Lotus Security Part I
Sanjaya K Saxena
Building Rock Solid Lotus Domino Security Part I - Essential Information Security Concepts
1. Lotus Domino: Building Rock Solid Security, Part I
© Sanjaya Kumar Saxena
2. The Alarming Truth
[Slide collage of news headlines from January and February 2008: an Italian bank hit by XSS fraudsters, Chinese hackers stealing 18 million identities, Ecuador's presidential blogs broken into, a Mac website defaced by XSS, the RIAA site wiped off the Net, Greek ministry websites intruded, a "free MacWorld Expo Platinum Pass" hack, a hacker stealing Davidson Co.'s client data, and drive-by pharming in the wild; sources cited include Netcraft, The Register, Information Week, IndiaTimes.com, CNet, Symantec, Thaindian and AP.]
3. Vulnerability Consequences
[Chart: vulnerability consequences as a percentage of overall disclosures in 2006-2008]
4. Vulnerabilities by Attack Technique
[Chart: vulnerabilities broken down by attack technique]
5. What is Information?
Knowledge acquired through study, experience or instruction; a collection of facts or data.
In our context of ISO 27K: an asset that, like other important business assets, is essential to an organization's business and consequently needs to be suitably protected.
Categories: Internal, External, Customer, Outsourced.
6. What is Security?
Freedom from danger, risk, etc.; safety. Precautions taken to guard against crime, attack, sabotage, espionage, etc.
7. What is Information Security?
"The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats." (from the U.S. National Information Systems Security Glossary)
9. What is Information Security? (from ISO 27001)
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorized users have access to information and associated assets when required.
10. What is a Threat?
Something that is a source of danger: "Earthquakes are a constant threat in Japan."
In our context: unwanted events that may result in harm to asset(s); may be deliberate or accidental; exploit known vulnerabilities.
11. Information Security Threats
Threat source: Internal, External
Threat technique: Eavesdropping, Privacy, Authentication, Repudiation, Unauthorized Access, Denial of Service
Threat method: Unstructured, Structured
12. Vulnerabilities
A weakness in the system, the result of a bug or a design/deployment flaw.
Common vulnerabilities: Buffer Overflow, SQL Injection, Cross Site Scripting (XSS), Directory Traversal.
SPAM is the result of SMTP vulnerabilities.
13. Threats - Counter Measures
Eavesdropping: Cryptography
Privacy: Cryptography
Authentication: Passwords/Certificates
Repudiation: Digital Signatures
Unauthorized Access: ACLs/Cryptography
Denial of Service: Availability/Firewall
14. SQL Injection
SQL Injection vulnerabilities occur due to improper validation of user input fields. The attack can be mounted when form field contents are used to build SQL statements dynamically inside the code, which are subsequently executed. This may allow the attacker to include malicious code in the dynamically created SQL statement by crafting the data entered in the input field. The attacker may gain access to the back-end database, allowing him/her to read, delete and modify information. A SQL injection attack at the time of logging into an application is shown in the following slides.
15-25. SQL Injection: Login Walkthrough
The login form has a Username field, a Password field, a "Remember Me" checkbox, a LOGIN button and a "Forgot Password?" link. The application holds the two field values in UserID and Password123 and concatenates them into the statement:

    Statement = "Select * from tUsers where userid = '" + UserID + "' AND password = '" + Password123 + "'";

For a legitimate login with Username "sks" and Password "pw3007" the executed query is:

    SELECT * from tUsers where userid = 'sks' AND password = 'pw3007'

which matches the row in tUsers:

    UserID  Username  Password  User's Name
    9876    sks       pw3007    Sanjaya K Saxena

If the following is entered in the Username field instead (the password left as before):

    UserID = ' or 1=1 --

the statement becomes:

    SELECT * from tUsers where userid = '' or 1=1 --' AND password = 'pw3007'

The first quote closes the userid literal, "or 1=1" makes the WHERE clause always true, and "--" comments out the rest of the statement, so the password is never checked and the query returns rows without valid credentials.
26. XSS Attack
Cross Site Scripting vulnerabilities occur when a web-based application does not validate user inputs on form fields, the syntax of URLs, etc. An attacker can embed their own code into the data entry form, manipulating the appearance and/or behavior of the page. A web link is crafted and placed on the page in a manner that entices users to click on it. Users treat the link placed on the web form as coming from a trusted source or the same organization, thereby falling prey to this vulnerability. The attacker gets access to sensitive application information by accessing the cookie data of the user's account on the vulnerable website/application. The XSS attack is shown in the following slides, displaying a form field that allowed the user to enter JavaScript code which returns complete user profile information from the application's database. In this example "alert(document.cookie)" is entered in an input field, leading to the compromise of cookie information.
27. XSS
[Screenshot: a simple entry form of a social networking application]
28. XSS
[Screenshot: field manipulation with JavaScript]
29. XSS
[Screenshot: all it takes to pop up your sensitive information from the database]
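The profile field from slides 27-29 rendered without and with output encoding, plus the cookie flag that blunts the document.cookie step, as an added example (not from the deck). It assumes a Python server-side template; the template string, field name and session id are constructed for the illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed profile input: the payload the slides type into the entry form.
PAYLOAD = "<script>alert(document.cookie)</script>"

# Assumed server-side template for the profile page (constructed for this example).
TEMPLATE = "<p>Status: {status}</p>"


def render_unsafe(status):
    """Reflects the field as typed, so a <script> in it runs in every viewer's
    browser; this is the behaviour the slides' screenshots show."""
    return TEMPLATE.format(status=status)


def render_safe(status):
    """Output encoding: <, >, &, and both quotes become entities, so the browser
    displays the text instead of executing it. Encode at output time, for the
    HTML context the value lands in (here: element content)."""
    return TEMPLATE.format(status=html.escape(status, quote=True))


def contains_active_markup(rendered):
    """Illustrative check only: does the rendered page still carry a raw <script tag?"""
    return "<script" in rendered.lower()


def session_cookie_header(session_id):
    """Defence in depth for the cookie-theft step: an HttpOnly cookie cannot be read
    through document.cookie, so the injected alert shows nothing useful; Secure keeps
    it off plain HTTP. Neither replaces output encoding."""
    cookie = SimpleCookie()
    cookie["SessionID"] = session_id
    cookie["SessionID"]["httponly"] = True
    cookie["SessionID"]["secure"] = True
    cookie["SessionID"]["path"] = "/"
    return cookie.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))
    print(render_safe(PAYLOAD))
    print(session_cookie_header("constructed-session-id"))
```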
30. XSS - SAMY MySpace Worm
A self-propagating Cross Site Scripting (XSS) worm affected millions of profiles on MySpace.
31. XSS - SAMY MySpace Worm
The process began when a user (SAMY) placed JavaScript code in his profile on Myspace.com, a community site for sharing photos and staying in touch with friends.
32. XSS - SAMY MySpace Worm
When other users of Myspace.com viewed SAMY's profile, the code would initiate a background request via AJAX to add SAMY to the user's friends list.
33. XSS - SAMY MySpace Worm
This code bypassed the normal approval process for adding a user of the application to their friends list.
34. XSS - SAMY MySpace Worm
The next step in the script was self-replication.
35. XSS - SAMY MySpace Worm
This involved parsing out the code and pasting it into the viewing user's profile.
36. XSS - SAMY MySpace Worm
This process would repeat in the newly infected user's profile.
37. XSS - SAMY MySpace Worm
[Diagram: the <script> payload replicated from profile to profile]
38. XSS - SAMY MySpace Worm
The spread of the worm limits itself to the website and can essentially create a denial-of-service attack, due to the exponential growth of the attacker's friends list. This code will not affect any other site, but the malicious code can be reused by another hacker.
39. Typical Attack Methodology: A Quick Preview
Reconnaissance → Discover & Understand Vulnerabilities → Mount Attack
40. Reconnaissance
An inspection or exploration of an area, especially in the context of military information gathering.
Commonly known techniques: Social Engineering; Dumpster Diving; Leveraging the Web: WHOIS, DNS, Search Engines, Web-based Online Tools (http://privacy.net/analyze, http://network-tools.com).
41. Reconnaissance Example
Open the web site and view the source to check out the web server. No information? Use TELNET. IIS V5 has over 250 known vulnerabilities.
42. Attack Demonstration - Step 1
Search engines can be used to look up NSFs on the web.
43. Attack Demonstration - Step 2
Names.nsf found exposed.
44. Attack Demonstration - Step 3
[Screenshot]
45. Attack Demonstration - Step 4
[Screenshot]
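The server-side view of slide 43's "Names.nsf found exposed", as an added example (not from the deck): a check over Domino HTTP access log lines that flags successful anonymous reads of system databases. The log lines are constructed and assumed to be in Common Log Format (one of the text-log layouts Domino can emit); the list of sensitive databases is an assumption to adjust per server.

```python
import re
from collections import Counter

# Constructed sample lines (Common Log Format); addresses and timestamps are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Feb/2008:10:12:01 +0530] "GET /names.nsf?Open HTTP/1.1" 200 5120
203.0.113.7 - - [17/Feb/2008:10:12:09 +0530] "GET /names.nsf/People?OpenView HTTP/1.1" 200 18220
10.0.0.5 - jdoe [17/Feb/2008:10:13:44 +0530] "GET /names.nsf/People?OpenView HTTP/1.1" 200 18220
198.51.100.9 - - [17/Feb/2008:10:14:02 +0530] "GET /homepage.nsf?Open HTTP/1.1" 200 3000
198.51.100.9 - - [17/Feb/2008:10:14:30 +0530] "GET /log.nsf?Open HTTP/1.1" 401 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$')

# Domino system databases that should never be readable anonymously over HTTP
# (assumed watch list; extend it with your own application databases).
SENSITIVE_NSF = {"names.nsf", "log.nsf", "admin4.nsf", "catalog.nsf",
                 "domlog.nsf", "webadmin.nsf"}


def database_of(path):
    """Return the .nsf addressed by a Domino URL ('/names.nsf/People?OpenView'
    gives 'names.nsf'), or None when the request does not target a database."""
    for segment in path.split("?", 1)[0].split("/"):
        if segment.lower().endswith(".nsf"):
            return segment.lower()
    return None


def anonymous_sensitive_reads(log_text):
    """Flag requests that were served (2xx) from a sensitive database with no
    authenticated user; a 401 means the ACL did its job and is not reported."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        db = database_of(m["path"])
        served = m["status"].startswith("2")
        if m["user"] == "-" and served and db in SENSITIVE_NSF:
            findings.append((m["ip"], db, m["path"]))
    return findings


def offenders(log_text):
    """Findings per client address, for triage."""
    return Counter(ip for ip, _, _ in anonymous_sensitive_reads(log_text))


if __name__ == "__main__":
    for finding in anonymous_sensitive_reads(SAMPLE_LOG):
        print(finding)
```

A hit here means the database's ACL still grants Anonymous read access; the fix is on the ACL, with the log check re-run afterwards to confirm the 200s have become 401s.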
46. Counter Measures: Basic Concepts
47. What is Cryptography?
"Algorithms implemented in hardware or software to mathematically combine a key with plain text to produce cipher text and to convert cipher text to its original plain text form."
48. Dual Key Cryptography
[Diagram: Message → Encryptor (Secret or Public Key) → Decryptor (Secret or Public Key) → Message]
49. Digital Signature
[Diagram] Signing: Message → Hash (#) → Encryptor with Your Secret Key → Digital Signature; what is sent is the Message with its Digital Signature. Verifying: Digital Signature → Decryptor with Your Public Key → Hash, which must equal (=) the Hash (#) computed from the received Message.
50. A Fundamental Question
How do I trust a public key? Let a trustworthy agency certify it!
Certificate: Name, Public Key, Expiry Date, Issuer ID, Other Attributes, CA's Digital Signature.
Like a driving license or passport: certifies your public key and other attributes; issued by a trustworthy agency, called a Certification Agency (CA).
51. Secured Transactions using Certificates
Validate by establishing trust. Authenticate by challenging each other.
52. Establishing Trust
By exchange of certificates, after masking private data (if any). By comparing certificates: trust the public key if the two have a common CA. Possible in a hierarchical situation also.
53. Authentication - Step 1
❶ Requester generates a random number and challenges the server to sign it.
❷ Server signs and sends it back (Signature).
❸ Requester verifies the signature.
54. Authentication - Step 2
❶ Server generates a random number and challenges the requester to sign it.
❷ Requester signs and sends it back (Signature).
❸ Server verifies the signature.
Authentication is successful!
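Slides 49 to 54 carried through in code, as an added example (not from the deck and not the Notes/Domino implementation): hash-then-sign digital signatures, a certificate carrying the slide 50 fields under a CA signature, the common-CA trust check of slide 52, and the two-step mutual challenge-response of slides 53-54. The key pairs are toy textbook RSA built from fixed Mersenne primes, constructed here for illustration only; party names, expiry dates and the certificate layout are assumptions.

```python
import hashlib
import json
import secrets

E = 65537  # public exponent shared by every toy key below

def make_keypair(p, q):
    """Toy textbook RSA from two fixed primes: a constructed stand-in for the
    slide 48 key pair, not a key-generation routine to reuse anywhere."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return {"n": n, "e": E}, {"n": n, "d": d}  # public key, secret key

def message_hash(data):
    # Slide 49's "#": hash the message, truncated to 128 bits so it is below n.
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def sign(secret_key, data):
    # Digital signature = the hash "encrypted" with your secret key.
    return pow(message_hash(data), secret_key["d"], secret_key["n"])

def verify(public_key, data, signature):
    # "Decrypt" the signature with the public key; it must equal a fresh hash.
    return pow(signature, public_key["e"], public_key["n"]) == message_hash(data)

def canonical(body):
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_name, ca_secret, name, public_key, expiry):
    # Slide 50: Name, Public Key, Expiry Date and Issuer ID under the CA's signature.
    body = {"name": name, "public_key": public_key, "expiry": expiry, "issuer": ca_name}
    return {**body, "ca_signature": sign(ca_secret, canonical(body))}

def trusts(my_cert, their_cert, ca_public_keys):
    """Slide 52: after exchanging certificates, trust the other party's public key
    only if both certificates share a CA and that CA's signature verifies."""
    if my_cert["issuer"] != their_cert["issuer"]:
        return False
    ca_pub = ca_public_keys.get(their_cert["issuer"])
    body = {k: their_cert[k] for k in ("name", "public_key", "expiry", "issuer")}
    return ca_pub is not None and verify(ca_pub, canonical(body), their_cert["ca_signature"])

def challenge(prover_secret, prover_cert):
    """One direction of slides 53/54: ❶ the verifier picks a random number,
    ❷ the prover signs it, ❸ the verifier checks it against the certified key."""
    nonce = secrets.token_bytes(16)
    signature = sign(prover_secret, nonce)
    return verify(prover_cert["public_key"], nonce, signature)

def mutual_authentication(req_secret, req_cert, srv_secret, srv_cert, ca_public_keys):
    """Slide 51: validate by establishing trust, then authenticate by challenging
    each other (step 1: requester challenges server; step 2: server challenges requester)."""
    if not (trusts(req_cert, srv_cert, ca_public_keys) and trusts(srv_cert, req_cert, ca_public_keys)):
        return False
    return challenge(srv_secret, srv_cert) and challenge(req_secret, req_cert)

def demo():
    # Constructed parties: a CA, a requester and a server, plus a second CA that
    # certifies an outsider. Primes are Mersenne primes written as (1 << k) - 1.
    ca_pub, ca_sec = make_keypair((1 << 61) - 1, (1 << 89) - 1)
    other_ca_pub, other_ca_sec = make_keypair((1 << 107) - 1, (1 << 127) - 1)
    req_pub, req_sec = make_keypair((1 << 521) - 1, (1 << 607) - 1)
    srv_pub, srv_sec = make_keypair((1 << 1279) - 1, (1 << 2203) - 1)
    ca_keys = {"Example CA": ca_pub}  # CAs the parties are configured to trust
    req_cert = issue_certificate("Example CA", ca_sec, "requester", req_pub, "2009-12-31")
    srv_cert = issue_certificate("Example CA", ca_sec, "server", srv_pub, "2009-12-31")
    outsider = issue_certificate("Other CA", other_ca_sec, "server", srv_pub, "2009-12-31")
    forged = dict(srv_cert, public_key=other_ca_pub)  # CA signature no longer matches
    return {
        "common_ca": mutual_authentication(req_sec, req_cert, srv_sec, srv_cert, ca_keys),
        "different_ca": mutual_authentication(req_sec, req_cert, srv_sec, outsider, ca_keys),
        "forged_key": mutual_authentication(req_sec, req_cert, srv_sec, forged, ca_keys),
    }

if __name__ == "__main__":
    print(demo())
```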