Slide 33
[Diagram: threat model of a tiered web application, showing trust boundaries, data flows, threats, countermeasures, example attack strings and business impacts. The labels below are what is recoverable from the figure.]

Tiers and trust boundaries:
- Users <-> Web Server: Request / Responses, across the DMZ (User/Web Server Boundary).
- Web Server <-> Application Server: Message Call / Message Response, across the Internal boundary (Web Server / App & DB Server Boundary).
- Application Server <-> Database Server: SQL Query Call, returning Customer Financial Data and Auth Data; Application Calls / Application Responses.
- Application Server <-> Financial Server: Account/Transaction Query Calls, returning Financial Data, across the Restricted Network (App & DB Server / Financial Server Boundary).
- Links labelled "Encryption + Authentication"; the Financial Server holds Authentication Data.

Threats called out on the diagram:
- XSS, SQL Injection, Information Disclosure via errors
- Injection flaws
- CSRF, Insecure Direct Object Reference, Insecure Remote File Inclusion
- Broken Authentication; Connection DB PWD in clear
- Broken Authentication / Impersonation; Lack of Synchronized Session Logout
- Insecure Crypto Storage

Example attack strings shown:
- XSS (script tag truncated in the figure): alert("Cookie"+document.cookie)</SCRIPT>
- SQL injection: OR '1'='1--
- Path traversal / null byte: "../../../../etc/passwd%00"
- Command injection: Cmd=%3B+mkdir+hackerDirectory
- Insecure direct object reference: http://www.abc.com?RoleID

Countermeasures called out on the diagram:
- ESAPI/ISAPI Filter; Custom errors
- Prepared Statements / Parameterized Queries; Stored Procedures
- ESAPI Filtering; Server RBAC; Form Tokenization
- Hashed/Salted Passwords in Storage and Transit
- Trusted Server-to-Server Authentication; SSO
- Trusted Authentication; Federation; Mutual Authentication
- Encrypt Confidential PII in Storage/Transit

Business impacts listed:
- Phishing, Privacy Violations, Financial Loss
- Identity Theft
- System Compromise, Data Alteration, Destruction