+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Nick Feamster CS 6262 Spring 2009

Past, Present and Future By Eoin Keary and Jim Manico

Web Security Never, ever, trust user inputs Supankar.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Workshop 3 Web Application Security Li Weichao March

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report

Prevent Cross-Site Scripting (XSS) attack

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Chapter 8 Cookies And Security JavaScript, Third Edition.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.

October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.

Web Applications Testing By Jamie Rougvie Supported by.

Building Secure Web Applications With ASP.Net MVC.

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

Cross Site Scripting and its Issues By Odion Oisamoje.

Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.

Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.

What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.

Introduction of XSS:-- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted.

Writing secure Flex applications  MXML tags with security restrictions  Disabling viewSourceURL  Remove sensitive information from SWF files  Input.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Javascript worms By Benjamin Mossé SecPro

Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory

Group 18: Chris Hood Brett Poche

Module: Software Engineering of Web Applications

Building Secure ColdFusion Applications

CSCE 548 Student Presentation Ryan Labrador

Web Application Vulnerabilities

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Defense in Depth Web Server Custom HTTP Handler Input Validation

CSC 495/583 Topics of Software Security Intro to Web Security

Lecture 2 - SQL Injection

Protecting Against Common Web Application Vulnerabilities

Exploring DOM-Based Cross Site Attacks

Enterprise Class Security Scanner

Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago

Presentation transcript:

+ Websites Vulnerabilities

+ Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities. The need to Discover Security Vulnerabilities. SQL Injection example detection prevention Cross Site Scripting HTTP Parameter Pollution (HPP)

+ Expand of The Internet With the large expansion of the technology, and the enormous manufacturing and production of all the types of smart phones,tablets and internet based devices.

+ Use of the Internet all of these devices have helped raising the number of the internet users, from all the ages, with all of their educational backgrounds. to reach the consumers and users; almost every college, government org, hospital and trading company moved to ”On-line Services"

+ Examples

+ Importance of the Internet so now a day the internet is Currently the main medium organizations are depending on for many real life applications. Because of that dependency on the internet in all types of transactions; the web is carrying enormous amount of sensitive information from all the types.

+ The need to Discover Security Vulnerabilities. All of that amount of sensitive information, was an attraction for the Web Attackers to get illegal use of that information. these attacks have increased in the past years. So, to keep the safety of information and keeping websites security, we have the need to "Discover Security Vulnerabilities"

+ How to find Security Vulnerabilities. Some times the programs view of their code will be narrow. And because of their confidence in their code, they usually don't find the v ulnerability in their websites and applications.

+ White Hat Hackers. To find the vulnerabilities of your application/website, you have to think as an attacker (white hat hackers), and try to find the limit of your project immunity against many types of attacks, such as : Remote code execution SQL injection Format string vulnerabilities Cross Site Scripting (XSS) HTTP Parameter Pollution (HPP) After testing we fix the vulnerabilities to reject any attack

+ SQL Injection It’s a major type of websites vulnerabilities. the SQL injection can be found when the application accepts data from the user. Finally taking that data without proper validation to be used to build SQL query, leads to harm our expose your sensitive information.

+ SQL Injection - Example string Query= "SELECT * FROM users WHERE username = "'" + username + "' AND password = '" + password + "'"; string Query= "SELECT * FROM users WHERE username= 'joe' AND password = 'example' OR 'a'='a'

+ SQL Injection - Prevention 1. Prepared Statements (Parameterized Queries) 2. Stored Procedures 3. Escaping All User Supplied Input

+ Cross Site Scripting (XSS) Cross Site Scripting occurs when the data provided by the attacker is saved by the server, and then displayed permanently on "normal" pages returned to other users XSS forces a website to echo attacker-supplied executable code, which then loads in a user’s Web browser. That is, the user is the intended victim. That XSS exploit code, typically written in HTML/JavaScript, does not execute on the server. but execute within the Web browser. Also, XSS enables the theft of Web browser cookies, which can then be reused to hijack online user accounts, such as: Web banks, Web mail blogs, any other website feature accessible with a username and password.

+ Cross Site Scripting (XSS)- types 1. NonPersistent it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. 2. Persistent it occur in either community content driven websites or Web mail sites and do not require specially crafted links for execution. 3.Server-side versus DOM-based vulnerabilities persistent XSS much more dangerous than non-persistent because the user has no means of defending himself. Once a hacker has his exploit code in place, he’ll again advertise the URL to the infected

+ Cross Site Scripting (XSS)- Examples

+ Cross Site Scripting (XSS)- prevention 1. Contextual output encoding/escaping of string input 2. Safely validating untrusted HTML input 3. Cookie security 4. Disabling scripts 5. Emerging defensive technologies, including: 1. Content Security Policy. 2. JavaScript sandbox tools. 3. auto-escaping templates.

+ HTTP Parameter Pollution (HPP) Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values.

+ HTTP Parameter Pollution (HPP) – Example نتائج &q= اختبار &q= الجامعة

+ HTTP Parameter Pollution (HPP) – Example p= نتائج &p= اختبار &p= الجامعة

+ HTTP Parameter Pollution (HPP) – Example Input validation – Encoded query string delimiters Use safe methods – Parameter precedence – Channel (GET/POST/Cookie) validation Raise awareness – The client can provide the same parameter twice (or more)

+ Thank you