Web Architecture - Mechanism and Threats

This slide deck is my presentation at the 2600Thailand Meeting.
Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin, Senior Security Researcher
CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
© Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.

~# whoami
 Name: Sumedt Jitpukdebodin (สุเมธ จิตภักดีบดินทร์)
 My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
 Jobs
– I-SECURE Co., Ltd. – Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles at http://packetstormsecurity.com/files/author/9011/ and please google my name.
– Many Thai articles, please google my Thai name.
– Book: “Hacking & Security Book: Network Security หนังสือฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ”
 Hobbies: Penetration Testing, Hacking, Reading Info Security, Playing Games, Traveling around the world, Writing Articles, Teaching and more...

Agenda
 Web Architecture
 Web Architecture Attack
 Security Controls & Mechanism

Web Architecture

Basic Web Architecture
 Two Tier Architecture
– The web browser displays the content returned by the web server
– The web server provides resources to the client

HTML
 HTML (Hyper Text Markup Language)
– Document layout language
– Viewed using a web browser

URI
 URI (Uniform Resource Identifier)

URI (2)
 URL (Uniform Resource Locator)
 URN (Uniform Resource Name)

HTTP
 HTTP (Hyper Text Transfer Protocol)
 HTTP is an application-layer protocol.
 HTTP communication has two parts: HTTP Request and HTTP Response.

HTTP (2)
 Request Message
– Request line
– Request headers
– An empty line
– An optional message body

HTTP (3)

Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT

Safe Method
 Safe methods (defined as read-only on the server):
– HEAD
– GET
– OPTIONS
– TRACE
 Not safe (may change server state):
– POST
– PUT
– DELETE
– CONNECT
Status Code
 Success: 2xx
 Redirection: 3xx
 Client-Side Error: 4xx
 Server-Side Error: 5xx

HTTP Session State
 HTTP is a stateless protocol
 Solutions
– Cookies
– Sessions
– Hidden variables
– URL-encoded parameter (/index.php?session_id=$session_code)

Web Architecture Extension
 Two-tier architecture is not enough
 Common Gateway Interface (CGI)
 Standard protocol for interfacing a web server with external application software
 CGI programs are executable programs that run on the web server.

Javascript
 Scripting language designed for dynamic, interactive web applications
 Runs on the client side.
 Preprocesses data on the client before submission to a server.
 Changes content type and styles

Three tier web architecture

Making HTTP Stateful (2)
 Cookie
 Text stored on a client’s computer by the web browser.
 Sent as an HTTP header
 Can be used for authentication and session tracking
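The HTTP Session State and Making HTTP Stateful slides list cookies and server-side sessions as the way to carry state over a stateless protocol. The code below is an added example for this page, not code from the deck: it keeps the session record on the server, hands the browser only a random identifier in a cookie carrying the HttpOnly, Secure and SameSite attributes, and resolves the Cookie request header back to a user while enforcing an idle limit. The cookie name `sid`, the 900-second limit and the user names are constructed values. Keeping the identifier in a cookie rather than in the URL (the `session_id` query parameter on the slide) keeps it out of Referer headers, browser history and web server access logs.

```python
# Added example (not from the deck): server-side sessions keyed by a random
# cookie value, using only the Python standard library.
import secrets
import time
from http.cookies import SimpleCookie
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 900          # constructed idle limit
COOKIE_NAME = "sid"                # constructed cookie name

# Server-side session table: cookie value -> {"user": ..., "expires": ...}
_sessions: Dict[str, Dict[str, object]] = {}


def create_session(user: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Start a session and return (session_id, Set-Cookie header value)."""
    now = time.time() if now is None else now
    # 256 bits from the OS CSPRNG: unguessable, and it carries no user data itself.
    sid = secrets.token_urlsafe(32)
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL_SECONDS}

    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    cookie[COOKIE_NAME]["httponly"] = True    # not readable by client-side script
    cookie[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Lax"   # not attached to most cross-site requests
    cookie[COOKIE_NAME]["path"] = "/"
    return sid, cookie.output(header="").strip()


def user_from_cookie_header(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Resolve the Cookie request header to a user, or None if no valid session."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    session = _sessions.get(morsel.value)
    if session is None:
        return None
    if session["expires"] < now:
        _sessions.pop(morsel.value, None)   # expired: forget it server-side
        return None
    return str(session["user"])


def destroy_session(sid: str) -> None:
    """Logout: invalidate server-side so a copied cookie value is useless afterwards."""
    _sessions.pop(sid, None)


if __name__ == "__main__":
    sid, set_cookie = create_session("alice")
    print("Set-Cookie:", set_cookie)
    print("resolved user:", user_from_cookie_header(f"theme=dark; {COOKIE_NAME}={sid}"))
```

Because the browser only ever holds the identifier, the server can end a session at any time by dropping the record, which is what `destroy_session` does at logout; a client-side-only scheme such as a hidden form variable cannot be revoked that way.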
Server and Client Processing
 Server-Side Processing
– PHP
– ASP
– ASP.NET
– Perl
– J2EE
– Python, Django
– Ruby on Rails
 Client-Side Processing
– CSS
– HTML
– Javascript
– Adobe Flash
– Microsoft Silverlight

AJAX
 Asynchronous Javascript and XML (AJAX)
 Created by Jesse James Garrett, February 18, 2005
 Ajax incorporates XHTML, CSS, Document Object Model (DOM), XML and XSLT, XMLHttpRequest, Javascript

AJAX (2)

AJAX (3)

JSON
 Javascript Object Notation (JSON)
 JSON is a lightweight data interchange format.
 JSON is based on a subset of the Javascript programming language.
 Used as an alternative to the XML format.

JSON Request && Response

JSON (2)

XML
 eXtensible Markup Language
 Used for information exchange.
 The two primary building blocks of XML are elements and attributes.
 Elements are tags and have values.
 Elements are structured as a tree.
 Alternatively, elements may have both attributes and data.
 Attributes help you give more meaning to an element and describe it more efficiently and clearly.

XML (2)
 Tag
 Element
 Content

XML (3)

XML (4)

XML vs JSON
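The XML slides describe a document as a tree of elements, each with a tag, optional attributes and content, and the XML vs JSON slide sets the two formats side by side. As an added example for this page (not from the deck), the code below parses a constructed order document with the standard library, walks the element tree into a plain dictionary that names those three building blocks, and serialises that dictionary as JSON so the same data can be seen in both notations. The document, its tag names and the `sku`/`qty` attributes are all made up for the example.

```python
# Added example (not from the deck): map an XML element tree onto the
# tag / attributes / content structure from the slides, then emit it as JSON.
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# Constructed sample document (not taken from any real system).
SAMPLE_XML = """<order id="1001" status="paid">
  <customer>Alice</customer>
  <item sku="A1" qty="2">Widget</item>
  <item sku="B7" qty="1">Gadget</item>
</order>"""


def element_to_dict(el: ET.Element) -> Dict[str, Any]:
    """One node per element: its tag, its attributes, its text content, its children."""
    node: Dict[str, Any] = {"tag": el.tag}
    if el.attrib:
        node["attributes"] = dict(el.attrib)
    text = (el.text or "").strip()
    if text:
        node["content"] = text
    children: List[Dict[str, Any]] = [element_to_dict(child) for child in el]
    if children:
        node["children"] = children
    return node


def xml_to_json(xml_text: str) -> str:
    """Parse XML text and return the equivalent tree as a JSON string."""
    root = ET.fromstring(xml_text)
    return json.dumps(element_to_dict(root), indent=2)


def total_quantity(xml_text: str) -> int:
    """Query the tree directly: sum the qty attribute over every <item> child."""
    root = ET.fromstring(xml_text)
    return sum(int(item.get("qty", "0")) for item in root.findall("item"))


if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
    print("total quantity:", total_quantity(SAMPLE_XML))
```

The JSON output makes the slides' point concrete: what XML expresses with tags and attributes, JSON expresses with nested objects and arrays, and no attribute/content distinction exists on the JSON side unless the converter invents one, as this one does with the `attributes` and `content` keys.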
Web Services
 A web service is a software system designed to support machine-to-machine interaction over a network.
 Web services are frequently just Internet Application Programming Interfaces (APIs).
 Web services use HTTP for transmitting messages (RPC, SOAP, REST)

SOAP vs REST
 SOAP (Simple Object Access Protocol)
– Web service based on XML
 REST (Representational State Transfer)
– Web service whose resources are represented in the application's own format

SOAP vs REST

SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html

Web Architecture Attack

Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)

OWASP 2013
 Injection
 Broken Authentication and Session Management
 Cross-Site Scripting (XSS)
 Insecure Direct Object Reference
 Security Misconfiguration
 Sensitive Data Exposure
 Missing Function Level Access Control
 Cross-Site Request Forgery (CSRF)
 Using Components with Known Vulnerabilities
 Unvalidated Redirects and Forwards

Security Controls & Mechanism

Security Control
 Application Layer
 Network Layer

Application Layer
 Input Validation
 Session Management
 Authentication Method
 Strong Policy (such as password policy)
 Same-Origin Policy
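The Application Layer slide names input validation as the first control, and the OWASP 2013 list it follows opens with Injection and Cross-Site Scripting. The code below is an added example for this page (not from the deck) showing what that control looks like in a server-side handler: an allowlist check on a username, a parameterized database query so that user data is never spliced into SQL text, and HTML escaping of free text before it is placed in a page. The in-memory SQLite table, the user names and the username rules (3 to 32 characters of lowercase letters, digits and underscore) are constructed for the example.

```python
# Added example (not from the deck): input validation, parameterized queries
# and output encoding in one small request handler, standard library only.
import html
import re
import sqlite3
from typing import Optional, Tuple

# Allowlist: only the characters a username legitimately needs (constructed rule).
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def validate_username(value: str) -> str:
    """Reject anything outside the allowlist; quotes, angle brackets, spaces never pass."""
    if not USERNAME_RE.fullmatch(value):
        raise ValueError("username must be 3-32 chars: lowercase letters, digits, underscore")
    return value


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn


def find_user(conn: sqlite3.Connection, username: str) -> Optional[Tuple[int, str]]:
    """Parameterized query: the driver binds the value, so it is data, not SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchone()


def render_greeting(display_name: str) -> str:
    """Output encoding: escape untrusted text before inserting it into HTML."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}!</p>"


def handle_profile_request(conn: sqlite3.Connection, raw_username: str) -> str:
    """Validate, then query, then encode: the order the slides' controls run in."""
    username = validate_username(raw_username)     # raises on bad input
    row = find_user(conn, username)
    if row is None:
        return "<p>No such user.</p>"
    return render_greeting(row[1])


if __name__ == "__main__":
    db = make_db()
    print(handle_profile_request(db, "alice"))
    try:
        handle_profile_request(db, "alice' OR 1=1--")
    except ValueError as err:
        print("rejected:", err)
```

Each of the three functions defends a different sink: validation narrows what enters the application, parameter binding protects the database layer even for inputs that pass validation, and escaping protects the browser. Leaving out any one of them is how the Injection and XSS entries on the OWASP list arise.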
Network Layer
 Firewall
 Intrusion Detection System / Intrusion Prevention System (IDS/IPS)
 Web Application Firewall (WAF)
 Centralized Log Server

Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php

Questions
www.i-secure.co.th
© Copyright 2013 ACIS i-secure Co., Ltd. The information contained herein is subject to change without notice.
