THE ANATOMY OF A WEB ATTACK: COMMON THREATS AND DEFENSES
CMR WORLD TECH
owasp infographic
THE ANATOMY OF A WEB ATTACK
An attempt to damage, disrupt, or gain unauthorized access to a computer, computer system, or electronic communications network.

WEB APP ATTACKS MADE UP 35% OF ALL BREACHES IN 2013
Followed by:
  Cyber-espionage at 22%
  POS intrusions at 14%
  Card skimmers at 9%
  Insider misuse at 8%
  Everything else at 6%
  Crimeware at 4%
  Misc. errors at 2%
  Physical theft/loss <1%

© COPYRIGHT 2015 ALERT LOGIC, INC. ALL RIGHTS RESERVED.

PROTECTING YOUR ENVIRONMENT
Whether your data lives on-premises, cloud or hybrid infrastructures, security measures are necessary to protect your data from attacks.

TYPE OF ATTACKS
Security measures are necessary to protect your data that may be subject to attacks. Unfortunately, there are several types of attacks that can be used to compromise your network.

PING SWEEP / VULNERABILITY SCANNING
Tools named: Metasploit / Kali Linux / Nessus / Nmap / Nikto

SQL INJECTION
SQLi causes the database, or the source code calling the database, to confuse the [data context] with the ANSI SQL [execution context].
  SELECT * FROM Users WHERE Username='$username' AND Password='$password'

CROSS SITE SCRIPTING
XSS causes the browser to execute user-supplied input as code. The input breaks out of the [data context] and becomes [execution context]. Sites vulnerable to XSS are exploited through features such as the search engine, login forms and comment fields. There are three different types of attack vectors: Local, Non-Persistent, and Persistent.
  <IMG SRC=jAvascript:alert('test2')>

RFI: REMOTE FILE INCLUSION
  $incfile = $_REQUEST["file"]; include($incfile.".php");

Tools named alongside these three attacks: Havij / SQLmap / SQL Ninja / BeEF / OWASP Xenotix / XSSserver / fimap / darkjumper

As security vulnerabilities and motivations for attacks evolve, so do the attack vectors used to compromise your network.
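As an added illustration (not part of the Alert Logic infographic), the two code snippets above rendered in Python: the infographic's login query built by string interpolation beside the same query with bound parameters, and a comment reflected raw beside one passed through contextual HTML encoding. The sqlite3 backend, the Users table contents and the function names are assumptions of this example; the XSS string is the one the infographic shows and is used only as test input to confirm that encoding keeps it in the data context.

```python
import html
import sqlite3

# Added example; the table contents are constructed, not taken from the infographic.


def make_db() -> sqlite3.Connection:
    """Build an in-memory Users table holding one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('alice', 'correct horse battery')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The infographic's query, assembled by string interpolation.

    The user's text lands inside the SQL statement itself, so a quote in the
    input ends the string literal and whatever follows is parsed as SQL: the
    data context has leaked into the execution context."""
    query = ("SELECT * FROM Users WHERE Username='%s' AND Password='%s'"
             % (username, password))
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same query with bound parameters.

    The driver passes the values to the engine separately from the statement
    text, so the input is only ever compared as data and cannot change the
    shape of the query."""
    query = "SELECT * FROM Users WHERE Username=? AND Password=?"
    return conn.execute(query, (username, password)).fetchone() is not None


# The XSS string shown in the infographic, used here only as test input.
XSS_SAMPLE = "<IMG SRC=jAvascript:alert('test2')>"


def render_comment_vulnerable(comment: str) -> str:
    """Reflect a comment into the page verbatim: the browser parses the
    submitted text as markup, i.e. as execution context."""
    return '<p class="comment">%s</p>' % comment


def render_comment_safe(comment: str) -> str:
    """Contextual output encoding for HTML text content: <, >, & and both
    quote characters become entities, so the browser only ever sees text."""
    return '<p class="comment">%s</p>' % html.escape(comment, quote=True)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # the classic data-to-SQL context break
    print("interpolated query, forged input:", login_vulnerable(db, tautology, tautology))  # True
    print("parameterized query, same input: ", login_safe(db, tautology, tautology))        # False
    print(render_comment_safe(XSS_SAMPLE))
```

The forged input authenticates against the interpolated query without a valid password and is rejected by the parameterized one; the encoded comment reaches the browser as literal text rather than an IMG element. Both checks are the kind of test the infographic's "Test & sanitize all user input" advice calls for, and they belong in the application's automated test suite.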
(Breach percentages reported by Verizon's 2014 Data Breach Investigations Report.)

DEFENSES
  Intrusion detection
  Keep systems patched
  Test & sanitize all user input
  Never use arbitrary input data in a literal file include request
  Web application firewall
  Log collection & analysis
  Secure HTTP response headers
  Developers should use tools like XSS Me to test their sites for vulnerabilities

POPULAR ATTACK VECTORS

1. INJECTION
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

2. BROKEN AUTHENTICATION & SESSION MANAGEMENT
Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities.

3. CROSS-SITE SCRIPTING (XSS)
XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

4. INSECURE DIRECT OBJECT REFERENCES
A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.

5. SECURITY MISCONFIGURATIONS
Good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
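The defense "Never use arbitrary input data in a literal file include request" and the Insecure Direct Object References item both come down to the same rule: never resolve an untrusted reference directly. An added example (not from the infographic, and written in Python rather than the PHP of the include snippet): a requested page name is mapped through a fixed server-side table instead of being concatenated into an include, and a record id is honoured only after checking that the record belongs to the authenticated user. The page names, paths, record contents and user names are constructed for this example.

```python
from typing import Dict, Optional

# Added example; the tables below are constructed, not taken from the infographic.

# Fixed map of the `file` values the application will honour. The request
# parameter is only ever used as a dictionary key, never concatenated into a
# path, so "../", absolute paths, URLs and stray bytes cannot reach the include.
INCLUDABLE_PAGES: Dict[str, str] = {
    "home": "pages/home.php",
    "about": "pages/about.php",
    "contact": "pages/contact.php",
}


def resolve_include(requested: str) -> Optional[str]:
    """Replacement for include($_REQUEST["file"] . ".php"): return the
    server-side path for a known page name, or None to refuse the request."""
    return INCLUDABLE_PAGES.get(requested)


# Constructed records: every object row carries its owner.
DOCUMENTS: Dict[int, Dict[str, str]] = {
    101: {"owner": "alice", "body": "alice's statement"},
    102: {"owner": "bob", "body": "bob's statement"},
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """Direct object reference: the key from the URL is looked up as-is, so
    anyone who guesses a neighbouring id reads someone else's row."""
    row = DOCUMENTS.get(doc_id)
    return row["body"] if row else None


def fetch_document_safe(current_user: str, doc_id: int) -> Optional[str]:
    """Same lookup with the access-control check the infographic calls for:
    the row must belong to the authenticated caller, otherwise fail closed."""
    row = DOCUMENTS.get(doc_id)
    if row is None or row["owner"] != current_user:
        return None  # a production handler would also log the refused id
    return row["body"]


if __name__ == "__main__":
    print(resolve_include("about"))          # pages/about.php
    print(resolve_include("../config"))      # None
    print(fetch_document_vulnerable(102))    # bob's statement, to anyone
    print(fetch_document_safe("alice", 102)) # None
```

Returning None for both "unknown id" and "not yours" is deliberate: a distinct "exists but forbidden" answer would let a caller enumerate which ids are populated.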
6. SENSITIVE DATA EXPOSURE
Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.

7. MISSING FUNCTION LEVEL ACCESS CONTROL
Most web applications verify function level access rights before making that functionality visible in the UI. However, applications need to perform the same access control checks on the server when each function is accessed. If requests are not verified, attackers will be able to forge requests in order to access functionality without proper authorization.

8. CROSS-SITE REQUEST FORGERY (CSRF)
A CSRF attack forces a logged-on victim's browser to send a forged HTTP request, including the victim's session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim's browser to generate requests the vulnerable application thinks are legitimate requests from the victim.

9. USING COMPONENTS WITH KNOWN VULNERABILITIES
Components, such as libraries, frameworks, and other software modules, almost always run with full privileges. If a vulnerable component is exploited, such an attack can facilitate serious data loss or server takeover. Applications using components with known vulnerabilities may undermine application defenses and enable a range of possible attacks and impacts.

10. UNVALIDATED REDIRECTS AND FORWARDS
Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.

OWASP TOP 10 2013
ALERTLOGIC.COM / U.S. 877.484.8383 / U.K. +44 (0) 203 011 5533
Source: https://www.owasp.org/index.php/Top_10_2013-Top_10
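An added example, not from the infographic, for items 8 and 10: a CSRF token bound to the session with an HMAC and compared in constant time (the forged request carries the cookie automatically, but the attacker's page cannot read or compute this token, so the handler can tell the two apart), and a redirect validator that accepts only a same-site path or an https URL to an allow-listed host. The server secret, session ids, host name and form fields are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Added example. SERVER_SECRET is generated here for the demonstration; a real
# deployment loads it from protected configuration and rotates it.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session: HMAC-SHA256(secret, session_id).

    The browser attaches the session cookie to any request an attacker's page
    provokes, but that page cannot read this value, so it cannot place a
    valid token in the forged form."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, submitted: str) -> bool:
    """Recompute the session's token and compare in constant time."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False  # compare_digest only accepts ASCII str
    return hmac.compare_digest(issue_csrf_token(session_id), submitted)


def handle_transfer(session_id: str, form: dict) -> str:
    """State-changing handler: the cookie alone is not proof of intent; the
    form must also carry the token issued for this session."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: transfer of %s accepted" % form.get("amount", "0")


# Destinations the application is willing to redirect to (assumed host name).
ALLOWED_REDIRECT_HOSTS = {"app.example.com"}


def safe_redirect_target(next_url: str, default: str = "/") -> str:
    """Accept a same-site relative path or an https URL to an allow-listed
    host; anything else falls back to the default landing page."""
    parts = urlsplit(next_url)
    # "//host" and "/\\host" are protocol-relative to a browser, so they are
    # not treated as same-site paths even though they begin with "/".
    is_relative = (parts.scheme == "" and parts.netloc == ""
                   and next_url.startswith("/")
                   and not next_url.startswith(("//", "/\\")))
    if is_relative:
        return next_url
    if parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    sid = "sess-1"  # constructed session id
    print(handle_transfer(sid, {"amount": "100"}))                                  # 403
    print(handle_transfer(sid, {"amount": "100", "csrf_token": issue_csrf_token(sid)}))  # 200
    print(safe_redirect_target("/account"))          # /account
    print(safe_redirect_target("//evil.example/"))   # /
```

The token is issued per session rather than per form, which keeps the check stateless on the server; the allow-list for redirects is checked against the parsed hostname, so user-info tricks such as `https://app.example.com@other-host/` resolve to the real host and are refused.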