SlideShare une entreprise Scribd logo

Web security with Eng Ahmed Galal and Eng Ramy saeid

Télécharger en tant que PPTX, PDF
Ahmed Ghazey
Ahmed Ghazey

web security presentation for Cryptography course faculty of computers and information Cairo university

FormationTechnologie
1  sur  64
Web Security
I. SQL injection
OVERVIEW  Introduction  SQL Injection  SQL Injection mitigation  Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART)  Conclusion
Web Applications  In computing, a web application is any application that uses a web browser as a client  With the rapid development of Internet, web applications involving database component become more and more popular.  Structured Query Language (SQL)is the major language to interact with database systems , such as MS SQL Server, Oracle, Access, MySQL, etc.
SQL injection  SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution  SQL injection must exploit a security vulnerability in an application's software
SQL injection  Ex: Suppose that a specific web application uses the following code for user authentication: String query = "SELECT accounts FROM users WHERE login = ' " + login + "' AND pass= ' " + pass + " ''';
Normal behavior  If the login and pass fields are filled with “Ali” and ”33214” the resulted query will be SELECT accounts FROM users WHERE login = „Ali' AND pass= „33214„  This query will return true only if the login name “Ali” and the password “33214” exists in the DB
Injected SQL statement  If the login and pass fields are filled with “admin” and ” ' or '1'='1 ” the resulted query will be SELECT accounts FROM users WHERE login='admin„ AND pass = „‟ or „1‟=„1‟  In this situation, the WHERE clause always has a true value, and contributes to a query result of all the accounts in table users  If the web application takes the first record to be the authenticated user, the user authentication mechanism would be broken by SQL injection
Injected SQL statement cont.  Imagine If we filled the pass field with the following SQL statement a„ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't SELECT accounts FROM users WHERE login='admin„ AND pass = „a‟ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't‟
SQL injection in URL  Ex: Suppose that a specific website have the following URL for showing books review depending on book ID Original URL: http://books.example.com/showReview.php?ID= 5 Injected URL: http://books.example.com/showReview.php?ID=5 AN D 1=1 Resulted SQL query : SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
Mitigation 1- Prepared statement 2- Escaping Franks's Oracle site => Franks„‟s Oracle site A ''double quoted'' word => A “”double quoted”” word
Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART) Related Applications:  Paros : is an open-source security scanner for testing web application vulnerabilities. It is a traditional penetration test which automatically scans web applications with injected HTTP request. By analyzing the response page,  JDBC checker : checks the type correctness of generated SQL queries, in order to find SQLIVs caused by improper type checking.  Sania : proposes syntactic and semantic analysis of the parse tree of intended SQL queries. After filling attack codes in leaf nodes, Sania checks the differences between initially parse tree and modified parse tree, and reports SQLIVs
Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) B. Structure extraction C. Structure matching D. Validation
Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) 1. Blank, includes space characters, tabs, carriage returns, line feeds, 2. 3. 4. 5. 6. 7. etc. Single-line comment, often lead by comment symbol "-Multiple-line comment, often cited by a pair of comment symbol "/*" and "*/". Keyword, pre-defined by SQL standard, which makes the SQL query meaningful, such as "SELECT", "INSERT","GRANT", “OR” etc. Punctuation, often used to separate SQL queries, or used in some mathematical operations, such as "=", "(", ";", etc. Identifier, often used to specify database name, table name, variable name, etc. Data, includes all kinds of data used in SQL standard,such as integers, real numbers, strings, dates, times, etc.
Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. B. Structure extraction 1. 2. 3. To describe the structure of SQL queries, SMART defines the SQL structure features of SQL query Q as a string array S: S=‘a1,a2,a3.. am’ (m≥1) where ai (1≤i≤m) is the ith keyword or punctuation in query Q, and m is the total number of keywords and punctuations. Regular expressions analysis is used on the SQL query to extract its structure features For example, the structure features of query "SELECT accounts FROM users WHERE login= 'admin' AND pass= 'admin ' " is: 'SELECT FROM WHERE = AND ='
Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. C. Structure matching 1. 2. For a given structure features array S, we define three kinds of operation to modify it: "add" an element into it, "delete" an element from it, and "change" one of its elements into another Given SQL structure features SI=A[1..m], S2=B[1..n], we define d(i, j)=δ (A[1..i], B[1..j]) as the least number of modification operations required to transfer A[1..i] into B[1..j].
Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. D. Validation Web applications are usually composed by many web pages where each web page has zero or more input parameters. For example, the following HTTP request shows that the "Login.jsp" page has two input parameters "login" and "pass", and their default values are "admin" and "admin": HTTP://www.bookstore.com/Login.jsp?login=admin&pass=admin 1. 2. we test the two input parameters in turn. If "login" parameter is the current parameter being tested, we first send the above original request over HTTP, and get all the SQL queries generated by it, denoted as Q=Q1,Q2..Qm. Then we get all the SQL queries generated by the injected request, denoted as Q'=Q‘1Q‘2 .. Q’n.
Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.  If m does not equal n, we cannot determine whether SQL injection succeeds, because the SQL queries are probably generated by different code branches  if m equals n, then we examine each pair of Qi, and Q„i and extract their structure features, denoted as S1 and S2 1. 2. 3. 4. If the extraction of S1 and S2 are both failed, we cannot determine whether SQLIV exists. If the extraction of S1 is failed and S2 is successful, we believe that the injection has broken some authentication mechanism, and alert it as a SQLIV If the extraction of S1 is successful and S2 is failed, we believe that the injection has broken the structure of the generated SQL query, and also alert it as a SQLIV If the extraction of S1and S2 are both successful, we
Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. If matching_value(S1,S2) equal zero, we believe that the structure of the SQL query doesn't change so the SQL injection doesn't succeed 2. If matching_value(S1,S2) is larger than zero and not larger than a given upper bound specified, we believe that the SQL injection appears and changes the structure of the SQL query, and alert it as a SQLIV 3. if matching_value(S1,S2) is larger than the upper bound, we believe that the change of the structure is caused by executing different code branches 4. If we still cannot determine whether SQL injection succeeds when finishing all the test cases, we believe that the tested input parameter is probably safe against SQL injection. Then we continue to test next input parameter, until all the input parameters are tested 1.
CONCLUSION We presented SMART, a new method to automatically test SQL injection vulnerabilities in web applications. SMART tests each input parameter of web applications, matches the SQL queries generated by both original HTTP request and injected HTTP request, and determines whether it has SQL injection vulnerability.
II. CROSS-SITE SCRIPTING XSS
OVERVIEW  INTRODUCTION  XSS VULNERABILITIES  A SOLUTION TO BLOCK CROSS SITE SCRIPTING VULNERABILITIES  AVOIDING XSS VULNERABILITIES  CONCLUSION
CROSS-SITE SCRIPTING (XSS)  Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.  XSS allows for code injection by malicious web users into Internet pages viewed by other users.  In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.
XSS VULNERABILITIES  There are Two types of XSS vulnerabilities: Reflected (Non-Persistent) Stored (Persistent)
Reflected (NON-PERSISTENT)  It occurs when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user  An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.
Reflected (NON-PERSISTENT)  Malicious content dose not get stored in the server
Stored (PERSISTENT)  It occurs when the data provided by the attacker is saved by the server (database, file system, other location).  Then permanently displayed on "normal" pages returned to other users in the course of regular browsing,
Stored (PERSISTENT)  The server stores the malicious content
A solution to block Cross Site Scripting Vulnerabilities
A solution to block Cross Site Scripting Vulnerabilities Cont.
Components interaction  The schema for each web page, where an input control is present, is generated and stored offline by the developer in a folder structure or in a database.  When a request is received, the HTTP request is passed on to the converter.  Converter converts the input to an XML object and sends it to the validator.
Components interaction Cont.  Validator retrieves the corresponding schema for the request and maps the XML object with the schema document.  If the input maps with the schema then the status is returned to the converter as „yes‟, otherwise the status „no‟ is returned.  If the status „yes‟ then the request is forwarded to the web application. Otherwise, the request is forwarded to an error page.
AVOIDING XSS VULNERABILITIES  Eliminating scripts  Cookie security  Input validation
ELIMINATING SCRIPTS  Some web applications are written to function without the need for client-side scripts.  In this way users would not be susceptible to XSS attacks.
COOKIE SECURITY  Because client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.  Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
INPUT VALIDATION  It helps decipher other injection attacks such as SQL injection.  Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.
AVOIDING XSS VULNERABILITIES  Do not follow links from sites that navigate to security-sensitive pages referencing personal or business information.  Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.
AVOIDING XSS VULNERABILITIES  User‟s can disable scripting when not required in order to reduce an XSS-style attack.  Do not trust links given on other sites such as e-mail or message boards.  Always access any site with sensitive information through its address and not third party sites
CONCLUISON  Always practice using testing tools during the design phase to eliminate XSS holes in the application.  Input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.
III. Denial of Service attacks (DOS)
Outlines  Abstract  Introduction  Motivation.  General Attack scenario.  Classification of DOS and DDOS attacks.     General attack classification Definition for DOS and DDOS Dos attack classification From DOS to DDOS  How to protect.  Example of DOS using LOIC.
Abstract  Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). While former security threats could be faced by a tight security policy and active measures like using firewalls, vendor patches etc. these DDoS are new in such way that there is no completely satisfying protection yet, in this part of presentation we will cover this topic carefully.  We will classify types of attacks.  Explore different DDOS tools.
Introduction  Motivation  Security threats is as old as the internet it self, In fact the first connection between computers in the ARPAnet between SRI and UCLA resulted in a crash of the receiving system due to some bugs in the communication software a classical Denial-of-Service attack.
General attack scenario  big web sites usually use more than one system running their web server. The clients access these servers via a load balancing server which redirects the HTTP requests to one of the servers. Todays web servers don't work as stand alone systems but need the support of a number of backend systems (like database or le-servers) to fulll their tasks. The whole LAN network where the site is hosted is typically protected by a firewall system. On the way the IP datagrams have to pass a num-ber of routers. On each of these systems there is at least the hardware, the operating system and (as part of the OS) aTCP/IP protocol stack that can fall victim to attacks.
Classification of DOS and DDOS attacks.  a possible classification of IT attacks according to the intention of the cracker could be  Denial of Service attack  The main goal of the attack is the disruption of service, this can be reached by a variety of ways.  Intrusion  Get access to a system and to circumvent certain barriers .  Information Theft  Access to otherwise restricted, sensitive information.  Modification  Attacker try to alter information, the type of attack increased lately
DOS definition according to W3C  What is a Denial of Service attack? Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests can not get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.
DDOS definition according to W3C  A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands
Definition of DOS and DOSS  Denial-Of-Service Attack = DOS Attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to it customers.  DoS = when a single host attacks  DDoS = when simultaneously multiple hosts attack
DOS attack classification  DOS and DDOS usually used limited number of well known attacks with names like Smurf, teardrop, or SYN-Flood.  We will try to provide a classification in categories according to specified criteria.  System attacked.  Part of the system attacked.  Bug or overload.
System attacked  According to general attack scenario we will identify a number of attack points :  Attack clients themselves ( useless number of users     or large ) Attack the router that connects the site hosting the webserver to its ISP ( Internet Service Provider ) this will effectively cut off all access to the websites. Attack the firewall system although firewalls should be quite immune to direct attacks , firewalls is a bottle nick all in and out bound connection go through it, so if an attack with a high load will stop them. Attack the load balancer. attack the servers it self ( will be hard )
Part of the system is attacked  Attacks forms can be further divided by the part of the system that is attacked.  Attack depends on the hardware (rare), theoretically CPU and network card could fail to work due to some data in net work packages.  Attack based on the limitation of the hardware.  Attacks targeting the Operating systems or the TCP/IP stacks of host.  For this type of attack some are bugs that can be fixed some are fundamental limitation. What to do ?!!!
Bug or overload  In general one has to distinguish whether a DoS is a cause of a specific bug or just an overload of components that function according to their specification. Although bugs are often more severe in their effects, most of the time the vendors quickly provide fixes. All the administrators have to do is to apply them to their system in order to avoid further attacks. Attacks that are based on an overload are typically harder to cope with. Of course you can buy new hardware, but as long as an attacker finds enough resources to use as relays in the Internet he will always bring your system to a halt. Changing the specification or protocols in order to fix the hole that allows the DoS is nearly impossible as this would often mean changing the software in millions of computers
Examples  Jolt2 is an attack targeting most of Microsoft windows systems , jolt2 sends a continuous stream of ICMP ECHO-REPLy fragment with specially tuned fragmentation which almost cause consumption of CPU and Memory 100% which render the system to unusable.  SYN-Flooding attack is to generate many half open TCP connections .  Smurf Attack so called amplifier sites in order to multiply the amount of traffic that hits the destination, this attack ends ICMP_ECHO_REQUEST packets with spoofed sender address to one or more subnet, subnet broadcast addresses, the packets received and replied by as many stations as are connected to the subnet.
From DOS to DDOS  Major Internet websites like amazon or Yahoo tend to have Internet connections with very large bandwidth an server farms with lots of components. Furthermore they are typically protected by firewall systems that block the known attacks that are based on malformed packets .  Their fears about large-scale attacks were proved soon later in February 2000 when major Internet sites –ebay amazon…etc where under attack. There are currently a few
How the attack happens ?  The actual attack is carried out by so called daemons – hidden programs – a number of the daemon is controlled by handlers and finally this handlers are activated by the attacker using clients tools.
How the intrusion to clients computers happen ? (|)  Stolen account is setup as a repository for a daemons program and attack tools .  Sniffers are used scan large ranges of network blocks to identify potential targets . Targets will include (overflow , security bugs,…etc. ).  A list of vulnerable systems is then used to create a script that perform exploit, set up command running under the root account , that listen to TCP port and connects to this port to confirm the success of the exploit .  From the list select one with the desired architecture ,Pre- compiled binaries of the DDoS daemons and handlers programs are created and stored on a stolen account somewhere on the Interne.
How the intrusion to clients computers happen ?( ||)  A script is then run which takes this list of "owned“ systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. The result of this automation is the ability for attackers to set up the denial of service network in a very short time frame and on widely dispersed systems whose true owners often don't even realize the attack.
Protection from DDOS  General protection  Basic security measures are mandatory.  If a running system is hacked into, no more network attacks are necessary, since local attacks ( processes consuming , memory consuming or simply shutting down )  A set of firewall should be used to separate the interior net from the internet , the firewall rules should include some sanity check for source and destination addresses.  Intrusion detection systems should be used to notify administrators of unusual activities.
Protection  IP verify unicast reverse-path( Smurf)  Use the IP verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.  This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.  Configure rate limiting for SYN packets  Limit response time.  Apply ingress and egress filtering  Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.  ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.

Recommandé

SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attackRayudu Babu
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention Rejaul Islam Royel
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 

Recommandé

SQL Injection attack
SQL Injection attackSQL Injection attack
SQL Injection attackRayudu Babu
 
SQL injection implementation and prevention
SQL injection implementation and prevention SQL injection implementation and prevention
SQL injection implementation and prevention Rejaul Islam Royel
 
Time-Based Blind SQL Injection
Time-Based Blind SQL InjectionTime-Based Blind SQL Injection
Time-Based Blind SQL Injectionmatt_presson
 
Ppt on sql injection
Ppt on sql injectionPpt on sql injection
Ppt on sql injectionashish20012
 
Time-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesTime-Based Blind SQL Injection Using Heavy Queries
Time-Based Blind SQL Injection Using Heavy QueriesChema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesTime-Based Blind SQL Injection using Heavy Queries
Time-Based Blind SQL Injection using Heavy QueriesChema Alonso
 
SQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationSQL Injections - A Powerpoint Presentation
SQL Injections - A Powerpoint PresentationRapid Purple
 
Sql injection
Sql injectionSql injection
Sql injectionPallavi Biswas
 
Greensql2007
Greensql2007Greensql2007
Greensql2007Kaustav Sengupta
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAbhinav Nair
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Sql injections
Sql injectionsSql injections
Sql injectionsKK004
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)n|u - The Open Security Community
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
Appreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI AttackAppreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI Attackijtsrd
 
Ebook8
Ebook8Ebook8
Ebook8kaashiv1
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksKumar
 
Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language Mahika Tutorials
 
ASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CSASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CStutorialsruby
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 
Chapter 5
Chapter 5Chapter 5
Chapter 5application developer
 
Sql full tutorial
Sql full tutorialSql full tutorial
Sql full tutorialMozaaic Cyber Security
 
Alpine High Tech Forum Pitch
Alpine High Tech Forum PitchAlpine High Tech Forum Pitch
Alpine High Tech Forum PitchFabio Lombardi
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
IoT Security
IoT SecurityIoT Security
IoT SecurityKohki Ohhira
 

Contenu connexe

Tendances

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity FrameworksRich Helton
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testingNapendra Singh
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacksKevin Kline
 
Sql injections
Sql injectionsSql injections
Sql injectionsKK004
 
Sql injection
Sql injectionSql injection
Sql injectionZidh
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection TutorialMagno Logan
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi pptAhamed Saleem
 
Appreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI AttackAppreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI Attackijtsrd
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacksKumar
 
Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language Mahika Tutorials
 
ASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CSASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CStutorialsruby
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecuritySanad Bhowmik
 

Tendances (19)

Greensql2007
Greensql2007Greensql2007
Greensql2007
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Sql Injection and Entity Frameworks
Sql Injection and Entity FrameworksSql Injection and Entity Frameworks
Sql Injection and Entity Frameworks
 
Sql injection - security testing
Sql injection - security testingSql injection - security testing
Sql injection - security testing
 
Understanding and preventing sql injection attacks
Understanding and preventing sql injection attacksUnderstanding and preventing sql injection attacks
Understanding and preventing sql injection attacks
 
Sql injections
Sql injectionsSql injections
Sql injections
 
SQL Injections (Part 1)
SQL Injections (Part 1)SQL Injections (Part 1)
SQL Injections (Part 1)
 
Sql injection
Sql injectionSql injection
Sql injection
 
SQL Injection Tutorial
SQL Injection TutorialSQL Injection Tutorial
SQL Injection Tutorial
 
Practical Approach towards SQLi ppt
Practical Approach towards SQLi pptPractical Approach towards SQLi ppt
Practical Approach towards SQLi ppt
 
Appreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI AttackAppreciative Advanced Blind SQLI Attack
Appreciative Advanced Blind SQLI Attack
 
Ebook8
Ebook8Ebook8
Ebook8
 
Sql injection attacks
Sql injection attacksSql injection attacks
Sql injection attacks
 
Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language Spring FrameWork Tutorials Java Language
Spring FrameWork Tutorials Java Language
 
ASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CSASPNET_MVC_Tutorial_06_CS
ASPNET_MVC_Tutorial_06_CS
 
Sql injection in cybersecurity
Sql injection in cybersecuritySql injection in cybersecurity
Sql injection in cybersecurity
 
Chapter 5
Chapter 5Chapter 5
Chapter 5
 
Sql full tutorial
Sql full tutorialSql full tutorial
Sql full tutorial
 

En vedette

Alpine High Tech Forum Pitch
Alpine High Tech Forum PitchAlpine High Tech Forum Pitch
Alpine High Tech Forum PitchFabio Lombardi
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafePhilippe De Ryck
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourCyren, Inc
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsFabio Lombardi
 
Web Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsWeb Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsKrassen Deltchev
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointLuis Grangeia
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security DeploymentCisco Canada
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Cisco Security
 
Webinar: Is your web security broken? - 10 things you need to know
Webinar: Is your web security broken? - 10 things you need to knowWebinar: Is your web security broken? - 10 things you need to know
Webinar: Is your web security broken? - 10 things you need to knowCyren, Inc
 

En vedette (10)

Alpine High Tech Forum Pitch
Alpine High Tech Forum PitchAlpine High Tech Forum Pitch
Alpine High Tech Forum Pitch
 
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You SafeWhy Traditional Web Security Technologies no Longer Suffice to Keep You Safe
Why Traditional Web Security Technologies no Longer Suffice to Keep You Safe
 
IoT Security
IoT SecurityIoT Security
IoT Security
 
How to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an HourHow to Launch a Web Security Service in an Hour
How to Launch a Web Security Service in an Hour
 
Web security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutionsWeb security: OWASP project, CSRF threat and solutions
Web security: OWASP project, CSRF threat and solutions
 
Web Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and TrendsWeb Application Forensics: Taxonomy and Trends
Web Application Forensics: Taxonomy and Trends
 
IBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's StandpointIBWAS 2010: Web Security From an Auditor's Standpoint
IBWAS 2010: Web Security From an Auditor's Standpoint
 
Web Security Deployment
Web Security DeploymentWeb Security Deployment
Web Security Deployment
 
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
Identify Zero-Day Breaches with Cognitive Threat Analytics on Cisco Web Secur...
 
Webinar: Is your web security broken? - 10 things you need to know
Webinar: Is your web security broken? - 10 things you need to knowWebinar: Is your web security broken? - 10 things you need to know
Webinar: Is your web security broken? - 10 things you need to know
 

Similaire à Web security with Eng Ahmed Galal and Eng Ramy saeid

D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmIOSR Journals
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_NicoleNicole Bili?
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sqlKaustav Sengupta
 

Similaire à Web security with Eng Ahmed Galal and Eng Ramy saeid (20)

Sql injection
Sql injectionSql injection
Sql injection
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
Sql injection
Sql injectionSql injection
Sql injection
 
Sql
SqlSql
Sql
 
E017131924
E017131924E017131924
E017131924
 
SQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive AlgorithmSQL Injection Prevention by Adaptive Algorithm
SQL Injection Prevention by Adaptive Algorithm
 
ieee
ieeeieee
ieee
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Sql Injection V.2
Sql Injection V.2Sql Injection V.2
Sql Injection V.2
 
Sql injection
Sql injectionSql injection
Sql injection
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Sql injection
Sql injectionSql injection
Sql injection
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Web application security
Web application securityWeb application security
Web application security
 
Code injection and green sql
Code injection and green sqlCode injection and green sql
Code injection and green sql
 
Sql injection
Sql injectionSql injection
Sql injection
 
Blind sql injection
Blind sql injectionBlind sql injection
Blind sql injection
 
Blind sql injection
Blind sql injectionBlind sql injection
Blind sql injection
 
Asp
AspAsp
Asp
 

Dernier

AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYKayeClaireEstoconing
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...JojoEDelaCruz
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptxmary850239
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfTechSoup
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfErwinPantujan2
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptxmary850239
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxVanesaIglesias10
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptxmary850239
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...Postal Advocate Inc.
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)lakshayb543
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...JhezDiaz1
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxCarlos105
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfJemuel Francisco
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxleah joy valeriano
 

Dernier (20)

YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITYISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
ISYU TUNGKOL SA SEKSWLADIDA (ISSUE ABOUT SEXUALITY
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
ENG 5 Q4 WEEk 1 DAY 1 Restate sentences heard in one’s own words. Use appropr...
 
4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx4.16.24 21st Century Movements for Black Lives.pptx
4.16.24 21st Century Movements for Black Lives.pptx
 
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdfInclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
Inclusivity Essentials_ Creating Accessible Websites for Nonprofits .pdf
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdfVirtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
Virtual-Orientation-on-the-Administration-of-NATG12-NATG6-and-ELLNA.pdf
 
4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx4.18.24 Movement Legacies, Reflection, and Review.pptx
4.18.24 Movement Legacies, Reflection, and Review.pptx
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
ROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptxROLES IN A STAGE PRODUCTION in arts.pptx
ROLES IN A STAGE PRODUCTION in arts.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
USPS® Forced Meter Migration - How to Know if Your Postage Meter Will Soon be...
 
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
Visit to a blind student's school🧑‍🦯🧑‍🦯(community medicine)
 
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
ENGLISH 7_Q4_LESSON 2_ Employing a Variety of Strategies for Effective Interp...
 
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptxBarangay Council for the Protection of Children (BCPC) Orientation.pptx
Barangay Council for the Protection of Children (BCPC) Orientation.pptx
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptxMusic 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
Music 9 - 4th quarter - Vocal Music of the Romantic Period.pptx
 

Web security with Eng Ahmed Galal and Eng Ramy saeid

  • 3. OVERVIEW  Introduction  SQL Injection  SQL Injection mitigation  Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART)  Conclusion
  • 4. Web Applications  In computing, a web application is any application that uses a web browser as a client  With the rapid development of Internet, web applications involving database component become more and more popular.  Structured Query Language (SQL)is the major language to interact with database systems , such as MS SQL Server, Oracle, Access, MySQL, etc.
  • 5. SQL injection  SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution  SQL injection must exploit a security vulnerability in an application's software
  • 6. SQL injection  Ex: Suppose that a specific web application uses the following code for user authentication: String query = "SELECT accounts FROM users WHERE login = ' " + login + "' AND pass= ' " + pass + " ''';
  • 7. Normal behavior  If the login and pass fields are filled with “Ali” and ”33214” the resulted query will be SELECT accounts FROM users WHERE login = „Ali' AND pass= „33214„  This query will return true only if the login name “Ali” and the password “33214” exists in the DB
  • 8. Injected SQL statement  If the login and pass fields are filled with “admin” and ” ' or '1'='1 ” the resulted query will be SELECT accounts FROM users WHERE login='admin„ AND pass = „‟ or „1‟=„1‟  In this situation, the WHERE clause always has a true value, and contributes to a query result of all the accounts in table users  If the web application takes the first record to be the authenticated user, the user authentication mechanism would be broken by SQL injection
  • 9. Injected SQL statement cont.  Imagine If we filled the pass field with the following SQL statement a„ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't SELECT accounts FROM users WHERE login='admin„ AND pass = „a‟ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't‟
  • 10. SQL injection in URL  Ex: Suppose that a specific website have the following URL for showing books review depending on book ID Original URL: http://books.example.com/showReview.php?ID= 5 Injected URL: http://books.example.com/showReview.php?ID=5 AN D 1=1 Resulted SQL query : SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
  • 11. Mitigation 1- Prepared statement 2- Escaping Franks's Oracle site => Franks„‟s Oracle site A ''double quoted'' word => A “”double quoted”” word
  • 12. Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART) Related Applications:  Paros : is an open-source security scanner for testing web application vulnerabilities. It is a traditional penetration test which automatically scans web applications with injected HTTP request. By analyzing the response page,  JDBC checker : checks the type correctness of generated SQL queries, in order to find SQLIVs caused by improper type checking.  Sania : proposes syntactic and semantic analysis of the parse tree of intended SQL queries. After filling attack codes in leaf nodes, Sania checks the differences between initially parse tree and modified parse tree, and reports SQLIVs
  • 13. Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) B. Structure extraction C. Structure matching D. Validation
  • 14. Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) 1. Blank, includes space characters, tabs, carriage returns, line feeds, 2. 3. 4. 5. 6. 7. etc. Single-line comment, often lead by comment symbol "-Multiple-line comment, often cited by a pair of comment symbol "/*" and "*/". Keyword, pre-defined by SQL standard, which makes the SQL query meaningful, such as "SELECT", "INSERT","GRANT", “OR” etc. Punctuation, often used to separate SQL queries, or used in some mathematical operations, such as "=", "(", ";", etc. Identifier, often used to specify database name, table name, variable name, etc. Data, includes all kinds of data used in SQL standard,such as integers, real numbers, strings, dates, times, etc.
  • 15. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. B. Structure extraction 1. 2. 3. To describe the structure of SQL queries, SMART defines the SQL structure features of SQL query Q as a string array S: S=‘a1,a2,a3.. am’ (m≥1) where ai (1≤i≤m) is the ith keyword or punctuation in query Q, and m is the total number of keywords and punctuations. Regular expressions analysis is used on the SQL query to extract its structure features For example, the structure features of query "SELECT accounts FROM users WHERE login= 'admin' AND pass= 'admin ' " is: 'SELECT FROM WHERE = AND ='
  • 16. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. C. Structure matching 1. 2. For a given structure features array S, we define three kinds of operation to modify it: "add" an element into it, "delete" an element from it, and "change" one of its elements into another Given SQL structure features SI=A[1..m], S2=B[1..n], we define d(i, j)=δ (A[1..i], B[1..j]) as the least number of modification operations required to transfer A[1..i] into B[1..j].
  • 17. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. D. Validation Web applications are usually composed by many web pages where each web page has zero or more input parameters. For example, the following HTTP request shows that the "Login.jsp" page has two input parameters "login" and "pass", and their default values are "admin" and "admin": HTTP://www.bookstore.com/Login.jsp?login=admin&pass=admin 1. 2. we test the two input parameters in turn. If "login" parameter is the current parameter being tested, we first send the above original request over HTTP, and get all the SQL queries generated by it, denoted as Q=Q1,Q2..Qm. Then we get all the SQL queries generated by the injected request, denoted as Q'=Q‘1Q‘2 .. Q’n.
  • 18. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.  If m does not equal n, we cannot determine whether SQL injection succeeds, because the SQL queries are probably generated by different code branches  if m equals n, then we examine each pair of Qi, and Q„i and extract their structure features, denoted as S1 and S2 1. 2. 3. 4. If the extraction of S1 and S2 are both failed, we cannot determine whether SQLIV exists. If the extraction of S1 is failed and S2 is successful, we believe that the injection has broken some authentication mechanism, and alert it as a SQLIV If the extraction of S1 is successful and S2 is failed, we believe that the injection has broken the structure of the generated SQL query, and also alert it as a SQLIV If the extraction of S1and S2 are both successful, we
  • 19. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. If matching_value(S1,S2) equal zero, we believe that the structure of the SQL query doesn't change so the SQL injection doesn't succeed 2. If matching_value(S1,S2) is larger than zero and not larger than a given upper bound specified, we believe that the SQL injection appears and changes the structure of the SQL query, and alert it as a SQLIV 3. if matching_value(S1,S2) is larger than the upper bound, we believe that the change of the structure is caused by executing different code branches 4. If we still cannot determine whether SQL injection succeeds when finishing all the test cases, we believe that the tested input parameter is probably safe against SQL injection. Then we continue to test next input parameter, until all the input parameters are tested 1.
  • 20. CONCLUSION We presented SMART, a new method to automatically test SQL injection vulnerabilities in web applications. SMART tests each input parameter of web applications, matches the SQL queries generated by both original HTTP request and injected HTTP request, and determines whether it has SQL injection vulnerability.
  • 22. OVERVIEW  INTRODUCTION  XSS VULNERABILITIES  A SOLUTION TO BLOCK CROSS SITE SCRIPTING VULNERABILITIES  AVOIDING XSS VULNERABILITIES  CONCLUSION
  • 23. CROSS-SITE SCRIPTING (XSS)  Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.  XSS allows for code injection by malicious web users into Internet pages viewed by other users.  In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.
  • 24. XSS VULNERABILITIES  There are Two types of XSS vulnerabilities: Reflected (Non-Persistent) Stored (Persistent)
  • 25. Reflected (NON-PERSISTENT)  It occurs when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user  An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.
  • 26. Reflected (NON-PERSISTENT)  Malicious content dose not get stored in the server
  • 27. Stored (PERSISTENT)  It occurs when the data provided by the attacker is saved by the server (database, file system, other location).  Then permanently displayed on "normal" pages returned to other users in the course of regular browsing,
  • 28. Stored (PERSISTENT)  The server stores the malicious content
  • 29. A solution to block Cross Site Scripting Vulnerabilities
  • 30. A solution to block Cross Site Scripting Vulnerabilities Cont.
  • 31. Components interaction  The schema for each web page, where an input control is present, is generated and stored offline by the developer in a folder structure or in a database.  When a request is received, the HTTP request is passed on to the converter.  Converter converts the input to an XML object and sends it to the validator.
  • 32. Components interaction Cont.  Validator retrieves the corresponding schema for the request and maps the XML object with the schema document.  If the input maps with the schema then the status is returned to the converter as „yes‟, otherwise the status „no‟ is returned.  If the status „yes‟ then the request is forwarded to the web application. Otherwise, the request is forwarded to an error page.
  • 33. AVOIDING XSS VULNERABILITIES  Eliminating scripts  Cookie security  Input validation
  • 34. ELIMINATING SCRIPTS  Some web applications are written to function without the need for client-side scripts.  In this way users would not be susceptible to XSS attacks.
  • 35. COOKIE SECURITY  Because client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.  Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
  • 36. INPUT VALIDATION  It helps decipher other injection attacks such as SQL injection.  Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.
  • 37. AVOIDING XSS VULNERABILITIES  Do not follow links from sites that navigate to security-sensitive pages referencing personal or business information.  Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.
  • 38. AVOIDING XSS VULNERABILITIES  User‟s can disable scripting when not required in order to reduce an XSS-style attack.  Do not trust links given on other sites such as e-mail or message boards.  Always access any site with sensitive information through its address and not third party sites
  • 39. CONCLUISON  Always practice using testing tools during the design phase to eliminate XSS holes in the application.  Input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.
  • 40. III. Denial of Service attacks (DOS)
  • 41. Outlines  Abstract  Introduction  Motivation.  General Attack scenario.  Classification of DOS and DDOS attacks.     General attack classification Definition for DOS and DDOS Dos attack classification From DOS to DDOS  How to protect.  Example of DOS using LOIC.
  • 42. Abstract  Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). While former security threats could be faced by a tight security policy and active measures like using firewalls, vendor patches etc. these DDoS are new in such way that there is no completely satisfying protection yet, in this part of presentation we will cover this topic carefully.  We will classify types of attacks.  Explore different DDOS tools.
  • 43. Introduction  Motivation  Security threats is as old as the internet it self, In fact the first connection between computers in the ARPAnet between SRI and UCLA resulted in a crash of the receiving system due to some bugs in the communication software a classical Denial-of-Service attack.
  • 44. General attack scenario  big web sites usually use more than one system running their web server. The clients access these servers via a load balancing server which redirects the HTTP requests to one of the servers. Todays web servers don't work as stand alone systems but need the support of a number of backend systems (like database or le-servers) to fulll their tasks. The whole LAN network where the site is hosted is typically protected by a firewall system. On the way the IP datagrams have to pass a num-ber of routers. On each of these systems there is at least the hardware, the operating system and (as part of the OS) aTCP/IP protocol stack that can fall victim to attacks.
  • 45.
  • 46. Classification of DOS and DDOS attacks.  a possible classification of IT attacks according to the intention of the cracker could be  Denial of Service attack  The main goal of the attack is the disruption of service, this can be reached by a variety of ways.  Intrusion  Get access to a system and to circumvent certain barriers .  Information Theft  Access to otherwise restricted, sensitive information.  Modification  Attacker try to alter information, the type of attack increased lately
  • 47. DOS definition according to W3C  What is a Denial of Service attack? Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests can not get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.
  • 48. DDOS definition according to W3C  A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands
  • 49. Definition of DOS and DOSS  Denial-Of-Service Attack = DOS Attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to it customers.  DoS = when a single host attacks  DDoS = when simultaneously multiple hosts attack
  • 50. DOS attack classification  DOS and DDOS usually used limited number of well known attacks with names like Smurf, teardrop, or SYN-Flood.  We will try to provide a classification in categories according to specified criteria.  System attacked.  Part of the system attacked.  Bug or overload.
  • 51. System attacked  According to general attack scenario we will identify a number of attack points :  Attack clients themselves ( useless number of users     or large ) Attack the router that connects the site hosting the webserver to its ISP ( Internet Service Provider ) this will effectively cut off all access to the websites. Attack the firewall system although firewalls should be quite immune to direct attacks , firewalls is a bottle nick all in and out bound connection go through it, so if an attack with a high load will stop them. Attack the load balancer. attack the servers it self ( will be hard )
  • 52. Part of the system is attacked  Attacks forms can be further divided by the part of the system that is attacked.  Attack depends on the hardware (rare), theoretically CPU and network card could fail to work due to some data in net work packages.  Attack based on the limitation of the hardware.  Attacks targeting the Operating systems or the TCP/IP stacks of host.  For this type of attack some are bugs that can be fixed some are fundamental limitation. What to do ?!!!
  • 53. Bug or overload  In general one has to distinguish whether a DoS is a cause of a specific bug or just an overload of components that function according to their specification. Although bugs are often more severe in their effects, most of the time the vendors quickly provide fixes. All the administrators have to do is to apply them to their system in order to avoid further attacks. Attacks that are based on an overload are typically harder to cope with. Of course you can buy new hardware, but as long as an attacker finds enough resources to use as relays in the Internet he will always bring your system to a halt. Changing the specification or protocols in order to fix the hole that allows the DoS is nearly impossible as this would often mean changing the software in millions of computers
  • 54. Examples  Jolt2 is an attack targeting most of Microsoft windows systems , jolt2 sends a continuous stream of ICMP ECHO-REPLy fragment with specially tuned fragmentation which almost cause consumption of CPU and Memory 100% which render the system to unusable.  SYN-Flooding attack is to generate many half open TCP connections .  Smurf Attack so called amplifier sites in order to multiply the amount of traffic that hits the destination, this attack ends ICMP_ECHO_REQUEST packets with spoofed sender address to one or more subnet, subnet broadcast addresses, the packets received and replied by as many stations as are connected to the subnet.
  • 55.
  • 56.
  • 57.
  • 58. From DOS to DDOS  Major Internet websites like amazon or Yahoo tend to have Internet connections with very large bandwidth an server farms with lots of components. Furthermore they are typically protected by firewall systems that block the known attacks that are based on malformed packets .  Their fears about large-scale attacks were proved soon later in February 2000 when major Internet sites –ebay amazon…etc where under attack. There are currently a few
  • 59. How the attack happens ?  The actual attack is carried out by so called daemons – hidden programs – a number of the daemon is controlled by handlers and finally this handlers are activated by the attacker using clients tools.
  • 60.
  • 61. How the intrusion to clients computers happen ? (|)  Stolen account is setup as a repository for a daemons program and attack tools .  Sniffers are used scan large ranges of network blocks to identify potential targets . Targets will include (overflow , security bugs,…etc. ).  A list of vulnerable systems is then used to create a script that perform exploit, set up command running under the root account , that listen to TCP port and connects to this port to confirm the success of the exploit .  From the list select one with the desired architecture ,Pre- compiled binaries of the DDoS daemons and handlers programs are created and stored on a stolen account somewhere on the Interne.
  • 62. How the intrusion to clients computers happen ?( ||)  A script is then run which takes this list of "owned“ systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. The result of this automation is the ability for attackers to set up the denial of service network in a very short time frame and on widely dispersed systems whose true owners often don't even realize the attack.
  • 63. Protection from DDOS  General protection  Basic security measures are mandatory.  If a running system is hacked into, no more network attacks are necessary, since local attacks ( processes consuming , memory consuming or simply shutting down )  A set of firewall should be used to separate the interior net from the internet , the firewall rules should include some sanity check for source and destination addresses.  Intrusion detection systems should be used to notify administrators of unusual activities.
  • 64. Protection  IP verify unicast reverse-path( Smurf)  Use the IP verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.  This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.  Configure rate limiting for SYN packets  Limit response time.  Apply ingress and egress filtering  Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.  ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.

Notes de l'éditeur

  1. http://testfire.net/bank/login.aspx