1

Introduction

• Statistics and changes in web-related vulnerabilities according to IBM X-Force and OWASP.
• Changes in protocol and application attacks.
• The world of hackers: Who are they? What are their motives, their means?

2

Components of a Web application.

• Elements of an N-tier application.
• The HTTP front-end server, its role, and its weaknesses.
• The intrinsic risks of these components.
• Major players on the market.

3

The HTTP protocol in detail.

• Refreshers on TCP, HTTP, persistence, and pipelining.
• The PDUs GET, POST, PUT, DELETE, HEAD, and TRACE.
• Header fields, status codes 1xx to 5xx.
• Redirection, virtual host, proxy cache, and tunneling.
• Cookies, attributes, corresponding options.
• Authentications (Basic, Improved Digest, etc.).
• HTTP acceleration, proxy, web balancing.
• HTTP Request Smuggling and HTTP Response Splitting protocol attacks.

4

Vulnerabilities of Web applications

• Why are Web applications more vulnerable?
• Major risks of Web applications according to OWASP (Top Ten 2017).
• “Cross Site Scripting” or XSS attacks Why are they growing? How can they be avoided?
• Injection attacks (injection commands, SQL Injection, LDAP injection, etc.).
• Session attacks (cookie poisoning, session hijacking, etc.).
• Exploiting vulnerabilities on the HTTP front-end (Nimda worm, Unicode exploit, etc.).
• Attacks on standard configurations (Default Password, Directory Traversal, etc.).

5

The network firewall in protecting HTTP applications

• The network firewall, its role, and its functions.
• How many DMZs for an N-Tier architecture?
• Why isn't the network firewall suitable for protecting a Web application?

6

Making flows secure with SSL/TLS

• Reminders of cryptographic techniques used in SSL and TLS.
• Managing your server certificates, the X509 standard.
• What is the new X509 EV certificate good for?
• What certification authority should you choose?
• SSL flow capture and analysis techniques.
• The main vulnerabilities of X509 certificates.
• Using a reverse proxy for SSL acceleration.
• The benefit of HSM crypto-hardware cards.

7

System and software configuration

• Default configuration, the major risk.
• Rules to follow when installing an operating system.
• Linux or Windows. Apache or IIS?
• How do you configure Apache and IIS for optimal security?
• Middleware and the database. VDSs (Vulnerability Detection Systems).

8

Principle of secure development

• Development security: What's the right budget?
• Security in the development cycle.
• The role of client-side code: Security or ergonomics?
• Checking data sent by the client.
• Fighting buffer overflow attacks.
• Development rules to follow.
• How to fight residual risks: Headers, poorly formed URL, cookie poisoning, etc. ?

9

User authentication

• Authentication via HTTP: Basic Authentication and Digest Authentication or application-based authentication (HTML form).
• Strong authentication: X509 client certificate, Token SecurID, Mobilegov Digital DNA, etc.
• Other software authentication techniques: CAPTCHA, Keypass, etc.
• Password attacks: Sniffing, brute force, phishing, keyloggers, etc.
• Attack on session numbers (session hijacking) or on cookies (cookie poisoning).
• Attack on HTTPS authentications (fake server, sslsniff, X509 certificate exploit, etc.).

10

The “application” firewall

• Reverse-proxy and application firewall, details of the features.
• What does the application firewall add to website security?
• Inserting an application firewall into a system in production. Players on the market.