Practical Web Attacks


  1. Web application attacks – practical demonstration. Ing. Pavol Lupták, CISSP, CEH. www.nethemba.com
  2. Agenda
     • Unvalidated Parameters
     • Access Control Flaws
     • Session Management Flaws
     • Cross Site Scripting (XSS)
     • Injection flaws
     • Improper Error Handling
     • AJAX Security
  3. Unvalidated Parameters
     • Exploit Hidden Fields
     • Exploit Unchecked Email
     • Bypass Client Side JavaScript Validation
  4. Access Control Flaws
     • Bypass a Path Based Access Control Scheme
     • Bypass Business Layer Access Control
     • Bypass Data Layer Access Control
  5. Session Management Flaws
     • Spoof an Authentication Cookie
     • Hijack a Session
  6. Cross Site Scripting (XSS)
     • Stored XSS
     • Reflected XSS
     • Cross Site Request Forgery (CSRF)
  7. Injection flaws
     • Blind SQL injection
     • Numeric SQL injection
     • String SQL injection
     • XPATH injection
  8. Improper Error Handling
     • Fail Open Authentication Scheme
  9. AJAX Security
     • Client Side Filtering
     • Same Origin Policy (SOP) Protection
     • XML Injection
     • JSON Injection
     • Dangerous Use of Eval
  10. Used tools
     • WebGoat project: http://www.owasp.org/index.php/Category:OWASP_WebGoat_P
     • WebScarab: http://www.owasp.org/index.php/Category:OWASP_WebScarab
     • Tamperdata: http://tamperdata.mozdev.org/
     • LiveHTTPHeaders: http://livehttpheaders.mozdev.org/
     • Add N Edit Cookies: https://addons.mozilla.org/en-US/firefox/addon/573
  11. References
     • New Web Applications Attacks: http://www.nethemba.com/new_web_attacks-nethe
     • LAMP and PHP security hardening (in Slovak language): http://www.nethemba.com/php-sec.pdf
  12. Thank you for listening! Ing. Pavol Lupták, CISSP, CEH, pavol.luptak@nethemba.com
