Owasp Serbia: sqli,xss

Predrag Cujanovic from OWASP Serbia talking about Cross site scripting, SQL injection and insecure cryptographic storage. The presentation was held on 9.7.2012 at the Faculty of Electrical Engineering, University of Belgrade.

  1. Predrag Cujanović Contact • mail: predrag@cujanovic.com • blog: http://www.cujanovic.com • tw: http://www.twitter.com/cujanovic • fb: http://www.facebook.com/predrag.cujanovic
  2. Contents: • Cross site scripting (XSS) attack • SQL injection (SQLi) attack • Insecure cryptographic storage • Examples
  3. Cross site scripting (XSS) attack • What is an XSS attack? • Types of XSS attack • Danger of XSS attacks • How to prevent an XSS attack?
  4. What is an XSS attack?
  5. Types of XSS attack • Non-Persistent (Reflected) • Persistent (Stored) • DOM Based
  6. Danger of XSS attacks: XSS Shell
  7. Danger of XSS attacks: Cookie stealing, Phishing
  8. How to prevent an XSS attack? • By filtering data through the predefined PHP functions strip_tags, htmlspecialchars, htmlentities • Avoid writing your own functions just for this purpose
  9. SQL injection (SQLi) attack • What is an SQLi attack? • Types of SQLi attack • Danger of SQLi attacks • How to prevent an SQLi attack?
  10. What is an SQLi attack?
  11. Types of SQLi attack • Incorrectly filtered escape characters (SELECT * FROM users WHERE name = OR 1=1 -- ;) • Incorrect type handling (SELECT * FROM userinfo WHERE id=1;DROP TABLE users;) • Blind SQL injection (SELECT booktitle FROM booklist WHERE bookId = OOk14cd AND 1=1;) • Time Based SQL injection (download_key=1 AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND uzOQ=uzOQ)
  12. Danger of SQLi attacks • Access to data in the database (UNION SELECT 1,2,3,4--) • Modifying or deleting data in the database – DROP users; • Reading files – the load_file(/etc/passwd) or load_file(0x2f6574632f706173737764) function • Creating new files – INTO OUTFILE /var/www/victim.com/shell.php
  13. How to prevent an SQLi attack? • the mysql_real_escape_string function • the is_numeric function • cast to int – (int)
  14. Insecure cryptographic storage
  15. Insecure cryptographic storage 0. use a hash algorithm 1. do not use obsolete hash algorithms (md5 is officially dead) 2. use a salt, preferably not stored in the database (Wordpress example) 3. use two different hash algorithms (sha1($salt.(des($salt.$pass.$salt))))
  16. Insecure cryptographic storage: oclHashcat-plus
  17. Thank you for your attention :) Questions?
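As an added example, not from the presentation, the PHP checks from slides 8 and 13 applied to a lookup by numeric id: the vulnerable string concatenation next to a hardened version that validates with is_numeric, forces the type with an (int) cast and binds the value in a prepared statement, with htmlspecialchars on the output side. The function names, the $pdo connection and the users(id, name) table are assumptions made for the example.

```php
<?php
// Added example, not code from the slides. Assumes a PDO connection $pdo and
// an assumed table users(id INTEGER, name TEXT).

// VULNERABLE: the id is concatenated straight into the query text, so a value
// such as "1;DROP TABLE users" (slide 11, incorrect type handling) is parsed
// by the database as SQL rather than treated as data.
function getUserByIdVulnerable(PDO $pdo, string $id): ?array {
    $sql = "SELECT id, name FROM users WHERE id=" . $id;
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: reject anything that is not a plain integer (is_numeric plus a
// round-trip through the (int) cast), then bind the typed value in a prepared
// statement so the database never interprets it as part of the query.
function getUserByIdSafe(PDO $pdo, string $id): ?array {
    if (!is_numeric($id) || (string)(int)$id !== $id) {
        return null;   // "1 OR 1=1", "1;DROP TABLE users", "1.5", "0x1" all stop here
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output side (slide 8): encode before placing user-controlled data in HTML,
// so a stored name such as <script>... is rendered as text, not executed.
function renderUser(array $row): string {
    return '<li>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

// Offline demo on an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, '<script>alert(1)</script>')");

var_dump(getUserByIdSafe($pdo, '1'));          // row for alice
var_dump(getUserByIdSafe($pdo, '1 OR 1=1'));   // NULL: rejected before any query runs
echo renderUser(getUserByIdSafe($pdo, '2')), "\n";   // <li>&lt;script&gt;...&lt;/script&gt;</li>
```

mysql_real_escape_string from slide 13 belongs to the mysql extension that was removed in PHP 7.0; the bound parameter in getUserByIdSafe is the current way to get the same separation of query and data.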
