Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.

Published byArnold Booker Modified over 8 years ago

Similar presentations

Presentation on theme: "INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014."— Presentation transcript:

1 INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014

2 Announcements PA4 due Tonight! No late days. – Canvas shuts down at 11:00pm, please submit earlier!

3 Security

4 Firewall Software or Hardware Separate local area network from Internet Protocol/Port, inbound & outbound

5 SQL Injection Common security risk What is SQL Injection – Go to site, insert malicious SQL Before hacking: – Understanding “Union” mysql clause – MySQL versions, latest version has: INFORMATION_SCHEMA.TABLES Take a look locally to understand the columns/etc

6 SQL Injection Try hacking this! http://uwinfo344.chunkaiw.com/trysqlinjection.php Strategy – Get it working normally – Find out how many columns in current table – Get database name via database() – Show all tables in current database – Identify table with sensitive info (and # rows it has) – Identify column names in sensitive table – Get sensitive info! What is my username & password? Groups of 2 Lab submission

7 SQL Injection Solution – Use PDO! – See PHP best practices slides – PDO, prepare, bind parameters, execute

8 Cross Site Scripting (XSS) Attack Common security risk What is XSS Attack? – Send victim compromised site url Try hacking this! (use Firefox) http://uwinfo344.chunkaiw.com/tryxssattack.php?name=Joe Strategy – Add JS to parameter, get it to show “compromised” alert box – Look at source code, understand how it works – Add JS to override the current onclick function and alert instead – Change override function to send 15x the payment entered Groups of 2 Lab submission Hint: Google jquery override onclick Hint: need to url encode the # tag

9 Cross Site Scripting (XSS) Attack A lot of browsers disable this But sanitize your inputs! Reject ones with script tags!

10 Validate Cookies Cookies are stored on client side User can actually go change them! So if you assume cookie data is valid = Dangerous!!! A lot of websites will store “ID=XXX” in the cookie and the next time assume it’s real/valid/authenticated => not true!

11 Encrypt Passwords Encrypt passwords stored in your database If your system gets hacked, the passwords aren’t leaked

12 Sanitize HTML Same reason to prevent XSS Sanitize with PHP functions – http://www.php.net/manual/en/filter.filters.sanitize.php http://www.php.net/manual/en/filter.filters.sanitize.php C# Sanitize – http://msdn.microsoft.com/en-us/library/ff647397.aspx http://msdn.microsoft.com/en-us/library/ff647397.aspx

13 Questions?

Download ppt "INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014."

Similar presentations

Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu 15 708 33 Ostrava-Poruba.

NAVY Research Group Department of Computer Science Faculty of Electrical Engineering and Computer Science VŠB-TUO 17. listopadu Ostrava-Poruba.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Introduction to InfoSec – Recitation 8 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 8 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google