Security vulnerabilities in software

•Download as PPTX, PDF•

0 likes•44 views

An introduction about security vulnerabilities in software. According to this presentation, you can know 2 popular vulnerabilities nowadays such as Session hijacking and Middle Attack. Moreover, you can know how to use the tool to explores and the best practices to apply

Software

Why does have this presentation?
 Sharing is learning
 Understand a little bit knowledge about Security
 How to use the tools to explore
2

Agenda
 Security vulnerabilities
 Data
 Cookies
 Tools
 How to explore it efficiency
3

Security vulnerabilities
 Data
 Sensitive
 Secure
 Redundant
Rubbish
Repeatable
 Corrective
 Cookies
4

Sensitive data
 What is type of information that an
attacker want to get?
 The personal information
 Money
 Documents
 What is type of information that
normal use should not be seen?
 CPR number on other side
 Fee on other side
5

Secure data
 Replace a valid data by an invalid
 Data protected (in third services) have
not allowed to change
6

Redundant data
 Rubbish data
 Browser send data to Service
 Browser receive data from
Service
 Repeatable
 An information is repeated
many times
7

Corrective data
 Required field
 Date time
 Disable field
 Break rule for validation
8

Cookies
 Make a copy the cookie and use that
cookie to send request to system
 From then on, keeps on accessing the
system using the cookie
9

Tools - Why use tool?
 Postman
 https://www.getpostman.com/
 Fiddler
 https://www.telerik.com/fiddler
 ARC
 Burp Suite
 https://portswigger.net/burp
10

Demo - Session hijacking
 Scenario: As an attacker, I want to send GET
and POST request to the system even
though I have been logged out
 Steps:
1. User logs in
2. Use Postman tool to make a copy the
cookie
3. User logs out
4. Use Postman tool keeps on accessing the
system using the cookie
11
log in
log out
User
Browser
Attacker

Demo - Middle Attack
 Scenario: As an attacker, I want to
change sender a document by another
one
 Steps:
1. User A add a document
2. Use fiddler to catch request
3. Replace sender from user A to user B
4. Send request to Service
12
Browser
Attacker
send
Service
send

How to explore efficiency
 Understanding clearly the logic of system
 Observation how the system work
 F12
 See the API work between Browser and Service
 Think the possible situations that can happen
 Based on the problems that customer reported in the specification
 Try to reproduce it
 Ask developer about the confused with the behavior of system
 What if question
 What expected outcome
13

Similar to Security vulnerabilities in software

Open Id, O Auth And Webservices

Myles Eftos

Daniel billing exploring the security testers toolbox

Romania Testing

U2F Case Study: Examining the U2F Paradox

FIDO Alliance

Understanding Cross-site Request Forgery

Daniel Miessler

How Software Works in system environment

ItcHcm1

Project 1 Template (Due on Week 4) Name: Date: Executive summary Briefly (no more than one page) describe the requirements and introduce the topics of the project. List three benefits of using Azure Explain what the company is struggling with and how the company could benefit from using the cloud. Explain Azure cloud types and deployment models Provide a detailed overview of Azure cloud types and deployment models. Define Azure termsExplain each term in detail: · tenant· management group· subscription· resource group· resourcesExplain the significance of FedRAMP Explain the need for certification by the Federal Risk and Authorization Management Program (FedRAMP) and what security assurance it provides. Propose an Azure governance model The governance model should include the following: · identity management · access management groups · security controls · network services · blueprintsReferences Include at least five references using 7th edition APA citation style. Cyber Domain Consultants 1 Cloud Services and Technology Olugbenga Adeyemo University of Maryland Global Campus CCA 610 9042 Cloud Services and Technologies Professor Mike Varnado October 15, 2022 IT Business Requirements Requirement analysis also referred to as requirements engineering is the way of identifying user’s projection for a new product. As Ballot online is transiting over to cloud functionalities one route to determine the requirements includes breaking up business requirements into functional and nonfunctional system. Functional requirements are the origin or heartbeat of a system, they analyze what the system need to fulfill. an example of functional is authenticating user’s logging into the system and sales system allowing user to record customer sales. Nonfunctional requirements describe the backing elements of functional requirements. Nonfunctional requirements read out how the system would act and is a restriction on that behavior. An example of non-functional requirement is Speed: speed determines how system manages workloads when using different applications at the same time. Functional Requirements for Ballot Online This requirement that describes what Ballot Online application ought to do. The functional requirement for ballot online will look like: 1.a. Client Focus: Client should be able to log in and out into the specific application. b. Unauthorized client or user should not be able to log in or access the application. c. System should allow new client to register without any issues. 2.Transaction, correction, adjustment, and cancellation: The voters should be able to adjust, make corrections, and cancel their vote before they cast their votes. 3.Authneticatio: System should restrict voters from casting multiple votes. b. There should be a notification when a vote is cast. c. Voters should see ballot display on one screen. 4. Authorization Level: During the voting session the system will give access to.

Project 1 Template (Due on Week 4)Name.docx

simonlbentley59018

firewalls

marvejoy341

Phishing is a threat to all users of the internet who intend to use the web for secure transactions. In the recent years the number of phishing attacks have increased drastically especially since the advent of ecommerce, net banking and other services that have an emphasis on security. Phishing is characterized as any malicious attack aided by a spoofed webpage to encourage users to input their security details. Phishing is largely done to retrieve passwords and security details of unsuspecting users. This paper details a new and more secure way to counteract the method of phishing

A novel way of integrating voice recognition and one time passwords to preven...

ijdpsjournal

Owasp top-10-mobile-risks-v-1-3 publish

Ali Kazmi

Secure Code Warrior - Robust error checking

Secure Code Warrior

INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx

SuhailShaik16

Real estate management system

SouvikSarkar75

1.8 Exercises 1. Distinguish between vulnerability, threat, and control. 2. Theft usually results in some kind of harm. For example, if someone steals your car, you may suffer financial loss, inconvenience (by losing your mode of transportation), and emotional upset (because of invasion of your personal property and space). List three kinds of harm a company might experience from theft of computer equipment. 3. List at least three kinds of harm a company could experience from electronic espionage or unauthorized viewing of confidential company materials. 4. List at least three kinds of damage a company could suffer when the integrity of a program or company data is compromised. 5. List at least three kinds of harm a company could encounter from loss of service, that is, failure of availability. List the product or capability to which access is lost, and explain how this loss hurts the company. 6. Describe a situation in which you have experienced harm as a consequence of a failure of computer security. Was the failure malicious or not? Did the attack target you specifically or was it general and you were the unfortunate victim? 7. Describe two examples of vulnerabilities in automobiles for which auto manufacturers have instituted controls. Tell why you think these controls are effective, somewhat effective, or ineffective. 8. One control against accidental software deletion is to save all old versions of a program. Of course, this control is prohibitively expensive in terms of cost of storage. Suggest a less costly control against accidental software deletion. Is your control effective against all possible causes of software deletion? If not, what threats does it not cover? 9. On your personal computer, who can install programs? Who can change operating system data? Who can replace portions of the operating system? Can any of these actions be performed remotely? 10. Suppose a program to print paychecks secretly leaks a list of names of employees earning more than a certain amount each month. What controls could be instituted to limit the vulnerability of this leakage? 11. Preserving confidentiality, integrity, and availability of data is a restatement of the concern over interruption, interception, modification, and fabrication. How do the first three concepts relate to the last four? That is, is any of the four equivalent to one or more of the three? Is one of the three encompassed by one or more of the four? 12. Do you think attempting to break in to (that is, obtain access to or use of) a computing system without authorization should be illegal? Why or why not? 13. Describe an example (other than the ones mentioned in this chapter) of data whose confidentiality has a short timeliness, say, a day or less. Describe an example of data whose confidentiality has a timeliness of more than a year. 14. Do you currently use any computer security control measures? If so, what? Against what attacks are you trying to protect? 15. Describe an example i ...

1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx

hacksoni

Unit 5

KRAMANJANEYULU1

KMS (1)

Satyaki Mitra

Web PenTest Sample Report

Octogence

unit 2 -program security.pdf

KavithaK23

Web Application Security

Colin English

IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...

IRJET Journal

FIDO-U2F-Case-Study_Hanson.pptx

VladVlad504281

Similar to Security vulnerabilities in software (20)

Open Id, O Auth And Webservices

Daniel billing exploring the security testers toolbox

U2F Case Study: Examining the U2F Paradox

Understanding Cross-site Request Forgery

How Software Works in system environment

Project 1 Template (Due on Week 4)Name.docx

firewalls

A novel way of integrating voice recognition and one time passwords to preven...

Owasp top-10-mobile-risks-v-1-3 publish

Secure Code Warrior - Robust error checking

INTERNSHIPREVIEW-ISHAQ (1) [Recovered].pptx

Real estate management system

1.8 Exercises1. Distinguish between vulnerability, threat, and con.docx

Unit 5

KMS (1)

Web PenTest Sample Report

unit 2 -program security.pdf

Web Application Security

IRJET- Securing Internet Voting Protocol using Implicit Security Model and On...

FIDO-U2F-Case-Study_Hanson.pptx

Recently uploaded

We specialize in Psychic Readings, Psychic Love Spells, Binding Love Spells, Obsession Spells, Voodoo Spells, Lottery Spells, Marriage Spells, Black Magic Spells, Palm Readings & much more. Are you depressed? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? We perform this come-to-me love spell that works instantly with the aim of bringing back the victim to the person performing the magic. Have you lost your lover? Do u need to solve any relationship problem? Contact the powerful spells caster chief kule with love spells that work overnight and love spells that really work. Have you found yourself infatuated with a special someone you think could be the one? Are you looking for a spell to provide them with a nudge in the right direction? Or maybe the spell you cast didn’t achieve the results you were hoping for? Whether you’re new or versed in the ways of spell casting, we’re here to help. Today we’re going to provide you with a detailed guide on the types of love spells to cast. Not only that but there’s something for those who wish to find outside advice from more advanced spell casters. We’re also going to provide you with the top sites available to help you with your dilemma. Let’s begin our journey by educating ourselves on love magic and what a real love caster looks like. Love Magic and Love Casters Love magic made its first appearance back in Ancient Egypt and has been an active practice since. This type of magic is a branch of traditional magic and can be practiced in various ways. Typically the more common use of love magic is through the work of spells, but other methods look like Charms Rituals-LOVE Potions-Dolls and even Amulets If you are interested in becoming a love caster, be prepared for what’s to come. A genuine love caster knows that the art of love casting is no easy feat and shouldn’t be done casually. You should know that not only does it require you to be gifted spiritually, but you must be ready to serve others. Someone who is considered a real love caster has experience in all manner of spells, no matter the difficulty. Training yourself in attraction, commitment, and marriage spells is an excellent place to start. But this by no means will make you a professional. Practice your craft and expand your knowledge; understand that you will possess the ability to help others in time truly. Types of Love Spells What better way to start broadening your experiences with love spells than by learning more about them? These spells work like just about any other spell. Simply apply your intention, use a medium (sigils, mantras, candles, or charm bags), and top it off with establishing the belief that you will receive what you want. So what kind of spells are available and which ones suit your needs the best? Let’s take a look at the many options you have at your disposal.

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

masabamasaba

Craft an AI & Machine Learning Pitch with our Editable Professional PowerPoint Template. Ignite your AI & Machine Learning pitch with our cutting-edge PowerPoint template tailored for the industry. Perfect for AI conferences, investor presentations, sales pitches to tech-focused companies, training sessions, and educational programs. - 20+ editable slides: Get a variety of options to choose from for your presentation. - Time-saving solution: Download, replace text/images with a few clicks. - User-friendly customization: Easy to use and personalize. - Modern and attractive design: Captivating visuals, sleek layout. - Tailored to your requirements: Fully alterable for customization. - Well-organized slides: Complete control over content. - Thematic specificity: Reflects healthcare industry with relevant graphics. - Showcase your business idea: Communicate value proposition effectively.

AI & Machine Learning Presentation Template

Presentation.STUDIO

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

masabamasaba

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

masabamasaba

WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...

WSO2

Data spaces in distributed environments should be allowed to evolve in agile ways providing data space owners with large flexibility about which data they store. Agility and heterogeneity, however, jeopardize data exchanges because representations may build on varying ontologies and data consumers may not rely on the semantic correctness of their queries in the context of semantically heterogeneous, evolving data spaces. Graph data spaces are one example of a powerful model for representing and querying data whose semantics may change over time. To assert and enforce conditions on individual graph data spaces, shape languages (e.g SHACL) have been developed. We investigate the question of how querying and programming can be guarded by reasoning over SHACL constraints in a distributed setting and we sketch a picture of how a future landscape based on semantically heterogeneous data spaces might look like.

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Steffen Staab

At the recent Microsoft Ignite 2023 conference, Microsoft unveiled a groundbreaking strategy that will redefine enterprise work management. The plan involves integrating Microsoft’s key planning tools, Microsoft To Do, Microsoft Planner, and Microsoft Project for the web into a unified experience called “Microsoft Planner.” What does this new strategy from Microsoft mean for current users? Join us and learn how best to take advantage of this announcement while gaining a clear path on how to elevate the current state of Microsoft Planner from a basic task manager to a comprehensive tool for Enterprise Work Management using OnePlan. Learn how OnePlan’s integration with Microsoft Planner allows for strategic alignment with business goals through advanced features like strategic planning, portfolio management, resource management, financial management, and more!

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

OnePlan Solutions

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

masabamasaba

WSO2CON2024 - It's time to go Platformless

WSO2

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

WSO2

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Jittipong Loespradit

Announcing Codolex 2.0 from GDK Software

Jim McKeeth

VTU technical seminar 8Th Sem on Scikit-learn

AmarnathKambale

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

masabamasaba

Looking for an efficient way to manage your finances? Look no further than our money management app. With easy-to-use features, you can track your expenses, create budgets, and monitor your savings goals all in one place. Our app provides real-time updates on your spending habits and helps you make smarter financial decisions. Take control of your finances today with our user-friendly money management app.

Right Money Management App For Your Financial Goals

Jhone kinadey

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

masabamasaba

The title is not connected to what is inside

shinachiaurasa2

In today's dynamic e-commerce landscape, the payment gateway emerges as a linchpin, ensuring smooth and secure transactions between buyers and sellers. In this discourse, we delve into the meticulous process of devising test cases tailored for scrutinizing payment gateways. Crafting precise test cases for payment gateways is a quintessential responsibility for testers operating within the service industry. This article meticulously explores pivotal scenarios integral to how to test payment gateways, coupled with essential guidelines for drafting effective test cases.

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

kalichargn70th171

WSO2CON 2024 - Does Open Source Still Matter?

WSO2

The fast-paced world of Agile development just got a turbo boost! Dive into this engaging talk on "Innovation at Speed: ChatGPT & the AI Transformation in Agile Development." Over the last few months, AI, including notable tools like Google Bard and Microsoft Co-Pilot, has been leveraged to supercharge Agile workflows. In this session, attendees will get an overview of the current AI landscape and its impact on development. They will learn why AI is the game-changer needed to embrace in the Agile lifecycle, offering that elusive X factor to multiply productivity. Real-world examples will be presented, and the challenges of implementing AI tools like ChatGPT within corporate environments will be discussed.

Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment

VictorSzoltysek

Recently uploaded (20)

%+27788225528 love spells in new york Psychic Readings, Attraction spells,Bri...

AI & Machine Learning Presentation Template

%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain

%in tembisa+277-882-255-28 abortion pills for sale in tembisa

WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...

Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...

Introducing Microsoft’s new Enterprise Work Management (EWM) Solution

%+27788225528 love spells in Boston Psychic Readings, Attraction spells,Bring...

WSO2CON2024 - It's time to go Platformless

WSO2Con2024 - Enabling Transactional System's Exponential Growth With Simplicity

MarTech Trend 2024 Book : Marketing Technology Trends (2024 Edition) How Data...

Announcing Codolex 2.0 from GDK Software

VTU technical seminar 8Th Sem on Scikit-learn

%in ivory park+277-882-255-28 abortion pills for sale in ivory park

Right Money Management App For Your Financial Goals

%in Hazyview+277-882-255-28 abortion pills for sale in Hazyview

The title is not connected to what is inside

Payment Gateway Testing Simplified_ A Step-by-Step Guide for Beginners.pdf

WSO2CON 2024 - Does Open Source Still Matter?

Harnessing ChatGPT - Elevating Productivity in Today's Agile Environment

Security vulnerabilities in software

1. Security vulnerabilities 1

2. Why does have this presentation?  Sharing is learning  Understand a little bit knowledge about Security  How to use the tools to explore 2

3. Agenda  Security vulnerabilities  Data  Cookies  Tools  How to explore it efficiency 3

4. Security vulnerabilities  Data  Sensitive  Secure  Redundant Rubbish Repeatable  Corrective  Cookies 4

5. Sensitive data  What is type of information that an attacker want to get?  The personal information  Money  Documents  What is type of information that normal use should not be seen?  CPR number on other side  Fee on other side 5

6. Secure data  Replace a valid data by an invalid  Data protected (in third services) have not allowed to change 6

7. Redundant data  Rubbish data  Browser send data to Service  Browser receive data from Service  Repeatable  An information is repeated many times 7

8. Corrective data  Required field  Date time  Disable field  Break rule for validation 8

9. Cookies  Make a copy the cookie and use that cookie to send request to system  From then on, keeps on accessing the system using the cookie 9

10. Tools - Why use tool?  Postman  https://www.getpostman.com/  Fiddler  https://www.telerik.com/fiddler  ARC  Burp Suite  https://portswigger.net/burp 10

11. Demo - Session hijacking  Scenario: As an attacker, I want to send GET and POST request to the system even though I have been logged out  Steps: 1. User logs in 2. Use Postman tool to make a copy the cookie 3. User logs out 4. Use Postman tool keeps on accessing the system using the cookie 11 log in log out User Browser Attacker

12. Demo - Middle Attack  Scenario: As an attacker, I want to change sender a document by another one  Steps: 1. User A add a document 2. Use fiddler to catch request 3. Replace sender from user A to user B 4. Send request to Service 12 Browser Attacker send Service send

13. How to explore efficiency  Understanding clearly the logic of system  Observation how the system work  F12  See the API work between Browser and Service  Think the possible situations that can happen  Based on the problems that customer reported in the specification  Try to reproduce it  Ask developer about the confused with the behavior of system  What if question  What expected outcome 13

14. Q&A 14

Editor's Notes

The personal information CPR number or CVR number Money => Claim, Fee Document => Type of document, Sender, receiver
Replace a valid data by an invalid Replace sender document by another sender Data protected ( in third services) had been changed In creation case, there is a function called Adding lawyer to part. However, as an attacker, I can able to change information of that lawyer from Browser and send to Services What is type of information that normal use should not be seen? CPR number on other side Fee on other side
Browser send data to Service => Sending data is redundant information or not Example: When creating a part, the information about 'Postnummer' and 'By' (Postal code,Town) are sending the whole address of Danmark to Services Browser receive data from Service => Should just receive enough information to display Example: A meeting should use name and exchange ID for showing
Disable field An information show to user (disbale file - only see ) - ensure that user could not change when submit from Portal Break rule for validation Have to at least 5 characters
Why use tool? Fake information of user and able to send to server Interact a request between Browser and Servers and able to change information

Security vulnerabilities in software

Recommended

Recommended

More Related Content

Similar to Security vulnerabilities in software

Similar to Security vulnerabilities in software (20)

Recently uploaded

Recently uploaded (20)

Security vulnerabilities in software

Editor's Notes