Cybsec Security Systems
Web Application Security

Seminar Objectives:

  • Present the main aspects of Web application security.
  • Point out Web application weaknesses and the fundamentals of defensive programming against internal and external attacks.
  • Highlight Web server weaknesses and the fundamentals of a secure, defense-oriented configuration against internal and external attacks.
  • Learn the techniques used by potential intruders and how to protect against them.
  • Use the tools employed in Web application attacks and audits.

Developed for:

  • Heads of computer security; computer security administrators, officers and managers; Web application auditors; Web application and Web server administrators; and Web application programmers.

Agenda:

1. Introduction to the HTTP protocol

  • Web architecture.
  • HTTP header.
  • HTTP methods.
  • HTTP authentication.
  • HTTPS protocol (HTTP over SSL).
  • Cookies.
  • WebDAV.
  • WebServices.

2. Web Server Configuration: Apache, Microsoft Internet Information Server and Tomcat Application Server.

  • Banners.
  • Directory Indexing.
  • HTTP authentication.
  • HTTP method restriction.
  • SSL (HTTPS) implementation.
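The three configuration items above (banners, directory indexing, HTTP method restriction) are exactly what a scanner such as Nikto looks for in a server's responses. The following Python script is an added example, not seminar material or Cybsec code: it parses three constructed HTTP responses (invented for this example, not captured from any real host) and reports the weaknesses a hardened configuration should have removed. The set of "expected" methods is an assumption for a plain content-serving site.

```python
import re

# Constructed responses (not captured from any real host) standing in for
# what a HEAD, an OPTIONS and a GET against a misconfigured server return.
HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.11 (Unix) PHP/5.2.9 mod_ssl/2.2.11\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, PROPFIND\r\n"
    "\r\n"
)
DIRLIST_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Index of /backup</title></head><body>"
    "<h1>Index of /backup</h1><a href=\"site.tgz\">site.tgz</a></body></html>"
)

# Assumed set of methods a plain content-serving site needs; anything else is
# flagged. TRACE enables cross-site tracing, PUT/DELETE/PROPFIND (WebDAV)
# allow writes to the document tree.
EXPECTED_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit(raw):
    """Return the configuration weaknesses visible in one response."""
    _, headers, body = parse_response(raw)
    findings = []
    server = headers.get("server", "")
    # A slash followed by a digit means the banner carries a version string.
    if re.search(r"/\d", server):
        findings.append("version disclosure in Server header: " + server)
    allow = headers.get("allow")
    if allow:
        methods = {m.strip().upper() for m in allow.split(",")}
        risky = sorted(methods - EXPECTED_METHODS)
        if risky:
            findings.append("risky methods enabled: " + ", ".join(risky))
    # Apache's autoindex page titles itself "Index of <dir>".
    if "<title>Index of " in body:
        findings.append("directory indexing enabled")
    return findings


if __name__ == "__main__":
    for name, raw in (("HEAD /", HEAD_RESPONSE),
                      ("OPTIONS /", OPTIONS_RESPONSE),
                      ("GET /backup/", DIRLIST_RESPONSE)):
        print(name, audit(raw))
```

On Apache the corresponding fixes are `ServerTokens Prod` and `ServerSignature Off` for the banner, `Options -Indexes` for directory listings, `TraceEnable off` plus a `<LimitExcept GET POST HEAD>` block for method restriction; on IIS the same method restrictions are applied with URLScan. Note that the directory listing in the third response also exposes a backup archive (site.tgz), the kind of leftover file section 4 below deals with.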

3. Web Penetration Testing tools.

  • Local proxies: Paros, Burp.
  • Vulnerability scanners: Nikto, w3af.
  • HTTP brute forcing: Brutus.
  • Web Services: WsChess, wsStudio.

4. Coding and configuration errors and recommendations.

  • Source code comments and version information.
  • Inclusion of .inc files.
  • Backup files (.bak, .old, .tgz, .zip, etc.).
  • Exposed .mdb (Microsoft Access) database files.
  • Server Side Includes.
  • Hidden HTML fields.
  • Path disclosure and directory listing.
  • Exception handling and error messages.
  • Backend security.

5. Intrusion techniques

  • Java applet and Flash reverse engineering.
  • Parameter files.
  • Null bytes.
  • Gaining server control (cmdasp, phpshell, SQL query).
  • Privilege escalation and session handling: cookies.
  • OS commanding.
  • Path traversal.
  • SQL injection:
      • Table and field listing.
      • Execution of queries.
      • Execution of stored procedures.
      • Advanced techniques: blind SQL injection, file generation.
  • Other attacks.
  • Solutions:
      • Input validation (client-side vs. server-side).
      • Web Services.
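The agenda items on SQL injection (table and field listing), null bytes, path traversal and server-side input validation can be shown together in one small program. What follows is an added example, not seminar material or Cybsec code. It assumes an in-memory SQLite database with an invented schema standing in for the application's backend (sqlite_master plays the role that information_schema plays in MySQL or MSSQL), and an assumed document root `/var/www/files` for a file download handler. Each vulnerable function is shown next to its hardened form.

```python
import posixpath
import sqlite3

# Constructed in-memory database standing in for the application's backend;
# the schema and rows are invented for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'alice', 'h1'), (2, 'bob', 'h2');
        CREATE TABLE products (id INTEGER PRIMARY KEY, title TEXT, price REAL);
        INSERT INTO products VALUES (10, 'widget', 9.5), (11, 'gadget', 19.0);
    """)
    return conn


def search_vulnerable(conn, title):
    # Deliberately vulnerable: the user-supplied title is spliced into the SQL.
    sql = "SELECT title FROM products WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, title):
    # Parameterized query: the driver binds the value, so quotes and UNION
    # in the input are plain data, never SQL.
    rows = conn.execute("SELECT title FROM products WHERE title = ?", (title,))
    return [row[0] for row in rows]


# Payload submitted in the search field to enumerate tables ("table listing").
LIST_TABLES = "' UNION SELECT name FROM sqlite_master WHERE type='table'--"
# Follow-up payload: column definitions of a table found in the first step.
LIST_FIELDS = "' UNION SELECT sql FROM sqlite_master WHERE name='users'--"

WEBROOT = "/var/www/files"   # assumed document root of the download handler


def download_path_vulnerable(name):
    # Deliberately vulnerable: concatenation plus a "safety" extension that
    # ../ walks out of and that a NUL byte cuts off in a C-backed runtime.
    return WEBROOT + "/" + name + ".txt"


def c_runtime_view(path):
    # Models how a C string API sees the path: everything after the first
    # NUL is dropped, so the appended ".txt" disappears.
    return posixpath.normpath(path.split("\x00", 1)[0])


def download_path_hardened(name):
    # Reject NUL outright, then normalise and confirm the result still lies
    # under WEBROOT (a plain string-prefix check would accept /var/www/files2).
    if "\x00" in name:
        raise ValueError("null byte in file name")
    path = posixpath.normpath(posixpath.join(WEBROOT, name + ".txt"))
    if posixpath.commonpath([WEBROOT, path]) != WEBROOT:
        raise ValueError("path escapes the web root")
    return path


if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, LIST_TABLES))   # leaks the table names
    print(search_vulnerable(db, LIST_FIELDS))   # leaks CREATE TABLE users (...)
    print(search_hardened(db, LIST_TABLES))     # []
    p = download_path_vulnerable("../../../etc/passwd\x00")
    print(c_runtime_view(p))                    # /etc/passwd
    print(download_path_hardened("report"))     # /var/www/files/report.txt
```

The `--` at the end of each payload comments out the closing quote the application appends, which is why the string concatenation version accepts it. The hardened download handler validates on the server; a client-side check on the same field would be bypassed simply by sending the request with a local proxy from section 3.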

6. Countermeasures

  • Web server hardening:
      • IISLockdown and URLScan for IIS.
      • mod_security for Apache.
  • PHP hardening:
      • register_globals.
      • safe_mode.
      • include_path.
      • open_basedir.
  • Application server hardening:
      • Hardening ASP and .NET.

7. Web Application Firewall (WAF)

  • Why a WAF is needed.
  • Operation modes.
  • WAF functionalities.
  • SSL handling.
  • Response capabilities.
  • Filtering capabilities.

Registration:

Please contact Claudia Macri (cmacri@cybsec.com) Tel/Fax: (+54-11) 4371-4444.


  ©2009 Cybsec S.A. All rights reserved.