Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9.

Presentation transcript:

Is Your Website Hackable? Check with Acunetix Web Vulnerability Scanner. Acunetix Web Vulnerability Scanner V9

Combatting the Web Vulnerability Threat www.acunetix.com
Company Overview
Founded 2004
Pioneer in Web Application Security
Unique Technology - AcuSensor
OWASP Member
Award Winning Software
Fortune 500 Customers
License Holder of IBM Patent, Patent # 6,584,569

WVS V9 in a nutshell - 1 of 2
FULL HTML5 support
Improved crawling capabilities, with particular attention to dynamic pages using AJAX, JavaScript and Single Page Applications
Improved support for mobile-friendly sites

WVS V9 in a nutshell - 2 of 2
Detection of DOM based XSS
Detection of Blind XSS (unique to WVS)
Detection of new vulnerabilities: Server Side Request Forgery (SSRF), XML External Entity (XXE), Mail Header Injection, Host Header based attacks

FULL HTML5 support
New HTML / Script evaluation engine
Same as the one used in Chrome / Safari
Used in 40% of the world's internet browsing
Introduces FULL support for HTML5
34% of Alexa's Top 100 sites implemented in HTML5 in Sept 2011
HTML5 will eventually replace Flash

Improved Crawling capabilities
Superior JavaScript evaluation
Increased support for AJAX sites and other JavaScript based web sites
Introduced support for Single Page Applications
You can only scan what has been crawled

Improved support for Mobile Friendly sites - 1 of 2
1 billion smartphones used worldwide
In Asia, Internet browsing from mobile increased threefold between 2011 and 2012
2 versions of the same website: one for normal browsers, and another for mobiles, smartphones and tablets

Improved support for Mobile Friendly sites - 2 of 2
WVS v9 detects mobile friendly sites at the pre-crawl stage and gives the option to focus the scan on one version of the site
Our HTML / Script evaluation engine is the layout engine of choice for the default browsers in iPhone, Android, Blackberry and Amazon Kindle.

Detection of DOM XSS - 1 of 2
3 types of XSS: Stored, Reflected and DOM based
OWASP Top 10, 2013 classifies XSS as 'Very Widespread'
Client scripts often process the Document Object Model (DOM)
The DOM can sometimes be manipulated so as to introduce custom scripts into the DOM

Detection of DOM XSS - 2 of 2
Different from Stored or Reflected XSS, since the payload is placed in the DOM (in the browser) and not in the page served by the web site
Advanced techniques do not send the payload to the server, making exploitation completely invisible to the website's owner
Detection requires advanced interpretation of JavaScript
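The DOM-based flow described on the two DOM XSS slides, as an added example that is not from the Acunetix deck: a vulnerable fragment-to-innerHTML sink beside its hardened textContent form, plus a helper showing that the fragment is never part of the request the server sees. The element stand-in, the function names and the sample URL are constructed for this example.

```javascript
// Added example, not code from the Acunetix deck: a DOM-based XSS sink beside its
// hardened form, and why the payload never reaches the server. A tiny stand-in for a
// DOM element lets this run under Node; in a browser `el` would be a real HTMLElement.

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

function makeElement() {
  let markup = '';
  return {
    // innerHTML parses its value as HTML: the classic DOM XSS sink.
    set innerHTML(v) { markup = String(v); },
    // textContent stores a text node; serialising it back escapes any markup.
    set textContent(v) { markup = escapeHtml(String(v)); },
    get innerHTML() { return markup; },
  };
}

// Source: the URL fragment (location.hash). Vulnerable: fragment flows into innerHTML.
function renderGreetingVulnerable(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  el.innerHTML = 'Welcome, ' + name;
  return el.innerHTML;
}

// Hardened: same source, but the value is written as text and never parsed as HTML.
function renderGreetingSafe(el, hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ''));
  el.textContent = 'Welcome, ' + name;
  return el.innerHTML;
}

// Browsers strip the fragment before sending the request, so a request/response
// scanner or the site's access logs never see it (the "invisible" case on the slide).
function serverVisibleUrl(url) {
  return url.split('#')[0];
}

// Constructed sample: a fragment carrying markup instead of a plain name.
const SAMPLE_URL = 'https://example.test/welcome#<i>not-a-name</i>';
const SAMPLE_HASH = '#' + SAMPLE_URL.split('#')[1];
if (typeof module !== 'undefined' && require.main === module) {
  console.log('vulnerable:', renderGreetingVulnerable(makeElement(), SAMPLE_HASH));
  console.log('hardened:  ', renderGreetingSafe(makeElement(), SAMPLE_HASH));
  console.log('server saw:', serverVisibleUrl(SAMPLE_URL));
}
```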

Detection of Blind XSS - 1 of 2
Blind XSS is a type of Stored XSS where the payload is injected from one web application and executed in another web application
Example: a hacker injects XSS on a website's support request form; the XSS is executed when Support opens the request from the Support portal

Detection of Blind XSS - 2 of 2
Blind XSS detection requires AcuMonitor (Acunetix Vulnerability Verification Service, VVS) to be enabled
How blind XSS works:
Acunetix WVS probes an XSS prone web form and tries to inject scripts in doing so.
Scripts are stored in the database, but never executed on the main web application.
After some time, the script is executed from the other web application, which makes a web request to AcuMonitor.

Detection of Blind XSS - 3 of 3 (diagram: VVS, Admin, Web Site)
Scan
XSS stored in DB
XSS loaded in backend webapp
Script informs VVS
VVS informs admin by

Detection of New Vulnerabilities
Server Side Request Forgery (SSRF)
XML External Entity (XXE)
Mail Header Injection
Host Header based attacks

Acunetix Blog
Acunetix Facebook Page
List of Checks Run by Acunetix WVS
Contact Us
Tel EMEA, Asia: / Tel Americas: