SlideShare a Scribd company logo

Practical Web Attacks

Rastislav Turek
Rastislav Turek
Technology
1 of 12
Web application attacks – practical demonstration Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
Agenda Unvalidates Parameters  Access Control Flaws  Session Management Flaws  Cross Site Scripting (XSS)  Injection flaws  Improper Error Handling  AJAX Security           www.nethemba.com       
Unvalidated Parameters Exploit Hidden Fields  Exploit Unchecked Email  Bypass Client Side JavaScript Validation           www.nethemba.com       
Access Controls Flaws Bypass a Path Based Access Control Scheme  Bypass Business Layer Access Control  Bypass Data Layer Access Control           www.nethemba.com       
Session Management Flaws Spoof an Authentication Cookie  Hijack a Session           www.nethemba.com       
Cross Site Scripting (XSS) Stored XSS  Reflected XSS  Cross Site Request Forgery (CSRF)           www.nethemba.com       
Injection flaws Blind SQL injection  Numeric SQL injection  String SQL injection  XPATH injection           www.nethemba.com       
Improper Error Handling Fail Open Authentication Scheme           www.nethemba.com       
AJAX Security Client Side Filtering  Same Origin Policy (SOP) Protection  XML Injection  JSON Injection  Dangerous Use of Eval           www.nethemba.com       
Used tools WebGoat project   http://www.owasp.org/index.php/Category:OWASP_WebGoat_P WebScarab   http://www.owasp.org/index.php/Category:OWASP_WebScarab Tamperdata http://tamperdata.mozdev.org/  LiveHTTPHeaders http://livehttpheaders.mozdev.org/  Add N Edit Cookies   https://addons.mozilla.org/en­US/firefox/addon/573          www.nethemba.com       
References New Web Applications Attacks   http://www.nethemba.com/new_web_attacks­nethe LAMP and PHP security hardening (in Slovak   language)   http://www.nethemba.com/php­sec.pdf          www.nethemba.com       
Thank you for listening! Ing. Pavol Lupták, CISSP, CEH pavol.luptak@nethemba.com          www.nethemba.com       

Recommended

Presentación1
Presentación1Presentación1
Presentación1EvelinRomina
 
CODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLCODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLAngie Quesada Cascante
 
Tercera clase maestria 2.
Tercera clase maestria 2.Tercera clase maestria 2.
Tercera clase maestria 2.Jose Alfredo Alfredo Sanchez
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018 Laura Hartwig
 
Practica obrian espejo
Practica obrian espejoPractica obrian espejo
Practica obrian espejoObrian Espejo
 
Practica Edgar Ortiz
Practica Edgar OrtizPractica Edgar Ortiz
Practica Edgar OrtizUniversidad Técnica de Ambato
 
Codigo de slideshare de medios de alma
Codigo de slideshare de medios de almaCodigo de slideshare de medios de alma
Codigo de slideshare de medios de almaeilencitaloquita2
 

Recommended

Presentación1
Presentación1Presentación1
Presentación1EvelinRomina
 
CODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLCODIGO EMBED Y DIRECCION URL
CODIGO EMBED Y DIRECCION URLAngie Quesada Cascante
 
Tercera clase maestria 2.
Tercera clase maestria 2.Tercera clase maestria 2.
Tercera clase maestria 2.Jose Alfredo Alfredo Sanchez
 
Don't Get Stung
Don't Get StungDon't Get Stung
Don't Get StungBarry Dorrans
 
Word press security 101 2018
Word press security 101 2018 Word press security 101 2018
Word press security 101 2018 Laura Hartwig
 
Practica obrian espejo
Practica obrian espejoPractica obrian espejo
Practica obrian espejoObrian Espejo
 
Practica Edgar Ortiz
Practica Edgar OrtizPractica Edgar Ortiz
Practica Edgar OrtizUniversidad Técnica de Ambato
 
Codigo de slideshare de medios de alma
Codigo de slideshare de medios de almaCodigo de slideshare de medios de alma
Codigo de slideshare de medios de almaeilencitaloquita2
 
Keyword swarm
Keyword swarmKeyword swarm
Keyword swarmGraeemej
 
Mi pasión
Mi pasiónMi pasión
Mi pasiónpilcoedwin
 
Mới
MớiMới
MớiDung Trương
 
Practica Tics
Practica TicsPractica Tics
Practica TicsUniversidad Tecnica de Ambato
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6arqsantibal
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acostaguest7eb22f
 
Jager
JagerJager
Jagerpaskar
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Kampus Menyan
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009Brian Lockrey
 
Amir Khan Returns
Amir Khan ReturnsAmir Khan Returns
Amir Khan ReturnsSharifuzzaman Pintu
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactionsmpderritut
 
тв код
тв кодтв код
тв кодilia
 
Div id
Div idDiv id
Div idMarta Rincon
 
Paky
PakyPaky
PakyCecilia Paye
 
Clase lunes
Clase lunesClase lunes
Clase lunesshirley364
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PPncalleja
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigosangie mesen
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8msz
 
Synopsi Barcamp
Synopsi BarcampSynopsi Barcamp
Synopsi BarcampRastislav Turek
 
Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty bankyRastislav Turek
 
Fraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsFraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsBond Beebe Accountants & Advisors
 
OWASP Testing Guide v3
OWASP Testing Guide v3OWASP Testing Guide v3
OWASP Testing Guide v3Rastislav Turek
 

More Related Content

What's hot

Keyword swarm
Keyword swarmKeyword swarm
Keyword swarmGraeemej
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6arqsantibal
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acostaguest7eb22f
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Kampus Menyan
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009Brian Lockrey
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactionsmpderritut
 
тв код
тв кодтв код
тв кодilia
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PPncalleja
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigosangie mesen
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8msz
 

What's hot (18)

Keyword swarm
Keyword swarmKeyword swarm
Keyword swarm
 
Mi pasión
Mi pasiónMi pasión
Mi pasión
 
Mới
MớiMới
Mới
 
Practica Tics
Practica TicsPractica Tics
Practica Tics
 
Practica 1 modulo 6
Practica 1 modulo 6Practica 1 modulo 6
Practica 1 modulo 6
 
Juan Pablo Acosta
Juan Pablo AcostaJuan Pablo Acosta
Juan Pablo Acosta
 
Jager
JagerJager
Jager
 
Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)Widget radio sarkub (nusa radio)
Widget radio sarkub (nusa radio)
 
Wordcampcolumbus 2009
Wordcampcolumbus 2009Wordcampcolumbus 2009
Wordcampcolumbus 2009
 
Amir Khan Returns
Amir Khan ReturnsAmir Khan Returns
Amir Khan Returns
 
Chemical reactions
Chemical reactionsChemical reactions
Chemical reactions
 
тв код
тв кодтв код
тв код
 
Div id
Div idDiv id
Div id
 
Paky
PakyPaky
Paky
 
Clase lunes
Clase lunesClase lunes
Clase lunes
 
Ejercicios de PP
Ejercicios de PPEjercicios de PP
Ejercicios de PP
 
Practica de códigos
Practica de códigosPractica de códigos
Practica de códigos
 
Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8Browser bloat 4x3 draft 8
Browser bloat 4x3 draft 8
 

Viewers also liked

Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty bankyRastislav Turek
 
Socialne siete: navod pre deti
Socialne siete: navod pre detiSocialne siete: navod pre deti
Socialne siete: navod pre detiRastislav Turek
 
Slovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruSlovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruRastislav Turek
 
Sociálne siete a bezpečnosť
Sociálne siete a bezpečnosťSociálne siete a bezpečnosť
Sociálne siete a bezpečnosťRastislav Turek
 
Cuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionCuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionverenicecastro
 
Inbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosInbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosRicardo Marsili
 

Viewers also liked (15)

Synopsi Barcamp
Synopsi BarcampSynopsi Barcamp
Synopsi Barcamp
 
Cílené útoky na klienty banky
Cílené útoky na klienty bankyCílené útoky na klienty banky
Cílené útoky na klienty banky
 
Fraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-ProfitsFraud Prevention for Small Businesses and Non-Profits
Fraud Prevention for Small Businesses and Non-Profits
 
OWASP Testing Guide v3
OWASP Testing Guide v3OWASP Testing Guide v3
OWASP Testing Guide v3
 
Socialne siete: navod pre deti
Socialne siete: navod pre detiSocialne siete: navod pre deti
Socialne siete: navod pre deti
 
Slovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoruSlovenské deti a riziká virtuálneho priestoru
Slovenské deti a riziká virtuálneho priestoru
 
Sociálne siete a bezpečnosť
Sociálne siete a bezpečnosťSociálne siete a bezpečnosť
Sociálne siete a bezpečnosť
 
23 at iwdk
23 at iwdk23 at iwdk
23 at iwdk
 
FranzDennisCV
FranzDennisCVFranzDennisCV
FranzDennisCV
 
Technology milestone
Technology milestoneTechnology milestone
Technology milestone
 
Lymphoma
LymphomaLymphoma
Lymphoma
 
Kelsey Old Resume
Kelsey Old ResumeKelsey Old Resume
Kelsey Old Resume
 
Cuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacionCuadro de los tipos de evaluacion
Cuadro de los tipos de evaluacion
 
Storyboard
StoryboardStoryboard
Storyboard
 
Inbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos PráticosInbound Marketing - Conceitos e Exemplos Práticos
Inbound Marketing - Conceitos e Exemplos Práticos
 

Similar to Practical Web Attacks

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFMark Stanton
 
Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation RevisedOntico
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload PresentationOntico
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionseyelliando dias
 
High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)Stoyan Stefanov
 
Douglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash UpDouglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash Up360|Conferences
 
Implementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityImplementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityJISC.AM
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!Cláudio André
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008mvitor
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaJim Manico
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series Amazon Web Services Korea
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshoptestuser1223
 
Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Matthew Baya
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramOpenDNS
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)Jeremiah Grossman
 

Similar to Practical Web Attacks (20)

Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRFBe Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
 
Practical web-attacks2
Practical web-attacks2Practical web-attacks2
Practical web-attacks2
 
Gmr Highload Presentation Revised
Gmr Highload Presentation RevisedGmr Highload Presentation Revised
Gmr Highload Presentation Revised
 
Gmr Highload Presentation
Gmr Highload PresentationGmr Highload Presentation
Gmr Highload Presentation
 
Case Studies
Case StudiesCase Studies
Case Studies
 
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey IntroductionseyCwinters Intro To Rest And JerREST and Jersey Introductionsey
Cwinters Intro To Rest And JerREST and Jersey Introductionsey
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)High Performance Kick Ass Web Apps (JavaScript edition)
High Performance Kick Ass Web Apps (JavaScript edition)
 
Web Application Defences
Web Application DefencesWeb Application Defences
Web Application Defences
 
Douglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash UpDouglas Knudsen - Great Mash Up
Douglas Knudsen - Great Mash Up
 
Implementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff UniversityImplementing a production Shibboleth IdP service at Cardiff University
Implementing a production Shibboleth IdP service at Cardiff University
 
Hacker, you shall not pass!
Hacker, you shall not pass!Hacker, you shall not pass!
Hacker, you shall not pass!
 
WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008WWW:::Mechanize YAPC::BR 2008
WWW:::Mechanize YAPC::BR 2008
 
Cross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with JavaCross Site Scripting (XSS) Defense with Java
Cross Site Scripting (XSS) Defense with Java
 
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
AWS IAM과 친해지기 – 조이정, AWS 솔루션즈 아키텍트:: AWS Builders Online Series
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Using Wordpress 2009 04 29
Using Wordpress 2009 04 29Using Wordpress 2009 04 29
Using Wordpress 2009 04 29
 
Ajax Security
Ajax SecurityAjax Security
Ajax Security
 
Security Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training ProgramSecurity Ninjas: An Open Source Application Security Training Program
Security Ninjas: An Open Source Application Security Training Program
 
WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)WhiteHat Security "Website Security Statistics Report" (Q1'09)
WhiteHat Security "Website Security Statistics Report" (Q1'09)
 

More from Rastislav Turek

Dodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciDodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciRastislav Turek
 
Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Rastislav Turek
 
Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Rastislav Turek
 
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skKritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skRastislav Turek
 
SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0Rastislav Turek
 
Rodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRastislav Turek
 
Vraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláVraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláRastislav Turek
 
Pravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímPravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímRastislav Turek
 
Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Rastislav Turek
 
Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Rastislav Turek
 

More from Rastislav Turek (12)

Dodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraciDodatok k zmluve o spolupraci
Dodatok k zmluve o spolupraci
 
Zmluva o spolupraci
Zmluva o spolupraciZmluva o spolupraci
Zmluva o spolupraci
 
Credit Card Frauds
Credit Card FraudsCredit Card Frauds
Credit Card Frauds
 
Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008Výročná správa SK-NIC, a.s. za rok 2008
Výročná správa SK-NIC, a.s. za rok 2008
 
Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007Výročná správa SK-NIC, a.s. za rok 2007
Výročná správa SK-NIC, a.s. za rok 2007
 
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne skKritika pravidiel poskytovania menného priestoru v internetovej doméne sk
Kritika pravidiel poskytovania menného priestoru v internetovej doméne sk
 
SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0SYNOPSI Boyfriend Audit 2.0
SYNOPSI Boyfriend Audit 2.0
 
Rodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows VistaRodičovská kontrola vo Windows Vista
Rodičovská kontrola vo Windows Vista
 
Vraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidláVraj rodinách chýbajú pravidlá
Vraj rodinách chýbajú pravidlá
 
Pravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosímPravá zdravá strava alebo Jeden Vifon, prosím
Pravá zdravá strava alebo Jeden Vifon, prosím
 
Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008Information Security Survey in Slovak Republic 2008
Information Security Survey in Slovak Republic 2008
 
Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007Information Security Survey in Czech Republic 2007
Information Security Survey in Czech Republic 2007
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 

Recently uploaded (20)

Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 

Practical Web Attacks

  • 1. Web application attacks – practical demonstration Ing. Pavol Lupták, CISSP, CEH          www.nethemba.com             www.nethemba.com      
  • 2. Agenda Unvalidates Parameters  Access Control Flaws  Session Management Flaws  Cross Site Scripting (XSS)  Injection flaws  Improper Error Handling  AJAX Security           www.nethemba.com       
  • 3. Unvalidated Parameters Exploit Hidden Fields  Exploit Unchecked Email  Bypass Client Side JavaScript Validation           www.nethemba.com       
  • 4. Access Controls Flaws Bypass a Path Based Access Control Scheme  Bypass Business Layer Access Control  Bypass Data Layer Access Control           www.nethemba.com       
  • 5. Session Management Flaws Spoof an Authentication Cookie  Hijack a Session           www.nethemba.com       
  • 6. Cross Site Scripting (XSS) Stored XSS  Reflected XSS  Cross Site Request Forgery (CSRF)           www.nethemba.com       
  • 7. Injection flaws Blind SQL injection  Numeric SQL injection  String SQL injection  XPATH injection           www.nethemba.com       
  • 8. Improper Error Handling Fail Open Authentication Scheme           www.nethemba.com       
  • 9. AJAX Security Client Side Filtering  Same Origin Policy (SOP) Protection  XML Injection  JSON Injection  Dangerous Use of Eval           www.nethemba.com       
  • 10. Used tools WebGoat project   http://www.owasp.org/index.php/Category:OWASP_WebGoat_P WebScarab   http://www.owasp.org/index.php/Category:OWASP_WebScarab Tamperdata http://tamperdata.mozdev.org/  LiveHTTPHeaders http://livehttpheaders.mozdev.org/  Add N Edit Cookies   https://addons.mozilla.org/en­US/firefox/addon/573          www.nethemba.com       
  • 11. References New Web Applications Attacks   http://www.nethemba.com/new_web_attacks­nethe LAMP and PHP security hardening (in Slovak   language)   http://www.nethemba.com/php­sec.pdf          www.nethemba.com       
  • 12. Thank you for listening! Ing. Pavol Lupták, CISSP, CEH pavol.luptak@nethemba.com          www.nethemba.com