Chapter 13 Security Methods Part 2. xss.php Script 13.4 on page 419

Presentation transcript:

Chapter 13 Security Methods Part 2

xss.php: Script 13.4 on page 419 (ch13\xss.php). Enter alert("Ha!");

XSS Attacks: an injected script could create a pop-up window, steal cookies, or redirect the browser to other sites.

htmlentities(): turns problem characters into HTML entities, which the browser takes literally (no special meaning). & -> &amp; " -> &quot; < -> &lt; > -> &gt;

strip_tags(): removes all HTML and PHP tags from a string.

calculator.php: Script 13.4 (ch13\calculator.php)

filter_var(): if (filter_var($var, FILTER_VALIDATE_INT) !== false) ... (compare with !== false, because a valid "0" is returned as 0, which is falsy). With a range: if (filter_var($var, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1, 'max_range' => 120))) !== false) ... (the range keys must sit under the 'options' key or they are ignored).

Validation Filters: FILTER_VALIDATE_, FILTER_VALIDATE_FLOAT, FILTER_VALIDATE_INT, FILTER_VALIDATE_URL
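The following is an added example, not the book's xss.php or calculator.php, showing the two defenses the slides describe side by side: output encoding with htmlentities() (with strip_tags() for contrast) and input validation with filter_var() and a min/max range. The function names sanitize_for_html() and validate_age() and the sample inputs are assumptions made for this example.

```php
<?php
// Added example (not the book's scripts). Function names and sample values are assumptions.
declare(strict_types=1);

// Output encoding: the conversion the htmlentities() slide lists (& " < >).
// ENT_QUOTES also encodes single quotes, so the result is safe inside quoted attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function sanitize_for_html(string $untrusted): string
{
    return htmlentities($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input validation: the calculator.php range check. Returns the integer, or null on failure.
// The range keys must be nested under 'options'; passing them at the top level is ignored.
// Comparing with === false matters because a valid "0" comes back as 0, which is falsy.
function validate_age(mixed $raw): ?int
{
    $result = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 120],
    ]);
    return $result === false ? null : $result;
}

// Constructed inputs: the slide's probe plus the characters the htmlentities() slide lists.
$probe = '<script>alert("Ha!");</script>';

// Encoded: the tag delimiters and quotes become entities, so the browser renders them as text.
echo sanitize_for_html($probe), PHP_EOL;
echo sanitize_for_html('Tom & "Jerry" <3'), PHP_EOL;

// strip_tags() removes the tags but keeps the text between them, so the script body
// survives as inert text. It changes the data; htmlentities() preserves it and only encodes.
echo strip_tags($probe), PHP_EOL;

// Validation: only "42" and " 12 " (filter_var trims surrounding whitespace) pass the 1..120 range;
// "0" and "121" are out of range, "7abc" is not an integer, "0x1A" needs FILTER_FLAG_ALLOW_HEX.
foreach (['42', '0', '121', '7abc', ' 12 ', '0x1A'] as $candidate) {
    $age = validate_age($candidate);
    printf("%-8s => %s\n", var_export($candidate, true),
        $age === null ? 'rejected' : "accepted as $age");
}
```

Use htmlentities() at the point where untrusted data is written into HTML, and filter_var() at the point where it is read; the two are complementary, not interchangeable.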