Daniel Kouril Sven Gabriel

Presentation transcript:

Security Training
Daniel Kouril, Sven Gabriel
Focus, introduction
EGI Conference 2016, Amsterdam

Agenda
- Brief technical introduction
- Capture-the-Flag game
Speaker notes: purpose of the introduction, audience, roles of attendees, skills needed

Requirements
- Chrome browser v.38 or higher is required
- Not Chromium, Firefox or IE; any common OS

Cyber Attacks

Attacks & Incentives
- Getting (unauthorized) access to data: cyber espionage, stealing money
- Disruption of services: blackmailing, demonstration of capabilities
- Modification of data: damaging reputation
- Misuse of resources: botnets, ransomware, bitcoins, spam

Attackers' behavior
- Striving to overcome security precautions
- Hiding their activities; often trying to stay unnoticed for a long time
- No attribution

(D)DoS example
- Overloading the service and/or network with ordinary requests
- Reflected attacks: hiding the origin by IP address spoofing
- Amplification: some protocols return significantly longer responses than requests (NTP, SNMP, DNS)
- Hard to attribute and hard to prevent
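From the point of view of the operator of a host that is being abused as a reflector, the two properties on this slide are visible in its own traffic: a single remote address (the spoofed victim) sends many small requests to a UDP service and receives replies many times larger. The following is an added example, not material from the training slides; it parses a constructed log excerpt (the addresses, timestamps and packet sizes are made up, and the log line format is an assumption) and flags peers whose reply/request byte ratio is suspicious. Note that the "peer" it reports is the spoofed source, i.e. the victim, which is exactly why attribution of the real attacker is hard.

```python
import re
from collections import defaultdict

# The host we defend (constructed address; adjust to the real interface address).
LOCAL_IP = "192.0.2.10"

# Constructed log excerpt, one UDP datagram per line (not taken from the slides).
# Lines 1-2: a normal, symmetric NTP exchange (48 bytes each way).
# Lines 3-12: five small queries from one "peer" answered with much larger replies.
# Lines 13-14: a single DNS exchange with a modest size difference.
SAMPLE_LOG = """\
2016-04-06T10:00:01 udp 203.0.113.5:40001 -> 192.0.2.10:123 len=48
2016-04-06T10:00:01 udp 192.0.2.10:123 -> 203.0.113.5:40001 len=48
2016-04-06T10:00:02 udp 198.51.100.7:51234 -> 192.0.2.10:123 len=60
2016-04-06T10:00:02 udp 192.0.2.10:123 -> 198.51.100.7:51234 len=482
2016-04-06T10:00:02 udp 198.51.100.7:51234 -> 192.0.2.10:123 len=60
2016-04-06T10:00:02 udp 192.0.2.10:123 -> 198.51.100.7:51234 len=482
2016-04-06T10:00:03 udp 198.51.100.7:51234 -> 192.0.2.10:123 len=60
2016-04-06T10:00:03 udp 192.0.2.10:123 -> 198.51.100.7:51234 len=482
2016-04-06T10:00:03 udp 198.51.100.7:51234 -> 192.0.2.10:123 len=60
2016-04-06T10:00:03 udp 192.0.2.10:123 -> 198.51.100.7:51234 len=482
2016-04-06T10:00:04 udp 198.51.100.7:51234 -> 192.0.2.10:123 len=60
2016-04-06T10:00:04 udp 192.0.2.10:123 -> 198.51.100.7:51234 len=482
2016-04-06T10:00:05 udp 203.0.113.9:33000 -> 192.0.2.10:53 len=70
2016-04-06T10:00:05 udp 192.0.2.10:53 -> 203.0.113.9:33000 len=120
"""

# Assumed log line layout: "<timestamp> udp <src_ip>:<src_port> -> <dst_ip>:<dst_port> len=<bytes>"
LINE_RE = re.compile(r"^\S+ udp (\S+):(\d+) -> (\S+):(\d+) len=(\d+)$")


def summarise(log_text, local_ip=LOCAL_IP):
    """Aggregate per (peer_ip, local_service_port): request count, bytes in, bytes out."""
    stats = defaultdict(lambda: {"requests": 0, "bytes_in": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed layout
        src_ip, src_port, dst_ip, dst_port, length = m.groups()
        if dst_ip == local_ip:
            # Datagram addressed to us: a request to the local service port.
            key = (src_ip, int(dst_port))
            stats[key]["requests"] += 1
            stats[key]["bytes_in"] += int(length)
        elif src_ip == local_ip:
            # Datagram sent by us: a reply from the local service port.
            key = (dst_ip, int(src_port))
            stats[key]["bytes_out"] += int(length)
    return stats


def find_amplification(log_text, min_requests=3, min_ratio=5.0, local_ip=LOCAL_IP):
    """Return sorted (peer_ip, local_port, reply/request byte ratio) for suspicious peers.

    A peer is reported when it sent at least `min_requests` requests and the bytes we
    sent back are at least `min_ratio` times the bytes it sent. The thresholds are
    illustrative defaults, not values from the slides.
    """
    hits = []
    for (peer, port), s in summarise(log_text, local_ip).items():
        if s["requests"] < min_requests or s["bytes_in"] == 0:
            continue
        ratio = s["bytes_out"] / s["bytes_in"]
        if ratio >= min_ratio:
            hits.append((peer, port, round(ratio, 1)))
    return sorted(hits)


if __name__ == "__main__":
    for peer, port, ratio in find_amplification(SAMPLE_LOG):
        print(f"possible reflection: replies to {peer} from udp/{port} are {ratio}x the requests")
```

Only the five-query peer on udp/123 is reported; the symmetric NTP exchange and the single DNS lookup fall below the request-count and ratio thresholds. A practical deployment would feed this from flow records and rate-limit or drop replies to the flagged address rather than just print them.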

Typical attackers' steps
- Select a target
- Find a vulnerability or weakness
- Find a way to exploit the vulnerability or bypass security
- Make the target work for the attacker

Vulnerabilities
- Different types: programming error, design flaw, misconfiguration, weak protection, human error
- CVE: directory of known vulnerabilities; CVE-YYYY-id is the unique identifier
- Known vs. zero-day
- Unpatched known vulnerabilities pose a major threat

SQL Injections
- Insufficient sanitization of users' input
- Consider an application managing users that builds its query by string concatenation:
    "SELECT * FROM users WHERE name = '" + userName + "';"
- userName == "sveng" yields:
    SELECT * FROM users WHERE name = 'sveng';
- userName == "' OR '1'='1 -- " yields:
    SELECT * FROM users WHERE name = '' OR '1'='1 -- ';
Speaker notes: typical programming error, example from Wikipedia; also add SQL queries, ...

Finding vulnerabilities
- Collect information about the target
- Estimate weaknesses
- Manual vs. automated probing
- Often black-box-style analysis

Metasploit Framework
- Tool for developing and testing exploits
- Directory of exploit code
- Text-based console (msfconsole), controlled by commands:
    show exploits - list available exploits
    use <exploit> - activate a particular exploit
    show options - display the variables to set
    set RHOST <IP> - set a variable, e.g. the target address
    show payloads - show what will be injected
    exploit - trigger the exploitation process
- A web interface also exists

Game
- You're an attacker who is trying to take over a remote machine
- You will exercise the techniques described earlier
- The goal is to use the remote machine to reflect a DoS attack against another victim: DoS'ing the target and damaging the reputation of the "reflector"