Web architecture mechanism and threats
- 1. © Copyright 2013 i-secure Co., Ltd. The information contained herein is subject to change without notice.
Web Architecture - Mechanism and Threats
Sumedt Jitpukdebodin
Senior Security Researcher
CompTIA Security+, LPIC-1 , NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE
- 2. © Copyright 2013 i-secure Co., Ltd. The informationcontained herein is subject to change without notice.
~# whoami
Name: Sumedt Jitpukdebodin(สุเมธ จิตภักดีบดินทร์)
My blog: http://www.r00tsec.com, http://twitter.com/materaj, https://www.facebook.com/hackandsecbook
Jobs
– I-SECURE Co., Ltd.
– Research and Development Engineer, Senior Web Application Security Specialist, Senior Security Researcher
– Writer
– English articles at http://packetstormsecurity.com/files/author/9011/ (or search for my name).
– Many Thai articles; search for my Thai name.
– Book: “Hacking & Security Book: Network Security” (Thai subtitle: the edition for stepping into penetration testing and system defense)
Hobbies: penetration testing, hacking, reading about information security, playing games, traveling around the world, writing
articles, teaching and more...
- 3.
Agenda
- 4.
Agenda
Web Architecture
Web Architecture Attack
Security Controls & Mechanism
- 5.
Web Architecture
- 6.
Basic Web Architecture
Two-Tier Architecture
– The web browser displays the content returned by the web server
– The web server provides resources to the client
- 7.
HTML
HTML (HyperText Markup Language)
– Document layout language
– Viewed using a web browser.
- 8.
URI
URI (Universal Resource Identifier)
- 9.
URI(2)
URL (Universal Resource Locator)
URN (Universal Resource Name)
- 10.
HTTP
HTTP (HyperText Transfer Protocol)
HTTP is an application-layer protocol.
HTTP communication has two directions: the HTTP request and the HTTP response.
- 11.
HTTP(2)
Request Message
– Request line
– Request headers
– An empty line
– An optional message body
- 12.
HTTP(3)
- 13.
Request Method
– HEAD
– GET
– POST
– PUT
– DELETE
– TRACE
– OPTIONS
– CONNECT
- 14.
Safe Methods
– HEAD
– GET
– OPTIONS
– TRACE
Unsafe Methods
– POST
– PUT
– DELETE
– CONNECT
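The request message layout (request line, headers, empty line, optional body) and the safe/unsafe split above map directly onto a parser. The following is an added example, not code from the slides: it parses a raw HTTP/1.1 request strictly, rejecting malformed lines rather than guessing, and classifies the method using the safe set RFC 7231 defines (GET, HEAD, OPTIONS, TRACE). The sample request bytes are constructed here.

```python
"""Strict parser for a raw HTTP/1.1 request message (added example)."""
from typing import Dict, Tuple

# RFC 7231 "safe" methods: they must not change server state.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS", "TRACE"})
# The remaining methods from the slide; treated as state-changing.
KNOWN_METHODS = SAFE_METHODS | {"POST", "PUT", "DELETE", "CONNECT"}

# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"user=alice&password=secret1"
)


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Split a request into (method, target, version, headers, body).

    Headers end at the first empty line; everything after it is the optional
    body. Anything malformed raises ValueError, the safer default when the
    input is untrusted.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no empty line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")

    # Request line: exactly three space-separated tokens.
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    if method not in KNOWN_METHODS:
        raise ValueError(f"unknown method: {method}")
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError(f"unsupported version: {version}")

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # RFC 7230: whitespace between the field name and the colon is invalid.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.lower()] = value.strip()

    # Trust only as many body bytes as Content-Length declares.
    length = int(headers.get("content-length", "0"))
    if length < 0 or length > len(body):
        raise ValueError("body does not match Content-Length")
    return method, target, version, headers, body[:length]


def is_safe_method(method: str) -> bool:
    """True for methods that must not change server state."""
    return method.upper() in SAFE_METHODS


def is_well_formed(raw: bytes) -> bool:
    """Convenience wrapper: True if parse_request accepts the message."""
    try:
        parse_request(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    method, target, version, headers, body = parse_request(SAMPLE_REQUEST)
    print(method, target, version, "safe" if is_safe_method(method) else "unsafe")
    print(headers, body)
```

The safe/unsafe distinction matters for defenders: state-changing actions reachable via GET are what make CSRF and link-based attacks trivial, so a server should only act on POST/PUT/DELETE for anything that modifies data.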
- 15.
Status Code
Success: 2xx
Redirection: 3xx
Client-Side Error: 4xx
Server-Side Error: 5xx
- 16.
HTTP Session State
HTTP is a stateless protocol
Solutions
– Cookies
– Sessions
– Hidden variables
– URL-encoded parameter (/index.php?session_id=$session_code)
- 17.
Web Architecture Extension
Two-tier architecture is not enough
Common Gateway Interface (CGI)
A standard protocol for interfacing external application software with
a web server
CGI programs are executable programs that run on the web server.
- 18.
JavaScript
Scripting language designed for dynamic, interactive web applications
Runs on the client side.
Preprocesses data on the client before submission to a server.
Changes content types and styles
- 19.
Three-tier web architecture
- 20.
Making HTTP stateful (2)
Cookie
Text stored on the client's computer by the web browser.
Sent as an HTTP header
Can be used for authentication and session tracking
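The "Sessions" and "Cookies" solutions to HTTP statelessness (the HTTP Session State slide and this Cookie slide) are usually combined: the server keeps the session data and the browser only carries an opaque, random session id in a cookie. The following is an added example, not code from the slides, and it assumes a framework-free, in-memory session store and a per-process server key to stay runnable. It shows why a cookie is preferred over the URL-parameter variant (/index.php?session_id=...): the cookie can be marked HttpOnly, Secure and SameSite, whereas an id in the URL leaks through Referer headers, browser history and server logs.

```python
"""Server-side sessions with an opaque id carried in a hardened cookie (added example)."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

SESSION_LIFETIME = 15 * 60  # seconds; short lifetimes limit replay of a stolen id
# Assumption for this example: a fresh key per process. A real deployment loads
# it from a secret store so sessions survive restarts and multiple workers.
SERVER_KEY = secrets.token_bytes(32)

# session id -> (user, expiry). The client only ever sees the id, never the data.
_store: Dict[str, Tuple[str, float]] = {}


def _sign(session_id: str) -> str:
    """HMAC over the id so forged ids are rejected before any store lookup."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def create_session(user: str, now: Optional[float] = None) -> str:
    """Register a session for `user` and return the Set-Cookie header value."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
    _store[session_id] = (user, now + SESSION_LIFETIME)
    token = f"{session_id}.{_sign(session_id)}"
    # HttpOnly: unreadable by page scripts (limits XSS cookie theft).
    # Secure: never sent over plaintext HTTP. SameSite=Lax: not attached to
    # most cross-site requests, which shrinks the CSRF surface.
    return f"sid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


def resolve_session(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user bound to the Cookie header's session, or None if invalid."""
    now = time.time() if now is None else now
    cookies = dict(
        part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part
    )
    token = cookies.get("sid")
    if not token or "." not in token:
        return None
    session_id, sig = token.rsplit(".", 1)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(sig, _sign(session_id)):
        return None
    entry = _store.get(session_id)
    if entry is None or entry[1] < now:
        _store.pop(session_id, None)  # expired: drop it so it cannot be reused
        return None
    return entry[0]


def destroy_session(cookie_header: str) -> None:
    """Logout: invalidate server-side, not just by clearing the browser cookie."""
    cookies = dict(
        part.strip().split("=", 1) for part in cookie_header.split(";") if "=" in part
    )
    token = cookies.get("sid", "")
    _store.pop(token.rsplit(".", 1)[0], None)


if __name__ == "__main__":
    set_cookie = create_session("alice")
    print("Set-Cookie:", set_cookie)
    print("resolved:", resolve_session(set_cookie.split(";")[0]))
```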
- 21.
Server and Client Processing
Server-Side Processing
PHP
ASP
ASP.NET
Perl
J2EE
Python, Django
Ruby on Rails
Client-Side Processing
CSS
HTML
JavaScript
Adobe Flash
Microsoft Silverlight
- 22.
AJAX
Asynchronous JavaScript and XML (AJAX)
Created by Jesse James Garrett, February 18, 2005
Ajax incorporates
XHTML, CSS, Document Object Model (DOM), XML and XSLT,
XMLHttpRequest, JavaScript
- 23.
AJAX(2)
- 24.
AJAX(3)
- 25.
JSON
JavaScript Object Notation (JSON)
JSON is a lightweight data interchange format.
JSON is based on a subset of the JavaScript programming language.
Used as an alternative to the XML format.
- 26.
JSON Request && Response
- 27.
JSON(2)
- 28.
XML
eXtensible Markup Language
Used for information exchange.
The two primary building blocks of XML are elements and attributes.
Elements are tags and have values.
Elements are structured as a tree.
Alternatively, elements may have both attributes and data.
Attributes help you give more meaning to an element and describe it
more efficiently and clearly.
- 29.
XML(2)
Tag
Element
Content
- 30.
XML(3)
- 31.
XML(4)
- 32.
XML vs JSON
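To make the XML slides (elements as a tree, attributes plus data) and the JSON slides concrete side by side, here is an added example that is not part of the deck: it walks an XML document with the standard library and emits the equivalent JSON, mapping attributes to "@name" keys, element text to "#text" (or a plain string for leaf elements), and repeated child elements to a list. The XML sample is constructed for the example. The standard-library parser does not fetch external entities, but it will still expand internal entities, so untrusted XML should go through a hardened parser such as defusedxml rather than straight into ElementTree.

```python
"""Convert an XML element tree to the equivalent JSON (added example)."""
import json
import xml.etree.ElementTree as ET
from typing import Any, Dict

# Constructed sample: elements nested as a tree, with attributes and content.
SAMPLE_XML = """<?xml version="1.0"?>
<users>
  <user id="42" role="admin">
    <name>Alice</name>
    <email>alice@example.test</email>
  </user>
  <user id="7" role="user">
    <name>Bob</name>
  </user>
</users>"""


def element_to_data(elem: ET.Element) -> Any:
    """Map one element to JSON-compatible data.

    Attributes become '@name' keys, text content becomes '#text', and child
    elements become keys holding one value or, when a tag repeats, a list.
    A leaf element with only text collapses to that text, so <name>Alice</name>
    becomes "Alice".
    """
    out: Dict[str, Any] = {f"@{k}": v for k, v in elem.attrib.items()}
    text = (elem.text or "").strip()
    children = list(elem)
    if text and not children and not out:
        return text
    if text:
        out["#text"] = text
    for child in children:
        value = element_to_data(child)
        if child.tag in out:
            # Second occurrence of a tag: promote the entry to a list.
            if not isinstance(out[child.tag], list):
                out[child.tag] = [out[child.tag]]
            out[child.tag].append(value)
        else:
            out[child.tag] = value
    return out


def xml_to_data(xml_text: str) -> Dict[str, Any]:
    """Parse trusted XML text and return {root_tag: converted_tree}."""
    # ElementTree does not resolve external entities; for untrusted input use
    # defusedxml, which also blocks internal entity expansion bombs.
    root = ET.fromstring(xml_text)
    return {root.tag: element_to_data(root)}


def xml_to_json(xml_text: str) -> str:
    """Same conversion, serialized as indented JSON text."""
    return json.dumps(xml_to_data(xml_text), indent=2)


if __name__ == "__main__":
    print(xml_to_json(SAMPLE_XML))
```

The lossy spots are instructive: XML distinguishes attributes from child elements and preserves element order, while JSON objects only have keys, which is why the "@" and "#text" conventions (and the single-vs-list ambiguity for repeated tags) exist in every such converter.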
- 33.
Web Services
A web service is a software system designed to support machine-to-
machine interaction over a network.
Web services are frequently used simply as Internet Application
Programming Interfaces (APIs).
Web services use HTTP for transmitting messages (RPC, SOAP, REST)
- 34.
SOAP vs REST
SOAP (Simple Object Access Protocol)
– Web service based on XML
REST (Representational State Transfer)
– Web service whose resources are represented in the application's own format
- 35.
SOAP vs REST
- 36.
SOAP Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
- 37.
REST Example
Reference: http://www.soapui.org/The-World-Of-API-Testing/soap-vs-rest-challenges.html
- 38.
Web Architecture Attack
- 39.
Web Architecture
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
- 40.
Web Architecture Attack
Reference: Web Application Hacking/Security 101 (https://docs.google.com/presentation/d/1fw7fO7kmVTcfXuupGTezSM76cdQH3IbYos5xu95LyMs/edit#slide=id.p)
- 41.
OWASP Top 10 2013
Injection
Broken Authentication and Session Management
Cross-Site Scripting (XSS)
Insecure Direct Object References
Security Misconfiguration
Sensitive Data Exposure
Missing Function Level Access Control
Cross-Site Request Forgery (CSRF)
Using Components with Known Vulnerabilities
Unvalidated Redirects and Forwards
- 42.
Security Controls & Mechanism
- 43.
Security Control
Application Layer
Network Layer
- 44.
Application Layer
Input Validation
Session Management
Authentication Method
Strong policies (such as a password policy)
Same-Origin Policy
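Two of the application-layer controls listed above can be shown in a few lines. The following is an added example, not code from the slides: allow-list input validation (define what a valid value looks like and reject everything else, instead of trying to enumerate bad input) and a same-origin check that compares the scheme, host and port triple the browser's same-origin policy is built on, with default ports normalized so that https://host and https://host:443 compare equal. The validation rules and sample URLs are constructed for the example.

```python
"""Allow-list input validation and a same-origin check (added example)."""
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Only web origins are comparable; anything else (javascript:, data:, file:)
# yields no origin and therefore never matches.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, port), the triple the same-origin policy compares."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname.lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True only when both URLs parse to the same (scheme, host, port)."""
    oa, ob = origin(a), origin(b)
    return oa is not None and oa == ob


# Allow-list patterns (constructed policy for this example):
# usernames are lowercase alphanumerics/underscore, 3-32 chars, letter first.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
# Numeric ids are plain ASCII decimal digits only, bounded in length.
ID_RE = re.compile(r"[0-9]{1,10}")


def validate_username(value: str) -> bool:
    """fullmatch, not search: the whole string must fit the allow-list."""
    return USERNAME_RE.fullmatch(value) is not None


def validate_id(value: str, max_id: int = 10**9) -> Optional[int]:
    """Return the id as an int if it is a bounded positive decimal, else None.

    A regex on the raw string avoids surprises from int() accepting signs,
    whitespace and Unicode digits.
    """
    if ID_RE.fullmatch(value) is None:
        return None
    n = int(value)
    return n if 1 <= n <= max_id else None


if __name__ == "__main__":
    print(same_origin("https://app.example.test/login", "https://app.example.test:443/api"))
    print(same_origin("https://app.example.test/", "http://app.example.test/"))
    print(validate_username("alice_01"), validate_username("Alice; DROP TABLE users"))
    print(validate_id("42"), validate_id("-1"), validate_id("1e3"))
```

Validation like this belongs at the trust boundary (the request handler), and the rejected value should be logged, not echoed back unencoded, since reflecting it is itself an XSS risk.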
- 45.
Network Layer
Firewall
Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
Web Application Firewall (WAF)
Centralized Log Server
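A centralized log server only pays off if something reads the logs. As an added example (not from the slides), here is the kind of detection logic an analyst would run over web server access logs collected centrally: it parses Apache/nginx combined-format lines and flags clients that produce a burst of 4xx responses, the typical footprint of forced browsing or scanning, while counting lines it cannot parse so a broken pipeline is noticed rather than silently ignored. The log lines are constructed for the example and use documentation IP ranges.

```python
"""Flag clients with a burst of 4xx responses in combined-format logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, Optional, Tuple

# Apache/nginx combined log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2013:13:55:36 +0700] "GET /index.php HTTP/1.1" 200 2326
203.0.113.5 - - [10/Oct/2013:13:55:37 +0700] "GET /admin/ HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2013:13:55:37 +0700] "GET /backup/ HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2013:13:55:38 +0700] "GET /test/ HTTP/1.1" 404 512
203.0.113.5 - - [10/Oct/2013:13:55:38 +0700] "GET /private/ HTTP/1.1" 403 512
198.51.100.7 - - [10/Oct/2013:13:56:01 +0700] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [10/Oct/2013:13:56:02 +0700] "GET /account HTTP/1.1" 200 4096
198.51.100.7 - - [10/Oct/2013:13:56:03 +0700] "GET /missing HTTP/1.1" 404 512
this line is not in combined format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text: str, threshold: int = 3) -> Tuple[Dict[str, int], int]:
    """Return ({client_ip: 4xx_count} for clients at/above threshold, unparsed_lines).

    Counting per client rather than globally keeps one noisy scanner from being
    diluted by normal traffic, and the unparsed count is an integrity signal for
    the log pipeline itself.
    """
    errors: Dict[str, int] = defaultdict(int)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["status"].startswith("4"):
            errors[rec["ip"]] += 1
    flagged = {ip: n for ip, n in errors.items() if n >= threshold}
    return flagged, unparsed


if __name__ == "__main__":
    flagged, unparsed = analyze(SAMPLE_LOG)
    for ip, count in flagged.items():
        print(f"ALERT {ip}: {count} client-side errors")
    print(f"{unparsed} line(s) could not be parsed")
```

In a real deployment the threshold would be applied per time window and the alert routed to the SIEM or WAF for rate limiting; the parsing and counting logic stays the same.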
- 46.
Network Layer Diagram
Reference: http://www.umv.co.kr/main_eng/sm_enterprise.php