SlideShare ist ein Scribd-Unternehmen logo

Web Vulnerabilities_NGAN Seok Chern

Quek Lilian
Quek Lilian
Technologie
1 von 16
Downloaden Sie, um offline zu lesen
WEBSITE VULNERABILITIES Ngan Seok Chern MCP | CEH | MVP – ASP / ASP.NET seokchern85@hotmail.com http://blog.scnetstudio.com
Agenda  Web application setup  Why attack  Type of attack & countermeasure
Web Application Setup
Why Attack ?  DefacingWebsite  Sealing credit card information  exploting server-side scripting  exploiting buffer overflow  and etc
Step 1. Scanning 2. Gather Information 3.Testing 4. Plan 5. Launch
Type of Attack  Cross-site Scripting / XSS Flaws  SQL Injection  Buffer Overflow  DirectoryTraversal  Error message interception attack  Web.config  and etc
Cross-site Scripting / XSS Flaws  Typically found in web applications which allow code injection by malicious users into the web pages viewed by other users.  JavaScript is commonly used.  During an attack "everything looks fine" to the end-user.  <script> </script>  Countermeasure :  Validate all your sources.  Filtering script output.
SQL Injection  SQL to manipulate database’s data  Execute from address bar, queries / searches.  SELECT fieldlist FROM table WHERE field = '$EMAIL';  SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';  Countermeasure:  Check user input.  Validate and sanitize user input that passed to database.
Buffer Overflow  Where a process stores data in a buffer outside the memory the programmer set aside for it.  Countermeasure:  Validate input length.  Check and pay extra care on loop function which carry data.
Directory Traversal  Attacker able to browse directories and files.  Expose the directory structure of application and often the underlying web server and operating system.  Eg. “../Images/logo.gif”  Countermeasure:  Define access right to the protected area  Apply checks/hot fixes  Update web server with patches in timely manner
Error Message Attack  Based on error message that show.  Example:  Your password is incorrect.  Connecting to the database on ……. With …..is not unsuccessful.  Countermeasure:  Modify and display common error message.
Web.config  Connection String Information  Example:  Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;  Countermeasure:  Encrypt your web.config.  aspnet_regiis.exe -pef "connectionStrings Name" "C:InetpubwwwrootMySite" –prov "DataProtectionConfigurationProvider”
Web.config (Original)
Web.config (Encrypted)
Summary  Programmer played important roles.  Patches your server.
Thank you Q&A

Empfohlen

Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
Akansha Kesharwani
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
Secure Code Warrior
 

Empfohlen

Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
ASP.NET View State - Security Issues
ASP.NET View State - Security IssuesASP.NET View State - Security Issues
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013 Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
Common Web Application Attacks
Common Web Application Attacks Common Web Application Attacks
Common Web Application Attacks
Ahmed Sherif
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Colin English
 
Broken access controls
Broken access controlsBroken access controls
Broken access controls
Akansha Kesharwani
 
Secure Code Warrior - Authentication
Secure Code Warrior - AuthenticationSecure Code Warrior - Authentication
Secure Code Warrior - Authentication
Secure Code Warrior
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
Cenzic
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
Rashid Khatmey
 
Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangers
drkimsky
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
Adeel Javaid
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
Josh Sokol
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
dzhengo44
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
Roberto Suggi Liverani
 
IEEE KUET SPAC presentation
IEEE KUET SPAC presentationIEEE KUET SPAC presentation
IEEE KUET SPAC presentation
ahsanmm
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
Ashwini Paranjpe
 
Web App Footprints Discovery
Web App Footprints DiscoveryWeb App Footprints Discovery
Web App Footprints Discovery
Aung Khant
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
n|u - The Open Security Community
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
Ravikumar Paghdal
 
STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
Symantec
 
06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08
Vivek chan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangers
drkimsky
 
Web App Footprints Discovery
Web App Footprints DiscoveryWeb App Footprints Discovery
Web App Footprints Discovery
Aung Khant
 

Was ist angesagt? (20)

Secure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusionSecure Code Warrior - Remote file inclusion
Secure Code Warrior - Remote file inclusion
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
2 . web app s canners
2 . web app s canners2 . web app s canners
2 . web app s canners
 
Ajax Security Dangers
Ajax Security DangersAjax Security Dangers
Ajax Security Dangers
 
AJAX Security - LAC2016
AJAX Security - LAC2016AJAX Security - LAC2016
AJAX Security - LAC2016
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Using Proxies To Secure Applications And More
Using Proxies To Secure Applications And MoreUsing Proxies To Secure Applications And More
Using Proxies To Secure Applications And More
 
Error codes & custom 404s
Error codes & custom 404sError codes & custom 404s
Error codes & custom 404s
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Dzhengis 93098 ajax - security
Dzhengis 93098 ajax - securityDzhengis 93098 ajax - security
Dzhengis 93098 ajax - security
 
Web Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing MethodologyWeb Application Security 101 - 04 Testing Methodology
Web Application Security 101 - 04 Testing Methodology
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
IEEE KUET SPAC presentation
IEEE KUET SPAC presentationIEEE KUET SPAC presentation
IEEE KUET SPAC presentation
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Owasp first5 presentation
Owasp first5 presentationOwasp first5 presentation
Owasp first5 presentation
 
Web App Footprints Discovery
Web App Footprints DiscoveryWeb App Footprints Discovery
Web App Footprints Discovery
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 

Andere mochten auch

06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08
Vivek chan
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016
Quick Heal Technologies Ltd.
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website Vulnerabilities
Jeremiah Grossman
 
Secure development automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...Secure development automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...
peihsin1980
 

Andere mochten auch (8)

STUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability AssessmentSTUDY: Website Vulnerability Assessment
STUDY: Website Vulnerability Assessment
 
06 asp.net session08
06 asp.net session0806 asp.net session08
06 asp.net session08
 
Cyber Security Predictions 2016
Cyber Security Predictions 2016Cyber Security Predictions 2016
Cyber Security Predictions 2016
 
15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years15 Years of Web Security: The Rebellious Teenage Years
15 Years of Web Security: The Rebellious Teenage Years
 
JavaScript Security
JavaScript SecurityJavaScript Security
JavaScript Security
 
Statistics - Top Website Vulnerabilities
Statistics - Top Website VulnerabilitiesStatistics - Top Website Vulnerabilities
Statistics - Top Website Vulnerabilities
 
Secure development automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...Secure development automatic identification and mitigation of application v...
Secure development automatic identification and mitigation of application v...
 
Slideshare.Com Powerpoint
Slideshare.Com PowerpointSlideshare.Com Powerpoint
Slideshare.Com Powerpoint
 

Ähnlich wie Web Vulnerabilities_NGAN Seok Chern

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 

Ähnlich wie Web Vulnerabilities_NGAN Seok Chern (20)

Altitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edgeAltitude SF 2017: Security at the edge
Altitude SF 2017: Security at the edge
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Web Security
Web SecurityWeb Security
Web Security
 
Attques web
Attques webAttques web
Attques web
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
Owasp web security
Owasp web securityOwasp web security
Owasp web security
 
Cyber ppt
Cyber pptCyber ppt
Cyber ppt
 
Jan 2008 Allup
Jan 2008 AllupJan 2008 Allup
Jan 2008 Allup
 
ieee
ieeeieee
ieee
 
Security Awareness
Security AwarenessSecurity Awareness
Security Awareness
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
 
Web application sec_3
Web application sec_3Web application sec_3
Web application sec_3
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016Securing the Web @RivieraDev2016
Securing the Web @RivieraDev2016
 

Mehr von Quek Lilian

Expression studio overview_MVP Kok Chiann
Expression studio overview_MVP Kok ChiannExpression studio overview_MVP Kok Chiann
Expression studio overview_MVP Kok Chiann
Quek Lilian
 
Installation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP PadmanInstallation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
Exchange server 2010 overview_MVP Padman
Exchange server 2010 overview_MVP PadmanExchange server 2010 overview_MVP Padman
Exchange server 2010 overview_MVP Padman
Quek Lilian
 
Installing managing windows server 2008 r2_MVP Shaminda
Installing managing windows server 2008 r2_MVP ShamindaInstalling managing windows server 2008 r2_MVP Shaminda
Installing managing windows server 2008 r2_MVP Shaminda
Quek Lilian
 
SharePoint 2010 launch_MVP Sampath Perera
SharePoint 2010 launch_MVP Sampath PereraSharePoint 2010 launch_MVP Sampath Perera
SharePoint 2010 launch_MVP Sampath Perera
Quek Lilian
 
NUS exam 70-432_MVP Choirul Amri
NUS exam 70-432_MVP Choirul AmriNUS exam 70-432_MVP Choirul Amri
NUS exam 70-432_MVP Choirul Amri
Quek Lilian
 
Windows server 2008 r2 and web platform_MVP Fajar
Windows server 2008 r2 and web platform_MVP FajarWindows server 2008 r2 and web platform_MVP Fajar
Windows server 2008 r2 and web platform_MVP Fajar
Quek Lilian
 
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Quek Lilian
 
Windows 7 For Students_MVP Jabez Gan
Windows 7 For Students_MVP Jabez GanWindows 7 For Students_MVP Jabez Gan
Windows 7 For Students_MVP Jabez Gan
Quek Lilian
 
Lkw Security Part 1_MVPs Azra & Sanjay
Lkw Security Part 1_MVPs Azra & SanjayLkw Security Part 1_MVPs Azra & Sanjay
Lkw Security Part 1_MVPs Azra & Sanjay
Quek Lilian
 
Sql2008 R2 Dw (Phua Chiu Kiang)
Sql2008 R2 Dw (Phua Chiu Kiang)Sql2008 R2 Dw (Phua Chiu Kiang)
Sql2008 R2 Dw (Phua Chiu Kiang)
Quek Lilian
 
Commercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev ChalermvongCommercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
Commercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev ChalermvongCommercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
Unveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy PradeepUnveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
Unveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy PradeepUnveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
Introduction To Virtualization_MVP Jabez Gan
Introduction To Virtualization_MVP Jabez GanIntroduction To Virtualization_MVP Jabez Gan
Introduction To Virtualization_MVP Jabez Gan
Quek Lilian
 
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok ChernVs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Quek Lilian
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath PereraWindows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Quek Lilian
 

Mehr von Quek Lilian (20)

Sgug print copy pdf ll
Sgug print copy pdf llSgug print copy pdf ll
Sgug print copy pdf ll
 
Singapore MVP gazette
Singapore MVP gazetteSingapore MVP gazette
Singapore MVP gazette
 
Expression studio overview_MVP Kok Chiann
Expression studio overview_MVP Kok ChiannExpression studio overview_MVP Kok Chiann
Expression studio overview_MVP Kok Chiann
 
Installation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP PadmanInstallation and Adminstration of AD_MVP Padman
Installation and Adminstration of AD_MVP Padman
 
Exchange server 2010 overview_MVP Padman
Exchange server 2010 overview_MVP PadmanExchange server 2010 overview_MVP Padman
Exchange server 2010 overview_MVP Padman
 
Installing managing windows server 2008 r2_MVP Shaminda
Installing managing windows server 2008 r2_MVP ShamindaInstalling managing windows server 2008 r2_MVP Shaminda
Installing managing windows server 2008 r2_MVP Shaminda
 
SharePoint 2010 launch_MVP Sampath Perera
SharePoint 2010 launch_MVP Sampath PereraSharePoint 2010 launch_MVP Sampath Perera
SharePoint 2010 launch_MVP Sampath Perera
 
NUS exam 70-432_MVP Choirul Amri
NUS exam 70-432_MVP Choirul AmriNUS exam 70-432_MVP Choirul Amri
NUS exam 70-432_MVP Choirul Amri
 
Windows server 2008 r2 and web platform_MVP Fajar
Windows server 2008 r2 and web platform_MVP FajarWindows server 2008 r2 and web platform_MVP Fajar
Windows server 2008 r2 and web platform_MVP Fajar
 
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
 
Windows 7 For Students_MVP Jabez Gan
Windows 7 For Students_MVP Jabez GanWindows 7 For Students_MVP Jabez Gan
Windows 7 For Students_MVP Jabez Gan
 
Lkw Security Part 1_MVPs Azra & Sanjay
Lkw Security Part 1_MVPs Azra & SanjayLkw Security Part 1_MVPs Azra & Sanjay
Lkw Security Part 1_MVPs Azra & Sanjay
 
Sql2008 R2 Dw (Phua Chiu Kiang)
Sql2008 R2 Dw (Phua Chiu Kiang)Sql2008 R2 Dw (Phua Chiu Kiang)
Sql2008 R2 Dw (Phua Chiu Kiang)
 
Commercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev ChalermvongCommercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev Chalermvong
 
Commercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev ChalermvongCommercial Launch Win7 Dev Chalermvong
Commercial Launch Win7 Dev Chalermvong
 
Unveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy PradeepUnveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy Pradeep
 
Unveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy PradeepUnveiling Share Point 2010_MVP Joy Pradeep
Unveiling Share Point 2010_MVP Joy Pradeep
 
Introduction To Virtualization_MVP Jabez Gan
Introduction To Virtualization_MVP Jabez GanIntroduction To Virtualization_MVP Jabez Gan
Introduction To Virtualization_MVP Jabez Gan
 
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok ChernVs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath PereraWindows 2008 Active Directory Branch office Management_MVP Sampath Perera
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
 

Kürzlich hochgeladen

Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Kürzlich hochgeladen (20)

Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 

Web Vulnerabilities_NGAN Seok Chern

  • 1. WEBSITE VULNERABILITIES Ngan Seok Chern MCP | CEH | MVP – ASP / ASP.NET seokchern85@hotmail.com http://blog.scnetstudio.com
  • 2. Agenda  Web application setup  Why attack  Type of attack & countermeasure
  • 4. Why Attack ?  DefacingWebsite  Sealing credit card information  exploting server-side scripting  exploiting buffer overflow  and etc
  • 6. Type of Attack  Cross-site Scripting / XSS Flaws  SQL Injection  Buffer Overflow  DirectoryTraversal  Error message interception attack  Web.config  and etc
  • 7. Cross-site Scripting / XSS Flaws  Typically found in web applications which allow code injection by malicious users into the web pages viewed by other users.  JavaScript is commonly used.  During an attack "everything looks fine" to the end-user.  <script> </script>  Countermeasure :  Validate all your sources.  Filtering script output.
  • 8. SQL Injection  SQL to manipulate database’s data  Execute from address bar, queries / searches.  SELECT fieldlist FROM table WHERE field = '$EMAIL';  SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';  Countermeasure:  Check user input.  Validate and sanitize user input that passed to database.
  • 9. Buffer Overflow  Where a process stores data in a buffer outside the memory the programmer set aside for it.  Countermeasure:  Validate input length.  Check and pay extra care on loop function which carry data.
  • 10. Directory Traversal  Attacker able to browse directories and files.  Expose the directory structure of application and often the underlying web server and operating system.  Eg. “../Images/logo.gif”  Countermeasure:  Define access right to the protected area  Apply checks/hot fixes  Update web server with patches in timely manner
  • 11. Error Message Attack  Based on error message that show.  Example:  Your password is incorrect.  Connecting to the database on ……. With …..is not unsuccessful.  Countermeasure:  Modify and display common error message.
  • 12. Web.config  Connection String Information  Example:  Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;  Countermeasure:  Encrypt your web.config.  aspnet_regiis.exe -pef "connectionStrings Name" "C:InetpubwwwrootMySite" –prov "DataProtectionConfigurationProvider”
  • 15. Summary  Programmer played important roles.  Patches your server.