Nikola Milosevic, profile picture
Uploaded byNikola Milosevic
PPT, PDF959 views

Owasp Serbia: sqli,xss

Predrag Cujanovic from OWASP Serbia talking about Cross site scripting, SQL injection and insecure cryptographic storage. Presentation was held on 9.7.2012. on faculty of Electrical Engineering, University of Belgrade.

Embed presentation

Downloaded 32 times
Predrag Cujanović Kontakt • mail: predrag@cujanovic.com • blog: http://www.cujanovic.com • tw: http://www.twitter.com/cujanovic • fb: http://www.facebook.com/predrag.cujanovic
Sadržaj: • Cross side scripting (XSS) napad • SQL injection (SQLi) napad • Insecure cryptographic storage • Primeri
Cross side scripting (XSS) napad • Šta je XSS napad? • Tipovi XSS napada • Opasnost XSS napada • Kako sprečiti XSS napad?
Šta je XSS napad?
Tipovi XSS napada • Non-Persistent (Reflected) • Persistent (Stored) • DOM Based
Opasnost XSS napada XSS Shell
Opasnost XSS napada Cookie stealing Phishing
Kako sprečiti XSS napad? • Filtriranjem podataka preko već predefinisanih php funkcija: strip_tags, htmlspecialchars, htmlentities • Izbegavati pisanje sopstvenih funkcija samo za ovu namenu
SQL injection (SQLi) napad  Šta je SQLi napad?  Tipovi SQLi napada  Opasnost SQLi napada  Kako sprečiti SQLi napad?
Šta je SQLi napad?
Tipovi SQLi napada  Incorrectly filtered escape characters (SELECT * FROM users WHERE name = '' OR '1'='1' -- ';)  Incorrect type handling (SELECT * FROM userinfo WHERE id=1;DROP TABLE users;)  Blind SQL injection (SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';)  Time Based SQL injection (download_key=1' AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND 'uzOQ'='uzOQ)
Opasnost SQLi napada  Pristup podacima u bazi (UNION SELECT 1,2,3,4--)  Izmena, brisanje podataka u bazi – DROP users;  Čitanje fajlova - load_file('/etc/passwd') ili load_file(0x2f6574632f706173737764) funkcija  Pravnjenje novih fajlova - INTO OUTFILE '/var/www/victim.com/shell.php'
Kako sprečiti SQLi napad?  mysql_real_escape_string funkcija  is_numeric funkcija  cast to int – (int)
Insecure cryptographic storage
Insecure cryptographic storage 0. koristiti neki hash algoritam 1. ne korisiti zastrarele hash algoritme (md5 je zvanično mrtav) 2. korisiti salt, najbolje ih ne čuvati u bazi (primer Wordpress) 3. korisiti dva različita hash algoritma (sha1($salt.(des($salt.$pass.$salt))))
Insecure cryptographic storage oclHashcat-plus
Hvala na pažnji :) Pitanja?

More Related Content

PDF
Nikola Petrov-Bezbednost WordPress sajtova - Uvod u WordPress
byDamir Bodor
 
PPTX
Machine learning (ML) and natural language processing (NLP)
byNikola Milosevic
 
PPTX
Machine learning prediction of stock markets
byNikola Milosevic
 
PPTX
Veštačka inteligencija
byNikola Milosevic
 
PPT
XSS SQLi sigurnost
byPrelovacMedia
 
PPTX
AI an the future of society
byNikola Milosevic
 
PPTX
Classifying intangible social innovation concepts using machine learning and ...
byNikola Milosevic
 
PPT
SNS uputstvo za ostavljanje komentara - SNSNET
byzabrinutigradjanin
 
Nikola Petrov-Bezbednost WordPress sajtova - Uvod u WordPress
byDamir Bodor
 
Machine learning (ML) and natural language processing (NLP)
byNikola Milosevic
 
Machine learning prediction of stock markets
byNikola Milosevic
 
Veštačka inteligencija
byNikola Milosevic
 
XSS SQLi sigurnost
byPrelovacMedia
 
AI an the future of society
byNikola Milosevic
 
Classifying intangible social innovation concepts using machine learning and ...
byNikola Milosevic
 
SNS uputstvo za ostavljanje komentara - SNSNET
byzabrinutigradjanin
 

More from Nikola Milosevic

PPT
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
PPT
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
PPT
Sigurnosne prijetnje i mjere zaštite IT infrastrukture
byNikola Milosevic
 
PPT
OWASP Serbia - A6 security misconfiguration
byNikola Milosevic
 
PDF
Malware
byNikola Milosevic
 
PDF
Software Freedom day Serbia - Owasp - informaciona bezbednost u Srbiji open s...
byNikola Milosevic
 
PDF
Http and security
byNikola Milosevic
 
PDF
Sentiment analysis for Serbian language
byNikola Milosevic
 
PPTX
Extracting patient data from tables in clinical literature
byNikola Milosevic
 
PPTX
Equity forecast: Predicting long term stock market prices using machine learning
byNikola Milosevic
 
PPTX
Mašinska analiza sentimenta rečenica na srpskom jeziku
byNikola Milosevic
 
PPT
Software Freedom day Serbia - Owasp open source resenja
byNikola Milosevic
 
PPTX
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
PPT
Malware
byNikola Milosevic
 
ODP
Android(1)
byNikola Milosevic
 
PPTX
BelBi2016 presentation: Hybrid methodology for information extraction from ta...
byNikola Milosevic
 
PPTX
Supporting clinical trial data curation and integration with table mining
byNikola Milosevic
 
PPTX
Table mining and data curation from biomedical literature
byNikola Milosevic
 
PPTX
Serbia2
byNikola Milosevic
 
PDF
Android business models
byNikola Milosevic
 
OWASP Serbia - A5 cross-site request forgery
byNikola Milosevic
 
OWASP Serbia - A3 broken authentication and session management
byNikola Milosevic
 
Sigurnosne prijetnje i mjere zaštite IT infrastrukture
byNikola Milosevic
 
OWASP Serbia - A6 security misconfiguration
byNikola Milosevic
 
Malware
byNikola Milosevic
 
Software Freedom day Serbia - Owasp - informaciona bezbednost u Srbiji open s...
byNikola Milosevic
 
Http and security
byNikola Milosevic
 
Sentiment analysis for Serbian language
byNikola Milosevic
 
Extracting patient data from tables in clinical literature
byNikola Milosevic
 
Equity forecast: Predicting long term stock market prices using machine learning
byNikola Milosevic
 
Mašinska analiza sentimenta rečenica na srpskom jeziku
byNikola Milosevic
 
Software Freedom day Serbia - Owasp open source resenja
byNikola Milosevic
 
Mobile security, OWASP Mobile Top 10, OWASP Seraphimdroid
byNikola Milosevic
 
Malware
byNikola Milosevic
 
Android(1)
byNikola Milosevic
 
BelBi2016 presentation: Hybrid methodology for information extraction from ta...
byNikola Milosevic
 
Supporting clinical trial data curation and integration with table mining
byNikola Milosevic
 
Table mining and data curation from biomedical literature
byNikola Milosevic
 
Serbia2
byNikola Milosevic
 
Android business models
byNikola Milosevic
 

Owasp Serbia: sqli,xss

  • 2.
    Predrag Cujanović Kontakt • mail:predrag@cujanovic.com • blog: http://www.cujanovic.com • tw: http://www.twitter.com/cujanovic • fb: http://www.facebook.com/predrag.cujanovic
  • 3.
    Sadržaj: • Cross sidescripting (XSS) napad • SQL injection (SQLi) napad • Insecure cryptographic storage • Primeri
  • 4.
    Cross side scripting(XSS) napad • Šta je XSS napad? • Tipovi XSS napada • Opasnost XSS napada • Kako sprečiti XSS napad?
  • 5.
  • 6.
    Tipovi XSS napada •Non-Persistent (Reflected) • Persistent (Stored) • DOM Based
  • 7.
  • 9.
    Opasnost XSS napada Cookiestealing Phishing
  • 10.
    Kako sprečiti XSSnapad? • Filtriranjem podataka preko već predefinisanih php funkcija: strip_tags, htmlspecialchars, htmlentities • Izbegavati pisanje sopstvenih funkcija samo za ovu namenu
  • 11.
    SQL injection (SQLi)napad  Šta je SQLi napad?  Tipovi SQLi napada  Opasnost SQLi napada  Kako sprečiti SQLi napad?
  • 12.
  • 13.
    Tipovi SQLi napada  Incorrectly filtered escape characters (SELECT * FROM users WHERE name = '' OR '1'='1' -- ';)  Incorrect type handling (SELECT * FROM userinfo WHERE id=1;DROP TABLE users;)  Blind SQL injection (SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';)  Time Based SQL injection (download_key=1' AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND 'uzOQ'='uzOQ)
  • 14.
    Opasnost SQLi napada  Pristup podacima u bazi (UNION SELECT 1,2,3,4--)  Izmena, brisanje podataka u bazi – DROP users;  Čitanje fajlova - load_file('/etc/passwd') ili load_file(0x2f6574632f706173737764) funkcija  Pravnjenje novih fajlova - INTO OUTFILE '/var/www/victim.com/shell.php'
  • 15.
    Kako sprečiti SQLinapad?  mysql_real_escape_string funkcija  is_numeric funkcija  cast to int – (int)
  • 16.
  • 17.
    Insecure cryptographic storage 0.koristiti neki hash algoritam 1. ne korisiti zastrarele hash algoritme (md5 je zvanično mrtav) 2. korisiti salt, najbolje ih ne čuvati u bazi (primer Wordpress) 3. korisiti dva različita hash algoritma (sha1($salt.(des($salt.$pass.$salt))))
  • 18.
  • 19.
    Hvala na pažnji:) Pitanja?