SlideShare a Scribd company logo

Web Application Security and Awareness

Abdul Rahman Sherzad
Abdul Rahman Sherzad

Secure web programming plus end users' awareness are the last line of defense against attacks targeted at the corporate systems, particularly web applications, in the era of world-wide web. Most web application attacks occur through Cross Site Scripting (XSS), and SQL Injection. On the other hand, most web application vulnerabilities arise from weak coding with failure to properly validate users' input, and failure to properly sanitize output while displaying the data to the visitors. The literature also confirms the following web application weaknesses in 2010: 26% improper output handling, 22% improper input handling, and 15% insufficient authentication, and others. Abdul Rahman Sherzad, lecturer at Computer Science Faculty of Herat University, and Ph.D. student at Technical University of Berlin gave a presentation at 12th IT conference on Higher Education for Afghanistan in MoHE, and then conducted a seminar at Hariwa Institute of Higher Education in Herat, Afghanistan introducing web application security threats by demonstrating the security problems that exist in corporate systems with a strong emphasis on secure development. Major security vulnerabilities, secure design and coding best practices when designing and developing web-based applications were covered. The main objective of the presentation was raising awareness about the problems that might occur in web-application systems, as well as secure coding practices and principles. The presentation's aims were to build security awareness for web applications, to discuss the threat landscape and the controls users should use during the software development lifecycle, to introduce attack methods, to discuss approaches for discovering security vulnerabilities, and finally to discuss the basics of secure web development techniques and principles.

1 of 20
Download to read offline
Web Application Security and Awareness Abdul Rahman, Sherzad Lecturer at Computer Science Faculty of Herat University, Afghanistan, and Ph.D. Student at Technical University of Berlin, Germany December 19, 2016 12th IT Conference for Higher Education in Afghanistan January 05, 2017 Hariwa Institute of Higher Education, Herat, Afghanistan
2 Major problems were only caused by a collection of smaller factors, and only a reverse similar behavior is needed to resolve the given situation (Sherzad).
Goal and Objectives Build security awareness for web applications Get to know attack methods Learn ways to discover security vulnerabilities Learn the basics of secure web development 3
4 Web Application Security Websites Web Applications Web Services
5 Intentions Malicious Damage Financial Gain Blackmail Further Attacks Political Competitor Commercial Personal Grievance Discover Vulnerabilities Show Skills [1]
Security Threats ■ The majority of web application attacks occur through – Cross Site Scripting (XSS) – SQL Injection ■ The majority of web application vulnerabilities arise from – Weak coding, – Failure to properly validate input, – Failure to sanitize output. 6[2] [3] [4]
2010 Web Applications Weakness 7[2][3][4]
User Input • Attacker can easily change any part of the HTTP request before submitting – Cookies – Form fields – Hidden fields – URL – Headers • The ultimate solution: Input must be validated on the SERVER! – Not just on the CLIENT! 8[5]
Client-side - Demo Link ■ Client-side Validation (Can be disabled by client) – HTML5 – JavaScript ■ Input Fields (Can be Modified by client) – Hidden Fields – Dropdown ■ Cookies (Can be Changed by client) 9
Phishing – Demo Link ■ Hackers use E-MAIL / Instant Message to fish or steal user's personal and financial information – User ID / Password – Credit Card Number – PIN ■ In a typical phishing attack a user will receive an e-mail message impersonated to be sent from a bank or other e-commerce enterprise. ■ 1% - 20% users respond to such attacks. ■ In Afghanistan it is very common and practical!!! 10[6] [7]
Phishing Ultimate Solutions ■ Policy guidelines ■ Training the end users ■ User awareness – Carefully check the suspicious links! – Do not click the E-MAIL asking sensitive data! – Do not Trust TinyURL links! – Do not Enter CREDIT CARD or Sensitive Data if the website doesn't start with https:// 11[6] [7]
Cross-site Scripting (XSS) ■ XSS, a security exploit in which the attacker inserts malicious client-side code into webpages. ■ It has been around since the 1990s. ■ Most major websites like Google, Yahoo and Facebook have all been affected by cross-site scripting flaws at some point. ■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code, or be used as part of a phishing scam. – Reflected - Demo Link – Persistent – Basic Demo Link || Steal Cookie Demo Link 12[8] [9] [10]
Preventing XSS Attacks ■ Filtering ■ Input Validation / Output Sanitization ■ Select a safer browser ■ Use a virtual machine for suspicious links ■ Pay more attention to shortened URLs ■ Use plugins for better security (like NoScript). 13[8] [9] [10]
SQL Injection ■ SQL Injection is a technique where malicious users can inject SQL commands into an SQL statement through – URLs – Input Parameters – Others e.g. Cookie, HTTP Headers ■ SQL injection is a very old approach but it is still popular among attackers. 14[11] [12]
Possible Threats ■ Unauthorized access to application – User login without knowing the login nor the password ■ Access to whole database / databases on the server – Attacker can delete, modify or even worse, steal the data ■ Read / write files on server's file system ■ Code execution 15[11] [12]
SQL Injection - Demo Link ■ Login without knowing the username and the password – anything' OR TRUE; -- ■ Modify and steal the data – anything' OR 1; UPDATE users SET email = 'evil@evitsite.com' WHERE email = 'absherzad@gmail.com';-- ■ Delete data and even drop the tables – anything' OR 1; DROP TABLE users; -- 16
17 Mitigate Risk Always validate input Escape user input Least privilege Use prepared statements Code reviews Salt & hash passwords [13] [14]
Conclusion - Core Security Principles ■ Use least privilege ■ Do not trust user input ■ Apply defense in depth ■ Fail securely and friendly ■ Turn off un-needed services ■ Keep systems patched ■ Watch for logic holes ■ Hide sensitive information – Encryption – Access controls 18[15] [16]
19 Works Cited 1 The Australian High Tech Crime Center. (2005). Hacking Motives. Australia: Australian High Tech Crime Center. 2 The Ocenzic. (2014). Application Vulnerability Trends Report. Ocenzic. 3 The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 4 The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASP: http://projects.webappsec.org/w/page/13246995/Web- Hacking-Incident-Database 5 The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input 6 The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing 7 Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you- are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/ 8 The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross- site_Scripting_(XSS) 9 Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from NetSparker: https://www.netsparker.com/blog/web-security/dangerous- complexity-of-web-application-security/ 10 Abela, R. (2013, May 22). Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/ 11 The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection 12 Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker: https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/ 13 The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet 14 Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx 15 Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft. 16 Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.
20

Recommended

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
IT Security Presentation
IT Security PresentationIT Security Presentation
IT Security Presentationelihuwalker
 

Recommended

Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Cybersecurity Education and Research Centre
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
WSO2
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Intro to Web Application Security
Intro to Web Application SecurityIntro to Web Application Security
Intro to Web Application Security
Rob Ragan
 
IT Security Presentation
IT Security PresentationIT Security Presentation
IT Security Presentationelihuwalker
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
ebusinessmantra
 
Cyber security
Cyber securityCyber security
Cyber security
Manjushree Mashal
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
Mohammad Shakirul islam
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
Vaishak Chandran
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪThesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Abdul Rahman Sherzad
 
Entity Relationship Diagram of Library System
Entity Relationship Diagram of Library SystemEntity Relationship Diagram of Library System
Entity Relationship Diagram of Library System
Abdul Rahman Sherzad
 

More Related Content

What's hot

Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Web application security
Web application securityWeb application security
Web application security
Kapil Sharma
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityAbdul Wahid
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesSoftware Guru
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
Michael Furman
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
ebusinessmantra
 
Cyber security
Cyber securityCyber security
Cyber security
Manjushree Mashal
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
Mohammad Shakirul islam
 
Xss attack
Xss attackXss attack
Xss attack
Manjushree Mashal
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
LearningwithRayYT
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
Marius Vorster
 
Application Security
Application SecurityApplication Security
Application Security
Reggie Niccolo Santos
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
Vaishak Chandran
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 
Brute force attack
Brute force attackBrute force attack
Brute force attackjoycruiser
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks pptAryan Ragu
 
Application security
Application securityApplication security
Application security
Hagar Alaa el-din
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 

What's hot (20)

Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Web application security
Web application securityWeb application security
Web application security
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Web application vulnerabilities
Web application vulnerabilitiesWeb application vulnerabilities
Web application vulnerabilities
 
Cyber security
Cyber securityCyber security
Cyber security
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
 
Xss attack
Xss attackXss attack
Xss attack
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Security Vulnerabilities
Security VulnerabilitiesSecurity Vulnerabilities
Security Vulnerabilities
 
Application Security
Application SecurityApplication Security
Application Security
 
CYBER SECURITY
CYBER SECURITYCYBER SECURITY
CYBER SECURITY
 
Web application security
Web application securityWeb application security
Web application security
 
Brute force attack
Brute force attackBrute force attack
Brute force attack
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...Application Security | Application Security Tutorial | Cyber Security Certifi...
Application Security | Application Security Tutorial | Cyber Security Certifi...
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Phishing attacks ppt
Phishing attacks pptPhishing attacks ppt
Phishing attacks ppt
 
Application security
Application securityApplication security
Application security
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 

Viewers also liked

Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪThesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Abdul Rahman Sherzad
 
Entity Relationship Diagram of Library System
Entity Relationship Diagram of Library SystemEntity Relationship Diagram of Library System
Entity Relationship Diagram of Library System
Abdul Rahman Sherzad
 
Herat University Library Management System Persian User Manual
Herat University Library Management System Persian User ManualHerat University Library Management System Persian User Manual
Herat University Library Management System Persian User Manual
Abdul Rahman Sherzad
 
Easy Learn Computer Settings
Easy Learn Computer SettingsEasy Learn Computer Settings
Easy Learn Computer Settings
syazwanie filzah
 
Herat University Library Management System English User Manual
Herat University Library Management System English User ManualHerat University Library Management System English User Manual
Herat University Library Management System English User ManualAbdul Rahman Sherzad
 
Herat Univeristy Information Department
Herat Univeristy Information DepartmentHerat Univeristy Information Department
Herat Univeristy Information Department
Abdul Rahman Sherzad
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
INSIGHT FORENSIC
 
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
Abdul Rahman Sherzad
 
Tarjumaye jadwali-quran-karim-pdf
Tarjumaye jadwali-quran-karim-pdfTarjumaye jadwali-quran-karim-pdf
Tarjumaye jadwali-quran-karim-pdf
BU
 
Lecture 1. java database connectivity
Lecture 1. java database connectivityLecture 1. java database connectivity
Lecture 1. java database connectivity
Waheedullah Suliman Khail
 
Introduction to sql_02
Introduction to sql_02Introduction to sql_02
Introduction to sql_02
Esmatullah Adel
 
Bitcharities Cause Presentation
Bitcharities Cause PresentationBitcharities Cause Presentation
Bitcharities Cause Presentation
Francesco Rulli
 
E learning ict4-d_presentation
E learning ict4-d_presentationE learning ict4-d_presentation
E learning ict4-d_presentation
Faculty of Computer Science Nangarhar University
 
Simple past
Simple pastSimple past
Simple past
Zainab Bahar Aminy
 
How to speak in public
How to speak in publicHow to speak in public
How to speak in publicJawid Qaumi
 
Introduction to graph databases in term of neo4j
Introduction to graph databases in term of neo4jIntroduction to graph databases in term of neo4j
Introduction to graph databases in term of neo4j
Abdullah Hamidi
 
How to take control of your l ife
How to take control of your l ifeHow to take control of your l ife
How to take control of your l ifeMashooq Jami
 
Web design - Working with forms in HTML
Web design - Working with forms in HTMLWeb design - Working with forms in HTML
Web design - Working with forms in HTML
Mustafa Kamel Mohammadi
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
Savvius, Inc
 

Viewers also liked (20)

Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪThesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
Thesis writing and editing guide - راﻫﻨﻤﺎي ﻧﮕﺎرش و تدوین ﭘﺎﻳﺎن ﻧﺎﻣﻪ
 
Entity Relationship Diagram of Library System
Entity Relationship Diagram of Library SystemEntity Relationship Diagram of Library System
Entity Relationship Diagram of Library System
 
Herat University Library Management System Persian User Manual
Herat University Library Management System Persian User ManualHerat University Library Management System Persian User Manual
Herat University Library Management System Persian User Manual
 
Easy Learn Computer Settings
Easy Learn Computer SettingsEasy Learn Computer Settings
Easy Learn Computer Settings
 
Herat University Library Management System English User Manual
Herat University Library Management System English User ManualHerat University Library Management System English User Manual
Herat University Library Management System English User Manual
 
Herat Univeristy Information Department
Herat Univeristy Information DepartmentHerat Univeristy Information Department
Herat Univeristy Information Department
 
(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope(130511) #fitalk network forensics and its role and scope
(130511) #fitalk network forensics and its role and scope
 
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
Transforming a Paper-Based Library System to Digital in Example of Herat Univ...
 
Tarjumaye jadwali-quran-karim-pdf
Tarjumaye jadwali-quran-karim-pdfTarjumaye jadwali-quran-karim-pdf
Tarjumaye jadwali-quran-karim-pdf
 
Lecture 1. java database connectivity
Lecture 1. java database connectivityLecture 1. java database connectivity
Lecture 1. java database connectivity
 
Introduction to sql_02
Introduction to sql_02Introduction to sql_02
Introduction to sql_02
 
Bitcharities Cause Presentation
Bitcharities Cause PresentationBitcharities Cause Presentation
Bitcharities Cause Presentation
 
E learning ict4-d_presentation
E learning ict4-d_presentationE learning ict4-d_presentation
E learning ict4-d_presentation
 
Simple past
Simple pastSimple past
Simple past
 
How to speak in public
How to speak in publicHow to speak in public
How to speak in public
 
Introduction to graph databases in term of neo4j
Introduction to graph databases in term of neo4jIntroduction to graph databases in term of neo4j
Introduction to graph databases in term of neo4j
 
How to take control of your l ife
How to take control of your l ifeHow to take control of your l ife
How to take control of your l ife
 
MyCV
MyCVMyCV
MyCV
 
Web design - Working with forms in HTML
Web design - Working with forms in HTMLWeb design - Working with forms in HTML
Web design - Working with forms in HTML
 
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the AnswersYou Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
You Suspect a Security Breach. Network Forensic Analysis Gives You the Answers
 

Similar to Web Application Security and Awareness

DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
Tobias Koprowski
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
Editor IJMTER
 
Security system in banks
Security system in banksSecurity system in banks
Security system in banks
university of education,Lahore
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
Daniel Tumser
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
HTS Hosting
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
Prateek Jain
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
Janagi Kannan
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
IAEME Publication
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
Shivam Porwal
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
Sebastien Deleersnyder
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
Mark Garratt
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?
MenloSecurity
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
Nilesh Sapariya
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
Kaukau9
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteImperva Incapsula
 
Security Testing
Security TestingSecurity Testing
Security TestingISsoft
 

Similar to Web Application Security and Awareness (20)

DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
 
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...A Review paper on Securing PHP based websites From Web Application Vulnerabil...
A Review paper on Securing PHP based websites From Web Application Vulnerabil...
 
Security system in banks
Security system in banksSecurity system in banks
Security system in banks
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
C01461422
C01461422C01461422
C01461422
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
 
Web and Mobile Application Security
Web and Mobile Application SecurityWeb and Mobile Application Security
Web and Mobile Application Security
 
Security risks awareness
Security risks awarenessSecurity risks awareness
Security risks awareness
 
Research challenges and issues in web security
Research challenges and issues in web securityResearch challenges and issues in web security
Research challenges and issues in web security
 
Owasp Top 10
Owasp Top 10Owasp Top 10
Owasp Top 10
 
Solvay secure application layer v2015 seba
Solvay secure application layer v2015 sebaSolvay secure application layer v2015 seba
Solvay secure application layer v2015 seba
 
Developing Secure Web Apps
Developing Secure Web AppsDeveloping Secure Web Apps
Developing Secure Web Apps
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?A Closer Look at Isolation: Hype or Next Gen Security?
A Closer Look at Isolation: Hype or Next Gen Security?
 
Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015Cyber Security Workshop @SPIT- 3rd October 2015
Cyber Security Workshop @SPIT- 3rd October 2015
 
Research Paper
Research PaperResearch Paper
Research Paper
 
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
30ITSecurityThreatsVulnerabilitiesandCountermeasuresV1.ppt
 
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure WebsiteJoomla Security Simplified —  Seven Easy Steps For a More Secure Website
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
 
Security Testing
Security TestingSecurity Testing
Security Testing
 

More from Abdul Rahman Sherzad

Data is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
Data is the Fuel of Organizations: Opportunities and Challenges in AfghanistanData is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
Data is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
Abdul Rahman Sherzad
 
PHP Unicode Input Validation Snippets
PHP Unicode Input Validation SnippetsPHP Unicode Input Validation Snippets
PHP Unicode Input Validation Snippets
Abdul Rahman Sherzad
 
Iterations and Recursions
Iterations and RecursionsIterations and Recursions
Iterations and Recursions
Abdul Rahman Sherzad
 
Sorting Alpha Numeric Data in MySQL
Sorting Alpha Numeric Data in MySQLSorting Alpha Numeric Data in MySQL
Sorting Alpha Numeric Data in MySQL
Abdul Rahman Sherzad
 
PHP Variable variables Examples
PHP Variable variables ExamplesPHP Variable variables Examples
PHP Variable variables Examples
Abdul Rahman Sherzad
 
Cross Join Example and Applications
Cross Join Example and ApplicationsCross Join Example and Applications
Cross Join Example and Applications
Abdul Rahman Sherzad
 
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
Abdul Rahman Sherzad
 
Database Automation with MySQL Triggers and Event Schedulers
Database Automation with MySQL Triggers and Event SchedulersDatabase Automation with MySQL Triggers and Event Schedulers
Database Automation with MySQL Triggers and Event Schedulers
Abdul Rahman Sherzad
 
Mobile Score Notification System
Mobile Score Notification SystemMobile Score Notification System
Mobile Score Notification System
Abdul Rahman Sherzad
 
Herat Innovation Lab 2015
Herat Innovation Lab 2015Herat Innovation Lab 2015
Herat Innovation Lab 2015
Abdul Rahman Sherzad
 
Evaluation of Existing Web Structure of Afghan Universities
Evaluation of Existing Web Structure of Afghan UniversitiesEvaluation of Existing Web Structure of Afghan Universities
Evaluation of Existing Web Structure of Afghan Universities
Abdul Rahman Sherzad
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail Explanation
Abdul Rahman Sherzad
 
Java Applet and Graphics
Java Applet and GraphicsJava Applet and Graphics
Java Applet and Graphics
Abdul Rahman Sherzad
 
Fundamentals of Database Systems Questions and Answers
Fundamentals of Database Systems Questions and AnswersFundamentals of Database Systems Questions and Answers
Fundamentals of Database Systems Questions and Answers
Abdul Rahman Sherzad
 
Everything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsEverything about Database JOINS and Relationships
Everything about Database JOINS and Relationships
Abdul Rahman Sherzad
 
Create Splash Screen with Java Step by Step
Create Splash Screen with Java Step by StepCreate Splash Screen with Java Step by Step
Create Splash Screen with Java Step by Step
Abdul Rahman Sherzad
 
Fal-e-Hafez (Omens of Hafez) Cards in Persian using Java
Fal-e-Hafez (Omens of Hafez) Cards in Persian using JavaFal-e-Hafez (Omens of Hafez) Cards in Persian using Java
Fal-e-Hafez (Omens of Hafez) Cards in Persian using Java
Abdul Rahman Sherzad
 
Web Design and Development Life Cycle and Technologies
Web Design and Development Life Cycle and TechnologiesWeb Design and Development Life Cycle and Technologies
Web Design and Development Life Cycle and Technologies
Abdul Rahman Sherzad
 
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton ClassesJava Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
Abdul Rahman Sherzad
 
Java Unicode with Live GUI Examples
Java Unicode with Live GUI ExamplesJava Unicode with Live GUI Examples
Java Unicode with Live GUI Examples
Abdul Rahman Sherzad
 

More from Abdul Rahman Sherzad (20)

Data is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
Data is the Fuel of Organizations: Opportunities and Challenges in AfghanistanData is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
Data is the Fuel of Organizations: Opportunities and Challenges in Afghanistan
 
PHP Unicode Input Validation Snippets
PHP Unicode Input Validation SnippetsPHP Unicode Input Validation Snippets
PHP Unicode Input Validation Snippets
 
Iterations and Recursions
Iterations and RecursionsIterations and Recursions
Iterations and Recursions
 
Sorting Alpha Numeric Data in MySQL
Sorting Alpha Numeric Data in MySQLSorting Alpha Numeric Data in MySQL
Sorting Alpha Numeric Data in MySQL
 
PHP Variable variables Examples
PHP Variable variables ExamplesPHP Variable variables Examples
PHP Variable variables Examples
 
Cross Join Example and Applications
Cross Join Example and ApplicationsCross Join Example and Applications
Cross Join Example and Applications
 
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
Applicability of Educational Data Mining in Afghanistan: Opportunities and Ch...
 
Database Automation with MySQL Triggers and Event Schedulers
Database Automation with MySQL Triggers and Event SchedulersDatabase Automation with MySQL Triggers and Event Schedulers
Database Automation with MySQL Triggers and Event Schedulers
 
Mobile Score Notification System
Mobile Score Notification SystemMobile Score Notification System
Mobile Score Notification System
 
Herat Innovation Lab 2015
Herat Innovation Lab 2015Herat Innovation Lab 2015
Herat Innovation Lab 2015
 
Evaluation of Existing Web Structure of Afghan Universities
Evaluation of Existing Web Structure of Afghan UniversitiesEvaluation of Existing Web Structure of Afghan Universities
Evaluation of Existing Web Structure of Afghan Universities
 
PHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail ExplanationPHP Basic and Fundamental Questions and Answers with Detail Explanation
PHP Basic and Fundamental Questions and Answers with Detail Explanation
 
Java Applet and Graphics
Java Applet and GraphicsJava Applet and Graphics
Java Applet and Graphics
 
Fundamentals of Database Systems Questions and Answers
Fundamentals of Database Systems Questions and AnswersFundamentals of Database Systems Questions and Answers
Fundamentals of Database Systems Questions and Answers
 
Everything about Database JOINS and Relationships
Everything about Database JOINS and RelationshipsEverything about Database JOINS and Relationships
Everything about Database JOINS and Relationships
 
Create Splash Screen with Java Step by Step
Create Splash Screen with Java Step by StepCreate Splash Screen with Java Step by Step
Create Splash Screen with Java Step by Step
 
Fal-e-Hafez (Omens of Hafez) Cards in Persian using Java
Fal-e-Hafez (Omens of Hafez) Cards in Persian using JavaFal-e-Hafez (Omens of Hafez) Cards in Persian using Java
Fal-e-Hafez (Omens of Hafez) Cards in Persian using Java
 
Web Design and Development Life Cycle and Technologies
Web Design and Development Life Cycle and TechnologiesWeb Design and Development Life Cycle and Technologies
Web Design and Development Life Cycle and Technologies
 
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton ClassesJava Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
Java Virtual Keyboard Using Robot, Toolkit and JToggleButton Classes
 
Java Unicode with Live GUI Examples
Java Unicode with Live GUI ExamplesJava Unicode with Live GUI Examples
Java Unicode with Live GUI Examples
 

Recently uploaded

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
Matjaž Lipuš
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
OECD Directorate for Financial and Enterprise Affairs
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
khadija278284
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
Howard Spence
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
Sebastiano Panichella
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
Vladimir Samoylov
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
Access Innovations, Inc.
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Sebastiano Panichella
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
OWASP Beja
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Orkestra
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Sebastiano Panichella
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
IP ServerOne
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
Faculty of Medicine And Health Sciences
 

Recently uploaded (13)

Bitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXOBitcoin Lightning wallet and tic-tac-toe game XOXO
Bitcoin Lightning wallet and tic-tac-toe game XOXO
 
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
Competition and Regulation in Professional Services – KLEINER – June 2024 OEC...
 
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdfBonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
Bonzo subscription_hjjjjjjjj5hhhhhhh_2024.pdf
 
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptxsomanykidsbutsofewfathers-140705000023-phpapp02.pptx
somanykidsbutsofewfathers-140705000023-phpapp02.pptx
 
International Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software TestingInternational Workshop on Artificial Intelligence in Software Testing
International Workshop on Artificial Intelligence in Software Testing
 
Getting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control TowerGetting started with Amazon Bedrock Studio and Control Tower
Getting started with Amazon Bedrock Studio and Control Tower
 
Eureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 PresentationEureka, I found it! - Special Libraries Association 2021 Presentation
Eureka, I found it! - Special Libraries Association 2021 Presentation
 
Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...Announcement of 18th IEEE International Conference on Software Testing, Verif...
Announcement of 18th IEEE International Conference on Software Testing, Verif...
 
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers0x01 - Newton's Third Law: Static vs. Dynamic Abusers
0x01 - Newton's Third Law: Static vs. Dynamic Abusers
 
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
Sharpen existing tools or get a new toolbox? Contemporary cluster initiatives...
 
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...Doctoral Symposium at the 17th IEEE International Conference on Software Test...
Doctoral Symposium at the 17th IEEE International Conference on Software Test...
 
Acorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutesAcorn Recovery: Restore IT infra within minutes
Acorn Recovery: Restore IT infra within minutes
 
Obesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditionsObesity causes and management and associated medical conditions
Obesity causes and management and associated medical conditions
 

Web Application Security and Awareness

  • 1. Web Application Security and Awareness Abdul Rahman, Sherzad Lecturer at Computer Science Faculty of Herat University, Afghanistan, and Ph.D. Student at Technical University of Berlin, Germany December 19, 2016 12th IT Conference for Higher Education in Afghanistan January 05, 2017 Hariwa Institute of Higher Education, Herat, Afghanistan
  • 2. 2 Major problems were only caused by a collection of smaller factors, and only a reverse similar behavior is needed to resolve the given situation (Sherzad).
  • 3. Goal and Objectives Build security awareness for web applications Get to know attack methods Learn ways to discover security vulnerabilities Learn the basics of secure web development 3
  • 6. Security Threats ■ The majority of web application attacks occur through – Cross Site Scripting (XSS) – SQL Injection ■ The majority of web application vulnerabilities arise from – Weak coding, – Failure to properly validate input, – Failure to sanitize output. 6[2] [3] [4]
  • 7. 2010 Web Applications Weakness 7[2][3][4]
  • 8. User Input • Attacker can easily change any part of the HTTP request before submitting – Cookies – Form fields – Hidden fields – URL – Headers • The ultimate solution: Input must be validated on the SERVER! – Not just on the CLIENT! 8[5]
  • 9. Client-side - Demo Link ■ Client-side Validation (Can be disabled by client) – HTML5 – JavaScript ■ Input Fields (Can be Modified by client) – Hidden Fields – Dropdown ■ Cookies (Can be Changed by client) 9
  • 10. Phishing – Demo Link ■ Hackers use E-MAIL / Instant Message to fish or steal user's personal and financial information – User ID / Password – Credit Card Number – PIN ■ In a typical phishing attack a user will receive an e-mail message impersonated to be sent from a bank or other e-commerce enterprise. ■ 1% - 20% users respond to such attacks. ■ In Afghanistan it is very common and practical!!! 10[6] [7]
  • 11. Phishing Ultimate Solutions ■ Policy guidelines ■ Training the end users ■ User awareness – Carefully check the suspicious links! – Do not click the E-MAIL asking sensitive data! – Do not Trust TinyURL links! – Do not Enter CREDIT CARD or Sensitive Data if the website doesn't start with https:// 11[6] [7]
  • 12. Cross-site Scripting (XSS) ■ XSS, a security exploit in which the attacker inserts malicious client-side code into webpages. ■ It has been around since the 1990s. ■ Most major websites like Google, Yahoo and Facebook have all been affected by cross-site scripting flaws at some point. ■ Attacks exploiting XSS vulnerabilities can steal data, take control of a user's session, run malicious code, or be used as part of a phishing scam. – Reflected - Demo Link – Persistent – Basic Demo Link || Steal Cookie Demo Link 12[8] [9] [10]
  • 13. Preventing XSS Attacks ■ Filtering ■ Input Validation / Output Sanitization ■ Select a safer browser ■ Use a virtual machine for suspicious links ■ Pay more attention to shortened URLs ■ Use plugins for better security (like NoScript). 13[8] [9] [10]
  • 14. SQL Injection ■ SQL Injection is a technique where malicious users can inject SQL commands into an SQL statement through – URLs – Input Parameters – Others e.g. Cookie, HTTP Headers ■ SQL injection is a very old approach but it is still popular among attackers. 14[11] [12]
  • 15. Possible Threats ■ Unauthorized access to application – User login without knowing the login nor the password ■ Access to whole database / databases on the server – Attacker can delete, modify or even worse, steal the data ■ Read / write files on server's file system ■ Code execution 15[11] [12]
  • 16. SQL Injection - Demo Link ■ Login without knowing the username and the password – anything' OR TRUE; -- ■ Modify and steal the data – anything' OR 1; UPDATE users SET email = 'evil@evitsite.com' WHERE email = 'absherzad@gmail.com';-- ■ Delete data and even drop the tables – anything' OR 1; DROP TABLE users; -- 16
  • 18. Conclusion - Core Security Principles ■ Use least privilege ■ Do not trust user input ■ Apply defense in depth ■ Fail securely and friendly ■ Turn off un-needed services ■ Keep systems patched ■ Watch for logic holes ■ Hide sensitive information – Encryption – Access controls 18[15] [16]
  • 19. 19 Works Cited 1 The Australian High Tech Crime Center. (2005). Hacking Motives. Australia: Australian High Tech Crime Center. 2 The Ocenzic. (2014). Application Vulnerability Trends Report. Ocenzic. 3 The Open Web Application Security Project. (2013, June 12). OWASP Top Ten Project. Retrieved from OWASP: https://www.owasp.org/index.php/Top10#OWASP_Top_10_for_2013 4 The Web Application Security Consortium. (2011). Web-Hacking-Incident-Database. Retrieved from WASP: http://projects.webappsec.org/w/page/13246995/Web- Hacking-Incident-Database 5 The Open Web Application Security Project. (2010, April 22). Unvalidated Input. Retrieved from OWASP: https://www.owasp.org/index.php/Unvalidated_Input 6 The Open Web Application Security Project. (2009, April 14). Phishing. Retrieved from OWASP: https://www.owasp.org/index.php/Phishing 7 Steinberg, J. (2014, August 25). Why You Are At Risk Of Phishing Attacks. Retrieved from Forbes: http://www.forbes.com/sites/josephsteinberg/2014/08/25/why-you- are-at-risk-of-phishing-attacks-and-why-jp-morgan-chase-customers-were-targeted-this-week/ 8 The Open Web Application Security Project. (2014, April 22). Cross-site Scripting (XSS). Retrieved from OWASP: https://www.owasp.org/index.php/Cross- site_Scripting_(XSS) 9 Abela, R. (2013, June 5). The Dangerous Complexity of Web Application Security. Retrieved from NetSparker: https://www.netsparker.com/blog/web-security/dangerous- complexity-of-web-application-security/ 10 Abela, R. (2013, May 22). Web Application Security Misconception; Are All Vulnerabilities Equally Dangerous? Retrieved from Netsparker: https://www.netsparker.com/blog/web-security/web-application-security-misconceptions-vulnerabilities/ 11 The Open Web Application Security Project. (2014, August 14). SQL Injection. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection 12 Abela, R. (2013, May 28). South African Police Web Application for Whistleblowers Hacked via SQL Injection. Retrieved from Netsparker: https://www.netsparker.com/blog/news/south-african-police-whistleblowers-hacked-sql-injection/ 13 The Open Web Application Security Project. (2014, June 7). SQL Injection Prevention Cheat Sheet. Retrieved from OWASP: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet 14 Litwin, P. (2004, September). Stop SQL Injection Attacks Before They Stop You. Retrieved from MSDN: https://msdn.microsoft.com/en-us/magazine/cc163917.aspx 15 Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving Web Application Security: Threats and Countermeasures. Microsoft. 16 Bollefer, T., Chander, G., Johansson, J., Kass, M., & Olson, E. (2002). Building and Configuring More Secure Web Sites. Microsoft.
  • 20. 20