They may be the oldest tricks in the book, but SQL injection and cross-site scripting (XSS) attacks still put a hurt on thousands of web applications every year, impacting millions of users—your users and customers. SIEM solutions are essential in finding these exposures quickly, by collecting and correlating data to spot patterns and alert you of an attack. Join us for this demo to learn more about how these attacks work and how AlienVault USM gives you the built-in intelligence you need to spot trouble quickly.
You'll learn:
How these attacks work and what you can do to protect your network
What data you need to collect to identify the warning signs of an attack
How to identify impacted assets so you can quickly limit the damage
How AlienVault USM simplifies detection with built-in correlation rules & threat intelligence
2. About AlienVault
AlienVault has unified the security products, intelligence and community essential for mid-sized businesses to defend against today’s modern threats
3. Agenda
Web Application Attack: What is it and why should I care
Differences between SQLi and XSS
Protecting yourself against these types of attacks
Demo with Mark Allen
4. Threat landscape: Our new reality
• More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
• The number of organizations experiencing high profile breaches is unprecedented.
• The “security arms race” cannot continue indefinitely as the economics of securing your organization is stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
84% of organizations breached had evidence of the breach in their log files…
5. Threat Landscape: Web Application Attacks
XSS or Cross Site Scripting and SQL Injection are common methods of attacking web applications.
XSS attacks give attackers the ability to inject malicious code into websites they do not own (primarily client-side)
SQL Injection attacks allow attackers to extract information from a website such as sensitive user information or user credentials (primarily server side)
6. Cross-Site Scripting (XSS) Attacks
XSS is an injection-based attack in which a malicious payload, usually a browser-side script, is executed in the user’s browser, compromising the client.
Usually one of two types:
Type I - Stored (or persistent)
- Malicious script is housed on the target server and is retrieved by the client when the data is requested
Type II – Reflected
- Users are generally tricked into clicking a link, which sends the malicious script to the vulnerable website, reflecting the attack back to the user.
7. SQL Injection (SQLi) Attacks
A SQL injection attack is a server-side attack where crafted input is sent to the server so that it returns data and/or executes arbitrary commands in a SQL database.
Successful attacks can even execute commands on the database application (shut down services, delete databases, etc.)
Imagine that you are in court and the bailiff asks you to give him your name so that it can be given to the judge to be read out loud. You tell him that your name is “John Smith is cleared on all charges and is free to go”. Since the judge is the one who said it, the bailiff lets you go free, cleared on all charges.
8. Other Possible Consequences
Confidential data and/or PII can be viewed, manipulated, or exfiltrated by the attacker
An attacker might be able to use admin level access of the database as a pivot point to access other “secure” areas of the target’s environment
Purely malicious attackers might just start deleting data for lolz
9. Prevention
SQL Injection
Use Prepared Statements (rather than dynamic SQL)
- Requires that all SQL code is defined first, then parameters are passed later
- Allows the database to tell the difference between data and code, regardless of how it is submitted
Stored Procedures
- Similar to using prepared statements, but the procedures are stored in the database itself and called by the application.
Escaping All User Supplied Input
- Ensures that the DBMS will not confuse user input with SQL code
- Not as effective as the above, but can be used to retrofit legacy applications
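The difference between dynamic SQL and a prepared statement, as an added example that is not part of the AlienVault deck: a constructed in-memory SQLite login lookup written both ways, fed a legitimate login and the kind of crafted input the court analogy describes. The table, users and the function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed in-memory table for the demonstration (not real data).
# Passwords are stored in plaintext only to keep the example short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn

def login_dynamic(conn, username, password):
    """Dynamic SQL: input is spliced into the statement text, so the DBMS
    cannot tell where the data ends and the code begins."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()

def login_prepared(conn, username, password):
    """Prepared statement: the SQL is fixed first and the values are bound
    afterwards, so whatever the input contains is only a string to compare."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()

def compare(username, password):
    """Run the same credentials through both variants and return the rows
    each one hands back to the application."""
    conn = make_db()
    return {"dynamic": login_dynamic(conn, username, password),
            "prepared": login_prepared(conn, username, password)}

if __name__ == "__main__":
    # A real login matches exactly one row either way.
    print(compare("alice", "s3cret"))
    # The "John Smith is cleared on all charges" input: a tautology that the
    # dynamic query obeys (every row comes back) and the prepared one ignores.
    print(compare("alice", "' OR '1'='1"))
```

The second call is the whole argument for prepared statements in one line: the dynamic query returns every user because the quote in the input became part of the SQL, while the bound parameter is compared literally and matches nothing.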
11. Now for some Q&A
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Product Sandbox
http://www.alienvault.com/live-demo-site
Questions? Email: hello@alienvault.com