Predrag CujanovićKontakt• mail: predrag@cujanovic.com• blog: http://www.cujanovic.com• tw: http://www.twitter.com/cujanovi...
Sadržaj:• Cross side scripting (XSS) napad• SQL injection (SQLi) napad• Insecure cryptographic storage• Primeri
Cross side scripting (XSS) napad• Šta je XSS napad?• Tipovi XSS napada• Opasnost XSS napada• Kako sprečiti XSS napad?
Šta je XSS napad?
Tipovi XSS napada• Non-Persistent (Reflected)• Persistent (Stored)• DOM Based
Opasnost XSS napadaXSS Shell
Opasnost XSS napadaCookie stealingPhishing
Kako sprečiti XSS napad?• Filtriranjem podataka preko već predefinisanih php  funkcija: strip_tags, htmlspecialchars, html...
SQL injection (SQLi) napad  Šta je SQLi napad?  Tipovi SQLi napada  Opasnost SQLi napada  Kako sprečiti SQLi napad?
Šta je SQLi napad?
Tipovi SQLi napada    Incorrectly filtered escape characters(SELECT * FROM users WHERE name =  OR 1=1 -- ;)    Incorrect...
Opasnost SQLi napada    Pristup podacima u bazi (UNION SELECT 1,2,3,4--)    Izmena, brisanje podataka u bazi – DROP user...
Kako sprečiti SQLi napad?    mysql_real_escape_string funkcija    is_numeric funkcija    cast to int – (int)
Insecure cryptographic storage
Insecure cryptographic storage0. koristiti neki hash algoritam1. ne korisiti zastrarele hash algoritme (md5 je zvanično mr...
Insecure cryptographic storage      oclHashcat-plus
Hvala na pažnji :)Pitanja?
Owasp Serbia: sqli,xss
Owasp Serbia: sqli,xss
Upcoming SlideShare
Loading in …5
×

Owasp Serbia: sqli,xss

1,104 views

Published on

Predrag Cujanovic from OWASP Serbia talking about Cross site scripting, SQL injection and insecure cryptographic storage. Presentation was held on 9.7.2012. on faculty of Electrical Engineering, University of Belgrade.

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,104
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
30
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Owasp Serbia: sqli,xss

  1. 1. Predrag CujanovićKontakt• mail: predrag@cujanovic.com• blog: http://www.cujanovic.com• tw: http://www.twitter.com/cujanovic• fb: http://www.facebook.com/predrag.cujanovic
  2. 2. Sadržaj:• Cross side scripting (XSS) napad• SQL injection (SQLi) napad• Insecure cryptographic storage• Primeri
  3. 3. Cross side scripting (XSS) napad• Šta je XSS napad?• Tipovi XSS napada• Opasnost XSS napada• Kako sprečiti XSS napad?
  4. 4. Šta je XSS napad?
  5. 5. Tipovi XSS napada• Non-Persistent (Reflected)• Persistent (Stored)• DOM Based
  6. 6. Opasnost XSS napadaXSS Shell
  7. 7. Opasnost XSS napadaCookie stealingPhishing
  8. 8. Kako sprečiti XSS napad?• Filtriranjem podataka preko već predefinisanih php funkcija: strip_tags, htmlspecialchars, htmlentities• Izbegavati pisanje sopstvenih funkcija samo za ovu namenu
  9. 9. SQL injection (SQLi) napad Šta je SQLi napad? Tipovi SQLi napada Opasnost SQLi napada Kako sprečiti SQLi napad?
  10. 10. Šta je SQLi napad?
  11. 11. Tipovi SQLi napada Incorrectly filtered escape characters(SELECT * FROM users WHERE name = OR 1=1 -- ;) Incorrect type handling(SELECT * FROM userinfo WHERE id=1;DROP TABLE users;) Blind SQL injection(SELECT booktitle FROM booklist WHERE bookId = OOk14cd AND 1=1;) Time Based SQL injection(download_key=1 AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND uzOQ=uzOQ)
  12. 12. Opasnost SQLi napada Pristup podacima u bazi (UNION SELECT 1,2,3,4--) Izmena, brisanje podataka u bazi – DROP users; Čitanje fajlova - load_file(/etc/passwd) iliload_file(0x2f6574632f706173737764) funkcija Pravnjenje novih fajlova - INTO OUTFILE /var/www/victim.com/shell.php
  13. 13. Kako sprečiti SQLi napad? mysql_real_escape_string funkcija is_numeric funkcija cast to int – (int)
  14. 14. Insecure cryptographic storage
  15. 15. Insecure cryptographic storage0. koristiti neki hash algoritam1. ne korisiti zastrarele hash algoritme (md5 je zvanično mrtav)2. korisiti salt, najbolje ih ne čuvati u bazi (primer Wordpress)3. korisiti dva različita hash algoritma (sha1($salt.(des($salt.$pass.$salt))))
  16. 16. Insecure cryptographic storage oclHashcat-plus
  17. 17. Hvala na pažnji :)Pitanja?

×