Presentation is loading. Please wait.

Presentation is loading. Please wait.

The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.

Published byLouisa White Modified over 8 years ago

Similar presentations

Presentation on theme: "The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash."— Presentation transcript:

1 The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash

2 The attacks ● SQL Injection – first order: non-persistent – second order: persistent

3 The attacks ● Cross Channel Scripting – Similar to XSS and SQLI (contains all non-XSS, non- SQLI code injection vulnerabilites) – examples: ● Xpath Injection: unsanitzed data used in XML ● Malicious File Upload ● Open Redirects: (http://www.vulnerable.com?redirect=http://www.attacker.com) ● Path Traversal (http://foo.com/../../barfile)

4 The attacks ● Session Management – credentials sent over unencrypted HTTP – weak password recovery questions – weak CAPTCHAs – predicable authentication id values – insecure session cookies

5 The attacks ● Cross-Site Request Forgery – Alice is logged into her bank account – Trudy sends Alice an e-mail containing a link with a request to transfer money to Trudy's account ● could require a click ( ) ● or not ( ) – When the request is sent by Alice (eg by attempting to view the image), her authentication cookie is sent with it

6 The attacks ● SSL/Server Config – misconfigurations in the web server or SSL

7 Information Leakage ● Various methods of gaining sensitive information such as database names, source code or user names – die() function – path vulnerabilities

Download ppt "The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash."

Similar presentations

Webgoat.

Webgoat.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Vulnerability Assessment Course Applications Assessment.

Vulnerability Assessment Course Applications Assessment.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Chapter 4 Application Security Knowledge and Test Prep

Chapter 4 Application Security Knowledge and Test Prep
March Intensive: XSS Exploits

March Intensive: XSS Exploits
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google