FB
Uploaded byfg.informatik Universität Basel
PDF, PPTX424 views

Website-Security

The document discusses several security vulnerabilities found in an online photo gallery application called fg.gallery built with PHP and MySQL. It identifies issues such as SQL injection, information exposure through error messages, lack of encryption of sensitive data, use of hard-coded credentials, session hijacking, cross-site scripting, cross-site request forgery, improper access controls, reliance on untrusted inputs, and unrestricted uploads of dangerous file types. Developers are encouraged to find and address these issues to help secure the application.

Embed presentation

Download as PDF, PPTX
fg.workshop
fg.workshop
fg.workshop > 200’000 Kreditkartendaten mittels SQL Injection gestohlen > 40 Millionen Kreditkartendaten unverschlüsselt abgespeichert
fg.workshop
fg.workshop Web Security "A good programmer is someone who always looks both ways before crossing a one-way street." — Doug Linder Marcel Büchler - Ivan Giangreco
fg.gallery fg.workshop • Galerie zum Hochladen von Bildern • einfache Benutzerverwaltung • Benutzer können Bilder bewerten • PHP, MySQL
fg.workshop Happy Hacking Finde die Sicherheitslücken.
fg.workshop fg.gallery • SQL-Injection • Missing Encryption of Sensitive Data • Information Exposure through an Error Message • Use of Hard-coded Credentials • Missing Authentication for Critical • Session Hijacking Function • Use of Blacklists instead of • Cross-Site-Scripting Whitelists • Cross-Site-Request Forgery • Improper Access Control • Reliance on Untrusted Inputs (Spoofed HTTP Requests) • Unrestricted Upload of File with Dangerous Type
fg.workshop SQL Injection
fg.workshop Cross-Site Scripting (XSS) Cookie wird an einen fremden Server geschickt! Und dasselbe hexadezimal codiert:
fg.workshop Session Hijacking
fg.workshop Cross-Site Request Forgery (CSRF) HTTP Request HTTP Response Logged in
fg.workshop Cross-Site Request Forgery (CSRF) Comment as you like Comment: HTTP Request HTTP Response
fg.workshop Cross-Site Request Forgery (CSRF) Comment as you like Comment: HTTP Request <img src=”http:// HTTP Response www.server.de/buy.php? num_of_stocks=1000”/>
fg.workshop Cross-Site Request Forgery (CSRF) Logged in HTTP Request HTTP Request http://www.server.de/buy.php?num_of_stocks=1000
fg.workshop http://cwe.mitre.org/top25/ http://phpsec.org/projects/guide/
fg.workshop Q&A

More Related Content

PDF
CSRF: ways to exploit, ways to prevent
byPaulius Leščinskas
 
PDF
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
PPTX
Browser Security 101
byStormpath
 
PPTX
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
PDF
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
PPT
DLL-Injection
byfg.informatik Universität Basel
 
PDF
Emergent gameplay
byfg.informatik Universität Basel
 
PDF
JavaScript packt aus: "Alle haben mich falsch verstanden!"
byfg.informatik Universität Basel
 
CSRF: ways to exploit, ways to prevent
byPaulius Leščinskas
 
Applying Security Controls on REST APIs
byErick Belluci Tedeschi
 
Browser Security 101
byStormpath
 
MITM Attacks on HTTPS: Another Perspective
byGreenD0g
 
XXE Exposed: SQLi, XSS, XXE and XEE against Web Services
byAbraham Aranguren
 
DLL-Injection
byfg.informatik Universität Basel
 
Emergent gameplay
byfg.informatik Universität Basel
 
JavaScript packt aus: "Alle haben mich falsch verstanden!"
byfg.informatik Universität Basel
 

Viewers also liked

PDF
NumericOS - How to build your own Operatingsystem
byfg.informatik Universität Basel
 
PDF
fg.workshop: Software vulnerability
byfg.informatik Universität Basel
 
PPTX
Hugs instead of Bugs: Dreaming of Quality Tools for Devs and Testers
byAndreas Grabner
 
PDF
Nfs brief corporate presentation
byCA Nikesh Sheth
 
DOC
EEIefolio_a_tiago_goncalves1
bytiago_goncalves
 
PPTX
Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...
byAndreas Grabner
 
NumericOS - How to build your own Operatingsystem
byfg.informatik Universität Basel
 
fg.workshop: Software vulnerability
byfg.informatik Universität Basel
 
Hugs instead of Bugs: Dreaming of Quality Tools for Devs and Testers
byAndreas Grabner
 
Nfs brief corporate presentation
byCA Nikesh Sheth
 
EEIefolio_a_tiago_goncalves1
bytiago_goncalves
 
Application Quality Gates in Continuous Delivery: Deliver Better Software Fas...
byAndreas Grabner
 

Similar to Website-Security

PDF
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
bye2-labs
 
PDF
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
PDF
Web Application Security Testing - Aware in BugDay Bangkok 2012
byPrathan Dansakulcharoenkit
 
PDF
Do You Write Secure Code? by Erez Metula
byAlphageeks
 
PDF
Minor Mistakes In Web Portals
bymsobiegraj
 
PDF
The top 10 security issues in web applications
byDevnology
 
PDF
Evolution Of Web Security
byChris Shiflett
 
PPTX
Sd mexico
byGeneXus
 
KEY
Do it-yourself-audits
byJohann-Peter Hartmann
 
KEY
DVWA BruCON Workshop
bytestuser1223
 
PDF
Web Application Scanning 101
bySasha Nunke
 
PPTX
AW-Infs201101067.pptx
byAnonymousDevil2
 
PPT
DC612 Day - Web Application Security: OWASP Top 10
bydc612
 
PPTX
Network penetration testing
byImaginea
 
PDF
Day 2 Dns Cert 4b Name Server Redirection
byvngundi
 
PDF
MBFuzzer : MITM Fuzzing for Mobile Applications
byFatih Ozavci
 
PPTX
Web application
byEve_Srithong
 
PPT
Attacking Web Applications
bySasha Goldshtein
 
PDF
Load Balancing und Beschleunigung mit Citrix Net Scaler
byDigicomp Academy AG
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
E2 Labs: ADVANCED PROGRAM ON: THE SECURITY OF A WEBSITE
bye2-labs
 
[Infosecworld 08 Orlando] CSRF: The Biggest Little Vulnerability on the Web
byShreeraj Shah
 
Web Application Security Testing - Aware in BugDay Bangkok 2012
byPrathan Dansakulcharoenkit
 
Do You Write Secure Code? by Erez Metula
byAlphageeks
 
Minor Mistakes In Web Portals
bymsobiegraj
 
The top 10 security issues in web applications
byDevnology
 
Evolution Of Web Security
byChris Shiflett
 
Sd mexico
byGeneXus
 
Do it-yourself-audits
byJohann-Peter Hartmann
 
DVWA BruCON Workshop
bytestuser1223
 
Web Application Scanning 101
bySasha Nunke
 
AW-Infs201101067.pptx
byAnonymousDevil2
 
DC612 Day - Web Application Security: OWASP Top 10
bydc612
 
Network penetration testing
byImaginea
 
Day 2 Dns Cert 4b Name Server Redirection
byvngundi
 
MBFuzzer : MITM Fuzzing for Mobile Applications
byFatih Ozavci
 
Web application
byEve_Srithong
 
Attacking Web Applications
bySasha Goldshtein
 
Load Balancing und Beschleunigung mit Citrix Net Scaler
byDigicomp Academy AG
 
Php Security By Mugdha And Anish
byOSSCube
 

More from fg.informatik Universität Basel

PDF
fg.workshop: Opensource licenses
byfg.informatik Universität Basel
 
PDF
Version management mit Git und Github
byfg.informatik Universität Basel
 
PDF
Drahtlose Kommunikation und SDR
byfg.informatik Universität Basel
 
PDF
OpenCL Grundlagen
byfg.informatik Universität Basel
 
PDF
Hardware-Basteleien für Informatiker
byfg.informatik Universität Basel
 
PDF
Game Design Dokumentation und Projekt Management
byfg.informatik Universität Basel
 
PDF
Hydraulische Erosion und Terraingeneration (GPGPU)
byfg.informatik Universität Basel
 
PDF
Ruby, Ruby, Ruby!
byfg.informatik Universität Basel
 
PDF
CS108 Bootcamp Eyeballs
byfg.informatik Universität Basel
 
PPTX
CS108 Bootcamp Einführung YASY
byfg.informatik Universität Basel
 
PDF
CS108 Bootcamp 2011 Intro - Jarwars
byfg.informatik Universität Basel
 
PDF
Open source hardware
byfg.informatik Universität Basel
 
fg.workshop: Opensource licenses
byfg.informatik Universität Basel
 
Version management mit Git und Github
byfg.informatik Universität Basel
 
Drahtlose Kommunikation und SDR
byfg.informatik Universität Basel
 
OpenCL Grundlagen
byfg.informatik Universität Basel
 
Hardware-Basteleien für Informatiker
byfg.informatik Universität Basel
 
Game Design Dokumentation und Projekt Management
byfg.informatik Universität Basel
 
Hydraulische Erosion und Terraingeneration (GPGPU)
byfg.informatik Universität Basel
 
Ruby, Ruby, Ruby!
byfg.informatik Universität Basel
 
CS108 Bootcamp Eyeballs
byfg.informatik Universität Basel
 
CS108 Bootcamp Einführung YASY
byfg.informatik Universität Basel
 
CS108 Bootcamp 2011 Intro - Jarwars
byfg.informatik Universität Basel
 
Open source hardware
byfg.informatik Universität Basel
 

Recently uploaded

PDF
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
PDF
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
PDF
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
PDF
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
PDF
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
PDF
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
PDF
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
PPTX
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
PPTX
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
PDF
apidays Paris 2025 | Zero Trust By Design
byapidays
 
PDF
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
PPTX
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
PDF
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX
PPTX game guess the logo with a twistppt
byAdrianAnig
 
20260212 Security-JAWS activity results for 2025 and activity goals for 2026
byTyphon 666
 
Spec-Driven Development with Kiro: Elevating Software Quality, Traceability, ...
byHaim Michael
 
Oracle Cloud Infrastructure 2025 Architect Professional (1Z0-1127-25) Master ...
byExamCert App
 
How AI Can Help Platform Engineers Build Better Platforms
byAll Things Open
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
Do You Control the AI, or Does the AI Control You?
bymedhateltoukhy
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Digital Twin in IBM for Accelerated Discovery of Climate & Sustainability, K...
byMichiaki Tatsubori
 
UiPath Automation Developer Associate Training Series 2025 - Session 4
byDianaGray10
 
UiPath Automation Developer Associate Training Series 2026 - Session 3
byDianaGray10
 
From Artificial Intelligence to African Intelligence: Transforming Research &...
byMoses Kemibaro
 
GTM-and-Sales-Plan for a cyber security product
byAshish Jangir
 
The Transformative Technology in Contemporary Businesses
bygreyaudrina
 
Automation Without Apprentices: How AI Challenges the Open Source Way
byIcinga
 
apidays Paris 2025 | Zero Trust By Design
byapidays
 
Effortless Distributed Systems with Aspire.pdf
byParticular Software
 
Tech Trends 2026: AI Agents, Quantum Computing, Robotics & Cybersecurity
byridwansassman
 
HOW TO OVERCOME THE THREATS OF ARTIFICIAL INTELLIGENCE AGAINST HUMANITY.pdf
byFaga1939
 
PPTX game guess the logo with a twistppt
byAdrianAnig
 

Website-Security