Welcome to Blackhat! Blackhat Security Briefings New Orleans - Feb 2002. Timothy M. Mullen, AnchorIS.Com, Inc.

Web Vulnerability and SQL Injection Countermeasures
Securing your servers from the most insidious of attacks: The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas. Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack.

Session Overview
Part I:
∙ Vulnerabilities: Client-side HTML, URL Manipulation, SQL Injection
∙ Countermeasures: Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACL’s
Part II:
∙ Live Demos highlighting real-world sites with different issues, participant involvement and brainstorming (time permitting)

Part I
Vulnerabilities
∙ Client-side HTML
∙ URL Manipulation
∙ SQL Injection
Countermeasures
∙ Implementation/Setup
∙ Input Validation
∙ Data Sanitation
∙ Variable Typing
∙ Procedure Structure
∙ Permissions and ACL’s

Vulnerabilities – Session Demos
Client-side HTML Issues
∙ Web Forms
∙ Input/Select controls
∙ Hidden Fields
URL Manipulation
∙ Editing the URL
∙ Session variables
∙ Cookies
SQL Injection
∙ The possibilities are endless!

Countermeasures – Session Demos
Implementation and Setup
∙ ADODB Connection Strings and DSN’s
∙ ODBC Error reporting
∙ Custom error pages

Countermeasures – Session Demos
Input Validation
∙ Consider ALL input EVIL!
∙ Querystring count checking
∙ Data Type Validation
∙ Value/Length Checking
∙ Extents/Boundary Checking
∙ Host submission limits per unit of time

Countermeasures – Session Demos
Data Sanitation
∙ REPLACE function
∙ RegExp function
∙ Custom functions / explicit declarations
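The validation and sanitation checks from the Input Validation and Data Sanitation slides, carried out on the database side as a SQL Server stored procedure. This is an added example, not code from the presentation; the table dbo.Product with columns ProductID, Name and Price, the procedure name usp_SearchProducts, and the limits chosen are assumptions. The querystring count check and the per-host submission limit belong in the ASP page rather than the database and are not shown here.

```sql
-- Added example (not from the original slides). Assumed objects: dbo.Product
-- (ProductID, Name, Price) and the procedure name below.
CREATE PROCEDURE dbo.usp_SearchProducts
    @SearchTerm  varchar(50),      -- typed and length-limited at the interface
    @MaxPrice    money,
    @PageSize    int = 20
AS
BEGIN
    SET NOCOUNT ON;

    -- Value/length checking: reject empty or oversized terms rather than
    -- silently truncating them.
    IF @SearchTerm IS NULL OR LEN(@SearchTerm) = 0 OR LEN(@SearchTerm) > 50
    BEGIN
        RAISERROR('SearchTerm must be 1 to 50 characters.', 16, 1);
        RETURN 1;
    END

    -- Extents/boundary checking on the numeric inputs (limits are assumed).
    IF @MaxPrice <= 0 OR @MaxPrice > 100000 OR @PageSize < 1 OR @PageSize > 100
    BEGIN
        RAISERROR('Numeric argument out of range.', 16, 1);
        RETURN 1;
    END

    -- Data type validation by whitelist: letters, digits, space, underscore and
    -- hyphen only. PATINDEX returns the position of the first character that is
    -- NOT in the permitted set (hyphen is listed first so it is taken literally).
    IF PATINDEX('%[^-A-Za-z0-9 _]%', @SearchTerm) > 0
    BEGIN
        RAISERROR('SearchTerm contains characters that are not permitted.', 16, 1);
        RETURN 1;
    END

    -- Data sanitation with REPLACE: neutralise LIKE metacharacters so user input
    -- cannot widen the pattern. '[' is escaped first so the later brackets are
    -- not re-escaped. The result is still passed as a bound parameter, never
    -- concatenated into SQL text.
    DECLARE @Pattern varchar(60);
    SET @Pattern = '%'
        + REPLACE(REPLACE(REPLACE(@SearchTerm, '[', '[[]'), '%', '[%]'), '_', '[_]')
        + '%';

    -- Explicit column list instead of SELECT *.
    -- TOP (@variable) needs SQL Server 2005 or later; use SET ROWCOUNT on 2000.
    SELECT TOP (@PageSize) ProductID, Name, Price
    FROM dbo.Product
    WHERE Name LIKE @Pattern
      AND Price <= @MaxPrice
    ORDER BY Name;
END
GO
```

Because every check raises an error before any query runs, the web page can map the error to a custom error page instead of echoing ODBC details back to the browser.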

Countermeasures – Session Demos
Variable Typing
∙ Command object
∙ Parameter declaration
∙ Command type declaration
∙ Execute as methods

Countermeasures – Session Demos
SQL Stored Procedure Structure
∙ Use stored procedures whenever possible
∙ Type cast variables
∙ Create and use Views as table sources
∙ Avoid “Select *” statements for performance as well as security
∙ sp_executeSQL procedure for ad hoc queries
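The server side of the Variable Typing and Stored Procedure Structure slides: a view used as the table source, a typed procedure that the ADO Command object's parameter declarations bind to, and sp_executesql for the ad hoc case. This is an added example, not code from the presentation; the table dbo.Customer and its columns, the view dbo.vw_CustomerPublic and the procedure names are assumptions.

```sql
-- Added example (not from the original slides). Assumed objects: dbo.Customer
-- (CustomerID, CompanyName, City, Country, IsActive) and the names created here.

-- 1. A view that exposes only the columns the application needs.
CREATE VIEW dbo.vw_CustomerPublic
AS
    SELECT CustomerID, CompanyName, City, Country
    FROM dbo.Customer
    WHERE IsActive = 1;
GO

-- 2. A typed procedure. On the web side the ADO Command object declares
--    @CustomerID as an integer parameter, so non-numeric input fails the type
--    conversion in the client and never reaches the server as SQL text.
CREATE PROCEDURE dbo.usp_GetCustomer
    @CustomerID int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CustomerID, CompanyName, City, Country     -- explicit list, no SELECT *
    FROM dbo.vw_CustomerPublic
    WHERE CustomerID = @CustomerID;
END
GO

-- 3. Ad hoc query: the caller chooses the sort column at run time.
--    Vulnerable form (shown only for contrast; do not use): concatenation
--    executes whatever @Country and @SortColumn contain.
--      EXEC ('SELECT CustomerID, CompanyName FROM dbo.vw_CustomerPublic '
--            + 'WHERE Country = ''' + @Country + ''' ORDER BY ' + @SortColumn);
--    Safe form: the value travels to sp_executesql as a parameter, and the
--    identifier is checked against a whitelist and wrapped with QUOTENAME.
CREATE PROCEDURE dbo.usp_CustomerAdHoc
    @Country    nvarchar(40),
    @SortColumn sysname = N'CompanyName'
AS
BEGIN
    SET NOCOUNT ON;

    IF @SortColumn NOT IN (N'CustomerID', N'CompanyName', N'City')
    BEGIN
        RAISERROR('Invalid sort column.', 16, 1);
        RETURN 1;
    END

    DECLARE @sql nvarchar(500);
    SET @sql = N'SELECT CustomerID, CompanyName, City, Country '
             + N'FROM dbo.vw_CustomerPublic '
             + N'WHERE Country = @Country '
             + N'ORDER BY ' + QUOTENAME(@SortColumn);

    -- @Country is bound, not concatenated: any quote characters in it are
    -- compared literally against the Country column and cannot alter the query.
    EXEC sp_executesql @sql,
         N'@Country nvarchar(40)',
         @Country = @Country;
END
GO
```

The only piece of user input that is ever spliced into SQL text is @SortColumn, and it is accepted solely from a fixed list of column names; everything else is a typed parameter.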

Countermeasures – Session Demos
Permissions and ACL’s
∙ Open views, but lock down tables
∙ Use groups
∙ Lock down xp_cmdshell, xp_sendmail or remove
∙ SQL Service context
∙ Integrated/Mixed security
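A permission layout that follows the Permissions and ACL's slide: a dedicated low-privilege login for the web tier, rights granted to a role rather than to users, views opened while the base table is denied, and the extended procedures locked down. This is an added example, not code from the presentation; the database SalesDB, the login and role names, the password placeholder and the object names are assumptions.

```sql
-- Added example (not from the original slides). CREATE LOGIN / CREATE ROLE and
-- the catalog views need SQL Server 2005 or later (sp_addlogin / sp_addrole on 2000).

-- A dedicated, low-privilege login for the web application (never sa).
CREATE LOGIN WebAppLogin WITH PASSWORD = '<strong password placeholder>';
GO
USE SalesDB;
GO
CREATE USER WebAppUser FOR LOGIN WebAppLogin;

-- Use groups: grant to a role, then add the user to it.
CREATE ROLE WebAppRole;
EXEC sp_addrolemember 'WebAppRole', 'WebAppUser';

-- Open views, but lock down tables. Because view and table share the dbo
-- owner, ownership chaining lets the role read through the view even though
-- direct access to the table is denied.
GRANT SELECT  ON dbo.vw_CustomerPublic TO WebAppRole;
GRANT EXECUTE ON dbo.usp_GetCustomer    TO WebAppRole;
GRANT EXECUTE ON dbo.usp_CustomerAdHoc  TO WebAppRole;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customer TO WebAppRole;

-- Audit: what can the web role still reach in this database?
SELECT pr.name            AS principal_name,
       pe.permission_name,
       pe.state_desc,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'WebAppRole';
GO

-- Lock down xp_cmdshell and xp_sendmail: deny them to public so an injected
-- call fails even if a query reaches them, and disable the feature outright.
USE master;
GO
DENY EXECUTE ON xp_cmdshell TO public;
DENY EXECUTE ON xp_sendmail TO public;   -- SQL Server 2000-era mail procedure
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;      -- SQL Server 2005 and later
RECONFIGURE;
GO
```

With this layout an injected statement that somehow survives the application-side checks still runs as WebAppUser, which can only read the view and call the two procedures.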

Part II
Live Web Demos and Feedback
∙ Expose potentially insecure implementations of web applications
∙ Discuss potential vulnerabilities and exploits
∙ Mitigation and Prevention

Web Vulnerabilities – Live Demos
Real-world web application issues and feedback
Discussion

THANK YOU!
Additional Resources: abase.asp abase.asp abase.asp abase.asp