Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN 6710 - Section A – TR 9:30-10:45 CRN 10570 – Section B – TR 5:30-6:45.

Presentation transcript:

Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45

OWASP Top 10 – Data Exposure
Sensitive Data Exposure
- Stored in clear text (especially in backups)
- Transmitted in clear text (including internally)
- Old/weak algorithms
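The "stored in clear text" and "old/weak algorithms" bullets are easiest to see with password storage. The following is an added example, not code from the lecture slides: a constructed in-memory user table with a clear-text record beside a salted, slow-hashed record, so you can compare what a leaked backup of each one hands an attacker. The table, function names and iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Constructed in-memory user table; a real application would persist this,
# and that persisted copy (and its backups) is exactly what a breach exposes.
USERS = {}


def store_cleartext(username, password):
    # The pattern the slide warns about: the password itself is written down,
    # so anyone who reads the table, or a backup of it, has the password.
    USERS[username] = {"scheme": "clear", "value": password.encode()}


def store_hashed(username, password, iterations=200_000):
    # Random per-user salt plus a deliberately slow key-derivation function
    # (PBKDF2-HMAC-SHA256 from the standard library) instead of a fast,
    # unsalted legacy hash such as MD5. Only the salt and digest are stored.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    USERS[username] = {
        "scheme": "pbkdf2",
        "salt": salt,
        "iterations": iterations,
        "value": digest,
    }


def verify(username, password):
    # Login check that works for either record type.
    rec = USERS.get(username)
    if rec is None:
        return False
    if rec["scheme"] == "clear":
        candidate = password.encode()
    else:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), rec["salt"], rec["iterations"]
        )
    # Constant-time comparison so response timing does not leak how many
    # leading bytes of the digest matched.
    return hmac.compare_digest(candidate, rec["value"])


def recoverable_from_backup(username):
    # What a leaked copy of the table gives an attacker: the clear-text record
    # yields the password outright; the hashed record yields only salt + digest,
    # which still has to be brute-forced one slow PBKDF2 call at a time.
    rec = USERS[username]
    return rec["value"].decode() if rec["scheme"] == "clear" else None


if __name__ == "__main__":
    store_cleartext("alice", "hunter2")
    store_hashed("bob", "hunter2")
    print("alice from backup:", recoverable_from_backup("alice"))
    print("bob from backup:", recoverable_from_backup("bob"))
    print("bob login ok:", verify("bob", "hunter2"))
```

Both users log in fine, but only the clear-text record is readable from a dump. Note that the example still only covers storage; the slide's "transmitted in clear text" bullet is addressed by putting TLS on every hop, including internal ones, not by anything in application code.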

OWASP Top 10 – Access Control
Missing Function Level Access Control
- UI contains links to unauthorized functions
- Authentication checks missing
- Server only uses information provided by the client for its checks
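The third bullet, the server trusting client-supplied information for its checks, is the one that is easiest to get wrong. Here is an added example, not from the slides, of a privileged "delete user" action written both ways. The session store, role table and request shape are constructed for the example; a real application would look the user and role up in its database from the session cookie.

```python
# Constructed session store (cookie value -> user) and role table.
SESSIONS = {"sess-alice": "alice", "sess-carol": "carol"}
ROLES = {"alice": "user", "carol": "admin"}


def delete_user_trusting_client(request):
    # Vulnerable: the only "check" is a field the client sent. Hiding the
    # delete link from non-admin users in the UI changes nothing, because
    # anyone can craft a request with is_admin=true themselves.
    if request.get("is_admin") == "true":
        return ("deleted", request["target"])
    return ("forbidden", None)


def delete_user_server_checked(request):
    # Fixed: identify the caller from the session cookie, then look the
    # caller's role up on the server. Nothing the client sends is trusted
    # for the authorization decision itself.
    user = SESSIONS.get(request.get("cookie"))
    if user is None:
        return ("unauthenticated", None)  # missing authentication check, closed
    if ROLES.get(user) != "admin":
        return ("forbidden", None)        # function-level check, server-side data
    return ("deleted", request["target"])


if __name__ == "__main__":
    # Alice is a plain user but claims to be an admin in the request body.
    forged = {"cookie": "sess-alice", "is_admin": "true", "target": "bob"}
    print("trusting client:", delete_user_trusting_client(forged))
    print("server checked: ", delete_user_server_checked(forged))
```

Every function that changes state needs the server-side version of this check; a single endpoint that relies on the UI not showing a link is enough to lose the protection.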

OWASP Top 10 – CSRF
Cross-Site Request Forgery
- State-changing functions are the focus of this kind of attack
- This is where an attacker can cause a forged page request, with known, predictable variables, to do something the user may not have wanted
- Think about someone logged into their bank in one tab and browsing the internet in another: they click a malicious link that causes their browser to transfer funds from their bank account
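The bank scenario above, as an added example that is not part of the lecture material: a funds-transfer handler that only checks the session cookie, beside one that also requires a per-session anti-CSRF token and checks the Origin header. The session store, token format and origin are constructed for the example. The point to notice is that the browser attaches the session cookie to a request from any page, but a page on another origin cannot read the token embedded in the bank's own form.

```python
import hmac
import secrets

SITE_ORIGIN = "https://bank.example"  # constructed: the bank's own origin

# Constructed server-side session store keyed by the session cookie value.
# Each session is issued its own random anti-CSRF token when created.
SESSIONS = {
    "sess-alice": {"user": "alice", "csrf_token": secrets.token_hex(16)},
}


def render_transfer_form(session_id):
    # The bank's own transfer page embeds the session's token as a hidden
    # field. Same-origin policy stops other sites from reading this page.
    return {"csrf_token": SESSIONS[session_id]["csrf_token"]}


def transfer_vulnerable(session_id, form, origin=None):
    # Vulnerable: only the session cookie is checked, and the browser sends
    # that cookie along with any request to the bank, whoever triggered it.
    if session_id not in SESSIONS:
        return "unauthenticated"
    return f"transferred {form['amount']} to {form['to']}"


def transfer_protected(session_id, form, origin=None):
    session = SESSIONS.get(session_id)
    if session is None:
        return "unauthenticated"
    # Check 1: when the browser supplies an Origin header, it must be ours.
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    # Check 2: the form must carry this session's token; compare in
    # constant time so timing does not leak partial matches.
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: missing or wrong csrf token"
    return f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    # Form the bank's own page submits (token included).
    legit = {"amount": "10", "to": "savings", **render_transfer_form("sess-alice")}
    # Form a page on another site can make the victim's browser submit:
    # the cookie goes along automatically, the token does not.
    forged = {"amount": "10", "to": "attacker"}
    print("vulnerable, forged form:", transfer_vulnerable("sess-alice", forged))
    print("protected, forged form: ", transfer_protected("sess-alice", forged))
    print("protected, legit form:  ", transfer_protected("sess-alice", legit, origin=SITE_ORIGIN))
```

Web frameworks generally ship this token mechanism already; the example is there to show what the framework is doing and why both a token and an origin check are worth keeping.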

OWASP Top 10 – Vulnerabilities
Using Components with Known Vulnerabilities
- Generally speaking, keeping your software up to date can prevent this
- Sometimes a security patch is released but is not specific about which versions of the software it applies to, and you may not realize you need it
- It can be especially difficult with open source software that does not maintain a clear and readable list of patches and the versions they should be applied to

OWASP Top 10 – Redirects
Unvalidated Redirects and Forwards
- If your code performs a redirect, ensure you have hard coded where the redirect will go
- If you must make a decision based on user input, make sure you properly validate the information provided
- If the user can pass the page they want to be redirected to, ensure you maintain a whitelist of allowed pages to redirect to
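The third bullet in practice, as an added example that is not from the slides: a function that takes a user-supplied "next" URL and returns either that URL, if it is a local path or on the whitelist of allowed hosts, or a fixed fallback page. The host list and fallback are constructed for the example. It goes slightly beyond the slide in handling the URL shapes that commonly slip past a naive check, such as protocol-relative URLs and a trusted hostname hidden in the userinfo part.

```python
from urllib.parse import urlsplit

# Constructed whitelist of hosts we are willing to redirect to.
ALLOWED_HOSTS = {"bank.example", "help.bank.example"}
FALLBACK = "/home"  # hard-coded destination used whenever validation fails


def redirect_unvalidated(next_url):
    # Vulnerable: whatever the user passed becomes the Location header.
    return next_url


def safe_redirect_target(next_url):
    # Returns a destination that is either a local path on this site or an
    # absolute http(s) URL whose host is on the whitelist; anything else
    # falls back to a fixed page.
    try:
        parts = urlsplit(next_url)
    except ValueError:
        return FALLBACK

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference. Require a single leading slash: "//host/..." and
        # "///host/..." are treated by browsers as another host, and a
        # backslash after the slash is normalised to "//" by some browsers.
        if (
            next_url.startswith("/")
            and not next_url.startswith("//")
            and "\\" not in next_url
        ):
            return next_url
        return FALLBACK

    # Absolute URL: only http(s), and only a whitelisted host. Using
    # .hostname (not .netloc) means "https://bank.example@evil.example/"
    # is judged by its real host, evil.example, and rejected.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return next_url
    return FALLBACK


if __name__ == "__main__":
    for candidate in [
        "/account/summary",
        "https://help.bank.example/faq",
        "https://evil.example/",
        "//evil.example/",
        "https://bank.example@evil.example/",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)}")
```

Matching on the exact parsed hostname is deliberate: checking with `startswith("https://bank.example")` would also accept `https://bank.example.evil.example/`, and checking that the string merely contains the trusted name would accept the userinfo trick shown above.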

OWASP Top 10
- Many of the top 10 vulnerabilities to watch out for are fairly bad on their own, but significantly worse when combined with others
- Having a series of these issues in your application can cause major problems over time, as they are discovered by attackers

Security Implications
Having vulnerabilities in your system can have several different resulting issues:
- System outage (due to data destruction, etc.)
- User issues with using the system
- Reputation of the parent company
- System vandalism (injected advertisements for competitors, etc.)
- Theft of data (sensitive or otherwise)
- Loss of revenue

Lab 8 – Web Security
- Create two (2) web pages
- Page 1 should contain an example of a form vulnerable to SQL Injection
- Page 2 should contain the exact same form with the vulnerability prevented
- Include the links to both pages and an example of what to enter to see a safe SQL Injection
- Ensure that I can see how the SQL Injection succeeds/fails
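The server-side half of the lab, as an added example (not the instructor's solution, and not tied to any particular web framework): one login check that concatenates the form fields into the SQL text, beside the same check using a parameterized query, run against a constructed in-memory SQLite table. The table contents and the tautology input are constructed for the example; the clear-text passwords are there only to keep the lab's SQL point isolated from the hashing discussed under data exposure.

```python
import sqlite3


def make_db():
    # Constructed sample table for the lab; two users, clear-text passwords.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "pw-alice"), ("bob", "pw-bob")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Page 1 behaviour: form fields are pasted straight into the query text,
    # so a quote in the input ends the string literal and the rest of the
    # input becomes SQL. Returns the usernames the query matched.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    # Page 2 behaviour: the query text is fixed and the values are bound
    # separately, so the database never interprets the input as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # What to enter in the form to see the difference: the classic tautology.
    # In the vulnerable page this makes the WHERE clause true for every row.
    probe = "' OR '1'='1"
    print("normal login, vulnerable:    ", login_vulnerable(conn, "alice", "pw-alice"))
    print("normal login, parameterized: ", login_parameterized(conn, "alice", "pw-alice"))
    print("tautology, vulnerable:       ", login_vulnerable(conn, probe, probe))
    print("tautology, parameterized:    ", login_parameterized(conn, probe, probe))
```

When you wire this into your two pages, render the returned list so the grader can see the vulnerable page log in as every user and the fixed page return nothing for the same input. One caveat for testing with SQLite from Python: `execute` refuses to run more than one statement per call, so the vulnerable page here can be made to return extra rows but not to run a second statement; other database drivers are not so forgiving, which is one more reason to parameterize.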

Next Week
- Thu Nov 19: Lab/Term Project working day
Reminders:
- Lab 8 – Web Security due on Dec 3rd
- Term Project is due on Dec 10th
- If you want to get partial credit for any assignments, the last day they will be accepted is Dec 3rd at midnight; D2L will lock out submissions at that time