Lotus Domino
Building Rock Solid Security
                     Part - I

                          © Sanjaya Kumar Saxena
The Alarming Truth

[Slide: collage of early-2008 news headlines; the recoverable ones are listed below]
Italian Bank hit by XSS Fraudsters (Netcraft, Jan 8 2008)
Chinese Hacker steals 18-million Identities (HackBase.com, Feb 10, 2008)
LexisNexis Data Breach (Washington Post, Feb 17, 2008)
IndiaTimes.com Malware (Information Week, Feb 17, 2008)
Hackers break into Ecuador’s Presidential website (Thaindian, Feb 11, 2008)
Mac blogs defaced by XSS (The Register, Feb 17, 2008)
Hacking Stage 2007 (Wikipedia, Feb 9 2008)
RIAA wiped off the Net (The Register, Jan 20, 2008)
Greek Ministry websites hit by hacker (eKathimerini, Jan 13, 2008)
Your Free MacWorld Expo Platinum Pass (CNet, Jan 14, 2008)
Drive-by Pharming in the Wild (Symantec, Jan 21 2008)
Hacker steals Davidson Co.’s Client Data (Falls Tribune, Feb 4 2008)
Hacker takes … Pennsylvania … (AP, Jan 6, 2008)
Vulnerability Consequences

[Chart: vulnerability consequences as a percentage of overall disclosures in 2006-2008]

Vulnerabilities by Attack Technique

[Chart: vulnerabilities by attack technique]
What is Information?
Knowledge acquired through study or experience or instruction
A collection of facts or data



 In our context of ISO 27K,
      An asset that, like other important business assets, is essential to an organization’s business and
      consequently needs to be suitably protected.



 Categories
      Internal
      External
            Customer
            Outsourced




What is Security?
Freedom from Danger, Risk, etc.; Safety.
Precautions taken to guard against Crime, Attack, Sabotage, Espionage, etc.




What is Information Security?

“The protection of information systems against unauthorized access to or
modification of information, whether in storage, processing or transit, and
against the denial of service to authorized users or the provision of service to
unauthorized users, including those measures necessary to detect, document,
and counter such threats.”

from U.S. National Information Systems Security Glossary

What is Information Security?
   Confidentiality
        Ensuring that information is accessible only to those authorized to have access



   Integrity
        Safeguarding the accuracy and completeness of information and processing methods



   Availability
        Ensuring that authorized users have access to information and associated assets when required




from ISO 27001




What is a Threat?
Something that is a source of danger,
“Earthquakes are a constant threat in Japan”



 In our context,
 Unwanted events that may result in harm to asset(s)
      May be deliberate or accidental


 Exploits known Vulnerabilities




Information Security Threats

                  THREAT

   Source       Technique             Method
   Internal     Eavesdropping         Unstructured
   External     Privacy               Structured
                Authentication
                Repudiation
                Unauthorized Access
                Denial of Service

Vulnerabilities
 Weakness in the system
     Result of bug or design/deployment flaw



 Common Vulnerabilities:
     Buffer Overflow
     SQL Injection
     Cross Site Scripting (XSS)
     Directory Traversal


 SPAM is the result of SMTP vulnerabilities




Threats - Counter Measures

  Threat                 Counter Measure
  Eavesdropping          Cryptography
  Privacy                Cryptography
  Authentication         Passwords/Certificates
  Repudiation            Digital Signatures
  Unauthorized Access    ACLs/Cryptography
  Denial of Service      Availability/Firewall

SQL Injection

 SQL Injection vulnerabilities occur due to improper validation of user input
 fields.

 This attack can be mounted when form field contents are used to build
 SQL statements dynamically inside the code, which are subsequently executed.
 This may allow the attacker to include malicious code in the dynamically
 created SQL statement by manipulating the data entered in the input field.

 The attacker may gain access to the back-end database, allowing him/her to
 read, delete and modify information.

 A SQL injection attack at the time of logging into an application is shown in
 the following slides.




SQL Injection

A login form with the fields Username and Password, a “Remember Me” check box,
a LOGIN button and a “Forgot Password?” link. The user enters UserID in the
Username field and Password123 in the Password field.

The code builds the query by concatenating the field contents into the SQL text:

    Statement = “Select * from tUsers where
                     userid = ‘ “ + UserID + ” ’ AND
                     password = ‘ “ + Password123 + ” ’ ”;

For a legitimate login the statement executed is:

    SELECT * from tUsers where
                userid = ‘sks’ AND password = ‘pw3007’

and it returns the user’s row:

    UserID   Username   Password   User’s Name
    9876     sks        pw3007     Sanjaya K Saxena

Now the attacker enters the following in the Username field instead:

    UserID = ‘ or 1=1 --

The statement executed becomes:

    SELECT * from tUsers where
                userid = ‘‘ or 1=1 --’ AND password = ‘pw3007’

The quote typed into the field closes the string literal, “or 1=1” is true for
every row, and “--” turns the rest of the statement, including the password
check, into a comment; the query therefore matches every user in tUsers.

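The build-up above shows the concatenated statement and the `' or 1=1 --` input that turns it into a query matching every row. The Python script below is an added example and is not code from the original deck: it recreates the tUsers table in an in-memory SQLite database (constructed sample rows, the slide's row plus one more), implements the slide's concatenation pattern beside a parameterized query, and shows that the same input is harmless when it is bound as a parameter. The column names, helper names and the second row are assumptions.

```python
import sqlite3

# Constructed sample rows for the slides' tUsers table: the row shown on the
# slide plus one extra, so a bypass that returns "every row" is visible.
SAMPLE_ROWS = [
    (9876, "sks", "pw3007", "Sanjaya K Saxena"),
    (9877, "ops", "pw4411", "Constructed Second User"),
]


def make_db():
    """In-memory SQLite database with the sample tUsers rows. The slide's query
    compares the login name in a column it calls userid, so that naming is kept.
    Passwords are stored in clear text only because the slide's table does."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tUsers (id INTEGER, userid TEXT, "
                 "password TEXT, name TEXT)")
    conn.executemany("INSERT INTO tUsers VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, userid, password):
    """The slides' pattern: the statement text is assembled by concatenation,
    so a quote typed into the field closes the string literal and whatever
    follows it becomes SQL."""
    statement = ("SELECT * FROM tUsers WHERE userid = '" + userid
                 + "' AND password = '" + password + "'")
    return conn.execute(statement).fetchall()


def login_parameterized(conn, userid, password):
    """Hardened form: the SQL text is fixed and the two values are bound as
    parameters, so a quote in the input is compared as data, never parsed."""
    statement = "SELECT * FROM tUsers WHERE userid = ? AND password = ?"
    return conn.execute(statement, (userid, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1 --"          # the input from the slides
    print("legitimate   :", login_parameterized(db, "sks", "pw3007"))
    print("concatenated :", login_vulnerable(db, probe, "anything"))
    print("parameterized:", login_parameterized(db, probe, "anything"))
```

A parameterized query is the fix the slides lead towards: the SQL text is fixed when the statement is prepared, so a quote in the input can never close a string or start a comment. The sample table keeps passwords in clear text only to mirror the slide; a real application stores a salted hash and compares against that.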
XSS Attack
Cross Site Scripting vulnerabilities occur when a web based application does not
validate user inputs on form fields, the syntax of URLs, etc.

An attacker can embed their own code into the data entry form, manipulating the
appearance and/or behavior of the page.

A web link is crafted and placed on the page in a manner that entices users to click
on the link.

Users treat the link placed on the web form as coming from a trusted source or
the same organization, and thereby fall prey to this vulnerability.

The attacker gets access to sensitive application information by accessing the cookie
data of the user’s account on the vulnerable website/application.

The XSS attack is shown in the following slides, displaying a form field that allowed the
user to enter JavaScript code which returns complete user profile information from the
application’s database. In this example “alert(document.cookie)” is entered in an
input field, leading to the compromise of cookie information.

XSS

[Screenshot] A simple entry form of a social networking application

[Screenshot] Field manipulation with javascript

[Screenshot] All it takes to popup your sensitive information from the database
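The three screenshots above show an input field accepting `alert(document.cookie)` and the browser executing it. The Python below is an added example, not code from the original deck: it renders a constructed profile field the vulnerable way (pasting the string into the HTML) and the hardened way (HTML-escaping it on output with `html.escape`), and builds the session cookie with HttpOnly so that `document.cookie` cannot read it even where a script does run. The template markup, the cookie name and the sample field values are assumptions.

```python
import html
from http.cookies import SimpleCookie

# Constructed profile field values: a normal name and the probe from the
# slides' screenshots (not captured from any real site).
SAMPLE_NAMES = [
    "Sanjaya K Saxena",
    "<script>alert(document.cookie)</script>",
]

# Assumed page template; the {} is the only user-controlled part.
TEMPLATE = '<div class="profile-name">{}</div>'


def render_unescaped(display_name):
    """The vulnerable pattern behind the slides: the field value is pasted
    straight into the page, so any tag it contains is parsed as markup and
    runs in every viewer's browser."""
    return TEMPLATE.format(display_name)


def render_escaped(display_name):
    """Hardened form: encode the HTML-significant characters on output, so
    the browser shows the text of the script instead of executing it."""
    return TEMPLATE.format(html.escape(display_name, quote=True))


def user_controlled_part(rendered):
    """Strip the fixed template to get back what the user controlled."""
    prefix, suffix = TEMPLATE.split("{}")
    return rendered[len(prefix):len(rendered) - len(suffix)]


def injects_markup(rendered):
    """True if the user-controlled region still contains a raw tag delimiter."""
    return "<" in user_controlled_part(rendered)


def session_cookie_header(session_id):
    """Set-Cookie header for the session token. HttpOnly keeps it out of
    document.cookie, so a script that does slip through cannot read it;
    Secure limits it to HTTPS; SameSite=Lax limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["SESSIONID"] = session_id
    cookie["SESSIONID"]["httponly"] = True
    cookie["SESSIONID"]["secure"] = True
    cookie["SESSIONID"]["samesite"] = "Lax"
    return cookie.output()


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print("unescaped:", render_unescaped(name))
        print("escaped:  ", render_escaped(name))
    print(session_cookie_header("constructed-session-id"))
```

Escaping belongs at the point of output, in the context the value lands in (here an HTML text node); a value that is later placed into a JavaScript string or a URL needs the encoding for that context instead. HttpOnly does not stop the script from running, it only takes the cookie off the table, which is why both measures are used together.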
XSS - SAMY MySpace Worm

[Diagram: a <script> block copied from one profile to the next as users view them]

A self-propagating Cross Site Scripting (XSS) worm affected millions
of profiles on MySpace.

The process began when a user (SAMY) placed JavaScript code in his
profile on Myspace.com, a community site for sharing photos and
staying in touch with friends.

When other users of Myspace.com viewed SAMY’s profile, the code
would initiate a background request via AJAX to add SAMY to the user’s
friends list.

This code bypassed the normal approval process for adding a user
of the application to their friends list.

The next step in the script was self replication.

This involved parsing out the code and pasting it into the viewing user’s profile.

This process would repeat in the newly infected user’s profile.

XSS - SAMY MySpace Worm
The spread of the virus limits itself to the website and can essentially
create a denial-of-service attack, due to the exponential spread of the
attacker’s friends list.

This code will not affect any other site, although the malicious code
can be reused by another hacker.

Typical Attack Methodology
A Quick Preview

                 Reconnaissance




              Discover & Understand
                  Vulnerabilities




                  Mount Attack




Reconnaissance
An inspection or exploration of an area, especially in the context of military
information gathering.



 Commonly known techniques:
      Social Engineering
      Dumpster Diving
      Leveraging Web
           WHOIS
           DNS
           Search Engine
      Web-based Online Tools
           http://privacy.net/analyze
           http://network-tools.com




Reconnaissance Example
 Open web-site, View source to check out web server
     No information – Use TELNET

 IIS V5 has over 250 known vulnerabilities

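The recon step above works because the server announces its product and version, and a version maps straight onto a list of known vulnerabilities. The Python below is an added hardening check, not code from the original deck: it parses raw HTTP response headers (two constructed samples, one chatty and one quiet, not captures from any real host) and reports which headers name a product or leak a version number, the kind of check to run against your own server before an outsider does. The header list, the sample values and the severity labels are assumptions.

```python
import re

# Constructed sample responses, in the form a manual HEAD request shows them
# (not captured from any real host).
SAMPLE_RESPONSES = {
    "verbose": ("HTTP/1.1 200 OK\r\n"
                "Server: Microsoft-IIS/5.0\r\n"
                "X-Powered-By: ASP.NET\r\n"
                "X-AspNet-Version: 1.1.4322\r\n"
                "Content-Type: text/html\r\n"
                "\r\n"),
    "quiet": ("HTTP/1.1 200 OK\r\n"
              "Server: webserver\r\n"
              "Content-Type: text/html\r\n"
              "\r\n"),
}

# Headers that commonly name the product or framework. A version number in
# the value is what lets an outsider look up the known-vulnerability list.
PRODUCT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_response_headers(raw):
    """Split a raw HTTP response into {lowercased name: value}; the status
    line and the body are skipped."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def banner_findings(raw):
    """Return (header, value, severity) tuples: 'version' when a version
    number is exposed, 'product' when only a product/framework is named.
    A generic Server token with no version is not reported."""
    findings = []
    for name, value in parse_response_headers(raw).items():
        if name not in PRODUCT_HEADERS:
            continue
        if VERSION_RE.search(value):
            findings.append((name, value, "version"))
        elif name != "server":
            findings.append((name, value, "product"))
    return findings


if __name__ == "__main__":
    for label, raw in SAMPLE_RESPONSES.items():
        print(label, banner_findings(raw) or "no banner disclosure")
```

Suppressing or genericising these headers does not remove a vulnerability, it only stops advertising it; the version still has to be patched. The check is cheap enough to keep in a deployment pipeline so that a configuration change that re-enables the banner is caught.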
Attack Demonstration - Step 1

[Screenshot] Search engines can be used to look up NSFs on web

Attack Demonstration - Step 2

[Screenshot] Names.nsf found exposed

Attack Demonstration - Step 3

[Screenshot]

Attack Demonstration - Step 4

[Screenshot]

Counter Measures
Basic Concepts




What is Cryptography?

“Algorithms implemented in hardware or software to mathematically
combine a key with plain text to produce cipher text and to convert cipher
text to its original plain text form.”

Dual Key Cryptography

[Diagram: Message → Encryptor → Decryptor → Message; the Encryptor and the
Decryptor are each keyed with one key of the pair, the Secret (or Public) Key]

Digital Signature

[Diagram]
Signing (with Your Secret Key):
    Message → Hash (#) → Encryptor (Your Secret Key) → Digital Signature
    Message + Digital Signature is sent.

Verification (with Your Public Key):
    Message with Digital Signature → Hash (#) of the message
    Digital Signature → Decryptor (Your Public Key) → Hash
    The two hashes must be equal (=).

A Fundamental Question
 How do I trust a public key?
     Let a trustworthy agency certify it!

 Certificate:
     Like a driving license or passport
           Certifies your public key and other attributes
     Issued by a trustworthy agency
           Called Certification Agency (CA)

 CERTIFICATE (contents):
     Name
     Public Key
     Expiry Date
     Issuer ID
     Other Attributes
     CA’s Digital Signature

Secured Transactions using Certificates
 Validate by:
     Establishing Trust



 Authenticate by:
     Challenging Each Other




Establishing Trust
 By Exchange of Certificates
     After masking private data (if any)



 By Comparing Certificates
     Trust the public key if the two have a common CA
           Possible in a hierarchical situation also




Authentication - Step 1

 ❶ Requester generates a random # and challenges the server to sign it.
 ❷ Server signs and sends it back (Signature).
 ❸ Requester verifies the signature.

Authentication - Step 2

 ❶ Server generates a random # and challenges the requester to sign it.
 ❷ Requester signs and sends it back (Signature).
 ❸ Server verifies the signature.

Authentication is Successful!

AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Featured (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Lotus Security Part I

  • 1. Lotus Domino Building Rock Solid Security Part - I © Sanjaya Kumar Saxena
  • 2. The Alarming Truth [slide: collage of news headlines from January and February 2008, attributed to sources including Netcraft, HackBase.com, Information Week, The Register, Thaindian, Wikipedia, eKathimerini, CNet, Symantec, Falls Tribune and AP, covering XSS fraud against an Italian bank, stolen identities, data breaches, malware, website defacements, drive-by pharming and stolen client data] © Sanjaya Kumar Saxena
  • 3. Vulnerability Consequences As a percentage of Overall Disclosures in 2006-2008 © Sanjaya Kumar Saxena
  • 4. Vulnerabilities by Attack Technique © Sanjaya Kumar Saxena
  • 5. What is Information? Knowledge acquired through study, experience or instruction; a collection of facts or data. In our context of ISO 27K: an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. Categories: Internal, External, Customer, Outsourced © Sanjaya Kumar Saxena
  • 6. What is Security? Freedom from Danger, Risk, etc.; Safety. Precautions taken to guard against Crime, Attack, Sabotage, Espionage, etc. © Sanjaya Kumar Saxena
  • 7. What is Information Security? “The protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats.” from U.S. National Information Systems Security Glossary © Sanjaya Kumar Saxena
  • 9. What is Information Security? Confidentiality Ensuring that information is accessible only to those authorized to have access Integrity Safeguarding the accuracy and completeness of information and processing methods Availability Ensuring that authorized users have access to information and associated assets when required from ISO 27001 © Sanjaya Kumar Saxena
  • 10. What is a Threat? Something that is a source of danger: “Earthquakes are a constant threat in Japan.” In our context: unwanted events that may result in harm to asset(s); may be deliberate or accidental; exploits known vulnerabilities © Sanjaya Kumar Saxena
  • 11. Information Security Threats THREAT. Source: Internal, External. Technique: Eavesdropping, Privacy, Authentication, Repudiation, Unauthorized Access, Denial of Service. Method: Unstructured, Structured © Sanjaya Kumar Saxena
  • 12. Vulnerabilities Weakness in the system; result of a bug or a design/deployment flaw. Common vulnerabilities: Buffer Overflow, SQL Injection, Cross Site Scripting (XSS), Directory Traversal. SPAM is the result of SMTP vulnerabilities © Sanjaya Kumar Saxena
  • 13. Threats - Counter Measures Eavesdropping: Cryptography; Privacy: Cryptography; Authentication: Passwords/Certificates; Repudiation: Digital Signatures; Unauthorized Access: ACLs/Cryptography; Denial of Service: Availability/Firewall © Sanjaya Kumar Saxena
  • 14. SQL Injection SQL Injection vulnerabilities occur due to improper validation of user input fields. The attack can be mounted when form field contents are used to build SQL statements dynamically inside the code, which are subsequently executed. This may allow the attacker to include malicious code in the dynamically created SQL statement by manipulating the data entered in the input field. The attacker may gain access to the back-end database, allowing him/her to read, delete and modify information. A SQL injection attack at the time of logging into an application is shown in the following slides. © Sanjaya Kumar Saxena
  • 15. SQL Injection [slide: login form with Username and Password fields, Remember Me, LOGIN and Forgot Password?] © Sanjaya Kumar Saxena
  • 16. SQL Injection [login form filled in: Username: UserID, Password: Password123] © Sanjaya Kumar Saxena
  • 17–19. SQL Injection The application builds its query by concatenating the two form fields, first the UserID and then the Password, into the SQL text: Statement = "Select * from tUsers where userid = '" + UserID + "' AND password = '" + Password123 + "'"; © Sanjaya Kumar Saxena
  • 20. SQL Injection For a normal login the executed statement is: SELECT * from tUsers where userid = 'sks' AND password = 'pw3007' © Sanjaya Kumar Saxena
  • 21. SQL Injection The matching row in tUsers: UserID 9876, Username sks, Password pw3007, User’s Name Sanjaya K Saxena © Sanjaya Kumar Saxena
  • 22. SQL Injection The attacker instead enters into the UserID field: ' or 1=1 -- © Sanjaya Kumar Saxena
  • 23. SQL Injection With an empty UserID the statement would read: SELECT * from tUsers where userid = '' AND password = 'pw3007' © Sanjaya Kumar Saxena
  • 24–25. SQL Injection With the injected value the statement becomes: SELECT * from tUsers where userid = '' or 1=1 --' AND password = 'pw3007' (the -- turns the rest of the line, including the password check, into a comment, so the condition is always true) © Sanjaya Kumar Saxena
  • 26. XSS Attack Cross Site Scripting vulnerabilities occur when a web-based application does not validate user input on form fields, the syntax of URLs, etc. An attacker can embed their own code into the data entry form, manipulating the appearance and/or behavior of the page. A web link is crafted and placed on the page in a manner that entices users to click on it. Users treat the link placed on the web form as coming from a trusted source or the same organization, thereby falling prey to this vulnerability. The attacker gains access to sensitive application information by reading the cookie data of the user’s account on the vulnerable website/application. The XSS attack shown in the following slides uses a form field that allowed the user to enter JavaScript code which returns complete user profile information from the application’s database. In this example “alert(document.cookie)” is entered in an input field, compromising the cookie information. © Sanjaya Kumar Saxena
  • 27. XSS A simple entry form of a social networking application © Sanjaya Kumar Saxena
  • 28. XSS Field manipulation with JavaScript © Sanjaya Kumar Saxena
  • 29. XSS All it takes to pop up your sensitive information from the database © Sanjaya Kumar Saxena
  • 30. XSS - SAMY MySpace Worm <script> A self-propagating Cross Site Scripting (XSS) worm affected millions of profiles on MySpace © Sanjaya Kumar Saxena
  • 31. XSS - SAMY MySpace Worm <script> <script> The process began when a user (SAMY) placed JavaScript code in his profile on Myspace.com, a community site for sharing photos and staying in touch with friends. © Sanjaya Kumar Saxena
  • 32. XSS - SAMY MySpace Worm <script> <script> When other users of Myspace.com viewed SAMY’s profile, the code would initiate a background request via AJAX to add SAMY to the viewing user’s friends list. © Sanjaya Kumar Saxena
  • 33. XSS - SAMY MySpace Worm <script> <script> This code bypassed the normal approval process for adding an application user to a friends list. © Sanjaya Kumar Saxena
  • 34. XSS - SAMY MySpace Worm <script> <script> <script> The next step in the script was self-replication. © Sanjaya Kumar Saxena
  • 35. XSS - SAMY MySpace Worm <script> <script> <script> This involved parsing out the code and pasting it into the viewing user’s profile. © Sanjaya Kumar Saxena
  • 36. XSS - SAMY MySpace Worm This process would repeat in the newly infected user’s profile <script> <script> <script> © Sanjaya Kumar Saxena
  • 37. XSS - SAMY MySpace Worm <script> <script> <script> © Sanjaya Kumar Saxena
  • 38. XSS - SAMY MySpace Worm The spread of the virus limits itself to the website and can essentially create a denial-of-service attack, due to the exponential growth of the attacker’s friends list. This code will not affect any other site, although the malicious code can be reused by another hacker. © Sanjaya Kumar Saxena
  • 39. Typical Attack Methodology A Quick Preview Reconnaissance Discover & Understand Vulnerabilities Mount Attack © Sanjaya Kumar Saxena
  • 40. Reconnaissance An inspection or exploration of an area, especially in the context of military information gathering. Commonly known techniques: Social Engineering, Dumpster Diving, Leveraging Web (WHOIS, DNS, Search Engine), Web-based Online Tools (http://privacy.net/analyze, http://network-tools.com) © Sanjaya Kumar Saxena
  • 41. Reconnaissance Example Open the website and view the source to check out the web server. No information? Use TELNET. IIS V5 has over 250 known vulnerabilities © Sanjaya Kumar Saxena
  • 42. Attack Demonstration - Step 1 Search engines can be used to look up NSFs on web © Sanjaya Kumar Saxena
  • 43. Attack Demonstration - Step 2 Names.nsf found exposed © Sanjaya Kumar Saxena
  • 44. Attack Demonstration - Step 3 © Sanjaya Kumar Saxena
  • 45. Attack Demonstration - Step 4 © Sanjaya Kumar Saxena
  • 46. Counter Measures Basic Concepts © Sanjaya Kumar Saxena
  • 47. What is Cryptography? “Algorithms implemented in hardware or software to mathematically combine a key with plain text to produce cipher text and to convert cipher text to its original plain text form.” © Sanjaya Kumar Saxena
  • 48. Dual Key Cryptography [diagram: Message → Encryptor (Secret or Public Key) → Decryptor (Secret or Public Key) → Message] © Sanjaya Kumar Saxena
  • 49. Digital Signature [diagram: signing side: Message → Hash (#) → Encryptor with Your Secret Key → Digital Signature, sent as Message + Digital Signature; verifying side: Digital Signature → Decryptor with Your Public Key → Hash, compared (=) with a fresh Hash of the Message] © Sanjaya Kumar Saxena
  • 50. A Fundamental Question How do I trust a public key? Let a trustworthy agency certify it! CERTIFICATE: Name, Public Key, Expiry Date, Issuer ID, Other Attributes, CA’s Digital Signature. Like a driving license or passport: certifies your public key and other attributes; issued by a trustworthy agency, called a Certification Agency (CA) © Sanjaya Kumar Saxena
  • 51. Secured Transactions using Certificates Validate by: Establishing Trust Authenticate by: Challenging Each Other © Sanjaya Kumar Saxena
  • 52. Establishing Trust By exchange of certificates, after masking private data (if any). By comparing certificates: trust the public key if the two have a common CA. Possible in a hierarchical situation also © Sanjaya Kumar Saxena
  • 53. Authentication - Step 1 ❶ Requester generates a random # and challenges the server to sign it. ❷ Server signs and sends it back (Signature). ❸ Requester verifies the signature. © Sanjaya Kumar Saxena
  • 54. Authentication - Step 2 ❶ Server generates a random # and challenges the requester to sign it. ❷ Requester signs and sends it back (Signature). ❸ Server verifies the signature. Authentication is Successful! © Sanjaya Kumar Saxena
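The login bypass from slides 14–25, run end to end against a constructed copy of tUsers, beside the parameterized form that stops it. This is an added example, not code from the deck or from any Lotus Domino component; the in-memory SQLite database, the table layout and the wrong-password value are constructed for illustration.

```python
import sqlite3

# Constructed inputs: the UserID value from slide 22 and a normal login.
INJECTED_USERID = "' or 1=1 --"


def build_db() -> sqlite3.Connection:
    """Constructed tUsers table holding the single row shown on slide 21.
    Passwords are kept in clear only to mirror the slide; real systems store hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tUsers (userid TEXT, password TEXT, fullname TEXT)")
    con.execute("INSERT INTO tUsers VALUES ('sks', 'pw3007', 'Sanjaya K Saxena')")
    return con


def build_statement(userid: str, password: str) -> str:
    """The deck's pattern: form field contents concatenated into the SQL text."""
    return ("SELECT * FROM tUsers WHERE userid = '" + userid
            + "' AND password = '" + password + "'")


def login_vulnerable(con: sqlite3.Connection, userid: str, password: str) -> list:
    """Executes the concatenated statement; the input can rewrite the WHERE clause,
    and the -- in the injected value comments out the password check entirely."""
    return con.execute(build_statement(userid, password)).fetchall()


def login_parameterized(con: sqlite3.Connection, userid: str, password: str) -> list:
    """The fix: placeholders hand the values to the driver separately, so a quote
    or a comment marker in the input is matched as data, never parsed as SQL."""
    return con.execute(
        "SELECT * FROM tUsers WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(build_statement(INJECTED_USERID, "pw3007"))  # the statement on slide 24
    print("vulnerable   :", login_vulnerable(db, INJECTED_USERID, "wrong-password"))
    print("parameterized:", login_parameterized(db, INJECTED_USERID, "wrong-password"))
```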
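For the XSS slides (26–29) and the SAMY worm story (30–38), the defensive side: a stored profile text is rendered once without and once with output encoding, so the deck's alert(document.cookie) payload is shown as text instead of running, plus the cookie flag that limits what a script can read. Added example, not part of the deck; the ProfileStore class, the bios and the cookie value are constructed stand-ins.

```python
import html

# Constructed inputs: the deck's form-field payload and an ordinary profile text.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"
NORMAL_BIO = "Likes Lotus Domino & security"


class ProfileStore:
    """Tiny stand-in for a social site's profile storage (constructed).
    Stored profile text is rendered for every viewer, which is the path the
    MySpace worm used to copy itself from one profile into the next."""

    def __init__(self) -> None:
        self._bios = {}

    def save(self, user: str, bio: str) -> None:
        self._bios[user] = bio  # stored exactly as typed; encoding happens on output

    def view_unsafe(self, user: str) -> str:
        """No output encoding: whatever was saved becomes live markup for the viewer."""
        return f"<h1>{user}</h1><p>{self._bios[user]}</p>"

    def view_safe(self, user: str) -> str:
        """Output encoding: <, >, &, and quotes become entities, so the browser
        displays the payload as text instead of executing it."""
        return f"<h1>{html.escape(user)}</h1><p>{html.escape(self._bios[user])}</p>"


def session_cookie_header(value: str) -> str:
    """Defence in depth: HttpOnly keeps document.cookie from exposing the session
    cookie even if a script does run; Secure limits the cookie to HTTPS."""
    return f"Set-Cookie: session={value}; HttpOnly; Secure; SameSite=Lax"


def is_neutralised(rendered: str) -> bool:
    """True when no raw <script tag survived rendering."""
    return "<script" not in rendered.lower()


if __name__ == "__main__":
    store = ProfileStore()
    store.save("samy", XSS_PAYLOAD)
    print("unsafe:", store.view_unsafe("samy"))
    print("safe  :", store.view_safe("samy"))
    print(session_cookie_header("constructed-token"))
```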
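Slides 49–54 worked through in code: hash-then-sign with a secret key and verification with the public key, a CA-signed certificate carrying name, public key, expiry and issuer, the common-CA trust check, and the two random-number challenges in order. Added example, not from the deck; it uses textbook RSA with constructed, deliberately tiny primes so the arithmetic is readable, and the party names, years and "Demo CA" are placeholders.

```python
import hashlib
import math
import secrets
from dataclasses import dataclass


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two primes; returns (public, secret), each as (n, exponent)."""
    phi = (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (p * q, e), (p * q, pow(e, -1, phi))


def digest(data: bytes, n: int) -> int:
    """The 'Hash' box of slide 49: SHA-256 of the data, reduced into the key's range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(message: bytes, secret_key) -> int:
    """Encryptor + Your Secret Key: the digital signature is the encrypted hash."""
    n, d = secret_key
    return pow(digest(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Decryptor + Your Public Key: the recovered hash must equal a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)


@dataclass(frozen=True)
class Certificate:
    """Slide 50: name, public key, expiry and issuer, signed by the CA."""
    name: str
    public_key: tuple
    expiry: int           # year, kept simple for the example
    issuer: str
    signature: int = 0    # CA's digital signature over body()

    def body(self) -> bytes:
        return f"{self.name}|{self.public_key}|{self.expiry}|{self.issuer}".encode()


def issue(ca_name: str, ca_secret, name: str, public_key, expiry: int) -> Certificate:
    draft = Certificate(name, public_key, expiry, ca_name)
    return Certificate(name, public_key, expiry, ca_name, sign(draft.body(), ca_secret))


def trusted(peer: Certificate, mine: Certificate, ca_public, today: int) -> bool:
    """Slide 52: trust the peer's public key only if both certificates share a CA,
    the CA's signature verifies, and the certificate has not expired."""
    return (peer.issuer == mine.issuer and peer.expiry >= today
            and verify(peer.body(), peer.signature, ca_public))


def prove(peer_cert: Certificate, peer_secret) -> bool:
    """One round of slides 53/54: challenge the peer with a random number, the peer
    signs it, and the signature is checked with the key taken from its certificate."""
    nonce = secrets.token_bytes(16)
    return verify(nonce, sign(nonce, peer_secret), peer_cert.public_key)


def mutual_authentication(ca_public, server_cert, server_secret,
                          requester_cert, requester_secret, today: int) -> bool:
    """Establish trust first, then Step 1 (server proves) and Step 2 (requester proves)."""
    if not (trusted(server_cert, requester_cert, ca_public, today)
            and trusted(requester_cert, server_cert, ca_public, today)):
        return False
    return prove(server_cert, server_secret) and prove(requester_cert, requester_secret)


# Constructed demo parties; these primes are tiny by real standards (illustration only).
CA_PUB, CA_SEC = make_keypair(1000000007, 998244353)
SRV_PUB, SRV_SEC = make_keypair(1000000009, 1000000021)
REQ_PUB, REQ_SEC = make_keypair(1000000033, 1000000087)
SERVER_CERT = issue("Demo CA", CA_SEC, "server.example", SRV_PUB, 2027)
REQUESTER_CERT = issue("Demo CA", CA_SEC, "sks", REQ_PUB, 2027)

if __name__ == "__main__":
    print("authenticated:", mutual_authentication(
        CA_PUB, SERVER_CERT, SRV_SEC, REQUESTER_CERT, REQ_SEC, 2025))
```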