WEB APPLICATION SECURITY - THREATS AND COUNTERMEASURES

The introduction and adoption of new technologies such as Ajax, Rich Internet Applications and Web Services have changed the dimension of application hacking. We are witnessing new ways of attacking web-based applications, and securing them requires a better understanding of these technologies. The only constant in this space is change. In this dynamically changing scenario in the era of Web 2.0, it is important to understand the new threats that emerge in order to build constructive strategies to protect corporate application assets. Application layers are evolving, and many client-side attack vectors are on the rise, such as Ajax-based XSS, CSRF, widget injections, RSS exploits, mashup manipulations and client-side logic exploitation. At the same time, various new attack vectors are evolving around SOA by targeting SOAP, XML-RPC and REST. It is time to understand these advanced attack vectors and the corresponding defense strategies.

The course is designed by the author of "Web Hacking: Attacks and Defense", "Hacking Web Services" and "Web 2.0 Security - Defending Ajax, RIA and SOA", who brings his experience in application security and research into the curriculum to address these new challenges. This is a hands-on application security class. It features real-life cases, hands-on exercises, new scanning tools and defense mechanisms. Participants will be methodically exposed to a range of different attack vectors and exploits. The instructor will introduce new tools such as wsScanner, scanweb2.0, AppMap and AppCodeScan for more effective pentesting and application audits.

All concepts taught in this class are punctuated with hands-on exercises based on situations observed in real life. The class ends with a challenge exercise: working within a limited time period, participants are expected to analyze the code, identify loopholes, exploit the vulnerabilities present in the applications and suggest appropriate defense strategies.

Student Pre-requisite

None

Software Requirement

Microsoft Windows with .NET Framework

Hardware Requirement

Laptop computer

Course Outline

Application Security Fundamentals and Principles - The evolution of applications, threats to an application, application security trends, the spectrum of application security attacks

Application Components and Protocols - Understanding multilayered application architecture, programming languages used in applications - J2EE, .NET, PHP, etc., inside HTTP, HTML forms and browser interaction, introduction to tools useful for testing applications, Web Server configuration, web server vulnerabilities, fingerprinting web servers and application servers, security controls pertaining to web servers and their deployment

Application Footprinting, Discovery and Profiling - Host and domain discovery, discovering web applications and interfaces, discovering the functional structure of applications from the hacker's viewpoint, advanced techniques, discovering Web services and Web applications, profiling Web services and applications, Ajax fingerprinting, profiling Ajax applications and server-side entry point detection

Application Attack Vectors - Mapping assets to attacks, sifting through HTML source, forcing application-layer errors, information leakage through error messages, source code disclosure, input tampering and input validation attacks, SQL injection and attacks on the database, injecting malicious code and remote command execution, accessing the underlying file system, brute forcing HTTP authentication, brute forcing HTML form authentication, session hijacking, Cross Site Scripting (XSS) attacks, Cross Site Request Forgery (XSRF) attacks

Threat Modeling - Threat analysis, Architecture review, Technologies and Source Code, Threat matrix, Security controls for code, Design analysis and review

Assessment methods - Blackbox, Whitebox, analyzing configuration and deployment issues, Reconnaissance and Vulnerability Assessment, Fingerprinting Web servers and Architectures, Defense strategies - Minimizing the window of opportunity, Leveraging Web mashups and search APIs

Application Attack countermeasures - Security by design, The importance of application security controls in the software development life cycle, Secure coding practices, Protecting data at rest and data in transit, Client side security

An Introduction to Advanced Application Architectures - Refreshing classic application security threats and vulnerabilities, Evolution of application architectures, Web services, SOAP and AJAX, Security model for next generation application architectures, Web Services and SOAP, XML-RPC, AJAX enriched clients, New tools and techniques for attacking advanced application architectures

Advanced Web Attacks - XPath injection, XML and schema poisoning, blind SQL injection, XSS proxy attacks, browser hijacking, intranet scanning, JavaScript exploitation

Whitebox Analysis - Entry points detection, Tracing and Digging, Function and Component dissecting, Threat and Impact analysis

Securing Code and Defense - Fundamentals, controls and strategies, input validation, error handling, session hardening, logs and tracing, traps for hackers, assembly hardening, guarding application code

XML and Web Services - SOAP, XML-RPC and REST-based attacks and security

Web Fuzzing and Exploits - Web application entry points, the art of fault injection, exploit framework (Metasploit), exploiting SQL injection points, building exploits and launching them effectively

Client-side Coding - Ajax and JavaScript analysis, Flash-based application reviews and browser security

About Instructor

Shreeraj Shah, B.E., MSCS, MBA, is the founder of Blueinfy, a company that provides application security services. Prior to founding Blueinfy, he was a founder and board member at Net Square. He also worked with Foundstone (McAfee), Chase Manhattan Bank and IBM in the security space. He is the author of popular books including Web 2.0 Security (Thomson 07), Hacking Web Services (Thomson 06) and Web Hacking: Attacks and Defense (Addison-Wesley 03). In addition, he has published several advisories, tools and whitepapers, and has presented at numerous conferences including RSA, AusCERT, InfosecWorld (Misti), HackInTheBox, Blackhat, OSCON, Bellua, Syscan and ISACA. His articles are regularly published on SecurityFocus, InformIT, DevX, O'Reilly and HNS. He has been quoted as an expert by the BBC, Dark Reading and Bank Technology.