SlideShare a Scribd company logo

Injection flaws

Download as PPTX, PDF
DANISH INAMDAR
DANISH INAMDAR

As long as code and data cannot be distinguished by machines, Injection attacks will prevail. Injection flaws are very prevalent, particularly in legacy code. Injection flaws occur when an application sends untrusted data to an interpreter. This talk will focus on different injection flaws, challenges associated with it and possible ways to mitigate it.

Related slideshows

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
1 of 22
INJECTION FLAWS DANISH INAMDAR Security Researcher
What are Injection Flaws??  Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.  Weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.  Injection flaws allow attackers to relay malicious code through an application to another system
Is Your Web App Vulnerable to Injection?  User Supplied data is not validated , filtered or sanitized by Application.  Hostile data is supplied directly to dynamic queries or non parameterized calls for the interpreter without context-aware escaping.  Hostile data is used with ORM search parameters such that search evaluates out to include sensitive or all records.
Different types of Injection flaws Different subsystems == Different flaws  SQL Injection  Command Injection  HTML Injection  LDAP Injection  XML Injection  IMAP/SMTP Injection

Recommended for you

Xss attack
Xss attackXss attack
Xss attack

An XSS attack is a type of vulnerability that allows malicious scripts to be injected into web pages viewed by other users. There are three main types: reflected XSS occurs when a link containing malicious code is clicked; stored XSS injects code directly into a vulnerable website, potentially affecting many users; DOM-based XSS involves injecting code into a website hosted on a user's local system, allowing the attacker to access that user's browser privileges. The document provides examples of how XSS attacks work and can be used to hijack accounts, insert hostile content, steal cookies, and redirect users.

 
by Manjushree Mashal
cyber attacknetworkingxss
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity

SQL injection is a code injection technique that attacks data-driven applications. It involves inserting malicious SQL statements into entry fields that are then executed by the database. There are different types of SQL injection attacks, including directly injecting code to immediately execute or injecting into persistent storage to be triggered later. Injection can occur through user input, cookies, or server variables. Prevention techniques aim to stop these types of attacks from harming databases.

 
by Sanad Bhowmik
sql injection in cybersecurity
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques

This document discusses SQL injection and techniques to prevent it. SQL injection occurs when malicious SQL statements are inserted into an entry field to exploit vulnerabilities in the underlying database. Attackers can use SQL injection to bypass login screens or retrieve sensitive data. To prevent SQL injection, developers should escape special characters in user input before submitting queries, use prepared statements with bound parameters, and validate and sanitize all input. Input escaping involves using database-specific escape functions like mysql_real_escape_string() to avoid unintended SQL commands. Proper input validation and escaping helps prevent SQL injection attacks.

 
by SongchaiDuangpan
SQL Injection: Database Query  Dynamic script to look into database  “Direct” access to database  Possible to issue CRUD statements and many more….
SQL Injection : Query database
Command Injection  Web application performs operating system tasks  Execute external programs/script  List files etc. ping –c <user_input> Protection using Command Execution API os.system(ping –c 127.0.0.1)
HTML Injection  Possible to include HTML Tags like iframe , fake forms, XSS also possible….  Can be used in phishing attacks

Recommended for you

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION

This document discusses SQL injection (SQLI), which is a code injection technique used to attack data-driven applications. SQLI works by inserting malicious SQL statements into entry fields for execution on the backend database. This allows attackers to read sensitive data, modify database contents, and perform administration tasks. The document outlines common SQLI attack methods like error-based and union-based techniques. It also categorizes SQLI attacks as in-band, inferential/blind, or out-of-band based on how results are returned. Examples are provided to illustrate how SQLI exploits vulnerabilities in dynamic SQL queries.

 
by Mentorcs
sql injection in details
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)

Cross-site scripting (XSS) is a type of vulnerability in web applications that allows attackers to inject client-side scripts. There are three main types of XSS - reflected XSS occurs when malicious scripts are included in links or requests to the server, stored XSS happens when scripts are stored on the server through forums or comments, and local XSS executes without contacting the server through PDFs or Flash. XSS can lead to compromised user accounts, denial of service attacks, or access to users' local machines. Developers can prevent XSS through input validation, encoding output, and keeping software updated.

 
by vinayh.vaghamshi _
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...

OWASP Top 10- A2 broken authentication and session management at Mahidol University on April 28, 2016

 
by Noppadol Songsakaew
authenticationowasp top 10broken authentication
XML Injection  Web App talks to backend web services  Web app’s logic converts parameter’s to XML web services (as SOAP,…)
XML Injection
LDAP Injection  Lightweight Directory Access protocol  It is used to access information directories like users, user information, software, computers.
LDAP Injection  Insert Special characters like(*,|,&,…) leading to exposure of user’s confidential data

Recommended for you

Sql injection
Sql injectionSql injection
Sql injection

The document discusses SQL injection, including its types, methodology, attack queries, and prevention. SQL injection is a code injection technique where a hacker manipulates SQL commands to access a database and sensitive information. It can result in identity spoofing, modifying data, gaining administrative privileges, denial of service attacks, and more. The document outlines the steps of a SQL injection attack and types of queries used. Prevention methods include minimizing privileges, coding standards, and firewalls.

 
by Zidh
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack

SQL injection is a code injection technique used to attack data-driven applications that use SQL queries to access a backend database. An attacker can insert malicious SQL statements into the login form of a web application to gain unauthorized access to the database. The document discusses what SQL injection is, types of SQL injection like in-band and out-of-band, and provides examples. It also notes that SQL injection is a serious problem that can allow attackers to delete, modify or steal data. Suggested solutions include input validation, prepared statements, and minimizing database privileges.

 
by Rayudu Babu
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection

• What is SQL injection ? • Why is it harmful? • Types of SQL injection attacks. • How to identify SQL injection vulnerability. • Exploiting SQL injection. • How to protect Web Application from SQL injection.

 
by Eguardian Global Services
#cybersecurity #meetup #sql #sqlinjection
IMAP/SMTP Injection  This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.  We need to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
State of Web framework Security  Anti CSRF tokens – can easily turned off/miss-configurations  Templates escapes user input – just HTML escape ->XSS  Uses ORM – SQLi still possible https://rails-sqli.org/  We need to use secure APIs or write secure code
Can WAF solve the problem?  Web Application Firewalls are for Attack Detection and Prevention  Most of WAFs use blacklists. No vulnerability detection.
Protect Exploitation : RASP Runtime Application Self Protection • Detect both Attacks and Vulnerability • No Hardware Requirements • Inject Security at Runtime • Applies defense inside the application • Zero code Modification and Easy Integration • No use of Blacklists

Recommended for you

Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection

Web App Vulnerabilities - Slidepack on "CRLF injection" by Secure Code Warrior Limited and licensed under CC BY-ND 4.0

 
by Secure Code Warrior
hackingsecuritysoftware development
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution

This document discusses local file inclusion (LFI) vulnerabilities that can allow attackers to execute remote code. It explains how LFI works by dynamically including user-supplied files, and how attackers can use path traversal and null bytes to read arbitrary local files. It then describes how attackers can use LFI to execute reverse shells on the target server by including a PHP script that opens a remote connection. The document provides examples of vulnerable PHP functions and common files that can be read. It concludes by recommending input validation and whitelisting of allowed files to defend against LFI attacks.

 
by n|u - The Open Security Community
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks

Directory traversal, also known as path traversal, allows attackers to access files and directories outside of the web server's designated root folder. This can lead to attacks like file inclusion, where malicious code is executed on the server, and source code disclosure, where sensitive application code is revealed. Local file inclusion allows attackers to include files from the local web server, while remote file inclusion includes files from external websites, potentially allowing remote code execution on the vulnerable server.

 
by Raghav Bisht
hackingowasp
RASP by API Instrumentation and Dynamic White-list  Monkey Patching  Lexical Analysis and Token Generation  Context Determination
Injection flaws
Injection flaws
Injection flaws

Recommended for you

Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is a web security vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. There are three main types of XSS attacks: reflected XSS, stored XSS, and DOM-based XSS. XSS has been one of the top vulnerabilities on the OWASP Top Ten list for many years. While XSS attacks can compromise user sessions and steal sensitive data, developers can prevent XSS through proper input sanitization and output encoding. As web applications continue to grow in use, jobs in web application security and penetration testing are also expected to increase significantly in the coming years.

 
by Daniel Tumser
scriptingxsscross-site
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)

This document provides an introduction to SQL injection basics. It defines SQL injection as executing a SQL query or statement by injecting it into a user input field. The document outlines why SQL injection is studied, provides a sample database structure, and describes generic SQL queries and operators like UNION and ORDER BY. It also categorizes different types of SQL injection and attacks. The remainder of the document previews upcoming topics on blind SQL injection, data extraction techniques, and prevention.

 
by n|u - The Open Security Community
sqlinjectionsqli
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship

This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist

 
by n|u - The Open Security Community
securityinformation securitysecurity news
Challenges  Ideal RASP should have minimum performance impact.  Need to do adapt more secure techniques in combination with RASP.  Minimal configuration and Easy Deployment.  Implementing Preventing measures to avoid session Hijacking, Credentials etc.
Thank You

More Related Content

What's hot

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
ashish20012
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
Valency Networks
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
Sanad Bhowmik
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
SongchaiDuangpan
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
Mentorcs
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
vinayh.vaghamshi _
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
Noppadol Songsakaew
 
Sql injection
Sql injectionSql injection
Sql injection
Zidh
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
Rayudu Babu
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
Eguardian Global Services
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
Secure Code Warrior
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
Raghav Bisht
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
n|u - The Open Security Community
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
n|u - The Open Security Community
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
Ivan Novikov
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
Napendra Singh
 

What's hot (20)

Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injection
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
Xss attack
Xss attackXss attack
Xss attack
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
SQL injection prevention techniques
SQL injection prevention techniquesSQL injection prevention techniques
SQL injection prevention techniques
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Xss (cross site scripting)
Xss (cross site scripting)Xss (cross site scripting)
Xss (cross site scripting)
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attack
 
How to identify and prevent SQL injection
How to identify and prevent SQL injection How to identify and prevent SQL injection
How to identify and prevent SQL injection
 
Secure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injectionSecure Code Warrior - CRLF injection
Secure Code Warrior - CRLF injection
 
Local File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code ExecutionLocal File Inclusion to Remote Code Execution
Local File Inclusion to Remote Code Execution
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
SSRF workshop
SSRF workshop SSRF workshop
SSRF workshop
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 

Similar to Injection flaws

OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
Muhammad Shehata
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
Vaibhav Gupta
 
Application Attacks & Application Layer Attacks
Application Attacks & Application Layer AttacksApplication Attacks & Application Layer Attacks
Application Attacks & Application Layer Attacks
LearningwithRayYT
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
Rajakrishnan S, MCA,MBA,MA Phil,PMP,CSM,ISTQB-Test Mgr,ITIL
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
AlienVault
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
Marco Morana
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
Injection attacks
Injection attacksInjection attacks
Injection attacks
Adamu Muhammad
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
Abdul Wahid
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
drewz lin
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
Sampath Bhargav Pinnam
 
IRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability ScannerIRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability Scanner
IRJET Journal
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
SamsonMuoki
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
n|u - The Open Security Community
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
Alok Babu
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
AmardeepKumar621436
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
ankitmehta21
 

Similar to Injection flaws (20)

OWASP Top 10 Project
OWASP Top 10 ProjectOWASP Top 10 Project
OWASP Top 10 Project
 
Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007Application Security Vulnerabilities: OWASP Top 10 -2007
Application Security Vulnerabilities: OWASP Top 10 -2007
 
Application Attacks & Application Layer Attacks
Application Attacks & Application Layer AttacksApplication Attacks & Application Layer Attacks
Application Attacks & Application Layer Attacks
 
Introduction to security testing raj
Introduction to security testing rajIntroduction to security testing raj
Introduction to security testing raj
 
How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM How to Detect SQL Injections & XSS Attacks with AlienVault USM
How to Detect SQL Injections & XSS Attacks with AlienVault USM
 
OWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root CausesOWASP Top 10 And Insecure Software Root Causes
OWASP Top 10 And Insecure Software Root Causes
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
ASP.NET security vulnerabilities
ASP.NET security vulnerabilitiesASP.NET security vulnerabilities
ASP.NET security vulnerabilities
 
Injection attacks
Injection attacksInjection attacks
Injection attacks
 
Top web apps security vulnerabilities
Top web apps security vulnerabilitiesTop web apps security vulnerabilities
Top web apps security vulnerabilities
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017Owasp top 10 web application security risks 2017
Owasp top 10 web application security risks 2017
 
IRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability ScannerIRJET - Web Vulnerability Scanner
IRJET - Web Vulnerability Scanner
 
Owasp Top 10 2017
Owasp Top 10 2017Owasp Top 10 2017
Owasp Top 10 2017
 
Owasp Top 10-2013
Owasp Top 10-2013Owasp Top 10-2013
Owasp Top 10-2013
 
Web security 2010
Web security 2010Web security 2010
Web security 2010
 
Security Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptxSecurity Threats and Vulnerabilities-2.pptx
Security Threats and Vulnerabilities-2.pptx
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Software Security Testing
Software Security TestingSoftware Security Testing
Software Security Testing
 

Recently uploaded

Risks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce - investment.pdfRisks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce - investment.pdf
Home
 
Effective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedinEffective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedin
DivyaMehta193660
 
A study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD methodA study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD method
Dr. Afreen Nasir
 
Building Digital Products & Content Leadership
Building Digital Products & Content LeadershipBuilding Digital Products & Content Leadership
Building Digital Products & Content Leadership
Rajesh Math
 
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITYTEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
AaSs197122
 
Call India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.pptCall India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.ppt
Best International calling app on the market
 
At the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentationAt the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentation
Vanda Pokecz
 
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
ankitamarik05
 
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC WorkshopWorkshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
saastr
 
2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx
Dale Wells
 
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
NETWAYS
 
calcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptxcalcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptx
Skmch
 
Recruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitmentRecruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitment
Rashi427200
 
Pengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anakPengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anak
DeviDamayanti53
 
Biography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdfBiography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdf
AbdulSadickZutah
 
the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2
Rashi427200
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
NETWAYS
 
stackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jesterstackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jester
NETWAYS
 
Destyney Duhon personal brand exploration
Destyney Duhon personal brand explorationDestyney Duhon personal brand exploration
Destyney Duhon personal brand exploration
minxxmaree
 
HERO.pdf hero company working cap management project
HERO.pdf hero company working cap management projectHERO.pdf hero company working cap management project
HERO.pdf hero company working cap management project
SambalpurTokaSatyaji
 

Recently uploaded (20)

Risks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce - investment.pdfRisks & Business Risks Reduce - investment.pdf
Risks & Business Risks Reduce - investment.pdf
 
Effective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedinEffective-Recruitment-Strategies and leveraging linkedin
Effective-Recruitment-Strategies and leveraging linkedin
 
A study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD methodA study on drug utilization evaluation of bronchodilators using DDD method
A study on drug utilization evaluation of bronchodilators using DDD method
 
Building Digital Products & Content Leadership
Building Digital Products & Content LeadershipBuilding Digital Products & Content Leadership
Building Digital Products & Content Leadership
 
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITYTEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
TEST WORTHINESS: VALIDITY, RELIABILITY, PRACTICALITY
 
Call India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.pptCall India - AmanTel on the App Store.ppt
Call India - AmanTel on the App Store.ppt
 
At the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentationAt the intersection of SEO & Product - Vanda Pokecz presentation
At the intersection of SEO & Product - Vanda Pokecz presentation
 
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
Marketing Articles and ppt on how to do marketing ..Challenges faced during M...
 
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC WorkshopWorkshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
Workshop Wednesday with SaaStr CEO Jason Lemkin - VC Workshop
 
2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx2024-07-07 Transformed 06 (shared slides).pptx
2024-07-07 Transformed 06 (shared slides).pptx
 
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...
 
calcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptxcalcaneal fracture seminar by dr vishu.pptx
calcaneal fracture seminar by dr vishu.pptx
 
Recruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitmentRecruitment articles and posts- different & effective ways of recruitment
Recruitment articles and posts- different & effective ways of recruitment
 
Pengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anakPengukuran berat badan anak dan tinggi badan anak
Pengukuran berat badan anak dan tinggi badan anak
 
Biography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdfBiography of the late Mrs. Stella Atsupui Eddah.pdf
Biography of the late Mrs. Stella Atsupui Eddah.pdf
 
the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2the sparks foundation JOB READINESS- how to be job ready. task 2
the sparks foundation JOB READINESS- how to be job ready. task 2
 
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...
 
stackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jesterstackconf 2024 | On-Prem is the new Black by AJ Jester
stackconf 2024 | On-Prem is the new Black by AJ Jester
 
Destyney Duhon personal brand exploration
Destyney Duhon personal brand explorationDestyney Duhon personal brand exploration
Destyney Duhon personal brand exploration
 
HERO.pdf hero company working cap management project
HERO.pdf hero company working cap management projectHERO.pdf hero company working cap management project
HERO.pdf hero company working cap management project
 

Injection flaws

  • 2. What are Injection Flaws??  Injection flaws are a class of security vulnerability that allows a user to “break out” of the web application context.  Weakness in an application whereby foreign input subverts the otherwise legitimate use of a subsystem.  Injection flaws allow attackers to relay malicious code through an application to another system
  • 3. Is Your Web App Vulnerable to Injection?  User Supplied data is not validated , filtered or sanitized by Application.  Hostile data is supplied directly to dynamic queries or non parameterized calls for the interpreter without context-aware escaping.  Hostile data is used with ORM search parameters such that search evaluates out to include sensitive or all records.
  • 4. Different types of Injection flaws Different subsystems == Different flaws  SQL Injection  Command Injection  HTML Injection  LDAP Injection  XML Injection  IMAP/SMTP Injection
  • 5. SQL Injection: Database Query  Dynamic script to look into database  “Direct” access to database  Possible to issue CRUD statements and many more….
  • 6. SQL Injection : Query database
  • 7. Command Injection  Web application performs operating system tasks  Execute external programs/script  List files etc. ping –c <user_input> Protection using Command Execution API os.system(ping –c 127.0.0.1)
  • 8. HTML Injection  Possible to include HTML Tags like iframe , fake forms, XSS also possible….  Can be used in phishing attacks
  • 9. XML Injection  Web App talks to backend web services  Web app’s logic converts parameter’s to XML web services (as SOAP,…)
  • 11. LDAP Injection  Lightweight Directory Access protocol  It is used to access information directories like users, user information, software, computers.
  • 12. LDAP Injection  Insert Special characters like(*,|,&,…) leading to exposure of user’s confidential data
  • 13. IMAP/SMTP Injection  This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications.  We need to verify the capacity to inject arbitrary IMAP/SMTP commands into the mail servers, due to input data not being properly sanitized.
  • 14. State of Web framework Security  Anti CSRF tokens – can easily turned off/miss-configurations  Templates escapes user input – just HTML escape ->XSS  Uses ORM – SQLi still possible https://rails-sqli.org/  We need to use secure APIs or write secure code
  • 15. Can WAF solve the problem?  Web Application Firewalls are for Attack Detection and Prevention  Most of WAFs use blacklists. No vulnerability detection.
  • 16. Protect Exploitation : RASP Runtime Application Self Protection • Detect both Attacks and Vulnerability • No Hardware Requirements • Inject Security at Runtime • Applies defense inside the application • Zero code Modification and Easy Integration • No use of Blacklists
  • 17. RASP by API Instrumentation and Dynamic White-list  Monkey Patching  Lexical Analysis and Token Generation  Context Determination
  • 21. Challenges  Ideal RASP should have minimum performance impact.  Need to do adapt more secure techniques in combination with RASP.  Minimal configuration and Easy Deployment.  Implementing Preventing measures to avoid session Hijacking, Credentials etc.