HACKViDHi - 2013 - All rights reserved
Top Web Security Threats
what’s at risk!
HACKViDHi
Request a free trial scan of your website @ http://hackvidhi.com
Mail the presenter @ archana.Katiyar@hackvidhi.com
Course in Web Programming Basics and Ethical Hacking
Web Security Assurance
Connect us at:
What will we be covering here?
• Top 5 Web Security Threats
• Injection flaws
• Improper session management
• Cross site scripting
• Insecure Direct Object References
• Cross site request forgery
• About HACKViDHi
Top 5 Web Security Threats
• Injection flaws
• Improper session management
• Cross site scripting
• Insecure Direct Object References
• Cross site request forgery
1st: Injection Flaws
Introduction
• Injection can target many kinds of interpreter:
• SQL
• LDAP
• XML
• OS command
• XPath, etc.
• Injection flaws occur when unsanitized user data is used to build a query or command that is then interpreted and executed by an interpreter.
• It is one of the easiest threats to exploit: the attacker simply sends crafted text that abuses the syntax of the targeted interpreter.
1st: Injection Flaws
What’s at risk for the website owner!
• An injection attack can cause data to be modified or deleted.
• An injection attack can be used to steal the admin’s password and gain complete access to the website.
• It can lead to website defacement, reduced credibility among customers, etc.
• In the worst case, this attack can lead to complete website takeover!
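The SQL case of the flaw described on the two slides above, as an added example that is not part of the original deck: a login lookup built by string concatenation next to the parameterised form, run against a constructed in-memory SQLite table. The user names, passwords and the "admin' --" probe are all constructed sample values.

```python
import sqlite3

# Constructed sample data standing in for the site's user table.
# (Real systems store password hashes, not plaintext; kept simple for the demo.)
SEED_USERS = [
    (1, "admin", "correct horse battery staple"),
    (2, "alice", "alice-pass"),
]


def make_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SEED_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Builds the statement by string concatenation, so characters in the
    user's text (quotes, comment markers) become SQL syntax."""
    sql = (
        "SELECT id FROM users WHERE name = '" + name
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterised statement: the SQL text is fixed and the driver sends the
    values separately, so user input is always data, never syntax."""
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


def demo():
    """Runs a crafted user name (closes the string literal, then comments out
    the password check) through both lookups, next to a normal login."""
    conn = make_db()
    crafted = "admin' --"
    return {
        "crafted_vulnerable": login_vulnerable(conn, crafted, "anything"),  # 1
        "crafted_safe": login_safe(conn, crafted, "anything"),              # None
        "normal_safe": login_safe(conn, "alice", "alice-pass"),             # 2
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated version logs the caller in as admin without the password; the parameterised version treats the same text as a literal user name that matches nothing.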
2nd: Improper Session Management
Introduction
• Most web resources are exposed only to authenticated users, and that authentication is carried by session management.
• Different modules are normally written by different developers, and each may handle sessions differently, resulting in flaws in the login/logout areas.
• The increasing use of AJAX also makes this harder, as developers tend to forget session management in functions that are called ONLY via AJAX.
2nd: Improper Session Management
What’s at risk for the website owner!
• The attacker can hijack a user’s account and then perform all the legitimate actions that the genuine user can.
• If the attacker gains access to a high-privilege account, he can perform severe actions.
• It can lead to stolen customer data, reduced credibility of the website, etc.
• This attack can have a huge business impact!
3rd: Cross Site Scripting (XSS)
Introduction
• This is the most prevalent web application security flaw.
• The attacker exploits the JavaScript interpreter in the browser.
• XSS flaws occur when an application includes user-supplied data in a page without properly validating that content.
• Detecting an XSS flaw is very easy.
3rd: Cross Site Scripting (XSS)
What’s at risk for the website owner!
• Its impact is not very severe, but still enough to affect the business.
• The attacker can hijack users’ sessions.
• Website defacement.
• Redirecting users to another website (read: a competitor’s website).
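The XSS slides above describe user-supplied data landing in a page unencoded and note that the flaw is easy to detect. As an added example that is not part of the original deck, here is a constructed page fragment rendered with and without HTML encoding, plus the simple check a tester would apply: count the start tags the browser's parser would see and compare against a render with an empty value. The template, the "Welcome back" page and the probe string are all constructed.

```python
import html
from html.parser import HTMLParser

# Constructed page fragment: the user's display name lands in two HTML
# contexts, a quoted attribute and element text.
PAGE_TEMPLATE = '<p>Welcome back, <span class="user" title="{name}">{name}</span>!</p>'


def render_unsafe(name):
    """Inserts the raw string: any markup in it is parsed as part of the page."""
    return PAGE_TEMPLATE.format(name=name)


def render_safe(name):
    """HTML-encodes the value for both contexts (quote=True also encodes " and ',
    which is what stops the attribute from being closed early). Other contexts,
    such as JavaScript or URLs, need their own encoders."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


class TagCounter(HTMLParser):
    """Collects start tags as the browser's parser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(markup):
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injects_markup(render, probe):
    """Reflected-XSS check for a renderer: if the rendered page has more start
    tags with the probe than with an empty value, the probe was interpreted as
    markup rather than text."""
    return len(start_tags(render(probe))) > len(start_tags(render("")))


# Constructed harmless probe: closes the attribute and adds an element.
PROBE = '"><b>injected</b>'

if __name__ == "__main__":
    print("unsafe renderer injectable:", injects_markup(render_unsafe, PROBE))
    print("safe renderer injectable:  ", injects_markup(render_safe, PROBE))
```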
4th: Insecure Direct Object References
Introduction
• This is a category of improper session management.
• Suppose I am a user of a website and my user id is 10. On accessing my details, the page shows the URL http://www.hackvidhi.com/userId=10. Now I enter http://www.hackvidhi.com/userId=11 and I can see the details of the user with id 11!
• This means authorized users are allowed to view data which they are not supposed to see.
4th: Insecure Direct Object References
What’s at risk for the website owner!
• Confidential data exposure.
• Unauthorized data modification.
• Website credibility will be reduced, causing huge business impact.
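The userId=10 / userId=11 case from the IDOR slides and the "forgotten session check on AJAX-only functions" point from the session management slides share one fix: every handler, page or AJAX, goes through the same session check, and the record returned is chosen by the session identity rather than by the id in the URL. The following is an added example that is not part of the original deck; the session store, user table, route names and request shape are all constructed stand-ins.

```python
# Constructed sample state standing in for the session store and user table.
SESSIONS = {"tok-alice": 10, "tok-bob": 11}   # session cookie value -> user id
USERS = {
    10: {"id": 10, "name": "Alice", "email": "alice@example.com"},
    11: {"id": 11, "name": "Bob", "email": "bob@example.com"},
}
ADMIN_IDS = set()                              # ids allowed to view any record


def current_user(request):
    """Resolve the session cookie to a user id; None if absent or unknown."""
    token = request.get("cookies", {}).get("session")
    return SESSIONS.get(token)


def user_details_vulnerable(request):
    """Mirrors the slide: /userId=N returns whatever id the client asks for.
    Written as an AJAX-only helper, it neither checks the session nor whether
    the record belongs to the caller."""
    uid = int(request["params"]["userId"])
    record = USERS.get(uid)
    return (200, record) if record else (404, None)


def login_required(handler):
    """Wraps every handler, page or AJAX, so the session check lives in one
    place and cannot be forgotten in an AJAX-only function."""
    def wrapped(request):
        viewer = current_user(request)
        if viewer is None:
            return (401, None)
        return handler(request, viewer)
    return wrapped


@login_required
def user_details_fixed(request, viewer):
    """Authorise against the session identity, not the id in the URL."""
    try:
        uid = int(request["params"]["userId"])
    except (KeyError, ValueError):
        return (400, None)
    if uid != viewer and viewer not in ADMIN_IDS:
        return (403, None)                     # authenticated, but not the owner
    record = USERS.get(uid)
    return (200, record) if record else (404, None)


# Both the page route and the AJAX route go through the same protected handler.
ROUTES = {"/user": user_details_fixed, "/ajax/user": user_details_fixed}


def handle(request):
    handler = ROUTES.get(request["path"])
    return handler(request) if handler else (404, None)


def make_request(path, user_id, session_token=None):
    """Build a constructed request; the cookie is what the browser would attach."""
    cookies = {"session": session_token} if session_token else {}
    return {"path": path, "params": {"userId": str(user_id)}, "cookies": cookies}


if __name__ == "__main__":
    print("vulnerable, Alice asks for 11:", user_details_vulnerable(make_request("/ajax/user", 11, "tok-alice")))
    print("fixed, Alice asks for 11:     ", handle(make_request("/ajax/user", 11, "tok-alice")))
```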
5th: Cross Site Request Forgery (CSRF)
Introduction
• CSRF tricks the victim into opening a malicious page containing a request to the affected website. When the user opens the malicious page, that request is submitted. If the user is authenticated, the attack succeeds.
• Since browsers send credentials like session cookies automatically, attackers can create malicious web pages which generate forged requests that are indistinguishable from legitimate ones.
• Detection of CSRF flaws is fairly easy via penetration testing.
5th: Cross Site Request Forgery (CSRF)
What’s at risk for the website owner!
• Attackers can cause victims to change any data the victim is allowed to change, or perform any other function the victim is authorized to use, including state-changing requests like logout or even login.
• So this is in a way similar to hijacking the victim’s session.
• Website credibility will be reduced, causing huge business impact.
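The CSRF slides above rest on one fact: the browser attaches the session cookie to a forged request, so the cookie alone cannot distinguish it from a legitimate one. The standard fix is to require a second value that a cross-origin page cannot read, a token bound to the session and embedded in the site's own forms. As an added example that is not part of the original deck, here is such a check on a constructed "change email" endpoint; the session ids, the request shape and the HMAC-of-session-id token scheme are assumptions of this example (a per-request random token stored server-side works just as well), and setting the cookie's SameSite attribute adds a second layer.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret; generated here for the demo, loaded from config in practice.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id):
    """Token bound to the session: HMAC(secret, session_id). The site renders it
    into its own forms; a page on another origin cannot read it (same-origin
    policy), so a forged request cannot carry it even though the cookie is sent."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_change_email(request):
    """State-changing endpoint: require a valid session AND a token that matches
    that session. Constant-time comparison avoids leaking the token via timing."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return (401, "not logged in")
    submitted = str(request.get("form", {}).get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return (403, "csrf token missing or invalid")
    new_email = request["form"].get("email", "")
    if "@" not in new_email:
        return (400, "invalid email")
    return (200, f"email changed to {new_email}")


def legitimate_request(session_id, email):
    """What the site's own form produces on submission: the token rendered into
    the page travels back with the form, alongside the session cookie."""
    return {
        "cookies": {"session": session_id},
        "form": {"email": email, "csrf_token": issue_csrf_token(session_id)},
    }


def forged_request(session_id, email):
    """What a request from another origin looks like on arrival: the browser
    attaches the victim's cookie automatically, but the form fields come from
    the other page and contain no valid token."""
    return {"cookies": {"session": session_id}, "form": {"email": email}}


if __name__ == "__main__":
    print(handle_change_email(legitimate_request("sess-victim", "new@example.com")))
    print(handle_change_email(forged_request("sess-victim", "other@example.net")))
```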
About HACKViDHi
At HackVidhi our vision is to provide fast, efficient and reliable penetration testing services to our clients. We specialize in testing consumer-facing web applications and believe in building a safer and more secure web world to transact in.
We are offering a free trial scan of your website; you can request it @ http://hackvidhi.com/index.php.
We also offer a free course in web programming and ethical hacking; enrolment for the course is now open, reserve your seat @ http://hackvidhi.com/courses.php.
Please email us at contactus@hackvidhi.com for any queries.