SlideShare a Scribd company logo

Vulnerabilities in modern web applications

Download as PPTX, PDF
N
Niyas Nazar

The document discusses vulnerabilities in modern web applications, highlighting the shift to remote server applications and the associated security risks. It details penetration testing phases, including reconnaissance and application exploitation, and outlines various vulnerabilities such as XSS, CSRF, SQL injection, and insecure direct object reference. Additionally, it provides recommendations for preventing these vulnerabilities through secure coding practices and the use of specific penetration testing tools.

Software
1 of 34
Downloaded 87 times
1
2
3
4
5
6
7
8
9
Most read
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Most read
24
25
26
27
Most read
28
29
30
31
32
33
34
NIYAS N S 14CS246 Vulnerabilities in Modern Web Applications
Introduction • Trend in modern application design is to move applications into a remote server . • Consistent and quick updates • Application monitoring • and lower requirements on local hardware performance. • eg Office 365, Google Docs etc. • Need good quality of Internet connection • Security
Contents • Penetration Testing Tools • Web Application Vulnerabilities • Security Recommendations
Penetration Testing Tools • Higher Security risk of remotely run applications has to be verified, expressed, and minimized. • Main goal - improve the application security via pointing out its security flaws. • There are two basic phases of the testing – Reconnaissance – Application Exploitation
Reconnaisance Phase • Passive • gather as much info about targeted network. • network itself not accesed. • Active • interact directly with targeted devices. • to identify OS, running services and potential vulnerabilities. • Application Scanning • automatized scanning of web applications. • results can present a general idea of the application • guidance in exploiting existing flaws.
Passive Phase • Maltego – OSINT (Open Source Intelligence) type. – group of tools using publicly available data. – uses lists of indexes and databases to search for info. • Discover Scripts – OSINT type. – integrates search and scanning utilities in Kali linux OS
Active Phase • Ettercap – open source multi platform tool for network traffic sniffing – it can capture comm. between two users in a network. – used for gather sensitive informations like password. • Nmap – it can find connected networks end devices,open ports. – it can build a network map – versions of OS, services and running daemons etc
Application Scanning • Arachni – automatized multi-platform tool for security audits. – using asynchronous HTTP requests, parallel processing of javascript op's and multi-thread scanning. – integreted browser engine , scans web app using advan. tec • OWASP ZAP (Zed Attack Proxy) – Proxy ( comm. capturing) , Scanner (passive,active) Fuzzer (sequ. sends dangerous payload to identify vulnerability), spider(traverse all web pages) ,forced browsing (discover direct access to files stored on the server)
Web Application Exploitation • SQL Tools – SQLMap • open source tool for testing database part of web app • typical exploitation is SQL injection • in case of succesfull exploitation, the SQLmap can access shell • data can be saved in a file ,if attack is succesfull – NoSQLMap • currently supports only MongoDB, but extensions of NoSQL databases like CouchDB, Redis and Cassandra are planned. • attack itself can take a few minutes , depends on scope.
Web Application Exploitation • Password Attacks – Hashcat • open source tool supporting many hash algorithms.(SHA,MD) • computation run either on CPU or GPU (parallelized arch) – cudaHashcat for Nvidia – oclHashcat for AMD • hashcat contains following attack modes – straight (classical dictionary attack) – combination (words connected from multiple dictionaries) – brute-force (mask specification allows to omit unused password comb.)
Web Application Exploitation • Burp Suite • Web Vulnerability Scanner • Proxy (captures and modify communication) • Spider (create map of web application and send forms) • Intruder (realizes attack based on performed analysis) • Repeater (repeatedly modifies HTTP requests &analyze replies) • Sequencer (analyzes the level of security tokens randomness)
Web Application Exploitation • BeEF (Browser Exploitation Framework) – focused on XSS attacks – BeEF is modular framework – main functionality is hooking process.
Web Application Vulnerabilities • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF) • Insecure Direct Object Reference • SQL Injection • Broken Authentication and Session Management
Cross Site Scripting (XSS) • Malicious code that can change the look and function of a legitimate web application. • More widespread now because of move to more rich Internet applications using dynamic content and JavaScript and the latest AJAX trend. • It can be identified using OWASP ZAP and exploit using BeEF.
Cross Site Scripting (XSS) • Impact of XSS – Data residing in web page can be sent anywhere in the world. – Facilitates many other types of attacks (CSRF, Session Attacks) – site's behaviour can be hijacked.
Cross Site Scripting (XSS) • Demo – WebGoat Stored XSS
Preventing XSS • Escape all user input when it is displayed – Escaping converts the output to harmless html entities • <script> becomes &lt;script&gt; • but still displayed as <script> • Ensure your filter uses a white list approach – Filters based on blacklisting have historically been flawed • E.g. PHP, Ruby on Rails sanitize method – New encoding schemes can easily bypass filters that use a blacklist approach
Cross Site Request Forgery (CSRF) • A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application. • Occurs when an authenticated user unknowingly initiates a request • XSS facilitates CSRF via “Link Injection”
Cross Site Request Forgery (CSRF) http://yourbank.com/transfer? to_account=my_account_number&amount=all_of_your_money
Preventing CSRF • Add a secondary authentication mechanism –Such as an impossible to guess token • Require a confirmation page before executing potentially dangerous actions • Eliminate XSS vulnerabilities • Use POST as your form action and only accept POST requests on the server for sensitive data !
Insecure Direct Object Reference • A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. • Attackers can manipulate those references to access other objects without authorization. • E.g. /BankAccount.jsp?acct_nmbr=123 –The hacker modifies the parameter to view another users account
Insecure Direct Object Reference
Session Attacks Session Fixation Session Hijacking • The hacker predicts a valid session key (usually via phishing) • The hacker masquerades as another user by stealing the users session id (usually via XSS)
Insecure Direct Object Reference • Demo – Bypass a path based access control scheme
Preventing Direct Object Reference • Properly validate data! • All input data MUST be validated server side for each request – client side validation is EASILY bypassed • Do not expose internals to the user • Such as IDs (if possible/necessary) • Use an indirect reference map with hard to guess keys (hash) • POST /BankAccount.jsp?acct_nmbr=d83OJdm3 • The server then uses the key to get the real value »Key: d83OJdm3 value: 123
SQL Injection • SQL injection is a security vulnerability that occurs in the database layer of an application. • Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.
SQL Injection • Login Example Attack – Text in blue is your SQL code, Text in orange is the hacker input, black text is your application code • Dynamically Build SQL String performing authentication: – “SELECT * FROM users WHERE login = ‘” + userName + “’ and password= ‘” + password + “’”; • Hacker logs in as: ‘ or ‘’ = ‘’; -- – SELECT * FROM users WHERE login = ‘’ or ‘’ = ‘’; --‘ and password=‘’
SQL Injection • Demo – SQL String Injection
Preventing SQL Injection • Use Prepared Statements (aka Parameterized Queries) – $id=1234 – “select * from accounts where id = “ + $id vs – “select * from accounts where id =1234” • Escape questionable characters (ticks, --, semi-colon, brackets, etc.) • Validate input – Strong typing • If the id parameter is a number, try parsing it into an integer
Broken Authentication and Session Management • Account credentials and session tokens are often not properly protected. • Attackers compromise passwords, keys, or authentication tokens to assume other user's identities.
Authentication Checks • Never store passwords in plaintext – Encrypt or Hash+Salt (preferred) • Architect applications to check every request to see that the authentication data is still valid • Issue a new session token when a change in privilege occurs • If you absolutely must use “remember me” functionality, use a difficult to guess authentication cookie • Authentication data is sent with every request, so protect it
Preventing Authentication and Session Attacks • Use built in session management! • Use secure randomly generated session keys to make prediction impossible –Don’t expose the user to session ids if possible • Use reasonable session timeouts
Preventing Authentication and Session Attacks • Demo – Session Fixation
Thank You ------------------------------------

More Related Content

What's hot (20)

PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
PPTX
Cross Site Scripting ( XSS)
Amit Tyagi
 
PPT
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
PDF
Cross site scripting attacks and defenses
Mohammed A. Imran
 
PPTX
Xss attack
Manjushree Mashal
 
PPTX
How to Test for The OWASP Top Ten
Security Innovation
 
PPTX
OWASP Top 10 2021 What's New
Michael Furman
 
PDF
Threat Modelling
n|u - The Open Security Community
 
PDF
Secure coding presentation Oct 3 2020
Moataz Kamel
 
PPTX
Web application attacks
hruth
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
PDF
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
PPTX
Introduction to penetration testing
Nezar Alazzabi
 
PDF
Web application security & Testing
Deepu S Nath
 
PDF
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
PPTX
Command injection
penetration Tester
 
PDF
Web Application Security and Awareness
Abdul Rahman Sherzad
 
PDF
Penetration testing web application web application (in) security
Nahidul Kibria
 
PPTX
Security misconfiguration
Micho Hayek
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
OWASP Top 10 2021 Presentation (Jul 2022)
TzahiArabov
 
Cross Site Scripting ( XSS)
Amit Tyagi
 
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Cross site scripting attacks and defenses
Mohammed A. Imran
 
Xss attack
Manjushree Mashal
 
How to Test for The OWASP Top Ten
Security Innovation
 
OWASP Top 10 2021 What's New
Michael Furman
 
Threat Modelling
n|u - The Open Security Community
 
Secure coding presentation Oct 3 2020
Moataz Kamel
 
Web application attacks
hruth
 
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Introduction to penetration testing
Nezar Alazzabi
 
Web application security & Testing
Deepu S Nath
 
Neat tricks to bypass CSRF-protection
Mikhail Egorov
 
Command injection
penetration Tester
 
Web Application Security and Awareness
Abdul Rahman Sherzad
 
Penetration testing web application web application (in) security
Nahidul Kibria
 
Security misconfiguration
Micho Hayek
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 

Similar to Vulnerabilities in modern web applications (20)

PDF
Common Web Application Attacks
Ahmed Sherif
 
PPT
Intro to Web Application Security
Rob Ragan
 
PPTX
OWASP top 10-2013
tmd800
 
PPTX
Security testing for web developers
matthewhughes
 
PPTX
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
PDF
C01461422
IOSR Journals
 
PPTX
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
PPTX
State of the information security nation
SensePost
 
PDF
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
PPTX
6 - Web Application Security.pptx
AlmaOraevi
 
PPTX
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
PPTX
Web application security
Jin Castor
 
PDF
Web vulnerabilities
Krishna Gehlot
 
PPT
Web Application Security
Chris Hillman
 
PDF
Become a Security Ninja
Paul Gilzow
 
PDF
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
PPTX
CyberSecurityppt. pptx
iamayesha2526
 
PDF
Web application sec_3
vhimsikal
 
PPT
Web Apps Security
Victor Bucutea
 
PPT
Hacking web applications
Adeel Javaid
 
Common Web Application Attacks
Ahmed Sherif
 
Intro to Web Application Security
Rob Ragan
 
OWASP top 10-2013
tmd800
 
Security testing for web developers
matthewhughes
 
Top web apps security vulnerabilities
Aleksandar Bozinovski
 
C01461422
IOSR Journals
 
ASP.NET security vulnerabilities
Aleksandar Bozinovski
 
State of the information security nation
SensePost
 
Secure Coding BSSN Semarang Material.pdf
nanangAris1
 
6 - Web Application Security.pptx
AlmaOraevi
 
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
Web application security
Jin Castor
 
Web vulnerabilities
Krishna Gehlot
 
Web Application Security
Chris Hillman
 
Become a Security Ninja
Paul Gilzow
 
Owasp top 10 vulnerabilities 2013
Vishrut Sharma
 
CyberSecurityppt. pptx
iamayesha2526
 
Web application sec_3
vhimsikal
 
Web Apps Security
Victor Bucutea
 
Hacking web applications
Adeel Javaid
 
Ad

Recently uploaded (20)

PDF
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
PPTX
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
PPTX
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
PPTX
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
PDF
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
PPTX
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
PPTX
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PPTX
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
PPTX
ChiSquare Procedure in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
PDF
Unlock Efficiency with Insurance Policy Administration Systems
Insurance Tech Services
 
PDF
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
PDF
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
PDF
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
PDF
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
PDF
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
PPTX
Help for Correlations in IBM SPSS Statistics.pptx
Version 1 Analytics
 
PDF
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
PDF
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
PDF
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
PPTX
Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...
SatishKumar2651
 
[Solution] Why Choose the VeryPDF DRM Protector Custom-Built Solution for You...
Lingwen1998
 
OpenChain @ OSS NA - In From the Cold: Open Source as Part of Mainstream Soft...
Shane Coughlan
 
Agentic Automation Journey Session 1/5: Context Grounding and Autopilot for E...
klpathrudu
 
Home Care Tools: Benefits, features and more
Third Rock Techkno
 
Why Businesses Are Switching to Open Source Alternatives to Crystal Reports.pdf
Varsha Nayak
 
Agentic Automation: Build & Deploy Your First UiPath Agent
klpathrudu
 
Change Common Properties in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Hardware(Central Processing Unit ) CU and ALU
RizwanaKalsoom2
 
ChiSquare Procedure in IBM SPSS Statistics Version 31.pptx
Version 1 Analytics
 
Unlock Efficiency with Insurance Policy Administration Systems
Insurance Tech Services
 
Wondershare PDFelement Pro Crack for MacOS New Version Latest 2025
bashirkhan333g
 
Automate Cybersecurity Tasks with Python
VICTOR MAESTRE RAMIREZ
 
vMix Pro 28.0.0.42 Download vMix Registration key Bundle
kulindacore
 
Odoo CRM vs Zoho CRM: Honest Comparison 2025
Odiware Technologies Private Limited
 
Generic or Specific? Making sensible software design decisions
Bert Jan Schrijver
 
Help for Correlations in IBM SPSS Statistics.pptx
Version 1 Analytics
 
Alexander Marshalov - How to use AI Assistants with your Monitoring system Q2...
VictoriaMetrics
 
SciPy 2025 - Packaging a Scientific Python Project
Henry Schreiner
 
Open Chain Q2 Steering Committee Meeting - 2025-06-25
Shane Coughlan
 
Transforming Mining & Engineering Operations with Odoo ERP | Streamline Proje...
SatishKumar2651
 
Ad

Vulnerabilities in modern web applications

  • 1. NIYAS N S 14CS246 Vulnerabilities in Modern Web Applications
  • 2. Introduction • Trend in modern application design is to move applications into a remote server . • Consistent and quick updates • Application monitoring • and lower requirements on local hardware performance. • eg Office 365, Google Docs etc. • Need good quality of Internet connection • Security
  • 3. Contents • Penetration Testing Tools • Web Application Vulnerabilities • Security Recommendations
  • 4. Penetration Testing Tools • Higher Security risk of remotely run applications has to be verified, expressed, and minimized. • Main goal - improve the application security via pointing out its security flaws. • There are two basic phases of the testing – Reconnaissance – Application Exploitation
  • 5. Reconnaisance Phase • Passive • gather as much info about targeted network. • network itself not accesed. • Active • interact directly with targeted devices. • to identify OS, running services and potential vulnerabilities. • Application Scanning • automatized scanning of web applications. • results can present a general idea of the application • guidance in exploiting existing flaws.
  • 6. Passive Phase • Maltego – OSINT (Open Source Intelligence) type. – group of tools using publicly available data. – uses lists of indexes and databases to search for info. • Discover Scripts – OSINT type. – integrates search and scanning utilities in Kali linux OS
  • 7. Active Phase • Ettercap – open source multi platform tool for network traffic sniffing – it can capture comm. between two users in a network. – used for gather sensitive informations like password. • Nmap – it can find connected networks end devices,open ports. – it can build a network map – versions of OS, services and running daemons etc
  • 8. Application Scanning • Arachni – automatized multi-platform tool for security audits. – using asynchronous HTTP requests, parallel processing of javascript op's and multi-thread scanning. – integreted browser engine , scans web app using advan. tec • OWASP ZAP (Zed Attack Proxy) – Proxy ( comm. capturing) , Scanner (passive,active) Fuzzer (sequ. sends dangerous payload to identify vulnerability), spider(traverse all web pages) ,forced browsing (discover direct access to files stored on the server)
  • 9. Web Application Exploitation • SQL Tools – SQLMap • open source tool for testing database part of web app • typical exploitation is SQL injection • in case of succesfull exploitation, the SQLmap can access shell • data can be saved in a file ,if attack is succesfull – NoSQLMap • currently supports only MongoDB, but extensions of NoSQL databases like CouchDB, Redis and Cassandra are planned. • attack itself can take a few minutes , depends on scope.
  • 10. Web Application Exploitation • Password Attacks – Hashcat • open source tool supporting many hash algorithms.(SHA,MD) • computation run either on CPU or GPU (parallelized arch) – cudaHashcat for Nvidia – oclHashcat for AMD • hashcat contains following attack modes – straight (classical dictionary attack) – combination (words connected from multiple dictionaries) – brute-force (mask specification allows to omit unused password comb.)
  • 11. Web Application Exploitation • Burp Suite • Web Vulnerability Scanner • Proxy (captures and modify communication) • Spider (create map of web application and send forms) • Intruder (realizes attack based on performed analysis) • Repeater (repeatedly modifies HTTP requests &analyze replies) • Sequencer (analyzes the level of security tokens randomness)
  • 12. Web Application Exploitation • BeEF (Browser Exploitation Framework) – focused on XSS attacks – BeEF is modular framework – main functionality is hooking process.
  • 13. Web Application Vulnerabilities • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF) • Insecure Direct Object Reference • SQL Injection • Broken Authentication and Session Management
  • 14. Cross Site Scripting (XSS) • Malicious code that can change the look and function of a legitimate web application. • More widespread now because of move to more rich Internet applications using dynamic content and JavaScript and the latest AJAX trend. • It can be identified using OWASP ZAP and exploit using BeEF.
  • 15. Cross Site Scripting (XSS) • Impact of XSS – Data residing in web page can be sent anywhere in the world. – Facilitates many other types of attacks (CSRF, Session Attacks) – site's behaviour can be hijacked.
  • 16. Cross Site Scripting (XSS) • Demo – WebGoat Stored XSS
  • 17. Preventing XSS • Escape all user input when it is displayed – Escaping converts the output to harmless html entities • <script> becomes &lt;script&gt; • but still displayed as <script> • Ensure your filter uses a white list approach – Filters based on blacklisting have historically been flawed • E.g. PHP, Ruby on Rails sanitize method – New encoding schemes can easily bypass filters that use a blacklist approach
  • 18. Cross Site Request Forgery (CSRF) • A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application. • Occurs when an authenticated user unknowingly initiates a request • XSS facilitates CSRF via “Link Injection”
  • 19. Cross Site Request Forgery (CSRF) http://yourbank.com/transfer? to_account=my_account_number&amount=all_of_your_money
  • 20. Preventing CSRF • Add a secondary authentication mechanism –Such as an impossible to guess token • Require a confirmation page before executing potentially dangerous actions • Eliminate XSS vulnerabilities • Use POST as your form action and only accept POST requests on the server for sensitive data !
  • 21. Insecure Direct Object Reference • A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. • Attackers can manipulate those references to access other objects without authorization. • E.g. /BankAccount.jsp?acct_nmbr=123 –The hacker modifies the parameter to view another users account
  • 23. Session Attacks Session Fixation Session Hijacking • The hacker predicts a valid session key (usually via phishing) • The hacker masquerades as another user by stealing the users session id (usually via XSS)
  • 24. Insecure Direct Object Reference • Demo – Bypass a path based access control scheme
  • 25. Preventing Direct Object Reference • Properly validate data! • All input data MUST be validated server side for each request – client side validation is EASILY bypassed • Do not expose internals to the user • Such as IDs (if possible/necessary) • Use an indirect reference map with hard to guess keys (hash) • POST /BankAccount.jsp?acct_nmbr=d83OJdm3 • The server then uses the key to get the real value »Key: d83OJdm3 value: 123
  • 26. SQL Injection • SQL injection is a security vulnerability that occurs in the database layer of an application. • Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.
  • 27. SQL Injection • Login Example Attack – Text in blue is your SQL code, Text in orange is the hacker input, black text is your application code • Dynamically Build SQL String performing authentication: – “SELECT * FROM users WHERE login = ‘” + userName + “’ and password= ‘” + password + “’”; • Hacker logs in as: ‘ or ‘’ = ‘’; -- – SELECT * FROM users WHERE login = ‘’ or ‘’ = ‘’; --‘ and password=‘’
  • 28. SQL Injection • Demo – SQL String Injection
  • 29. Preventing SQL Injection • Use Prepared Statements (aka Parameterized Queries) – $id=1234 – “select * from accounts where id = “ + $id vs – “select * from accounts where id =1234” • Escape questionable characters (ticks, --, semi-colon, brackets, etc.) • Validate input – Strong typing • If the id parameter is a number, try parsing it into an integer
  • 30. Broken Authentication and Session Management • Account credentials and session tokens are often not properly protected. • Attackers compromise passwords, keys, or authentication tokens to assume other user's identities.
  • 31. Authentication Checks • Never store passwords in plaintext – Encrypt or Hash+Salt (preferred) • Architect applications to check every request to see that the authentication data is still valid • Issue a new session token when a change in privilege occurs • If you absolutely must use “remember me” functionality, use a difficult to guess authentication cookie • Authentication data is sent with every request, so protect it
  • 32. Preventing Authentication and Session Attacks • Use built in session management! • Use secure randomly generated session keys to make prediction impossible –Don’t expose the user to session ids if possible • Use reasonable session timeouts
  • 33. Preventing Authentication and Session Attacks • Demo – Session Fixation