PRESENTATION
Abdul Wahab
Infs-201101067
TOPICS TO BE COVERED
-CROSS-SITE SCRIPTING
-CROSS SITE REQUEST FORGERY
-SESSION MANAGEMENT
-SQL INJECTION
-SECURE SOFTWARE TESTING
-REPLICATION OF VULNERABILITIES AND EXPLOITATION
CROSS-SITE SCRIPTING
•Cross-site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website.
•Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
•If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code in the user’s browser.
•As a result, the attacker can steal the user’s active session cookie.
TYPES
Stored XSS:
Takes place when the malicious payload is stored in a database. It renders to other users when the data is requested, if there is no output encoding or sanitization.
Reflected XSS:
Occurs when a web application sends attacker-provided strings to a victim’s browser so that the browser executes part of the string as code. The payload is echoed back in the response.
DOM-based XSS:
Takes place when an attacker injects a script into a response by reading and manipulating the document object model (DOM) data that the page’s own client-side code uses, typically through a crafted malicious URL. The attacker uses this URL to trick a user into clicking it. If the user clicks the link, the attacker can steal the user’s active session information, keystrokes, and so on.
PREVENTIONS
Strategies to prevent XSS attacks include these:
•Never trust user input.
•Perform user input validation.
•Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet.
•After remediation, perform penetration testing to confirm it was successful.
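As an added example (not part of the original slides), the stored-XSS case rendered two ways in Python: the vulnerable concatenation beside the context-aware output encoding that the OWASP cheat sheet calls for. The comment data and the rendering functions are hypothetical.

```python
import html
from typing import Dict, List

Comment = Dict[str, str]

# Constructed sample data: two stored comments, one benign and one carrying
# markup in both the author field and the body (hypothetical inputs).
SAMPLE_COMMENTS: List[Comment] = [
    {"author": "alice", "body": "Nice article & thanks!"},
    {"author": 'bob" onmouseover="alert(1)',
     "body": "<script>alert(document.cookie)</script>"},
]


def render_comments_unsafe(comments: List[Comment]) -> str:
    """Vulnerable rendering: raw stored strings are concatenated into HTML.
    The body becomes a real <script> element and the author value closes
    the attribute early and adds an event handler, so every visitor's
    browser runs attacker-chosen code."""
    items = []
    for c in comments:
        items.append('<li data-author="' + c["author"] + '">' + c["body"] + "</li>")
    return "<ul>" + "".join(items) + "</ul>"


def encode_html_text(value: str) -> str:
    """Encode a value for an HTML element body: &, < and > become entities."""
    return html.escape(value, quote=False)


def encode_html_attr(value: str) -> str:
    """Encode a value for a quoted HTML attribute: additionally neutralise
    " and ' so the input cannot terminate the attribute."""
    return html.escape(value, quote=True)


def render_comments_safe(comments: List[Comment]) -> str:
    """Hardened rendering: the same stored data, but every value is encoded
    for the exact context it lands in (element body vs. attribute), as the
    OWASP XSS Prevention Cheat Sheet prescribes. Input is stored unchanged;
    the defence lives at the output boundary, where the context is known."""
    items = []
    for c in comments:
        items.append(
            '<li data-author="' + encode_html_attr(c["author"]) + '">'
            + encode_html_text(c["body"])
            + "</li>"
        )
    return "<ul>" + "".join(items) + "</ul>"


def has_active_markup(rendered: str) -> bool:
    """Crude self-check: does the output contain a script tag or an
    event-handler attribute that originated from stored input?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


if __name__ == "__main__":
    print("unsafe:", render_comments_unsafe(SAMPLE_COMMENTS))
    print("safe:  ", render_comments_safe(SAMPLE_COMMENTS))
```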
CROSS SITE REQUEST FORGERY
Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated.
CSRF attacks exploit the trust a Web application has in an authenticated user.
A Cross-Site Request Forgery attack exploits a vulnerability in a Web application that cannot differentiate between a request the user intended to make and a request issued from the user’s browser without their consent.
Social engineering platforms are often used by attackers to launch a CSRF attack. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular Web application.
TO PERFORM THIS ATTACK
To carry out a successful CSRF attack, the following conditions must hold:
•The success of a CSRF attack depends on a user’s session with a vulnerable application. The attack will only be successful if the user is in an active session with the vulnerable application.
•An attacker must find a valid URL to maliciously craft. The URL needs to have a state-changing effect on the target application.
•An attacker also needs to find the right values for the URL parameters. Otherwise, the target application might reject the malicious request.
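An added Python example, not from the slides, of the server-side check that defeats the conditions above: a synchronizer token tied to the session, required on every state-changing POST, with an Origin check as defence in depth. The session store, request model and the https://bank.example origin are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical site and its only legitimate browser origin.
ALLOWED_ORIGINS = {"https://bank.example"}


@dataclass
class Session:
    user: str
    # Synchronizer token: random, bound to this session, never sent in a cookie.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


# session-cookie value -> Session (stand-in for a real session store)
SESSIONS: Dict[str, Session] = {}


def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user=user)
    return sid


def render_transfer_form(sid: str) -> str:
    """The legitimate page embeds the session's token in a hidden field.
    A page on another origin cannot read this HTML, so it cannot copy
    the token into a forged request."""
    token = SESSIONS[sid].csrf_token
    return (
        '<form method="POST" action="/transfer">'
        '<input type="hidden" name="csrf_token" value="' + token + '">'
        '<input name="amount"><button>Send</button></form>'
    )


def handle_transfer(req: Request) -> str:
    """State-changing endpoint. The browser attaches the session cookie to
    any request, including one a third-party page triggers, so the cookie
    alone must never authorise the change."""
    sid = req.cookies.get("session")
    session: Optional[Session] = SESSIONS.get(sid) if sid else None
    if session is None:
        return "401 not authenticated"
    # No state change via a plain URL: a GET request cannot transfer money.
    if req.method != "POST":
        return "405 state changes require POST"
    # Defence in depth: a browser-supplied Origin from another site is rejected.
    origin = req.headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return "403 cross-origin request rejected"
    # Core check: the token in the form must match the session's token,
    # compared in constant time.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "403 missing or invalid CSRF token"
    return "200 transferred " + req.form.get("amount", "0") + " for " + session.user
```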
SESSION MANAGEMENT
Session management is used to facilitate secure interactions between a user and some service or application and applies to a sequence of requests and responses associated with that particular user.
Session tokens serve to identify a user’s session within the HTTP traffic being exchanged between the application and all of its users.
Each request and response made will have an associated session token which allows the application to remember distinct information about the client using it.
Session cookies were designed to help manage sessions.
PREVENTIONS
• Setting secure HTTP flags on cookies:
Avoid sending sensitive traffic over unencrypted channels, i.e. HTTP. Set the Secure flag, which ensures that the cookie is only transmitted over encrypted protocols such as HTTPS.
• Generation of new session cookies
New session token generation should be ensured at every step of the authentication and interaction process, i.e. when a user visits an application or website and when the user gets authenticated.
• Session cookies configuration
Session tokens should not be easily guessable; they should be long, unique and unpredictable. Doing so will decrease the chances of an attacker being successful in using brute force to figure out the session token. The expiration time of persistent cookies should be no longer than 30 minutes.
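An added Python example, not from the slides, showing the three preventions together: a CSPRNG-generated token, regeneration on login, a 30-minute idle expiry, and a Set-Cookie header carrying the Secure flag. The SessionStore class is hypothetical; HttpOnly and SameSite go beyond what the slide lists and are marked as such in the comments.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Idle limit from the slide: session cookies expire after 30 minutes.
IDLE_TIMEOUT_SECONDS = 30 * 60


@dataclass
class Session:
    user: Optional[str]   # None until the user authenticates
    last_seen: float      # epoch seconds of the last request on this session


class SessionStore:
    """Hypothetical server-side store: the token is the only thing the
    browser ever holds, all state stays on the server."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def new_token() -> str:
        # 32 bytes from the OS CSPRNG, base64url-encoded: long, unique and
        # unpredictable, so guessing or brute-forcing a token is infeasible.
        return secrets.token_urlsafe(32)

    def start(self, now: float) -> str:
        """Session created when the user first visits, before any login."""
        token = self.new_token()
        self._sessions[token] = Session(user=None, last_seen=now)
        return token

    def authenticate(self, old_token: str, user: str, now: float) -> str:
        """On login, retire the pre-authentication token and issue a fresh one,
        so a token fixed or observed before login is worthless afterwards."""
        self._sessions.pop(old_token, None)
        token = self.new_token()
        self._sessions[token] = Session(user=user, last_seen=now)
        return token

    def lookup(self, token: str, now: float) -> Optional[Session]:
        """Resolve a token on each request; sessions idle past the limit are
        dropped, live ones have their last-seen time refreshed."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session


def set_cookie_header(token: str) -> str:
    """Set-Cookie value for the session token. Secure is the flag the slide
    names; HttpOnly (no script access) and SameSite=Lax (not sent on most
    cross-site requests) are added here as customary companions."""
    return (
        "session=" + token
        + "; Path=/; Secure; HttpOnly; SameSite=Lax"
        + "; Max-Age=" + str(IDLE_TIMEOUT_SECONDS)
    )
```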
SQL INJECTION
•A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
•A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system.
•SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
A SQL injection attack occurs when:
1. Unintended data enters a program from an untrusted source.
2. The data is used to dynamically construct a SQL query.
PREVENTIONS
• Train and maintain awareness
• Don’t trust any user input
• Use whitelists, not blacklists
• Adopt the latest technologies
• Employ verified mechanisms
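An added Python example (not from the slides) of the two conditions above and of the “whitelists, not blacklists” prevention: the vulnerable string-built query beside its parameterised form, plus an allowlist for a column name that cannot be bound as a parameter. The sqlite3 in-memory table and its rows are constructed.

```python
import sqlite3
from typing import List, Tuple

# Identifiers cannot be bound as parameters, so sortable columns come from
# an allowlist (whitelist) rather than a blacklist of "bad" characters.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.test", "admin"),
            ("bob", "bob@example.test", "user"),
            ("carol", "carol@example.test", "user"),
        ],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Vulnerable: untrusted data is spliced into the query text (condition 2
    above). A quote in the input ends the literal and the remainder is parsed
    as SQL, so the WHERE clause no longer means what the developer wrote."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Hardened: the value is passed as a bound parameter. The query's
    structure is fixed before the data arrives, so the same input is
    compared as a plain string and matches nothing."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def list_users_sorted(conn: sqlite3.Connection, sort_by: str) -> List[Tuple[str, str]]:
    """Column names cannot be parameterised; validate them against the
    allowlist and refuse anything else before they reach the query."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column: " + repr(sort_by))
    return conn.execute(
        "SELECT name, email FROM users ORDER BY " + sort_by
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input that carries SQL syntax instead of a name.
    tainted = "' OR '1'='1"
    print("unsafe:", find_user_unsafe(db, tainted))   # every row comes back
    print("safe:  ", find_user_safe(db, tainted))     # []
```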
SECURE SOFTWARE TESTING
Cybersecurity has turned into a major concern as hacking activities have reached threatening levels. A breach directly exposes your personal information, so it is essential to understand the different forms of cyber-attacks that can impact an individual or an organization.
It is surprising to know that approximately $5.2 trillion in value would be put at stake due to cyberattacks during the period between 2019 and 2023.
The correct use of software testing measures is seen as the key to restricting hacking incidents. In the past few years, this process has been gaining popularity and software testing has emerged as a trusted shield against cyber attacks.
You can easily include software testing as part of your organization’s working model. The most basic step is to hire a team of software experts skilled in security design. Furthermore, it is important to put in place specific quality criteria throughout the pipeline to ensure enhanced safety. This arrangement will maintain security at all levels as the process crosses different stages of the pipeline.
PENETRATION TESTING:
Penetration testing is a technique that closely resembles a cyberattack; in fact, it is an intentional, controlled cyber-attack made on the application to identify the system’s vulnerabilities. Moreover, penetration testing is a highly effective practice that helps meet the goals related to web application security, as it helps to improve the Web Application Firewall or other protection.
Intelligent System Security Checks
Penetration testing is a test design arranged to strengthen security against any hacking attempt. Even the tools used during penetration testing are made to replicate cyber-attacks, with the objective of uncovering any system vulnerabilities.
Underline Weak Segments
Another significant aspect of using the penetration testing approach is to identify weak links within the software code. The practice improves the scope for protecting personal user data, card details, or any transactional record that might be under threat.
Added Network Security
Penetration testing is a powerful technique that could help developers and software testers to work on improving the security of high-speed networks such as 5G, as well as of applications running on the network.
REPLICATION OF VULNERABILITIES AND EXPLOITATION
Poor data backup and recovery:
With the recent threat of ransomware looming large, along with traditional disasters and other failures, organizations have a pressing need to back up and recover data. Unfortunately, many organizations don't excel in this area due to a lack of sound backup and recovery options.
PREVENTION
Most organizations need a multi-layered backup and recovery strategy. This should include data center storage snapshots and replication, database storage, tape or disk backups, and end-user storage (often cloud-based).
Poor network segmentation and monitoring
Many attackers rely on weak network segmentation and monitoring to gain full access to systems in a network subnet once they've gained initial access. This huge cybersecurity vulnerability has been common in many large enterprise networks for many years.
PREVENTION
Organizations should focus on carefully controlling network access among systems within subnets, and on building better detection and alerting strategies for lateral movement between systems that have no business communicating with one another.
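An added Python example, not from the slides, of the detection strategy described above: flow records are mapped to network zones and any internal flow outside a declared business-need policy raises an alert. The zone map, the policy and the flow lines are constructed for a hypothetical network.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed zone map for a hypothetical network; in practice this comes
# from the IPAM/CMDB that records which subnet holds which kind of system.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "jump_hosts": ipaddress.ip_network("10.30.0.0/24"),
}

# Flows with a business need, as (src_zone, dst_zone, dst_port).
# Anything else between internal zones is unexpected and gets an alert.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("workstations", "servers", 443),
    ("workstations", "jump_hosts", 22),
    ("jump_hosts", "servers", 22),
    ("jump_hosts", "servers", 3389),
    ("servers", "servers", 5432),
}

# Constructed flow records in the form "timestamp src dst dst_port proto".
SAMPLE_FLOWS = """
2024-05-01T09:00:01 10.10.4.21 10.20.1.5 443 tcp
2024-05-01T09:00:05 10.10.4.21 10.30.0.7 22 tcp
2024-05-01T09:01:10 10.10.4.21 10.10.4.37 445 tcp
2024-05-01T09:01:12 10.10.4.21 10.20.1.9 3389 tcp
2024-05-01T09:02:00 10.30.0.7 10.20.1.9 22 tcp
2024-05-01T09:02:30 10.20.1.5 10.20.1.9 5432 tcp
""".strip().splitlines()


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the map is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def detect_unexpected_flows(lines: List[str]) -> List[Dict[str, str]]:
    """Flag internal flows that are not in the allowed policy. A workstation
    opening SMB to another workstation, or RDP straight to a server instead
    of via the jump host, is the lateral movement the slide describes."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if (src_zone, dst_zone, int(dport)) in ALLOWED:
            continue
        alerts.append({
            "ts": ts, "src": src, "dst": dst, "dport": dport, "proto": proto,
            "reason": src_zone + "->" + dst_zone + " on port " + dport
                      + " has no business need",
        })
    return alerts


def alerts_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per source host: one host touching several unexpected
    peers is a stronger signal than a single stray connection."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_unexpected_flows(SAMPLE_FLOWS):
        print(a["ts"], a["src"], "->", a["dst"], a["reason"])
```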
Weak authentication and credential management
One of the most common causes of compromise and breaches for this cybersecurity vulnerability is a lack of sound credential management. People use the same password over and over, and many systems and services support weak authentication practices.
PREVENTION
For most organizations, implementing stringent password controls can help. This may consist of longer passwords, more complex passwords, more frequent password changes or some combination of these principles.
Poor security awareness
The most common cause of successful phishing, pretexting and other social engineering attacks is a lack of sound security awareness training and end-user validation. Organizations are still struggling with how to train users to look for social engineering attempts and report them.
More organizations need to conduct regular training exercises, including phishing tests, pretexting and additional social engineering as needed. Many training programs are available to help reinforce security awareness concepts.
THANK YOU

Weitere ähnliche Inhalte

Ähnlich wie AW-Infs201101067.pptx

How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?Osei Fortune
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approachIdexcel Technologies
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...Cognizant
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfDigital Auxilio Technologies
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?Peter Wood
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackTechSecIT
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 sebaSebastien Deleersnyder
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasuresidescitation
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptxVIRAJDEY1
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...IJERA Editor
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With ExamplesAlwin Thayyil
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
 

Ähnlich wie AW-Infs201101067.pptx (20)

How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?How Can I Reduce The Risk Of A Cyber-Attack?
How Can I Reduce The Risk Of A Cyber-Attack?
 
Application security testing an integrated approach
Application security testing   an integrated approachApplication security testing   an integrated approach
Application security testing an integrated approach
 
Globally.docx
Globally.docxGlobally.docx
Globally.docx
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
Research Paper
Research PaperResearch Paper
Research Paper
 
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...A Multidimensional View of Critical Web Application Security Risks: A Novel '...
A Multidimensional View of Critical Web Application Security Risks: A Novel '...
 
Best Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdfBest Security Practices for Web Application Development.pdf
Best Security Practices for Web Application Development.pdf
 
Network security, seriously?
Network security, seriously?Network security, seriously?
Network security, seriously?
 
Ethical hacking
Ethical hacking Ethical hacking
Ethical hacking
 
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless AttackAn Introduction of SQL Injection, Buffer Overflow & Wireless Attack
An Introduction of SQL Injection, Buffer Overflow & Wireless Attack
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015   sebaSolvay secure application layer v2015   seba
Solvay secure application layer v2015 seba
 
T04505103106
T04505103106T04505103106
T04505103106
 
UNIT 5 (2).pptx
UNIT 5 (2).pptxUNIT 5 (2).pptx
UNIT 5 (2).pptx
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Study of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their CountermeasuresStudy of Web Application Attacks & Their Countermeasures
Study of Web Application Attacks & Their Countermeasures
 
Computer security system Unit1.pptx
Computer security system Unit1.pptxComputer security system Unit1.pptx
Computer security system Unit1.pptx
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
Behavior Analysis Of Malicious Web Pages Through Client Honeypot For Detectio...
 
Security Testing Training With Examples
Security Testing Training With ExamplesSecurity Testing Training With Examples
Security Testing Training With Examples
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
 

Kürzlich hochgeladen

Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Delhi Call girls
 
Halmar dropshipping via API with DroFx
Halmar  dropshipping  via API with DroFxHalmar  dropshipping  via API with DroFx
Halmar dropshipping via API with DroFxolyaivanovalion
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...SUHANI PANDEY
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxJohnnyPlasten
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...amitlee9823
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Delhi Call girls
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxolyaivanovalion
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxfirstjob4
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightDelhi Call girls
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...shivangimorya083
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Researchmichael115558
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusTimothy Spann
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxolyaivanovalion
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfMarinCaroMartnezBerg
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfadriantubila
 

Kürzlich hochgeladen (20)

Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
Best VIP Call Girls Noida Sector 39 Call Me: 8448380779
 
Halmar dropshipping via API with DroFx
Halmar  dropshipping  via API with DroFxHalmar  dropshipping  via API with DroFx
Halmar dropshipping via API with DroFx
 
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
VIP Model Call Girls Hinjewadi ( Pune ) Call ON 8005736733 Starting From 5K t...
 
Log Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptxLog Analysis using OSSEC sasoasasasas.pptx
Log Analysis using OSSEC sasoasasasas.pptx
 
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get CytotecAbortion pills in Doha Qatar (+966572737505 ! Get Cytotec
Abortion pills in Doha Qatar (+966572737505 ! Get Cytotec
 
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
Call Girls Indiranagar Just Call 👗 7737669865 👗 Top Class Call Girl Service B...
 
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
Call Girls in Sarai Kale Khan Delhi 💯 Call Us 🔝9205541914 🔝( Delhi) Escorts S...
 
Edukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFxEdukaciniai dropshipping via API with DroFx
Edukaciniai dropshipping via API with DroFx
 
Introduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptxIntroduction-to-Machine-Learning (1).pptx
Introduction-to-Machine-Learning (1).pptx
 
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Saket (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 nightCheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
Cheap Rate Call girls Sarita Vihar Delhi 9205541914 shot 1500 night
 
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...Vip Model  Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
Vip Model Call Girls (Delhi) Karol Bagh 9711199171✔️Body to body massage wit...
 
Discover Why Less is More in B2B Research
Discover Why Less is More in B2B ResearchDiscover Why Less is More in B2B Research
Discover Why Less is More in B2B Research
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and Milvus
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
Midocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFxMidocean dropshipping via API with DroFx
Midocean dropshipping via API with DroFx
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in  KishangarhDelhi 99530 vip 56974 Genuine Escort Service Call Girls in  Kishangarh
Delhi 99530 vip 56974 Genuine Escort Service Call Girls in Kishangarh
 
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
(NEHA) Call Girls Katra Call Now 8617697112 Katra Escorts 24x7
 
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdfAccredited-Transport-Cooperatives-Jan-2021-Web.pdf
Accredited-Transport-Cooperatives-Jan-2021-Web.pdf
 

AW-Infs201101067.pptx

  • 2. TOPICS TO BE COVERED -CROSS-SITE SCRIPTING -CROSS SITE REQUEST FORGERY -SESSION MANAGEMENT -SQL INJECTION -SECURE SOFTWARE TESTING -REPLICATION OF VULNERABILITIES AND EXPLOITATION
  • 3. CROSS-SITE SCRIPTING •Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. •Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it.
  • 4. CONT.. •If the app or website lacks proper data sanitization, the malicious link executes the attacker’s chosen code on the user’s system. •As a result, the attacker can steal the user’s active session cookie.
  • 5. TYPES STORE XSS: Takes place when the malicious payload is stored in a database. It renders to other users when data is requested—if there is no output encoding or sanitization. Reflected XSS: Occurs when a web application sends attacker-provided
  • 6. TYPES strings to a victim’s browser so that the browser executes part of the string as code. The payload echoes back in response. DOM-based XSS: Takes place when an attacker injects a script into a response. The attacker can read and manipulate the document object
  • 7. TYPES model (DOM) data to craft a malicious URL. The attacker uses this URL to trick a user into clicking it. If the user clicks the link, the attacker can steal the user’s active session information, keystrokes, and so on.
  • 8. PREVENTIONS Strategies to prevent XSS attacks include these: •Never trust user input. •Perform user input validation.
  • 9. •Ensure that web application development aligns with OWASP’s XSS Prevention Cheat Sheet. •After remediation, perform penetration testing to confirm it was successful.
  • 10.
  • 11. CROSS SITE REQUEST FORGERY Cross-Site Request Forgery (CSRF) is an attack that forces authenticated users to submit a request to a Web application against which they are currently authenticated. CSRF attacks exploit the trust a Web application has in an authenticated user. CONT..
  • 12. A Cross Site Request Forgery attack exploits a vulnerability in a Web application if it cannot differentiate between a request generated by an individual user and a request generated by a user without their consent. CONT… Social engineering platforms are often used by attackers to launch a CSRF attack.
  • 13. This tricks the victim into clicking a URL that contains a maliciously crafted, unauthorized request for a particular Web application. TO PERFORM THIS ATTACK To carry out a successful CSRF attack, consider the following : •The success of a CSRF attack depends on a user’s session with a vulnerable application. The attack will only be successful if the user is in an active session with the vulnerable application
  • 14. •An attacker must find a valid URL to maliciously craft. The URL needs to have a state-changing effect on the target application. CONT.. •An attacker also needs to find the right values for the URL parameters. Otherwise, the target application might reject the malicious request.
  • 15. SESSION MANAGEMENT Session management is used to facilitate secure interactions between a user and some service or application and applies to a sequence of requests and responses associated with that particular user.
  • 16. CONT… Session tokens serve to identify a user’s session within the HTTP traffic being exchanged between the application and all of its users. Each request and response made will have an associated session token which allows the application to remember distinct information about the client using it.
  • 17. CONT… Each request and response made will have an associated session token which allows the application to remember distinct information about the client using it. Session cookies were designed to help manage sessions
  • 18.
  • 19. P REVENTIONS • Setting secure HTTP flags on cookies : Avoid sending sensitive traffic over unencrypted channels, i.e. HTTP. Setup the secure flag, which will ensure that data is transmitted over encrypted protocols such as HTTPS.
  • 20. C ONT.. • Generation of new session cookies New session token generation should be ensured at every step of the authentication and interaction process, i.e. when a
  • 21. CONT… user visits an application or website and when the user gets authenticated. • Session cookies configuration Session tokens should not be easily guessable, they should be long, unique and unpredictable. Doing so will decrease the chances of an attacker being successful in using brute force
  • 22. t o figure out the session token. The expiration time of persistent cookies should be no longer than 30 minutes, SQL INJECTION •A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application.
  • 23. CONT… • A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutting down the DBMS), recover the content of a given file present on the DBMS file system and, in some cases, issue commands to the operating system.
  • 24. CONT… • SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server. A SQL injection attack occurs when:
  • 25. CONT… 1. Unintended data enters a program from an untrusted source. 2. The data is used to dynamically construct a SQL query. PREVENTIONS • Train and maintain awareness • Don’t trust any user input
  • 26. • Use whitelists, not blacklists • Adopt the latest technologies • Employ verified mechanisms
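The two conditions on slide 25 (untrusted data enters the program, then builds a SQL query dynamically) and the whitelist prevention on slide 26, as an added Python/sqlite3 example that is not part of the presentation. The `users` table and its rows are constructed; parameterized queries are the "verified mechanism" chosen here, and the username pattern is an assumption.

```python
import re
import sqlite3


def make_demo_db():
    """Constructed sample database (not from the slides): three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, name):
    """Slide 25, steps 1 and 2: untrusted input is spliced into the query text itself,
    so the input can change the query's structure, not just the value being compared."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver passes the value separately from the SQL text,
    so whatever the input contains is compared as a plain string."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# Whitelist validation ("use whitelists, not blacklists"): define what a username may
# look like and reject everything else, instead of trying to enumerate bad characters.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def is_valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None


def find_user_validated(conn, name):
    """Defense in depth: validate first, then still use the parameterized query."""
    if not is_valid_username(name):
        raise ValueError("username rejected by whitelist")
    return find_user_safe(conn, name)
```

With the input `x' OR '1'='1`, the vulnerable function returns every row while the parameterized one returns none, which is the difference the tests below check.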
  • 28. SECURE SOFTWARE TESTING Cybersecurity has turned into a major concern as hacking activity has reached threatening levels. Attacks directly breach personal information, and it is essential to understand the different forms of cyber-attack that can impact an individual or an organization.
  • 29. CONT… It is surprising to know that approximately $5.2 trillion in value could be put at stake by cyberattacks during the period between 2019 and 2023.
  • 30. The correct use of software testing measures is seen as the key to restricting hacking incidents. In the past few years this process has been gaining popularity, and software testing has emerged as a trusted shield against cyber attacks. CONT… You can easily include software testing as part of your organization’s working model. The most basic step is to hire a
  • 31. team of software experts skilled in security design. Furthermore, it is important to put specific quality criteria in place throughout the pipeline to ensure enhanced safety. This arrangement maintains security at all levels as the process crosses the different stages of the pipeline.
  • 33. CONT... PENETRATION TESTING: Penetration testing is a technique that closely resembles a cyberattack, or is in fact an intentional cyber-attack made on the application to identify all of the system’s vulnerabilities. Moreover, penetration testing is a highly effective practice that helps meet
  • 34. CONT… the goals related to web application security, as it helps to improve the Web Application Firewall or other protection. Intelligent System Security Checks: Penetration testing is more of a test design arrangement made to work on security against any hacking attempt. Even the tools used during penetration testing are made to
  • 35. CONT… replicate cyber-attacks with the objective of getting past any system vulnerabilities. Underline Weak Segments: Another significant aspect of using the penetration testing approach is to identify weak links within the software code. The practice improves the scope for protecting the personal
  • 36. CONT… user data, card details, or any transactional record that might be under threat. Added Network Security: Penetration testing is a powerful technique that can help developers and software testers improve the security of high-speed networks such as 5G, as well as of the applications running on them.
  • 38. REPLICATION OF VULNERABILITIES AND EXPLOITATION Poor data backup and recovery : With the recent threat of ransomware looming large, along with traditional disasters and other failures, organizations have a pressing need to back up and recover data. Unfortunately, many organizations don't excel in this area due to a lack of sound backup and recovery options.
  • 39. PREVENTION Most organizations need a multi-pronged backup and recovery strategy. This should include data center storage snapshots and replication, database storage, tape or disk backups, and end-user storage (often cloud-based). Poor network segmentation and monitoring: Many attackers rely on weak network segmentation and monitoring to gain full access to systems in a network subnet
  • 40. CONT… once they've gained initial access. This huge cybersecurity vulnerability has been common in many large enterprise networks for many years. Organizations should focus on carefully controlling network access among systems within subnets, and on building better detection and alerting strategies for lateral movement
  • 41. PREVENTION between systems that have no business communicating with one another. Weak authentication and credential management: One of the most common causes of compromise and breaches under this cybersecurity vulnerability is a lack of sound credential management. People use the same
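The segmentation and lateral-movement controls on slides 39 to 41, as an added Python example that is not part of the presentation: a small policy check run over constructed flow-log lines that alerts on any flow between systems the policy says have no business communicating. The zones, subnets, allowed flows and log format are all assumptions.

```python
import ipaddress

# Constructed segmentation policy (an assumption, not from the slides): each zone is a
# subnet and only the listed (source zone, destination zone, destination port) flows are
# expected. Anything else, including host-to-host traffic inside one subnet, raises an alert.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/24"),
    "web": ipaddress.ip_network("10.20.0.0/24"),
    "db": ipaddress.ip_network("10.30.0.0/24"),
}
ALLOWED_FLOWS = {
    ("workstations", "web", 443),   # users browse the web tier
    ("web", "db", 5432),            # web tier queries the database
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it lies outside every subnet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line):
    """One constructed flow-log line: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}


def find_unexpected_flows(log_lines):
    """Return one alert string per flow the segmentation policy does not permit."""
    alerts = []
    for line in log_lines:
        flow = parse_flow(line)
        key = (zone_of(flow["src"]), zone_of(flow["dst"]), flow["port"])
        if key not in ALLOWED_FLOWS:
            alerts.append(f"{flow['ts']} {flow['src']}->{flow['dst']}:{flow['port']} "
                          f"[{key[0]}->{key[1]}] not permitted by segmentation policy")
    return alerts


# Constructed sample flows: two expected ones, then a workstation-to-workstation SMB flow
# and a web-to-database SSH flow that the policy never allows and that suggest lateral movement.
SAMPLE_FLOWS = [
    "2024-01-01T10:00:01 10.10.0.5 10.20.0.10 443",
    "2024-01-01T10:00:02 10.20.0.10 10.30.0.7 5432",
    "2024-01-01T10:00:03 10.10.0.5 10.10.0.9 445",
    "2024-01-01T10:00:04 10.20.0.10 10.30.0.7 22",
]
```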
  • 42. CONT… password over and over, and many systems and services support weak authentication practices. For most organizations, implementing stringent password controls can help. This may consist of longer passwords, more complex passwords, more frequent password changes, or some combination of these principles.
  • 43. PREVENTION Poor security awareness: The most common cause of successful phishing, pretexting and other social engineering attacks is a lack of sound security awareness training and end-user validation. Organizations are still struggling with how to train users to look for social engineering attempts and report them.
  • 44. CONT… More organizations need to conduct regular training exercises, including phishing tests, pretexting and additional social engineering as needed. Many training programs are available to help reinforce security awareness concepts.