OWASP - www.owasp.org - Eugene Chapter
open application security community
Meets every 4th Wed. of each month

--------------

URL Filtering For Web Application Security
...Spiders, Bots, and Scammers
by Larry Price
MoonShadowECommerce
itproforum.com

Filtering URLs to prevent GET-based attacks

Web Apps are... exposed, open, and vulnerable.

What a URL is:
* an entry point into your app
* a function or method call
* a string of characters

Anatomy of a URL
* Protocol - could be many things other than http://: irc, ftp...
* Top level domain - can be spoofed with DNS and replaced with an IP address
* Path - certain things break this part of the URL
* Variables - arguments to the web server. Variables can be injected here to forge AJAX requests

Tools that come with Apache
* mod_rewrite - can be used to filter URLs for known patterns
  ex: RewriteRule ^/graphics/.*\.gif$ - [L]
  can be put in .htaccess if the ISP allows it.

Open And Closed Sets
* Open Set - ^.*$
* Closed Set - ^/mumble/[a-z]{8}$
Avoid open sets (anything is accepted).

A common hack is cross-site request forgery, abbreviated as CSRF ("sea surf") or XSRF, a type of malicious exploit of websites. (thank you wikipedia.)

Why people mess with your site: $$$, Google Juice, use for nefarious purposes.

Tools for testing
* Fuzzers - general known attack vectors and URL patterns
* WebScarab, Burp?
* http://www.owasp.org/index.php/OWASP_Testing_Project
* WebGoat

Important: test for SQL injection, script injection, etc. in actual code.

phpBB is a common target for attacks. Why?

Web application firewalls

Learning resources:
* OWASP - http://www.owasp.org/
* WebGoat with WebScarab
* Books: Gary McGraw, Chris Shiflett, John Villegas
* SANS security
* WASC (Web Application Security Consortium)
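As an added example (not from the talk or any project it mentions), the closed-set idea carried through in Python: each route is an exact path pattern plus the set of query variable names it is allowed to carry, so a request that adds unexpected variables is rejected as well. Note that an Apache RewriteRule pattern matches only the path; the query string must be checked separately (RewriteCond %{QUERY_STRING}), which is the part a path-only rule misses. The /search route and its parameter names are assumptions made for the example; /mumble/ and /graphics/ come from the notes.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Closed sets: each rule names exactly which path shape and which query
# variable names are acceptable. Anything else is rejected.
# The /search route and its parameter names are constructed for this example.
RULES = [
    (re.compile(r"^/mumble/[a-z]{8}$"), frozenset()),         # takes no variables
    (re.compile(r"^/graphics/[\w-]+\.gif$"), frozenset()),    # static images only
    (re.compile(r"^/search$"), frozenset({"q", "page"})),     # only these two names
]

# The anti-pattern from the notes: an open set accepts any path at all.
OPEN_SET = re.compile(r"^.*$")


def allowed(url: str) -> bool:
    """Closed-set filter: True only if the path fully matches one rule and
    every query variable name is in that rule's allowed set."""
    parts = urlsplit(url)
    # Protocol is part of the attack surface too: accept http(s) or a bare path.
    if parts.scheme not in ("", "http", "https"):
        return False
    # Decode once before matching so %-encoded variants cannot slip past a
    # pattern that only sees the raw string.
    path = unquote(parts.path)
    names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    for pattern, params in RULES:
        if pattern.fullmatch(path):
            return names <= params
    return False


def allowed_open(url: str) -> bool:
    """Open-set filter: matches every path and ignores variables entirely."""
    return OPEN_SET.fullmatch(unquote(urlsplit(url).path)) is not None


if __name__ == "__main__":
    # Constructed sample requests, as a spider or fuzzer might send them.
    for u in ["/mumble/abcdefgh", "/mumble/abcdefgh?cmd=1", "/graphics/logo.gif",
              "/graphics/../etc/passwd", "/search?q=owasp&page=2",
              "/search?q=x&debug=1", "ftp://example.org/mumble/abcdefgh"]:
        print(f"{u:40} closed={allowed(u)!s:5} open={allowed_open(u)}")
```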