Presentation is loading. Please wait.

Presentation is loading. Please wait.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

Published byDoris Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities."— Presentation transcript:

1 EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities

2 Web Attacks Overview Vulnerability to web attacks compromise the data and security of a computer network. They can bypass access controls, enable the viewing and theft of sensitive data, and result in financial loss. SQL Injection Manipulating the statements performed on a database by passing unfiltered user input into a SQL statement. Cross-Site Scripting (XSS) Injecting malicious code (often a client side scripting language, e.g. Javascript) into web pages viewed by other end-users, where “everything looks fine.”

3 Project Purpose Develop a tool that identifies XSS and SQL Injection vulnerabilities in the web forum assigned to us in the iCTF Competition. After scanning the VM’s source code files, this tool informs us of potential web attack vulnerabilities, so that we may: 1.Exploit these vulnerabilities in other teams’ forums 2.Patch our source files to prevent attacks on us Detecting XSS and SQL Injection Vulnerabilities

4 Project Obstacles Difficult to anticipate the different features of the VM: Type of forum and web server Amount of services and source files Amount and type of programming languages used to write source files (e.g. C++, Perl, Python, and Ruby) Detecting XSS and SQL Injection Vulnerabilities

5 Project Solution To anticipate the different features of the VM, this tool: Searches for all source code within the VM Examines the source code file suffix (e.g. pl, rb, py, php), and detects code abnormalities within the specific programming language To detect SQL injection vulnerabilities, this tool: Checks using regular expressions to identify special characters, such as '/[\'|\"]select|[\'|\"]SELECT/‘ Detecting XSS and SQL Injection Vulnerabilities

6 Project Solution To detect XSS vulnerabilities, this tool: Checks if user input variables are filtered for special scripting characters and words To learn how to exploit other teams’ VMs and defend ourselves, this tool: Outputs identified vulnerabilities within the source code Detecting XSS and SQL Injection Vulnerabilities

7 Tool Demo Detecting XSS and SQL Injection Vulnerabilities

Download ppt "EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities."

Similar presentations

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.

Web Trust Boundaries and Security Vulnerabilities Haris Volos and Hidayat Teonadi CS739 – Distributed Systems.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.

Web 2.0 security Kushal Karanjkar Under guidance of Prof. Richard Sinn.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Crawler-Based Search Engine By Ryan Caplet, Morris Wright and Bryan Chapman.

Crawler-Based Search Engine By Ryan Caplet, Morris Wright and Bryan Chapman.
A Security Analysis of the PHP language By Jonas Heineson Mattias Österberg.

A Security Analysis of the PHP language By Jonas Heineson Mattias Österberg.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
March Intensive: XSS Exploits

March Intensive: XSS Exploits
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.

Presenter Deddie Tjahjono.  Introduction  Website Application Layer  Why Web Application Security  Web Apps Security Scanner  About  Feature  How.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Introduction to Application Penetration Testing

Introduction to Application Penetration Testing
Secure Software Development Mini Zeng University of Alabama in Huntsville 1.

Secure Software Development Mini Zeng University of Alabama in Huntsville 1.
PHP Security.

PHP Security.

Similar presentations

Ads by Google