Web application attacks – practical demonstration
Ing. Pavol Lupták, CISSP, CEH
www.nethemba.com

Agenda
    Unvalidated Parameters
    Access Control Flaws
    Session Management Flaws
    Cross Site Scripting (XSS)
    Injection flaws
    Improper Error Handling
    AJAX Security

Unvalidated Parameters
    Exploit Hidden Fields
    Exploit Unchecked Email
    Bypass Client Side JavaScript Validation

Access Control Flaws
    Bypass a Path Based Access Control Scheme
    Bypass Business Layer Access Control
    Bypass Data Layer Access Control

Session Management Flaws
    Spoof an Authentication Cookie
    Hijack a Session

Cross Site Scripting (XSS)
    Stored XSS
    Reflected XSS
    Cross Site Request Forgery (CSRF)

Injection flaws
    Blind SQL injection
    Numeric SQL injection
    String SQL injection
    XPATH injection

Improper Error Handling
    Fail Open Authentication Scheme

AJAX Security
    Client Side Filtering
    Same Origin Policy (SOP) Protection
    XML Injection
    JSON Injection
    Dangerous Use of Eval

Used tools
    WebGoat project
        http://www.owasp.org/index.php/Category:OWASP_WebGoat_P
    WebScarab
        http://www.owasp.org/index.php/Category:OWASP_WebScarab
    Tamperdata
        http://tamperdata.mozdev.org/
    LiveHTTPHeaders
        http://livehttpheaders.mozdev.org/
    Add N Edit Cookies
        https://addons.mozilla.org/en-US/firefox/addon/573

References
    New Web Applications Attacks
        http://www.nethemba.com/new_web_attacks-nethe
    LAMP and PHP security hardening (in Slovak language)
        http://www.nethemba.com/php-sec.pdf

Thank you for listening!
Ing. Pavol Lupták, CISSP, CEH
pavol.luptak@nethemba.com