Input Validation – common associated risks


Input Validation – common associated risks
 ______________ – user input controls SQL statements ultimately executed by a database server
 ______________ – user input controls the file access location (the "double-dot attack")
 ______________ – user input controls file naming in such a way as to get a program to read, write or delete files that should be protected
 Denial of Service – user input causes the application to consume excessive resources or simply stop executing due to unacceptable input
 _______________ – user input causes the application to reveal confidential information; this information may then be used as part of a more sophisticated attack

More common associated risks
 ________________ – user input injects HTML or script commands into the Web application, causing the Web application to breach its security
 ______________ – user input injects commands, often via meta-characters, that cause a server to perform unintended functions
 Buffer Overflows – user input exceeds buffer limits in a way that allows the attacker to control application behavior

Before Mitigation – sources of untrusted input
 user interface
 files
 parameters of externally-invoked methods
 network sockets/ports
 URLs (passed to Web servers)
 cookies
 network certificates

Mitigation Techniques

Escaping individual characters is a particularly effective way of mitigating XSS.

Character   Equivalent HTML escape
"           &#34;
#           &#35;
&           &#38;
'           &#39;
(           &#40;
)           &#41;
/           &#47;
;           &#59;
<           &#60;
>           &#62;