Web Application Security
Components & Architecture
Security Threats
• Cross-site scripting
• SQL injection
• Denial-of-service attack
• Brute force attack
• Remote file inclusion
• Man-in-the-middle attack
• Other server-side threats
Cross-site scripting (XSS)
• Allows attackers to inject their own malicious scripts into web pages and have them executed by the user's browser
• Vulnerability commonly seen in:
  • Search results that display back the text that was entered
  • Error messages that display the text that caused the error
  • Forms which are filled out whose values are later displayed to the user
  • Web message boards where users can post messages
Defense tactics
• Write an HTMLEncode routine and pass all user-supplied text through it before it is written into the page
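As an added example (not from the slides), here is the reflected-search case from the list above in Python: the page echoes the query both as result text and as the refilled value of the search form, first raw and then through an HTMLEncode routine. The render_results function and the constructed sample query are assumptions of this example; html.escape from the standard library does the encoding.

```python
import html

# Constructed sample input: a search term carrying both a double quote and
# markup, the two things that break out of attribute and text contexts.
HOSTILE_QUERY = '"><script>alert(1)</script>'


def html_encode(text):
    """HTMLEncode: the characters with meaning in HTML (& < > " ') become
    entities, so the browser displays them instead of parsing them.
    quote=True is what covers the quote characters inside attribute values."""
    return html.escape(text, quote=True)


def text_only_encode(text):
    """Encoding that handles & < > but leaves quotes alone: enough for text
    between tags, not enough for a value="..." attribute."""
    return html.escape(text, quote=False)


def render_results(query, encode):
    """Search page echoing the query in two places from the slide's list:
    the refilled search form (attribute context) and the result text."""
    shown = html_encode(query) if encode else query
    return (
        '<form><input name="q" value="' + shown + '"></form>\n'
        "<p>Results for: " + shown + "</p>"
    )


def contains_live_script(page):
    """Crude check for the demo: a raw <script> tag left in the page is one
    the browser would execute; an encoded &lt;script&gt; is just text."""
    return "<script>" in page.lower()


def demo():
    vulnerable = render_results(HOSTILE_QUERY, encode=False)
    hardened = render_results(HOSTILE_QUERY, encode=True)
    return {
        "vulnerable_executes": contains_live_script(vulnerable),  # True
        "hardened_executes": contains_live_script(hardened),      # False
        # Without quote=True the quote survives and closes the value="..."
        # attribute early, so the attribute context is still breakable.
        "text_only_leaves_quote": '"' in text_only_encode(HOSTILE_QUERY),  # True
        "hardened_page": hardened,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The third result is the caveat worth remembering: encoding for text context alone does not protect the refilled form field, so the routine must encode quotes as well.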
SQL Injection
• The process of an attacker adding his own SQL statements to user input
• Used by attackers to:
  • Gain confidential information (credit card numbers, account details etc.)
  • Bypass authorization
  • Perform unauthorized updates
• Injection occurs through:
  • Input fields (e.g. UserID and Password entry)
  • Query string (values added to the website's URL)
  • Manipulated values in HTML
Example
UserID: Test
Password: 123
Select * from Users where UserID = Test and Password = 123;
Web applications take user input and build an SQL statement which they send to the database.

Drop example
UserID: Test; drop table users; --
Password: 123
Select * from Users where UserID = Test; drop table users; -- and Password = 123;
The same string building now hands the database two statements, the lookup and the injected DROP TABLE, while the trailing -- turns the rest of the original query, including the password check, into a comment.
SQL Injection Defense
• It is quite simple: input validation
• Check all input
• Web applications should not directly build SQL statements based on user input
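The slide's "Drop example" carried through in Python with sqlite3, as an added example that is not part of the original deck: the string-built statement the slide warns against beside a parameterized query and an input allowlist. The table layout, the in-memory database and the sample credentials are constructed for this example; the hostile UserID is the slide's value with one closing quote added, since a real statement quotes its string literals.

```python
import re
import sqlite3

# Constructed sample credentials. The hostile UserID is the slide's "Drop
# example" with one closing quote added: a real statement quotes its string
# literals, so the quote is what ends the UserID literal early.
GOOD_USERID, GOOD_PASSWORD = "Test", "123"
HOSTILE_USERID = "Test'; drop table users; --"

# Allowlist for the UserID field: letters, digits and underscore only.
USERID_PATTERN = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def new_db():
    """In-memory database holding the single account from the slide.
    (A real users table stores password hashes, never the plaintext.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (GOOD_USERID, GOOD_PASSWORD))
    conn.commit()
    return conn


def users_table_exists(conn):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'users'"
    ).fetchone()
    return row is not None


def login_unsafe(conn, userid, password):
    """What the slide warns against: the statement is built from raw input.
    executescript() runs every statement in the string, as drivers that
    allow stacked queries do, so the injected DROP TABLE runs as well."""
    sql = (
        "SELECT * FROM users WHERE userid = '" + userid
        + "' AND password = '" + password + "';"
    )
    conn.executescript(sql)


def login_safe(conn, userid, password):
    """Parameterized query: the input is bound as data, never parsed as SQL.
    Returns True when a matching row exists."""
    row = conn.execute(
        "SELECT * FROM users WHERE userid = ? AND password = ?",
        (userid, password),
    ).fetchone()
    return row is not None


def validate_userid(userid):
    """The slide's first defense, 'check all input': reject anything that is
    not a plausible UserID before it reaches the database layer at all."""
    return USERID_PATTERN.fullmatch(userid) is not None


def run_demo():
    """Runs both code paths against the hostile input and reports the outcome."""
    results = {}

    conn = new_db()
    login_unsafe(conn, HOSTILE_USERID, GOOD_PASSWORD)
    results["unsafe_table_survives"] = users_table_exists(conn)                    # False

    conn = new_db()
    results["safe_hostile_matches"] = login_safe(conn, HOSTILE_USERID, GOOD_PASSWORD)  # False
    results["safe_table_survives"] = users_table_exists(conn)                      # True
    results["safe_good_matches"] = login_safe(conn, GOOD_USERID, GOOD_PASSWORD)    # True
    results["hostile_passes_validation"] = validate_userid(HOSTILE_USERID)         # False
    results["good_passes_validation"] = validate_userid(GOOD_USERID)               # True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```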
Brute Force Attack
• A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN).
• In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization's network security.
• A brute force attack may also be referred to as brute force cracking.
Preventing Brute Force Attacks
• Implement an account lockout policy
• Another technique is to use a challenge-response test to prevent automated submissions of the login page, using a tool such as the free reCAPTCHA
• The web application should enforce the use of strong passwords
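The first bullet, an account lockout policy, as an added Python example that is not part of the slides: failed logins per account are counted within a sliding window, and once the threshold is hit the account is refused for a lockout period before the password is even checked. The thresholds, the LockoutPolicy class and the simulated guessing scenario are assumptions of this example.

```python
import time
from collections import deque


class LockoutPolicy:
    """Account lockout: after max_failures failed logins on one account
    within window seconds, further attempts on that account are refused
    for lockout seconds without the password even being checked."""

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock            # injectable for deterministic tests
        self._failures = {}           # account -> deque of failure timestamps
        self._locked_until = {}       # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:     # lock expired: clear it and start fresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Returns True when this failure is the one that triggers the lockout."""
        now = self.clock()
        recent = self._failures.setdefault(account, deque())
        recent.append(now)
        while recent and now - recent[0] > self.window:   # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(policy, verify, account, password):
    """Login front door: returns 'locked', 'ok' or 'failed'. verify() is the
    real credential check, assumed to compare against a stored password hash."""
    if policy.is_locked(account):
        return "locked"
    if verify(account, password):
        policy.record_success(account)
        return "ok"
    policy.record_failure(account)
    return "failed"


def simulate_guessing(attempts=20):
    """Constructed scenario: automated software sends `attempts` wrong
    passwords for one account, one per second. Returns the outcome of each
    attempt and how many guesses actually reached the password check."""
    fake_clock = [0.0]
    checked = []

    def verify(account, password):
        checked.append(password)
        return password == "correct horse battery"   # constructed secret

    policy = LockoutPolicy(max_failures=5, window=300, lockout=900,
                           clock=lambda: fake_clock[0])
    outcomes = []
    for i in range(attempts):
        outcomes.append(attempt_login(policy, verify, "alice", f"guess{i}"))
        fake_clock[0] += 1.0
    return outcomes, len(checked)


if __name__ == "__main__":
    outcomes, checked = simulate_guessing()
    print(outcomes)                 # 5 x 'failed', then 'locked'
    print(f"{checked} guesses reached the password check")
```

A lockout policy carries its own denial-of-service risk for the legitimate account holder, which is one reason the slide pairs it with a challenge-response test and strong passwords rather than relying on it alone.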
DoS and DDoS
• An attempt to make a machine or network resource unavailable to its intended users
• One common method of attack involves saturating the target machine with external communications requests
• Such attacks usually lead to a server overload
Effects of DDoS
• Consumption of computational resources, such as bandwidth, memory, disk space, or processor time
• Disruption of configuration information, such as routing information
• Disruption of state information, such as unsolicited resetting of TCP sessions
• Disruption of physical network components
• Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately
DDoS Prevention
• An effective defense against an HTTP flood can be the deployment of a reverse proxy
• Increase the capacity of the system
• Load-balancing tools can distribute requests among many servers scattered across a wide geographical area
Remote file inclusion
• Allows an attacker to include a file, usually through a script on the web server
• The vulnerability occurs due to the use of user-supplied input without proper validation
This can lead to:
• Code execution on the web server
• Code execution on the client side, such as JavaScript, which can lead to other attacks such as cross-site scripting (XSS)
• Denial of service (DoS)
• Data theft/manipulation
Prevention
• This type of attack can be defended against at the .htaccess level and by filtering the inputs.
• Make sure you keep PHP's register_globals setting OFF. This is a biggie that will prevent much evil!
• Harden the server
Man-in-the-Middle Attack
• A man-in-the-middle attack is a type of cyberattack where a malicious actor inserts him/herself into a conversation between two parties.
• A MITM attack exploits the real-time processing of transactions, conversations or transfer of other data.
Prevention
• Use strong encryption between the client and the server
• You can use a browser plug-in such as HTTPS Everywhere or ForceTLS.
Server Hardening
• Shut down unused services
• Hide services with port knocking
  • Example: the web server service is public; hide the SFTP and SSH services
• Use one-time passwords, generating them with password generators
Restrict Resources to Avoid DoS Attacks
• Change the default timeout
• Restrict HTTP requests
Restrict Access to Web Resources
• Often resources should not be accessible to everyone
• htaccess is a simple mechanism for access protection
• htaccess is activated by placing a .htaccess file in the protected directory (or in one above it)
Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
Hide our information
Linux Systems Monitoring Cycle
OWASP
• The Open Web Application Security Project is an online community dedicated to web application security. The OWASP community includes corporations, educational organizations, and individuals from around the world.
• https://www.owasp.org/

Editor's Notes

  • #13: Input validation is the most important part of defending against SQL injection. You should enforce input validation in all new applications through strong design. And you should audit all your existing code and websites. You should additionally always harden your servers as well.
  • #27: LimitRequestBody can be unlimited (in practice up to 2 GB).