
Web Application Hacking & Security

Why Web Application Security?

Application Layer

• Attacker sends attacks inside valid HTTP requests.

• Your custom code is tricked into doing something it should not.

• Security requires software development expertise, not signatures.

Network Layer

• Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests.

• Security relies on signature databases.


Security Misconceptions

“The Firewall protects my web server and database”

• Access to the server through ports 80 and 443 makes the web server part of your external perimeter defense.

• Vulnerabilities in the web server software or web applications may allow access to internal network resources.

“The IDS protects my web server and database”

• The IDS is configured to detect signatures of various well-known attacks.

• Attack signatures do not include those for attacks against custom applications.

“SSL secures my site”

• SSL secures the transport of data between the web server and the user's browser.

• SSL does not protect against attacks against the server and applications.

• SSL is the hacker's best friend due to the false sense of security.


                 
