slide 1: Web Applications Security Tutorial
slide 2: Introduction
slide 3: Intro - My background
slide 4: Intro - The Danger
slide 5: Intro - The Danger
slide 6: Intro - The Danger
slide 7: Intro - The Danger
slide 8: Intro - Why is Web Security so difficult?
slide 9: Intro - Why is Web Security so difficult? (cont.)
slide 10: Intro - Embedded Browsers
slide 11: Goals
slide 12: Goals (cont.)
slide 13: General
slide 14: General (cont.)
slide 15: Basic Definitions
slide 16: SSL
slide 17: CGIs - Method="Post" vs. Method="Get"
slide 18: CGIs - Method="Post" vs. Method="Get" (cont.)
slide 19: CGI Environment Variables
slide 20: Displaying Environment Variables
slide 21: Application Setup
slide 22: Application Setup (cont.)
slide 23: Application Setup (cont.)
slide 24: Application Setup (cont.)
slide 25: Freeware
slide 26: FormMail.pl
slide 27: Web Server Maintenance
slide 28: Hardening Hosts
slide 29: Application Design
slide 30: Input to the Server:
slide 31: Input to the Server (cont.)
slide 32: Input to the Server (cont.)
slide 33: Server Languages
slide 34: Maintaining State
slide 35: Maintaining State (cont.)
slide 36: Cookies
slide 37: The Back Button and Caching
slide 38: Replaying logins
slide 39: Maintaining the Web Pages
slide 40: Vulnerabilities
slide 41: Vulnerability - Trusting Hidden Variables
slide 42: Vulnerability - Trusting Hidden Variables (cont.)
slide 43: Vulnerability - Trusting Hidden Variables (cont.)
slide 44: Vulnerability - Trusting Cookies
slide 45: Vulnerability - Buffer Overflows
slide 46: Vulnerability - Buffer Overflows (cont.)
slide 47: Vulnerability - Buffer Overflows (cont.)
slide 48: Vulnerability - Directory Traversal
slide 49: Vulnerability - Directory Traversal (cont.)
slide 50: Vulnerability - Shell escapes
slide 51: Vulnerability - Shell escapes (cont.)
slide 52: Vulnerability - Shell escapes (cont.)
slide 53: Embedded Script Attack
slide 54: Embedded Script Attack (cont.)
slide 55: Character Filtering
slide 56: ISO-8859-1?
slide 57: Cross Site Scripting
slide 58: Cross Site Scripting (cont.)
slide 59: Vulnerability - SQL Passwords
slide 60: Vulnerability - SQL Injection
slide 61: Vulnerability - SQL Injection
slide 62: Vulnerability - 404 Errors
slide 63: Vulnerability - Canonicalization
slide 64: Perl's Taint Mode
slide 65: Perl's Taint Mode (cont.)
slide 66: PHP Security
slide 67: PHP Security (cont.)
slide 68: PHP Security (cont.)
slide 69: PHP Security (cont.)
slide 70: PHP Security (cont.)
slide 71: Address and Account Harvesting
slide 72: Permissions
slide 73: Testing for Vulnerabilities
slide 74: Resources, Books on Security:
slide 75: Resources, Books on Web Security:
slide 76: Resources - On the Web:
slide 77: Resources - On the Web:
slide 78: Resources - CERT on Malicious Tags
slide 79: Resources - Security Mailing lists:
slide 80: Resources - Security Mailing lists (cont.)
slide 81: Resources - System Hardening (cont.)
slide 82: Questions?
"Web Applications Security Tutorial"
Jerry Berkman, September 21, 2003