Monday, May 25, 2015

Web application security design considerations


  • Development teams must follow secure coding guidelines and keep sensitive data private and confidential, in transit and at rest, by using encryption.
  • Coding teams must also consider how data enters the web site, including how the users and devices that submit it are authenticated, before that data is trusted.
  • Security has to be designed into the application rather than added afterwards. A secure application design covers at least the following:
o   Authentication
o   Authorization and access control
o   Data input checking and validation
o   Session management
o   Encryption
o   Auditing and logging

  • While designing a secure application, the common web application vulnerability classes must also be addressed:

o   Insecure direct object references
o   Cross-site scripting (XSS)
o   Cross-Site Request Forgery (CSRF)
o   Clickjacking
o   SQL injection
  • Errors and exceptions should be handled properly: when an error occurs, the application should show the user an appropriate message that reveals no internal details (no stack traces or database errors), log the details server-side, and take a safe course of action instead of continuing in an undefined state.
  • Privilege escalation must be taken into account: a user gains more rights than the application intended to give them.
o   Vertical privilege escalation: a user obtains permissions or rights above those originally intended (for example, a normal user performing administrator actions).
o   Horizontal privilege escalation: a user authenticated to the application finds a way to act as another user with equal rights (for example, by changing an account or record identifier in a request).
  • Fuzzing/fault injection: in the testing phase, feed the application random or unexpected data while monitoring it, so that crashes, information leaks in error messages and other unexpected behaviour can be observed and fixed before release.
  • Memory leaks, buffer overflows and integer overflows should be prevented, since they can crash the application or give an attacker code execution on the server and from there a foothold in the network.
  • The application developer should put proper checks in place for race conditions and resource exhaustion (for example, rate limiting and bounded allocation of connections, memory and disk).
  • When working with web services, WS-Security should be implemented so that messages are protected between the client and the web application or service running server-side. In practice this is accomplished by transmitting the data over HTTPS, encrypting or signing the message content, and using SAML tokens for authentication.
  • Secure coding standards such as the OWASP guidelines should be used by developers to secure the web application, and they should be incorporated at every step of the System Development Life Cycle.
  • Specific application issues:
      • Session management
      • HTTP is stateless, so the application has to track sessions itself
      • Security tokens
      • HTTP cookies
      • Flash local storage (Local Shared Objects)
      • Improper storage of sensitive data: passwords, keys, PKI certificates
      • Secure cookie storage and transmission (Secure and HttpOnly flags, no sensitive data inside the cookie itself)
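The insecure direct object reference and privilege escalation points above, as an added Python example that is not part of the original post: a small document service with a vulnerable handler beside its hardened form for each case. The users, sessions and documents are constructed in-memory data, and the function names are this example's own.

```python
"""Added example, not from the original post: horizontal and vertical
privilege escalation in a small document service, each shown as a
vulnerable handler beside its hardened form. Users, sessions and documents
are constructed in-memory data; the function names are this example's own."""


class AccessDenied(Exception):
    """Raised when authentication or authorization fails."""


# Constructed data: users with a server-side role, documents with an owner.
USERS = {
    "alice": {"role": "user"},
    "bob": {"role": "user"},
    "carol": {"role": "admin"},
}
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice's tax return"},
    1002: {"owner": "bob", "body": "bob's medical record"},
}
# Constructed session table: session cookie value -> authenticated username.
SESSIONS = {"s-alice": "alice", "s-bob": "bob", "s-carol": "carol"}


def current_user(session_id):
    """Authentication only: resolve the session cookie to a username."""
    if session_id not in SESSIONS:
        raise AccessDenied("not authenticated")
    return SESSIONS[session_id]


def get_document_vulnerable(session_id, doc_id):
    """Insecure direct object reference: the caller is authenticated, but
    nothing checks that doc_id belongs to that caller, so any logged-in
    user can read any document (horizontal privilege escalation)."""
    current_user(session_id)
    return DOCUMENTS[doc_id]["body"]


def get_document(session_id, doc_id):
    """Hardened: the authorization decision is made against the identity
    the server resolved, never against a value the client supplied."""
    user = current_user(session_id)
    doc = DOCUMENTS.get(doc_id)
    # Missing and foreign documents get the same answer, so the response
    # does not reveal which identifiers exist.
    if doc is None or (doc["owner"] != user and USERS[user]["role"] != "admin"):
        raise AccessDenied("no access to document %s" % doc_id)
    return doc["body"]


def reset_password_vulnerable(session_id, target, is_admin_param):
    """Vertical privilege escalation: the admin check trusts an is_admin
    value carried in the request (hidden form field, cookie or query
    string), which the client can simply set to "1"."""
    current_user(session_id)
    if is_admin_param != "1":
        raise AccessDenied("admins only")
    return "password reset for %s" % target


def reset_password(session_id, target):
    """Hardened: the role comes from the server-side user record that the
    session maps to; nothing in the request can change it."""
    user = current_user(session_id)
    if USERS[user]["role"] != "admin":
        raise AccessDenied("admins only")
    if target not in USERS:
        raise AccessDenied("unknown user")
    return "password reset for %s" % target


def outcome(handler, *args):
    """Run a handler and report 'denied' instead of raising."""
    try:
        return handler(*args)
    except AccessDenied:
        return "denied"


def demo():
    """Bob (a normal user) attacks both handlers; returns the results."""
    return {
        # Horizontal: bob asks for alice's document by guessing its id.
        "idor_vulnerable": outcome(get_document_vulnerable, "s-bob", 1001),
        "idor_hardened": outcome(get_document, "s-bob", 1001),
        # Vertical: bob adds is_admin=1 to the request.
        "vertical_vulnerable": outcome(reset_password_vulnerable, "s-bob", "alice", "1"),
        "vertical_hardened": outcome(reset_password, "s-bob", "alice"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-20s %s" % (name, result))
```

The point of the hardened handlers is where the decision inputs come from: the identity and role are looked up server-side from the session, and the ownership check compares that identity with the record, so the client can change the document id or add parameters without changing the outcome.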


Monday, May 11, 2015

Hacking Web Application

Footprint Web Infrastructure
Footprinting the web infrastructure is the first step in web application hacking; it helps attackers select targets and identify vulnerable web applications. It consists of:
·         Server Discovery
·         Service Discovery
·         Server Identification
·         Hidden Content Discovery
1.       Server Discovery
Server discovery gives information about the location of the servers and confirms that the target server is alive on the Internet. Techniques:
·         Whois lookup
·         DNS interrogation
·         Port scanning
2.       Service Discovery
Service discovery finds the open ports on the discovered hosts and the services listening on them (web servers are commonly on 80, 443, 8080 and 8443). Tools used for service discovery:
a.       Nmap
b.      NetScanTools Pro
c.       Sandcat Browser
3.       Server Identification / Banner Grabbing
Analyze the server response header fields (Server, X-Powered-By, Via, and the presence and order of the other headers) to identify the make and version of the web server software and the platform behind it.
This information helps attackers select, from a vulnerability database, the exploits that match the web server and the applications it hosts. Removing or faking these headers makes identification harder but does not remove the underlying vulnerabilities.
Banner grabbing tools:

    •     telnet
    •     Netcat
    •     ID Serve
    •     Netcraft
4.       Hidden Content Discovery
Discover content and functionality that is not reachable from the main visible content (for example old or backup files, administrative interfaces and debugging features) and use it to exploit user privileges within the application.
a.       Web spidering: a web spider automatically discovers content and functionality by requesting pages, parsing the links, HTML forms and client-side JavaScript in the responses, and following every URL it finds within the target. Spidering only finds content that is referenced somewhere in a response; completely unlinked content is not discovered this way.
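The banner grabbing and web spidering steps above, as an added Python example that is not part of the original post. It takes one raw HTTP response (constructed here; on a live target it is what telnet or Netcat would show after a GET request), pulls out the identifying headers, and then does the spider's parsing step on the HTML body: collecting links, form actions, script sources and hidden form fields, and keeping only the URLs on the target host. The header values, URLs and function names are this example's own.

```python
"""Added example, not from the original post: the server-identification and
hidden-content steps applied to one captured HTTP response. The response
below is constructed for the example and the function names are its own;
on a real engagement Netcat, ID Serve or a spider would fetch the response."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed raw response, as 'nc target 80' followed by a GET request would
# print it. Software versions and paths are made up for the example.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 11 May 2015 10:00:00 GMT\r\n"
    "Server: Apache/2.2.15 (CentOS)\r\n"
    "X-Powered-By: PHP/5.3.3\r\n"
    "Set-Cookie: PHPSESSID=abc123; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>"
    "<a href='/about.html'>About</a>"
    "<a href='/admin/'>Admin</a>"
    "<a href='http://other.example/page'>Partner</a>"
    "<form action='/cgi-bin/login.pl' method='post'>"
    "<input type='hidden' name='debug' value='0'>"
    "</form>"
    "<script src='/js/app.js'></script>"
    "</body></html>"
)

# Headers that commonly disclose the server make, version or platform.
BANNER_HEADERS = ("server", "x-powered-by", "via", "x-aspnet-version")


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body).
    Header names are lower-cased because HTTP treats them case-insensitively."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def grab_banner(raw):
    """Server identification: return the headers that reveal software make
    and version, plus the session cookie name, which by itself often
    identifies the platform (PHPSESSID, JSESSIONID, ASP.NET_SessionId)."""
    _, headers, _ = parse_response(raw)
    banner = {h: headers[h] for h in BANNER_HEADERS if h in headers}
    if "set-cookie" in headers:
        banner["cookie-name"] = headers["set-cookie"].split("=", 1)[0]
    return banner


class LinkCollector(HTMLParser):
    """Collect link targets, form actions, script sources and hidden form
    field names: the raw material a spider follows or a tester probes."""

    def __init__(self):
        super().__init__()
        self.urls = set()
        self.hidden_fields = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and "href" in a:
            self.urls.add(a["href"])
        elif tag == "form" and "action" in a:
            self.urls.add(a["action"])
        elif tag == "script" and "src" in a:
            self.urls.add(a["src"])
        elif tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.hidden_fields.add(a["name"])


def discover_content(raw, base_url):
    """One spidering step: resolve every URL found in the page against
    base_url and keep only those on the target host, so the spider does not
    wander onto third-party sites. Returns (in-scope URLs, hidden fields)."""
    _, _, body = parse_response(raw)
    collector = LinkCollector()
    collector.feed(body)
    target_host = urlparse(base_url).netloc
    in_scope = sorted(
        u for u in (urljoin(base_url, link) for link in collector.urls)
        if urlparse(u).netloc == target_host
    )
    return in_scope, sorted(collector.hidden_fields)


if __name__ == "__main__":
    print(grab_banner(RAW_RESPONSE))
    urls, hidden = discover_content(RAW_RESPONSE, "http://target.example/")
    print(urls, hidden)
```

A real spider would queue each in-scope URL, request it and repeat, and would also scan the JavaScript files it finds for further paths. Note that the admin link and the hidden debug field are found only because the page references them; anything never referenced stays invisible to spidering.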

5. Web Application Hacking Methodology
    1. Footprint the web infrastructure: helps attackers select targets and identify vulnerable web applications. It includes server discovery, service discovery, server identification and hidden content discovery.
    2. Attack web servers: identify the web server environment and scan the server for known vulnerabilities with tools such as WebInspect, Nessus, UrlScan and Nikto.
    3. Analyze web applications: identify the HTTP header parameters, entry points and URL encoding techniques in use, with tools such as Burp Suite, httprint, WebScarab and OWASP Zed Attack Proxy (ZAP).
    4. Attack authentication mechanisms: check for weaknesses in the authentication policy, such as a missing password strength check or insecure transport of credentials.
    5. Attack authorization schemes: the attacker first accesses the web application with a low-privileged account and then tries to escalate privileges to reach protected resources.
    6. Attack session management mechanisms: by breaking session management (predictable tokens, session fixation, tokens exposed in URLs) attackers bypass the authentication controls and impersonate privileged application users.
    7. Perform injection attacks: attackers supply malicious input that the application passes on to an interpreter (SQL, LDAP, operating system commands), breaking the application's normal flow.
    8. Attack data connectivity: attacks include connection string injection, connection string parameter pollution and connection pool DoS.
    9. Attack web application clients: attacks include cross-site scripting, redirection attacks, HTTP header injection, frame injection, request forgery and session fixation.
    10. Attack web services: SOAP injection by manipulating SOAP requests.
  6. Various tools are used for web application hacking, such as Burp Suite, CookieDigger and WebScarab. An understanding of encoding and of the different encoding schemes (URL, HTML, Unicode, Base64) matters at every step: applications decode input at several points, so a payload that a filter rejects in one encoding may be accepted in another.
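The role of encoding schemes mentioned above, as an added Python example that is not part of the original post. It shows the same XSS payload under four encodings, then a filter chain in which the server URL-decodes a parameter once, a blacklist filter inspects it, and the application decodes it again before use, so a double URL-encoded payload passes the filter. The hardened form canonicalizes (decodes until stable) before filtering, and the output-encoding function shows the defence that holds regardless of input filtering. The filter, payload, decode chain and function names are this example's own.

```python
"""Added example, not from the original post: why encoding schemes matter
in web application attacks. A blacklist filter inspects a parameter after
the web server has URL-decoded it once; because the application decodes it
a second time downstream, a double URL-encoded payload slips past. The
filter, payload and decode chain are constructed for this example, and the
function names are its own."""
import base64
import html
from urllib.parse import quote, unquote

PAYLOAD = "<script>alert(1)</script>"


def encode_all(text):
    """The same payload under the encoding schemes an attacker picks from:
    URL, double URL, HTML entities and Base64."""
    url = quote(text, safe="")
    return {
        "url": url,
        "double_url": quote(url, safe=""),      # '%' itself becomes '%25'
        "html": html.escape(text, quote=True),
        "base64": base64.b64encode(text.encode()).decode(),
    }


def naive_filter(value):
    """Blacklist check; True means the value is allowed through."""
    return "<script" not in value.lower()


def vulnerable_pipeline(raw_param):
    """Server decodes once, the filter runs, then the application decodes
    again before using the value (e.g. a front end and a back end that each
    unescape). The filter never sees what the application finally uses."""
    once = unquote(raw_param)
    if not naive_filter(once):
        return "blocked"
    return unquote(once)          # the second decode exposes the payload


def hardened_pipeline(raw_param, max_rounds=3):
    """Canonicalize first: decode until the value stops changing, reject
    input that is still changing after max_rounds (layered encoding is
    itself suspicious), then validate the canonical form. The filter now
    sees exactly the value the application would use."""
    value = raw_param
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return "blocked"
    if not naive_filter(value):
        return "blocked"
    return value


def render_in_html(value):
    """Output encoding for an HTML text context: the defence that holds
    even when input filtering fails, because the browser receives entities
    rather than markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for scheme, encoded in encode_all(PAYLOAD).items():
        print("%-10s %s" % (scheme, encoded))
    double = encode_all(PAYLOAD)["double_url"]
    print("vulnerable:", vulnerable_pipeline(double))
    print("hardened:  ", hardened_pipeline(double))
    print("rendered:  ", render_in_html(PAYLOAD))
```

The blacklist in the hardened pipeline is kept only to make the comparison fair; in practice canonicalization is followed by allowlist validation of the expected format, and the value is encoded for the context (HTML text, attribute, JavaScript, URL) at the point where it is written out.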

Sunday, May 10, 2015

ENABLING ANGULAR INTELLISENSE IN VISUAL STUDIO 2013

First, download the angular.intellisense.js file for Visual Studio and place it in the Program Files (x86)\Microsoft Visual Studio 12.0\JavaScript\References folder on your machine. Now open Visual Studio and have a look at the IntelliSense support for Angular code.
This support works the same in any project that uses AngularJS, including Apache Cordova, ASP.NET MVC, ASP.NET Web Forms, LightSwitch and Windows Store apps.