The "Online Application Security" presentation from ODO

The "Online Application Security" presentation from ODO, given by Berescu Ciprian of Play the Balls.

Published in: Technology

  1. Online application security
  2. Vulnerabilities
  3. Solutions used
     - Web servers (IIS, Apache)
     - Database (MySQL, Oracle, MSSQL)
     - Interpreters (PHP, Perl, ASP)
  4. The code we write
     - SQL injection
     - XSS
     - CSRF/XSRF
     - Email injection
     - Directory traversal
  5. Network
     - MITM attack
  6. SQL injection
     - Attack on the database
     - Normal request and the query it builds:
       http://www.example.com/view.php?id_cat=4
       "SELECT * FROM data WHERE id_category = " + $_GET['id_cat'] + ";"
     - Injected request and the query that results from it:
       http://www.example.com/view.php?id_cat=4 OR 1=1
       "SELECT * FROM data WHERE id_category = 4 OR 1=1;"
  7. Why?
     - Information theft
     - Data alteration
     - Just for the fun of it
     - It happens to bigger players too
       - 2007 Microsoft UK
       - 2007 UN web site
       - 2008 Kaspersky website
  8. Protection
     - All input must be validated
     - Encrypt the important data
     - Daily backups
     - Keep the database server updated
  9. Demo
  10. XSS
      - Input is not validated
      - HTML input is accepted
      - Types:
        - Non-persistent
        - Persistent
  11. Non-persistent
      http://www.example.com?search.php?s=<script>alert(document.cookie)</script>
  12. The result:
  13. Persistent
  14. CSRF/XSRF
      - Targets sites that rely on cookie/session authentication
      - The "hacker" has information about the site the victim has access to
        <img src="http://www.other-example.com?deleteuser.php?u=vasile" />
  15. Email injection
  16. The code behind it: the input is not validated. The string sent to the mail server:
  17. Directory traversal: HTTP requests
  18. MITM attack
  19. Data transfer
  20. Demo
  21. Conclusions
      - Validate all input
      - Encrypt information
      - Back up
      - Users can't be trusted
      - Be paranoid
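The following is an added example, not code from the ODO slides or from Play the Balls. It takes the four code-level bugs the deck lists (SQL injection on slide 6, reflected XSS on slide 11, email header injection on slide 16, directory traversal on slide 17) and puts each vulnerable handler beside the input-checking version that the "Protection" and "Conclusions" slides ask for. The `data` table rows, the search terms, the mail headers and the `/srv/www` document root are all constructed for the demo; the slide's PHP is shown here in Python so the two forms can be run side by side.

```python
"""Added example (not from the ODO slides): vulnerable vs. input-checked
handlers for SQL injection, reflected XSS, email header injection and
directory traversal. All inputs and the document root are constructed."""
import html
import sqlite3
from pathlib import Path


# --- SQL injection (slide 6) ----------------------------------------------
def make_db():
    """In-memory stand-in for the slide's `data` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (id INTEGER, id_category INTEGER, name TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)",
                     [(1, 4, "public-a"), (2, 4, "public-b"), (3, 9, "private")])
    return conn


def query_vulnerable(conn, id_cat):
    # String concatenation as on slide 6: the parameter is parsed as SQL,
    # so "4 OR 1=1" returns every row, including rows of other categories.
    sql = "SELECT name FROM data WHERE id_category = " + id_cat + " ORDER BY id;"
    return [row[0] for row in conn.execute(sql)]


def query_safe(conn, id_cat):
    # Check the input's form first, then bind it as a parameter so the
    # database driver never treats it as SQL text.
    if not id_cat.isdigit():
        raise ValueError("id_cat must be a non-negative integer")
    rows = conn.execute("SELECT name FROM data WHERE id_category = ? ORDER BY id",
                        (int(id_cat),))
    return [row[0] for row in rows]


# --- Reflected XSS (slide 11) ---------------------------------------------
def render_search_vulnerable(term):
    # The search term is reflected into the page unchanged.
    return "<p>Results for: " + term + "</p>"


def render_search_safe(term):
    # Escape at output time: <, >, &, " and ' become entities, so the
    # browser shows the text instead of executing it.
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# --- Email header injection (slide 16) ------------------------------------
def build_mail_vulnerable(sender, subject, body):
    # Header values are pasted into the message; a CR/LF inside one
    # starts a new header line that the submitter controls.
    return "From: " + sender + "\r\nSubject: " + subject + "\r\n\r\n" + body


def build_mail_safe(sender, subject, body):
    # A header value may never contain a line break; reject rather than strip.
    for value in (sender, subject):
        if "\r" in value or "\n" in value:
            raise ValueError("line break in mail header value")
    return "From: " + sender + "\r\nSubject: " + subject + "\r\n\r\n" + body


# --- Directory traversal (slide 17) ---------------------------------------
DOC_ROOT = "/srv/www"  # constructed document root; need not exist for resolve()


def resolve_vulnerable(name):
    # Joins the requested name onto the root and never checks the result,
    # so "../" components walk out of the root.
    return (Path(DOC_ROOT) / name).resolve()


def resolve_safe(name):
    # Normalise, then require the result to stay inside the root.
    root = Path(DOC_ROOT).resolve()
    target = (root / name).resolve()
    if target != root and root not in target.parents:
        raise ValueError("path escapes the document root")
    return target


if __name__ == "__main__":
    db = make_db()
    print(query_vulnerable(db, "4 OR 1=1"))   # every row, not just category 4
    print(query_safe(db, "4"))                # only category 4
    print(render_search_safe("<script>alert(document.cookie)</script>"))
    print(resolve_vulnerable("../../etc/passwd"))  # outside /srv/www
```

Each safe variant does the check the deck summarises as "validate all input": a type check plus parameter binding for the query, escaping at the point of output for HTML, outright rejection of line breaks in header values, and a containment check on the normalised path.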
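The following is an added example, not code from the ODO slides or from Play the Balls, for the CSRF scenario of slide 14: an `<img>` tag on some other page makes the victim's browser request `deleteuser.php?u=vasile` with the victim's session cookie attached. It shows a handler that trusts the cookie alone beside one that requires a POST carrying a per-session token. The session store, the server secret, the site origin `https://www.other-example.com` and the `Request` dataclass standing in for an HTTP request are all constructed here.

```python
"""Added example (not from the ODO slides): a cookie-only handler accepts the
forged request that slide 14's <img> tag triggers; the per-session token
version rejects it. Session store, secret and origin are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

SESSION_SECRET = secrets.token_bytes(32)       # server-side secret (constructed)
SITE_ORIGIN = "https://www.other-example.com"  # assumed origin of the site itself
SESSIONS = {"sess-123": {"user": "vasile"}}    # constructed session store


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the handler sees it."""
    method: str
    path: str
    cookies: dict
    params: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def csrf_token(session_id):
    # Derived from the session id with a server secret: another site can make
    # the browser send the cookie, but it cannot read this value.
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def delete_user_vulnerable(req):
    # Only the cookie is checked, so the request the <img> tag triggers
    # (GET, cookie attached automatically by the browser) is accepted.
    if req.cookies.get("sid") not in SESSIONS:
        return 401
    return 200  # user req.params["u"] would be deleted here


def delete_user_safe(req):
    sid = req.cookies.get("sid")
    if sid not in SESSIONS:
        return 401
    if req.method != "POST":
        return 405  # state changes never on GET, so an <img> src cannot cause one
    supplied = req.params.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), csrf_token(sid).encode()):
        return 403  # token missing or wrong
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # defence in depth: browser says the request came from elsewhere
    return 200


def forged_request():
    """What the browser sends when it loads slide 14's <img> tag (constructed)."""
    return Request("GET", "/deleteuser.php", {"sid": "sess-123"}, {"u": "vasile"},
                   {"Referer": "https://attacker.example/"})


def legitimate_request():
    """A form submitted from the site's own page, carrying the token (constructed)."""
    return Request("POST", "/deleteuser.php", {"sid": "sess-123"},
                   {"u": "vasile", "csrf_token": csrf_token("sess-123")},
                   {"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    print("vulnerable handler, forged request:", delete_user_vulnerable(forged_request()))  # 200
    print("safe handler, forged request:", delete_user_safe(forged_request()))              # 405
    print("safe handler, legitimate request:", delete_user_safe(legitimate_request()))      # 200
```

The token is what the attacker's page lacks: the browser attaches the cookie to any request, but only a page served by the site itself can embed the token in its form. Refusing GET for state changes closes the `<img>` vector on its own; the token check also covers forged POSTs from forms on other sites.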
