WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas.

Slides:



Advertisements
Similar presentations
CS 4720 RESTfulness CS 4720 – Web & Mobile Systems.
Advertisements

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
Servlets and a little bit of Web Services Russell Beale.
HTML Form Processing Learning Web Design – Chapter 9, pp Squirrel Book – Chapter 11, pp
Master’s course Bioinformatics Data Analysis and Tools Lecture 6: Internet Basics Centre for Integrative Bioinformatics.
INTRODUCTION The Group WEB BROWSER FOR RELATION Goals.
Multiple Tiers in Action
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Creating your website Using Plain HTML. What is HTML? ► Web pages are authored in HyperText Markup Language (HTML) ► Plain text is marked up with tags,
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
INTRO TO MAKING A WEBSITE Mark Zhang.  HTML  CSS  Javascript  PHP  MySQL  …That’s a lot of stuff!
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Web Programming Language Dr. Ken Cosh Week 1 (Introduction)
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
1 Open Source Programming. -Introduction to PHP -PHP installation /wamp server installation for PHP environment -PHP syntax -PHP variables -PHP Strings.
MIS 301 Information Systems in Organizations Dave Salisbury ( )
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Server-side Scripting Powering the webs favourite services.
Web application architecture
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
COMP 321 Week 7. Overview HTML and HTTP Basics Dynamic Web Content ServletsMVC Tomcat in Eclipse Demonstration Lab 7-1 Introduction.
 Cookie is small information stored in text file on user’s hard drive by web server.  This information is later used by web browser to retrieve information.
JavaScript – Quiz #9 Lecture Code:
Feedback #2 (under assignments) Lecture Code:
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
1 Welcome to CSC 301 Web Programming Charles Frank.
HTML FORMS GET/POST METHODS. HTML FORMS HTML Forms HTML forms are used to pass data to a server. A form can contain input elements like text fields, checkboxes,
Overview Web Session 3 Matakuliah: Web Database Tahun: 2008.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
PHP. $_GET / $_POST / $_SESSION PHP uses predefined variables to provide access to important information about the server and requests from a browser.
Case Study Dynamic Website - Three Tier Architecture
Crash Course in Web Hacking
Web Database Programming Week 7 Session Management & Authentication.
CP476 Internet Computing CGI1 Cookie –Cookie is a mechanism for a web server recall info of accessing of a client browser –A cookie is an object sent by.
WEB SECURITY WEEK 2 Computer Security Group University of Texas at Dallas.
ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
WEB SECURITY WORKSHOP TEXSAW 2015 Presented by Jiayang Wang and Corrin Thompson.
WEB SERVER SOFTWARE FEATURE SETS
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
Web Technologies Lecture 6 State preservation. Motivation How to keep user data while navigating on a website? – Authenticate only once – Store wish list.
Display Page (HTML/CSS)
COSC 2328 – Web Programming.  PHP is a server scripting language  It’s widely-used and free  It’s an alternative to Microsoft’s ASP and Ruby  PHP.
8-Mar-16 More About Servlets Session Tracking. Persistent information A server site typically needs to maintain two kinds of persistent (remembered) information:
Sessions and cookies (part 2) MIS 3501, Fall 2015 Brad N Greenwood, PhD Department of MIS Fox School of Business Temple University 11/19/2015.
Persistence Maintaining state: Queries. State is the Problem What is state? facebook status logins (which user are you?) conversations talking about what?
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
PHP: Further Skills 02 By Trevor Adams. Topics covered Persistence What is it? Why do we need it? Basic Persistence Hidden form fields Query strings Cookies.
CX Introduction to Web Programming
Web Programming Language
Tonga Institute of Higher Education IT 141: Information Systems
Introduction to Dynamic Web Programming
Section 6.3 Server-side Scripting
World Wide Web policy.
Web Software Model CS 4640 Programming Languages for Web Applications
Client / Session Identification Cookies
Introduction Web Environments
MIT GSL 2018 week 1 | day 4 Introduction to Web Development II.
Tonga Institute of Higher Education IT 141: Information Systems
Lecture 2 - SQL Injection
PHP and Forms.
Secure Web Programming
Tonga Institute of Higher Education IT 141: Information Systems
Web Programming Language
Back end Development CS Programming Languages for Web Applications
Client-Server Model: Requesting a Web Page
Back end Development CS Programming Languages for Web Applications
Presentation transcript:

WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas

Introduction to Languages

Languages  PHP  Javascript  SQL  HTML

PHP  Interpreted Server Side  Dynamic  Handles GET/POST  Manages Sessions  Has Own Set of Vulnerabilities  Not Covered Here

PHP

 Session Demo  /web_demo/sample.php

Javascript  Dynamic  Embedded in HTML  Interpreted Client Side!!!

Javascript  Demo time!  /web_demo/js.html

SQL  Query Databases  Most Common for CTFs  Used to Access Data  Usernames  Passwords  Credit Card #s  Fun Stuff

SQL  To select a user: SELECT * from users WHERE name = 'Bob';  The username is determined at runtime, so let’s make it: SELECT * from users WHERE name = '$name';  For example, if $name is “Joe”: SELECT * from users WHERE name = 'Joe';

HTML  Describes Layout of Webpage  Sometimes Contains Debug Info  Usually not very interesting...

HTTP  Protocol that provides the way to communicate over the web  It is stateless and asynchronous  Simulate state with sessions  Your browser keeps session information  The server uses this to keep track of your state  Example: Shopping Cart  Session has an ID tied to a cart in database  Every page you visit has to establish your identity

HTTP Requests  Methods  GET – asks server for information  POST – gives server data  PUT – tells server to modify or create data  DELETE – tells server to delete data  Examples  GET shows your profile on a webpage  POST is used to upload your picture  PUT changes your bio  DELETE gets rid of the embarrassing picture

HTTP Request Parameters  Along with URL and method, requests carry data in the form of parameters  GET  Visible from URL:  Can be used easily in hyperlinks  POST  Not visible in URL or link, embedded in request  We can still alter these

Parameter Tampering

Overview  Very basic attack on HTTP protocol  Exploits server’s misguided trust in data from user

Example – Game High Scores Web Server Give me a game Here’s one

Example – Game High Scores Web Server Game (Local) Score

Example – Game High Scores Web Server Game (Local) Score Nice! Here’s how I did…

Attack – Game High Scores Web Server Game (Local) Score Nice! Here’s how I SAY I did…

Example – PayPal Merchant I want to buy this Pay for it with PayPal

Example – PayPal PayPal Here’s how much I owe you. Merchant Sounds good.

Example – PayPal PayPal Tell them you paid Thanks! I paid Merchant

Attack – PayPal PayPal Here’s how much I say I owe you. Merchant Sounds good.

Attack – PayPal PayPal Tell them you paid Thanks! I paid what you said Merchant

Tools and Demo  Firefox  TamperData  Live HTTP Headers  BurpSuite

Mitigation  Never trust the integrity of data that a user can edit  Web services can allow servers to talk and bypass the user

END  End of Week 1

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.