Presentation is loading. Please wait.

Presentation is loading. Please wait.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

Published byLorena Garrison Modified over 8 years ago

Similar presentations

Presentation on theme: "+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities."— Presentation transcript:

1 + Websites Vulnerabilities

2 + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities. The need to Discover Security Vulnerabilities. SQL Injection example detection prevention Cross Site Scripting HTTP Parameter Pollution (HPP)

3 + Expand of The Internet With the large expansion of the technology, and the enormous manufacturing and production of all the types of smart phones,tablets and internet based devices.

4 + Use of the Internet all of these devices have helped raising the number of the internet users, from all the ages, with all of their educational backgrounds. to reach the consumers and users; almost every college, government org, hospital and trading company moved to ”On-line Services"

5 + Examples

6 + Importance of the Internet so now a day the internet is Currently the main medium organizations are depending on for many real life applications. Because of that dependency on the internet in all types of transactions; the web is carrying enormous amount of sensitive information from all the types.

7 + The need to Discover Security Vulnerabilities. All of that amount of sensitive information, was an attraction for the Web Attackers to get illegal use of that information. these attacks have increased in the past years. So, to keep the safety of information and keeping websites security, we have the need to "Discover Security Vulnerabilities"

8 + How to find Security Vulnerabilities. Some times the programs view of their code will be narrow. And because of their confidence in their code, they usually don't find the v ulnerability in their websites and applications.

9 + White Hat Hackers. To find the vulnerabilities of your application/website, you have to think as an attacker (white hat hackers), and try to find the limit of your project immunity against many types of attacks, such as : Remote code execution SQL injection Format string vulnerabilities Cross Site Scripting (XSS) HTTP Parameter Pollution (HPP) After testing we fix the vulnerabilities to reject any attack

10 + SQL Injection It’s a major type of websites vulnerabilities. the SQL injection can be found when the application accepts data from the user. Finally taking that data without proper validation to be used to build SQL query, leads to harm our expose your sensitive information.

11 + SQL Injection - Example string Query= "SELECT * FROM users WHERE username = "'" + username + "' AND password = '" + password + "'"; string Query= "SELECT * FROM users WHERE username= 'joe' AND password = 'example' OR 'a'='a'

12 + SQL Injection - Prevention 1. Prepared Statements (Parameterized Queries) 2. Stored Procedures 3. Escaping All User Supplied Input

13 + Cross Site Scripting (XSS) Cross Site Scripting occurs when the data provided by the attacker is saved by the server, and then displayed permanently on "normal" pages returned to other users XSS forces a website to echo attacker-supplied executable code, which then loads in a user’s Web browser. That is, the user is the intended victim. That XSS exploit code, typically written in HTML/JavaScript, does not execute on the server. but execute within the Web browser. Also, XSS enables the theft of Web browser cookies, which can then be reused to hijack online user accounts, such as: Web banks, Web mail blogs, any other website feature accessible with a username and password.

14 + Cross Site Scripting (XSS)- types 1. NonPersistent it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser. 2. Persistent it occur in either community content driven websites or Web mail sites and do not require specially crafted links for execution. 3.Server-side versus DOM-based vulnerabilities persistent XSS much more dangerous than non-persistent because the user has no means of defending himself. Once a hacker has his exploit code in place, he’ll again advertise the URL to the infected

15 + Cross Site Scripting (XSS)- Examples

16 + Cross Site Scripting (XSS)- prevention 1. Contextual output encoding/escaping of string input 2. Safely validating untrusted HTML input 3. Cookie security 4. Disabling scripts 5. Emerging defensive technologies, including: 1. Content Security Policy. 2. JavaScript sandbox tools. 3. auto-escaping templates.

17 + HTTP Parameter Pollution (HPP) Supplying multiple HTTP parameters with the same name may cause an application to interpret values in unanticipated ways. By exploiting these effects, an attacker may be able to bypass input validation, trigger application errors or modify internal variables values.

18 + HTTP Parameter Pollution (HPP) – Example http://www.google.com/search?q= نتائج &q= اختبار &q= الجامعة

19 + HTTP Parameter Pollution (HPP) – Example http://search.yahoo.com/search;_ylt=Ajxtx6DKiSkS1pjEfg6zSMWbvZx4? p= نتائج &p= اختبار &p= الجامعة

20 + HTTP Parameter Pollution (HPP) – Example Input validation – Encoded query string delimiters Use safe methods – Parameter precedence – Channel (GET/POST/Cookie) validation Raise awareness – The client can provide the same parameter twice (or more)

21 + Thank you

Download ppt "+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Similar presentations

Ads by Google