Web Applications Security: What are web applications?
TalTech IT College, Andres Käver, 2018-2019, Fall semester
Web: http://enos.itcollege.ee/~akaver/WebSec
Skype: akaver
Email: akaver@itcollege.ee
Web Applications - overview
- The initial web was just static pages; no dynamic interaction with the user was possible.
- CGI (Common Gateway Interface) was developed: it allows input from the user to be sent to an external program/script, and the result is then rendered back to the user.
- CGI is very rare now, but the concept is the parent of all current web technologies.
WebApp - Technologies
CGI - mostly not used today.
- Very fast; applications are written in C/C++.
- Low-level languages have no direct HTML output.
- The write-compile-deploy cycle is slow.
- CGI does not support session/authorization controls.
- The language barrier is high.
- C and C++ suffer from buffer overflows and resource leaks.
WebApp - Technologies
Filters - low-level components (C/C++) living within the execution context of the web server itself.
- Apache server modules, MS ISAPI.
- Perl, PHP, MS ASP.
WebApp - Technologies
Scripting - interpreters run script code within the web server process.
- Not compiled: the write-deploy-run cycle is quicker.
- Usually do not suffer from buffer overflows or resource leaks.
- Most are not strongly typed and do not promote good programming practices.
- Slower.
- As apps grow, the codebase becomes unmaintainable.
- Multi-tier large-scale apps are hard to implement.
- ASP, Perl, Python, PHP, …
WebApp - Technologies
Application frameworks - J2EE, ASP.NET
J2EE
- Fast (almost on the level of C++)
- Large distributed apps
- Session and auth controls
- Strongly typed: prevents many common security and programming issues
- Hard to learn (similar to C)
WebApp - Technologies
MS ASP.NET framework, just-in-time MSIL compiler
- Many of the J2EE problem areas are improved
- Easier to do smaller apps
- Supports many languages, garbage collection, buffer overflow protection
- Fast (near to C++ speed); ASP.NET Core is even faster
- Strongly typed
- Used to be Windows-centric, but not anymore: native support on most platforms (.NET Core)
WebApp - small scale apps
- Most applications are small/medium scale.
- The usual architecture is a simple linear procedural script.
- Can be written in any language/platform (rarer on J2EE or ASP.NET).
- Easy to write; fewer skills are needed to maintain the code.
- Many typical issues:
  - Dynamic DB queries constructed from direct user input
  - Bad user input validation
  - Poor error handling
  - Weak session/auth control
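The first typical issue above, a query assembled from raw user input, shown beside its parameterized form. This is an added example written for this page, not code from the lecture; it uses Python's sqlite3 module with a constructed in-memory users table.

```python
import sqlite3

# Constructed sample data (not from the lecture): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "ob@example.test"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_dynamic(conn, username):
    """Typical small-app pattern: SQL text built from raw user input.
    The input becomes part of the SQL grammar, so a quote inside it
    can change the query's structure or simply break the statement."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username):
    """Hardened form: the value travels separately from the statement,
    so the driver always treats it as data, never as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both variants on the same input; return (dynamic_result, safe_result).
    A database error from the dynamic variant is returned as an 'error: ...' string
    instead of raising, so the two behaviours can be inspected side by side."""
    conn = make_db()
    try:
        dynamic = find_user_dynamic(conn, username)
    except sqlite3.Error as exc:
        dynamic = f"error: {exc}"
    safe = find_user_parameterized(conn, username)
    conn.close()
    return dynamic, safe
```

For an ordinary name both variants agree; for a name containing an apostrophe the dynamic query fails with a syntax error, and for input that closes the quote and appends a tautology it returns every row, while the parameterized query returns exactly the matching rows (none, in the last case).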
WebApp - large scale apps
- Need a different architecture from that of a simple survey or feedback form.
- A scalable architecture becomes a necessity (rather than a luxury) when the database has more than 5 tables or more than 20-50 functions are provided to the user.
- Often divided into tiers and broken down into re-usable chunks, which allows a distributed application (at the expense of complexity).
- MVC is a common pattern.
- Microservices, Docker: good automatic scalability, high complexity.
THE END
TODO
- Download and modify for your choice of VM engine: OWASP Broken Web Applications Project, https://sourceforge.net/projects/owaspbwa/files/
- Install into Windows: Microsoft Threat Modeling Tool 2016, http://aka.ms/tmt2016