There are a lot of web applications which lag serious security issues: - Input is not escaped - external file validation is not proper - db user has permission to drop entire database - your app may be hosted on any ill-configured server - injectable input fields, no guard against XSS attacks. Let's see how different attacks are made on any web app & their impact on an organisation. This covers a lot of hands-on demo examples.

1. Web Application Security pitfalls

2. Introduction & Some BAD Stories
1 billion accounts
has been hacked twice , recently in 2016 Yahoo told that 1 billion
accounts info were stolen
notified/urged users to change their password (and I also got
that mail)
The problem is it happened all the way back in August 2013.
Hacker has had more than three years to exploit it, security
experts say
Hacker attempting to sell information on 200 million Yahoo
accounts.
$256 million or more
online retailer, Cyber criminals took more than 45 million credit
and debit card numbers
some of which were used later to buy millions of dollars in
electronics from Wal-Mart and elsewhere
$2 billion
- The Sony data breach, which exposed information from more
than 100 million user accounts in April 20, 2011
- Hackers obtained personal information, including credit, debit,
and bank account numbers in some instances
- while the site was down for a month.
$140 million
a payment processor was the victim of a major cyber attack in
2008
100 million credit and debit cards

3. Contents
Http Request /Response flow
1. How http request-response works
2. Anatomy of http request & response
3. Demonstrate using chrome inspector or Burp proxy
OWASP
1. What is OWASP
2. OWASP Top 10 attacks
SQL Injection
1. What it is ? & How attack happens
2. Practical Demo using DVWA web app
3. Lab tool : sqlmap to detect & exploit using SQL Injection
4. Mitigations and guarding
Data Validation & Distrust all data

4. HTTP Request-Response flow

5. Structure of HTTP Request

6. Structure of HTTP Response

7. OWASP Introduction
OWASP Top 10 attacks:
• List of most critical web application security flaws.
• These error occur frequently and allow attackers to steal data or take over application.
• Tells What is the issue, How to test it , How to fix .
Open Web Application Security Project (OWASP) is an online community
which creates freely-available articles methodologies, documentation, tools,
and technologies in the field of web application security.
OWASP Top 10
OWASP Top 10

8. Injection attacks
References
A1-Injection
Injection flaws , such as SQL, OS Injection, occur when untrusted data
is sent to app which can trick interpreter into executing unintended
commands.
◎ SQL Injection
◎ OS Injection
◎ Shell uploading

9. How attack happens
Action time
Demo: SQL Injection (DVWA)
// Get input
$id = $_REQUEST[ 'id' ];
$db = new mysqli('localhost', 'username', 'password', 'storedb');
$sql = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = $db->query($sql);
Attack Vectors
‘ OR 1=1 # $sql = "SELECT first_name, last_name FROM users WHERE user_id = '' OR 1=1 #'";
‘ UNION SELECT database(), @@version
‘ UNION SELECT table_schema,table_name FROM information_schema.tables
WHERE table_schema = ‘storedb’

10. Automated SQL Injection using sqlmap Tool
Action time Usage
Demo: sqlmap db exploit
Sqlmap : Open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over of database servers.
Build in python & requires python installed on system.
Support to dump database tables entirely,
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM
DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management
systems.
Automatic recognition of password hash formats and support for cracking them using a
dictionary-based attack.

11. Defences against SQL Injection
◎ Prepared statements (parameterized queries)
◎ Escaping all User Supplied Input
◎ Strict validation over input parameters
◎ Use of stored-procedures
Site-sharing
Prevention CheatSheet

12. References
Special thanks to all the people who made and released
these awesome resources for free:
◎ https://www.owasp.org/
◎ http://sqlmap.org/

13. Thanks!
Any questions?
You can find me at:
deepak.chandani@thepsi.com