Auditing Web Services

Many organisations now offer their services on-line via so-called web services. Recent articles in the news and IT journals have described a frightening level of attacks on web-enabled applications, many of them successful. Even organisations without an Internet presence are vulnerable, because more and more internal applications are built on Internet technologies such as web servers and TCP/IP networking for corporate intranets and other administrative systems.

Auditors working in organisations with Internet-connected applications need to know where the risks are, how to evaluate the security of Internet-enabled applications, and how to recommend controls. This course starts by showing you how web services work, how they interface with web servers and back-end databases, and how user-supplied data is processed. Using example web services and applications, you will learn how intruders attack badly-configured web servers and use techniques such as cookie poisoning, SQL injection and parameter tampering to gain unauthorised access to web servers and the data behind them.
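The three attack techniques named above, as an added illustration that is not part of the course materials: each is shown as a vulnerable request handler beside its fixed form, against a constructed in-memory SQLite database. The table layout, the user records, the cookie format and the HMAC secret are all assumptions made for this example.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed sample users and accounts for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)",
                     [(1, "alice", "correct horse", "admin"), (2, "bob", "hunter2", "user")])
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [(10, 1, 5000), (20, 2, 150)])
    conn.commit()
    return conn


# --- SQL injection -------------------------------------------------------

def login_vulnerable(conn, username, password):
    """Builds the query with string formatting, so user input is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Binds the input as parameters; it can never change the query structure."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()


# --- Parameter tampering -------------------------------------------------

def account_vulnerable(conn, session_user_id, account_id):
    """Trusts the account id from the request and never checks who owns it."""
    return conn.execute("SELECT balance FROM accounts WHERE id = ?",
                        (account_id,)).fetchone()


def account_safe(conn, session_user_id, account_id):
    """Scopes the lookup to the authenticated owner; another user's id returns nothing."""
    return conn.execute("SELECT balance FROM accounts WHERE id = ? AND owner_id = ?",
                        (account_id, session_user_id)).fetchone()


# --- Cookie poisoning ----------------------------------------------------

SECRET = b"server-side secret, never sent to the client"  # hypothetical key


def role_from_cookie_vulnerable(cookie):
    """Reads a plain 'role=user' cookie: the client can simply rewrite it to admin."""
    return dict(kv.split("=", 1) for kv in cookie.split(";"))["role"]


def make_signed_cookie(role):
    """Appends an HMAC over the role so the server can detect client-side edits."""
    tag = hmac.new(SECRET, role.encode(), hashlib.sha256).hexdigest()
    return "role=%s;sig=%s" % (role, tag)


def role_from_cookie_safe(cookie):
    """Accepts the role only if its HMAC verifies; a tampered cookie yields None."""
    fields = dict(kv.split("=", 1) for kv in cookie.split(";"))
    expected = hmac.new(SECRET, fields["role"].encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, fields.get("sig", "")):
        return fields["role"]
    return None


if __name__ == "__main__":
    conn = make_db()
    # The comment sequence in the username cuts off the password check.
    print(login_vulnerable(conn, "alice' --", "wrong"))   # ('alice', 'admin'): bypassed
    print(login_safe(conn, "alice' --", "wrong"))         # None
    # Bob (user id 2) asks for Alice's account (id 10).
    print(account_vulnerable(conn, 2, 10))                # (5000,): Bob reads Alice's balance
    print(account_safe(conn, 2, 10))                      # None
    poisoned = make_signed_cookie("user").replace("role=user", "role=admin")
    print(role_from_cookie_vulnerable(poisoned))          # admin
    print(role_from_cookie_safe(poisoned))                # None
```

The same three checks make a compact audit test: if a login form, an object-id parameter or a role cookie behaves like the "vulnerable" handler here, the application is exposed to the corresponding technique.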

By the end of the course, you will have gained a detailed understanding of how web services work, and of how you can help your organisation identify the risk areas and recommend improved security controls to keep data safe from intruders. We also offer a ‘hands-on’ option for auditors who want to try out the course techniques and tools in a prepared environment with deliberately introduced security ‘holes’.

Suggested duration: 2 days, but can be customised to your requirements.

Agenda

Web server configuration settings to audit
Microsoft IIS
Apache
Trusted web servers - using SSL/TLS and digital certificates

How Web Services are located and detected
Google Hacking
Using network scan tools

Target Identification
Establishing web server types
Enumerating web servers and directories
‘Spidering’ a web server

Identifying and fixing common vulnerabilities

Surveying and attacking web applications
Static and Dynamic pages
Active Server Pages
Java Server Pages
ASP.NET

Attacking Web Services and Applications
Session Hijacking
Buffer Overruns
Attacking Input Validation
URL Manipulation
Cookie Poisoning
Parameter Tampering
SQL Injection
Misusing ‘Hidden’ Form Fields
Breaking Authentication Schemes
Cross-Site Scripting
Insecure Cryptography

Defending Web Servers
Setting a secure web server configuration
Tools and Techniques for defending your web servers
An audit program for secure web application design