2008: Web Application Security Tutorial
•Télécharger en tant que PPT, PDF•
110 j'aime•30,917 vues
Presented at a four hour pre-conference at the 2008 Annual Educause National Conference.
![[object Object],[object Object],[object Object],[object Object],Copyright © 2008 The Regents of the University of California All Rights Reserved. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials.](https://image.slidesharecdn.com/EducauseAnnualWebAppSecTutorialV3-123014295731-phpapp01/85/2008-web-application-security-tutorial-1-320.jpg)
![Puzzle – What is this? ,[object Object]](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (19)
En vedette
En vedette (11)
Similaire à 2008: Web Application Security Tutorial
Similaire à 2008: Web Application Security Tutorial (20)
Plus de Neil Matatall
Plus de Neil Matatall (8)
Dernier
Dernier (20)
2008: Web Application Security Tutorial
- 28. Cross-Site Scripting (XSS) Attacks
- 43. Application Error Messages ERROR [credit-card-db] (MySqlSystem.java:1331) - Invalid column name java.sql.SQLException: Invalid column name ‘social_security_numbre’: select username, password, ssn from users where id = ? sun.jdbc.rowset.CachedRowSet.getColIdxByName(CachedRowSet.java:1383)at com.mysql.Driver.MySQLDriver.a(MySQLDriver.java:2531) at sun.jdbc.rowset.CachedRowSet.getString(CachedRowSet.java:2167) at com.ppe.db.MySqlSystem.getReciPaying(MySqlSystem.java:1318) at control.action.FindUserAction.perform(FindKeyUserAction.java:81) at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet) at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1586) at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:492) at javax.servlet.http.HttpServlet.service(HttpServlet.java:740) at javax.servlet.http.HttpServlet.service(HttpServlet.java:853) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appl icationFilterChain.java:247)
- 49. "admin account info" filetype:log
- 60. SQL Injection Attacks “ SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements. “ (Wikipedia)
- 102. AJAX Request Lifecycle XmlHTTPRequest Response (text, JSON, XML, etc) There is nothing special about an XHR request other than its asynchronicity
- 114. Browser Page Cache & History
- 118. NIST: Security Considerations in the Information System Development Life Cycle http://csrc.nist.gov/publications/nistpubs/800-64/NIST-SP800-64.pdf SDLC | Security Considerations -Appropriateness of disposal -Exchange and sale -Internal organization screening -Transfer and donation -Contract closeout _______________ -Information Preservation -Media Sanitization -Hardware and Software Disposal -Performance measurement -Contract modifications -Operations Maintenance ________________ -Configuration Management and Control – Continuous monitoring -Installation -Inspection -Acceptance testing -Initial user training -Documentation ____________________ -Inspection and Acceptance -System Integration -Security Certification -Security Accreditation -Functional Need Doc. -Market Research -Feasibility Study -Requirements Analysis -Alternatives Analysis -Cost-Benefit Analysis -Risk Management -Acquisition Planning __________________ - Risk Assessment -Security Functional Requirements Analysis -Security Assurance Requirements Analysis -Cost considerations -Security Planning -Security Control Development - Security Test and Evaluation - Linkage of Need to Mission and Performance Objectives -Assessment of Alternatives to Capital Assets -Preparing for investment and budgeting ________________ -Security Categorization -Preliminary Risk Assessment Disposition Operations/ Maintenance Implementation Acquisition/ Development Initiation
- 123. Use Educause
- 129. Security Architecture – Multi-layer
- 130. Security Architecture Lifecycle – focus on Standardization
- 142. SDLC Approvals (Moving to JIRA Workflow)
- 155. Tamper Data – Firefox Plugin