Web Security
Group 5: Adam Swett, Brian Marco

Why Web Security?
- Web sites and web applications are constantly growing
- Complex business applications are now delivered over the web
- Increased "web hacking" activity
- Web worms (Samy)
- Firewalls?

Difficulties In Traditional Hacking
- Modern networks are more secure
- Firewalls are used in all network rollouts
- OS vendors patch holes quickly
- Increased maturity in coding

Firewalls

Lab Sections
- SQL Injection
  - Basic
  - Blind
- Cross Site Scripting (XSS)
  - Basics
  - Cookie Stealing
  - JavaScript
- Default Pages
- CGI Vulnerabilities
  - Vulnerable Scripts
  - Nikto

SQL Injection
- Exploits a security vulnerability present in the database layer of an application
  - With errors
  - Blind
  - Automated
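As an added example (not part of the slides), the flaw behind the lab in a few lines of Python over a constructed in-memory SQLite table: a login check that concatenates input into the SQL text beside one that binds parameters, plus a probe showing why the "with errors" and "blind" variants differ only in whether the application exposes the driver's error. The table, the user `alice` and the function names are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """The flaw the slides describe: untrusted input concatenated into the SQL text."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the values separately from the SQL
    text, so a quote in the input is data, never syntax."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def leaks_db_error(login, conn):
    """True if a stray quote in the input makes the driver raise. An application
    that echoes that message is the 'with errors' case from the slide; one that
    swallows it and only changes behaviour is the 'blind' case."""
    try:
        login(conn, "alice'", "x")
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"  # textbook test string
    print(vulnerable_login(conn, "alice", tautology))  # True: WHERE clause is always true
    print(safe_login(conn, "alice", tautology))        # False: compared as a literal string
    print(leaks_db_error(vulnerable_login, conn), leaks_db_error(safe_login, conn))  # True False
```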

SQL Injection

Cross Site Scripting
- SecurityFocus has cataloged over 1,400 issues
- WhiteHat Security has identified over 1,500 in custom web applications
- 8 in 10 websites have XSS
- Tops the Web Hacking Incident Database (WHID)

Cross Site Scripting
- Cookie Stealing
  - One of the most common uses of XSS
  - Allows you to impersonate someone
- Can lead to session hijacking
  - HTTP is stateless
  - Only verifies at the beginning of a session

Cross Site Scripting
- JavaScript
  - Can be written by anyone and executed on any computer over the web
  - Most people have JavaScript enabled, making it very dangerous
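As an added example (not from the slides), the two server-side controls that blunt the cookie-stealing and injected-JavaScript scenario of the previous two slides, written in Python: escaping user-supplied text before it is placed in the page, and marking the session cookie HttpOnly so that script which does run cannot read it. The comment page template, the `SESSIONID` cookie name and the test string are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed page template: the user's comment is placed inside a <p> element.
PAGE = "<html><body><h1>Comments</h1><p>{comment}</p></body></html>"


def render_unsafe(comment):
    """The flaw the slides describe: user input dropped straight into the HTML,
    so a submitted <script> element is parsed and run by every visitor's browser."""
    return PAGE.format(comment=comment)


def render_safe(comment):
    """Output encoding: the same input is shown as text and never parsed as markup."""
    return PAGE.format(comment=html.escape(comment, quote=True))


def session_cookie_header(session_id):
    """Set-Cookie header for the session. HttpOnly keeps the value out of
    document.cookie (so injected script cannot read it), Secure restricts it to
    HTTPS, and SameSite=Strict stops browsers sending it on cross-site requests."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Strict"
    cookie["SESSIONID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    probe = "<script>alert(document.cookie)</script>"  # constructed textbook test string
    print(render_unsafe(probe))   # contains a live <script> element
    print(render_safe(probe))     # contains &lt;script&gt; ... as visible text
    print(session_cookie_header("constructed-session-id"))
```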

Cross Site Scripting
- JavaScript examples
  - Black hat search engine optimization (SEO)
  - Click fraud
  - Distributed denial of service
  - Forced access of illegal content
  - Hacking other websites (IDS sirens)
  - Distributed spam (Outlook Web Access)
  - Distributed blog spam
  - Vote tampering
  - De-anonymizing people
  - etc.

Cross Site Scripting

Default Pages
- Careless hosting
- Gives the ability to browse and retrieve a complete directory on the web server
- Happens when the default page is missing
- Not-so-strict web server configuration
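As an added example (not from the slides), a Python reproduction of the misconfiguration above using the standard library's static file handler: when a directory has no index page, the permissive handler generates a file listing, while a stricter subclass answers 403, which is the behaviour a hardened web server configuration should give. The docroot, the `db-backup.sql` file in it and the handler names are constructed; the servers bind only to loopback.

```python
import functools, http.server, os, socketserver, tempfile, threading
import urllib.error, urllib.request

class PermissiveHandler(http.server.SimpleHTTPRequestHandler):
    # Default behaviour: no index page means an auto-generated directory listing.
    def log_message(self, *args):  # silence per-request log lines
        pass

class NoListingHandler(PermissiveHandler):
    # Stricter configuration: a directory with no index page answers 403.
    def list_directory(self, path):
        self.send_error(403, "Directory listing denied")
        return None

def serve(handler_cls, docroot):
    """Start a loopback server for handler_cls rooted at docroot on a free port."""
    factory = functools.partial(handler_cls, directory=docroot)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def fetch_status(server, path="/"):
    """HTTP status code the server returns for path."""
    port = server.server_address[1]
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code

def compare_servers():
    """Serve a constructed docroot with no index.html from both handlers and
    return (permissive_status, hardened_status) for a request to '/'."""
    with tempfile.TemporaryDirectory() as docroot:
        with open(os.path.join(docroot, "db-backup.sql"), "w") as f:
            f.write("-- constructed file that a listing would expose\n")
        permissive, hardened = serve(PermissiveHandler, docroot), serve(NoListingHandler, docroot)
        try:
            return fetch_status(permissive), fetch_status(hardened)
        finally:
            for srv in (permissive, hardened):
                srv.shutdown()
                srv.server_close()

if __name__ == "__main__":
    print(compare_servers())  # (200, 403)
```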

Default Pages

CGI Vulnerabilities
- A number of widely distributed CGI scripts contain known security holes
- Finding the scripts and exploiting them can be time consuming
- Usually well documented on the web
- Some can be worth it

CGI Vulnerabilities
- nph-test-cgi
  - Script included with all old versions of the Apache web server
  - Allows a user to view all files on the computer

nph-test-cgi

Nikto
- Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version-specific problems on over 230 servers.
- Scan items and plugins are frequently updated and can be automatically updated (if desired)

Nikto

Sources
- NetSquare Blackhat Asia presentation
- WhiteHat Security
- SPI Dynamics