X

Download Website Vulnerabilities PowerPoint Presentation

SlidesFinder-Advertising-Design.jpg

Login   OR  Register
X


Iframe embed code :



Presentation url :

Home / Computers & Web / Computers & Web Presentations / Website Vulnerabilities PowerPoint Presentation

Website Vulnerabilities PowerPoint Presentation

Ppt Presentation Embed Code   Zoom Ppt Presentation

PowerPoint is the world's most popular presentation software which can let you create professional Website Vulnerabilities powerpoint presentation easily and in no time. This helps you give your presentation on Website Vulnerabilities in a conference, a school lecture, a business proposal, in a webinar and business and professional representations.

The uploader spent his/her valuable time to create this Website Vulnerabilities powerpoint presentation slides, to share his/her useful content with the world. This ppt presentation uploaded by picworld in Computers & Web ppt presentation category is available for free download,and can be used according to your industries like finance, marketing, education, health and many more.

About This Presentation

Website Vulnerabilities Presentation Transcript

Slide 1 - by Brian Vees SECURITY VULNERABILITIES IN WEBSITES
Slide 2 - SQL Injection Username Enumeration Cross Site Scripting (XSS) Remote Code Execution String Formatting Vulnerabilities Five Types of Vulnerabilities
Slide 3 - A very common, and easy to exploit vulnerability Requires basic SQL knowledge The basic idea: Find a user-inputted field that most likely is used to query a database Insert text in the field which will then merge with the SQL query being executed Examine the results to gain info about the database Using this info, write better queries to receive potentially private data SQL Injection
Slide 4 - Given a sample login prompt on a webpage: Query to validate username might look like this: Entering a single apostrophe “breaks out” of the intended SQL code, allowing other code to be executed SQL Injection - Example query = "select * from user where username='" + tbUserName.Text + "'";
Slide 5 - Entering this data causes the following query to be sent to the database: Since 1=1 is always true, this query returns all users in the database SQL Injection – Example (Cont.) select * from user where username='' or 1=1 --'
Slide 6 - SQL injection to obtain error messages containing useful data SQL injection to delete data ('drop [tablename]--) SQL injection to execute files exec sp_oamethod @o, 'run', NULL, 'executable.exe' Other Examples
Slide 7 - “Escape” apostrophes String replacement on SQL-specific character combinations (“--”) Safest: reject any bad input rather than attempting to “cleanse” it Not necessarily plausible: names like O’Brien and other valid input contain apostrophes SQL Injection Prevention
Slide 8 - A very simple method of finding valid usernames Username Enumeration Invalid Username Valid Username
Slide 9 - Use the same error message for invalid password and invalid username This way an attacker has no idea whether or not the username is correct Username Enumeration Prevention
Slide 10 - Another type of code injection, but with client-side script Can be used to bypass client-side security, as well as gain other information (session cookies) Yahoo! and even Google have previously fallen victim to this vulnerability Cross Site Scripting
Slide 11 - This form echoes what the user entered in the case of an invalid login (i.e. invalid characters) What if we input JavaScript? XSS Example
Slide 12 - Consider if we now input the following code: With this data, we can bypass cookie-based security Also, external, lengthier scripts can be injected: Why Is XSS Dangerous?
Slide 13 - User input cleansing Don’t echo user input back unless it is necessary XSS Prevention
Slide 14 - Potentially the most dangerous vulnerability Stems from unsecure settings on a web server Remote Code Execution
Slide 15 - In PHP, the register globals setting is often set to “on” to ease development This allows for global variables to be set remotely require($page . “.php”); If $page is not initialized, any arbitrary file can be included and will be executed on that server Remote Code Execution Example
Slide 16 - There are several XML specifications that are also vulnerable to remote code execution Improperly validated XML can “break out” of the XML, and execute malicious code XML Vulnerabilities
Slide 17 - Ensure web server configuration is secure (namely, if using PHP, turn register_globals off) Validate user input Remote Code Execution Prevention
Slide 18 - An attack on server-side functions that can perform formatting (such as C’s printf) Special characters are used to read or write sections of memory that normally would not be accessible String Formatting Vulnerabilities
Slide 19 - %s can be used to continue reading data off the stack until an illegal memory address is attempted to be accessed, crashing the program %x can be used to print areas of memory that are normally not accessible %d, %u, and %x can be used to overwrite the instruction pointer, allowing the execution of user-defined code String Formatting Example
Slide 20 - Make sure and verify all user input Replace or reject special characters (“%”) String Formatting Vulnerability Prevention
Slide 21 - What is the golden rule that will stop the majority of these website attacks? Conclusion Validate User Input!