I have always been interested in web security since web applications offer a big attack surface and I am personally fascinated by the creativity and passion the attackers show.
Therefore you will read much more about security on this blog in the near future. ;-)

Yesterday I visited a dissertation arranged by the Java User Group Karlsruhe in the building of the University of Karlsruhe. Software Architect Patrick Schemitz from Netpioneer GmbH talked about Web Application Security Auditing.

Here are my notes:

  • In case of non-targeted attacks, your server or application does not have to be absolute secure, just more secure than others. ;-)
  • The German Federal Ministry has defined an interesting security layer model (PDF, german).
  • Parallel to this layer is the layer of responsibility: from IT services over software developers to the end user.
  • Techniques

    1. Server

      • SQL injection
      • Code injection (buffer overflow)
      • SMTP injection
    2. Client

      • Cross side scripting
      • Session hijacking
      • Session riding
  • Demos

    1. Server

      • PHP: register_globals, eval()
      • Perl: system()
      • SQL: two queries are build on one, skipping code by using a SQL comment
    2. Client

      • Reflected XSS: Manipulate input through URL to poison HTML sent from server
      • Persistent XSS: Manipulate input which is stored on server and can be delivered every time
      • Session hijacking if session data is stored in URL
  • Counteractions

    1. Do not trust the user input.
    2. Filter input in different ways for database and frontend.
    3. Avoid eval() and system().
    4. Search for dangerous files (backups with different file extension, test files etc.) in the webserver's document root.
    5. Security analytic tools do not find many holes.