Presentation is loading. Please wait.

Presentation is loading. Please wait.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

Published byPriscilla Floyd Modified over 8 years ago

Similar presentations

Presentation on theme: "1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks."— Presentation transcript:

1

2 1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks 8-Packages 9- References

3 Is the degree of weakness which allows the attackers to gain access to system information Vulnerabities types: Technological TCP/IP Protocol(ARP, Session hijacking) OS Weakness Network equipment(routers/firewalls). Configuration Unsecured user accounts Easily user passwords Unsecured defaults settings for an application Misconfigured network devices Security policy Lack of written policy Software/Hardware installation and changes don’t follow the policy No Disaster recovery plain Software bugs

4 Black hats Individuals with computing skills Malicious / Destructive activities Known as Crackers White hats Individuals with hacking skills Defensive purposes Known as Security Analysts Gray hats Individuals who works Offensive and defensive Script kidy A user with no knowledge of hacking. Download hacking utilities to launch attakcs. Hacktivist Hacker with political motivations.

5 Passive attacks No traffic sent from attacker Difficult to detect Like packet capturing (Wireshark, Snooping ) Active attacks Traffic must be sent from attacker Easily to detect Can access classified information Modify data on a system

6 Reconnaissance Gain information about targeted victim hosts/networks Scanning Identifying active hosts/open ports Gaining access Logging in to the host/network Maintaining access Install a backdoor/root kit Covering tracks Trying to hide the attack from the administrator

7 No single access control ever implemented Multiple layers of access control provides a security in depth No single point of failure Firewalls Block unwanted traffic Direct incoming traffic to more trust internal hosts Log traffic from/to internal(Private) network Based on access policy which (Permit or Deny) Cryptography

8 IDS -Intrusion Detection System- Application layer firewall Host based/Network based Passive device Offline connectivity The detection based on signature DB.

9 IPS – Intrusion Prevention System - Application layer firewall Host based/Network based Active device Online connectivity

10 Store, process, and deliver HTML/JAVA Scripts pages to a client using Hypertext Transfer Protocol. This page may contains Text, Images, Scripts, Style sheets Web client/Web agent is a web browser, or a web crawler In 1989 by Tim Berners-Lee as a project to exchange information World’s first web server called CERN httpd Ran on NeXTSTEP Workstation.

11 HTTP Protocol based on HTTP request methods: GET: Request data from a resource Data pairs sent In the URL Can be cached Remains in browser history Can be bookmarked should never used when exchange sensitive data have length restrictions Should be used only to retrieve data POST: Submit data to be processed. Data pairs sent in the HTTP message body Never cached Do not remain in the browser history Cannot be bookmarked Have no restrictions There are also Head, Put, Delete, Options, Connect, but out of presentation scope Cookies are used to store data between pages in the client, and session files in the servers http://testasp.vulnweb.com/search.asp?id=1

12 SQL Injection Cross-Site scripting XSS

13 SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution. - Retrieve Data - Destroy Data - Change Data

14 1-SQL : Try to load a Course with ID 1 http://192.168.1.21/Secuirty/sql/id.php?id=1http://192.168.1.21/Secuirty/sql/id.php?id=1 2-SQL : Try with ID 2 http://192.168.1.21/Secuirty/sql/id.php?id=3-1http://192.168.1.21/Secuirty/sql/id.php?id=3-1 3-SQL: Combine with other tables: http://192.168.1.21/Secuirty/sql/id.php?id=1+union+Select+*+from+users 4-SQL: To retrieve the DB name: http://192.168.1.21/Secuirty/sql/id.php?id=1+union%20select+1,2,database()

15

16 How to inject a JavaScript into HTML page either by GET or PORT method. XSS is very similar to SQL-Injection. In SQL-Injection we exploited the vulnerability by injecting SQL Queries as user inputs. In XSS, we inject code (basically client side scripting) to the remote server.

17 Types of Cross Site Scripting Non-Persistent Persistent

18 In case of Non-Persistent attack, it requires a user to visit the specially crafted link by the attacker. When the user visit the link, the crafted code will get executed by the user’s browser.

19 In case of persistent attack, the code injected by the attacker will be stored in a secondary storage device (mostly on a database). The damage caused by Persistent attack is more than the non-persistent attack. Here we will see how to hijack other user’s session by performing XSS

20 1-burpsuite_free_v1.5 2-SQL MAP 3-Nikto 4-Nessus 5-GoogleDorks 6-WebCrowler (HTTPTrack, Wget) 7-WebScarab (HTTP traffic interception)

21 https://www.owasp.org/ http://www.thegeekstuff.com/ http://www.w3schools.com/

Download ppt "1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

Similar presentations

Ads by Google