Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Ch 1: Web Application (In)security
Ch 2: Core Defense Mechanisms
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 129S: 9: Attacking Data Stores (Part 2 of 2)Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S: Securing Web Applications Ch 1-2Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Ch 1: Web Application (In)security
Ch 2: Core Defense Mechanisms
Teacher: Sam Bowne
Website: https://samsclass.info/129S/129S_F16.shtml
CNIT 129S - Ch 3: Web Application TechnologiesSam Bowne
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
The Open Web Application Security Project, is an online community that produces freely-available articles, methodologies, documentation, tools, and technologies in the field of web application security.
One of those projects, The OWASP Top Ten, provides a powerful awareness document for web application security. The OWASP Top Ten represents a broad consensus about what the most critical web application security flaws are.
The OWASP team recently released the 2017 revised and updated version of the ten most critical web application security risks and so we’ve created these flash cards for you, your friends, and your colleagues (especially product and engineering :) to test your knowledge and learn more about these important issues.
Company-wide security awareness is a powerful way to improve the overall security of your organization. So adorn your waiting rooms, cubicles, and snack rooms with these flash cards for easy learning and remembrance.
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 4 Getting the Investigation Started on the Right Foot & 5 Initial D...Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
CNIT 121: 12 Investigating Windows Systems (Part 2 of 3)Sam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
CNIT 121: 6 Discovering the Scope of the Incident & 7 Live Data CollectionSam Bowne
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia.
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course based on "Incident Response & Computer Forensics, Third Edition" by by Jason Luttgens, Matthew Pepe, and Kevin Mandia".
Ch 1: Real-World Incidents
Teacher: Sam Bowne
Website: https://samsclass.info/121/121_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
This is a presentation I gave at DEF CON 23, in the Packet Hacking Village.
CNIT 129S: Ch 7: Attacking Session Management Sam Bowne
Slides for a college course based on "The Web Application Hacker's Handbook", 2nd Ed.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/129S/129S_F16.shtml
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Slides for a college course at City College San Francisco. Based on "Hacking Exposed Mobile: Security Secrets & Solutions", by Bergman, Stanfield, Rouse, Scambray, Geethakumar, Deshmukh, Matsumoto, Steven and Price, McGraw-Hill Osborne Media; 1 edition (July 9, 2013) ISBN-10: 0071817018.
Instructor: Sam Bowne
Class website: https://samsclass.info/128/128_S17.shtml
CNIT 127 Ch 5: Introduction to heap overflowsSam Bowne
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
Slides for a college course based on "DNS Security" by Anestis Karasaridis.
Teacher: Sam Bowne
Twitter: @sambowne
Website: https://samsclass.info/40/40_F16.shtml
For a college course at CCSF taught by Sam Bowne.
https://samsclass.info/129S/129S_S18.shtml
Based on "The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws 2nd Edition", by Dafydd Stuttard , Marcus Pinto; ISBN-10: 1118026470
There are some government vehicles which transports the wastage to recycling plants, but those are not efficient in their work
Government came with many awareness programs which are didn’t effected the people, so that the construction waste is increasing daily
There are many recycling plants in India , but there is not a particular transport system to transport the construction waste
The people also not aware of the recycled products which available in low cost
Some recycling plants are closed due to there is no transportation of the waste to the plants for recycling purpose
There are some government vehicles which transports the wastage to recycling plants, but those are not efficient in their work
Government came with many awareness programs which are didn’t effected the people, so that the construction waste is increasing daily
There are many recycling plants in India , but there is not a particular transport system to transport the construction waste
The people also not aware of the recycled products which available in low cost
Some recycling plants are closed due to there is no transportation of the waste to the plants for recycling purpose
There are some government vehicles which transports the wastage to recycling plants, but those are not efficient in their work
Government came with many awareness programs which are didn’t effected the people, so that the construction waste is increasing daily
There are many recycling plants in India , but there is not a particular transport system to transport the construction waste
The people also not aware of the recycled products which available in low cost
Some recycling plants are closed due to there is no transportation of the waste to the plants for recycling purpose
There are some government vehicles which transports the wastage to recycling plants, but those are not efficient in their work
Government came with many awareness programs which are didn’t effected the people, so that the construction waste is increasing daily
There are many recycling plants in India , but there is not a particular transport system to transport the construction waste
The people also not aware of the recycled products which available in low cost
Some recycling plants are closed due to there is no transportation of the waste to the plants for recycling purpose
There are some government vehicles which transports the wastage to recycling plants, but those are not efficient in their work
Government came with many awareness programs which are didn’t effected the people, so that the construction waste is increasing daily
There are many recycling plants in India , but there is not a particular transport system to transport the construction waste
The people also not aware of the recycled products which available in low cost
Some recycling plants are closed due to there is no transportation of the waste to the plants for recycling purpose
There are some government vehicles which transports the wastage to recycling plants,
6.1 Identify correct descriptions or statements about the security issues:
Authentication
authorization
Data integrity
Auditing
Malicious code
Website attacks
6.2 Identify the deployment descriptor element names, and their structure, that declare the following:
A security constraint
A web resource
The login configuration
A security role
6.3 Given authentication type: BASIC, DIGEST, FORM, and CLIENT-CERT, identify the correct definition of its mechanism.
7.1 Identify which attribute scopes are thread-safe:
Local variables
Instance variables
Class variables
Request attributes
Session attributes
Context attributes
7.2 Identify correct statements about differences between the multithreaded and single-threaded servlet models.
7.3 Identify the interface used to declare that a servlet must use the single thread model.
Embracing GenAI - A Strategic ImperativePeter Windle
Artificial Intelligence (AI) technologies such as Generative AI, Image Generators and Large Language Models have had a dramatic impact on teaching, learning and assessment over the past 18 months. The most immediate threat AI posed was to Academic Integrity with Higher Education Institutes (HEIs) focusing their efforts on combating the use of GenAI in assessment. Guidelines were developed for staff and students, policies put in place too. Innovative educators have forged paths in the use of Generative AI for teaching, learning and assessments leading to pockets of transformation springing up across HEIs, often with little or no top-down guidance, support or direction.
This Gasta posits a strategic approach to integrating AI into HEIs to prepare staff, students and the curriculum for an evolving world and workplace. We will highlight the advantages of working with these technologies beyond the realm of teaching, learning and assessment by considering prompt engineering skills, industry impact, curriculum changes, and the need for staff upskilling. In contrast, not engaging strategically with Generative AI poses risks, including falling behind peers, missed opportunities and failing to ensure our graduates remain employable. The rapid evolution of AI technologies necessitates a proactive and strategic approach if we are to remain relevant.
Biological screening of herbal drugs: Introduction and Need for
Phyto-Pharmacological Screening, New Strategies for evaluating
Natural Products, In vitro evaluation techniques for Antioxidants, Antimicrobial and Anticancer drugs. In vivo evaluation techniques
for Anti-inflammatory, Antiulcer, Anticancer, Wound healing, Antidiabetic, Hepatoprotective, Cardio protective, Diuretics and
Antifertility, Toxicity studies as per OECD guidelines
Introduction to AI for Nonprofits with Tapp NetworkTechSoup
Dive into the world of AI! Experts Jon Hill and Tareq Monaur will guide you through AI's role in enhancing nonprofit websites and basic marketing strategies, making it easy to understand and apply.
Model Attribute Check Company Auto PropertyCeline George
In Odoo, the multi-company feature allows you to manage multiple companies within a single Odoo database instance. Each company can have its own configurations while still sharing common resources such as products, customers, and suppliers.
Unit 8 - Information and Communication Technology (Paper I).pdfThiyagu K
This slides describes the basic concepts of ICT, basics of Email, Emerging Technology and Digital Initiatives in Education. This presentations aligns with the UGC Paper I syllabus.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
How to Make a Field invisible in Odoo 17Celine George
It is possible to hide or invisible some fields in odoo. Commonly using “invisible” attribute in the field definition to invisible the fields. This slide will show how to make a field invisible in odoo 17.
Francesca Gottschalk - How can education support child empowerment.pptxEduSkills OECD
Francesca Gottschalk from the OECD’s Centre for Educational Research and Innovation presents at the Ask an Expert Webinar: How can education support child empowerment?
4. 1. Asking the Oracle
• "Remember me" function sets a permanent
cookie
• Containing an encrypted string that contains
• Name, User ID, and volatile data to make it
unique and unpredictable, including machine IP
address
• Screen name also saved in encrypted form as
ScreenName
5. Assumption
• It's OK to use same encryption algorithm to
encrypt both cookies
• But user can control ScreenName
• And the app decrypts that cookie, showing the
result on the screen
6. The Attack
• Copy the RememberMe cookie into the
ScreenName cookie
• The app decrypts it and shows the result
• Now change screen name to
7. The Attack
• Log out, log back in, and copy the new
ScreenName cookie to the RememberMe cookie
• Attacker is now admin!
• Encryption was 3DES and unbreakable, but it
didn't matter
8. Hack Steps
• Look for items that are encrypted, not hashed
• With data from the user
• Substitute other encrypted values
• Try to cause an error that reveals the decrypted
value
9. 2. Fooling a Password
Change Function
• Form for password change asks for
• Username
• Existing password
• New password
• Confirm new password
10. 2. Fooling a Password
Change Function
• Administrators have a form that can change any
password, implemented by the same server-side
script
• Administrator's form doesn't ask for existing
password
11. The Assumption
• When a request comes in without an existing
password, that indicates that it came from an
administrator
12. The Attack
• Submit a password change without any existing
password
• Reset anyone's password
• This really happened in the AOL AIM Enterprise
Gateway application
13. Hack Steps
• Try deleting each parameter, one by one
• Delete the name as well as the value
• Try it at each step of the process
14. 3. Proceeding to Checkout
• Assumption
• Users will perform steps in sequence
• A user on the last step must have entered
payment details
15. The Attack
• "Forced Browsing"
• Circumvent controls that make the steps
occur in sequence
• Proceed directly from step 2 to step 4
• Get product without paying for it
16. Hack Steps
• Try skipping stages, doing a single stage more
than once, and doing earlier stages after later
ones
• Stages may use different URLs or parameter
values
• Guess assumptions and violate them
• Watch for interesting error messages
17. 4. Rolling Your Own
Insurance
• App lets users obtain quotes for insurance, and,
if desired, submit an insurance application online
• It used a dozen stages
• 1. Applicant submits basic information, and
either preferred monthly premium or amount of
desired insurance payout
• App computes values the applicant did not
specify
18. 4. Rolling Your Own
Insurance
• 2. Across several stages, applicant supplies
other personal details: health, occupation,
pastimes, etc.
• 3. Finally application is sent to an underwriter
• Underwriter uses the same web app to review
the details and decide whether to approve the
application, or modify the initial quote to
reflect additional risks
19. 4. Rolling Your Own
Insurance
• Each stage uses a shared component to
process each parameter of user data
• Component parsed all data in each POST
request into name/value pairs and updated state
information
20. Assumption
• Each request will contain only the parameters
requested in the current HTML form
• Developers did not consider a user who
submitted extra parameters
21. The Attack
• Supply valid data at earlier stage
• But then overwrite it with later requests
resetting the same value
• No validation was performed on the
unexpected parameters
• Allowed an XSS injection that revealed personal
information of other applicants
22. The Attack
• Purchase insurance at an arbitrary price
• Replace monthly premium at later stages
• Force approval
• Underwriter sets parameters in same web app
to indicate disapproval
• Attacker can set them, bypassing the actual
underwriter
23. Hack Steps
• Take parameters from one stage, and add them
to requests from another stage
• Take parameters used by one type of user and
try submitting them as another type of user
24. 5. Breaking the Bank
• App lets existing bank customers register for
online banking
• Collects name, address and date of birth
• But no PIN or any other secret
• Forwards request to back-end system
• Mails an application pack to the customer
containing instructions, a phone number for
activation, and a one-time password
25. Assumption
• Designers regarded this process as safe, with three
layers of protection
• Some personal data required to start the process
to deter impostors
• Secret one-time password sent by mail; difficult
for attacker to steal
• Customer required to call in and authenticate with
personal information and selected digits from a
PIN
27. The Attack
• Same data object used for online banking and
registration
• Account details shown on main e-banking page
were generated from the customer number
• Main banking application required several levels
of authentication and access control to access
the data
28. Attack Steps
• 1. Log in with valid credentials
• 2. Using the authenticated session, go to
registration function and submit a different
customer's personal information
• The app overwrites the CCustomer object with
a new object relating to the targeted customer
• 3. Return to the main application functionality
and access the other customer's account
29. Fundamental Flaw
• Same database object can be written two ways
• 1. Main banking function allows writing after
strict authentication
• These designers think the user is known
• 2. Registration function allows writing without
authentication
• These users are unknown
30. 6. Beating a Business Limit
• Financial personnel can transfer funds between
company bank accounts and customers and
suppliers
• Application prevents must users from
performing transfers over $10,000
• Larger transfers require a senior manager's
approval
31. The Code
• Any transaction that's too large requires
approval
32. The Attack
• Transfer a negative amount
• Such as -$100,000.00
• No approval required because it's below
$10,000.00
• Money flows in opposite direction
34. 7. Cheating on Bulk
Discounts
• Users order software products
• Discount if a bundle of items purchased
together
• 25% discount for buying antivirus, firewall,
and antispam all together
35. Assumption
• Discount applied when items added to shopping
basket
• Developers assumed that shopper would buy
everything in the basket
36. The Attack
• Add every item possible to the basket
• Get discounted price
• Remove unwanted items from basket
• Discounted price persists
37. 8. Escaping from Escaping
• Found in the web interface for a NIDS
• User-controlled input placed in an operating
system command
• Developers understood the code injection risk
• Added backslash to escape these characters:
• ; | & < > ' space newline
38. The Attack
• Developers forgot to escape the backslash itself
• Attacker enters
• foo;ls
• Application converts it to
• foo;ls
• Which allows the ; to get through unescaped
39. 9. Invalidating Input
Validation
• Input validation system
• SQL injection filter changes all quotes to
double-quotes
• Will be interpreted as literal quotes, not
metacharacters
• Length limit truncates all input to 128 characters
41. The Attack
• Submit a username of 127 a's followed by a
single quotation mark, and password foo
• aaaaa[...]aaaaa'
• App adds another ', but the length limit removes
it
• This causes a SQL syntax error
• SELECT * FROM users WHERE username =
'aaaaa[..]aaaaa'' and password =
'foo'
42. The Attack
• Submit the same username, and a password of
• or 1=1--
• Query becomes this, bypassing the login
• SELECT * FROM users WHERE username =
'aaaaa[..]aaaaa'' and password = 'or
1=1--'
• '' is interpreted as a literal ', not a metacharacter
43. Detecting This Error
• Submit strings like this, look for SQL errors
• Vulnerabilities occur when input passes through
sequential validation steps
• One step can undo another step
44. 10. Abusing a Search
Function
• Application provides access to a huge archive of
information
• Accessible only to paying subscribers
• Provided powerful search engine
• Anonymous user can perform a query to see what's
available
• But must pay to read the found articles
45. Assumption
• User cannot get useful information from the
search function before paying
• Document titles were typically cryptic, like
• "Annual Results 2010"
• "Press Release 08-03-2011"
• Etc.
46. The Attack
• Query searches full text of documents
• Guess at contents, and deduce them from the
number of found documents
• Like blind SQL injection
47.
48. Real-World Application
• Authors have used this technique to brute-force
a password from a configuration file stored in a
wiki
• With these searches
50. Assumption
• There's no important information in the error
message
• Because the user can get all that data by
inspecting requests and responses from the
browser anyway
51. The Flaw
• Error message was not built from the browser's
information
• It came from a stored container on the server-
side
• Not session-based
• Error condition copies data to the container, and
then displays information copied from that
container
52. Race Condition
• If two users have errors at nearly the same time
• One user's data is copied to the container
• But then displayed to a different user
53. Exploitation
• This is even worse than the race condition
• Attacker polls error container URL repeatedly
• Log results each time they change, and get
54. 12. Racing Against the
Login
• Robust, multistage login process
• Users required to supply several different
credentials
• Authentication mechanism had been subjected
to numerous design reviews and penetration
tests
• Owners had high confidence in it
55. The Bug
• Occasionally a customer logged in and gained
access to a different user's account
• This seemed random and non-repeatable
• Eventually the bank discovered that this
happened when two users logged in at precisely
the same time
• But not reliably
56. The Flaw
• Application stored a key identifier about each
newly authenticated user in a static,
nonsession, variable
• This variable's value was read back an instant
later
• If a different thread, processing another login,
wrote to that variable in between, the account
would change
57. Race Condition
• Application was using static storage to hold
information that should have been stored on a
per-thread or per-session basis
• This is called a "race condition"
• A brief moment of vulnerability
• To exploit it, attacker must "win the race"
58. Avoiding Logic Flaws
• Document every aspect of the application's
design thoroughly
• So an outsider can understand every
assumption the designer made
59. • Require clear comments in source code
documenting:
• The purpose and intended use of each
component
• Assumptions made by each component about
anything that is outside of its direct control
• References to all client code that uses the
component
Avoiding Logic Flaws
60. • During security review, reflect on every
assumption made in the design
• Imagine circumstanced that violate those
assumptions
• Focus on conditions that user can control
Avoiding Logic Flaws
61. • During security review, think laterally about:
• Ways the app handles unexpected user
behavior
• Potential side effects of any dependencies
and interoperation between code components
and application functions
Avoiding Logic Flaws