Badam Niazi, profile picture
Uploaded byBadam Niazi
PPTX, PDF13 views

Web_Application_Attacks_Beginner_EN.pptx

xyz

Embed presentation

Download to read offline
Web Application Attacks (Beginner Level) Instructor: __________ | Duration: 45–60 minutes
Objectives • Understand what web attacks are and why they happen. • Identify safe tools and an intentionally vulnerable lab for practice. • Learn foundational prevention principles.
What are Web Application Attacks? • A web app communicates between a browser and a server. • Attackers try to: • • Send malicious input → Injection (e.g., SQLi) • • Access another user’s data → Broken Access Control / IDOR • • Execute code in the browser → Cross Site ‑ Scripting (XSS) • • Abuse login/session weaknesses → Auth/Session flaws
Why use tools? • To find, observe, and fix weaknesses. • Practice only in safe labs (intentionally vulnerable apps).
Burp Suite (PortSwigger) • Interception proxy between your browser and the server. • See/modify/resend requests (Proxy, Repeater). • Intruder/Scanner available in Pro; Community is sufficient for learning.
Nikto • Fast web server scanner. • Finds dangerous default files/paths, outdated versions, simple misconfigurations. • Human validation required for results.
WebGoat (OWASP) • Intentionally vulnerable educational web app. • Practice attacks safely and learn defenses. • Sample lessons: SQL Injection, XSS, Access Control, Sessions.
Legacy Tools (WebScarab, Paros) • Older Java proxy tools historically used in training. • Modern replacements: Burp Suite (primary) or OWASP ZAP (free alternative).
Safe Lab – Quick Start • 1) Start WebGoat (Docker): • docker run -p 8080:8080 -p 9090:9090 --rm webgoat/goatandwolf • Then open: http://localhost:8080/WebGoat • 2) Install/Configure Burp Suite Community: • Set browser proxy to 127.0.0.1:8080 and trust Burp’s CA (HTTPS). • 3) Simple exercise: Submit a form, observe in Proxy; tweak a parameter in Repeater.
Three Common Attacks — Simple View • Injection (SQLi): Untrusted input alters a database query. • Prevention: Parameterized Queries / Prepared Statements. • XSS: Untrusted input runs as script in the user’s browser. • Prevention: Output Encoding + Content Security Policy (CSP). ‑ ‑ • Broken Access Control / IDOR: User can view/modify another user’s data.
Session/Login Basics • Strong password policy + MFA. • Secure cookies: HttpOnly, Secure, SameSite. • Rate limiting/lockout; session rotation on privilege change.
Configuration & Updates • Disable debug in production. • Enable security headers: HSTS, CSP, X Frame Options, X Content Type Options, ‑ ‑ ‑ ‑ ‑ Referrer Policy. ‑ • Keep dependencies up to date.
Beginner Checklist • ☑ Validate/sanitize input + Parameterized Queries. • ☑ Output Encoding + CSP. • ☑ Server side access control. ‑ • ☑ Secure sessions/cookies. • ☑ Debug off + security headers. • ☑ Updated dependencies + basic logging/alerts.
Legal/Ethical Note • Only test systems you own, have permission to test, or intentionally vulnerable labs (WebGoat/DVWA/Juice Shop). • Do not scan real websites without consent.
Homework/Practice • Complete the first SQLi lesson in WebGoat. • In Burp, save one request/response and write a brief prevention note. • Add security headers to your small project.

More Related Content

PPTX
Solving Labs for Vulnerabilities: Login Bypass & SQL Injection Exploits
byBoston Institute of Analytics
 
PPTX
Your Web Application Is Most Likely Insecure
byAchievers Tech
 
PDF
Getting Inside Common Web Security Threats
byAndy Longshaw
 
PPTX
Web Hacking With Burp Suite 101
byZack Meyers
 
DOCX
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byMatthewTennant613
 
DOCX
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byAnastaciaShadelb
 
DOCX
15.3 student guide web application tool time overviewtodays c
byUMAR48665
 
PPT
Pentesting Using Burp Suite
byjasonhaddix
 
Solving Labs for Vulnerabilities: Login Bypass & SQL Injection Exploits
byBoston Institute of Analytics
 
Your Web Application Is Most Likely Insecure
byAchievers Tech
 
Getting Inside Common Web Security Threats
byAndy Longshaw
 
Web Hacking With Burp Suite 101
byZack Meyers
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byMatthewTennant613
 
15.3 Student Guide Web Application Tool TimeOverviewTodays c
byAnastaciaShadelb
 
15.3 student guide web application tool time overviewtodays c
byUMAR48665
 
Pentesting Using Burp Suite
byjasonhaddix
 

Similar to Web_Application_Attacks_Beginner_EN.pptx

PPTX
Web Security: Working with burpe suite for beginners
byYour Study_Buddy
 
PDF
BSides Lisbon 2013 - All your sites belong to Burp
byTiago Mendo
 
PPTX
Security Testing Training With Examples
byAlwin Thayyil
 
PDF
Noinject
byJustin Swanhart
 
PDF
Web application security - Course overview
bySatish b
 
PPTX
Burp Suite With CSRF Demo presentarion.pptx
bybeboorabi7
 
PPTX
Vulnerabilities in modern web applications
byNiyas Nazar
 
PDF
Web application penetration testing lab setup guide
bySudhanshu Chauhan
 
PPTX
Infosec girls training-hackcummins-college-jan-2020(v0.1)
byShrutirupa Banerjiee
 
PDF
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
byIRJET Journal
 
PPTX
Simple web security
by裕夫 傅
 
PPTX
OWASP San Diego Training Presentation
byowaspsd
 
PPTX
Burp_Suite_Presentation_professional.pptx
byttemp7800
 
PPTX
Burp Suite is a powerful and widely-used tool
bywaudit1
 
PDF
Don't Do what Derpy the Dreadful Dev Does
byLiam O'Saurus
 
PDF
Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
PPTX
Burp Suite Starter
byFadi Abdulwahab
 
PDF
Burp suite
byYashar Shahinzadeh
 
PDF
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
PPTX
Attacking Web Applications
bySasha Goldshtein
 
Web Security: Working with burpe suite for beginners
byYour Study_Buddy
 
BSides Lisbon 2013 - All your sites belong to Burp
byTiago Mendo
 
Security Testing Training With Examples
byAlwin Thayyil
 
Noinject
byJustin Swanhart
 
Web application security - Course overview
bySatish b
 
Burp Suite With CSRF Demo presentarion.pptx
bybeboorabi7
 
Vulnerabilities in modern web applications
byNiyas Nazar
 
Web application penetration testing lab setup guide
bySudhanshu Chauhan
 
Infosec girls training-hackcummins-college-jan-2020(v0.1)
byShrutirupa Banerjiee
 
IRJET- Bug Hunting using Web Application Penetration Testing Techniques.
byIRJET Journal
 
Simple web security
by裕夫 傅
 
OWASP San Diego Training Presentation
byowaspsd
 
Burp_Suite_Presentation_professional.pptx
byttemp7800
 
Burp Suite is a powerful and widely-used tool
bywaudit1
 
Don't Do what Derpy the Dreadful Dev Does
byLiam O'Saurus
 
Ch 5: Bypassing Client-Side Controls
bySam Bowne
 
Burp Suite Starter
byFadi Abdulwahab
 
Burp suite
byYashar Shahinzadeh
 
Lets Make our Web Applications Secure
byAryashree Pritikrishna
 
Attacking Web Applications
bySasha Goldshtein
 

More from Badam Niazi

PPTX
Lec 3 Number SystemLec 3 Number SystemLec 3 Number System.pptx
byBadam Niazi
 
PPTX
Lec 2 Generations of ComputerLec 2 Generations of ComputerLec 2 Generations o...
byBadam Niazi
 
PPTX
Lec 2 Generations of ComputerLec 2 Generations of Computer.Lec 2 Generations ...
byBadam Niazi
 
PPTX
Lec 3 Number SystemLec 3 Number SystemLec 3 Number System.pptx
byBadam Niazi
 
PPTX
Web_Application_Attacks_Beginner_PS.pptx
byBadam Niazi
 
PPTX
SOFTWARE AND LICENSING.pptx
byBadam Niazi
 
PPT
Disabilities and using of digital technology
byBadam Niazi
 
Lec 3 Number SystemLec 3 Number SystemLec 3 Number System.pptx
byBadam Niazi
 
Lec 2 Generations of ComputerLec 2 Generations of ComputerLec 2 Generations o...
byBadam Niazi
 
Lec 2 Generations of ComputerLec 2 Generations of Computer.Lec 2 Generations ...
byBadam Niazi
 
Lec 3 Number SystemLec 3 Number SystemLec 3 Number System.pptx
byBadam Niazi
 
Web_Application_Attacks_Beginner_PS.pptx
byBadam Niazi
 
SOFTWARE AND LICENSING.pptx
byBadam Niazi
 
Disabilities and using of digital technology
byBadam Niazi
 

Recently uploaded

PDF
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
PDF
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
PPTX
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
PDF
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
PDF
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
PPTX
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
PPTX
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
PPTX
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
PDF
Chapter 05 Drugs Acting on the Central Nervous System: Anticonvulsant (Antiep...
bySandeshSul
 
PPTX
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
PDF
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
PDF
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
PDF
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
PDF
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
PDF
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
PPTX
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
PPTX
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
PPTX
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 
PPTX
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
PPTX
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 
How "Raiders of the Lost Ark" and "Ordinary People" Employ Non-Verbal Acting
by6x5csns4pn
 
Chapter 05 Drugs Acting on the Central Nervous System: Anti-Depressant Drugs
bySandeshSul
 
WEEK 2 (2).pptx TLE COOKERY 10 QUARTER 4
byResynFayeCortez2
 
Pharmaceutical Quality Assurance Unit 1 (BP606T)
byChetan Mali
 
Nursing care plan for Vomiting /B.Sc nsg
byDr. Sudhadevi Sadanandan
 
Greengnorance Toolkit Module1 Climate Change
byKarl Donert
 
Types of counselling Directive, Non Directive, Eclectic Counselling
byPriya Sush
 
How to Track & Manage My Time Section in Odoo 18 Time Off
byCeline George
 
Chapter 05 Drugs Acting on the Central Nervous System: Anticonvulsant (Antiep...
bySandeshSul
 
Renal Physiology- Functional anatomy of Kidney.pptx
byDisha Soriya
 
Workshop 29 Crystal Review All Students by YogiGoddess
by©LDMMIA, ©Reiki Yoga
 
Orlando by Virginia Woolf: The Granite and The Rainbow
byAdityarajsinh Gohil
 
Holm Community Heritage at St Nicholas Kirk - 2025 AGM Minutes (30.04.2025)
byAntoine Pietri
 
Structure-of-the-Atom PPT.pdf/CBSE CLASS 11 CHEMISTRY/ PREPARED BY K SANDEEP ...
bySandeep Swamy
 
PHARMACOLOGY 1 ( BP 404 T) Unit 1 (Cology 1)
byChetan Mali
 
How to Change Shipping Label Size in Odoo 18 Inventory
byCeline George
 
Overview of How to set priority in Odoo 19 Todo
byCeline George
 
Q4_PPT MUSIC & ARTS 7 week 1-2, matatag curriculum
byZEN
 
Fluorimetric Analysis- Theory, Instrumentation and Application
bySayali Powar
 
MEMORY &FORGETTING. Shilpa Hotakar.Psychology pptx
bySHILPA HOTAKAR
 

Web_Application_Attacks_Beginner_EN.pptx

  • 1.
    Web Application Attacks (BeginnerLevel) Instructor: __________ | Duration: 45–60 minutes
  • 2.
    Objectives • Understand whatweb attacks are and why they happen. • Identify safe tools and an intentionally vulnerable lab for practice. • Learn foundational prevention principles.
  • 3.
    What are WebApplication Attacks? • A web app communicates between a browser and a server. • Attackers try to: • • Send malicious input → Injection (e.g., SQLi) • • Access another user’s data → Broken Access Control / IDOR • • Execute code in the browser → Cross Site ‑ Scripting (XSS) • • Abuse login/session weaknesses → Auth/Session flaws
  • 4.
    Why use tools? •To find, observe, and fix weaknesses. • Practice only in safe labs (intentionally vulnerable apps).
  • 5.
    Burp Suite (PortSwigger) •Interception proxy between your browser and the server. • See/modify/resend requests (Proxy, Repeater). • Intruder/Scanner available in Pro; Community is sufficient for learning.
  • 6.
    Nikto • Fast webserver scanner. • Finds dangerous default files/paths, outdated versions, simple misconfigurations. • Human validation required for results.
  • 7.
    WebGoat (OWASP) • Intentionallyvulnerable educational web app. • Practice attacks safely and learn defenses. • Sample lessons: SQL Injection, XSS, Access Control, Sessions.
  • 8.
    Legacy Tools (WebScarab,Paros) • Older Java proxy tools historically used in training. • Modern replacements: Burp Suite (primary) or OWASP ZAP (free alternative).
  • 9.
    Safe Lab –Quick Start • 1) Start WebGoat (Docker): • docker run -p 8080:8080 -p 9090:9090 --rm webgoat/goatandwolf • Then open: http://localhost:8080/WebGoat • 2) Install/Configure Burp Suite Community: • Set browser proxy to 127.0.0.1:8080 and trust Burp’s CA (HTTPS). • 3) Simple exercise: Submit a form, observe in Proxy; tweak a parameter in Repeater.
  • 10.
    Three Common Attacks— Simple View • Injection (SQLi): Untrusted input alters a database query. • Prevention: Parameterized Queries / Prepared Statements. • XSS: Untrusted input runs as script in the user’s browser. • Prevention: Output Encoding + Content Security Policy (CSP). ‑ ‑ • Broken Access Control / IDOR: User can view/modify another user’s data.
  • 11.
    Session/Login Basics • Strongpassword policy + MFA. • Secure cookies: HttpOnly, Secure, SameSite. • Rate limiting/lockout; session rotation on privilege change.
  • 12.
    Configuration & Updates •Disable debug in production. • Enable security headers: HSTS, CSP, X Frame Options, X Content Type Options, ‑ ‑ ‑ ‑ ‑ Referrer Policy. ‑ • Keep dependencies up to date.
  • 13.
    Beginner Checklist • ☑Validate/sanitize input + Parameterized Queries. • ☑ Output Encoding + CSP. • ☑ Server side access control. ‑ • ☑ Secure sessions/cookies. • ☑ Debug off + security headers. • ☑ Updated dependencies + basic logging/alerts.
  • 14.
    Legal/Ethical Note • Onlytest systems you own, have permission to test, or intentionally vulnerable labs (WebGoat/DVWA/Juice Shop). • Do not scan real websites without consent.
  • 15.
    Homework/Practice • Complete thefirst SQLi lesson in WebGoat. • In Burp, save one request/response and write a brief prevention note. • Add security headers to your small project.