Cloud = Web, Web = Hacked! Fabio Viggiani. Why Web Apps? Every organization exposes web apps. Most common entry point.
Presentation transcript:

Cloud = Web, Web = Hacked! Fabio Viggiani

Why Web Apps? Every organization exposes web apps. Most common entry point.

Focus SQL injection, XSS… again with that old stuff??? Well, we DO find them every day! Why?

Demo Environment

Let’s hack! Basic stuff – warm up and understand: Cross Site Scripting (XSS), SQL injection.

We should be able to fix this. XSS filters available online. Prepared statements – easy and well documented. Let’s do it.

Let’s hack, again.

Demo Environment

2nd order SQL injection

What went wrong? Best practices: Input validation / Output encoding, Whitelist / Blacklist, Localized fixes, Code structure, Default behaviors.
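The "2nd order SQL injection" and "localized fixes" points above, as an added example that is not code from the talk: a constructed Python/sqlite3 app whose registration query is parameterized (the localized fix), while a later query concatenates the username it reads back from the database. The hardened lookup beside it uses a prepared statement at every query, so the origin of the value no longer matters. Function names, table layout and sample users are assumptions.

```python
import sqlite3

# Constructed in-memory database standing in for a demo web app's user store.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn

def register(conn, username, email):
    # First sink is parameterized: the value is stored exactly as given, quotes included.
    conn.execute("INSERT INTO users (username, email) VALUES (?, ?)", (username, email))
    return conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()[0]

def profile_emails_vulnerable(conn, user_id):
    # Second-order flaw: the username is read back from the database, treated as
    # trusted because "it came from the DB", and concatenated into a new query.
    stored_name = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    query = "SELECT email FROM users WHERE username = '" + stored_name + "'"
    return [row[0] for row in conn.execute(query)]

def profile_emails_fixed(conn, user_id):
    # Hardened form: every query is a prepared statement, regardless of where the
    # value came from, so no per-input "localized fix" is needed.
    stored_name = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (stored_name,))
    return [row[0] for row in rows]

def demo():
    # Constructed test input: harmless when inserted through a placeholder, but it
    # changes the structure of the concatenated lookup query on the second use.
    name = "eve' OR '1'='1"
    conn = setup_db()
    uid = register(conn, name, "eve@example.test")
    return profile_emails_vulnerable(conn, uid), profile_emails_fixed(conn, uid)

if __name__ == "__main__":
    leaked, correct = demo()
    print("vulnerable lookup returned", len(leaked), "rows:", leaked)
    print("fixed lookup returned", len(correct), "rows:", correct)
```

The vulnerable lookup returns every user's email because the stored value rewrote the WHERE clause; the fixed lookup returns only the row that matches the literal stored name.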

We hack once again. For real now.