Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
2. Introduction
• The trend in modern application design is to move applications onto a remote server.
• Consistent and quick updates
• Application monitoring
• Lower requirements on local hardware performance
• e.g. Office 365, Google Docs, etc.
• Needs a good-quality Internet connection
• Security
4. Penetration Testing Tools
• The higher security risk of remotely run applications has to be verified, expressed, and minimized.
• Main goal: improve the application's security by pointing out its security flaws.
• There are two basic phases of the testing
– Reconnaissance
– Application Exploitation
5. Reconnaissance Phase
• Passive
• gather as much information as possible about the targeted network.
• the network itself is not accessed.
• Active
• interact directly with the targeted devices.
• to identify the OS, running services and potential vulnerabilities.
• Application Scanning
• automated scanning of web applications.
• results give a general idea of the application
• guidance in exploiting existing flaws.
6. Passive Phase
• Maltego
– OSINT (Open Source Intelligence) type.
– group of tools using publicly available data.
– uses lists of indexes and databases to search for info.
• Discover Scripts
– OSINT type.
– integrates search and scanning utilities in the Kali Linux OS
7. Active Phase
• Ettercap
– open-source multi-platform tool for network traffic sniffing
– it can capture communication between two users in a network.
– used to gather sensitive information such as passwords.
• Nmap
– it can find end devices connected to the network and their open ports.
– it can build a network map
– versions of the OS, services and running daemons, etc.
8. Application Scanning
• Arachni
– automated multi-platform tool for security audits.
– uses asynchronous HTTP requests, parallel processing of JavaScript operations and multi-threaded scanning.
– integrated browser engine; scans web apps using advanced techniques
• OWASP ZAP (Zed Attack Proxy)
– Proxy (communication capturing), Scanner (passive, active), Fuzzer (sequentially sends dangerous payloads to identify vulnerabilities), Spider (traverses all web pages), Forced browsing (discovers direct access to files stored on the server)
9. Web Application Exploitation
• SQL Tools
– SQLMap
• open-source tool for testing the database part of a web app
• typical exploitation is SQL injection
• in case of successful exploitation, SQLMap can access a shell
• data can be saved to a file if the attack is successful
– NoSQLMap
• currently supports only MongoDB, but extensions for NoSQL databases like CouchDB, Redis and Cassandra are planned.
• the attack itself can take a few minutes, depending on scope.
10. Web Application Exploitation
• Password Attacks
– Hashcat
• open-source tool supporting many hash algorithms (SHA, MD)
• computation runs either on the CPU or the GPU (parallelized architecture)
– cudaHashcat for Nvidia
– oclHashcat for AMD
• Hashcat contains the following attack modes
– straight (classical dictionary attack)
– combination (words joined from multiple dictionaries)
– brute-force (mask specification allows omitting unused password combinations)
11. Web Application Exploitation
• Burp Suite
• Web Vulnerability Scanner
• Proxy (captures and modifies communication)
• Spider (creates a map of the web application and submits forms)
• Intruder (carries out attacks based on the performed analysis)
• Repeater (repeatedly modifies HTTP requests and analyzes the replies)
• Sequencer (analyzes the randomness of security tokens)
12. Web Application Exploitation
• BeEF (Browser Exploitation Framework)
– focused on XSS attacks
– BeEF is a modular framework
– its main functionality is the hooking process.
13. Web Application Vulnerabilities
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
• Insecure Direct Object Reference
• SQL Injection
• Broken Authentication and Session Management
14. Cross Site Scripting (XSS)
• Malicious code that can change the look and function of a legitimate web application.
• More widespread now because of the move to richer Internet applications using dynamic content, JavaScript and the latest AJAX trend.
• It can be identified using OWASP ZAP and exploited using BeEF.
15. Cross Site Scripting (XSS)
• Impact of XSS
– Data residing in the web page can be sent anywhere in the world.
– Facilitates many other types of attacks (CSRF, session attacks)
– The site's behaviour can be hijacked.
17. Preventing XSS
• Escape all user input when it is displayed
– Escaping converts the output to harmless HTML entities
• <script> becomes &lt;script&gt;
• but it is still displayed as <script>
• Ensure your filter uses a white-list approach
– Filters based on blacklisting have historically been flawed
• E.g. PHP, the Ruby on Rails sanitize method
– New encoding schemes can easily bypass filters that use a blacklist approach
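As an added example (not from the slides), the two rules on this slide in Python: escape on output so the browser displays the tag rather than executing it, and validate fields with a known format against an allow-list. The comment payload and the username format are constructed for the demonstration.

```python
import html
import re

# Constructed sample of untrusted input: a comment that carries a script tag.
UNTRUSTED_COMMENT = '<script>alert(document.cookie)</script> nice post'

# The page fragment the comment is rendered into.
PAGE_TEMPLATE = '<div class="comment">{body}</div>'


def render_unsafe(comment: str) -> str:
    """The vulnerable pattern: untrusted text is concatenated into HTML as-is,
    so the browser parses the <script> tag and runs it."""
    return PAGE_TEMPLATE.format(body=comment)


def render_escaped(comment: str) -> str:
    """The fix from the slide: escape at the moment the value is displayed.
    The browser then shows '<script>' as text instead of treating it as markup."""
    return PAGE_TEMPLATE.format(body=html.escape(comment, quote=True))


def displayed_text(comment: str) -> str:
    """What the user actually sees after escaping: the browser decodes the
    entities back to the original characters, so the visible text is unchanged."""
    return html.unescape(html.escape(comment, quote=True))


# Allow-list ("white list") validation for a field whose format is known.
# Anything outside the permitted alphabet is rejected rather than cleaned up,
# so the blacklist-bypass problem the slide describes does not arise.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


def is_valid_username(value: str) -> bool:
    """True only if the whole value consists of permitted characters."""
    return USERNAME_RE.fullmatch(value) is not None
```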
18. Cross Site Request Forgery (CSRF)
• A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application.
• Occurs when an authenticated user unknowingly initiates a request
• XSS facilitates CSRF via "link injection"
19. Cross Site Request Forgery (CSRF)
http://yourbank.com/transfer?to_account=my_account_number&amount=all_of_your_money
20. Preventing CSRF
• Add a secondary authentication mechanism
– Such as an impossible-to-guess token
• Require a confirmation page before executing potentially dangerous actions
• Eliminate XSS vulnerabilities
• Use POST as your form action and only accept POST requests on the server for sensitive data!
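As an added example (not from the slides), the token control and the POST-only rule from this slide applied to the transfer endpoint of the previous slide. The Session model and the handler are constructed for the demonstration; the forged request is the one shown on slide 19.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    """Constructed model of a logged-in user's server-side session."""
    user: str
    csrf_tokens: Set[str] = field(default_factory=set)


def issue_csrf_token(session: Session) -> str:
    """Create an unguessable token, remember it server-side and return it so the
    bank's own form can carry it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session.csrf_tokens.add(token)
    return token


def consume_csrf_token(session: Session, submitted: Optional[str]) -> bool:
    """Accept a submitted token only if it matches one issued to this session.
    The comparison is constant-time and the token is invalidated after one use."""
    if not submitted:
        return False
    matched = None
    for token in session.csrf_tokens:
        if hmac.compare_digest(token.encode("utf-8"), submitted.encode("utf-8")):
            matched = token
            break
    if matched is None:
        return False
    session.csrf_tokens.discard(matched)
    return True


def handle_transfer(session: Session, method: str, form: Dict[str, str]) -> str:
    """The transfer endpoint with the slide's controls: state-changing actions
    are POST-only and must present a valid token. A request forged by another
    site never sees the token, so it is refused before any transfer happens."""
    if method != "POST":
        return "rejected: GET not allowed for state-changing actions"
    if not consume_csrf_token(session, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {form['amount']} to {form['to_account']}"
```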
21. Insecure Direct Object Reference
• A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
• Attackers can manipulate those references to access other objects without authorization.
• E.g. /BankAccount.jsp?acct_nmbr=123
– The hacker modifies the parameter to view another user's account
23. Session Attacks
• Session Fixation: the hacker predicts a valid session key (usually via phishing)
• Session Hijacking: the hacker masquerades as another user by stealing the user's session id (usually via XSS)
25. Preventing Direct Object Reference
• Properly validate data!
• All input data MUST be validated server-side for each request; client-side validation is EASILY bypassed
• Do not expose internals to the user
• Such as IDs (if possible/necessary)
• Use an indirect reference map with hard-to-guess keys (hash)
• POST /BankAccount.jsp?acct_nmbr=d83OJdm3
• The server then uses the key to get the real value
» Key: d83OJdm3, value: 123
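As an added example (not from the slides), the indirect reference map this slide describes, together with the server-side authorization check the slide asks for: a per-session random key stands in for the internal account number, and the resolved object is still checked against the user's own accounts. The account data and the handler are constructed for the demonstration.

```python
import secrets
from typing import Dict, List, Optional

# Constructed sample data: internal account numbers (the real "123") per user.
ACCOUNTS_BY_USER: Dict[str, List[int]] = {"alice": [123, 124], "bob": [456]}


class IndirectReferenceMap:
    """Per-session map between random, hard-to-guess keys and internal ids.

    The key is what goes into the URL (acct_nmbr=d83OJdm3 on the slide); the
    internal number never leaves the server, so editing digits in the URL
    cannot address another record."""

    def __init__(self) -> None:
        self._key_to_id: Dict[str, int] = {}
        self._id_to_key: Dict[int, str] = {}

    def key_for(self, internal_id: int) -> str:
        """Return this session's key for an internal id, minting one if needed."""
        if internal_id not in self._id_to_key:
            key = secrets.token_urlsafe(8)
            self._id_to_key[internal_id] = key
            self._key_to_id[key] = internal_id
        return self._id_to_key[internal_id]

    def resolve(self, key: str) -> Optional[int]:
        """Map a key from a request back to the internal id, or None if unknown."""
        return self._key_to_id.get(key)


def account_links(session_map: IndirectReferenceMap, user: str) -> List[str]:
    """The links the server renders for the user's own accounts."""
    return [f"/BankAccount.jsp?acct_nmbr={session_map.key_for(acct)}"
            for acct in ACCOUNTS_BY_USER[user]]


def view_account(session_map: IndirectReferenceMap, user: str, key: str) -> str:
    """Handle the request: resolve the key server-side and, as the slide also
    requires, check that the referenced object belongs to the requesting user."""
    acct = session_map.resolve(key)
    if acct is None or acct not in ACCOUNTS_BY_USER[user]:
        return "403 Forbidden"
    return f"account {acct}"
```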
26. SQL Injection
• SQL injection is a security vulnerability that occurs in the database layer of an application.
• Its source is the incorrect escaping of dynamically generated string literals embedded in SQL statements.
27. SQL Injection
• Login Example Attack
– Text in blue is your SQL code, text in orange is the hacker's input, black text is your application code
• Dynamically built SQL string performing authentication:
– "SELECT * FROM users WHERE login = '" + userName + "' and password = '" + password + "'";
• Hacker logs in as: ' or '' = ''; --
– SELECT * FROM users WHERE login = '' or '' = ''; --' and password=''
29. Preventing SQL Injection
• Use Prepared Statements (aka Parameterized Queries)
– $id=1234
– "select * from accounts where id = " + $id
vs
– "select * from accounts where id = 1234"
• Escape questionable characters (ticks, --, semicolons, brackets, etc.)
• Validate input
– Strong typing
• If the id parameter is a number, try parsing it into an integer
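As an added example (not from the slides), the login query of slide 27 built both ways: by string concatenation, which the slide's input `' or '' = ''; --` turns into an always-true condition, and as the prepared statement this slide recommends, which treats the same input as a plain value. The strong-typing check for an id parameter is included too. The in-memory SQLite database and its single user row are constructed for the demonstration.

```python
import sqlite3

# The hacker input exactly as shown on slide 27.
SLIDE_PAYLOAD = "' or '' = ''; --"


def make_db() -> sqlite3.Connection:
    """Constructed sample database with one user; the real schema is not on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Slide 27's pattern: the query is built by concatenation, so quote
    characters in the input become part of the SQL and can rewrite the WHERE clause."""
    query = ("SELECT * FROM users WHERE login = '" + user_name +
             "' and password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user_name: str, password: str) -> bool:
    """Slide 29's fix: a prepared statement with placeholders. The values are
    bound separately from the query text, so they can never change its structure."""
    query = "SELECT * FROM users WHERE login = ? and password = ?"
    return conn.execute(query, (user_name, password)).fetchone() is not None


def parse_account_id(raw: str) -> int:
    """Strong typing from slide 29: an id parameter must be an integer, so
    anything else is rejected before it gets near the database."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError(f"account id must be numeric, got {raw!r}")
    return int(raw)
```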
30. Broken Authentication and Session Management
• Account credentials and session tokens are often not properly protected.
• Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
31. Authentication Checks
• Never store passwords in plaintext
– Encrypt, or hash+salt (preferred)
• Architect applications to check every request to see that the authentication data is still valid
• Issue a new session token when a change in privilege occurs
• If you absolutely must use "remember me" functionality, use a difficult-to-guess authentication cookie
• Authentication data is sent with every request, so protect it
32. Preventing Authentication and Session Attacks
• Use built-in session management!
• Use securely, randomly generated session keys to make prediction impossible
– Don't expose the user to session ids if possible
• Use reasonable session timeouts
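As an added example (not from the slides), the controls of slides 31 and 32 together: salted, stretched password hashing; session ids drawn from a secure random source; a session timeout; and a fresh session id whenever privilege changes. The iteration count, timeout and the injectable clock are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed parameters; the iteration count is kept low so the example runs fast.
PBKDF2_ITERATIONS = 100_000
SESSION_TIMEOUT_SECONDS = 15 * 60


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash+salt (the slide's preferred option): a fresh random salt per password,
    stretched with PBKDF2-HMAC-SHA256. Nothing reversible is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class SessionStore:
    """Server-side sessions with the slides' rules: unguessable ids, a timeout,
    and a new id whenever privilege changes. The clock is injectable for testing."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, dict] = {}
        self._clock = clock

    def create(self, user: str, privilege: str = "user") -> str:
        # 256 bits from the OS CSPRNG: the id cannot be predicted or enumerated.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "privilege": privilege,
                               "last_seen": self._clock()}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """Checked on every request; an idle session past the timeout is dropped."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self._clock() - session["last_seen"] > SESSION_TIMEOUT_SECONDS:
            del self._sessions[sid]
            return None
        session["last_seen"] = self._clock()
        return session

    def change_privilege(self, sid: str, privilege: str) -> Optional[str]:
        """Issue a new session id on privilege change; the old id stops working."""
        session = self.get(sid)
        if session is None:
            return None
        del self._sessions[sid]
        return self.create(session["user"], privilege)
```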