Web Security
By
Ansam Osama Abdul-Majeed
Muna Jaffer Sedeeq
Overview Of Web Security
Web (WWW or world wide web)
Web Server
Web Browsers
Web Security
Definitions

Web
The world wide web (WWW) is an interconnection of networks of computer systems that provides information and services to users of the web.

Web Servers
Computer systems in this interconnection of networks that provide services and information to other computer systems are called web servers.

Web Browsers
Computer systems (in practice, the client programs running on them) that request services and information are called web browsers.

Web Security
Web security is the set of procedures, practices, and technologies for protecting web servers, web browsers, and the organizations around them.
Web Security
From the users' perspective
Legitimate: the server belongs to the organization it claims to represent
Safe: the content it serves will not harm the user's computer or data
Private: the user's requests and personal information are not disclosed to third parties

From the server's perspective
Legitimate: the user is who he or she claims to be
Responsible: the user will not try to break into the server, reach content he or she is not entitled to, or make the server unavailable to others

From the perspective of both the server and the user
They expect their communications to be free from eavesdropping and reliable, in the sense that their transmissions will not be modified by a third party.
Web Site Attacks (Threats)

I. Attacks on Web Site Information

A. Integrity of Information Attacks
1. Threats
a. Modification of user data
b. Modification of message traffic in transit
2. Consequences
a. Loss of information
b. Vulnerability to all other threats (an attacker who can alter stored data or traffic can also defeat the confidentiality and authentication controls built on them)
3. Countermeasures
- cryptographic checksums: a keyed MAC or a digital signature over the data. An unkeyed checksum such as a CRC does not help, because whoever modifies the message can simply recompute it.

B. Confidentiality of Information Attacks
1. Threats
a. Eavesdropping on the network
b. Theft of information from the server
c. Theft of data from the client
d. Information about the network configuration
e. Information about which client talks to which server
2. Consequences
a. Loss of information
b. Loss of privacy
3. Countermeasures
a. Encryption (TLS for traffic in transit, encryption of data at rest)
b. Web proxies (hide which client is talking to which server)

II. Attacks on Web Site Accessibility

A. Denial of Service Attacks
1. Threats
a. Flooding the machine with bogus requests
b. Isolating the machine by attacking DNS
2. Consequences
a. Disruptive
b. Annoying
c. Prevents users from getting work done
3. Countermeasures
- difficult to prevent

B. Authentication Attacks
1. Threats
a. Impersonation of a legitimate user
b. Data forgery
2. Consequences
a. Misrepresentation of the user
b. Belief that false information is valid
3. Countermeasures
- cryptographic techniques (strong authentication of users, and MACs or signatures that bind data to its origin)
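The integrity countermeasure above says "cryptographic checksums". The following added example (written for this page, not taken from the slides) shows why the word "cryptographic" matters: an attacker who can modify message traffic in transit defeats an unkeyed CRC-32 by recomputing it, but cannot forge an HMAC-SHA256 tag without the shared key. The sample request bytes and the shared key are constructed for the example.

```python
import hashlib
import hmac
import zlib

# Constructed sample traffic for this example: a request the client sends, and the
# version an attacker on the path would like the server to accept instead.
ORIGINAL = b"POST /transfer amount=100&to=alice"
TAMPERED = b"POST /transfer amount=100&to=mallory"

# Assumed shared secret between client and server (not from the slides).
SHARED_KEY = b"example-shared-key"


def crc_protect(message: bytes) -> bytes:
    """Weak option: append an unkeyed CRC-32 over the message."""
    return message + zlib.crc32(message).to_bytes(4, "big")


def crc_verify(framed: bytes) -> bool:
    message, tag = framed[:-4], framed[-4:]
    return zlib.crc32(message).to_bytes(4, "big") == tag


def hmac_protect(message: bytes, key: bytes) -> bytes:
    """Cryptographic checksum: append an HMAC-SHA256 tag that requires the key to produce."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def hmac_verify(framed: bytes, key: bytes) -> bool:
    message, tag = framed[:-32], framed[-32:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)  # constant-time compare


def mitm_against_crc(new_message: bytes) -> bytes:
    """An attacker modifying traffic in transit simply recomputes the unkeyed checksum."""
    return crc_protect(new_message)


def mitm_against_hmac(framed: bytes, new_message: bytes) -> bytes:
    """Without the key, the best the attacker can do is reuse the old tag."""
    return new_message + framed[-32:]


def demo() -> dict:
    crc_attacked = mitm_against_crc(TAMPERED)
    mac_framed = hmac_protect(ORIGINAL, SHARED_KEY)
    mac_attacked = mitm_against_hmac(mac_framed, TAMPERED)
    return {
        "crc_accepts_tampered": crc_verify(crc_attacked),                # True
        "hmac_accepts_original": hmac_verify(mac_framed, SHARED_KEY),    # True
        "hmac_accepts_tampered": hmac_verify(mac_attacked, SHARED_KEY),  # False
    }


if __name__ == "__main__":
    print(demo())
```

The verify function compares tags with `hmac.compare_digest` rather than `==` so that the comparison time does not leak how many leading bytes of a forged tag were correct. In practice this protection is supplied by TLS, which authenticates every record with a MAC or an AEAD cipher; the example makes the mechanism visible.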
Some Classes of Attacks on the Web

1. Attacks on Authentication
Attacks used to circumvent or exploit the authentication process of a web site.
Brute Force Attack
Automated process of trial and error used to guess a
person's username, password, credit-card number or
cryptographic key
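An added example (not from the slides) of the trial-and-error loop described above, run against a small credential store that keeps salted PBKDF2 hashes and locks an account after a few consecutive failures. The user store, the wordlist, the iteration count and the lockout threshold are all constructed assumptions for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumed server-side cost parameter
MAX_FAILURES = 5              # assumed lockout threshold

# Constructed wordlist an attacker might try first (not from the slides).
WORDLIST = ["123456", "password", "qwerty", "letmein", "admin", "welcome", "summer2024", "dragon"]


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    """Toy credential store: salted PBKDF2 hashes plus a per-account failure counter."""

    def __init__(self):
        self._users = {}      # username -> (salt, hash)
        self._failures = {}   # username -> consecutive failed logins

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad' or 'locked'."""
        if username not in self._users:
            # Burn the same cost for unknown users so timing does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return "bad"
        if self._failures.get(username, 0) >= MAX_FAILURES:
            return "locked"       # refuse before doing any password work
        salt, stored = self._users[username]
        if hmac.compare_digest(hash_password(password, salt), stored):
            self._failures[username] = 0
            return "ok"
        self._failures[username] = self._failures.get(username, 0) + 1
        return "bad"


def dictionary_attack(store: UserStore, username: str, wordlist):
    """Attacker loop: try each guess in order. Returns (password_or_None, attempts, outcome)."""
    for attempts, guess in enumerate(wordlist, start=1):
        result = store.login(username, guess)
        if result == "ok":
            return guess, attempts, "cracked"
        if result == "locked":
            return None, attempts, "locked"
    return None, len(wordlist), "exhausted"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "qwerty")
    store.add_user("bob", "summer2024")
    print(dictionary_attack(store, "alice", WORDLIST))   # cracked on the 3rd guess
    print(dictionary_attack(store, "bob", WORDLIST))     # locked before the 7th guess
```

Two points worth noticing: the slow hash makes each guess expensive for the attacker as well as the server, and the lockout stops an online attack after a handful of tries, but a lockout is itself a denial-of-service lever (anyone can lock out a user by guessing wrong five times), so real deployments pair it with rate limiting by source and with a second factor rather than relying on it alone.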
Insufficient Authentication
Occurs when a web site permits an attacker to access
sensitive content or functionality without having to
properly authenticate.
Weak Password Recovery Validation
Occurs when a web site permits an attacker to illegally obtain, change or recover another user's password through the password-recovery function.
2. Attacks on Authorization
Attacks that target a web site's method of determining whether a user, service, or application has the necessary permissions to perform a requested action.
Credential/Session Prediction
A method of hijacking or impersonating a web site user by guessing the unique value that identifies a particular session or user.
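An added example (not from the slides) of the guessing attack just described: a session issuer that hands out sequential identifiers is predictable from a single observed value, while one that draws 256 bits from the operating system's CSPRNG is not. The two issuers, the attacker's guessing heuristic and the crude entropy estimate are all constructed for this example; commercial testing tools do a far more thorough statistical analysis of token samples.

```python
import math
import secrets
from itertools import count
from typing import Optional


class PredictableSessions:
    """Weak issuer (constructed for this example): a sequential counter behind a fixed prefix."""

    def __init__(self, start: int = 1000):
        self._counter = count(start)

    def new_session(self) -> str:
        return f"SESS{next(self._counter):08d}"


class RandomSessions:
    """Issuer using the OS CSPRNG: 32 random bytes, base64url encoded (43 characters)."""

    def new_session(self) -> str:
        return secrets.token_urlsafe(32)


def guess_next(observed: str) -> Optional[str]:
    """Attacker heuristic: if the ID ends in a run of digits, try that number plus one."""
    digits = ""
    for ch in reversed(observed):
        if not ch.isdigit():
            break
        digits = ch + digits
    if not digits:
        return None
    prefix = observed[: len(observed) - len(digits)]
    return prefix + str(int(digits) + 1).zfill(len(digits))


def prediction_attack(issuer, probes: int = 3) -> bool:
    """Attacker obtains a few sessions of their own, then predicts the next one issued."""
    observed = ""
    for _ in range(probes):
        observed = issuer.new_session()
    victim = issuer.new_session()   # the next session the server hands out to someone else
    return guess_next(observed) == victim


def estimate_bits(sample_ids) -> float:
    """Crude upper bound on the randomness in a sample: sum over character positions of
    log2(distinct characters seen at that position). Fixed prefixes contribute 0 bits."""
    length = min(len(s) for s in sample_ids)
    return sum(math.log2(len({s[pos] for s in sample_ids})) for pos in range(length))


if __name__ == "__main__":
    print("sequential predicted:", prediction_attack(PredictableSessions()))   # True
    print("random predicted:", prediction_attack(RandomSessions()))            # False
    print("bits (sequential):", round(estimate_bits([PredictableSessions().new_session() for _ in range(20)]), 1))
    strong = RandomSessions()
    print("bits (random):", round(estimate_bits([strong.new_session() for _ in range(20)]), 1))
```

The estimate is deliberately crude (it only says how much variation a sample shows, not whether the generator is secure), but it is enough to catch the common failure modes: counters, timestamps and short tokens. The defence is simply to let the platform's session framework generate identifiers from a CSPRNG and never to derive them from user data, time or a counter.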
Insufficient Authorization
Occurs when a web site permits access to sensitive
content or functionality that should require increased
access control restrictions.
3. Client-side Attacks
These attacks focus on the abuse or exploitation of a web site's users rather than of the server itself.
Content Spoofing
An attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source.
Example: a page loads a frame from a URL taken directly from a query parameter:
http://foo.example/page?frame_src=http://foo.example/file.html
An attacker may be able to replace the "frame_src" parameter value with
frame_src=http://attacker.example/spoof.html
and send the resulting link to a victim. The browser's location bar still shows the domain the user expects (foo.example), while the framed content is served by attacker.example.
Cross-Site Scripting
An attack technique that forces a web site to echo attacker-supplied executable code, which then loads and runs in a user's browser within the site's origin.
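Both client-side attacks above come down to the server passing untrusted input into the page without checking it. The following added example (written for this page, not code from the slides) shows the two server-side checks a practitioner would want: an allowlist for the frame_src parameter from the content-spoofing example, which only accepts same-origin targets, and output escaping for a reflected parameter so that a script in the input cannot execute. The expected host, the search-page template and the test inputs are assumptions for the example.

```python
import html
from typing import Optional
from urllib.parse import urlparse

EXPECTED_HOST = "foo.example"   # the host the page is served from (from the slide's example)


def safe_frame_src(value: str, expected_host: str = EXPECTED_HOST) -> Optional[str]:
    """Allow only frame sources on our own origin; return None for anything else."""
    parts = urlparse(value)
    if parts.scheme == "" and parts.netloc == "":
        # A plain path on our own site is fine; "//host/..." has a netloc and never gets here.
        return value if value.startswith("/") else None
    if parts.scheme not in ("http", "https"):
        return None   # rejects javascript:, data:, and scheme-relative "//attacker.example/..."
    if parts.hostname != expected_host:
        return None   # rejects attacker.example, user@attacker.example, foo.example.attacker.example
    return value


def render_search_vulnerable(query: str) -> str:
    """Reflected XSS: the parameter is echoed into HTML unchanged."""
    return f"<p>Results for {query}</p>"


def render_search_safe(query: str) -> str:
    """Escape <, >, &, and both quote characters so the input is only ever text."""
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


if __name__ == "__main__":
    for candidate in ("http://foo.example/file.html", "/file.html",
                      "http://attacker.example/spoof.html", "//attacker.example/spoof.html",
                      "http://foo.example@attacker.example/", "javascript:alert(1)"):
        print(f"{candidate!r:45} -> {safe_frame_src(candidate)}")
    payload = "<script>alert(document.cookie)</script>"
    print(render_search_vulnerable(payload))
    print(render_search_safe(payload))
```

The allowlist compares the parsed hostname rather than searching the string for "foo.example", which is what lets it reject the userinfo trick (foo.example@attacker.example) and lookalike subdomains. Escaping is context dependent: `html.escape` is correct for text and quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoding, and a Content-Security-Policy header limits the damage when an escape is missed.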
4. Command Execution
Covers attacks designed to execute remote commands on the web site. All web sites utilize user-supplied input to fulfill requests; these attacks supply input that an interpreter on the server (a database engine, the shell, the server's include processor) ends up executing as code instead of treating as data.
SQL Injection
An attack technique used to exploit web sites that construct SQL statements from user-supplied input.
Executing the following request to a web site (the "+" characters are URL-encoded spaces):
http://example/article.asp?ID=2+and+1=1
should return the same web page as:
http://example/article.asp?ID=2
because the appended condition 'and 1=1' is always true. Executing the following request:
http://example/article.asp?ID=2+and+1=0
should return a different web page (or no article at all), because 'and 1=0' is always false. A response that differs between the two cases shows that the ID parameter is being placed unmodified into the SQL statement, which is the signal an attacker looks for before building a more damaging payload.
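An added example (not from the slides) that reproduces the article.asp test above against an in-memory SQLite table: the vulnerable lookup pastes the ID parameter into the SQL text, so "2 and 1=1" and "2 and 1=0" give different answers, while the parameterised lookup sends the value separately and the same probes return nothing. The table, its rows and the `boolean_probe` helper are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the site's article table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "First post"), (2, "Second post"), (3, "Third post")])
    return conn


def article_vulnerable(conn: sqlite3.Connection, id_param: str):
    """Mirrors article.asp?ID=...: the raw parameter becomes part of the SQL text."""
    sql = "SELECT title FROM articles WHERE id = " + id_param
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def article_safe(conn: sqlite3.Connection, id_param: str):
    """Parameterised query: the driver binds the value; it is never parsed as SQL.
    SQLite applies the column's INTEGER affinity, so "2" still matches row 2 while
    "2 and 1=1" is just a string that matches nothing."""
    row = conn.execute("SELECT title FROM articles WHERE id = ?", (id_param,)).fetchone()
    return row[0] if row else None


def boolean_probe(fetch, base: str = "2") -> bool:
    """The slide's test: same page for 'and 1=1' and a different one for 'and 1=0'
    means the parameter reaches the SQL statement unmodified."""
    baseline = fetch(base)
    true_case = fetch(base + " and 1=1")
    false_case = fetch(base + " and 1=0")
    return baseline is not None and true_case == baseline and false_case != baseline


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable injectable:", boolean_probe(lambda p: article_vulnerable(conn, p)))  # True
    print("safe injectable:", boolean_probe(lambda p: article_safe(conn, p)))              # False
    # Once confirmed, the attacker moves past true/false probes; "0 or 1=1" already
    # returns a row the user never asked for.
    print(article_vulnerable(conn, "0 or 1=1"))   # First post
```

Parameterisation is the fix, not input filtering: the safe version needs no list of forbidden words because the database never sees the parameter as SQL. Validating that ID is an integer before the query is still worth doing, since it rejects garbage early and gives a clean error instead of an empty page.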
SSI Injection
SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application, which the web server then executes locally when it processes the page's include directives.
Thanks

web _security_ for _confedindality s.ppt
