Presenter: Deddie Tjahjono

- Introduction
- Website Application Layer
- Why Web Application Security
- Web Apps Security Scanner
- About
- Feature
- How it Works
- Conclusion

- What is the Website Application Layer?
- Website Application Security

- Web Apps Security Concerns
- Web Security Facts

Web applications bring grave security risks:
- Available 24x7x365
- Publicly available to legitimate users and hackers alike
- Direct access to backend databases
- Most web applications are custom-made, and these custom applications are the most susceptible to attack
- Lack of awareness: web security is equated with network security

Why Organizations Need to Worry: Who's Being Hacked?
- Choice Point Inc ($15m)
- University of Southern California ($140k+)
- Microsoft (website defacement)
- PayPal (account information stolen; cost unknown)
- Victoria's Secret ($50k fine)
- Hotmail (XSS detected, not fixed)
- Amazon (XSS detected, not fixed)
- Petco (credit cards of 500k customers stolen)

TJX Companies Inc:
- 40 million customer cards stolen (USA, Hong Kong, Sweden, UK and Ireland)
- Lawsuits to date account for about US$ 5 to 10 million
- Government of Canada launching an investigation
- Breach probably started in 2003 and discovered in December
- Many more...
References:

- Gartner: 75% of website hacks happen at the web application level.
- Cisco: 95% of web applications have serious flaws, 80% of which are vulnerable to Cross-Site Scripting.
- Acunetix research through published free audits: 70% of sites scanned have medium- to high-risk vulnerabilities, including:
  - SQL Injection
  - XSS
  - Source Code Disclosure

- Closure
- Lost customer confidence, trust and reputation
- Lost brand equity
- Downtime
- Lost revenues and profits
- Ban on processing credit cards
- Repairing the damage
- New security policies
- Legal implications, including fines and damages

Most common vulnerabilities:
- SQL Injection
- Cross-Site Scripting (XSS)
- Local File Inclusion (LFI)
- Remote File Inclusion (RFI)

Protecting Yourself:

- Audit your web applications for exploitable vulnerabilities regularly and consistently.
- A web application security scanner has three main components:
  - Crawling Component
  - Attacking Component
  - Analysis Modules

Features:
- Crawler (file and website directory)
- Vulnerability Scanner
  - SQL Injection
  - XSS (Cross-Site Scripting)
  - Local File Inclusion
  - Remote File Inclusion
  - Advanced SQL Injection (union-based, for MySQL)
  - Possible Admin Entrance search
  - Directory Listing Detection
- Report Output

How it works:
- Discovery or Crawling Process Stage
- Automated Scan / Attacking Stage
- Reporting Stage

- SQL Injection
  - Error Generation
- Cross-Site Scripting
  - Request / Response Match
- Local File Inclusion & Remote File Inclusion
- Possible Admin Entrance
  - Dictionary Attack
- Advanced SQL Injection
  - Union-Based

SQL Injection: a code injection technique that exploits a security vulnerability in the database layer of an application.
SQL Injection types:
- Error-Based SQL Injection
- Union-Based SQL Injection
- Blind SQL Injection

- Error-Based: asking the DB a question that will cause an error, and obtaining information from the error message.
- Union-Based: the SQL UNION operator combines the results of two or more SELECT statements into a single result set, which is very useful for SQL injection.
- Blind: asking the DB true/false questions and using whether or not the valid page is returned as the answer.

Error Generation Method: a character is injected into the original SQL request to provoke a syntax error, which may surface as an SQL error message in the HTTP reply.
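The error-generation check as a worked example, added here and not taken from the presenter's scanner: the analysis side is a signature match over the reply body, and the two handlers (an in-memory SQLite table, a concatenated query that echoes the raw database error, and the same handler parameterised with a generic error page) are constructed for the demonstration. The signature list, function names and sample data are assumptions of this example.

```python
import re
import sqlite3

# Constructed signature list: one regex per engine, covering error text each
# engine (or its client library) typically leaks into an HTTP reply. Production
# scanners carry far longer lists; these suffice to show the matching step.
SQL_ERROR_SIGNATURES = {
    "MySQL": re.compile(r"You have an error in your SQL syntax|Warning: mysql_", re.I),
    "MSSQL": re.compile(r"Unclosed quotation mark after the character string", re.I),
    "PostgreSQL": re.compile(r"unterminated quoted string|pg_query\(\)", re.I),
    "SQLite": re.compile(r"sqlite3\.OperationalError|unrecognized token|near \".*\": syntax error", re.I),
}


def classify_sql_error(body: str):
    """Analysis step: return the engine whose error signature appears in a reply body, else None."""
    for engine, pattern in SQL_ERROR_SIGNATURES.items():
        if pattern.search(body):
            return engine
    return None


def build_demo_db():
    """Constructed in-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    conn.commit()
    return conn


def vulnerable_page(conn, user_id: str) -> str:
    """Simulated handler that concatenates input into SQL and echoes the raw DB error.

    Deliberately flawed: this is the behaviour the error-generation check detects."""
    try:
        rows = conn.execute(f"SELECT name FROM users WHERE id = '{user_id}'").fetchall()
        return "<p>" + ", ".join(r[0] for r in rows) + "</p>"
    except sqlite3.OperationalError as exc:
        return f"<p>sqlite3.OperationalError: {exc}</p>"


def hardened_page(conn, user_id: str) -> str:
    """Same handler with a parameterised query and a generic error message."""
    try:
        rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
        return "<p>" + ", ".join(r[0] for r in rows) + "</p>"
    except sqlite3.OperationalError:
        return "<p>An internal error occurred.</p>"


def probe(handler, conn, value: str = "1"):
    """Scanner side of the check: request the value as-is, then with a quote
    appended, and report which engine (if any) the second reply reveals."""
    baseline = classify_sql_error(handler(conn, value))
    injected = classify_sql_error(handler(conn, value + "'"))
    # Only a signature that appears because of the probe counts as a finding.
    return injected if injected and injected != baseline else None


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable handler:", probe(vulnerable_page, db))
    print("hardened handler:  ", probe(hardened_page, db))
```

The baseline request matters: a page that always shows a database error (for example a broken template) would otherwise be reported as injectable on every parameter. The hardened handler removes both halves of the finding at once, since the parameter can no longer change the statement's syntax and the reply no longer carries the engine's error text.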

Cross-Site Scripting (XSS): a type of computer security vulnerability typically found in web applications that enables attackers to inject client-side script into web pages viewed by other users.

Request / response match:
- On every request, the relevant request data is matched against code extracted from the response.
- A match of a given length is treated as a potential XSS attempt.
- Matching is applied to code only, not to plain text.
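An added example of the request/response match rule above, written for this page rather than taken from the presenter's scanner: the reply is split into code (tags with their attributes, and script bodies) and plain text with Python's standard html.parser, and a request parameter is flagged only when its value, at or above a minimum length, lands inside a code segment. The probe value, the sample replies and the function names are constructed for the example.

```python
from html.parser import HTMLParser


class CodeExtractor(HTMLParser):
    """Split a reply into "code" (tag source text and script contents) and plain
    text nodes, so the match can be restricted to code as the slide describes."""

    def __init__(self):
        super().__init__()
        self.code = []   # raw start tags (with attributes) and inline script bodies
        self.text = []   # text nodes: rendered by the browser, never executed
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        self.code.append(self.get_starttag_text())
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.code if self._in_script else self.text).append(data)


def split_code_and_text(body: str):
    parser = CodeExtractor()
    parser.feed(body)
    parser.close()
    return parser.code, parser.text


def match_request_response(params: dict, body: str, min_len: int = 6):
    """Return the names of request parameters whose value (at least min_len
    characters long) is reflected inside a code segment of the reply.
    Reflections into plain text are ignored; short values are ignored to keep
    incidental matches such as "1" or "en" from raising findings."""
    code, _ = split_code_and_text(body)
    return [
        name for name, value in params.items()
        if len(value) >= min_len and any(value in segment for segment in code)
    ]


# Constructed request (?q=zqx7probe) and four constructed replies to it.
PROBE = {"q": "zqx7probe"}
REPLY_TEXT = "<html><body><p>No results for zqx7probe</p></body></html>"
REPLY_ATTR = '<html><body><input name="q" value="zqx7probe"></body></html>'
REPLY_SCRIPT = '<html><body><script>var last = "zqx7probe";</script></body></html>'
REPLY_OTHER = "<html><body><p>No results for something else</p></body></html>"


if __name__ == "__main__":
    for label, reply in [("text", REPLY_TEXT), ("attribute", REPLY_ATTR),
                         ("script", REPLY_SCRIPT), ("absent", REPLY_OTHER)]:
        print(f"{label:10s} -> {match_request_response(PROBE, reply)}")
```

The attribute and script replies are reported; the text reply is not, because the same string there is data to the browser. A reported match is still only a potential finding, as the slide says: whether the reflection is exploitable depends on the quoting and encoding the page applies around it, which a follow-up probe must verify.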

File Inclusion: a technique that allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs because user-supplied input is used without proper validation.
- Local File Inclusion: allows the attacker to access all the files on the server.
- Remote File Inclusion: allows the attacker to include files from external servers.
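To make the "user-supplied input without proper validation" point concrete, here is an added example (not code from the presentation) of the local file inclusion defect beside its fix: a page-template loader that joins the request parameter straight onto a directory, and a hardened loader that accepts only an allow-listed page name and checks that the resolved path is still inside that directory. The temporary directory layout, the allow-list and the function names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Constructed allow-list of page names the application actually ships.
ALLOWED_PAGES = {"home", "about", "contact"}


def unsafe_include(base_dir: Path, page: str) -> str:
    """Vulnerable pattern: the request parameter is joined onto the template
    directory with no validation, so ".." sequences walk out of it (and
    os.path.join even discards base_dir entirely for an absolute path)."""
    return Path(os.path.join(base_dir, page)).read_text()


def safe_include(base_dir: Path, page: str) -> str:
    """Hardened version: accept only a known page name, build the file name
    yourself, and verify the resolved target is still under base_dir."""
    if page not in ALLOWED_PAGES:
        raise ValueError(f"unknown page: {page!r}")
    root = base_dir.resolve()
    target = (root / f"{page}.html").resolve()
    if root not in target.parents:   # defence in depth (symlinks, odd names)
        raise ValueError("resolved path escapes the template directory")
    return target.read_text()


def build_demo_tree() -> Path:
    """Constructed layout: <tmp>/pages/home.html, plus <tmp>/config/db.ini
    one level up, standing in for a file the application must never serve."""
    root = Path(tempfile.mkdtemp())
    (root / "pages").mkdir()
    (root / "pages" / "home.html").write_text("<h1>Home</h1>")
    (root / "config").mkdir()
    (root / "config" / "db.ini").write_text("password=placeholder")
    return root


def demo() -> dict:
    """Run both loaders against a normal request and a traversal request."""
    pages = build_demo_tree() / "pages"
    results = {
        "unsafe_normal": unsafe_include(pages, "home.html"),
        "unsafe_traversal": unsafe_include(pages, "../config/db.ini"),  # file leaks
        "safe_normal": safe_include(pages, "home"),
    }
    try:
        safe_include(pages, "../config/db.ini")
        results["safe_traversal"] = "allowed"
    except ValueError:
        results["safe_traversal"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:17s} -> {value!r}")
```

The allow-list is the real control; the resolved-path check is a second layer for the case where an allowed name is later made to point somewhere unexpected. Remote file inclusion is the same defect with a URL in place of a path, and the same rule applies: the application chooses what it includes, the request only selects among those choices.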

Possible Admin Entrance: a feature that tries to find a possible admin entrance on the target website, using the dictionary attack method.

Dictionary attack: a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities. In contrast with a brute-force attack, this method tries only the possibilities that are most likely to succeed.
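Seen from the server side, a dictionary-driven search for an admin entrance leaves a distinctive trace: one client requesting many different non-existent paths in a short time. The following is an added detection example for that trace, written for this page and not part of the presented scanner: it parses Common Log Format lines and flags any client that produces at least a threshold number of distinct 404 paths inside a sliding time window. The log excerpt, the threshold and the function names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed access-log excerpt: one client walks a list of candidate admin
# paths within three seconds; another browses normally and mistypes one URL.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /administrator/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /login/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /manager/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /cpanel/ HTTP/1.1" 404 153
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /panel/ HTTP/1.1" 404 153
198.51.100.4 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.4 - - [10/Oct/2023:13:55:41 +0000] "GET /about.html HTTP/1.1" 200 1024
198.51.100.4 - - [10/Oct/2023:13:55:45 +0000] "GET /abuot.html HTTP/1.1" 404 153
"""


def parse_log(text: str):
    """Return (ip, timestamp, path, status) tuples for each line the regex understands."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events


def flag_path_guessing(events, threshold: int = 5, window_s: int = 60):
    """Return {ip: distinct_missing_paths} for clients that requested at least
    `threshold` distinct 404 paths within some window of `window_s` seconds."""
    misses = defaultdict(list)
    for ip, ts, path, status in events:
        if status == 404:
            misses[ip].append((ts, path))
    flagged = {}
    for ip, hits in misses.items():
        hits.sort()                      # by timestamp, then path
        best, start = 0, 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits within window_s.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({p for _, p in hits[start:end + 1]}))
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print(flag_path_guessing(parse_log(SAMPLE_LOG)))
```

Counting distinct paths rather than raw 404s keeps a client that repeatedly reloads one broken link below the threshold, while a wordlist run crosses it in seconds. The same signal is a useful tuning aid for the scanner's own users: if the test run does not show up in the target's logs or rate limiter, that absence is itself a finding.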

Screenshots: Main Interface; Attacking Stage; Advanced Attack Stage; Possible Admin Entrance; Check For Updates