
Server-side Verification of Client Behavior

Server-side Verification of Client Behavior. Presented by: Sanjeev Kumar Verma SANS – GCIH Paladion October 2010. Topics for discussion…. Introduction Why server-side verification? Does your application perform proper server-side verification?





Presentation Transcript


  1. Server-side Verification of Client Behavior Presented by: Sanjeev Kumar Verma SANS – GCIH Paladion October 2010

  2. Topics for discussion…
     • Introduction
     • Why server-side verification?
     • Does your application perform proper server-side verification?
     • Implementing server-side verification
     • Don’t we need client-side verification then?
     • Case study
     • Conclusion

  3. Introduction
     • What do we mean by the terms “Client” & “Behavior”?
     • “Client” refers to the user interface of an application and can be categorized as:
       • Thin clients
       • Thick clients
     • “Behavior” refers to the client state implied by each client-to-server message (request/response)

  4. Example: Client behavior

  5. Why server-side verification?
     • Client-side verification is never enough
     • Most of the popular attacks are due to weak or no server-side verification of the parameters in the client request. Some of the popular attacks are:
       • SQL Injection
       • Cross-Site Scripting
       • Command Injection
       • Parameter Manipulation
       • Response Splitting
       • Many more…

  6. Example: Parameter Manipulation Attack

  7. Does your application perform proper server-side verification?
     • How to check?
       • Automated tools (partially), e.g. Burp
       • Manual Static Application Security Assessment
       • Manual Dynamic Application Security Assessment

  8. Implementing server-side verification
     • Use white lists for verification
     • Link the user to the session ID and ensure that the parameters in the request belong to the logged-in user
     • Use a checksum
     • Use encryption

  9. Don't we need client-side verification then?
     • No, if proper server-side verification is in place
     • Why client-side verification?
       • Reduces the load on the server
       • Simple
       • Fast
       • Makes an application more interactive

  10. Case study:
     • Parameter Manipulation attack on an online Membership Application Portal
     • Attack: Manipulating the Membership Fee while making the payment
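The following is an added example, not code from the presentation or from Paladion, showing how the controls from slide 8 (white list, session linkage, checksum) close the fee-manipulation hole described in the case study. The price table, session store, membership records and secret are all constructed for the example.

```python
import hmac
import hashlib
from typing import Tuple

# Constructed server-side price table: the only authoritative source for fees.
MEMBERSHIP_FEES = {"basic": 50, "premium": 200}
# Constructed server secret for the checksum; in practice load it from configuration.
SERVER_SECRET = b"constructed-secret-for-example"
# Constructed session store: session id -> logged-in user id.
SESSIONS = {"sess-abc": "user-42"}
# Constructed membership records: membership id -> (owner user id, plan).
MEMBERSHIPS = {"m-1": ("user-42", "premium"), "m-2": ("user-7", "basic")}


def sign_order(membership_id: str, fee: int) -> str:
    """Checksum the server issues with the payment form (slide 8: 'Use a checksum')."""
    msg = f"{membership_id}|{fee}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_payment(session_id: str, params: dict) -> Tuple[bool, str]:
    """Server-side verification of a payment request.

    params is the client-supplied request (membership_id, amount, checksum).
    Returns (accepted, reason); the client's amount is never trusted."""
    user = SESSIONS.get(session_id)
    if user is None:
        return False, "no valid session"
    membership_id = params.get("membership_id", "")
    record = MEMBERSHIPS.get(membership_id)
    # White list: the membership id must be one the server knows about ...
    if record is None:
        return False, "unknown membership"
    owner, plan = record
    # ... and it must belong to the user tied to this session (session linkage).
    if owner != user:
        return False, "membership does not belong to session user"
    # The fee is recomputed from the server-side table, not read from the request.
    expected_fee = MEMBERSHIP_FEES[plan]
    try:
        claimed = int(params.get("amount", ""))
    except ValueError:
        return False, "amount is not an integer"
    if claimed != expected_fee:
        return False, f"amount {claimed} does not match fee {expected_fee}"
    # Constant-time comparison of the checksum issued with the form.
    expected_sig = sign_order(membership_id, expected_fee)
    if not hmac.compare_digest(params.get("checksum", ""), expected_sig):
        return False, "checksum mismatch"
    return True, "accepted"
```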

  11. Case study…….continued…

  12. Case study…….continued…

  13. Case study…….continued…

  14. Case study…….continued…

  15. Case study…….continued…

  16. Conclusion
     • Client-side verification is not sufficient
     • Proper server-side verification is a must
     • With proper server-side verification, most of the popular attacks can be avoided
     • Incorporate security assessment (server-side verification) in SDLC stages
       • Reduced development and testing costs

  17. Questions? Thank you.

  18. Good reads
     • Securing Web Based Payment Systems, http://palisade.plynt.com/issues/2007Mar/secure-web-payment
     • Thick Client Application Security - Defenses, http://palisade.plynt.com/issues/2006May/thick-client-defenses
     • Best Practices in Input Validation, http://palisade.plynt.com/issues/2004Dec/input-validation
     • Catch'em Young - How to discover vulnerabilities early, http://palisade.plynt.com/issues/2004Nov/software-bugs
