Web Security
Category <ul><li>The methodology of web hacking
Automated vulnerability scanning software
Common vulnerability by platform : Apache
SQL Injection
Attack web service
Hacking web application management </li></ul>
<ul>The methodology of web hacking </ul><ul><li>Profile the infrastructure
Attack web server
Survey the application
Attack the authentication mechanism
Attack the authorization schemes
Perform a functional analysis
Exploit the data connectivity
Attack the management interfaces
Attack the client
Launch a denial-of-service attack </li></ul>
Profile the infrastructure <ul><li>Is there special client necessary to connect to the application ?
What transports does it use ?
Over which ports ?
How many servers are there ?
Is there a load balancer ?
What is the make and model of the Web server
Are external sites relied on for some functionality ? </li></ul>
Attack Web Server <ul><li>Attacking about vulnerabilities of the web server (Apache, IIS, etc...) over port 80.
The sheer number of Web server software vulnerabilities that have been published makes this one of the first and usually m...
Survey the Application <ul><li>Surveying a Web application attempts to discern what application technology are deployed. <...
Attack the Authentication Mechanism <ul><li>Hack authentication include automated password guessing attack.
Spoofing token within a cookie </li></ul>
Attack the Authorization Schemes <ul><li>About changing the user principle (altering form or cookie values)
Requesting hidden objects with guessable names
attacks, escalating privileges, and tunneling privileged commands to the SQL server </li></ul>
Perform a Functional Analysis <ul><li>Attempt about function analysis each application, component (input, tracking)
Attempted fault injection is central to software security testing
referred to as input validation attacks </li></ul>
Exploit the Data Connectivity <ul><li>most devastating attacks on Web applications actually relate to the back-end database
Web developers tend to focus on the most efficient way to make this connection,rather than the most secure. </li></ul>
Attack the Management Interfaces <ul><li>examine some of the most common management platforms and vulnerabilities associat...
Attack the Client <ul><li>Web application security holes, with an emphasis on server-side flaws. But what about the client...
since there have been some devastating attacks against the Web user community over the years, including cross-site scripti...
Launch a Denial-of-Service Attack <ul><li>If attacker hasn’t gotten in at this point in the methodology, the last refuge o...
t is typically carried out by issuing a flood of traffic to a site, drowning out legitimate requests </li></ul>
AUTOMATED VULNERABILITY SCANNING SOFTWARE
Server Discovery <ul><li>Internet Footprinting </li><ul><li>footprinting as the process of creating a complete profile of ...
Registered DNS domain names and related data
Administrative contact for an Internet presence </li></ul></ul></ul>
#whois -h whois.crsnic.net mthai
#whois -h whois.crsnic.net mthai.com
<ul><li>DNS Interrogation </li><ul><li>Defined domain name over DNS zone transfer used “nslookup” command to explain about...
<ul><li>Ping </li><ul><li>The most basic approach to server discovery is to send ICMP Echo Requests (typically implemented...
<ul><li>Discovery Using Port Scanning </li><ul><li>A port scan attempts to connect to a specific set of TCP and/or UDP por...
TCP scanport call “TCP SYN scans”
Obviously, Web Server are used few service port to acting Web. </li></ul></ul>
 
<ul><li>Dealing with Virtual Servers </li><ul><li>One issue that can skew the outcome of server discovery is load balancin...
<ul><li>Service Discovery </li><ul><li>Identify what port are running HTTP call serice discovery. </li></ul></ul>
D:> fscan -qp 80,81,88,443, 8888,9090,10000 192.168.234.1-254 FScan v1.12 - Command line port scanner. Copyright 2000 (c) ...
<ul><li>Server Identification </li><ul><li>The server will identify the called banner grabbing is specified using the serv...
<ul><li>Dealing with SSL </li><ul><li>Netcat and Fscan Tool can't connect to SSL. Hacker use a tool to connect to ssl is c...
dummycert.pem a certificate to be used in connection with ssl. </li></ul></ul>
 
COMMON VULNERABILITIES BY PLATFORM : Apache
<ul><li>Apache </li><ul><li>Apache has a well-earned reputation for security and performance. But Apache 1.3 is the pseudo...
<ul><li>Long Slash Directory Listing </li><ul><li>Long URLs passing through the mod_negotiate, mod_dir, and mod_autoindex ...
The concept is simple
but requires a few trial runs to perfect against a server.AURL with a large number of trailing slashes
Note that most Apache servers cannot handle at all aURLlonger than about 8,000 characters. </li></ul></ul>
<ul><li>Long Slash Countermeasures </li><ul><li>The error is fixed in Apache 1.3.19; however, the problem can also be addr...
The mod_dir and mod_autoindex modules are included in default builds of the server. </li></ul><li>Solution </li><ul><li>./...
<ul><li>Multiview Directory Listing </li><ul><li>Apache will resist just about any attempt to obtain directory listings wi...
But, The attack can be performed directly on the URL with a browser or from the command line using netcat </li></ul></ul>
 
<ul><li>Multiview Countermeasures </li><ul><li>The first defense is a clean document root. No unnecessary files should be ...
Unnecessary files include password files, developer notes, old data, backup versions of the site, and any file that will n...
Upcoming SlideShare
Loading in...5
×

Web Security

577
-1

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
577
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
29
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Web Security

  1. 1. Web Security
  2. 2. Category <ul><li>The methodology of web hacking
  3. 3. Automated vulnerability scanning software
  4. 4. Common vulnerability by platform : Apache
  5. 5. SQL Injection
  6. 6. Attack web service
  7. 7. Hacking web application management </li></ul>
  8. 8. <ul>The methodology of web hacking </ul><ul><li>Profile the infrastructure
  9. 9. Attack web server
  10. 10. Survey the application
  11. 11. Attack the authentication mechanism
  12. 12. Attack the authorization schemes
  13. 13. Perform a functional analysis
  14. 14. Exploit the data connectivity
  15. 15. Attack the management interfaces
  16. 16. Attack the client
  17. 17. Launch a denial-of-service attack </li></ul>
  18. 18. Profile the infrastructure <ul><li>Is there special client necessary to connect to the application ?
  19. 19. What transports does it use ?
  20. 20. Over which ports ?
  21. 21. How many servers are there ?
  22. 22. Is there a load balancer ?
  23. 23. What is the make and model of the Web server
  24. 24. Are external sites relied on for some functionality ? </li></ul>
  25. 25. Attack Web Server <ul><li>Attacking about vulnerabilities of the web server (Apache, IIS, etc...) over port 80.
  26. 26. The sheer number of Web server software vulnerabilities that have been published makes this one of the first and usually most fruitful areas of research for a Web hacker. </li></ul>
  27. 27. Survey the Application <ul><li>Surveying a Web application attempts to discern what application technology are deployed. </li></ul>
  28. 28. Attack the Authentication Mechanism <ul><li>Hack authentication include automated password guessing attack.
  29. 29. Spoofing token within a cookie </li></ul>
  30. 30. Attack the Authorization Schemes <ul><li>About changing the user principle (altering form or cookie values)
  31. 31. Requesting hidden objects with guessable names
  32. 32. attacks, escalating privileges, and tunneling privileged commands to the SQL server </li></ul>
  33. 33. Perform a Functional Analysis <ul><li>Attempt about function analysis each application, component (input, tracking)
  34. 34. Attempted fault injection is central to software security testing
  35. 35. referred to as input validation attacks </li></ul>
  36. 36. Exploit the Data Connectivity <ul><li>most devastating attacks on Web applications actually relate to the back-end database
  37. 37. Web developers tend to focus on the most efficient way to make this connection,rather than the most secure. </li></ul>
  38. 38. Attack the Management Interfaces <ul><li>examine some of the most common management platforms and vulnerabilities associated with Web application management. </li></ul>
  39. 39. Attack the Client <ul><li>Web application security holes, with an emphasis on server-side flaws. But what about the client side?
  40. 40. since there have been some devastating attacks against the Web user community over the years, including cross-site scripting. </li></ul>
  41. 41. Launch a Denial-of-Service Attack <ul><li>If attacker hasn’t gotten in at this point in the methodology, the last refuge of a defeated mind is denial of service (DoS)
  42. 42. t is typically carried out by issuing a flood of traffic to a site, drowning out legitimate requests </li></ul>
  43. 43. AUTOMATED VULNERABILITY SCANNING SOFTWARE
  44. 44. Server Discovery <ul><li>Internet Footprinting </li><ul><li>footprinting as the process of creating a complete profile of a target’s information technology infrastructure, Is primarily carried out using the “whois”. “whois” are including </li><ul><li>Assigned Internet IP address ranges
  45. 45. Registered DNS domain names and related data
  46. 46. Administrative contact for an Internet presence </li></ul></ul></ul>
  47. 47. #whois -h whois.crsnic.net mthai
  48. 48. #whois -h whois.crsnic.net mthai.com
  49. 49. <ul><li>DNS Interrogation </li><ul><li>Defined domain name over DNS zone transfer used “nslookup” command to explain about how many of server, IP address each server. </li></ul></ul>
  50. 50. <ul><li>Ping </li><ul><li>The most basic approach to server discovery is to send ICMP Echo Requests (typically implemented via the ping utility) to potentially valid hostnames or IP addresses </li></ul></ul>
  51. 51. <ul><li>Discovery Using Port Scanning </li><ul><li>A port scan attempts to connect to a specific set of TCP and/or UDP ports and determine if a service exists there.
  52. 52. TCP scanport call “TCP SYN scans”
  53. 53. Obviously, Web Server are used few service port to acting Web. </li></ul></ul>
  54. 55. <ul><li>Dealing with Virtual Servers </li><ul><li>One issue that can skew the outcome of server discovery is load balancing and virtual servers. </li></ul></ul>
  55. 56. <ul><li>Service Discovery </li><ul><li>Identify what port are running HTTP call serice discovery. </li></ul></ul>
  56. 57. D:> fscan -qp 80,81,88,443, 8888,9090,10000 192.168.234.1-254 FScan v1.12 - Command line port scanner. Copyright 2000 (c) by Foundstone, Inc. http://www.foundstone.com Scan started at Fri Feb 15 15:13:33 2002 192.168.234.1 80/tcp 192.168.234.34 80/tcp 192.168.234.34 443/tcp 192.168.234.34 8000/tcp 192.168.234.148 80/tcp 192.168.234.148 443/tcp 192.168.234.148 8000/tcp Scan finished at Fri Feb 15 15:14:19 2002 Time taken: 4826 ports in 45.705 secs (105.59 ports/sec)
  57. 58. <ul><li>Server Identification </li><ul><li>The server will identify the called banner grabbing is specified using the server's HTTP respond header reading are analyzed by analysis of the server to each feld. </li></ul></ul>
  58. 59. <ul><li>Dealing with SSL </li><ul><li>Netcat and Fscan Tool can't connect to SSL. Hacker use a tool to connect to ssl is call sslproxy to connect with a specific instead localport a 5000 port to connect to server port 443.
  59. 60. dummycert.pem a certificate to be used in connection with ssl. </li></ul></ul>
  60. 62. COMMON VULNERABILITIES BY PLATFORM : Apache
  61. 63. <ul><li>Apache </li><ul><li>Apache has a well-earned reputation for security and performance. But Apache 1.3 is the pseudo gap with add-on components, called &quot;modules&quot;. </li></ul></ul>
  62. 64. <ul><li>Long Slash Directory Listing </li><ul><li>Long URLs passing through the mod_negotiate, mod_dir, and mod_autoindex modules
  63. 65. The concept is simple
  64. 66. but requires a few trial runs to perfect against a server.AURL with a large number of trailing slashes
  65. 67. Note that most Apache servers cannot handle at all aURLlonger than about 8,000 characters. </li></ul></ul>
  66. 68. <ul><li>Long Slash Countermeasures </li><ul><li>The error is fixed in Apache 1.3.19; however, the problem can also be addressed with a more thorough Apache configuration.
  67. 69. The mod_dir and mod_autoindex modules are included in default builds of the server. </li></ul><li>Solution </li><ul><li>./configure --disable-module=dir --disable-module=autoindex </li></ul></ul>
  68. 70. <ul><li>Multiview Directory Listing </li><ul><li>Apache will resist just about any attempt to obtain directory listings without explicit permission from the server administrator.
  69. 71. But, The attack can be performed directly on the URL with a browser or from the command line using netcat </li></ul></ul>
  70. 73. <ul><li>Multiview Countermeasures </li><ul><li>The first defense is a clean document root. No unnecessary files should be present in any directory.
  71. 74. Unnecessary files include password files, developer notes, old data, backup versions of the site, and any file that will never be touched by a browser or required by the application.
  72. 75. Directory listing vulnerabilities are only threatening when sensitive data can be discovered. </li></ul><li>Multiview is enabled in the Options directive between <Directory> tags. It is not enabled by default. </li></ul>
  73. 76. <ul><li>mod_rewrite File Access </li><ul><li>Released a fix for a vulnerability that would allow a user to access any file on the Web server, even those outside the document root.
  74. 77. Unfortunately, it is not easy to identify when a server is using mod_rewrite, or if the configuration is vulnerable.
  75. 78. A vulnerable server has a RewriteRule that maps a URL to a local page that is referenced by it's complete pathname. </li></ul></ul>
  76. 79. <ul><li>mod_rewrite File Access
  77. 80. A vulnerable rule :
  78. 81. RewriteRule /more-icons/(.*) /home/httpd/icons/$1
  79. 82. A rule that is not vulnerable :
  80. 83. RewriteRule /more-icons/(.*) /icons/$1 </li></ul>
  81. 84. <ul><li>Mod_rewrite Countermeasures </li><ul><li>As you may have already guessed from the previous discussion, specify RewriteRules that use generic pathnames. </li></ul></ul>
  82. 85. <ul><li>mod_auth_*sql Injection </li><ul><li>Mighty tick mark (‘) can be inserted into requests. This allows a user to create arbitrary SQL commands, the simplest of which spoof the site’s authentication </li></ul><li>mod_auth_*sql Countermeasures </li><ul><li>Upgrade the mod_auth_*sql package that you are using. It is necessary to stop and restart the Apache Web server after updating these packages </li></ul></ul>
  83. 86. SQL INJECTION
  84. 87. <ul><li>SQL Injection </li><ul><li>The exploits available to the SQL injection technique vary from innocuous error-generating characters to full command-line execution.
  85. 88. No particular database vendor is more secure than another against these exploits.
  86. 89. SQL server is just more equal than others! </li></ul></ul>
  87. 90. <ul><li>SQL Injection </li><ul><li>problems: the single quote (’), also known as the tick.
  88. 91. A common SQL structure uses the tick to delimit variables within the query </li></ul></ul>strSQL = &quot;select userid from users where password = '&quot; + password + &quot;'&quot;;
  89. 92. <ul><li>A Walk in the ODBC Woods </li></ul>
  90. 93. <ul><li>A Walk in the ODBC Woods </li><ul><li>If the tick generates a VBScript error or no error at all, move on to the next parameter.
  91. 94. The unclosed quotation mark indicates a vulnerable query. Plus, the error contains “@UserID=182”, which provides us with a field name and the specific UserID we have been assigned. </li></ul></ul>
  92. 95. <ul><li>A Walk in the ODBC Woods </li><ul><li>Let’s see what the comment (--) generates.
  93. 96. That the data are being passed to a stored procedure named getAdminHome1. </li></ul></ul>
  94. 97. <ul><li>A Walk in the ODBC Woods </li><ul><li>if our original UserID was 182 and UserID 180 is an admin, thenwemight be tempted to rewrite the UserID parameter.
  95. 98. SQL injection has been relegated to a minor input validation error. </li></ul></ul>
  96. 99. <ul><li>A Walk in the ODBC Woods </li><ul><li>What happens if we throw a space (+) into the mix?
  97. 100. Generate an ODBC error once more, but the @UserID variable has not been declared. This drives home the point of how difficult it is to break a stored procedure.
  98. 101. The SiteID variable is placed into the SiteID portion of the SQL statement. </li></ul></ul>
  99. 102. <ul><li>A Walk in the ODBC Woods </li><ul><li>What if we hadn’t bothered to include the SQL comment the first time around?
  100. 103. can change our UserID. Unfortunately, there are now two UserID parameters in the function call. </li></ul></ul>
  101. 104. <ul><li>A Walk in the ODBC Woods </li><ul><li>As another point of academic interest, consider a different method of submitting multiple parameters:
  102. 105. ASP receives the SiteID argument as “SiteID=12, 12”. The stored procedure sees this as: </li><ul><li>@name = 12, 12 </li></ul></ul></ul>
  103. 106. <ul><li>Common Countermeasures </li><ul><li>Robust Error Handling </li><ul><li>Never pass raw ODBC or other errors to the user. Use generic error pages and error handlers
  104. 107. the best way to accomplish this is through the “try, catch, finally” method of exception handling. </li></ul></ul></ul>
  105. 108. <ul><li>Common Countermeasures </li><ul><li>Parameter Lists </li><ul><li>Place user-supplied data into specific variables.
  106. 109. String concatenation is the bane of a secure SQL statement because it provides the easiest way for a user to manipulate the statement with tick marks.
  107. 110. Input validation should be performed on the Web server and items in the database should be strongly typed.
  108. 111. A field that only uses numeric values should be a type INT, not a VARCHAR. </li></ul></ul></ul>
  109. 112. <ul><li>Common Countermeasures </li><ul><li>Stored Procedures </li><ul><li>They require a specific number of parameters in specific places in a specific format.
  110. 113. Improved performance is often a byproduct of stored procedures. </li></ul></ul></ul>
  111. 114. <ul><li>Common Countermeasures </li><ul><li>Running with Least Privilege </li><ul><li>The database application should run in a least-privilege situation.
  112. 115. Also, the user account that the Web server uses should have limited functionality.
  113. 116. Doesn’t have to write to the Master database or perform backup duties </li></ul></ul></ul>
  114. 117. <ul><li>Common Countermeasures </li><ul><li>Protecting the Schema </li><ul><li>Table names, column names, and SQL structures should not appear in the HTML comment tags. </li></ul></ul></ul>
  115. 118. ATTACKING WEB SERVICE
  116. 119. <ul><li>What is a Web Service </li><ul><li>Web Services (WS) is an application program or working in one style service.
  117. 120. It will be run applications from other applications (php, asp, java, python) through web pages.
  118. 121. Service of a document that describes WS features of Corporate Services.
  119. 122. And offered the public aware WS users can search without having to know physical address of an application or program.
  120. 123. Web Services is a new generation of services in the web industry. Users simply pull services On the Web. Language is the core of the Web development XML. </li></ul></ul>
  121. 124. <ul><li>SOAP
  122. 125. SOAP (Simple Object Access Protocol) protocol to run Component to run across a cross-platform, cross language (asp.net, c #, php, perl, java, python, delphi). this protocol works with HTTP protocol and message format to communicate with language XML. </li></ul>
  123. 127. <ul><li>WSDL </li><ul><li>WSDL (Web Service Description Language) language that describe the features of Web Services and how to interact with Web Services in a language that supervision of W3C (World Wide Web Consortium) most popular use XML. </li><ul><li>The <types> and <message> elements define the format of the messages that can be passed
  124. 128. The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).
  125. 129. The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP. </li></ul></ul></ul>
  126. 130. <ul><li>WSDL . </li><ul><li>The <types> and <message> elements define the format of the messages that can be passed
  127. 131. The <portType> element defines the semantics of the message passing (for example, request-only, request-response, response-only).
  128. 132. The <binding> element specifies various encodings over a specified transport such as HTTP, HTTPS, or SMTP.
  129. 133. The <service> element defines the endpoint for the service (a URL). </li></ul></ul>
  130. 134. <ul><li>UDDI </li><ul><li>UDDI (Universal Description, Discovery and Integration) is a collection of Web Services in Internet The same source so users can search easily. If the comparison easy. Yellow pages to look like we used to view phone number. </li></ul></ul>
  131. 135. <ul><li>DISCO </li><ul><li>Discovery of Web Services (DISCO) is a Microsoft proprietary technology available within their .NET Server operating system and other .NET-related products.
  132. 136. To publish a deployed Web service using DISCO, you simply need to create a .disco file and place it in the Web service’s virtual root directory (vroot) along with the other service-related files (such as .asmx, .wsdl, .xsd, and other file types).
  133. 137. The .disco document is an XML document that contains links to other resources that describe the Web service, much like a WSDL file containing the interface contract. </li></ul></ul>
  134. 138. <ul><li>SAMPLE WEB SERVICES HACKS </li><ul><li>DISCO and WSDL Disclosure </li><ul><li>Microsoft Web services (.asmx files) may cough up DISCO and/or WSDL information simply by appending special arguments to the service request. </li></ul></ul></ul>http://www.victim.com/service.asmx <ul><ul><ul><li>DISCO or WSDL information can be displayed by appending ?disco or ?wsdl to this URL as shown below: </li></ul></ul></ul>http://www.victim.com/service.asmx?disco or http://www.victim.com/service.asmx?wdsl
  135. 140. <ul><li>DISCO and WSDL Disclosure Countermeasures </li><ul><li>The only way to ensure that DISCO or WSDL information doesn’t end up in the hands of intruders is to avoid creating the relevant .wsdl, .discomap, .disco, and .xsd files for the service. </li></ul></ul>
  136. 141. <ul><li>BASICS OF WEB SERVICE SECURITY </li><ul><li>Web Services Security Measures </li><ul><li>Authentication </li><ul><li>Using standard HTTP authentication technic, such as Basic, Digest, Windows Integrated, and SSL client-side certificates. </li></ul><li>XML Security </li><ul><li>XML Signature A specification for describing digital signatures using XML, providing authentication, message integrity, and nonrepudiation for XML documents.
  137. 142. XML Encryption A companion to XML Signature, it addresses the encryption and decryption of XML documents and portions of those documents. </li></ul></ul></ul></ul>
  138. 143. <ul><li>BASICS OF WEB SERVICE SECURITY </li><ul><li>Web Services Security Measures </li><ul><li>XML Security </li><ul><li>XML Key Management Specification (XKMS) Defines messages and protocols for registering and distributing public keys, permitting secure key distribution to unknown transaction partners.
  139. 144. Security Assertion Markup Language (SAML) Format for sharing authentication and authorization information.
  140. 145. Extensible Access Control Markup Language (XACML) An XML format forinformation access policies. </li></ul><li>SSL </li><ul><li>SSL be used in conjunction with Web services to protect against no-brainer eavesdropping and tampering attacks. </li></ul></ul></ul></ul>
  141. 146. Hacking Web Application Management
  142. 147. <ul><li>WEB SERVER ADMINISTRATION </li><ul><li>Telnet. </li><ul><li>Telnet is still currently running, but because a Telnet connection to a clean text. Then, Telnet is allowing the eavesdropping easier. </li></ul><li>SSH </li><ul><li>Secure Shell (SSH) has been the mainstay of secure remote management for years (more secure than Telnet, at least).
  143. 148. SSH1 also vulnerable to attack makes it easy. You should use SSH2 to which the security is higher. </li></ul></ul></ul>
  144. 149. <ul><li>WEB SERVER ADMINISTRATION </li><ul><li>Proprietary Management Ports </li><ul><li>Set the port for the web server to manage the vendors are usually set to We can use these ports to make a handle. </li></ul></ul></ul>
  145. 151. <ul><li>WEB CONTENT MANAGEMENT </li><ul><li>FTP </li><ul><li>DON’T RUN FTP ON YOUR WEB SERVERS! There’s just too much risk that someone will guess an account password or find an exploit that will give them the ability to write to the filesystem, and then it’s only a short hop to Web defacement (or worse)
  146. 152. The only exception we’d make to this rule is if access to the FTP service is restricted to a certain small range of IP addresses. </li></ul></ul></ul>
  147. 153. <ul><li>WEB CONTENT MANAGEMENT </li><ul><li>SSH/scp </li><ul><li>Secure Shell version 2 (SSH2) is a recommended protocol for remote Web server management (given that it is properly maintained).
  148. 154. There is a utility called Secure Copy (scp) that is available to connect to SSH services and perform file transfers right over (authenticated and encrypted) SSH tunnels. </li></ul></ul></ul>
  149. 155. <ul><li>WebDEV </li><ul><li>The following list shows some of the more offensive WebDAV methods: </li><ul><li>MKCOL ”Make Collection,” for creating a collection of resources on the Web server.
  150. 156. POST Used to post files to collections (this is a standard HTTP method that will likely see different use with WebDAV).
  151. 157. DELETE Need we say what effect this might have?
  152. 158. PUT Another standard HTTP method that is leveraged by WebDAV to upload content.
  153. 159. MOVE If unable to deface a Web server, hackers may just move the content around.
  154. 160. COPY Yes, it has an overwrite feature. </li></ul></ul></ul>
  155. 161. Question ?
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×