web Architecture
Reference: Web Application Hacking / Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Web Architecture Attack
Reference: Web Application Hacking / Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

OWASP 2013
– Injection
– Broken Authentication and Session Management
– Cross-Site Scripting (XSS)
– Insecure Direct Object Reference
– Security Misconfiguration
– Sensitive Data Exposure
– Missing Function Level Access Control
– Cross-Site Request Forgery (CSRF)
– Using Components with Known Vulnerabilities
– Unvalidated Redirects and Forwards

Security Controls & Mechanism

Security Control
– Application Layer
– Network Layer
Application Layer
– Input Validation
– Session Management
– Authentication Method
– Strong Policy (such as password policy)
– Same-Origin Policy
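The slide only names the application-layer controls. As an added example (not code from the slide deck or from i-secure), the Python below shows what three of them look like in practice: allow-list input validation that rejects rather than "cleans" input, a session store with CSPRNG-generated ids, inactivity expiry, rotation after login and the cookie flags a session cookie should carry, and the (scheme, host, port) comparison that defines an origin under the Same-Origin Policy. Every name, regex, limit and sample value here is an assumption chosen for illustration.

```python
"""
Added example, not from the original slide deck: minimal defensive
implementations of three application-layer controls named on the slide
(input validation, session management, Same-Origin Policy).
All names, limits and inputs are constructed for illustration.
"""
import re
import secrets
import time
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# --- Input validation: allow-list, reject on mismatch ----------------------
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")  # assumed username policy


def validate_username(value) -> bool:
    """Accept only what the allow-list describes; never try to repair input."""
    return isinstance(value, str) and USERNAME_RE.fullmatch(value) is not None


def validate_record_id(value, max_id: int = 1_000_000) -> Optional[int]:
    """Parse an identifier strictly: ASCII digits only, inside a known range."""
    if not isinstance(value, str) or not value.isascii() or not value.isdigit():
        return None
    n = int(value)
    return n if 1 <= n <= max_id else None


# --- Session management: random ids, expiry, rotation, cookie flags ---------
SESSION_TTL = 15 * 60  # assumed idle timeout in seconds


class SessionStore:
    """In-memory session store; `now` is injectable so expiry can be tested."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._sessions: Dict[str, dict] = {}

    def create(self, user: str) -> str:
        """Session id from the OS CSPRNG; never derived from user data."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str) -> Optional[str]:
        """Return the user for a live session, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > SESSION_TTL:
            del self._sessions[sid]  # idle too long: drop it
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def rotate(self, sid: str) -> Optional[str]:
        """Issue a fresh id after login or privilege change (anti-fixation)."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = entry
        return new_sid


def session_cookie(sid: str) -> str:
    """Set-Cookie value with the attributes a session cookie should carry."""
    return f"session={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"


# --- Same-Origin Policy: an origin is (scheme, host, port) ------------------
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> Optional[Tuple[str, str, int]]:
    """Normalise a URL to its origin tuple, or None for unsupported schemes."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a is not None and a == b
```

The design point in each part is the same: decide what is acceptable up front and refuse everything else. Validation compares against an allow-list instead of stripping "bad" characters, session ids carry no user-derived information and are replaced whenever the privilege level changes, and origin comparison treats a different scheme or port as a different site even when the host is identical.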
Network Layer
– Firewall
– Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
– Web Application Firewall (WAF)
– Centralized Log Server

Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php

Questions
www.i-secure.co.th