 Web Application Security
 Vikas Thange
Topics

1   What is Web Security

2   Why Web Security?

3   Proxy Server – Paros Proxy

4   Web Vulnerability

5   Web Vulnerability Types

6   SQL Injection

7   Other Types
What is Web Security


 1   Web application security is a branch of information security that
     deals specifically with security of websites and web applications.




 2   At a high level, Web application security draws on the principles of
     application security but applies them specifically to Internet and
     Web systems.



 3    Typically web applications are developed using programming
      languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET,
      C#, VB.NET or Classic ASP.
Why Web Security


 1   We value our privacy



 2   We value our client’s important data



 3   We want to make everyone’s web presence safer and better



 4   We must remember, it’s the users who use the system



 5   Users can be good as well as bad
Proxy Server


 1   A proxy server is a server (a computer system or an application)
     that acts as an intermediary for requests from clients seeking
     resources from other servers.




 2   A client connects to the proxy server, requesting some service,
     such as a file, web page, or other resource, available from a
     different server.



 3    The proxy server evaluates the request according to its filtering
      rules. If the request is validated by the filter, the proxy provides the
      resource.
Use of Proxy Server

1     To apply access policy to network services or content, e.g. to block undesired sites.



2     To log / audit usage, i.e. to provide company employee Internet usage reporting.


3     To bypass security/ parental controls.


4     To scan transmitted content for malware before delivery.


5     To scan outbound content, e.g., for data leak protection.


6     To circumvent regional restrictions.
Paros Proxy Server Tool
Web Vulnerability

A vulnerability is a weakness which allows an attacker to reduce a
system's information assurance.

Weakness in custom Web application, architecture, design,
configuration, or code.
Web Vulnerability Types

1     SQL Injection



2     Code Injection


3     XSS or Cross Site Scripting


4     CSRF or Cross Site Request Forgery


5     To scan outbound content, e.g., for data leak protection.


6     Session Security


7     Input Validation
How Bad is it?




                 **Web Application Security Consortium (WASC)
                 http://www.webappsec.org/projects/statistics/
How Bad is it?
31,373 Sites Tested Summary

Threat Classification            No. of Vulns   Vuln. %   No. of Sites   % of Vuln. Sites
Brute Force                                66     0.04%             66              0.21%
Content Spoofing                          663     0.45%            218              0.69%
Cross Site Scripting                  100,059    67.59%         26,531             84.57%
Directory Indexing                        292     0.20%            168              0.54%
HTTP Response Splitting                 4,487     3.03%          3,062              9.76%
Information Leakage                    20,518    13.86%          4,924             15.70%
Insufficient Authentication                84     0.06%              1              0.00%
Insufficient Authorization                 23     0.02%              4              0.01%
Insufficient Session Expiration            46     0.03%              1              0.00%
OS Commanding                             143     0.10%             44              0.14%
Path Traversal                            426     0.29%            374              1.19%
Predictable Resource Location             651     0.44%            173              0.55%
SQL Injection                          19,607    13.25%          8,277             26.38%
SSI Injection                             950     0.64%            298              0.95%
XPath Injection                            14     0.01%              6              0.02%
Total                                 148,029   100.00%         44,147

**Web Application Security Consortium (WASC)
http://www.webappsec.org/projects/statistics/
SQL Injection
What is SQL Injection?

• It is a trick to inject an SQL query/command as input, possibly via web pages.

• Many web pages take parameters from the web user and make an SQL query to the database.

• Take for instance when a user logs in: the web page takes the user name and password and makes an SQL query to the database to check if the user has a valid name and password.

• With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
SQL Injection
What do you need?

• A little SQL and programming knowledge

• No tool required

• Any web browser

• SQL injection attack dictionary
SQL Injection
What you should look for?

• Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.

• Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag in the HTML code. You may find something like this in some HTML code:

      <FORM action=Search/search.asp method=post>
      <input type=hidden name=A value=C>
      </FORM>

  Everything between the <FORM> and </FORM> has potential parameters that might be useful (exploit wise).
SQL Injection
What if you can't find any page that takes input?

• You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:

      http://duck/index.asp?id=10
SQL Injection
How do you test if it is vulnerable?

• Start with a single quote trick. Input something like hi' or 1=1-- into login, or password, or even in the URL. Example:
  - Login: hi' or 1=1--
  - Pass: hi' or 1=1--
  - http://duck/index.asp?id=hi' or 1=1--

• If you must do this with a hidden field, just download the source HTML from the site, save it on your hard disk, and modify the URL and hidden field accordingly. Example:

      <FORM action=http://duck/Search/search.asp method=post>
      <input type=hidden name=A value="hi' or 1=1--">
      </FORM>

  If luck is on your side, you will get login without any login name or password.
SQL Injection
How do you test if it is vulnerable? (continued)

• Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL:

      http://duck/index.asp?category=food

• In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, the ASP page might contain the following code:

      ' classic ASP (VBScript): the query-string value is concatenated straight into the SQL text
      v_cat = request("category")
      sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
      set rs = conn.execute(sqlstr)
SQL Injection
But why ' or 1=1--?

• As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:

      SELECT * FROM product WHERE PCategory='food'

  The query should return a resultset containing one or more rows that match the WHERE condition, in this case 'food'.

• Now, assume that we change the URL into something like this:

      http://duck/index.asp?category=food' or 1=1--

  Now, our variable v_cat equals "food' or 1=1-- "; if we substitute this in the SQL query, we will have:

      SELECT * FROM product WHERE PCategory='food' or 1=1--'

  Because 1=1 is always true and -- turns the rest of the line (including the trailing quote) into a comment, the WHERE clause now matches every row in the table.

Eg. http://testasp.vulnweb.com/
    http://www.altoromutual.com
SQL Injection
How to avoid SQL Injection?

• Filter out characters like single quote, double quote, slash, backslash, semicolon, and extended characters like NULL, carriage return, new line, etc., in all strings from:
  - Input from users
  - Parameters from URL
  - Values from cookies

• For numeric values, convert to an integer before passing it into the SQL statement, or use ISNUMERIC to make sure it is an integer.
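A runnable version of the category example and of the advice above, added here and not part of the original deck: the slide's classic-ASP concatenation is ported to Python over an in-memory SQLite table (constructed sample rows; column names other than PCategory are assumptions), and beside it sits the fix. The fix goes beyond the slide's character filtering: the value is bound as a query parameter, and the numeric id is converted with int() first, as the slide advises.

```python
import sqlite3

# Constructed sample data: a tiny 'product' table like the one the slide's ASP page
# queries. Column names other than PCategory are assumptions made for this example.
SAMPLE_ROWS = [
    ("apple", "food"),
    ("bread", "food"),
    ("hammer", "tools"),
    ("router", "network"),
]


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, PCategory TEXT)"
    )
    conn.executemany("INSERT INTO product (name, PCategory) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, v_cat):
    """The slide's vulnerable pattern: the request value is spliced into the SQL text,
    exactly like  sqlstr = "... WHERE PCategory='" & v_cat & "'"  in the ASP page.
    Returns the product names the query yields."""
    sqlstr = "SELECT name FROM product WHERE PCategory='" + v_cat + "' ORDER BY id"
    return [row[0] for row in conn.execute(sqlstr)]


def query_param(conn, v_cat):
    """Hardened form: the value is bound as a parameter, so whatever it contains
    (quotes, 'or 1=1', comment markers) is compared as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT name FROM product WHERE PCategory=? ORDER BY id", (v_cat,)
    )
    return [row[0] for row in rows]


def product_by_id(conn, raw_id):
    """Numeric parameter handled as the slide advises: convert to an integer first.
    Anything that is not an integer is rejected before any SQL is built."""
    try:
        pid = int(raw_id)
    except ValueError:
        return None
    row = conn.execute("SELECT name FROM product WHERE id=?", (pid,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = build_db()
    payload = "food' or 1=1--"   # the slide's category payload
    print("concat, food        :", query_concat(conn, "food"))
    print("concat, payload     :", query_concat(conn, payload))  # every row comes back
    print("param,  payload     :", query_param(conn, payload))   # no such category: []
    print("id=3                :", product_by_id(conn, "3"))
    print("id=hi' or 1=1--     :", product_by_id(conn, "hi' or 1=1--"))
```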
SQL Injection
Where can I get more info?

• http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
• http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
• http://www.owasp.org/asac/input_validation/sql.shtml
• http://www.sensepost.com/misc/SQLinsertion.htm
• http://www.digitaloffense.net/wargames01/IOWargames.ppt
• http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
• http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
Code Injection

• Code Injection is the general name for many types of attacks which depend on inserting code that is then interpreted by the application.

• Such an attack may be performed by adding strings of characters into a cookie or into argument values in the URI.

• This attack makes use of a lack of accurate input/output data validation, for example of:
  1. the class of allowed characters (standard regular expression classes or custom)
  2. the data format
  3. the amount of expected data
  4. for numerical input, its value range
Code Injection

When a programmer uses the eval() function and operates on data inside it, and that data may be altered by the attacker, then it is only one step away from Code Injection.
The example below shows how the eval() function is used:

      $myvar = "varname";
      $x = $_GET['arg'];        // taken straight from the query string, unvalidated
      eval("$myvar = $x;");     // and evaluated as PHP code

The code above, which smells like a rose, may be used to perform a Code Injection attack.
Example: passing in the URI /index.php?arg=1; phpinfo()
While exploiting bugs like these, the attacker doesn't have to limit himself only to a Code Injection attack. The attacker may attempt to use a Command Injection technique, for example:

      /index.php?arg=1; system('dir')
Cross Site Scripting Flaw (XSS)

• Cross site scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites.

• Cross site scripting flaws are the most prevalent flaw in web applications today.

• Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

• To avoid XSS attacks we recommend validating input against a rigorous positive specification of what is expected.
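The positive (allow-list) validation that both the Code Injection slides and the XSS slide call for, as an added example that is not part of the original deck: the four checks follow the Code Injection list (character class, format, amount of data, numeric range); the parameter names, patterns and limits in SPEC are assumptions for this example, and the html.escape step on output goes beyond the slides' input-validation advice.

```python
import html
import re

# Positive specification for each request parameter the application accepts.
# Names, patterns and limits are assumptions chosen for this example. A parameter
# not listed here is rejected outright rather than passed through.
SPEC = {
    "arg":      {"pattern": r"[0-9]+",           "max_len": 6, "min": 0, "max": 100000},
    "category": {"pattern": r"[A-Za-z]+",        "max_len": 32},
    "comment":  {"pattern": r"[A-Za-z0-9 .,!?]*", "max_len": 200},
}


def validate(name, value):
    """Return (ok, reason). A value passes only if it matches its whole positive spec."""
    spec = SPEC.get(name)
    if spec is None:
        return False, "unknown parameter"
    # 1 + 2: allowed character class and data format, matched against the full value
    if not re.fullmatch(spec["pattern"], value):
        return False, "bad characters or format"
    # 3: amount of expected data
    if len(value) > spec["max_len"]:
        return False, "too long"
    # 4: for numeric input, its value range (int() is safe here: digits only passed above)
    if "min" in spec:
        number = int(value)
        if not spec["min"] <= number <= spec["max"]:
            return False, "out of range"
    return True, "ok"


def check_request(params):
    """Validate every parameter of a request dict; return the names that failed."""
    return [name for name, value in params.items() if not validate(name, value)[0]]


def render_comment(text):
    """Output side (beyond the slides): text placed into HTML is escaped, so any
    <script> it carries is displayed as text instead of run by the browser."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # The slides' own injection inputs, each rejected by the positive spec:
    for name, value in [("arg", "1; phpinfo()"), ("arg", "1; system('dir')"),
                        ("category", "food' or 1=1--"), ("arg", "1")]:
        print(repr(value), "->", validate(name, value))
    print(check_request({"arg": "1", "category": "food' or 1=1--"}))
    print(render_comment("<script>alert(1)</script>"))
```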
Client Server Architecture
(diagram slide)

Cross Site Scripting Flaw (XSS)
(diagram slide: session id, cookies)

Session Hijacking

Más contenido relacionado

La actualidad más candente

PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014
Haitham Raik
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
Dmitry Evteev
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
Haitham Raik
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
Imaginea
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
bhumika2108
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
baoyin
 

La actualidad más candente (20)

PCI security requirements secure coding and code review 2014
PCI security requirements   secure coding and code review 2014PCI security requirements   secure coding and code review 2014
PCI security requirements secure coding and code review 2014
 
Axoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing ServicesAxoss Web Application Penetration Testing Services
Axoss Web Application Penetration Testing Services
 
Methods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall EngMethods to Bypass a Web Application Firewall Eng
Methods to Bypass a Web Application Firewall Eng
 
Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017Beyond OWASP Top 10 - Hack In Paris 2017
Beyond OWASP Top 10 - Hack In Paris 2017
 
t r
t rt r
t r
 
Web Application Firewalls Detection, Bypassing And Exploitation
Web Application Firewalls  Detection, Bypassing And ExploitationWeb Application Firewalls  Detection, Bypassing And Exploitation
Web Application Firewalls Detection, Bypassing And Exploitation
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Phpnw security-20111009
Phpnw security-20111009Phpnw security-20111009
Phpnw security-20111009
 
Web application penetration testing
Web application penetration testingWeb application penetration testing
Web application penetration testing
 
Android pentesting the hackers-meetup
Android pentesting the hackers-meetupAndroid pentesting the hackers-meetup
Android pentesting the hackers-meetup
 
AuthN & AuthZ testing: it’s not only about the login form
AuthN & AuthZ testing:  it’s not only about the login formAuthN & AuthZ testing:  it’s not only about the login form
AuthN & AuthZ testing: it’s not only about the login form
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan GandhiReliable and fast security audits - The modern and offensive way-Mohan Gandhi
Reliable and fast security audits - The modern and offensive way-Mohan Gandhi
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
 
香港六合彩
香港六合彩香港六合彩
香港六合彩
 
Module 14 (sql injection)
Module 14 (sql injection)Module 14 (sql injection)
Module 14 (sql injection)
 

Similar a Web application security

Sql injection whitepaper
Sql injection whitepaperSql injection whitepaper
Sql injection whitepaper
Manish Godawat
 

Similar a Web application security (20)

Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010Injecting simplicity not SQL BSides Las Vegas 2010
Injecting simplicity not SQL BSides Las Vegas 2010
 
Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010Injecting simplicity not SQL RSA Europe 2010
Injecting simplicity not SQL RSA Europe 2010
 
SecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know itSecurityBSides London - Agnitio: it's static analysis but not as we know it
SecurityBSides London - Agnitio: it's static analysis but not as we know it
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)Infosec girls training-hackcummins-college-jan-2020(v0.1)
Infosec girls training-hackcummins-college-jan-2020(v0.1)
 
Sql injection whitepaper
Sql injection whitepaperSql injection whitepaper
Sql injection whitepaper
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Web hackingtools cf-summit2014
Web hackingtools cf-summit2014Web hackingtools cf-summit2014
Web hackingtools cf-summit2014
 
SQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop ItSQL Injection: How It Works, How to Stop It
SQL Injection: How It Works, How to Stop It
 
OWASPTop 10
OWASPTop 10OWASPTop 10
OWASPTop 10
 
csf_ppt.pptx
csf_ppt.pptxcsf_ppt.pptx
csf_ppt.pptx
 
Secure SDLC for Software
Secure SDLC for Software Secure SDLC for Software
Secure SDLC for Software
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
seminar report on Sql injection
seminar report on Sql injectionseminar report on Sql injection
seminar report on Sql injection
 
Making Web Development "Secure By Default"
Making Web Development "Secure By Default" Making Web Development "Secure By Default"
Making Web Development "Secure By Default"
 
Secure software development presentation
Secure software development presentationSecure software development presentation
Secure software development presentation
 
Make your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More SafeMake your Azure PaaS Deployment More Safe
Make your Azure PaaS Deployment More Safe
 
SQL injection
SQL injectionSQL injection
SQL injection
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 
Web hackingtools 2015
Web hackingtools 2015Web hackingtools 2015
Web hackingtools 2015
 

Último

Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
lizamodels9
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
amitlee9823
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
daisycvs
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
amitlee9823
 
Insurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usageInsurers' journeys to build a mastery in the IoT usage
Insurers' journeys to build a mastery in the IoT usage
Matteo Carbone
 
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service BangaloreCall Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
Call Girls Hebbal Just Call 👗 7737669865 👗 Top Class Call Girl Service Bangalore
amitlee9823
 
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Chandigarh Escorts Service 📞8868886958📞 Just📲 Call Nihal Chandigarh Call Girl...
Sheetaleventcompany
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
lizamodels9
 

Último (20)

Monthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptxMonthly Social Media Update April 2024 pptx.pptx
Monthly Social Media Update April 2024 pptx.pptx
 
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
Russian Call Girls In Gurgaon ❤️8448577510 ⊹Best Escorts Service In 24/7 Delh...
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
Call Girls Kengeri Satellite Town Just Call 👗 7737669865 👗 Top Class Call Gir...
 
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service AvailableCall Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
Call Girls Pune Just Call 9907093804 Top Class Call Girl Service Available
 
Value Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and painsValue Proposition canvas- Customer needs and pains
Value Proposition canvas- Customer needs and pains
 
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
Enhancing and Restoring Safety & Quality Cultures - Dave Litwiller - May 2024...
 
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
Quick Doctor In Kuwait +2773`7758`557 Kuwait Doha Qatar Dubai Abu Dhabi Sharj...
 
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
Call Girls Jp Nagar Just Call 👗 7737669865 👗 Top Class Call Girl Service Bang...
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 

Web application security

  • 1. Web Application Security, Vikas Thange
  • 2. Topics 1 What is Web Security 2 Why Web Security? 3 Proxy Server – Paros Proxy 4 Web Vulnerability 5 Web Vulnerability Types 6 SQL Injection 7 Other Types
  • 3. What is Web Security 1 Web application security is a branch of information security that deals specifically with security of websites and web applications. 2 At a high level, Web application security draws on the principles of application security but applies them specifically to Internet and Web systems. 3 Typically web applications are developed using programming languages such as PHP, Java EE, Java, Python, Ruby, ASP.NET, C#, VB.NET or Classic ASP.
  • 4. Why Web Security 1 We value our privacy 2 We value our client's important data 3 We want to make everyone's web presence safer and better 4 We must remember, it's the users who use the system 5 Users can be good as well as bad
  • 5. Proxy Server 1 A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. 2 A client connects to the proxy server, requesting some service, such as a file, web page, or other resource, available from a different server. 3 The proxy server evaluates the request according to its filtering rules. If the request is validated by the filter, the proxy provides the resource.
  • 6. Use of Proxy Server 1 To apply access policy to network services or content, e.g. to block undesired sites. 2 To log / audit usage, i.e. to provide company employee Internet usage reporting. 3 To bypass security/ parental controls. 4 To scan transmitted content for malware before delivery. 5 To scan outbound content, e.g., for data leak protection. 6 To circumvent regional restrictions.
  • 8. Web Vulnerability A vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Weakness in custom Web Application, architecture, design, configuration, or code.
  • 9. Web Vulnerability Types 1 SQL Injection 2 Code Injection 3 XSS or Cross Site Scripting 4 CSRF or Cross Site Request Forgery 5 To scan outbound content, e.g., for data leak protection. 6 Session Security 7 Input Validation
  • 10. How Bad is it? **Web Application Security Consortium (WASC) http://www.webappsec.org/projects/statistics/
  • 11. How Bad is it? **Web Application Security Consortium (WASC) http://www.webappsec.org/projects/statistics/
  • 12. How Bad is it? 31,373 Sites Tested – Summary
      Threat Classification            No. of Vulns   Vuln. %   No. of Sites   % of Vuln. Sites
      Brute Force                                66     0.04%             66            0.21%
      Content Spoofing                          663     0.45%            218            0.69%
      Cross Site Scripting                  100,059    67.59%         26,531           84.57%
      Directory Indexing                        292     0.20%            168            0.54%
      HTTP Response Splitting                 4,487     3.03%          3,062            9.76%
      Information Leakage                    20,518    13.86%          4,924           15.70%
      Insufficient Authentication                84     0.06%              1            0.00%
      Insufficient Authorization                 23     0.02%              4            0.01%
      Insufficient Session Expiration            46     0.03%              1            0.00%
      OS Commanding                             143     0.10%             44            0.14%
      Path Traversal                            426     0.29%            374            1.19%
      Predictable Resource Location             651     0.44%            173            0.55%
      SQL Injection                          19,607    13.25%          8,277           26.38%
      SSI Injection                             950     0.64%            298            0.95%
      XPath Injection                            14     0.01%              6            0.02%
      Total                                 148,029   100.00%         44,147
      **Web Application Security Consortium (WASC) http://www.webappsec.org/projects/statistics/
  • 13. SQL Injection – What is SQL Injection?
    • It is a trick to inject a SQL query/command as an input, possibly via web pages.
    • Many web pages take parameters from the web user, and make a SQL query to the database.
    • Take for instance when a user logs in: the web page takes the user name and password and makes a SQL query to the database to check if the user has a valid name and password.
    • With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
  • 14. SQL Injection – What do you need?
    • Little SQL and programming knowledge
    • No tool required
    • Any web browser
    • SQL injection attack dictionary
  • 15. SQL Injection – What you should look for?
    • Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.
    • Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for the "FORM" tag in the HTML code. You may find something like this in some HTML codes:
      <FORM action=Search/search.asp method=post> <input type=hidden name=A value=C> </FORM>
      Everything between the <FORM> and </FORM> has potential parameters that might be useful (exploit wise).
  • 16. SQL Injection – What if you can't find any page that takes input?
    • You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like: http://duck/index.asp?id=10
  • 17. SQL Injection – How do you test if it is vulnerable?
    • Start with a single quote trick. Input something like: hi' or 1=1-- into login, or password, or even in the URL. Example:
      - Login: hi' or 1=1--
      - Pass: hi' or 1=1--
      - http://duck/index.asp?id=hi' or 1=1--
    • If you must do this with a hidden field, just download the source HTML from the site, save it on your hard disk, modify the URL and hidden field accordingly. Example:
      <FORM action=http://duck/Search/search.asp method=post> <input type=hidden name=A value="hi' or 1=1--"> </FORM>
      If luck is on your side, you will get login without any login name or password.
  • 18. SQL Injection – How do you test if it is vulnerable? (continued)
    • Other than bypassing login, it is also possible to view extra information that is not normally available. Take an ASP page that will link you to another page with the following URL: http://duck/index.asp?category=food
    • In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, an ASP page might contain the following code:
      v_cat = request("category")
      sqlstr="SELECT * FROM product WHERE PCategory='" & v_cat & "'"
      set rs=conn.execute(sqlstr)
  • 19. SQL Injection – But why ' or 1=1--?
    • As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become: SELECT * FROM product WHERE PCategory='food'
      The query should return a resultset containing one or more rows that match the WHERE condition, in this case, 'food'.
    • Now, assume that we change the URL into something like this: http://duck/index.asp?category=food' or 1=1--
      Now, our variable v_cat equals "food' or 1=1-- "; if we substitute this in the SQL query, we will have: SELECT * FROM product WHERE PCategory='food' or 1=1--'
    • E.g. http://testasp.vulnweb.com/ , http://www.altoromutual.com
  • 20. SQL Injection – How to avoid SQL Injection?
    • Filter out characters like single quote, double quote, slash, back slash, semi colon, and extended characters like NULL, carriage return, new line, etc, in all strings from:
      - Input from users
      - Parameters from URL
      - Values from cookie
    • For numeric values, convert to an integer before passing into the SQL statement, or use ISNUMERIC to make sure it is an integer.
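The concatenated query from slide 18, the `' or 1=1--` effect from slide 19, and the two defences from slide 20 side by side, as an added example that is not part of the original deck. It is written in Python against an in-memory SQLite table (a constructed `product` table with the slide's `PCategory` column) rather than the slide's Classic ASP. The parameterised query is a swap-in for the character filtering the slide recommends: the driver sends the value as data, so no character list needs to be maintained; the integer coercion is the slide's own numeric rule.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data mirroring the slide's product table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, PCategory TEXT)"
    )
    conn.executemany(
        "INSERT INTO product (name, PCategory) VALUES (?, ?)",
        [("apple", "food"), ("bread", "food"), ("hammer", "tools"), ("drill", "tools")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, v_cat: str) -> list:
    """Slide 18's pattern: the request parameter is glued into the SQL text,
    so a value such as  food' or 1=1--  rewrites the WHERE clause."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def safe_lookup(conn: sqlite3.Connection, v_cat: str) -> list:
    """Parameterised query: v_cat travels as a bound value, never as SQL,
    so quotes and comment markers inside it have no syntactic meaning."""
    return conn.execute(
        "SELECT * FROM product WHERE PCategory=?", (v_cat,)
    ).fetchall()


def safe_lookup_by_id(conn: sqlite3.Connection, raw_id: str) -> list:
    """Slide 20's numeric rule: coerce to int before the value goes near the
    statement; anything that is not an integer is rejected outright."""
    try:
        pid = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute("SELECT * FROM product WHERE id=?", (pid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "food' or 1=1--"
    print("concatenated:", len(vulnerable_lookup(db, payload)), "rows")
    print("parameterised:", len(safe_lookup(db, payload)), "rows")
    print("numeric id '1 or 1=1':", safe_lookup_by_id(db, "1 or 1=1"))
```

Run it and the concatenated path returns every row in the table for the slide's payload, while the parameterised path returns none, because it looks for a category literally named `food' or 1=1--`.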
  • 21. SQL Injection – Where can I get more info?
    • http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=6
    • http://www.blackhat.com/presentations/win-usa-01/Litchfield/BHWin01Litchfield.doc
    • http://www.owasp.org/asac/input_validation/sql.shtml
    • http://www.sensepost.com/misc/SQLinsertion.htm
    • http://www.digitaloffense.net/wargames01/IOWargames.ppt
    • http://www.wiretrip.net/rfp/p/doc.asp?id=60&iface=6
    • http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf
  • 22. Code Injection • Code Injection is the general name for a lot of types of attacks which depend on inserting code, which is interpreted by the application. • Such an attack may be performed by adding strings of characters into a cookie or argument values in the URI. • This attack makes use of lack of accurate input/output data validation, for example: 1. class of allowed characters (standard regular expressions classes or custom) 2. data format 3. amount of expected data 4. for numerical input, its values
  • 23. Code Injection When a programmer uses the eval() function and operates on the data inside it, and these data may be altered by the attacker, then it's only one step away from Code Injection. The example below shows how to use the eval() function: $myvar = "varname"; $x = $_GET['arg']; eval("$myvar = $x;"); The code above, which smells like a rose, may be used to perform a Code Injection attack. Example: passing in the URI /index.php?arg=1; phpinfo() While exploiting bugs like these, the attacker doesn't have to limit himself only to a Code Injection attack. The attacker may attempt to use a Command Injection technique, for example: /index.php?arg=1; system('dir')
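The eval() pattern above, reproduced and then fixed, as an added Python example (not the slide's PHP, and not code from the original deck). `exec` on a string built from the request parameter is the same flaw as the slide's `eval("$myvar = $x;")`; the hardened handler parses the parameter with `ast.literal_eval`, which accepts only literal values (numbers, strings, lists, and so on) and never executes anything. The payload used is a constructed, harmless one that merely sets an extra variable, which is enough to show that appended statements run.

```python
import ast


def vulnerable_assign(arg: str) -> dict:
    """Mirror of the slide's eval pattern: the attacker-controlled parameter
    is spliced into source text and executed. Returns the resulting scope so
    the effect of an injected statement is visible."""
    scope: dict = {}
    exec("varname = " + arg, {}, scope)  # arg comes straight from the request
    return scope


def safe_assign(arg: str) -> dict:
    """Hardened form: interpret the parameter as data, not code.
    ast.literal_eval only evaluates literal syntax, so '1; x = True',
    function calls, and attribute access are all rejected."""
    try:
        value = ast.literal_eval(arg)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError):
        raise ValueError("arg is not a literal value") from None
    return {"varname": value}


if __name__ == "__main__":
    injected = "1; injected = True"  # constructed, benign demonstration input
    print("exec  :", vulnerable_assign(injected))   # two variables were set
    try:
        safe_assign(injected)
    except ValueError as exc:
        print("safe  :", exc)                       # rejected before execution
```

In a real handler the rejection would become an HTTP 400; the point is that the safe version has no code path in which the parameter is ever executed.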
  • 24. Cross Site Scripting Flaw (XSS) • Cross site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites • Cross site scripting flaws are the most prevalent flaw in web applications today • Cross site scripting attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. • To avoid XSS attacks we recommend validating input against a rigorous positive specification of what is expected
  • 26. Cross Site Scripting Flaw (XSS) Session id, cookies.
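The two XSS defences the deck points at, output encoding (slide 24) and protecting the session id and cookies (slide 26), as an added Python example that is not part of the original deck. The payload is the deck's own demo string, `<SCRIPT>alert(document.cookie);</SCRIPT>`, embedded here as a constructed input; `html.escape` is the standard-library encoder, and the cookie attribute names (`HttpOnly`, `Secure`, `SameSite`) are the real Set-Cookie attributes. The `sessionid` cookie name and `render_*` function names are this example's own.

```python
import html

# Constructed input of the kind used in the deck's notes for the XSS demo.
XSS_PAYLOAD = "<SCRIPT>alert(document.cookie);</SCRIPT>"


def render_unsafe(comment: str) -> str:
    """Reflects user input straight into the page: the script tag survives
    and the browser will execute it with the page's origin."""
    return "<p>" + comment + "</p>"


def render_safe(comment: str) -> str:
    """Encodes <, >, &, ' and " so the browser renders the text instead of
    parsing it as markup. This is the output-side counterpart of the
    positive input validation slide 24 recommends."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def contains_script_tag(fragment: str) -> bool:
    """Crude marker check, used only to compare the two renderers."""
    return "<script" in fragment.lower()


def session_cookie_header(token: str) -> str:
    """Set-Cookie line for the session id.  HttpOnly keeps the value out of
    document.cookie (so the deck's alert(document.cookie) shows nothing),
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sends.
    The token is restricted to alphanumerics so it cannot carry CR/LF and
    split the header."""
    if not token.isalnum():
        raise ValueError("session token must be alphanumeric")
    return f"Set-Cookie: sessionid={token}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print("unsafe:", render_unsafe(XSS_PAYLOAD))
    print("safe  :", render_safe(XSS_PAYLOAD))
    print(session_cookie_header("constructedtoken123"))
```

Encoding at the point of output is what makes the first defence robust: it does not depend on guessing every string an attacker might submit, only on knowing which context (here an HTML text node) the value is being written into.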

Editor's notes

  1. <SCRIPT>alert(document.cookie);</SCRIPT> Window.open('http://google.com');