Scribd
Upload
70 views7 pages

Web App Security: Core Defenses

The document discusses core defense mechanisms for web applications: 1) It outlines handling user access to prevent unauthorized access through proper authentication, session management, and access control. 2) It covers handling user input to prevent malformed input from causing issues, including approaches like rejecting known bad inputs, accepting known good inputs, sanitization, and safe data handling. 3) It mentions validating user input at boundaries within each component of the server-side application rather than just the client-side or server-side overall.

Uploaded by

Zain Alabeeden Alareji
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
70 views7 pages

Web App Security: Core Defenses

The document discusses core defense mechanisms for web applications: 1) It outlines handling user access to prevent unauthorized access through proper authentication, session management, and access control. 2) It covers handling user input to prevent malformed input from causing issues, including approaches like rejecting known bad inputs, accepting known good inputs, sanitization, and safe data handling. 3) It mentions validating user input at boundaries within each component of the server-side application rather than just the client-side or server-side overall.

Uploaded by

Zain Alabeeden Alareji
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Web Security

Lecture 
Web Application
Defense Mechanism (I)
Core Defense Mechanisms

  Know who is your enemy


  The following are defense mechanisms employed by
web applications
–  Handling user access to the applications data and functionality,
to prevent users from gaining unauthorized access
–  Handling user input to the applications functions, to prevent
malformed input from causing undesirable behavior
–  Handling attackers, to ensure that the application behaves
appropriately when being directly targeted, taking suitable
defensive and offensive measures to frustrate the attacker
–  Managing the application itself, by enabling administrators to
monitor its activities and configure its functionality
Handling User Access

  There are often many different types of users of a


web site:
–  Anonymous users
–  Ordinary authenticated users
–  Administrative users
  The access each type of user has is based on three
components:
–  Authentication
–  Session management
–  Access control
  A defect in any one of the above components may
enable an attacker to gain unrestricted access to the
applications functionality and data.
User Access Security Components
  Authentication
–  Establishing that a user is in fact who he claims to be
–  Most applications use a username and password.
–  Attackers can identify other users usernames, guess their passwords, or
bypass the login function altogether by exploiting defects in its logic.
  Session Management
–  Web application issues an authenticated user a token that identifies the
session because the data in the session is stored on the server.
–  Attackers attempt to compromise the tokens issued to other users by
guessing the tokens issued to other users or capturing other users tokens.
  Access Control
–  Authenticated users may only be able to access specific areas of a site,
such as only being able to read their own email after logging in
successfully.
–  Attackers can gain unauthorized access to data and functionality by
exploiting programmers who have made flawed assumptions about how
users will interact with the application.
Handling User Input
  Approaches to Input Handling
–  Reject Known Bad
  Match literal strings that are known to be used in attacks.
–  Accept Known Good
  Match literal strings that are known to be only benign input.
–  Sanitization
  Remove characters that could potentially be malicious but accept everything
else.
–  Safe Data Handling
  Instead of only validating the input, ensure the processing that is performed is
inherently safe, such as by parameterizing queries for database access (which
prevents SQL injection).
–  Semantic Checks
  The data submitted is not malformed, but just malicious, such as a user
changing the bank account number in a hidden form field to try to access
another users account
Boundary Validation

  Instead of only validating input on the client side or


on the server side, validate input within each
individual component or functional unit of the server-
side application.
Boundary Validation

You might also like