Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas.

Published byPosy Jackson Modified over 8 years ago

Similar presentations

Presentation on theme: "WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas."— Presentation transcript:

1 WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas

2 Introduction to Languages

3 Languages  PHP  Javascript  SQL  HTML

4 PHP  Interpreted Server Side  Dynamic  Handles GET/POST  Manages Sessions  Has Own Set of Vulnerabilities  Not Covered Here

5 PHP

6  Session Demo  10.176.169.7/web_demo/sample.php

7 Javascript  Dynamic  Embedded in HTML  Interpreted Client Side!!!

8 Javascript  Demo time!  10.176.169.7/web_demo/js.html

9 SQL  Query Databases  Most Common for CTFs  Used to Access Data  Usernames  Passwords  Credit Card #s  Fun Stuff

10 SQL  To select a user: SELECT * from users WHERE name = 'Bob';  The username is determined at runtime, so let’s make it: SELECT * from users WHERE name = '$name';  For example, if $name is “Joe”: SELECT * from users WHERE name = 'Joe';

11 HTML  Describes Layout of Webpage  Sometimes Contains Debug Info  Usually not very interesting...

12 HTTP  Protocol that provides the way to communicate over the web  It is stateless and asynchronous  Simulate state with sessions  Your browser keeps session information  The server uses this to keep track of your state  Example: Shopping Cart  Session has an ID tied to a cart in database  Every page you visit has to establish your identity

13 HTTP Requests  Methods  GET – asks server for information  POST – gives server data  PUT – tells server to modify or create data  DELETE – tells server to delete data  Examples  GET shows your profile on a webpage  POST is used to upload your picture  PUT changes your bio  DELETE gets rid of the embarrassing picture

14 HTTP Request Parameters  Along with URL and method, requests carry data in the form of parameters  GET  Visible from URL: http://www.facespace.com/profile.php?id=13  Can be used easily in hyperlinks  POST  Not visible in URL or link, embedded in request  We can still alter these

15 Parameter Tampering

16 Overview  Very basic attack on HTTP protocol  Exploits server’s misguided trust in data from user

17 Example – Game High Scores Web Server Give me a game Here’s one

18 Example – Game High Scores Web Server Game (Local) Score

19 Example – Game High Scores Web Server Game (Local) Score Nice! Here’s how I did…

20 Attack – Game High Scores Web Server Game (Local) Score Nice! Here’s how I SAY I did…

21 Example – PayPal Merchant I want to buy this Pay for it with PayPal

22 Example – PayPal PayPal Here’s how much I owe you. Merchant Sounds good.

23 Example – PayPal PayPal Tell them you paid Thanks! I paid Merchant

24 Attack – PayPal PayPal Here’s how much I say I owe you. Merchant Sounds good.

25 Attack – PayPal PayPal Tell them you paid Thanks! I paid what you said Merchant

26 Tools and Demo  Firefox  TamperData  Live HTTP Headers  BurpSuite

27 Mitigation  Never trust the integrity of data that a user can edit  Web services can allow servers to talk and bypass the user

28 END  End of Week 1

Download ppt "WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas."

Similar presentations

CS 4720 RESTfulness CS 4720 – Web & Mobile Systems.

CS 4720 RESTfulness CS 4720 – Web & Mobile Systems.
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
HTML Form Processing Learning Web Design – Chapter 9, pp 143-163 Squirrel Book – Chapter 11, pp 251-266.

HTML Form Processing Learning Web Design – Chapter 9, pp Squirrel Book – Chapter 11, pp
Master’s course Bioinformatics Data Analysis and Tools Lecture 6: Internet Basics Centre for Integrative Bioinformatics.

Master’s course Bioinformatics Data Analysis and Tools Lecture 6: Internet Basics Centre for Integrative Bioinformatics.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.

INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
Multiple Tiers in Action

Multiple Tiers in Action
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Creating your website Using Plain HTML. What is HTML? ► Web pages are authored in HyperText Markup Language (HTML) ► Plain text is marked up with tags,

Creating your website Using Plain HTML. What is HTML? ► Web pages are authored in HyperText Markup Language (HTML) ► Plain text is marked up with tags,
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
INTRO TO MAKING A WEBSITE Mark Zhang.  HTML  CSS  Javascript  PHP  MySQL  …That’s a lot of stuff!

INTRO TO MAKING A WEBSITE Mark Zhang.  HTML  CSS  Javascript  PHP  MySQL  …That’s a lot of stuff!
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
269200 Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
1 Open Source Programming. -Introduction to PHP -PHP installation /wamp server installation for PHP environment -PHP syntax -PHP variables -PHP Strings.

1 Open Source Programming. -Introduction to PHP -PHP installation /wamp server installation for PHP environment -PHP syntax -PHP variables -PHP Strings.
MIS 301 Information Systems in Organizations Dave Salisbury ( )

MIS 301 Information Systems in Organizations Dave Salisbury ( )
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Similar presentations

Ads by Google