1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

Presentation transcript:

1 Avoiding Hacker Attacks

2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

3 Getting Started Start with the Databound ComboBox from last class: Downloads/2011_04_12_Hacker_Attacks/ File Alt_Databound_Combo_Box.zip. Download, extract, build and run.

4 Hacker Attacks Any time we accept user input and put it into a command string, there is a danger of hacker attacks. A user can enter information that subverts the command we meant to give and makes it do something else. Example: Connection String Parameter attack. Palazon/DEFCON-18-Alonso-Palazon-String.pdf Thanks to student Ryan Wheeler for this reference!

5 The Connection String
    String cs = "server=scorpius.eng.usf.edu; " +
                "User=" + tbUserName.Text + ";" +
                "Password=" + tbPassword.Text;
At run time: server=scorpius.eng.usf.edu;User=wpusr40;Password=xxxxx
A connection string is a series of name=value pairs separated by semicolons. If a parameter appears multiple times, the last one wins. The user can type a semicolon in the password box and append his own parameter to the connection string.

6 The Threat If you don't prevent this kind of attack, an unscrupulous user can redirect your application to any server of his choice.

7 A Connection String Parameter Attack Password: xxxxx;server=sql2k508.discountasp.net

8 A Connection String Parameter Attack Toby, I don't think we are on scorpius any more!

9 Customer Selected

10 Defense Against the Dark Arts To foil this attack, scan user inputs for semicolons. Reject any input that includes a semicolon.

11 Checking for Semicolons
    private void btnLogIn_Click(object sender, EventArgs e)
    {
        String cs = "server=scorpius.eng.usf.edu; " +
                    "User=" + tbUserName.Text + ";" +
                    "Password=" + tbPassword.Text;

        // A semicolon in either field would start a new name=value pair
        // inside the connection string, so refuse the input outright.
        if ((tbUserName.Text.IndexOf(';') >= 0) ||
            (tbPassword.Text.IndexOf(';') >= 0))
        {
            MessageBox.Show("Invalid input");
            return;
        }

        Select_Customer sc = new Select_Customer(cs);
        this.Hide();
        sc.ShowDialog();
        this.Show();
    }
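An added console example, not code from the slides, that shows why the last-one-wins rule makes the concatenated string dangerous and contrasts the semicolon check from slide 11 with building the string through ADO.NET's SqlConnectionStringBuilder, which quotes a value containing a semicolon instead of letting it become a new parameter. The hostile host name and the ParseNaive helper are constructed for the demonstration; it assumes System.Data.SqlClient is available.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringDemo
{
    // Mirrors how a connection string is read: split on ';', then
    // each name=value pair overwrites any earlier pair with the same name.
    static Dictionary<string, string> ParseNaive(string cs)
    {
        var result = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string pair in cs.Split(';'))
        {
            int eq = pair.IndexOf('=');
            if (eq < 0) continue;
            result[pair.Substring(0, eq).Trim()] = pair.Substring(eq + 1).Trim();
        }
        return result;
    }

    // Defense from the slides: refuse any input that contains a semicolon.
    static bool IsSafeInput(string s)
    {
        return s.IndexOf(';') < 0;
    }

    // Alternative defense: let the builder escape the values. A password
    // containing ';' is emitted in quotes, so it stays one value.
    static string BuildSafely(string user, string password)
    {
        var b = new SqlConnectionStringBuilder();
        b.DataSource = "scorpius.eng.usf.edu";
        b.UserID = user;
        b.Password = password;
        return b.ConnectionString;
    }

    static void Main()
    {
        string user = "wpusr40";
        string hostile = "xxxxx;server=attacker.example"; // constructed attack input
        string cs = "server=scorpius.eng.usf.edu;User=" + user + ";Password=" + hostile;

        Console.WriteLine("Server seen by naive concatenation: " + ParseNaive(cs)["server"]);
        Console.WriteLine("Passes semicolon check: " + IsSafeInput(hostile));
        string safe = BuildSafely(user, hostile);
        Console.WriteLine("Builder output: " + safe);
        Console.WriteLine("Server seen by builder: " + new SqlConnectionStringBuilder(safe).DataSource);
    }
}
```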

12 Foiled Attack Password: xxxxx;server=sql2k508.discountasp.net