SlideShare a Scribd company logo

Web security

D
dogangcr

about the web security,social engineering and current cyberwar bdgngcr.wordpress.com

Technology
1 of 31
Web Security
• Introduction to Security • CyberWar between countries • Owasp WebGoat&Web Scarab&demo • Beef&demo • SET+QR code • Future of Web Security Index
1 Introduction to Security
Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it. Schneier on Security
This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems. Schneier on Security-2
• Israeli Bombing of Syria’s nuclear reactor • Russia’s DDOS Attack on Estonia. • Russia’s use of DDOS and spoofed attack to augment their war in South Ossetia • North Korea’s partially successful DDOS of US government website and South Korea. Cyberwar
Case Study-Stuxnet
• http://vimeo.com/25118844 • http://www.youtube.com/watch?v=7g0pi4J8auQ Case Study-Stuxnet-2
“We are all connected on a vast global network and whoever controls the network controls the world.” Case Study-Stuxnet-3
HBGary Sony FBI Conference Capture T Flag CIA Sabu & Tor Browser lulzsec
• Sql Injection? • String based sql injection • Numeric based sql injection • Concurrence? • Xpath Injection ? • Qr Code? Before we start?
2 Web app
• The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition: • A1 Injection • A2 Broken Authentication and Session Management (was formerly A3) • A3 Cross-Site Scripting (XSS) (was formerly A2) • A4 Insecure Direct Object References • A5 Security Misconfiguration (was formerly A6) • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) • A8 Cross-Site Request Forgery (CSRF) (was formerly A5) • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) • A10 Unvalidated Redirects and Forwards Owasp top ten vulnerability
3
Overview • A Sql Injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. Sql Injection
Threat Modeling • SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. • SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. • The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity Sql Injection-2
Risk Factors • The platform affected can be: • Language: SQL • Platform: Any (requires interaction with a SQL database) • Sql injection has become a common issue with database- driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. Sql Injection-3
string query = "SELECT * FROM items WHERE owner = "'" + userName + "' AND itemname = '" + ItemName.Text + "'"; C# Sql Injection-4
Examples: •SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password = ''; •SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`'; • # Hash comment /* C-style comment -- - SQL comment ;%00 Nullbyte ` Backtick Sql Injection-5
How To Solve Sql Injection Problem? Sql injection-6
Parameterized Query In C#,Mysql The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within an web application. Sql Injection-7
Demo Sql Injection-8
It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BEEF
Notable Features • BeEF provides an integratable framework that demonstrates the impact of browser security issues in real-time. Development has focused on creating a modular framework. This has made module development a quick and simple process. • Browser exploitation modules • Keystroke logging • Browser proxying • Integration with Metasploit • Plugin detection • Intranet service exploitation • Phonegap modules • Social Engineering BEEF-2
DEMO BEEF-3
Phishing Facebook with QR Code
Java Applet Attack The Java Applet Attack considers as one of the most successful and popular methods for compromising a system.Popular because we can create the infected Java applet very easily,we can clone any site we want that will load the applet very fast and successful because it affects all the platforms.The only difficulty is how to deliver the Java Applet properly in order to trick our victims. The Java applet Attack vector affects: Windows Systems Linux Systems and Mac OS X SET
• http://resources.infosecinstitute.com/the-rise-of-cyber- weapons-and-relative-impact-on-cyberspace/ • http://nakedsecurity.sophos.com/ References
Questions
Thanks for listening...

Recommended

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013 The eCore Group
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesAleksandar Bozinovski
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 

Recommended

Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Secure Coding 2013
Secure Coding 2013 Secure Coding 2013
Secure Coding 2013 The eCore Group
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesAleksandar Bozinovski
 
OWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksOWASP Top 10 - The Ten Most Critical Web Application Security Risks
OWASP Top 10 - The Ten Most Critical Web Application Security RisksAll Things Open
 
OWASP TOP 10
OWASP TOP 10OWASP TOP 10
OWASP TOP 10Robert MacLean
 
Ch08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System VulnerabilitiesCh08 Microsoft Operating System Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilitiesphanleson
 
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationOwasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentation
Owasp A9 USING KNOWN VULNERABLE COMPONENTS IT 6873 presentationDerrick Hunter
 
Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software EngineeringRohitha Liyanagama
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Owasp
Owasp Owasp
Owasp penetration Tester
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security TestingvodQA
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testingshwetaupadhyay
 
Security testing
Security testingSecurity testing
Security testingTabăra de Testare
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and SecretsEng Teong Cheah
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 
csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx0567Padma
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 

More Related Content

What's hot

Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesAnant Shrivastava
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOWASP Delhi
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesMohammed A. Imran
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWebsecurify
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeAleksandar Bozinovski
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurationsMegha Sahu
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security TestingvodQA
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information SecurityShannon Cuthbertson
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testingshwetaupadhyay
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkMark Jayson Fuentes
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and SecretsEng Teong Cheah
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseSecurity Innovation
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with examplePrateek Chauhan
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactTom Eston
 

What's hot (20)

Secure Software Engineering
Secure Software EngineeringSecure Software Engineering
Secure Software Engineering
 
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known VulnerabilitiesUnderstanding The Known: OWASP A9 Using Components With Known Vulnerabilities
Understanding The Known: OWASP A9 Using Components With Known Vulnerabilities
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
How to find Zero day vulnerabilities
How to find Zero day vulnerabilitiesHow to find Zero day vulnerabilities
How to find Zero day vulnerabilities
 
Owasp
Owasp Owasp
Owasp
 
Web Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security ToolkitWeb Application Security 101 - 03 Web Security Toolkit
Web Application Security 101 - 03 Web Security Toolkit
 
Microsoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable CodeMicrosoft Fakes, Unit Testing the (almost) Untestable Code
Microsoft Fakes, Unit Testing the (almost) Untestable Code
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real world
 
security misconfigurations
security misconfigurationssecurity misconfigurations
security misconfigurations
 
Introduction to Security Testing
Introduction to Security TestingIntroduction to Security Testing
Introduction to Security Testing
 
Using Splunk for Information Security
Using Splunk for Information SecurityUsing Splunk for Information Security
Using Splunk for Information Security
 
Explore Security Testing
Explore Security TestingExplore Security Testing
Explore Security Testing
 
Security testing
Security testingSecurity testing
Security testing
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
Managing Application Config and Secrets
Managing Application Config and SecretsManaging Application Config and Secrets
Managing Application Config and Secrets
 
The New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the ChaseThe New OWASP Top Ten: Let's Cut to the Chase
The New OWASP Top Ten: Let's Cut to the Chase
 
Sql injections - with example
Sql injections - with exampleSql injections - with example
Sql injections - with example
 
Automated Penetration Testing With Core Impact
Automated Penetration Testing With Core ImpactAutomated Penetration Testing With Core Impact
Automated Penetration Testing With Core Impact
 

Similar to Web security

csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx0567Padma
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Ravindra Singh Rathore
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxprasadGade6
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET Journal
 
Sample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginSample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginnaveendurga557
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecurityNicholas Davis
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securityNicholas Davis
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxsiti829412
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaSecurity Date
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackIJRESJOURNAL
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngVõ Thái Lâm
 

Similar to Web security (20)

csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)Sql injections (Basic bypass authentication)
Sql injections (Basic bypass authentication)
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
IRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & MitigationIRJET - SQL Injection: Attack & Mitigation
IRJET - SQL Injection: Attack & Mitigation
 
Sample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for loginSample PPT Format.pptx E-commerce website for login
Sample PPT Format.pptx E-commerce website for login
 
Software Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical SecuritySoftware Security (Vulnerabilities) And Physical Security
Software Security (Vulnerabilities) And Physical Security
 
Software security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical securitySoftware security (vulnerabilities) and physical security
Software security (vulnerabilities) and physical security
 
eti.pptx
eti.pptxeti.pptx
eti.pptx
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Op2423922398
Op2423922398Op2423922398
Op2423922398
 
DBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptxDBMS Vulnerabilities And Threats.pptx
DBMS Vulnerabilities And Threats.pptx
 
Luis Grangeia IBWAS
Luis Grangeia IBWASLuis Grangeia IBWAS
Luis Grangeia IBWAS
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Owasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0betaOwasp Backend Security Project 1.0beta
Owasp Backend Security Project 1.0beta
 
Devoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection AttackDevoid Web Application From SQL Injection Attack
Devoid Web Application From SQL Injection Attack
 
International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)International Journal of Engineering Inventions (IJEI)
International Journal of Engineering Inventions (IJEI)
 
Top 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn CườngTop 10 mobile security risks - Khổng Văn Cường
Top 10 mobile security risks - Khổng Văn Cường
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

Web security

  • 2. Introduction to Security • CyberWar between countries • Owasp WebGoat&Web Scarab&demo • Beef&demo • SET+QR code • Future of Web Security Index
  • 3. 1 Introduction to Security
  • 4. Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice. They just can't help it. Schneier on Security
  • 5. This kind of thinking is not natural for most people. It's not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don't have to exploit the vulnerabilities you find, but if you don't see the world that way, you'll never notice most security problems. Schneier on Security-2
  • 6. • Israeli Bombing of Syria’s nuclear reactor • Russia’s DDOS Attack on Estonia. • Russia’s use of DDOS and spoofed attack to augment their war in South Ossetia • North Korea’s partially successful DDOS of US government website and South Korea. Cyberwar
  • 9. “We are all connected on a vast global network and whoever controls the network controls the world.” Case Study-Stuxnet-3
  • 10. HBGary Sony FBI Conference Capture T Flag CIA Sabu & Tor Browser lulzsec
  • 11. • Sql Injection? • String based sql injection • Numeric based sql injection • Concurrence? • Xpath Injection ? • Qr Code? Before we start?
  • 12. 2 Web app
  • 13. The OWASP Top 10 - 2013 Release Candidate includes the following changes as compared to the 2010 edition: • A1 Injection • A2 Broken Authentication and Session Management (was formerly A3) • A3 Cross-Site Scripting (XSS) (was formerly A2) • A4 Insecure Direct Object References • A5 Security Misconfiguration (was formerly A6) • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection) • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access) • A8 Cross-Site Request Forgery (CSRF) (was formerly A5) • A9 Using Known Vulnerable Components (new but was part of former A6 – Security Misconfiguration) • A10 Unvalidated Redirects and Forwards Owasp top ten vulnerability
  • 14. 3
  • 15. Overview • A Sql Injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands. Sql Injection
  • 16. Threat Modeling • SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. • SQL Injection is very common with PHP and ASP applications due to the prevalence of older functional interfaces. Due to the nature of programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injections. • The severity of SQL Injection attacks is limited by the attacker’s skill and imagination, and to a lesser extent, defense in depth countermeasures, such as low privilege connections to the database server and so on. In general, consider SQL Injection a high impact severity Sql Injection-2
  • 17. Risk Factors • The platform affected can be: • Language: SQL • Platform: Any (requires interaction with a SQL database) • Sql injection has become a common issue with database- driven web sites. The flaw is easily detected, and easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind. Sql Injection-3
  • 18. string query = "SELECT * FROM items WHERE owner = "'" + userName + "' AND itemname = '" + ItemName.Text + "'"; C# Sql Injection-4
  • 19. Examples: •SELECT * FROM Users WHERE username = '' OR 1=1 -- -' AND password = ''; •SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3`'; • # Hash comment /* C-style comment -- - SQL comment ;%00 Nullbyte ` Backtick Sql Injection-5
  • 20. How To Solve Sql Injection Problem? Sql injection-6
  • 21. Parameterized Query In C#,Mysql The purpose of these code samples is to demonstrate to the web developer how to avoid SQL Injection when building database queries within an web application. Sql Injection-7
  • 23. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. BEEF
  • 24. Notable Features • BeEF provides an integratable framework that demonstrates the impact of browser security issues in real-time. Development has focused on creating a modular framework. This has made module development a quick and simple process. • Browser exploitation modules • Keystroke logging • Browser proxying • Integration with Metasploit • Plugin detection • Intranet service exploitation • Phonegap modules • Social Engineering BEEF-2
  • 26.
  • 28. Java Applet Attack The Java Applet Attack considers as one of the most successful and popular methods for compromising a system.Popular because we can create the infected Java applet very easily,we can clone any site we want that will load the applet very fast and successful because it affects all the platforms.The only difficulty is how to deliver the Java Applet properly in order to trick our victims. The Java applet Attack vector affects: Windows Systems Linux Systems and Mac OS X SET
  • 29. • http://resources.infosecinstitute.com/the-rise-of-cyber- weapons-and-relative-impact-on-cyberspace/ • http://nakedsecurity.sophos.com/ References