Introduction to Web Security

After wrangling a bit with a good way to add it to the “services” section, I have added a training section to the site as a top-level section, and should be accessible from the menu at the top of each page. This will wind up being where you can get information on the training and lectures that I present. Very Soon Now, it’ll have information about the SANS courses that I will be teaching on the Mississippi State University campus.

I’ll also be providing materials for many of the lectures and such that I personally create. That is the case with the first entry to this new section. I will be lecturing the Distributed Client-Server Programming class at Miss. State on Tuesday, so I needed a place for the students to download the slides and handouts . Hopefully others will find it interesting as well.

The topic for this lecture is Web Application Security, and it serves as an introduction. The students have been learning how to develop web-based applications in this class, and this should hopefully raise their awareness of the threats their applications will face. There is a low barrier of entry to attacking web apps, and I think this will open their eyes to that fact.

A comprehensive look at the topic would take many days of lecturing, so I’ve limited this to a handful of the most pressing issues that illustrate the problems with untrusted clients and unfiltered input. I cover the problems with obscured interfaces, hidden form elements, client-side filtering, cross-site scripting, SQL injection, session handling, and password storage. These are the problems I see time and time again with the student projects in this class (and production web apps!), so I figure that awareness is a good starting point. Stuffing values into hidden form elements so that you don’t have to retrieve them from the database later when it gets POSTed sounds like a wonderful idea until someone shows you how easy it is to modify that data .

The slides and handouts are available here.