Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Presentation transcript:

Slide 1: Web 2.0 security. Kushal Karanjkar, under guidance of Prof. Richard Sinn.

Slide 2: What is Web 2.0?
- Second generation of the World Wide Web.
- Transition of the World Wide Web into a computing platform: social networking sites, communication tools and other internet-based services.
- Download and upload (distributed developers).
- Simple, interactive, attractive.
- Examples: Facebook, Wikipedia, MySpace, eBay.

Slide 3: Web 2.0 Architecture (diagram; only the labels are recoverable from the transcript)
- Web client: Ajax, Flash (RIA), HTML/CSS, JS, DOM.
- Transport: HTTP/HTTPS, carrying SOAP, REST and XML-RPC for web services.
- Web server: scripted web engine, SOA/SaaS API, web services and an application server exposing web service endpoints.
- Back end and feeds reached over the Internet: database, email, news/documents, RSS feeds, blogs.

Slide 4: Web Security Threats
1. Cross-site scripting
2. XML poisoning
3. Malicious Ajax code execution
4. RSS injection
5. Dynamic code obfuscation
6. WSDL scanning and enumeration
7. Client-side validation in AJAX routines
8. Web services routing
9. Parameter manipulation
10. XPATH injection in SOAP messages

Slide 5: Dynamic Code Obfuscation
- Attack: code obfuscation using an encryption algorithm. The attacker places encrypted code on the user's computer and destroys their data.
- The actual (malicious) code embedded in the web page is difficult to detect.
- Anti-virus products can not detect it.
- Solution: de-obfuscation, a reverse-engineering process in which the obfuscated code is decrypted back to the original code.

Slide 6: Dynamic Code Obfuscation (diagram): a Network De-Obfuscator placed in front of the secured web site.

Slide 7: Demo: Network De-Obfuscator. "!! WARNING !!"

Slide 8: Cross site scripting
- Dynamic content: an input parameter from the user is displayed on the same page.
- Malicious JavaScript code from a particular web site gets executed on the victim's browser.
- Screenshot on the slide: a login form for Web.com (Username, Password, Submit, Cancel, "New User SignUP!", "WelCome to Web.com").
- Code shown on the slide, first the normal redirect and then the tampered one (the injected script is cut off in the transcript):

    response.sendRedirect("login.jsp?ErrorMessage (\"invalid username\")");
    response.sendRedirect("login.jsp? ErrorMessage (){ };

Slide 9: Detection and suggested solution
- Detection: can be detected easily by many single-user detector firewalls, for example by matching the </script pattern.
- Suggested solution: do not display JavaScript when it is not required.
- Filter user input wherever there seems to be a chance of attack.
- Encode output that is based on input coming from the user.
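Slides 8 and 9 together describe the flaw (the ErrorMessage parameter of login.jsp reflected into the page) and the fix (filter input, encode output). The following is an added Python example, not code from the deck; it assumes the ErrorMessage parameter name from slide 8, a hypothetical login-page renderer standing in for login.jsp, and constructed redirect URLs.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample redirects, modelled on the slide's
# response.sendRedirect("login.jsp?ErrorMessage=...") call.
BENIGN_REDIRECT = "login.jsp?ErrorMessage=invalid+username"
HOSTILE_REDIRECT = "login.jsp?ErrorMessage=%3Cscript%3Ealert(1)%3C/script%3E"

# Slide 9's detection idea: look for an opening or closing script tag.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def error_message_from(redirect_url: str) -> str:
    """Recover the ErrorMessage parameter exactly as login.jsp would see it."""
    query = urlsplit(redirect_url).query
    return parse_qs(query).get("ErrorMessage", [""])[0]


def looks_like_script_injection(value: str) -> bool:
    """True when the reflected value carries a <script or </script pattern."""
    return SCRIPT_TAG.search(value) is not None


def render_login_vulnerable(msg: str) -> str:
    """Reflects the parameter into the page unencoded (the flaw on slide 8)."""
    return f'<p class="error">{msg}</p>'


def render_login_encoded(msg: str) -> str:
    """Same page with output encoding: the browser shows the text, never runs it."""
    return f'<p class="error">{html.escape(msg, quote=True)}</p>'


def handle_login_redirect(redirect_url: str) -> str:
    """Filter on input, then encode on output, as slide 9 recommends."""
    msg = error_message_from(redirect_url)
    if looks_like_script_injection(msg):
        msg = "invalid request"  # refuse to reflect suspicious input at all
    return render_login_encoded(msg)


if __name__ == "__main__":
    hostile = error_message_from(HOSTILE_REDIRECT)
    print(render_login_vulnerable(hostile))   # script tag reaches the browser
    print(handle_login_redirect(HOSTILE_REDIRECT))  # neutral, encoded message
```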

Slide 10: Conclusion
- Web 2.0 is an emerging technology.
- Web services such as AJAX and RIA have improved the overall effectiveness and efficiency of web applications.
- Increased Web 2.0 security awareness, secure coding practices and secure deployments offer the best defense against any attack.
