Ambo University
Computer Security
Incomplete Mediation
Incomplete mediation occurs when the application accepts incorrect data from the user, i.e. input that has not been checked before it is used.
What happens if someone fills in:
DOB: 98764874236492483649247836489236492
• Buffer overflow?
DOB: ’; DROP DATABASE clients;
• SQL injection?
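The two inputs above are what a mediation layer has to stop before the value reaches a fixed-size buffer or a SQL statement. The following example is added here and is not part of the slide deck: it validates the DOB field completely on the server (length, shape, calendar validity), shows the vulnerable string-concatenation pattern next to a parameterized insert, and runs the slide's two inputs plus one well-formed date through it. The table layout, the sample inputs and the `YYYY-MM-DD` format are constructed assumptions for the demo.

```python
import re
import sqlite3
from datetime import date

# Constructed sample inputs: a well-formed DOB plus the two from the slide
# (the SQL fragment uses a plain quote instead of the slide's curly one).
SAMPLE_INPUTS = [
    "1990-05-17",
    "98764874236492483649247836489236492",
    "'; DROP DATABASE clients;",
]

MAX_DOB_LEN = 10                      # "YYYY-MM-DD" is exactly 10 characters
DOB_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def validate_dob(raw):
    """Complete mediation of one field: length, shape, then calendar validity.

    Returns a datetime.date on success and None on any failure, so nothing
    downstream ever handles the raw string once it has been rejected.
    """
    if not isinstance(raw, str) or len(raw) > MAX_DOB_LEN:
        return None                   # oversized input: reject before parsing
    if DOB_RE.fullmatch(raw) is None:
        return None                   # wrong shape: quotes, semicolons, letters
    try:
        parsed = date.fromisoformat(raw)
    except ValueError:
        return None                   # e.g. month 13 or day 32
    if parsed > date.today():
        return None                   # a birth date cannot lie in the future
    return parsed


def build_query_unsafe(raw):
    """The vulnerable pattern: the raw field is pasted into the SQL text.

    Only the statement string is returned (it is never executed here) so the
    injected fragment can be inspected.
    """
    return "INSERT INTO clients (dob) VALUES ('" + raw + "')"


def store_dob(conn, raw):
    """Validate first, then bind the value as a parameter, never as SQL text."""
    parsed = validate_dob(raw)
    if parsed is None:
        raise ValueError("rejected DOB")
    conn.execute("INSERT INTO clients (dob) VALUES (?)", (parsed.isoformat(),))
    return parsed


def demo():
    """Run every sample through store_dob and report what happened to each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, dob TEXT NOT NULL)")
    outcome = {}
    for raw in SAMPLE_INPUTS:
        try:
            store_dob(conn, raw)
            outcome[raw] = "stored"
        except ValueError:
            outcome[raw] = "rejected"
    outcome["rows_in_table"] = [r[0] for r in conn.execute("SELECT dob FROM clients")]
    return outcome


if __name__ == "__main__":
    print(build_query_unsafe(SAMPLE_INPUTS[2]))   # shows the attacker text inside the SQL
    print(demo())
```

The length check comes first on purpose: an oversized value is rejected before any regular expression or parser touches it, which is the same ordering a C program would need to avoid the buffer overflow the slide asks about.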
Cont…
• If data exchanged between components of the system (such as client and server) is compromised or altered, the system may fail.
• Example: form data submitted from a web browser may be altered before reaching the server.
• The data is exchanged between a web client and server as part of the URL (in GET mode). This URL may be intercepted by an adversary and changed, so the server receives unexpected input.
• http://www.wiu.edu/users/mfbg/submit?user=‘binto’&operation=‘viewaccount’
• An adversary can intercept this and change the operation into, say, “changepassword”, or much worse, something invalid. This confuses the server, and the server may shut down.
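The server-side counterpart to the slide's URL is mediation of every parameter before it is acted on: take the identity from the server's own session rather than from the query string, accept only operations the server knows, refuse state-changing operations over GET, and answer malformed input with an error instead of crashing. The example below is added here and is not from the slide deck; the host name `www.example.test`, the handler functions and the sample URLs are constructed for the demo (the slide's real URL is not used).

```python
from urllib.parse import urlsplit, parse_qs

# Constructed: the shape of the slide's request with plain quoting, followed by
# the tampered variants the slide describes (changed operation, invalid input,
# and a different user name).
SAMPLE_URLS = [
    "http://www.example.test/submit?user=binto&operation=viewaccount",
    "http://www.example.test/submit?user=binto&operation=changepassword",
    "http://www.example.test/submit?user=binto&operation=%00garbage",
    "http://www.example.test/submit?user=alice&operation=viewaccount",
]


def view_account(user):
    return "account page for " + user


# Operations the server is willing to perform on a GET request. Anything
# that changes state (e.g. changepassword) is deliberately absent: GET must
# be safe, so a tampered URL cannot trigger a modification.
GET_OPERATIONS = {
    "viewaccount": view_account,
}

# Operations that exist but must arrive via POST with the usual protections.
STATE_CHANGING_OPERATIONS = {"changepassword"}


def handle_request(url, session_user):
    """Mediate one GET request on the server.

    session_user is the identity the server established itself (e.g. from a
    login cookie); the `user` query parameter is only checked for agreement.
    Returns (status, body) and never raises on malformed input.
    """
    try:
        query = parse_qs(urlsplit(url).query, strict_parsing=True, max_num_fields=10)
    except ValueError:
        return (400, "malformed query string")
    ops = query.get("operation", [])
    users = query.get("user", [])
    if len(ops) != 1 or len(users) != 1:
        return (400, "expected exactly one user and one operation")
    if users[0] != session_user:
        return (403, "user parameter does not match the session")
    op = ops[0]
    if op in STATE_CHANGING_OPERATIONS:
        return (405, "state-changing operations are not accepted over GET")
    handler = GET_OPERATIONS.get(op)
    if handler is None:
        return (400, "unknown operation")      # invalid input: reject, do not crash
    return (200, handler(session_user))


def demo():
    """Serve every sample URL as if it arrived in binto's session."""
    return [handle_request(u, "binto") for u in SAMPLE_URLS]


if __name__ == "__main__":
    for url, result in zip(SAMPLE_URLS, demo()):
        print(url, "->", result)
```

Note that the dispatch table is the whitelist: the operation name from the URL is only ever used as a dictionary key, never as a function name or file name, so "much worse, something invalid" simply maps to a 400 response.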
Time-Of-Check To Time-Of-Use (TOCTTOU)
Also known as “race condition” errors.
A race condition attack happens when a computing system that is designed to handle tasks in a specific sequence is forced to perform two or more operations simultaneously.
This technique takes advantage of the time gap between the moment a service is initiated and the moment a security control takes effect.
Cont…
This attack, which depends on multithreaded applications, can be delivered in one of two ways: interference caused by untrusted processes (essentially a piece of code that slips into the sequence between steps of a secure program), and interference caused by a trusted process, which may have the same privileges.
Without proper controls, different processes can interfere with each other.
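The classic instance of the gap described on the two TOCTTOU slides is a file that is checked by name and then opened by name, with another process changing what the name refers to in between. The example below is added here and is not from the slide deck: it shows the vulnerable check-then-use pattern with the interference injected at exactly the point where a real race would land, next to a version that opens the file once (refusing symlinks) and performs its checks on the open descriptor, which no other process can redirect. The temporary files, their contents and the `interfere` hook are constructed for the demo; `os.O_NOFOLLOW` is assumed to be available (Linux, macOS and other POSIX systems).

```python
import os
import stat
import tempfile


def read_check_then_use(path, interfere=None):
    """VULNERABLE: the check and the use both go through the path name.

    `interfere` stands in for the other process of the slide: it runs in the
    window between the check and the use, where a real race would strike.
    """
    if os.path.islink(path):               # check: refuse symlinks
        raise PermissionError("symlink refused")
    if interfere is not None:
        interfere()                        # the time gap between check and use
    with open(path) as f:                  # use: the name may now point elsewhere
        return f.read()


def read_open_then_check(path):
    """Hardened: open once without following symlinks, then check the descriptor.

    Every decision is made on the fd. A path name can be re-pointed by another
    process; an already-open descriptor cannot.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)   # OSError if path is a symlink
    try:
        st = os.fstat(fd)                  # check on the fd, not on the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd) as f:               # use the very fd that was checked
        return f.read()


def demo():
    """Constructed scenario: a public file, a secret file, a swap in the gap."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "w") as f:
            f.write("public data")
        with open(secret, "w") as f:
            f.write("secret data")

        def swap():
            # Simulated interfering process (constructed): during the gap the
            # public name is re-pointed at the secret file via a symlink.
            os.remove(public)
            os.symlink(secret, public)

        # The check passed on a regular file, but the use reads the secret.
        results["vulnerable"] = read_check_then_use(public, interfere=swap)

        # `public` is now a symlink; the fd-based version refuses it outright.
        try:
            read_open_then_check(public)
            results["hardened"] = "opened"
        except OSError:
            results["hardened"] = "refused symlink"

        # On a genuine regular file the hardened reader still works normally.
        results["hardened_regular"] = read_open_then_check(secret)
    return results


if __name__ == "__main__":
    print(demo())
```

The general rule the hardened function follows is to make the check and the use operate on the same kernel object (the descriptor) rather than on a name that is resolved twice; the same idea applies to any check-then-act sequence, not only to files.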
compsec_incomplete_mediation.pptx