X

Download Website Vulnerabilities PowerPoint Presentation


Login   OR  Register
X

Share on Social Media

               

Home / Computers & Web / Computers & Web Presentations / Website Vulnerabilities PowerPoint Presentation

Website Vulnerabilities PowerPoint Presentation

Note : Website Vulnerabilities PPT Presentation is available for free download. Click on Download Free PowerPoint Presentation top red button for free download Website Vulnerabilities presentation in .ppt/pptx format.
picworld By : picworld

On : Mar 20, 2018

facebook   twitter   google plus  
In : Computers & Web

Embed :
159
views

0
downloads
Login / Signup - with account for


  • → Make favorite
  • → Flag as inappropriate
  • → Download Presentation
  • → Share Presentation

Website Vulnerabilities
Presentation Transcript
Collapse/Expand

  • Slide 1 - by Brian Vees SECURITY VULNERABILITIES IN WEBSITES
  • Slide 2 - SQL Injection Username Enumeration Cross Site Scripting (XSS) Remote Code Execution String Formatting Vulnerabilities Five Types of Vulnerabilities
  • Slide 3 - A very common, and easy to exploit vulnerability Requires basic SQL knowledge The basic idea: Find a user-inputted field that most likely is used to query a database Insert text in the field which will then merge with the SQL query being executed Examine the results to gain info about the database Using this info, write better queries to receive potentially private data SQL Injection
  • Slide 4 - Given a sample login prompt on a webpage: Query to validate username might look like this: Entering a single apostrophe “breaks out” of the intended SQL code, allowing other code to be executed SQL Injection - Example query = "select * from user where username='" + tbUserName.Text + "'";
  • Slide 5 - Entering this data causes the following query to be sent to the database: Since 1=1 is always true, this query returns all users in the database SQL Injection – Example (Cont.) select * from user where username='' or 1=1 --'
  • Slide 6 - SQL injection to obtain error messages containing useful data SQL injection to delete data ('drop [tablename]--) SQL injection to execute files exec sp_oamethod @o, 'run', NULL, 'executable.exe' Other Examples
  • Slide 7 - “Escape” apostrophes String replacement on SQL-specific character combinations (“--”) Safest: reject any bad input rather than attempting to “cleanse” it Not necessarily plausible: names like O’Brien and other valid input contain apostrophes SQL Injection Prevention
  • Slide 8 - A very simple method of finding valid usernames Username Enumeration Invalid Username Valid Username
  • Slide 9 - Use the same error message for invalid password and invalid username This way an attacker has no idea whether or not the username is correct Username Enumeration Prevention
  • Slide 10 - Another type of code injection, but with client-side script Can be used to bypass client-side security, as well as gain other information (session cookies) Yahoo! and even Google have previously fallen victim to this vulnerability Cross Site Scripting
  • Slide 11 - This form echoes what the user entered in the case of an invalid login (i.e. invalid characters) What if we input JavaScript? XSS Example
  • Slide 12 - Consider if we now input the following code: With this data, we can bypass cookie-based security Also, external, lengthier scripts can be injected: Why Is XSS Dangerous?
  • Slide 13 - User input cleansing Don’t echo user input back unless it is necessary XSS Prevention
  • Slide 14 - Potentially the most dangerous vulnerability Stems from unsecure settings on a web server Remote Code Execution
  • Slide 15 - In PHP, the register globals setting is often set to “on” to ease development This allows for global variables to be set remotely require($page . “.php”); If $page is not initialized, any arbitrary file can be included and will be executed on that server Remote Code Execution Example
  • Slide 16 - There are several XML specifications that are also vulnerable to remote code execution Improperly validated XML can “break out” of the XML, and execute malicious code XML Vulnerabilities
  • Slide 17 - Ensure web server configuration is secure (namely, if using PHP, turn register_globals off) Validate user input Remote Code Execution Prevention
  • Slide 18 - An attack on server-side functions that can perform formatting (such as C’s printf) Special characters are used to read or write sections of memory that normally would not be accessible String Formatting Vulnerabilities
  • Slide 19 - %s can be used to continue reading data off the stack until an illegal memory address is attempted to be accessed, crashing the program %x can be used to print areas of memory that are normally not accessible %d, %u, and %x can be used to overwrite the instruction pointer, allowing the execution of user-defined code String Formatting Example
  • Slide 20 - Make sure and verify all user input Replace or reject special characters (“%”) String Formatting Vulnerability Prevention
  • Slide 21 - What is the golden rule that will stop the majority of these website attacks? Conclusion Validate User Input!

Description : Website vulnerabilities has SQL Injections, Cross Site Scripting (XSS). Know about website vulnerabilities with this website vulnerabilities powerpoint (ppt) presentation.

Tags : web security | website security | computer virus | hackers | website hack | hacking | website vulnerabilities | malicious attacks | mobile malware | mal attacks | website vulnerabilities