Presentation "Securitatea Aplicatiilor Online" (Online Application Security) from ODO
The presentation "Securitatea Aplicatiilor Online" (Online Application Security) from ODO, given by Berescu Ciprian of Play the Balls.

Published in: Technology

Transcript of "Presentation "Securitatea Aplicatiilor Online" (Online Application Security) from ODO"

  1. Online application security
  2. Vulnerabilities
  3. Technologies in use
     - Web servers (IIS, Apache)
     - Databases (MySQL, Oracle, MSSQL)
     - Interpreters (PHP, Perl, ASP)
  4. The code we write
     - SQL injection
     - XSS
     - CSRF/XSRF
     - Email injection
     - Directory traversal
  5. Network
     - MITM attack
  6. SQL injection
     - An attack on the database
     http://www.example.com/view.php?id_cat=4
     "SELECT * FROM data WHERE id_category = " + $_GET['id'] + ";"
     http://www.example.com/view.php?id_cat=4 OR 1=1
     "SELECT * FROM data WHERE id = 1 OR 1=1;"
  7. Why?
     - Information theft
     - Data tampering
     - Just for the fun of it
     - It happens to big names too
       - 2007 Microsoft UK
       - 2007 UN web site
       - 2008 Kaspersky website
  8. Protection
     - All input must be validated
     - Encrypt sensitive data
     - Daily backups
     - Keep the database server updated
  9. Demonstration
  10. XSS
     - Input is not validated
     - HTML input is accepted
     - Types:
       - Non-persistent
       - Persistent
  11. Non-persistent
     http://www.example.com/search.php?s=<script>alert(document.cookie)</script>
  12. The result:
  13. Persistent
  14. CSRF/XSRF
     - Targets sites that rely on cookie/session authentication
     - The "hacker" has information about a site the victim has access to
     <img src="http://www.other-example.com/deleteuser.php?u=vasile" />
  15. Email injection
  16. The code behind it: we do not validate the input. The string sent to the mail server:
  17. Directory traversal HTTP requests
  19. MITM attack
  20. Data transfer
  21. Demonstration
  22. Conclusions
     - Validate all input
     - Encrypt information
     - Back-up
     - Users can't be trusted
     - Be paranoid
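The query-building pattern from slide 6 and the "validate all input" advice from slide 8, as an added Python example (not code from the presentation): the table contents and the `view_vulnerable`/`view_safe` function names are constructed for the illustration, and an in-memory SQLite database stands in for the MySQL/Oracle/MSSQL servers listed on slide 3.

```python
# Added example: the concatenated query from slide 6,
# "SELECT * FROM data WHERE id_category = " + $_GET['id'], rebuilt in Python
# next to a validated, parameterized version. Table rows are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two public items in category 4, one in category 9."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (id INTEGER, id_category INTEGER, name TEXT)")
    conn.executemany(
        "INSERT INTO data VALUES (?, ?, ?)",
        [(1, 4, "public item"), (2, 4, "another public item"), (3, 9, "hidden item")],
    )
    return conn


def view_vulnerable(conn: sqlite3.Connection, id_cat: str) -> list[str]:
    """Mirrors the slide: the raw GET parameter is pasted into the SQL text.
    A value like '4 OR 1=1' turns the WHERE clause into a tautology, so every
    row, including rows from other categories, is returned."""
    sql = "SELECT name FROM data WHERE id_category = " + id_cat + ";"
    return [row[0] for row in conn.execute(sql)]


def view_safe(conn: sqlite3.Connection, id_cat: str) -> list[str]:
    """Hardened version: check that the parameter is a plain integer, then bind
    it through a placeholder so the driver never parses it as SQL."""
    if not id_cat.isdigit():
        raise ValueError("id_cat must be a non-negative integer")
    sql = "SELECT name FROM data WHERE id_category = ?;"
    return [row[0] for row in conn.execute(sql, (int(id_cat),))]


if __name__ == "__main__":
    db = make_db()
    print(view_vulnerable(db, "4"))         # ['public item', 'another public item']
    print(view_vulnerable(db, "4 OR 1=1"))  # all three rows, 'hidden item' included
    print(view_safe(db, "4"))               # ['public item', 'another public item']
    try:
        view_safe(db, "4 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)             # the injected value never reaches SQL
```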