Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.

Published bySamuel Fields Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring."— Presentation transcript:

1 Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005

2 Web Application Vulnerabilities  Cross Site Scripting (XSS) with JavaScript injection  SQL Injection  Cross Site Scripting (XSS) with JavaScript injection  SQL Injection

3 Cross Site Scripting (XSS)  Allows attackers to run scripts from remote sites  Can be used to steal your cookies  Allows masquerading  Allows attackers to run scripts from remote sites  Can be used to steal your cookies  Allows masquerading

4 How does this happen?  Not validating data  Printing query_string directly to screen  Not validating data  Printing query_string directly to screen

5 How can I tell?  Find page that prints data from query_string  Create link as follows:  Page.cgi? alert(‘I am vulnerable’)  If popup box is displayed, you are vulnerable to XSS  Find page that prints data from query_string  Create link as follows:  Page.cgi? alert(‘I am vulnerable’)  If popup box is displayed, you are vulnerable to XSS

6 How can I prevent this?  Validate / Sanitize your input!!!!!  Languages provide build it functions for this  Treat all input as evil input  Validate / Sanitize your input!!!!!  Languages provide build it functions for this  Treat all input as evil input

7 What you will do in lab  Look at a XSS exploit.  Have your cookie stolen by this script.  Look at a XSS exploit.  Have your cookie stolen by this script.

8 SQL Injection  Allows attackers to interact more directly with your database than you intend  Can be used to bypass security  Can be used for information discovery  Allows attackers to interact more directly with your database than you intend  Can be used to bypass security  Can be used for information discovery

9 How does this happen?  Not validating data  Including user input directly in SQL statements  Form input  URL parameters  Not validating data  Including user input directly in SQL statements  Form input  URL parameters

10 How can I tell?  Use ‘ and “ in input boxes on your site and see if it causes error messages  Google for SQL error messages on your site  Use ‘ and “ in input boxes on your site and see if it causes error messages  Google for SQL error messages on your site

11 How can I prevent this?  Validate / Sanitize your input!!!!!  Languages provide built in functions for this  Treat all input as evil input  Validate / Sanitize your input!!!!!  Languages provide built in functions for this  Treat all input as evil input

12 What you will do in lab  Explore the possibilities of SQL Injection on a vulnerable website  See how big of a problem this is and learn how to prevent it.  Explore the possibilities of SQL Injection on a vulnerable website  See how big of a problem this is and learn how to prevent it.

13 Questions?

Download ppt "Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
SecuBat: An Automated Web Vulnerability Detection Framework

SecuBat: An Automated Web Vulnerability Detection Framework
Webgoat.

Webgoat.
Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.
Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Similar presentations

Ads by Google