to get the file

More documents

Recommendations

Info

Injection – SQL injection illustrated Application Layer Database Layer OS/Platform layer Network Layer HTTP request APPLICATION ATTACK Firewall Accounts Finance Administration Transactions Communication Knowledge Mgmt Custom Code App Server Web Server Hardened OS E-Commerce HTTP SQL response query Bus. Functions Firewall Databases Legacy Systems Web Services Directories Human Resources DB Table Billing "SELECT * FROM Account Summary Account: accounts WHERE acct=‘’ SKU: OR 1=1-- ’" Acct:5424-6066-2134-4334 Acct:4128-7574-3921-0192 Acct:5424-9383-2039-4029 Acct:4128-0004-1234-0293 1. Application presents a form to the attacker 2. Attacker sends an attack in the form data 3. Application forwards attack to the database in a SQL query 4. Database runs query containing attack and sends encrypted results back to application 5. Application decrypts data as normal and sends results to the user image source: www.owasp.org 20
More SQL injection examples Query = "SELECT user_id FROM member WHERE user_id = ' "&strUser_id&" ' AND password = ' '&strPassword&" ' “ strAuthCheck = GetQueryResult(Query) If strAuthCheck = " " then boolAuthenticated = Fasle Else boolAuthenticated = True EndIf Query = "SELECT user_id FROM member WHERE user_id = „„ or „‟=„„ AND password = ' „ or „‟=„ „ “ strAuthCheck = GetQueryResult(Query) If strAuthCheck = " " then boolAuthenticated = Fasle Else boolAuthenticated = True EndIf Then try to inject these Id : ‘ or ‘’=‘ password : ‘ or ‘’=‘ 21
Page 1 and 2: Chapter 7. Web Application Firewall
Page 3 and 4: Remind - term project Selected data
Page 5 and 6: Agenda • I. Notice for term proje
Page 7 and 8: Web application (2/2) ▣ web appli
Page 9 and 10: Why is web security important Netwo
Page 11 and 12: Is it easy to hack into web GET / H
Page 13 and 14: Basic web hacking technique • Dir
Page 15 and 16: OWASP top 10 • OWASP top 10 proje
Page 17 and 18: What‟s new in OWASP Top 10 (2010)
Page 19: OWASP Top 10 (2010) 19
Page 23 and 24: Injection - how to defend 1. Use a
Page 25 and 26: More XSS example • url="http://14
Page 27 and 28: XSS - how to defend 1.Filter all un
Page 29 and 30: 2. Broken Access Control • Access
Page 31 and 32: 3. Broken Account and Session Manag
Page 33 and 34: 5. Buffer Overflows • Web applica
Page 35 and 36: 7. Error Handling Problems • Erro
Page 37: 8. Insecure Use of Cryptography •
Page 40 and 41: 10. Web and Application Server Misc
Page 42 and 43: Web Application Firewall • Why do
Page 44 and 45: WAF Protection models • WAF‟s m
Page 46 and 47: WAF - negative filtering model •
Page 48 and 49: WAF - Output Detection Model/Conten
Page 50 and 51: VA+WAF • Some commercial WAF prod
Page 52 and 53: Commercial WAF • art of defence -
Page 54 and 55: Agenda • I. Notice for term proje
Page 56 and 57: More practical recommendations •
Page 58 and 59: More practical recommendations •
Page 60: References • http://www.owasp.org

to get the file

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?