Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

Published byWilla Singleton Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users."— Presentation transcript:

1 1 Avoiding Hacker Attacks

2 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users.

3 3 Getting Started Start with the Databound ComboBox from last class: http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_12_Hacker_Attacks/ http://www.cse.usf.edu/~turnerr/Software_Systems_Development/ Downloads/2011_04_12_Hacker_Attacks/ File Alt_Databound_Combo_Box.zip Download Extract Build and run

4 4 Hacker Attacks Any time we accept user input and put it into a command string, there is a danger of hacker attacks. A user can enter information that subverts the command we meant to give and makes it do something else. Example: Connection String Parameter attack https://www.defcon.org/images/defcon-18/dc-18-presentations/Alonso- Palazon/DEFCON-18-Alonso-Palazon-String.pdf https://www.defcon.org/images/defcon-18/dc-18-presentations/Alonso- Palazon/DEFCON-18-Alonso-Palazon-String.pdf Thanks to student Ryan Wheeler for this reference!

5 5 The Connection String String cs = "server=scorpius.eng.usf.edu; " + "User=" + tbUserName.Text + ";" + "Password=" + tbPassword.Text; At run time: server=scorpius.eng.usf.edu;User=wpusr40;Password=xxxxx Connection string is a series of pairs separated by semicolors. If a parameter appears multiple times, the last one wins. The user can type a semicolon in the password box and add his own parameter to the connection string.

6 The Threat If you don't prevent this kind of attack an unscrupulous user can redirect your application to any server of his choice. 6

7 7 A Connection String Parameter Attack Password: xxxxx;server=sql2k508.discountasp.net

8 8 A Connection String Parameter Attack Toby, I don't think we are on scorpius any more!

9 9 Customer Selected

10 10 Defense Against the Dark Arts To foil this attack, scan user inputs for semicolons. Reject any input including a semicolon.

11 11 Checking for Semicolons private void btnLogIn_Click(object sender, EventArgs e) { String cs = "server=scorpius.eng.usf.edu; " + "User=" + tbUserName.Text + ";" + "Password=" + tbPassword.Text; if ((tbUserName.Text.IndexOf(';') >= 0) || (tbPassword.Text.IndexOf(';') >= 0)) { MessageBox.Show("Invalid input"); return; } Select_Customer sc = new Select_Customer(cs); this.Hide(); sc.ShowDialog(); this.Show(); }

12 12 Foiled Attack Password: xxxxx;server=sql2k508.discountasp.net

Download ppt "1 Avoiding Hacker Attacks. 2 Objectives You will be able to Avoid certain hacker attacks and crashes due to bad inputs from users."

Similar presentations

1 Northwind Traders Order Entry. 2 Northwind Traders Call Center Add an Order Entry capability to the Northwind Traders Call Center application. Start.

1 Northwind Traders Order Entry. 2 Northwind Traders Call Center Add an Order Entry capability to the Northwind Traders Call Center application. Start.
Excel Services IV: Allow user input Overview: Be selective When you use Excel Services to publish an Excel 2007 spreadsheet to your Microsoft Office SharePoint.

Excel Services IV: Allow user input Overview: Be selective When you use Excel Services to publish an Excel 2007 spreadsheet to your Microsoft Office SharePoint.
Annotated User Input Screens from EM Oracle Custom Install Install.

Annotated User Input Screens from EM Oracle Custom Install Install.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Form Basics CS380 1. Web Data  Most interesting web pages revolve around data  examples: Google, IMDB, Digg, Facebook, YouTube, Rotten Tomatoes  can.

Form Basics CS Web Data  Most interesting web pages revolve around data  examples: Google, IMDB, Digg, Facebook, YouTube, Rotten Tomatoes  can.
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.

What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.

C. Edward Chow Presented by Mousa Alhazzazi C. Edward Chow Presented by Mousa Alhazzazi Design Principles for Secure.
INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.

INTERNET THREATS AND HOW TO PROTECT YOUR COMPUTER -BRIAN ARENDT.
Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.

Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.
Email Evidence.

Evidence.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
Telerik Software Academy ASP.NET Web Forms Data Validation, Data Validators, Validation Groups Telerik Software Academy

Telerik Software Academy ASP.NET Web Forms Data Validation, Data Validators, Validation Groups Telerik Software Academy
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
JavaScript, Fourth Edition

JavaScript, Fourth Edition
11 Updating a Database Table Textbook Chapter 14.

11 Updating a Database Table Textbook Chapter 14.
Internet Forms and Database Bob Kisel Amgraf, Inc.

Internet Forms and Database Bob Kisel Amgraf, Inc.
COMPREHENSIVE Windows Tutorial 5 Protecting Your Computer.

COMPREHENSIVE Windows Tutorial 5 Protecting Your Computer.

Similar presentations

Ads by Google