
Security Issues With Web Based Systems

Security Issues Web Based Systems

Security cannot be treated as an add-on or an afterthought
Security must be integrated into the design
Security should be based on a deny-unless-specifically-allowed policy: nothing is reachable until a rule grants it


Relying on security applied outside the application is insufficient
Any browser-based page that has a URL is reachable by anyone who knows or guesses it
Data in a URL is not secret: it appears in the address bar, in browser history and in proxy and server logs
Hidden fields and unlinked pages can still be found with a little searching


Security should be applied to anything of value
Security should be viewed from a thief's perspective
Security is only as strong as its weakest link
No security system is impregnable

Copyrights and other legal restrictions are weak restrictions


Security must be considered at every point along the data stream
SSL and web security protect the data in transit
Physical security of the hardware that stores and serves the data must be considered as well


SQL Injection
What is it?
A malicious technique in which a value sent to a SQL statement is replaced with text that changes the statement itself, so the database performs a different action from the one intended.

Why does it Happen?


A value sent to a SQL statement is not tested for the proper type or format
No test is applied to verify that an action produced the expected result


SQL Injection
Example
A user name is sent to a page as userName=joe. The page builds a statement like

statement = "SELECT * FROM users WHERE userName = '" + userName + "';"

An injection might send a value like

userName = a' OR 't'='t

This gives a statement of

statement = SELECT * FROM users WHERE userName = 'a' OR 't'='t';

Instead of a specific record, it returns every record, because 't'='t' is always true. A test that exactly one record came back would make this particular injection fail, but only as a backstop: the value still reached the database as SQL syntax.



SQL Injection
Example
An injection might send a value like
userName = a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't

This gives a statement of


statement = SELECT * FROM users WHERE userName = 'a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't';

Instead of a specific record, it drops the users table entirely and then shows every row of the data table. This works only on a connection that accepts several statements in one call (stacked queries); many drivers refuse that, but do not rely on it as a defence. A test for the proper format of userName (for example, letters and digits only) would have rejected the value before it reached the statement.


SQL Injection
Prevention
Use arguments to pass values

UPDATE dbo.Insurance SET Zipcode = :new.Zipcode, Phone = :new.Phone WHERE IdInsurance = :old.IdInsurance

:new.Zipcode, :new.Phone and :old.IdInsurance are Alpha Five arguments

The method that sets an argument tests it for the proper value type and format
The SQL statement itself is fixed and refers only to the named arguments; a value is never spliced into the statement text, so it cannot become SQL syntax

Test the value type and format of any value sent to a statement
If the value should be a plain text string, define what it may contain (an allow-list of characters and a maximum length) and reject anything else; rejecting only a list of known-bad characters such as the quote is weaker

Test for the proper return values and actions
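The two payloads from the preceding slides and the three defences listed here (typed arguments, a format test, a result test), worked through as an added example that is not from the slides and not Alpha Five code. It uses Python's sqlite3 module in place of Alpha Five arguments; the users and data tables, their rows and the allow-list pattern for a user name are constructed for the demonstration.

```python
import re
import sqlite3

# The two payloads shown on the slides (constructed test input).
PAYLOAD_ALWAYS_TRUE = "a' OR 't'='t"
PAYLOAD_DROP_TABLE = "a';DROP TABLE users; SELECT * FROM data WHERE 't' = 't"

# Allow-list for a user name (assumption: letters, digits, underscore, 1-32 chars).
USER_NAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def make_db():
    """Build an in-memory sample database (constructed data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT NOT NULL, role TEXT);
        INSERT INTO users (userName, role) VALUES ('joe', 'user'), ('admin', 'admin');
        CREATE TABLE data (k TEXT, v TEXT);
        INSERT INTO data VALUES ('secret', 's3cr3t');
        """
    )
    return conn


def lookup_vulnerable(conn, user_name):
    """String concatenation as on the slide: the value becomes part of the SQL syntax."""
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn, user_name):
    """Fixed statement with a bound argument: the value stays data and never becomes syntax."""
    statement = "SELECT * FROM users WHERE userName = ?;"
    return conn.execute(statement, (user_name,)).fetchall()


def user_name_is_valid(user_name):
    """Type and format test. An allow-list of what a user name may contain is
    stronger than rejecting a list of known-bad characters such as the quote."""
    return isinstance(user_name, str) and USER_NAME_RE.fullmatch(user_name) is not None


def lookup_checked(conn, user_name):
    """All three defences together: validate the format, bind the value, test the result."""
    if not user_name_is_valid(user_name):
        raise ValueError("user name has an unexpected format")
    rows = lookup_parameterized(conn, user_name)
    if len(rows) > 1:
        raise RuntimeError("a user-name lookup must return at most one record")
    return rows


def execute_refuses_stacking(conn, user_name):
    """sqlite3's execute() rejects more than one statement per call, so the DROP TABLE
    payload fails here. That is a property of this driver, not a defence to rely on."""
    try:
        lookup_vulnerable(conn, user_name)
    except (sqlite3.Warning, sqlite3.ProgrammingError):  # exception type varies by Python version
        return True
    return False


def run_stacked(conn, user_name):
    """Same concatenation on a driver that allows stacked statements (executescript
    stands in for such a driver): the injected DROP TABLE really runs."""
    statement = "SELECT * FROM users WHERE userName = '" + user_name + "';"
    conn.executescript(statement)


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?;", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "joe"))
    print("vulnerable, always-true payload:", lookup_vulnerable(db, PAYLOAD_ALWAYS_TRUE))
    print("parameterized, always-true payload:", lookup_parameterized(db, PAYLOAD_ALWAYS_TRUE))
    print("format test rejects payload:", not user_name_is_valid(PAYLOAD_ALWAYS_TRUE))
    print("execute() refuses stacked payload:", execute_refuses_stacking(db, PAYLOAD_DROP_TABLE))
    run_stacked(db, PAYLOAD_DROP_TABLE)
    print("users table still exists after stacked payload:", table_exists(db, "users"))
```

The bound argument in lookup_parameterized is what makes the always-true payload return nothing: the database looks for a user literally named a' OR 't'='t. The format test in user_name_is_valid rejects both payloads before any statement runs, and the record-count test in lookup_checked is the backstop the slides describe. run_stacked shows why the format test matters even where a driver refuses stacked statements: switch drivers and the DROP TABLE goes through.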

Alpha Five Web Security System



How Does it Work?

Alpha Five Web Security is an access control system
Deny unless authorized at the file (page) level
Checks every file request
It is not a data filtering system, although it can be used to create filters based on user roles
Security can be applied to a single file in the web project, to any folder, or by file extension
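The file-level, deny-unless-authorized model described above, as an added illustration written for this page. It is not Alpha Five's code and does not use its configuration format or Xbasic functions: the rule kinds (file, folder, extension), the group names and the sample paths are assumptions made for the example. It shows what a per-request check has to do to enforce such a policy: normalise the requested path before matching, pick the most specific matching rule, and deny when no rule applies at all.

```python
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One permission: who may request a file, a whole folder, or every file with an extension."""
    kind: str          # "file", "folder" or "ext" (assumed rule kinds)
    target: str        # "/admin/users.a5w", "/admin/" or ".a5w"
    groups: frozenset  # groups allowed; "*" means everyone, including anonymous visitors


# Hypothetical policy for a small web project (constructed for this example).
RULES = [
    Rule("ext", ".a5w", frozenset({"*"})),                  # any page is public...
    Rule("folder", "/admin/", frozenset({"admins"})),       # ...except the admin folder
    Rule("file", "/admin/help.a5w", frozenset({"*"})),      # one public page inside it
    Rule("folder", "/reports/", frozenset({"managers", "admins"})),
]

# Lower rank wins when several rules match; a longer target wins within a rank.
_KIND_RANK = {"file": 0, "folder": 1, "ext": 2}


def normalize_path(request_path):
    """Canonical form of the requested path, so '..' segments, doubled slashes,
    query strings and letter case cannot be used to slip past a folder or file rule."""
    path = request_path.split("?", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/")).lower()


def _matches(rule, path):
    target = rule.target.lower()
    if rule.kind == "file":
        return path == target
    if rule.kind == "folder":
        return path.startswith(target.rstrip("/") + "/")
    if rule.kind == "ext":
        return path.endswith(target)
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def is_allowed(rules, request_path, user_groups):
    """Check one file request. Returns False when no rule covers the file at all
    (deny unless specifically allowed) or when the most specific rule excludes the user."""
    path = normalize_path(request_path)
    matched = [r for r in rules if _matches(r, path)]
    if not matched:
        return False
    rule = min(matched, key=lambda r: (_KIND_RANK[r.kind], -len(r.target)))
    return "*" in rule.groups or not rule.groups.isdisjoint(user_groups)


if __name__ == "__main__":
    for path, groups in [
        ("/index.a5w", {"anonymous"}),
        ("/admin/users.a5w", {"anonymous"}),
        ("/admin/users.a5w", {"admins"}),
        ("/admin/help.a5w", {"anonymous"}),
        ("/admin/../admin/users.a5w", {"anonymous"}),
        ("/ADMIN//users.A5W?id=1", {"anonymous"}),
        ("/reports/q1.a5w", {"managers"}),
        ("/data/secret.txt", {"admins"}),
    ]:
        verdict = "allow" if is_allowed(RULES, path, groups) else "deny"
        print(f"{path:30} {sorted(groups)} -> {verdict}")
```

The two cases worth noticing are the last two attempts on the admin folder and the request for /data/secret.txt: the first are denied only because the path is normalised before the folder rule is applied, and the last is denied although nobody wrote a rule for it, which is what deny-unless-allowed means in practice.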


Security can be applied to component elements and actions
Security is integrated into the server technology
Alpha Five Web Security is highly configurable


Security data is saved in isolated data tables
The tables are published to the same folder as the web pages
The tables are not placed in the same location as the other data tables
The server prevents direct access to the tables
The data in the tables on the server is not the same as the data shown in the desktop Users and Groups dialog


Security data can be linked to other user tables
The ulink field
The security session variable

All login processes and authorization processes are integrated into the system code and never exposed to the user



Building a Web Security System

Configuring the Web Security
Entering initial values for users and groups
Setting permissions

Publishing the web security

Maintaining web security data
From the desktop
From the web

Web security Xbasic functions
