Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cloud = Web, Web = Hacked! Fabio Viggiani. Why Web Apps? Every organization exposes web apps Most common entry point Image source:

Published byLeon Richardson Modified over 9 years ago

Similar presentations

Presentation on theme: "Cloud = Web, Web = Hacked! Fabio Viggiani. Why Web Apps? Every organization exposes web apps Most common entry point Image source:"— Presentation transcript:

1 Cloud = Web, Web = Hacked! Fabio Viggiani

2 Why Web Apps? Every organization exposes web apps Most common entry point Image source: http://i.imgur.com Image source: https://www.flickr.com/photos/ brianklug/6870002408

3 Focus SQL injection, XSS… again with that old stuff??? Well, we DO find them every day! Why?

4 Demo Environment

5 Let’s hack! Basic stuff – warm up and understand Cross Site Scripting (XSS) SQL injection Image source: http://gizmodo.com/5498412/sql-injection-license-plate-hopes-to-foil-euro-traffic-cameras

6 We should be able to fix this XSS filters available online Prepared statements – easy and well documented Let’s do it

7 Let’s hack, again. Image source: http://www.ekantipur.com

8 Demo Environment

9 2nd order SQL injection

10 What went wrong? Best practices Input validation / Output encoding Whitelist / Blacklist Localized fixes Code structure Default behaviors

11 We hack once again. For real now.

12

13

Download ppt "Cloud = Web, Web = Hacked! Fabio Viggiani. Why Web Apps? Every organization exposes web apps Most common entry point Image source:"

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Webgoat.

Webgoat.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
A Demo of and Preventing XSS in.NET Applications.

A Demo of and Preventing XSS in.NET Applications.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
A case for business.  College Curriculums Lacks security module Not updated  Programmers Hard to find Lack formal training unaware.

A case for business.  College Curriculums Lacks security module Not updated  Programmers Hard to find Lack formal training unaware.
Project 7 Discussion Section XSS and SQL Injection in Rails.

Project 7 Discussion Section XSS and SQL Injection in Rails.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Peter Torres, Tim Poley CS526 Spring 2009.  What is SQL Injection?  Basic Example  Case Studies  Defensive Techniques  Demo.

Peter Torres, Tim Poley CS526 Spring  What is SQL Injection?  Basic Example  Case Studies  Defensive Techniques  Demo.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
Basic Web Application Security. User Input Kick Your Arse.

Basic Web Application Security. User Input Kick Your Arse.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Similar presentations

Ads by Google