SlideShare ist ein Scribd-Unternehmen logo

Intro to Web Application Security

Als PPT, PDF herunterladen
Rob Ragan
Rob Ragan

Introduction to Web Application Security presented at for the Penn State Information Assurance Club (Fall 2007)

Technologie
1 von 35
Information Assurance Club 2007 Understanding Web Application Security
What is Application Security? ,[object Object],[object Object],[object Object],[object Object]
 
 
Application Layer VS Network Layer ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Test Your Hacking Knowledge ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Why Should I Care? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Attacks Shift Towards Application Layer ,[object Object],[object Object],[object Object]
How Do Attackers Do It? ,[object Object],[object Object],[object Object],[object Object]
HyperText Transfer Protocol (HTTP) GET /index.html HTTP/1.1 Host: www.example.com HTTP/1.1 200 OK Date: Mon, 23 April 2007 22:38:34 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Etag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html; charset=UTF-8
HTTPS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Transparent Proxy ,[object Object],[object Object],[object Object],[object Object]
Authentication Common Problems ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Authentication Best Practices ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
State Problems ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Session Best Practices ,[object Object],[object Object],[object Object],[object Object],[object Object]
Access Control ,[object Object],[object Object],[object Object],[object Object],[object Object]
Broken Access Control ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Cross-Site Scripting (XSS) ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XSS Vulnerability Pattern ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Two Types of XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Cross-site Scripting - Tricks ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XSS Real World Example ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
 
XSS– Input Filters ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
PSU Webmail XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
View Passwords ,[object Object]
CSRF (Sea-Surf) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Injection Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SQL Injection – Example ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Prevent SQL Injection ,[object Object],[object Object],[object Object],[object Object],[object Object]
Injection Demo SQL Injection: Almost every IST student’s web application is vulnerable https://my.3c.ist.psu.edu/jeb5010/customer.php?Name ='%20OR%201=1-- Remote Code Execution: http://scripts.cac.psu.edu/pxn126/finger.cgi
Conclusion ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Where can I learn more? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Questions? Ask questions and I'll try to answer them

Empfohlen

Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 

Empfohlen

Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
Xss attack
Xss attackXss attack
Xss attackManjushree Mashal
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Cybersecurity Education and Research Centre
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Xss ppt
Xss pptXss ppt
Xss pptpenetration Tester
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101Narudom Roongsiriwong, CISSP
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Web security
Web securityWeb security
Web securityPadam Banthia
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansRob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskRob Ragan
 

Weitere ähnliche Inhalte

Was ist angesagt?

Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Web application security
Web application securityWeb application security
Web application securityKapil Sharma
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security VulnerabilitiesMarius Vorster
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesScott Hurrey
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingAnurag Srivastava
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defensesMohammed A. Imran
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internetRohan Bharadwaj
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
Web application security I
Web application security IWeb application security I
Web application security IMd Syed Ahamad
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissanceNishaYadav177
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 

Was ist angesagt? (20)

Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Web application security
Web application securityWeb application security
Web application security
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Xss ppt
Xss pptXss ppt
Xss ppt
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Secure Code Review 101
Secure Code Review 101Secure Code Review 101
Secure Code Review 101
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Web security
Web securityWeb security
Web security
 
Cross site scripting attacks and defenses
Cross site scripting attacks and defensesCross site scripting attacks and defenses
Cross site scripting attacks and defenses
 
Software security
Software securitySoftware security
Software security
 
Different types of attacks in internet
Different types of attacks in internetDifferent types of attacks in internet
Different types of attacks in internet
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Web application security I
Web application security IWeb application security I
Web application security I
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Footprinting and reconnaissance
Footprinting and reconnaissanceFootprinting and reconnaissance
Footprinting and reconnaissance
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 

Andere mochten auch

Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansRob Ragan
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskRob Ragan
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingRob Ragan
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuRob Ragan
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Rob Ragan
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerRob Ragan
 
Interesting Water Facts
Interesting Water FactsInteresting Water Facts
Interesting Water FactsEason Chan
 
How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)Future Insights
 
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!Usersnap
 
Google Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.orgGoogle Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.orgDrew Fustini
 
Instructivo casio g shock ga 100
Instructivo casio g shock ga 100Instructivo casio g shock ga 100
Instructivo casio g shock ga 100Israel González
 
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...Dawn Bazely
 
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016Purplegator
 
Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"Stefan Vermeulen
 
Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?Nigel Brindley
 
ESP8266をはじめよう
ESP8266をはじめようESP8266をはじめよう
ESP8266をはじめようKei Yoshimura
 
425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50Thanh Liem Vo
 

Andere mochten auch (18)

Social Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response PlansSocial Engineering: the Bad, Better, and Best Incident Response Plans
Social Engineering: the Bad, Better, and Best Incident Response Plans
 
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering RiskBSidesPGH - Never Surrender - Reducing Social Engineering Risk
BSidesPGH - Never Surrender - Reducing Social Engineering Risk
 
Tenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of BingTenacious Diggity - Skinny Dippin in a Sea of Bing
Tenacious Diggity - Skinny Dippin in a Sea of Bing
 
Attack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack FuAttack Chaining: Advanced Maneuvers for Hack Fu
Attack Chaining: Advanced Maneuvers for Hack Fu
 
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
Black Hat 2011 - Pulp Google Hacking: The Next Generation Search Engine Hacki...
 
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet FarmerCloudBots - Harvesting Crypto Currency Like a Botnet Farmer
CloudBots - Harvesting Crypto Currency Like a Botnet Farmer
 
Interesting Water Facts
Interesting Water FactsInteresting Water Facts
Interesting Water Facts
 
How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)How to keep calm and ship it (Juozas Kaziukėnas)
How to keep calm and ship it (Juozas Kaziukėnas)
 
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!23 Amazing Lessons Learned From Interviewing The World's Top Developers!
23 Amazing Lessons Learned From Interviewing The World's Top Developers!
 
Google Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.orgGoogle Summer of Code and BeagleBoard.org
Google Summer of Code and BeagleBoard.org
 
Bar exam tips
Bar exam tipsBar exam tips
Bar exam tips
 
Instructivo casio g shock ga 100
Instructivo casio g shock ga 100Instructivo casio g shock ga 100
Instructivo casio g shock ga 100
 
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
Overcoming Confirmation Bias en route to becoming an Active Bystander in Supp...
 
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
Social Mobile ads for Nurse & Allied Health Recruiting Feb 2016
 
Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"Webinar "Innovatie in e-commerce"
Webinar "Innovatie in e-commerce"
 
Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?Private sector skills - what value to the NHS?
Private sector skills - what value to the NHS?
 
ESP8266をはじめよう
ESP8266をはじめようESP8266をはじめよう
ESP8266をはじめよう
 
425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50425 cac tinh huong vi du ve lam sang x oa50
425 cac tinh huong vi du ve lam sang x oa50
 

Ähnlich wie Intro to Web Application Security

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008abhijitapatil
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Sean Jackson
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encodingEoin Keary
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSskyhawk133
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAThuy_Dang
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application FirewallPort80 Software
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Jay Nagar
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practicesphanleson
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP ApplicationsAditya Mooley
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009Paul Lemon
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingInMobi Technology
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Greg Sohl
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesVi Tính Hoàng Nam
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxsmile790243
 

Ähnlich wie Intro to Web Application Security (20)

Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
4.Xss
4.Xss4.Xss
4.Xss
 
Owasp top 10_openwest_2019
Owasp top 10_openwest_2019Owasp top 10_openwest_2019
Owasp top 10_openwest_2019
 
04. xss and encoding
04. xss and encoding04. xss and encoding
04. xss and encoding
 
Protecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSSProtecting Your Web Site From SQL Injection & XSS
Protecting Your Web Site From SQL Injection & XSS
 
Session7-XSS & CSRF
Session7-XSS & CSRFSession7-XSS & CSRF
Session7-XSS & CSRF
 
Xss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEAXss.e xopresentation from eXo SEA
Xss.e xopresentation from eXo SEA
 
WebApps_Lecture_15.ppt
WebApps_Lecture_15.pptWebApps_Lecture_15.ppt
WebApps_Lecture_15.ppt
 
Why You Need A Web Application Firewall
Why You Need A Web Application FirewallWhy You Need A Web Application Firewall
Why You Need A Web Application Firewall
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scriptingSecure Code Warrior - Cross site scripting
Secure Code Warrior - Cross site scripting
 
Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )Website hacking and prevention (All Tools,Topics & Technique )
Website hacking and prevention (All Tools,Topics & Technique )
 
302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices302 Content Server Security Challenges And Best Practices
302 Content Server Security Challenges And Best Practices
 
Security In PHP Applications
Security In PHP ApplicationsSecurity In PHP Applications
Security In PHP Applications
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 
Security Tech Talk
Security Tech TalkSecurity Tech Talk
Security Tech Talk
 
Reflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site ScriptingReflective and Stored XSS- Cross Site Scripting
Reflective and Stored XSS- Cross Site Scripting
 
Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...Application Security Part 1 Threat Defense In Client Server Applications ...
Application Security Part 1 Threat Defense In Client Server Applications ...
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
 
logout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docxlogout.php Session Data after Logout Username Email . $_.docx
logout.php Session Data after Logout Username Email . $_.docx
 
Web Security
Web SecurityWeb Security
Web Security
 

Mehr von Rob Ragan

Nbt hacker fight
Nbt hacker fightNbt hacker fight
Nbt hacker fightRob Ragan
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsRob Ragan
 
DeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than DeadDeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than DeadRob Ragan
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingRob Ragan
 
Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010Rob Ragan
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireRob Ragan
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingRob Ragan
 

Mehr von Rob Ragan (7)

Nbt hacker fight
Nbt hacker fightNbt hacker fight
Nbt hacker fight
 
Expose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach PatternsExpose Yourself Without Insecurity: Cloud Breach Patterns
Expose Yourself Without Insecurity: Cloud Breach Patterns
 
DeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than DeadDeadDropSF - Better Red Than Dead
DeadDropSF - Better Red Than Dead
 
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and PhishingInterop 2017 - Defeating Social Engineering, BEC, and Phishing
Interop 2017 - Defeating Social Engineering, BEC, and Phishing
 
Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010Lord of the Bing - Black Hat USA 2010
Lord of the Bing - Black Hat USA 2010
 
Filter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the WireFilter Evasion: Houdini on the Wire
Filter Evasion: Houdini on the Wire
 
Static Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without FightingStatic Analysis: The Art of Fighting without Fighting
Static Analysis: The Art of Fighting without Fighting
 

Kürzlich hochgeladen

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 

Kürzlich hochgeladen (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 

Intro to Web Application Security

  • 1. Information Assurance Club 2007 Understanding Web Application Security
  • 2.
  • 3.  
  • 4.  
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10. HyperText Transfer Protocol (HTTP) GET /index.html HTTP/1.1 Host: www.example.com HTTP/1.1 200 OK Date: Mon, 23 April 2007 22:38:34 GMT Server: Apache/1.3.27 (Unix) (Red-Hat/Linux) Last-Modified: Wed, 08 Jan 2003 23:11:55 GMT Etag: "3f80f-1b6-3e1cb03b" Accept-Ranges: bytes Content-Length: 438 Connection: close Content-Type: text/html; charset=UTF-8
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16.
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.  
  • 25.
  • 26.
  • 27.
  • 28.
  • 29.
  • 30.
  • 31.
  • 32. Injection Demo SQL Injection: Almost every IST student’s web application is vulnerable https://my.3c.ist.psu.edu/jeb5010/customer.php?Name ='%20OR%201=1-- Remote Code Execution: http://scripts.cac.psu.edu/pxn126/finger.cgi
  • 33.
  • 34.
  • 35. Questions? Ask questions and I'll try to answer them