SlideShare a Scribd company logo

Practical Web Attacks

Rastislav Turek
Rastislav Turek
Technology
1 of 12
Web application attacks – practical demonstration Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
Agenda Unvalidates Parameters  Access Control Flaws  Session Management Flaws  Cross Site Scripting (XSS)  Injection flaws  Improper Error Handling  AJAX Security           www.nethemba.com       
Unvalidated Parameters Exploit Hidden Fields  Exploit Unchecked Email  Bypass Client Side JavaScript Validation           www.nethemba.com       
Access Controls Flaws Bypass a Path Based Access Control Scheme  Bypass Business Layer Access Control  Bypass Data Layer Access Control           www.nethemba.com       
Session Management Flaws Spoof an Authentication Cookie  Hijack a Session           www.nethemba.com       
Cross Site Scripting (XSS) Stored XSS  Reflected XSS  Cross Site Request Forgery (CSRF)           www.nethemba.com       
Injection flaws Blind SQL injection  Numeric SQL injection  String SQL injection  XPATH injection           www.nethemba.com       
Improper Error Handling Fail Open Authentication Scheme           www.nethemba.com       
AJAX Security Client Side Filtering  Same Origin Policy (SOP) Protection  XML Injection  JSON Injection  Dangerous Use of Eval           www.nethemba.com       
Used tools WebGoat project   http://www.owasp.org/index.php/Category:OWASP_WebGoat_P WebScarab   http://www.owasp.org/index.php/Category:OWASP_WebScarab Tamperdata http://tamperdata.mozdev.org/  LiveHTTPHeaders http://livehttpheaders.mozdev.org/  Add N Edit Cookies   https://addons.mozilla.org/en­US/firefox/addon/573          www.nethemba.com       
References New Web Applications Attacks   http://www.nethemba.com/new_web_attacks­nethe LAMP and PHP security hardening (in Slovak   language)   http://www.nethemba.com/php­sec.pdf          www.nethemba.com       
Thank you for listening! Ing. Pavol Lupták, CISSP, CEH pavol.luptak@nethemba.com          www.nethemba.com       

Recommended

Presentación1
Presentación1Presentación1
Presentación1EvelinRomina
 
CODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLCODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLAngie Quesada Cascante
 
Tercera clase maestria 2.
Tercera clase maestria 2.Tercera clase maestria 2.
Tercera clase maestria 2.Jose Alfredo Alfredo Sanchez
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018 Laura Hartwig
 
Practica obrian espejo
Practica obrian espejoPractica obrian espejo
Practica obrian espejoObrian Espejo
 
Practica Edgar Ortiz
Practica Edgar OrtizPractica Edgar Ortiz
Practica Edgar OrtizUniversidad Técnica de Ambato
 
Codigo de slideshare de medios de alma
Codigo de slideshare de medios de almaCodigo de slideshare de medios de alma
Codigo de slideshare de medios de almaeilencitaloquita2
 

Recommended

Presentación1
Presentación1Presentación1
Presentación1EvelinRomina
 
CODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLCODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLAngie Quesada Cascante
 
Tercera clase maestria 2.
Tercera clase maestria 2.Tercera clase maestria 2.
Tercera clase maestria 2.Jose Alfredo Alfredo Sanchez
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018 Laura Hartwig
 
Practica obrian espejo
Practica obrian espejoPractica obrian espejo
Practica obrian espejoObrian Espejo
 
Practica Edgar Ortiz
Practica Edgar OrtizPractica Edgar Ortiz
Practica Edgar OrtizUniversidad Técnica de Ambato
 
Codigo de slideshare de medios de alma
Codigo de slideshare de medios de almaCodigo de slideshare de medios de alma
Codigo de slideshare de medios de almaeilencitaloquita2
 
Keyword swarm
Keyword swarmKeyword swarm
Keyword swarmGraeemej
 
Mi pasión
Mi pasiónMi pasión
Mi pasiónpilcoedwin
 
Mới
MớiMới
MớiDung Trương
 
Practica Tics
Practica TicsPractica Tics
Practica TicsUniversidad Tecnica de Ambato
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6arqsantibal
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acostaguest7eb22f
 
Jager
JagerJager
Jagerpaskar
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Kampus Menyan
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009Brian Lockrey
 
Amir Khan Returns
Amir Khan ReturnsAmir Khan Returns
Amir Khan ReturnsSharifuzzaman Pintu
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactionsmpderritut
 
тв код
тв кодтв код
тв кодilia
 
Div id
Div idDiv id
Div idMarta Rincon
 
Paky
PakyPaky
PakyCecilia Paye
 
Clase lunes
Clase lunesClase lunes
Clase lunesshirley364
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PPncalleja
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigosangie mesen
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8msz
 
Synopsi Barcamp
Synopsi BarcampSynopsi Barcamp
Synopsi BarcampRastislav Turek
 
Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty bankyRastislav Turek
 
Fraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsFraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsBond Beebe Accountants & Advisors
 
OWASP Testing Guide v3
OWASP Testing Guide v3OWASP Testing Guide v3
OWASP Testing Guide v3Rastislav Turek
 

More Related Content

What's hot

Keyword swarm
Keyword swarmKeyword swarm
Keyword swarmGraeemej
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6arqsantibal
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acostaguest7eb22f
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Kampus Menyan
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009Brian Lockrey
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactionsmpderritut
 
тв код
тв кодтв код
тв кодilia
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PPncalleja
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigosangie mesen
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8msz
 

What's hot (18)

Keyword swarm
Keyword swarmKeyword swarm
Keyword swarm
 
Mi pasión
Mi pasiónMi pasión
Mi pasión
 
Mới
MớiMới
Mới
 
Practica Tics
Practica TicsPractica Tics
Practica Tics
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acosta
 
Jager
JagerJager
Jager
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009
 
Amir Khan Returns
Amir Khan ReturnsAmir Khan Returns
Amir Khan Returns
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactions
 
тв код
тв кодтв код
тв код
 
Div id
Div idDiv id
Div id
 
Paky
PakyPaky
Paky
 
Clase lunes
Clase lunesClase lunes
Clase lunes
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PP
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigos
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8
 

Viewers also liked

Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty bankyRastislav Turek
 
Socialne siete: navod pre deti
Socialne siete: navod pre detiSocialne siete: navod pre deti
Socialne siete: navod pre detiRastislav Turek
 
Slovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruSlovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruRastislav Turek
 
Sociálne siete a bezpečnosť
Sociálne siete a bezpečnosťSociálne siete a bezpečnosť
Sociálne siete a bezpečnosťRastislav Turek
 
Cuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionCuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionverenicecastro
 
Inbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosInbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosRicardo Marsili
 

Viewers also liked (15)

Synopsi Barcamp
Synopsi BarcampSynopsi Barcamp
Synopsi Barcamp
 
Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty banky
 
Fraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsFraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-Profits
 
OWASP Testing Guide v3
OWASP Testing Guide v3OWASP Testing Guide v3
OWASP Testing Guide v3
 
Socialne siete: navod pre deti
Socialne siete: navod pre detiSocialne siete: navod pre deti
Socialne siete: navod pre deti
 
Slovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruSlovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoru
 
Sociálne siete a bezpečnosť
Sociálne siete a bezpečnosťSociálne siete a bezpečnosť
Sociálne siete a bezpečnosť
 
23 at iwdk
23 at iwdk23 at iwdk
23 at iwdk
 
FranzDennisCV
FranzDennisCVFranzDennisCV
FranzDennisCV
 
Technology milestone
Technology milestoneTechnology milestone
Technology milestone
 
Lymphoma
LymphomaLymphoma
Lymphoma
 
Kelsey Old Resume
Kelsey Old ResumeKelsey Old Resume
Kelsey Old Resume
 
Cuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionCuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacion
 
Storyboard
StoryboardStoryboard
Storyboard
 
Inbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosInbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos Práticos
 

Similar to Practical Web Attacks

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation RevisedOntico
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload PresentationOntico
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionseyelliando dias
 
High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)Stoyan Stefanov
 
Douglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash UpDouglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash Up360|Conferences
 
Implementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityImplementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityJISC.AM
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!Cláudio André
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008mvitor
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series Amazon Web Services Korea
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Matthew Baya
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)Jeremiah Grossman
 

Similar to Practical Web Attacks (20)

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation Revised
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload Presentation
 
Case Studies
Case StudiesCase Studies
Case Studies
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
Douglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash UpDouglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash Up
 
Implementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityImplementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff University
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Using Wordpress 2009 04 29
Using Wordpress 2009 04 29
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)
 

More from Rastislav Turek

Dodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciDodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciRastislav Turek
 
Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Rastislav Turek
 
Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Rastislav Turek
 
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skKritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skRastislav Turek
 
SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0Rastislav Turek
 
Rodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRastislav Turek
 
Vraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláVraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláRastislav Turek
 
Pravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímPravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímRastislav Turek
 
Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Rastislav Turek
 
Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Rastislav Turek
 

More from Rastislav Turek (12)

Dodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciDodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraci
 
Zmluva o spolupraci
Zmluva o spolupraciZmluva o spolupraci
Zmluva o spolupraci
 
Credit Card Frauds
Credit Card FraudsCredit Card Frauds
Credit Card Frauds
 
Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008
 
Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007
 
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skKritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
 
SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0
 
Rodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows Vista
 
Vraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláVraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidlá
 
Pravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímPravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosím
 
Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008
 
Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007
 

Recently uploaded

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Recently uploaded (20)

Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Practical Web Attacks

  • 1. Web application attacks – practical demonstration Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
  • 2. Agenda Unvalidates Parameters  Access Control Flaws  Session Management Flaws  Cross Site Scripting (XSS)  Injection flaws  Improper Error Handling  AJAX Security           www.nethemba.com       
  • 3. Unvalidated Parameters Exploit Hidden Fields  Exploit Unchecked Email  Bypass Client Side JavaScript Validation           www.nethemba.com       
  • 4. Access Controls Flaws Bypass a Path Based Access Control Scheme  Bypass Business Layer Access Control  Bypass Data Layer Access Control           www.nethemba.com       
  • 5. Session Management Flaws Spoof an Authentication Cookie  Hijack a Session           www.nethemba.com       
  • 6. Cross Site Scripting (XSS) Stored XSS  Reflected XSS  Cross Site Request Forgery (CSRF)           www.nethemba.com       
  • 7. Injection flaws Blind SQL injection  Numeric SQL injection  String SQL injection  XPATH injection           www.nethemba.com       
  • 8. Improper Error Handling Fail Open Authentication Scheme           www.nethemba.com       
  • 9. AJAX Security Client Side Filtering  Same Origin Policy (SOP) Protection  XML Injection  JSON Injection  Dangerous Use of Eval           www.nethemba.com       
  • 10. Used tools WebGoat project   http://www.owasp.org/index.php/Category:OWASP_WebGoat_P WebScarab   http://www.owasp.org/index.php/Category:OWASP_WebScarab Tamperdata http://tamperdata.mozdev.org/  LiveHTTPHeaders http://livehttpheaders.mozdev.org/  Add N Edit Cookies   https://addons.mozilla.org/en­US/firefox/addon/573          www.nethemba.com       
  • 11. References New Web Applications Attacks   http://www.nethemba.com/new_web_attacks­nethe LAMP and PHP security hardening (in Slovak   language)   http://www.nethemba.com/php­sec.pdf          www.nethemba.com       
  • 12. Thank you for listening! Ing. Pavol Lupták, CISSP, CEH pavol.luptak@nethemba.com          www.nethemba.com