Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Khaled Al-Sham’aa. What Is Security? Security is a measurement, not a characteristic. Security must be balanced with expense. Security must be.

Published byDonna Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Khaled Al-Sham’aa. What Is Security? Security is a measurement, not a characteristic. Security must be balanced with expense. Security must be."— Presentation transcript:

1 Security Khaled Al-Sham’aa

2 What Is Security? Security is a measurement, not a characteristic. Security must be balanced with expense. Security must be balanced with usability. Security must be part of the design.

3 Basic Steps Consider illegitimate uses of your application. Educate yourself. If nothing else: FILTER ALL INPUT DATA ESCAPE ALL OUTPUT DATA

4 Register Globals (1)

5 Register Globals (2)

6 Filtering (1)

7 Filtering (2)

8 Filtering (3)

9 Form Processing (1)

10 Form Processing (2)

11 Cross-Site Scripting (XSS)

12 Cross-Site Scripting (XSS) 1

13 Cross-Site Scripting (XSS) 2

14 Cross-Site Scripting (XSS) 3 htmlentities() strip_tags() utf8_decode()

15 Session Hijacking

16 SQL Injection (example 1)

17 SQL Injection (example 1) con. SELECT `id` FROM `logins` WHERE `username` = '$user' AND `password` = '$pwd' $user = “Khaled”; $pwd = “anything' OR 'x'='x”; SELECT `id` FROM `logins` WHERE `username` = 'Khaled' AND `password` = 'anything' OR 'x'='x'

18 SQL Injection (example 2) $query = “UPDATE usertable SET pwd='$pwd' WHERE uid='$uid' ”; $pwd = “abc”; $uid = “anything' or uid='admin'; -- ”; $query = “UPDATE usertable SET pwd='abc' WHERE uid= 'anything' or uid='admin'; -- ' ”;

19 Avoiding SQL Injection mysql_real_escape_string() for PHP version < 4.3.0 use addslashes() Prepared Statements

20 Questions

Download ppt "Security Khaled Al-Sham’aa. What Is Security? Security is a measurement, not a characteristic. Security must be balanced with expense. Security must be."

Similar presentations

PHP SQL. Connection code:- mysql_connect(server, username, password); Connect to the Database Server with the authorised user and password. Eg $connect.

PHP SQL. Connection code:- mysql_connect("server", "username", "password"); Connect to the Database Server with the authorised user and password. Eg $connect.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.

-Ajay Babu.D y5cs022.. Contents Who is hacker? History of hacking Types of hacking Do You Know? What do hackers do? - Some Examples on Web application.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.

Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.
CS144: Security. Smart Card OTP card Buffer Overflow Attack main() { if (login()) start_session(); return 0; } login() { char passwd[10]; gets(passwd);

CS144: Security. Smart Card OTP card Buffer Overflow Attack main() { if (login()) start_session(); return 0; } login() { char passwd[10]; gets(passwd);
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.

{ Code Injection Cable Johnson.  Overview  Common Injection Types  Developer Prevention Code Injection.
PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.

PHP-MySQL By Jonathan Foss. PHP and MySQL Server Web Browser Apache PHP file PHP MySQL Client Recall the PHP architecture PHP can communicate with a MySQL.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.

Check That Input Preventing SQL Injection Attacks By Andrew Morton For CS 410.
PHP Security.

PHP Security.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.

PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.
Securing Ruby on Rails CIS 6939 Web Engineering with Ruby on Rails University of North Florida Stephen Jones 8 July 2007.

Securing Ruby on Rails CIS 6939 Web Engineering with Ruby on Rails University of North Florida Stephen Jones 8 July 2007.

Similar presentations

Ads by Google