Injection Attacks by Example: SQL Injection and XSS
Adam Forsythe, Thomas Hollingsworth
Outline
OWASP
Injection:
  ▫ Define
  ▫ Attacks
  ▫ Preventions
Cross-Site Scripting:
  ▫ Define
  ▫ Attacks
  ▫ Preventions

Open Web Application Security Project (OWASP)
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted.
OWASP Top 10 Application Security Risks – 2013:
  #1 Injection
  #3 Cross-Site Scripting (XSS)

SQL Injection
SQL injection attacks are a type of injection attack in which SQL commands are injected into data-plane input in order to alter the execution of predefined SQL commands. The attack consists of the insertion or "injection" of SQL syntax via the input data sent from the client to the application.
A successful SQL injection exploit can:
  Read sensitive data from the database
  Modify database data (Insert/Update/Delete)
  Execute administration operations on the database (such as shutting down the DBMS)
  Recover the content of a given file present on the DBMS file system
  In some cases, issue commands to the operating system

Attacks
Injection can result in:
  Data loss or corruption
  Lack of accountability or denial of access
  Complete host takeover
  All data being stolen, modified, or deleted

Preventions
Preventing injection requires keeping untrusted data separate from commands and queries.
Types of preventions:
1. Use a safe API which avoids the use of the interpreter entirely or provides a parameterized interface.
2. Carefully escape special characters using the specific escape syntax for that interpreter.
3. Positive or “white list” input validation, but this is not a complete defense, as many applications require special characters in their input.
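The following is an added example, not code from the slides or from the presenters, that puts the SQL Injection definition and the three preventions above side by side in Python. It uses an in-memory SQLite table constructed for the demonstration; the table schema, the user names and the single hostile input are all assumptions made for this example. The vulnerable function concatenates untrusted input into the query text; the three hardened variants apply, in order, a parameterized interface, interpreter-specific escaping, and positive (white list) validation.

```python
import re
import sqlite3


# Constructed in-memory database standing in for an application's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


# VULNERABLE: the untrusted username is pasted straight into the SQL text, so
# data-plane input becomes part of the command plane.
def lookup_vulnerable(conn, username):
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


# Prevention 1: parameterized interface. The driver sends the value separately
# from the statement, so it is never parsed as SQL.
def lookup_parameterized(conn, username):
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,))]


# Prevention 2: interpreter-specific escaping. Inside a SQL string literal a
# single quote is escaped by doubling it. This keeps the value inside the
# literal, but every interpreter has its own rules, so parameters are preferred.
def escape_sql_literal(value):
    return value.replace("'", "''")


def lookup_escaped(conn, username):
    query = ("SELECT username FROM users WHERE username = '"
             + escape_sql_literal(username) + "'")
    return [row[0] for row in conn.execute(query)]


# Prevention 3: positive ("white list") validation. Only the characters a
# username legitimately needs are accepted; anything else is rejected before
# it reaches the query builder. The allowed set is an assumption of this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def lookup_whitelisted(conn, username):
    if not is_valid_username(username):
        raise ValueError("rejected by whitelist: " + repr(username))
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    # Constructed hostile input: a tautology that makes the WHERE clause always true.
    hostile = "' OR '1'='1"
    print("vulnerable    :", lookup_vulnerable(db, hostile))     # every user is returned
    print("parameterized :", lookup_parameterized(db, hostile))  # no such username
    print("escaped       :", lookup_escaped(db, hostile))        # no such username
    try:
        lookup_whitelisted(db, hostile)
    except ValueError as err:
        print("whitelisted   :", err)
```

Running the script shows the vulnerable lookup returning every row for an input that is not a username at all, while the parameterized and escaped lookups return nothing and the whitelist rejects the input before any query is built. Note that the whitelist alone would also reject a legitimate name such as o'hara, which is the slide's point that validation is not a complete defense on its own.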

Cross-Site Scripting (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping.
XSS allows attackers to:
  Execute scripts in the victim’s browser, which can hijack user sessions
  Deface web sites
  Redirect the user to malicious sites

Attacks
Attackers can execute scripts in a victim’s browser to:
  Hijack user sessions
  Deface web sites
  Insert hostile content
  Redirect users
  Hijack the user’s browser using malware

Preventions
Preventing XSS requires keeping untrusted data separate from active browser content.
Types of preventions:
1. Encoding – Escaping any character a user enters before displaying it
2. Whitelisting – Only allowing certain characters (e.g. A-Z and 0-9) to be entered
3. Blacklisting – Not allowing a user to enter known-dangerous sequences such as HTML tags
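As an added example (not code from the slides or the presenters), the three XSS preventions above in Python: output encoding with the standard library's html.escape, a character whitelist matching the slide's A-Z and 0-9, and a small blacklist. The blacklist entries, the comment-rendering template and the sample inputs are constructed for this example. The blacklist is kept deliberately literal so the run shows why it is the weakest of the three: a case variant of a listed sequence passes it, while encoding at the output boundary neutralizes the same input regardless of case.

```python
import html
import re


# Prevention 1: encoding. Every character with meaning to the HTML parser is
# replaced by an entity before the value is placed in the page, so the browser
# renders it as text rather than interpreting it as markup.
def encode_for_html(value):
    return html.escape(value, quote=True)


# Prevention 2: whitelisting. Only the characters the field legitimately needs
# are accepted (letters and digits, as on the slide); anything else is rejected.
ALNUM_RE = re.compile(r"^[A-Za-z0-9]*$")


def passes_whitelist(value):
    return ALNUM_RE.fullmatch(value) is not None


# Prevention 3: blacklisting. Known-bad sequences are refused. The entries are
# constructed for this example and matched literally, which is exactly how such
# lists fail: any spelling the list does not name gets through.
BLACKLIST = ("<script>", "</script>")


def passes_blacklist(value):
    return not any(bad in value for bad in BLACKLIST)


def render_comment(author, text):
    # Encode at the output boundary, whatever validation happened on input.
    # The surrounding template is an assumption of this example.
    return "<p><b>%s</b>: %s</p>" % (encode_for_html(author), encode_for_html(text))


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a case-mangled script tag.
    benign = "hello123"
    mangled = "<ScRiPt>alert(1)</ScRiPt>"
    print("whitelist benign :", passes_whitelist(benign))    # True
    print("whitelist mangled:", passes_whitelist(mangled))   # False: '<' is not allowed
    print("blacklist mangled:", passes_blacklist(mangled))   # True: the list missed it
    print("rendered         :", render_comment("alice", mangled))  # tag arrives as text
```

The rendered comment contains `&lt;ScRiPt&gt;` rather than a live tag, so the browser shows the characters instead of executing them. The whitelist rejects the same input outright, and the blacklist lets it through; that ordering of strength is why encoding is listed first on the slide.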

References