Web Application Vulnerabilities
ECE 4112 Internetwork Security, Spring 2005
Chris Kelly, Chris Lewis
April 28, 2005

Web Application Vulnerabilities
• Cross Site Scripting (XSS) with JavaScript injection
• SQL Injection

Cross Site Scripting (XSS)
• Allows attackers to run scripts from remote sites
• Can be used to steal your cookies
• Allows masquerading

How does this happen?
• Not validating data
• Printing query_string directly to screen

How can I tell?
• Find a page that prints data from query_string
• Create a link as follows: Page.cgi?<script>alert('I am vulnerable')</script>
• If a popup box is displayed, you are vulnerable to XSS

How can I prevent this?
• Validate / Sanitize your input!!!!!
• Languages provide built-in functions for this
• Treat all input as evil input
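The two slides above (a page that prints query_string straight into the HTML, and the fix of sanitizing before output) as a worked example. This is added illustration code, not code from the ECE 4112 slides or lab: the page, the "name" parameter and the probe string are constructed here, and the "built-in function" used is Python's html.escape, which turns markup in the input into inert text.

```python
import html
from urllib.parse import parse_qs, urlencode

# Constructed example: a minimal CGI-style page that greets the visitor
# with the 'name' value taken from the query string.


def render_unsafe(query_string: str) -> str:
    """The pattern the slides warn about: the parameter is printed to the
    page exactly as received, so any tags in it become live markup."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<html><body><p>Hello, {name}</p></body></html>"


def render_safe(query_string: str) -> str:
    """Same page, but the user-controlled value is HTML-escaped before it
    is placed in the document. '<', '>', '&' and quotes become entities,
    so the browser shows the input as text instead of running it."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<html><body><p>Hello, {html.escape(name, quote=True)}</p></body></html>"


# The slides' self-check: request the page with a harmless popup probe and
# see whether it comes back as raw markup (constructed probe string).
PROBE = "<script>alert('I am vulnerable')</script>"


def reflects_probe_unescaped(render, probe: str = PROBE) -> bool:
    """True if 'render' puts the probe into the page without escaping it,
    i.e. the page would display the popup and is vulnerable to XSS."""
    body = render(urlencode({"name": probe}))
    return probe in body


if __name__ == "__main__":
    for label, page in (("unsafe", render_unsafe), ("safe", render_safe)):
        verdict = "VULNERABLE" if reflects_probe_unescaped(page) else "ok"
        print(f"{label:6s}: {verdict}")
        print("  ", page(urlencode({"name": PROBE})))
```

html.escape is the right tool when the value lands in HTML body text or a quoted attribute, which is the case the slides describe; a value placed inside a script block, a URL or a CSS rule needs an encoder for that context instead, so the general rule is to escape for the exact place in the document where the data ends up.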

What you will do in lab
• Look at an XSS exploit.
• Have your cookie stolen by this script.

SQL Injection
• Allows attackers to interact more directly with your database than you intend
• Can be used to bypass security
• Can be used for information discovery

How does this happen?
• Not validating data
• Including user input directly in SQL statements
  • Form input
  • URL parameters

How can I tell?
• Use ' and " in input boxes on your site and see if it causes error messages
• Google for SQL error messages on your site

How can I prevent this?
• Validate / Sanitize your input!!!!!
• Languages provide built-in functions for this
• Treat all input as evil input
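The three SQL injection slides above (input spliced into the statement, the "type a quote and watch for an error" check, and the built-in fix) as a worked example. This is added code, not from the ECE 4112 slides or lab: the users table, its two rows and the lookup functions are constructed here, and the built-in mechanism shown is the parameter binding of Python's sqlite3 module, which keeps the input as data instead of SQL text.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table with two users, one of
    whom has an apostrophe in the name (a legitimate value that doubles as
    the slides' single-quote probe)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    return conn


def find_email_unsafe(conn: sqlite3.Connection, name: str):
    """The pattern the slides warn about: the form/URL value is pasted into
    the SQL string, so quote characters in it change the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def find_email_safe(conn: sqlite3.Connection, name: str):
    """The fix: the statement is fixed text and the value is bound as a
    parameter, so a quote in the input is just a character in the name."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def quote_probe_breaks_query(conn: sqlite3.Connection, lookup, name: str = "O'Brien") -> bool:
    """The slides' 'How can I tell?' check in code: feed a value containing
    a single quote and report whether the database throws an error. An
    error here means the input reached the SQL parser as syntax."""
    try:
        lookup(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    for label, lookup in (("unsafe", find_email_unsafe), ("safe", find_email_safe)):
        broken = quote_probe_breaks_query(conn, lookup)
        print(f"{label:6s}: {'SQL error on quote -> injectable' if broken else 'quote handled as data'}")
    print("safe lookup of O'Brien:", find_email_safe(conn, "O'Brien"))
```

Parameter binding also fixes the functional bug that the probe exposes: the unsafe version cannot look up a real user named O'Brien at all, while the bound version returns the row. The same mechanism exists in every mainstream database API (placeholders in DB-API modules, PreparedStatement in JDBC, prepared statements in PHP's PDO), which is what the slide means by "languages provide built-in functions for this".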

What you will do in lab
• Explore the possibilities of SQL Injection on a vulnerable website
• See how big of a problem this is and learn how to prevent it.

Questions?