Web Security (Power Point) - ECE Users Pages

sweetlipscasteΑσφάλεια

2 Νοε 2013 (πριν από 3 χρόνια και 10 μήνες)

92 εμφανίσεις

Web Security

Group 5

Adam Swett

Brian Marco

Why Web Security?

Web sites and web applications constantly
growing

Complex business applications are now
delivered over the web

Increased “web hacking” activity

Web Worms (Sammy)

Firewalls?

Difficulties In Traditional Hacking

Modern networks more secure

Firewalls being used in all network rollouts

OS vendors patching hole quickly

Increased maturity in coding

Firewalls


Lab Sections

SQL Injection


Basic


Blind

Cross Site Scripting (XSS)


Basics


Cookie Stealing


Java Scripting

Default Pages

CGI Vulnerabilities


Vulnerable Scripts


Nikto

SQL Injection

Exploits a security vulnerability present in
the database layer of an application


With Errors


Blind


Automated

SQL Injection

SQL Injection


Cross Site Scripting

SecurityFocus cataloged over 1,400
issues.

WhiteHat Security has Identified over
1,500 in custom web applications. 8 in 10
websites have XSS.

Tops the Web Hacking Incident Database
(WHID)


Cross Site Scripting

Cookie Stealing


One of the most common uses of XSS


Allows you to impersonate someone

Can Lead To Session Hijacking


HTTP is stateless


Only verifies at the beginning of session

Cross Site Scripting

Java Script


Can be written by anyone and executed on
any computer over the web


Most people have Java Script enabled making
it very dangerous

Cross Site Scripting

Java Script Examples


black hat search engine optimization (SEO)


Click
-
fraud


Distributed Denial of Service


Force access of illegal content


Hack other websites (IDS sirens)


Distributed email spam (Outlook Web Access)


Distributed blog spam


Vote tampering


De
-
Anonymize people


etc.


Cross Site Scripting

Default Pages

Careless hosting

Gives the ability to browse and retreive a
complete directory on the web server

Happens when the default page is missing

Not
-
so
-
strict Web server configuration

Default Pages


CGI Vulnerabilities

A number of widely distributed CGI scripts
contain known security holes

Finding the scripts and exploiting them can
be time consuming

Usually well documented on the web

Some can be worth it

CGI Vulnerabilities

Nph
-
test
-
cgi


Script included with all old versions of Apache
web Server


Allows user to view all files on the computer

Nph
-
test
-
cgi


Nikto

Nikto is an Open Source (
GPL
) web server scanner
which performs comprehensive tests against web
servers for multiple items, including over 3300 potentially
dangerous files/CGIs, versions on over 625 servers, and
version specific problems on over 230 servers. Scan
items and plugins are frequently updated and can be
automatically updated (if desired)


Nikto


Sources

NetSquare Blackhat Asia Presentation

Whitehat Security

Spi Dynamics