Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.

Slides:

Advertisements

Similar presentations

Nick Feamster CS 6262 Spring 2009

Advertisements

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

OWASP Web Vulnerabilities and Auditing

SEC835 OWASP Top Ten Project.

Hands on Demonstration for Testing Security in Web Applications

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

WebGoat & WebScarab “What is computer security for $1000 Alex?”

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Expert System Approach on Web Vulnerability Analysis / Jong Heon, PARK / Hyun Woo, CHO CS548 Advanced Information Security Term Project.

Introduction to Application Penetration Testing

Workshop 3 Web Application Security Li Weichao March

Web Security Overview Lohika ASC team 2009

OWASP Zed Attack Proxy Project Lead

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

The OWASP Way Understanding the OWASP Vision and the Top Ten.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

Ryan Dewhurst - 20th March 2012 Web Application (PHP) Security.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.

Web Applications Testing By Jamie Rougvie Supported by.

Building Secure Web Applications With ASP.Net MVC.

Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.

COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.

Copyright © The OWASP Foundation This work is available under the Creative Commons SA 2.5 license The OWASP Foundation OWASP Denver February 2012.

Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

Introduction of XSS:-- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted.

Intro to Web Application Security. iHostCodex Web Services - CEO Project-AG – CoFounder OWASP Panay -Chapter Leader -Web Application Pentester -Ethical.

The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.

Do not try any of the techniques discussed in this presentation on a system you do not own. It is illegal and you will get caught.

Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

MIS Week 10 Site:

Module: Software Engineering of Web Applications

Web Application Vulnerabilities

Intro to Web Application Security

Module: Software Engineering of Web Applications

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

TOPIC: Web Security (Part-4)

Penetration Testing following OWASP

COMP3371 Cyber Security Week 10

Intro to Ethical Hacking

Riding Someone Else’s Wave with CSRF

CSC 495/583 Topics of Software Security Intro to Web Security

Cross-Site Request Forgery (CSRF) Attack Lab

Web Security Advanced Network Security Peter Reiher August, 2014

WWW安全國立暨南國際大學資訊管理學系陳彥錚.

Exploring DOM-Based Cross Site Attacks

Presentation transcript:

Page 1 Ethical Hacking by Douglas Williams

Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your business or organization. Each of these paths represents a risk that may, or may not, be serious enough to warrant attention. Sometimes, these paths are trivial to find and exploit and sometimes they are extremely difficult. Similarly, the harm that is caused may be of no consequence, or it may put you out of business.

Page 3 What you need You don’t need to be an expert Keep up to date with vulnerabilties OWASP Know your tools Manual methods via browser Sqlmap Burp (or any intercept proxy suite) BeEF Reminder: It’s still hacking so make sure you let others know of your actions for CYA purposes

Page 4 Types of Vulnerabilities VulnerabilityDescription Injection (SQL, OS, LDAP, & XML) The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Broken Authentication Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens. Cross-Site Scripting (XSS) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites. Cross-Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

Page 5 Demos SQL Injection Demo Manual Using sqlmap XSS Demo

Page 6 Links OWASP Top 10 p/Top10#OWASP_Top_10_for_ 2013 Sqlmap - BeEF -