Published by Solomon James. Modified over 9 years ago.
Slide 1: Web Application Security
ECE 4112
ECE 4112 - Internetwork Security

Slide 2: What is a Web Application?
- An application generally comprised of a collection of scripts that reside on a web server
- Interacts with databases or other sources of dynamic content
- Examples include search engines, webmail, shopping carts and portal systems
Slide 3: Web Applications Breach the Perimeter
Slide 4: Web Application Vulnerabilities
- Generally stem from improper handling of client requests and/or lack of input validation checking
- Web applications are publicly accessible
- They process data elements taken from within HTTP requests
- They often fail to identify how those data elements were captured, so it is difficult to know what kind of validation and sanity checking to apply
Slide 5: The Root of the Issue: Input Validation
- Missing validation can be difficult to locate in a large code base
- Penetration testing is used to expose the problems
- Web applications are also subject to traditional forms of attack
Slide 6: SQL Injection Vulnerabilities
- Stems from developers failing to strip user input of potentially "nasty" characters before the input is used in a query
- Can lead to varying levels of data/system access for the attacker
- May allow reading or writing files, or execution of shell commands on the underlying OS
Slide 7: Locating SQL Injection Vulnerabilities
- Study the application's inputs and insert special characters
- Most popular database backends give informative error messages, yielding clues about the SQL syntax in use
- http://www.abc.com/app.asp?user=jason&password=' OR '1'='1
- http://www.abc.com/app.asp?user=jason&password='
Slide 8: Testing For SQL Injection
Slide 9: JSP Code Example

String username = request.getParameter("user");
String password = request.getParameter("password");
// Vulnerable by design: user input is concatenated straight into the SQL string
String SQLQuery = "SELECT Username FROM Users WHERE Username = '" + username + "' AND Password = '" + password + "'";
Statement stmt = dbConnection.createStatement();
ResultSet resultSet = stmt.executeQuery(SQLQuery);
// The cursor must be advanced with next() before a column can be read
String checkAuth = resultSet.next() ? resultSet.getString(1) : null;
boolean authenticated = (checkAuth != null);
Slide 10: Web Form Example
Login: ' OR '1'='1
Password: ' OR '1'='1

Now the SQL query becomes:
SELECT Username FROM Users WHERE Username = '' OR '1'='1' AND Password = '' OR '1'='1'
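The following is an added example, not code from the lecture. It reproduces the vulnerable pattern of the JSP slide next to the parameterized form that the input-validation slides call for, using an in-memory SQLite table as a stand-in for the Users table (the table, the test account and the `login_*` function names are all constructed for this example). Run it and the same `' OR '1'='1` input logs in against the concatenated query but is treated as a literal username against the placeholder query.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lecture's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('jason', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the JSP slide: input is concatenated into the statement text,
    # so quote characters in the input become part of the SQL syntax.
    query = ("SELECT Username FROM Users WHERE Username = '" + username +
             "' AND Password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    # Placeholders: the driver passes the values separately from the
    # statement, so the input can never change the query's structure.
    row = conn.execute(
        "SELECT Username FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    # Returns the four outcomes so the difference is checkable, not just printed.
    conn = make_db()
    payload = "' OR '1'='1"   # the input from the Web Form Example slide
    return {
        "valid_vulnerable": login_vulnerable(conn, "jason", "s3cret"),
        "valid_parameterized": login_parameterized(conn, "jason", "s3cret"),
        "bypass_vulnerable": login_vulnerable(conn, payload, payload),
        "bypass_parameterized": login_parameterized(conn, payload, payload),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authenticated' if ok else 'rejected'}")
```

The parameterized version needs no character stripping at all: the fix is structural, which is why it is preferred over trying to enumerate "nasty" characters.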
Slide 11: OS Commanding
If a hacker can access your cmd.exe or a copy of it, he can use it to execute arbitrary commands on your web server. In conjunction with tftp, a hacker could use this to download his own tools to the machine and compromise it further.
Slide 12: Cross Site Scripting
- Also known as XSS
- Embeds JavaScript into a page so that it executes when the page is viewed
- Commonly used to display and redirect user cookie data
- Message boards and web forms are particularly vulnerable
Slide 13: Cross Site Scripting Examples
- <script>alert(document.cookie)</script> displays the user's cookie, which can contain session and authentication information
- Gmail XSS vulnerability (fixed): the zx variable used in authentication could contain exploitable scripts
- Often the script text is converted to hex characters to hide its intent
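An added example (not from the lecture) of why the fix for the message-board case is output encoding rather than a filter on the raw input. The post body and its hex (percent-encoded) form are constructed; `naive_blocklist`, `render_unsafe` and `render_encoded` are names chosen for this example. The block decodes the parameter once, then HTML-encodes it at the point it is written into the page, which neutralizes both the plain and the hex-encoded payload from the slide.

```python
import html
from urllib.parse import unquote

# Constructed message-board post carrying the slide's test script.
RAW_POST = "<script>alert(document.cookie)</script>"
# The same payload converted to percent-hex, as it might arrive in a query string.
HEX_POST = "%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"


def naive_blocklist(param):
    # A keyword filter on the raw parameter; True means "allowed".
    # It misses the hex-encoded form entirely.
    return "<script" not in param.lower()


def render_unsafe(param):
    # Vulnerable pattern: decode the parameter and write it into the page as-is.
    return '<div class="post">' + unquote(param) + "</div>"


def render_encoded(param):
    # Hardened pattern: decode once, then HTML-encode at output so the browser
    # renders the text instead of parsing it as markup.
    return '<div class="post">' + html.escape(unquote(param), quote=True) + "</div>"


def would_execute(page):
    # Rough stand-in for the browser's parser: an unescaped <script start tag
    # in the emitted markup is what makes the payload run.
    return "<script" in page.lower()


if __name__ == "__main__":
    for label, post in (("plain", RAW_POST), ("hex", HEX_POST)):
        print(label, "blocklist allows:", naive_blocklist(post))
        print(label, "unsafe render executes:", would_execute(render_unsafe(post)))
        print(label, "encoded render executes:", would_execute(render_encoded(post)))
```

Encoding at output also covers data that reached the database by some other path, which a request-time filter never sees.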
Slide 14: Phishing Attacks
- The attacker creates a replica login page that forwards the entered information to them
- Usually targets financial institutions
- Spread by email that persuades users to access the fake page and log in
- In October 2004 there were 1142 phishing sites, up from 542 in September
Slide 15: Phishing Examples
- Citibank was a recent target: www.citibank.com/domain/email_scam.htm
- Newer, more sophisticated attacks are being used by organized crime groups to collect credit card and social security numbers
- Email links can contain an IP address instead of a DNS name
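The last bullet suggests a simple mail-gateway check. This added example (not part of the lecture) audits the links in a message body for the two signs mentioned or implied on the slide: a target host that is a bare IP address, and link text that shows one host while the href points at another. The sample message and its hosts are constructed from reserved documentation names and ranges (example.com, example.net, 192.0.2.0/24); `audit_links` and the regexes are this example's own.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample message body; none of these hosts belong to a real institution.
SAMPLE_EMAIL = """
<p>Your account needs verification.</p>
<a href="http://192.0.2.10/login">https://bank.example.com/login</a>
<a href="https://bank.example.com/login">https://bank.example.com/login</a>
<a href="https://bank.example.net/login">https://bank.example.com/</a>
<a href="https://bank.example.com/help">Help center</a>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that looks like a URL or hostname, e.g. https://bank.example.com/login
HOSTLIKE_RE = re.compile(r'(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?')


def is_ip_literal(host):
    # True for IPv4/IPv6 literals such as 192.0.2.10 (the slide's "IP address instead of DNS name").
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def displayed_host(text):
    # Host the reader *sees* in the link text, or None if the text is not URL-like.
    text = text.strip()
    if not HOSTLIKE_RE.fullmatch(text):
        return None
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def audit_links(body):
    # One finding per anchor; an empty reasons list means nothing suspicious.
    findings = []
    for href, text in LINK_RE.findall(body):
        target = urlparse(href).hostname or ""
        reasons = []
        if is_ip_literal(target):
            reasons.append("ip-literal host")
        shown = displayed_host(text)
        if shown is not None and shown != target:
            reasons.append(f"displayed host {shown} != target {target}")
        findings.append({"href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f["href"], "->", f["reasons"] or "ok")
```

These two checks are cheap heuristics for a gateway or a user-education demo, not a complete phishing detector; they say nothing about a lookalike domain registered by the attacker.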
Slide 16: Achilles Web Proxy
- Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly.
- By modifying parameters, a user can potentially alter the contents of hidden fields or gain access to additional resources.
- Can also be used to change cookie values.
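Because a proxy like Achilles lets the client rewrite anything in the request, the server-side defense is to treat hidden fields and cookies as untrusted. This added example (not from the lecture or the Achilles project) shows the two countermeasures for the cases the slide names: recomputing a price from a server-side catalog instead of believing a hidden field, and attaching an HMAC tag to a cookie so an edited value fails verification. The catalog, key, form and function names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed server-side state. The key is a demo value; a real deployment
# loads it from server configuration, never from anything the client sends.
SECRET_KEY = b"constructed-demo-key-change-me"
CATALOG = {"sku-100": 4999}   # authoritative unit price in cents


def checkout_trusting_form(form):
    # Vulnerable pattern: the hidden "price" field is believed as sent by the browser.
    return int(form["price"]) * int(form["qty"])


def checkout_server_side(form):
    # Hardened: only the SKU and quantity are read from the form; the price is
    # looked up server-side and the quantity is range-checked.
    sku = form["sku"]
    qty = int(form["qty"])
    if sku not in CATALOG or not 1 <= qty <= 10:
        raise ValueError("rejected form")
    return CATALOG[sku] * qty


def issue_cookie(user, role):
    # Cookie value plus an HMAC-SHA256 tag over it; only the server holds the key.
    payload = f"{user}:{role}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def read_cookie(cookie):
    # Returns the claims only if the tag verifies; any edited value yields None.
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    user, role = payload.split(":", 1)
    return {"user": user, "role": role}


# Constructed request as it might look after a proxy edited the hidden price field.
TAMPERED_FORM = {"sku": "sku-100", "qty": "2", "price": "1"}

if __name__ == "__main__":
    print("trusting form:", checkout_trusting_form(TAMPERED_FORM))
    print("server-side:", checkout_server_side(TAMPERED_FORM))
    cookie = issue_cookie("jason", "user")
    print("genuine cookie:", read_cookie(cookie))
    print("edited cookie:", read_cookie(cookie.replace(":user|", ":admin|")))
```

The tag stops modification only; it does not hide the cookie's contents or prevent a stolen cookie from being replayed, so session data that must stay secret still belongs server-side, keyed by an opaque session id.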
Slide 17: What you will do in this lab
- Information gathering using nmap and netcat
- SQL injection
- OS commanding
- Cross site scripting
- Phishing attacks
- Achilles web proxy
Slide 18: Resources
Lecture slides excerpted from:
- http://www.securityfocus.com/infocus/1709
- http://www.securityfocus.com/infocus/1722
- http://www.securityfocus.com/infocus/1704
- "Phishing spreads the net wider." Computer Weekly, November 2004.
- http://www.securitytracker.com/alerts/2004/Nov/1012289.html
- "Cross-Site Scripting." SPI Dynamics.
- "Top Web App Attack Methods and How to Combat Them." SPI Dynamics.
- http://www.mavensecurity.com/achilles