
Slide 1: OWASP Top Ten

© 2009 Stephen Wolff, Application Security, Spring 2009

- Ten most critical WebApp security flaws. The top 2 are:
  1. XSS – Cross Site Scripting: unvalidated data sent to a browser
  2. Injection Flaws: user supplied data (unvalidated) sent to SQL
- This is the consensus of security experts globally
- Some of the best are right here in Central Texas!
- http://www.youtube.com/watch?v=GsRbpshqqII

Slide 2: SQL Basic Terminology

- SQL is a Relational Database Management System - RDBMS
- Table - rows that have the same attributes
- Row - collection of related information
- Column - attributes of an object, e.g., an Employee
- Primary Key - unique for each row

Employee Table

  Name  Emp#  Title  Mgr   Pay
  Dick  101   Sales  Spot  $50
  Jane  102   IT     Spot  $60
  Spot  103   Exec   BoD   $100

Slide 3: SQL Basic Query Format

- Select – From – Where
- SELECT * FROM employee WHERE (emp# = 102)
  (here "employee" is the tablename and "(emp# = 102)" is the condition)
- This will return the following row, which can be used or printed:
  Jane  102  IT  Spot  $60
- SELECT * FROM employee WHERE (TRUE) will return all rows.

Slide 4: Other SQL Syntax

- -- (two hyphens) is the comment sequence used for documenting code. It causes the SQL interpreter to ignore all else that follows.
- ; ends one SQL statement and starts another.
- ' in matched sets is used to enclose a character string.
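The following added example (not part of the original slides) puts slides 3 and 4 together: it builds the Employee table in an in-memory SQLite database, then compares a lookup that pastes user input into the statement text with one that binds it as a parameter. With the input "Spot' --", the quote closes the string literal and the comment sequence makes the interpreter ignore the rest of the WHERE clause, so the concatenated query returns a row the pay filter should have excluded; the bound parameter is treated purely as a name and matches nothing. Column names (emp_no, mgr) are assumptions, since "Emp#" is not a convenient SQL identifier.

```python
import sqlite3

# Constructed sample data: the Employee table from slide 2.
EMPLOYEES = [
    ("Dick", 101, "Sales", "Spot", 50),
    ("Jane", 102, "IT", "Spot", 60),
    ("Spot", 103, "Exec", "BoD", 100),
]


def make_db():
    """Create an in-memory database holding the Employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE employee "
        "(name TEXT, emp_no INTEGER, title TEXT, mgr TEXT, pay INTEGER)"
    )
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn


def lookup_unsafe(conn, name):
    """Vulnerable: the caller's string becomes part of the SQL text.

    A quote inside `name` ends the literal early, and `--` (slide 4)
    comments out everything after it, including the pay condition.
    """
    sql = f"SELECT name, pay FROM employee WHERE name = '{name}' AND pay < 70"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: `?` binds the value; SQL syntax in it is never interpreted."""
    sql = "SELECT name, pay FROM employee WHERE name = ? AND pay < 70"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for who in ("Jane", "Spot' --"):
        print(repr(who), "unsafe:", lookup_unsafe(db, who),
              "safe:", lookup_safe(db, who))
```

Running the block shows the pay filter holding for the bound query and silently disappearing for the concatenated one; a legitimate name containing an apostrophe (e.g. O'Brien) also breaks the concatenated query while the bound version handles it.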

Slide 5: SQL Injection Tutorial (YouTube)

- www.youtube.com/watch?v=z7eXjBvB2B4&feature=channel_page
- Note: there are plenty of SQL Injection automated tools available, and of course, some are better than others.

Slide 6: Simple XSS Tutorial (YouTube)

- Stored and Reflected XSS
- Similar, but reflected doesn't require login credentials!
- Failure on both due to no input or output sanitization.
- Stored: www.youtube.com/watch?v=7M-R6U2i5iI&feature=related
- Reflected: www.youtube.com/watch?v=V79Dp7i4LRM&feature=channel

Slide 7: Final Thoughts…

- Why consider Application Security?
- It's the most current category of vulnerabilities and attacks, it is widespread, and it is devastating.
- Barriers to entry (code skilz) are high but coming down, i.e., more tools like Metasploit
- On the Whitehat side: more teaching of secure coding practices, groups like OWASP, more tools like Metasploit and WebGoat
- Significant local expertise! RSnake, Matt Tesauro, The Denim Group, others in OWASP
