Presentation is loading. Please wait.

Presentation is loading. Please wait.

Welcome to Blackhat! Blackhat Security Briefings New Orleans- Feb 2002 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat New Orleans – Feb 2002; Timothy M.

Published byEmil Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Welcome to Blackhat! Blackhat Security Briefings New Orleans- Feb 2002 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat New Orleans – Feb 2002; Timothy M."— Presentation transcript:

1 Welcome to Blackhat! Blackhat Security Briefings New Orleans- Feb 2002 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

2 Web Vulnerability and SQL Injection Countermeasures Securing your servers from the most insidious of attacks: The demands of the Global Marketplace have made web development more complex than ever. With customer demands and competitive influences, the functions our applications must be capable of performing constantly push our development into new areas. Even with enterprise firewall solutions, hardened servers, and up-to-date web server software in place and properly configured, poor design methodology can leave our systems open for attack. Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

3 Session Overview Part I: ∙ Vulnerabilities Client-side HTML, URL Manipulation, SQL Injection ∙ Countermeasures Input Validation, Data Sanitation, Variable Typing, Procedure Structure, Permissions and ACL’s. Part II: ∙ Live Demos highlighting real-word sites with different issues, participant involvement and brainstorming (Time Permitting) Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

4 Part I Vulnerabilites ∙ Client-side HTML ∙ URL Manipulation ∙ SQL Injection Countermeasures ∙ Implementation/Setup∙ Input Validation ∙ Data Sanitation∙ Variable Typing ∙ Procedure Structure∙ Permissions and ACL’s Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

5 Vulnerabilities – Session Demos Client-side HTML Issues ∙ Web Forms ∙ Input/Select controls ∙ Hidden Fields URL Manipulation ∙ Editing the URL ∙ Session variables ∙ Cookies SQL Injection ∙ The possibilities are endless! Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

6 Countermeasures- Session Demos Implementation and Setup ∙ ADODB Connection Strings and DSN’s ∙ ODBC Error reporting ∙ Custom error pages Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

7 Countermeasures- Session Demos Input Validation ∙ Consider ALL input EVIL! ∙ Querystring count checking ∙ Data Type Validation ∙ Value/Length Checking ∙ Extents/Boundary Checking ∙ Host submission limits per unit of time Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

8 Countermeasures- Session Demos Data Sanitation ∙ REPLACE function ∙ RegExp function ∙ Custom functions / explicit declarations Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

9 Countermeasures- Session Demos Variable Typing ∙ Command object ∙ Parameter declaration ∙ Command type declaration ∙ Execute as methods Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

10 Countermeasures- Session Demos SQL Stored Procedure Structure ∙ Use stored procedures whenever possible ∙ Type cast variables ∙ Create and use Views as table sources ∙ Avoid “Select *” statements for performance as well as security ∙ sp_executeSQL procedure for ad hoc queries Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

11 Countermeasures- Session Demos Permissions and ACL’s. ∙ Open views, but lock down tables ∙ Use groups ∙ lock down xp_cmdshell, xp_sendmail or remove ∙ SQL Service context ∙ Integrated/Mixed security Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

12 Part II Live Web Demos and Feedback ∙ Expose potentially insecure implementations of web applications ∙ Discuss potential vulnerabilities and exploits ∙ Mitigation and Prevention Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

13 Web Vulnerabilities- Live Demos Real-world web application issues and feedback Discussion Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

14 THANK YOU! Additional Resources: http://www.hammerofgod.com emailto:thor@hammerofgod.com http://www.securityfocus.com http://www.securityfocus.com http://www.securityfocus.com http://www.sqlsecurity.com http://www.sqlsecurity.com http://www.sqlsecurity.com http://heap.nologin.net/aspsec.html http://heap.nologin.net/aspsec.html http://heap.nologin.net/aspsec.html http://security.devx.com/bestdefense/default.asp http://security.devx.com/bestdefense/default.asp http://security.devx.com/bestdefense/default.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/dat abase.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/dat abase.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/dat abase.asp http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/database/dat abase.asp Blackhat New Orleans – Feb 2002; Timothy M. Mullen, AnchorIS.Com; thor@hammerofgod.com

Download ppt "Welcome to Blackhat! Blackhat Security Briefings New Orleans- Feb 2002 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat New Orleans – Feb 2002; Timothy M."

Similar presentations

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
 2004 Prentice Hall, Inc. All rights reserved. Chapter 23 – ASP.NET Outline 23.1 Introduction 23.2.NET Overview 23.2.1.NET Framework 23.2.2 ASP (Active.

 2004 Prentice Hall, Inc. All rights reserved. Chapter 23 – ASP.NET Outline 23.1 Introduction 23.2.NET Overview NET Framework ASP (Active.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Chapter 9 Using the SqlDataSource Control. References 2206-1.aspx.

Chapter 9 Using the SqlDataSource Control. References aspx.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.

Analysis of SQL injection prevention using a proxy server By: David Rowe Supervisor: Barry Irwin.
Welcome to Blackhat! Blackhat Security Briefings Amsterdam 2001 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com;

Welcome to Blackhat! Blackhat Security Briefings Amsterdam 2001 Timothy M. Mullen AnchorIS.Com, Inc. Blackhat Amsterdam, 2001 Timothy M. Mullen, AnchorIS.Com;
(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.

(CPSC620) Sanjay Tibile Vinay Deore. Agenda  Database and SQL  What is SQL Injection?  Types  Example of attack  Prevention  References.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google