Defense in Depth Web Server Custom HTTP Handler Input Validation

Presentation transcript:

Rob Kraft – www.KraftSoftware.com

Defense in Depth: Web Server, Custom HTTP Handler, Input Validation, Sanitize Input

The sheep represents the data sent from a computer to our web site. A hacker can choose to bypass or forge almost any client-side validation technique, such as JavaScript code that validates data.

The Net Appliance looks at a black list of suspicious characters, but this one passes the list.

The request enters the web server (usually IIS or Apache). The request may be examined by a custom HTTP handler written to look for suspicious input.

The request is then processed by the code in the web page. That code could perform input validation such as checking the length of input in specific fields, or looking for suspicious characters. Finally, any input persisted to a database should be "sanitized" by using parameters, stored procedures, and replacing single quotes with two single quotes.

If the hacker discovers the server is vulnerable to SQL Injection, he can then use SQL Injection to attempt to exploit unsecured database features and data. If a SQL Injection manages to bypass all attempts to prevent it, what the SQL Injector can accomplish is largely determined by the permissions provided by the database connection string. Hackers may attempt to access other databases and features, but what they can do is limited by the connection string.

The hacker could attempt to run xp_cmdshell to gain access to the host OS. Unnecessary features like xp_cmdshell should be disabled.

The hacker could attempt to obtain passwords or sensitive data like social security numbers and credit card numbers. Hashing passwords, encrypting sensitive data, and database permissions can protect that data.

Slide labels: DB Conn String; Master database; Pwds and SSNs; xp_cmdshell

September 22, 2011
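The input-validation and "sanitize input" layers described above, shown side by side as an added example that is not part of the presentation. It uses Python's sqlite3 module and a constructed in-memory users table (SQL Server and the SqlClient parameter syntax differ, but the principle is the same); the function names, the allow-list and the test input are assumptions made for the illustration.

```python
import sqlite3
import string

# Constructed sample data standing in for the site's user table; not from the slides.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "000-00-0001"), ("bob", "000-00-0002")])
    return conn

ALLOWED = set(string.ascii_letters + " '-")  # allow-list for a name field (assumed)

def validate_name(value, max_len=32):
    """Input-validation layer: field length plus a character allow-list.
    An allow-list is stricter than the slide's 'suspicious character' black list."""
    return 0 < len(value) <= max_len and set(value) <= ALLOWED

def lookup_concat(conn, name):
    """Unsanitized layer: the query is built by string concatenation, so a quote
    in the input changes the SQL. Kept only to contrast with the defended versions."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_escaped(conn, name):
    """Sanitize by doubling single quotes, the escaping option named on the slide."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Sanitize with a bound parameter: the driver never treats the input as SQL."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ?", (name,))]

def lookup_defended(conn, name):
    """Defense in depth: validation first, then a parameterized query.
    Returns None when the input is rejected before it ever reaches the database."""
    if not validate_name(name):
        return None
    return lookup_param(conn, name)

if __name__ == "__main__":
    db = make_db()
    tampered = "x' OR '1'='1"             # constructed test input containing a stray quote
    print(lookup_concat(db, tampered))    # every row is returned: ['alice', 'bob']
    print(lookup_escaped(db, tampered))   # []
    print(lookup_param(db, tampered))     # []
    print(lookup_defended(db, tampered))  # None: rejected by validation
    print(lookup_defended(db, "alice"))   # ['alice']
```

Each layer fails independently of the others: the escaped and parameterized lookups are safe even when validation is skipped, and validation rejects the tampered value before the database is touched.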