
1 Web Security
Group 5
Adam Swett, Brian Marco

2 Why Web Security?
Web sites and web applications are constantly growing
Complex business applications are now delivered over the web
Increased “web hacking” activity
Web worms (Samy)
Firewalls?

3 Difficulties in Traditional Hacking
Modern networks are more secure
Firewalls are used in all network rollouts
OS vendors patch holes quickly
Increased maturity in coding

4 Firewalls

5 Lab Sections
SQL Injection
– Basic
– Blind
Cross Site Scripting (XSS)
– Basics
– Cookie Stealing
– JavaScript
Default Pages
CGI Vulnerabilities
– Vulnerable Scripts
– Nikto

6 SQL Injection
Exploits a security vulnerability present in the database layer of an application
– With errors
– Blind
– Automated
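The basic and error-based cases from this slide, as an added example that is not part of the original presentation: a login query built by string concatenation beside its parameterized form, run with Python's sqlite3 module against a constructed in-memory table (the table, rows and inputs are all made up for the example).

```python
import sqlite3


def make_db():
    # Constructed sample schema and data; not from the original slides.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # The query text is built by concatenation, so anything in the input
    # that looks like SQL is parsed as SQL: a password of  x' OR '1'='1
    # turns the WHERE clause into  ... AND password = 'x' OR '1'='1'
    # and every row matches.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    # Parameterized form: the SQL text is fixed and the values travel
    # separately, so the same input is compared as a literal string and
    # matches nothing. This is the fix for both the basic and blind cases.
    sql = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


def error_message(conn, username):
    # "With errors" case: a username containing a single quote (a legitimate
    # name like o'brien) breaks the concatenated query, and the database
    # error that escapes back to the user reveals the query structure.
    # Returns the error text, or "" if the query ran cleanly.
    try:
        login_vulnerable(conn, username, "x")
    except sqlite3.Error as exc:
        return str(exc)
    return ""
```

The same name that crashes the concatenated query is handled as plain data by the parameterized one, which is also why database error text should never be echoed to the client.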

7 SQL Injection

8

9 Cross Site Scripting
SecurityFocus has cataloged over 1,400 issues.
WhiteHat Security has identified over 1,500 in custom web applications.
8 in 10 websites have XSS.
Tops the Web Hacking Incident Database (WHID).

10 Cross Site Scripting
Cookie Stealing
– One of the most common uses of XSS
– Allows you to impersonate someone
Can lead to Session Hijacking
– HTTP is stateless
– The user is only verified at the beginning of the session

11 Cross Site Scripting
JavaScript
– Can be written by anyone and executed on any computer over the web
– Most people have JavaScript enabled, making it very dangerous

12 Cross Site Scripting
JavaScript Examples
– Black hat search engine optimization (SEO)
– Click-fraud
– Distributed Denial of Service
– Force access of illegal content
– Hack other websites (IDS sirens)
– Distributed email spam (Outlook Web Access)
– Distributed blog spam
– Vote tampering
– De-anonymize people
– etc.

13 Cross Site Scripting

14 Default Pages
Careless hosting
Gives the ability to browse and retrieve a complete directory on the web server
Happens when the default page is missing
Not-so-strict web server configuration

15 Default Pages

16 CGI Vulnerabilities
A number of widely distributed CGI scripts contain known security holes
Finding the scripts and exploiting them can be time consuming
Usually well documented on the web
Some can be worth it

17 CGI Vulnerabilities
Nph-test-cgi
– Script included with all old versions of the Apache web server
– Allows a user to view all files on the computer

18 Nph-test-cgi

19 Nikto
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers.
Scan items and plugins are frequently updated and can be automatically updated (if desired)
GPL

20 Nikto

21 Sources
NetSquare Blackhat Asia Presentation
Whitehat Security
Spi Dynamics

