Secure web programming plus end users' awareness are the last line of defense against attacks targeted at the corporate systems, particularly web applications, in the era of world-wide web.
Most web application attacks occur through Cross Site Scripting (XSS), and SQL Injection. On the other hand, most web application vulnerabilities arise from weak coding with failure to properly validate users' input, and failure to properly sanitize output while displaying the data to the visitors.
The literature also confirms the following web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, and 15% insufficient authentication, and others.
Abdul Rahman Sherzad, lecturer at Computer Science Faculty of Herat University, and Ph.D. student at Technical University of Berlin gave a presentation at 12th IT conference on Higher Education for Afghanistan in MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan introducing web application security threats by demonstrating the security problems that exist in corporate systems with a strong emphasis on secure development. Major security vulnerabilities, secure design and coding best practices when designing and developing web-based applications were covered.
The main objective of the presentation was raising awareness about the problems that might occur in web-application systems, as well as secure coding practices and principles. The presentation's aims were to build security awareness for web applications, to discuss the threat landscape and the controls users should use during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.
Vulnerabilities in modern web applications - Niyas Nazar
Microsoft PowerPoint presentation for a BTech academic seminar. This seminar discusses penetration testing, penetration testing tools, web application vulnerabilities, the impact of vulnerabilities and security recommendations.
+ Background & Basics of Web App Security, The HTTP Protocol
+ Web Application Insecurities, OWASP Top 10 Vulnerabilities (XSS, SQL Injection, CSRF, etc.)
+ Web App Security Tools (Scanners, Fuzzers, etc.), Remediation of Web App Vulnerabilities
+ Web Application Audits and Risk Assessment.
Web Application Security 101 was conducted by:
Vaibhav Gupta, Vishal Ashtana, Sandeep Singh from Null.
Application Security - Your Success Depends on it - WSO2
Traditional information security mainly revolves around network and operating system (OS) level protection. Regardless of the level of security guarding those aspects, the system can be penetrated and the entire deployment can be brought down if your application's security isn't taken into serious consideration. Information security should ideally start at the application level, before network and OS level security is ensured. To achieve this, security needs to be integrated into the application at the software development phase.
In this session, Dulanja will discuss the following:
The importance of application security - why network and OS security is insufficient.
Challenges in securing your application.
Making security part of the development lifecycle.
Web App Security Presentation by Ryan Holland - 05-31-2017 - TriNimbus
Web App Security - A presentation by Ryan Holland, Sr. Director, Cloud Architecture at Alert Logic, for the Vancouver AWS User Group Meetup on May 31, 2017.
OWASP Top 10 2021 – Overview and What's New.
OWASP Top 10 is the most successful OWASP Project
It shows ten most critical web application security flaws.
Read the presentation and you will learn each OWASP Top 10 category and recommendations on how to prevent it.
This Edureka PPT on "Application Security" will help you understand what application security is and measures taken to improve the security of an application often by finding, fixing and preventing security vulnerabilities.
Following are the topics covered in this PPT:
Introduction to Cybersecurity
What is Application Security?
What is an SQL Injection attack
Demo on SQL Injection
Follow us to never miss an update in the future.
Instagram: https://www.instagram.com/edureka_learning/
Facebook: https://www.facebook.com/edurekaIN/
Twitter: https://twitter.com/edurekain
LinkedIn: https://www.linkedin.com/company/edureka
You've seen the headlines. You're beginning to understand the importance of cybersecurity. Where do you begin? It's important to understand the common methods of attack and ways you can begin to protect your organization today. For more information on our cybersecurity education please visit FPOV.com/edu.
This presentation will provide an overview of what a penetration test is, why companies pay for them, and what role they play in most IT security programs. It will also include a brief overview of the common skill sets and tools used by today’s security professionals. Finally, it will offer some basic advice for getting started in penetration testing. This should be interesting to aspiring pentesters trying to gain a better understanding of how penetration testing fits into the larger IT security world.
Additional resources can be found in the blog below:
https://www.netspi.com/blog/entryid/140/resources-for-aspiring-penetration-testers
More security blogs by the authors can be found @
https://www.netspi.com/blog/
Thesis writing and editing guide - Abdul Rahman Sherzad
One of the goals of presenting a thesis or monograph is to familiarize students with how to write and organize the material of a scientific research topic. This guide has been arranged in a simple manner and can accompany you all the way to a complete thesis. The thesis is part of the activities required to obtain a degree in the relevant field and level of study, and it must be written and compiled logically and scientifically.
One of the reasons for preparing this guide is to create greater consistency and uniformity among students' theses and dissertations in terms of appearance, typing, binding and page layout of the theses of postgraduate students. The present guide has been prepared on the basis of the instructions of the Ministry of Higher Education of Afghanistan and with consideration of the key points of Herat University's regulations.
Herat University Library Management System Persian User Manual - Abdul Rahman Sherzad
In general, the goal of the Library Management System is to replace the traditional, paper-based and obsolete system currently in use in the libraries of Herat University with a modern technology system that enables library staff to carry out all of their assigned duties in a highly effective manner.
Implementing this project enables library staff (librarians) to register library resources, namely books, electronic books (eBooks), users, notices and so on, as well as to update, delete and issue a book to a member, and to find accurate information about library resources such as the total number of books and members; for example, listing members by gender, university and department, books issued to members, and books that were not returned by the due date.
Library members can use this project to find details of all the books currently held in the libraries and to determine whether they are available, whether they have been borrowed, and the date by which they must be returned.
This presentation demonstrates the achievement of Herat University in implementing a local electronic Library Management System, which reduces paper-based work and provides users with efficient services.
In addition, Herat University officially opened and inaugurated, within the context of the Library Management System and establishing Infor
Transforming a Paper-Based Library System to Digital in Example of Herat Univ... - Abdul Rahman Sherzad
Resourceful libraries have long attracted knowledge-seekers and have played an important role in education and research. With the astonishing advances in science and technology, traditional libraries have not remained unaffected and the concept of digital library has emerged and caused a revolution in these old institutions. A digital library can provide access to many of the information networks around the world, which is a necessary component of almost any research experience today.
Considering the facilities associated with a digital library, gradual replacement of traditional libraries by digital ones appears to be inevitable. As an important step in enhancement of education in Afghanistan, the concept of digital libraries must be introduced and integrated into the country’s rapidly evolving educational system.
This thesis addresses the challenges existing in Afghanistan university libraries. A solution for each challenge is defined by introducing digital and automated systems and finally a scheme is provided for switching from a paper-based library system to a digital library system.
Introduction to SQL_02 lecture with English language and Persian Translation. This lecture is for absolutely beginners. This is the ninth lecture in database one.
bitCharities democratizes charitable giving by connecting brands, non-profits and donors.
bitCharities.com gathers large scale data on its entire user and donor base and shares it at no cost with the participating charities so that they can scale their fundraising efforts with larger corporate sponsors. bitCharities gives back 100% of the donations gathered on its platform to the charities.
While donors can easily, simply, and publicly support a wide range of charitable organizations, brands can align their philanthropic efforts with their customers. bitCharities can engage the first party brand's database and activate them to participate in charitable donations, creating global awareness and a call for action even before any money is spent.
Currently bitCharities gathers an average of 8,000 daily donations:
http://www.bitlanders.com/pages/top_charities
bitCharities is an organization who uses Bitcoin and other crypto-assets to empower digital citizens of any income level with a user-friendly platform to support charities of their choice through micro donations starting at 1 Satoshi (about 1/5000th of a US cent).
Introduction to graph databases in terms of Neo4j - Abdullah Hamidi
The records in a graph database are called Nodes .
Nodes are connected through typed, directed Relationships.
Each single Node and Relationship can have named attributes referred to as Properties.
A Label is a name that organizes nodes into groups.
The flexibility of the graph model has allowed us to add new nodes and new relationships.
Relationships in a graph naturally form paths. Querying—or traversing—the graph involves following paths.
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers - Savvius, Inc
When you suspect an attack, you need to answer the questions who, what, when and how - fast. Network forensics is the answer. In this webinar, you'll learn from our special guest, Keatron Evans, how network forensics—network traffic recording along with powerful search and analysis tools—can enable your in–house security team to track down, verify, and characterize attacks. Keatron will walk you through a few real-world security breach scenarios and demonstrate live best practices for attack analysis using network forensics to find the proof you need quickly to take action.
Special Guest: Keatron Evans:
Keatron, one of the two lead authors of "Chained Exploits: Advanced Hacking Attacks From Start to Finish", is regularly engaged in training and consulting for members of the United States intelligence community, military, and federal law enforcement agencies. Keatron specializes in penetration testing, network forensics, and malware analysis. Keatron serves as Senior Security Researcher and Principle of Blink Digital Security which performs penetration tests and forensics for government and corporations.
Slides from the dataMinds Connect 2018 Conference, hosted at Ghelamco Arena in Ghent by the Belgian SQL Server User Group. SECDev(OPS): How to embrace your security.
A Review paper on Securing PHP based websites From Web Application Vulnerabil... - Editor IJMTER
In today's era, web applications are one of the most ubiquitous platforms for information sharing and services over the Internet, and they play a significant role in individual life as well as in any country's growth. Web applications have gone through very rapid growth as they are increasingly used by financial organizations, government, hospitality and many critical services. Web applications have become a popular and precious target for security attacks. At the present time, billions of transactions are done online through net banking, online shopping, online billing and many more. Even though these applications are used by lots of people, modern web applications often implement complex structures that require users to carry out actions in a given order, and in many cases the security level is too low, which leaves them vulnerable to compromise. Even though a large number of techniques have been developed to build up web applications and mitigate attacks against them, little effort has gone into drawing relations among these techniques and building a big picture of web application security (WAS) research. In this paper, we present a survey on various types of web application vulnerabilities (WAV).
Website security is geared towards ensuring the security of websites and web applications and preventing and/or responding effectively to cyber threats.
Application Security session given as part of the Solvay Executive Master in IT Management.
Explaining application security challenges for web, mobile, cloud and internet of things.
Positioning OWASP SAMM as structural and measurable framework to get application security under control in the complete application lifecycle.
A Closer Look at Isolation: Hype or Next Gen Security? - Menlo Security
This webinar looks at Isolation from different viewpoints. Learn from a Menlo Security customer, along with John Pescatore, Director of Emerging Technologies at SANS Institute, and Kowsik Guruswamy, Menlo Security CTO, as they explore why organizations around the globe are looking at isolation as the means to protect their users from ever-present web and email dangers.
Cyber Security Workshop @SPIT - 3rd October 2015 - Nilesh Sapariya
Got invited to conduct a workshop on 'Cyber Security' at a top-notch engineering college:
Sardar Patel Institute of Technology, Andheri, on 3rd October 2015.
Student feedback:-
https://drive.google.com/file/d/0B_uWWP1uW7TFWVdTanJFdTlqNkE/view?usp=sharing
Appreciation letter:-
https://drive.google.com/file/d/0B_uWWP1uW7TFMkVVUTR4V1JTN2c/view?usp=sharing
Data is the Fuel of Organizations: Opportunities and Challenges in Afghanistan - Abdul Rahman Sherzad
A car without fuel cannot be driven; a mobile, a laptop or a PC without power cannot be used; a website that is not fed with content won't have any visitors; likewise, an organization without data will not stand and cannot survive.
Data is quickly becoming one of the most important resources for any country, company or organization. It is data that enables organizations to explain the past and anticipate the future through data science and business intelligence tools.
This presentation demonstrates how the Kankor data can be used as a resource in the context of Afghanistan, particularly, the candidates’ names that organizations in Afghanistan do not use for anything.
Read the following paper for more information and examples:
https://www.researchgate.net/publication/322695084_Data_is_the_Fuel_of_Organizations_Opportunities_and_Challenges_in_Afghanistan
These useful functions/snippets enable you to validate Unicode characters such as Digits, Person names, and Text mainly used in Afghanistan and Iran.
Feature list:
* Validate Person names commonly used in Afghanistan and Iran. Person names may be in Persian/Dari, Arabic, and English and similar languages;
* Validate only Persian Text;
* Validate only Pashtu Text;
* Validate digit in Persian/Dari, Pashtu and Arabic format;
* Validate digit in all common formats.
This presentation explains and solves problems such as Factorial, Fibonacci, Greatest Common Divisor, Binary Search, and Traversing Directory and Sub-Directories in both recursion and iteration.
In summary, there are similarities between recursion and iteration. Hence, any problems that can be solved with iterations can be solved with recursions and vice versa.
In SQL, the ORDER BY keyword is used to sort the result-set in ascending (ASC) or descending (DESC) order by some specified column/columns.
It works great for most of the cases. However, for alphanumeric data, it may not return the result-set that you will be expecting.
This presentation explains how this can be addressed using different techniques.
In PHP, variable variables take the value of one variable, and treat that as the name of another variable.
Variable variables are just variables whose names can be programmatically set and accessed. Hence, they are also called dynamic variable names.
Cross joins are used to return every combination of rows from two and more than two tables. Cross Joins are sometimes called a Cartesian product. This presentation illustrates cross join examples and applications in real life.
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch... - Abdul Rahman Sherzad
The increase in enrollment in education and higher education institutions, the increase in the use of the Internet as well as the emergence of technology in educational systems have led to the aggregation of large amounts of student data at educational institutions (schools, colleges, and universities), which makes it vital to use data mining methods to improve the educational settings.
Although educational institutions collect an enormous amount of student data, this data is utilized to produce basic insights and is not used for decisions to improve the educational settings.
To get essential benefits from the data, powerful techniques are required to extract the useful knowledge which is valuable and significant for the decision and policy makers.
Database Automation with MySQL Triggers and Event Schedulers - Abdul Rahman Sherzad
This advanced training seminar on "Database Automation using MySQL Triggers and Event Schedulers" is dedicated to the Computer Science graduates and students of both public and private universities.
In this seminar we are going to look in depth at MySQL Triggers and Event Schedulers– powerful features supported by most popular commercial and open source relational database systems.
The Triggers are powerful tools for protecting the integrity of the data in the databases, logging and auditing of the changes on data, business logic, perform calculations, run further SQL commands, etc.
The Events are very useful to automate some database operations such as optimizing database tables, cleaning up logs, archiving data, or generate complex reports during off-peak time, etc.
The participants will learn about the true concept, implementation and application of MySQL Triggers and Event Schedulers with real life examples and scenarios.
They will also learn how to use the database triggers and event schedulers in many real cases to automate database tasks - such as optimizing database tables, cleaning up logs, archiving data, or generate complex reports during off-peak time.
This seminar is presented by Abdul Rahman Sherzad lecturer at Computer Science faculty of Herat University, and PhD Student at Technical University of Berlin, Germany at Hariwa Institute of Higher Education, Herat, Afghanistan.
Education is one of the main pillars and key concerns for every society. In developing countries, in particular in Afghanistan, we observe a remarkable increase in enrollment in education and higher education institutions, but most students don't have proper access to their scores. For instance, when the Kankor result is announced, the vast amount of traffic the visitors generate brings the website completely down and makes it inaccessible. As another example, there is no efficient method to access university scores, in particular for students from other provinces. Last but not least, diploma and certificate verification is a lengthy and complicated process: when graduated students apply for jobs and scholarships inside or outside of Afghanistan, they are asked to provide their certificate and diploma. One solution can be verification of graduation documents through SMS.
In Herat Innovation Lab 2015, the Education group members, under the mentorship of Abdul Rahman Sherzad, chose this social and educational problem, and within three days they designed and developed a prototype solution that enables students to access Kankor score results, university score results, faculty announcements and events, and certificate/diploma verification via SMS, mobile and web applications effectively and efficiently.
Innovation Labs (iLabs) is a social innovation program covering a series of conferences. On the one hand, the goal is to bring social and technology experts together for networking. On the other hand, the motivation is to harness technology to solve the most challenging social and environmental problems and to build tech-based systems.
This presentation looks into the existing web structure and services of all Afghan universities, not only to evaluate the entire infrastructure but also to systematically analyze the gaps and design challenges of web platforms and services as a means of communication and collaboration among various stakeholders including the Ministry of Higher Education, its subsidiaries, students and other related audience.
The presentation finds that the environment for the necessary ICT infrastructure and services is up to the required standard to provide access to various online resources and systems. The next important finding is the increasing demand by students to access information online rather than through the existing traditional paper-based systems. Another very important finding is the absence of formal managerial oversight of the online resources, which has resulted in very poor quality of content, outdated information, and services that don't meet the expected needs and challenges.
PHP Basic and Fundamental Questions and Answers with Detailed Explanation - Abdul Rahman Sherzad
These PHP basic and fundamental questions and answers with detailed explanations help students and learners to think comprehensively, and to dig deeper to understand the concept and the root of each topic concretely.
This presentation introduces Java Applet and Java Graphics in detail with examples and finally using the concept of both applet and graphics code the analog clock project to depict how to use them in real life challenges and applications.
Fundamentals of Database Systems questions and answers with explanation for fresher's and experienced for interview, competitive examination and entrance test.
Today, we continue our journey into the world of RDBMS (relational database management systems) and SQL (Structured Query Language).
In this presentation, you will understand about some key definitions and then you will learn how to work with multiple tables that have relationships with each other.
First, we will go covering some core concepts and key definitions, and then will begin working with JOINs queries in SQL.
This presentation guides you step by step through making a custom Splash Screen using Java programming. In addition, you will learn the concept and usage of Java Timer, Java Progress Bar and Window ...
This presentation explains step by step how to develop and code Fal-e Hafez (Omens of Hafez) cards in Persian using Java. There are several applications coded in different programming languages, i.e. Java for desktops and mobiles, HTML, CSS and PHP for web pages, etc., and this shows the importance of the Omens of Hafez among Persian people.
This presentation is an introduction to the web design and development life cycle and to web technologies. With it, you will learn about web technologies and the life cycle of developing an efficient website and web application, and finally some web essentials questions will be provided and reviewed.
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes - Abdul Rahman Sherzad
A virtual keyboard is a component used on computers without a real keyboard, e.g. touch-screen computers and smartphones, where a mouse can utilize the keyboard's functionalities and features.
In addition, virtual keyboards are used for the following purposes: foreign character sets, touchscreens, bypassing key loggers, etc.
With Unicode you can program and accomplish many fun, cool and useful programs and tools, for instance an Abjad Calculator, a Bubble Text Generator to write letters in circles, a Flip Text Generator to write letters upside down, Google Transliteration to convert English names to Persian/Arabic, etc.
This presentation by Morris Kleiner (University of Minnesota), was made during the discussion “Competition and Regulation in Professions and Occupations” held at the Working Party No. 2 on Competition and Regulation on 10 June 2024. More papers and presentations on the topic can be found out at oe.cd/crps.
This presentation was uploaded with the author’s consent.
Have you ever wondered how search works while visiting an e-commerce site, internal website, or searching through other types of online resources? Look no further than this informative session on the ways that taxonomies help end-users navigate the internet! Hear from taxonomists and other information professionals who have first-hand experience creating and working with taxonomies that aid in navigation, search, and discovery across a range of disciplines.
0x01 - Newton's Third Law: Static vs. Dynamic Abusers - OWASP Beja
If you offer a service on the web, odds are that someone will abuse it. Be it an API, a SaaS, a PaaS, or even a static website, someone somewhere will try to figure out a way to use it for their own needs. In this talk we'll compare measures that are effective against static attackers and how to battle a dynamic attacker who adapts to your counter-measures.
About the Speaker
===============
Diogo Sousa, Engineering Manager @ Canonical
An opinionated individual with an interest in cryptography and its intersection with secure software development.
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives... - Orkestra
UIIN Conference, Madrid, 27-29 May 2024
James Wilson, Orkestra and Deusto Business School
Emily Wise, Lund University
Madeline Smith, The Glasgow School of Art
Acorn Recovery: Restore IT infra within minutes - IP ServerOne
Introducing Acorn Recovery as a Service, a simple, fast, and secure managed disaster recovery (DRaaS) by IP ServerOne. A DR solution that helps restore your IT infra within minutes.
Obesity causes and management and associated medical conditions
Web Application Security and Awareness
1. Web Application Security and Awareness
Abdul Rahman Sherzad
Lecturer at Computer Science Faculty of Herat University, Afghanistan, and Ph.D. Student at Technical University of Berlin, Germany
December 19, 2016
12th IT Conference for Higher Education in Afghanistan
January 05, 2017
Hariwa Institute of Higher Education, Herat, Afghanistan
2. Major problems were only caused by a collection of smaller factors, and only a reverse similar behavior is needed to resolve the given situation (Sherzad).
3. Goal and Objectives
■ Build security awareness for web applications
■ Get to know attack methods
■ Learn ways to discover security vulnerabilities
■ Learn the basics of secure web development
6. Security Threats
■ The majority of web application attacks occur through
– Cross Site Scripting (XSS)
– SQL Injection
■ The majority of web application vulnerabilities arise from
– Weak coding,
– Failure to properly validate input,
– Failure to sanitize output.
[2] [3] [4]
8. User Input
■ An attacker can easily change any part of the HTTP request before submitting it
– Cookies
– Form fields
– Hidden fields
– URL
– Headers
■ The ultimate solution: input must be validated on the SERVER!
– Not just on the CLIENT!
[5]
9. Client-side - Demo Link
■ Client-side validation (can be disabled by the client)
– HTML5
– JavaScript
■ Input fields (can be modified by the client)
– Hidden fields
– Dropdown
■ Cookies (can be changed by the client)
10. Phishing – Demo Link
■ Hackers use E-MAIL / instant messages to phish for, or steal, a user's personal and financial information
– User ID / Password
– Credit card number
– PIN
■ In a typical phishing attack a user receives an e-mail message that pretends to come from a bank or other e-commerce enterprise.
■ 1% to 20% of users respond to such attacks.
■ In Afghanistan it is very common and effective!!!
[6] [7]
11. Phishing Ultimate Solutions
■ Policy guidelines
■ Training the end users
■ User awareness
– Carefully check suspicious links!
– Do not click links in an E-MAIL asking for sensitive data!
– Do not trust TinyURL links!
– Do not enter CREDIT CARD or other sensitive data if the website address doesn't start with https://
[6] [7]
12. Cross-site Scripting (XSS)
■ XSS is a security exploit in which the attacker inserts malicious client-side code into web pages.
■ It has been around since the 1990s.
■ Most major websites, like Google, Yahoo and Facebook, have been affected by cross-site scripting flaws at some point.
■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code, or be used as part of a phishing scam.
– Reflected - Demo Link
– Persistent – Basic Demo Link || Steal Cookie Demo Link
[8] [9] [10]
13. Preventing XSS Attacks
■ Filtering
■ Input Validation / Output Sanitization
■ Select a safer browser
■ Use a virtual machine for suspicious links
■ Pay more attention to shortened URLs
■ Use plugins for better security (like NoScript).
[8] [9] [10]
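Slides 8, 9 and 13 together make one point: the server re-validates every client-supplied value (hidden fields and dropdown options included) and HTML-encodes data at output time. The following handler is an added example and not code from the presentation; the form fields, the allowed role values and the username rule are assumptions.

```python
import html
import re

# Constructed example: a minimal request handler that re-checks every
# client-supplied value on the server and HTML-encodes all output.
# Field names, allowed values and the username rule are assumptions.
ALLOWED_ROLES = {"student", "lecturer"}       # the real dropdown options
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_profile(form: dict) -> dict:
    """Validate a submitted form on the server; raise ValueError on bad input.

    HTML5/JavaScript checks and the dropdown's option list are hints only:
    the client can disable them or change the submitted values.
    """
    username = form.get("username", "")
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    role = form.get("role", "")
    if role not in ALLOWED_ROLES:             # tampered dropdown or hidden field
        raise ValueError("invalid role")
    display_name = form.get("display_name", "").strip()
    if not 1 <= len(display_name) <= 40:
        raise ValueError("invalid display name")
    return {"username": username, "role": role, "display_name": display_name}


def render_profile(profile: dict) -> str:
    """Render validated data; every value is HTML-encoded at output time."""
    # html.escape turns < > & " ' into entities, so a display name such as
    # <script>alert(1)</script> is shown as text instead of being executed.
    return "<p>Welcome, {name} ({role})</p>".format(
        name=html.escape(profile["display_name"]),
        role=html.escape(profile["role"]),
    )


def handle_request(form: dict) -> str:
    """Validate, then render; on failure answer with a generic message."""
    try:
        profile = validate_profile(form)
    except ValueError as err:
        # Fail securely and friendly: no echo of the offending input.
        return "<p>Invalid input: {}</p>".format(html.escape(str(err)))
    return render_profile(profile)
```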
14. SQL Injection
■ SQL Injection is a technique where malicious users inject SQL commands into an SQL statement through
– URLs
– Input parameters
– Others, e.g. cookies, HTTP headers
■ SQL injection is a very old approach, but it is still popular among attackers.
[11] [12]
15. Possible Threats
■ Unauthorized access to the application
– User login without knowing the username or the password
■ Access to the whole database / all databases on the server
– The attacker can delete, modify or, even worse, steal the data
■ Read / write files on the server's file system
■ Code execution
[11] [12]
16. SQL Injection - Demo Link
■ Login without knowing the username and the password
– anything' OR TRUE; --
■ Modify and steal the data
– anything' OR 1; UPDATE users SET email = 'evil@evitsite.com' WHERE email = 'absherzad@gmail.com';--
■ Delete data and even drop the tables
– anything' OR 1; DROP TABLE users; --
18. Conclusion - Core Security Principles
■ Use least privilege
■ Do not trust user input
■ Apply defense in depth
■ Fail securely and friendly
■ Turn off un-needed services
■ Keep systems patched
■ Watch for logic holes
■ Hide sensitive information
– Encryption
– Access controls
[15] [16]
19. Works Cited
[1] The Australian High Tech Crime Center. (2005). Hacking Motives. Australia: Australian High Tech Crime Center.
[2] Cenzic. (2014). Application Vulnerability Trends Report. Cenzic.
[3] The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013
[4] The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASC: http://projects.webappsec.org/w/page/13246995/Web-Hacking-Incident-Database
[5] The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input
[6] The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing
[7] Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you-are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/
[8] The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[9] Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/dangerous-complexity-of-web-application-security/
[10] Abela, R. (2013, May 22). Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/
[11] The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection
[12] Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker: https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/
[13] The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
[14] Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx
[15] Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft.
[16] Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.