misc announcements
Download
Skip this Video
Download Presentation
Misc. Announcements

Loading in 2 Seconds...

play fullscreen
1 / 10

Last Set of Slides - PowerPoint PPT Presentation


  • 233 Views
  • Uploaded on

Misc. Announcements Pre-Test2 (with past test questions!) and Final Milestone are posted! Which teams to go first? 2 options Any volunteers for the first meeting day next week? We need at least two!

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Last Set of Slides' - adamdaniel


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
misc announcements
Misc. Announcements
  • Pre-Test2 (with past test questions!) and Final Milestone are posted!
  • Which teams to go first?
    • 2 options
      • Any volunteers for the first meeting day next week? We need at least two!
      • Consolidate project presentations into 1 marathon day (on the 2nd meeting day) (Work on your project on the 1st meeting day)
misc announcements2
Misc. Announcements
  • Project presentations to be held in OU 129
  • Make sure that you load up everything you need on a machine and be ready to present by simply typing the URL when you’re at the lead station. You’re not to load anything on the lead station!
  • Project presentation orders (alphabetical):
    • TBA
i d probably cover the following topics in greater details
I’d probably cover the following topics in greater details
  • More Web services
    • SOAP
    • WSDL
    • UDDI
  • Security
    • SQL injection & XSS (Cross Site Scripting)
    • HTTPS
    • Various server-supported authentications, etc.
  • More XML
    • XML Parsing
      • DOM
      • SAX
    • XSLT (extensible stylesheet language transformation)
    • DTD/XML Schema
topics cont d
Topics (cont’d)
  • AJAX
  • M-Commerce (Mobile-Commerce)
  • Deploying WAR to server
  • More Architectural Issues
    • Scalability
    • Reliability
    • Portal Development
    • etc.
sql injection
SQL Injection
  • Consider the following code segment for LoginServlet:

String queryStr = "Select count(*) from IdPassword where Id = ‘ " +

userName + " ‘ and Password = ‘ " + password + " ‘ ";

rs = stmt.executeQuery(queryStr);

// if login info is invalid, rs will have a row and the count will be 0.

// Else, login is good.

rs.next(); // get the count

if (rs.getInt(1) == 0)

outStr += "Your login info is incorrect. Try again.";

else

outStr += "Welcome back," + userName + ". Please buy something this time :)";

sql injection7
SQL Injection
  • Now consider the input:
    • Id:
      • 12345’ OR ‘1’=‘1
    • Password:
      • abcxyz\' OR \'1\'=\'1
  • The hacker gets in!!!
    • Instead of

Select count(*)

from IdPassword

where Id = ‘11111’ and Password = \'helloJava\';

    • You issue the query

Select count(*)

from IdPassword

where Id = ‘12345’ or ‘1’=‘1’

and Password = \'abcxyz\' or \'1\'=\'1\';

sql injection8
SQL Injection
  • Another example of SQL Injection:
    • http://www.foo.com/news.jsp?story=\'100\' UNION SELECT number from creditcards where type=\'visa\'
    • This effectively makes the SQL statement:
    • SELECT story from news where id=\'100\' UNION SELECT number from creditcards where type=\'visa\'
a tour of the vulnerabilities
A Tour of the Vulnerabilities
  • Buffer Overflow
    • Cause: An unchecked boundary condition allows an attacker to write data outside the bounds of allocated memory
    • Effect: An attacker may be able to insert new instructions into the program and have the program execute those instructions
    • Sample code:
      • char buf[128];
      • gets(buf);

Ref: sdtimes, 2006

vulnerabilities cont d
Vulnerabilities (cont’d)
  • Cross-Site Scripting
    • Cause: The application writes unvalidated output in an HTTP response
    • Effect: An attacker is able to write data to the victim’s browser. The attacker may exploit a known browser vulnerability, or use JavaScript to run a phishing scam. More advanced attacks against a victim’s intranet are possible.
    • Sample code:
      • String name = request.getParameter(“name”);
      • response.getWriter().println(name);
ad