SlideShare a Scribd company logo

Introduction to Web security

Download as PPTX, PDF
J
jeyaselvir

Web security involves protecting websites and web applications from various cyber threats. The document outlines the top 10 PHP application vulnerabilities in 2016, including information leakage, man-in-the-middle attacks, injection attacks, and SQL truncation exploits. It provides tips for preventing vulnerabilities such as checking error logs, updating software regularly, and using strong password hashing. The key is to stay vigilant by monitoring logs and source code for signs of intrusion and preparing to reinstall systems if needed.

Software
Related topics:
Web Security Overview
1 of 11
Downloaded 17 times
1
2
3
4
5
6
7
8
9
10
11
Introduction to Web Security
What is Web Security? Why Web Security?
Top 10 PHP application vulnerabilities 2016
Information Leakage app environment, user specific data ‱ Restrict PHP information leakage ‱ Configuration files – Configuration files should be in php not .ini, xml, etc – Secure App config variables by storing on server ‱ Separate your back up files from root directory HTTP/1.x 200 OK Date: Sun, 21 Aug 2016 16:08:15 GMT Server: Apache X-Powered-By: PHP/5.5.26 ...
Man-in-the-Middle Attack A B
SSL How does HTTPS works? This presume User Accessing Secure Site Requesting Secure SSL connection from Website Host. Website Records Found. Going to the Host Web Server. Check DNS for IP address to find Web host Host responds with valid SSL certificate. Secure connection is established to transfer data WebHost.
Injection Attacks ‱ Cross Site Scripting - XSS ‱ SQL Injection ‱ Code Injection ‱ Command Injection ‱ Log Injection ‱ XML Injection
SQL Truncation Exploit Compromise user login ‱ SELECT * FROM user WHERE username='admin ’ ‱ Username = ‘admin x’ ‱ $userdata = null; if (isPasswordCorrect($username, $password)) { $userdata = getUserDataByLogin($username); ... } SELECT username FROM users WHERE username = ? AND passhash = ? SELECT * FROM users WHERE username = ? Solution: – Mysql strict mode – Unique constraint column
But what if you find you have been hacked ‱ Don’t panic ‱ Check logs (error /access) ‱ Check suspicious file names ‱ Check cron jobs ‱ search source code for keywords like: eval, base64_decode, wget, curl ‱ take DB backup & search for keywords like “iframe, script,
” ‱ Prepare yourself to reinstall your entire server
How to Prevent ‱ Check OWASP ‱ Use STRONG Password hash ‱ Error Reporting – Prodcution – OFF – Development / Other – ON ‱ Stay up-to-date – Framework – OS – 3rd party libraries – Read about new threats and best practice changes ‱ Try to run vulnerabilities scanner
Thank You https://www.linkedin.com/in/jeyasel vi @jeyaselvir

More Related Content

PPTX
Spa Secure Coding Guide
Geoffrey Vandiest
 
PPTX
Web Exploitation Security
Aman Singh
 
PPTX
Group18_Awesome4some:Proxy server.ppt
Anitha Selvan
 
PDF
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
PPTX
FI-WARE Account and OAuth solution
Javier Cerviño
 
PPTX
IdM and AC
Fernando Lopez Aguilar
 
PPTX
HTTPS at Sydney Alt.Net User Group
Jason Stangroome
 
PPT
Proxy Servers
Sourav Roy
 
Spa Secure Coding Guide
Geoffrey Vandiest
 
Web Exploitation Security
Aman Singh
 
Group18_Awesome4some:Proxy server.ppt
Anitha Selvan
 
HTTPS: What, Why and How (SmashingConf Freiburg, Sep 2015)
Guy Podjarny
 
FI-WARE Account and OAuth solution
Javier Cerviño
 
IdM and AC
Fernando Lopez Aguilar
 
HTTPS at Sydney Alt.Net User Group
Jason Stangroome
 
Proxy Servers
Sourav Roy
 

What's hot (20)

PPT
Firewall with proxy server.
stableproxies
 
PPT
Proxy Servers & Firewalls
Mehdi Poustchi Amin
 
PPTX
Adding Identity Management and Access Control to your Application
Fernando Lopez Aguilar
 
PPTX
Demystifying REST
Kirsten Hunter
 
PDF
Design and Analyze Secure Networked Systems - 3
Don Kim
 
PDF
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
PPTX
Web Cache Poisoning
KuldeepPandya5
 
PPT
Proxy server
Dlovan Salih
 
PPTX
Apache mod security 3.1
Hai Dinh Tuan
 
PPTX
DDD Melbourne 2014 security in ASP.Net Web API 2
Pratik Khasnabis
 
PPT
Php security
Uttam Kumar
 
PPTX
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PPTX
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
PPT
Cache poisoning
AlexandraLacatus
 
PPTX
Demystfying secure certs
Gary Williams
 
PPT
Proxy Servers
Sourav Roy
 
PPTX
Cm2 secure code_training_1day_data_protection
dcervigni
 
PPTX
Cm8 secure code_training_1day_security libraries
dcervigni
 
PDF
10 tips to improve your website security
Sucuri
 
PDF
How to Secure Your WordPress Site
QBurst
 
Firewall with proxy server.
stableproxies
 
Proxy Servers & Firewalls
Mehdi Poustchi Amin
 
Adding Identity Management and Access Control to your Application
Fernando Lopez Aguilar
 
Demystifying REST
Kirsten Hunter
 
Design and Analyze Secure Networked Systems - 3
Don Kim
 
Hack proof your ASP NET Applications
Sarvesh Kushwaha
 
Web Cache Poisoning
KuldeepPandya5
 
Proxy server
Dlovan Salih
 
Apache mod security 3.1
Hai Dinh Tuan
 
DDD Melbourne 2014 security in ASP.Net Web API 2
Pratik Khasnabis
 
Php security
Uttam Kumar
 
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
Cache poisoning
AlexandraLacatus
 
Demystfying secure certs
Gary Williams
 
Proxy Servers
Sourav Roy
 
Cm2 secure code_training_1day_data_protection
dcervigni
 
Cm8 secure code_training_1day_security libraries
dcervigni
 
10 tips to improve your website security
Sucuri
 
How to Secure Your WordPress Site
QBurst
 
Ad

Viewers also liked (20)

ODP
Top 10 Web Security Vulnerabilities
Carol McDonald
 
PDF
Web Security 101
Michael Peters
 
PPTX
Web Security
ADIEFEH
 
PPTX
Web Security
Tripad M
 
PDF
Web Security - Introduction v.1.3
Oles Seheda
 
PDF
Top 10 Web App Security Risks
Sperasoft
 
KEY
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
PDF
Security and Privacy on the Web in 2016
Francois Marier
 
PDF
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Ajith Chandran
 
PDF
Remote File Inclusion (RFI) Vulnerabilities 101
Imperva
 
PPT
Top Ten Proactive Web Security Controls v5
Jim Manico
 
PDF
Web Security
Gerald Villorente
 
PPT
Php & Web Security - PHPXperts 2009
mirahman
 
KEY
Introduction to web security @ confess 2012
jakobkorherr
 
PPT
Security in Web 2.0, Social Web and Cloud
ITDogadjaji.com
 
PDF
Web Security
Randy Connolly
 
PDF
Cisco Study: State of Web Security
Cisco Canada
 
PDF
Evolution Of Web Security
Chris Shiflett
 
PDF
How to Prevent RFI and LFI Attacks
Imperva
 
PDF
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Top 10 Web Security Vulnerabilities
Carol McDonald
 
Web Security 101
Michael Peters
 
Web Security
ADIEFEH
 
Web Security
Tripad M
 
Web Security - Introduction v.1.3
Oles Seheda
 
Top 10 Web App Security Risks
Sperasoft
 
ONE Conference: Vulnerabilities in Web Applications
Netcetera
 
Security and Privacy on the Web in 2016
Francois Marier
 
Nullcon Jailbreak CTF 2012,Walkthrough by Team Loosers
Ajith Chandran
 
Remote File Inclusion (RFI) Vulnerabilities 101
Imperva
 
Top Ten Proactive Web Security Controls v5
Jim Manico
 
Web Security
Gerald Villorente
 
Php & Web Security - PHPXperts 2009
mirahman
 
Introduction to web security @ confess 2012
jakobkorherr
 
Security in Web 2.0, Social Web and Cloud
ITDogadjaji.com
 
Web Security
Randy Connolly
 
Cisco Study: State of Web Security
Cisco Canada
 
Evolution Of Web Security
Chris Shiflett
 
How to Prevent RFI and LFI Attacks
Imperva
 
Local File Inclusion to Remote Code Execution
n|u - The Open Security Community
 
Ad

Similar to Introduction to Web security (20)

PPTX
Lesson 6 web based attacks
Frank Victory
 
PPT
IIS-training-document-internal-users.ppt
mschaitanya4466
 
PPT
IIS internet information service NSA.ppt
ImranAhmadAhmad
 
PDF
How to Harden the Security of Your .NET Website
DNN
 
PPTX
Add a web server
AgCharu
 
PDF
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
PDF
Flashack
n|u - The Open Security Community
 
PPT
Pentesting web applications
Satish b
 
PDF
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
PPTX
hardenning Operating System Server Berbasis Linux
jokerman16
 
PPTX
Application and Server Security
Brian Pontarelli
 
PDF
Windows Hosting Documentation
webhostingguy
 
PDF
AOEconf17: Application Security
AOE
 
PDF
AOEconf17: Application Security - Bastian Ike
AOE
 
PDF
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
PDF
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
PPTX
Basics of web technologies
Bambootechies
 
PDF
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
PPT
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
PDF
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 
Lesson 6 web based attacks
Frank Victory
 
IIS-training-document-internal-users.ppt
mschaitanya4466
 
IIS internet information service NSA.ppt
ImranAhmadAhmad
 
How to Harden the Security of Your .NET Website
DNN
 
Add a web server
AgCharu
 
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
Flashack
n|u - The Open Security Community
 
Pentesting web applications
Satish b
 
Going Beyond Cross Domain Boundaries (jQuery Bulgaria)
Ivo Andreev
 
hardenning Operating System Server Berbasis Linux
jokerman16
 
Application and Server Security
Brian Pontarelli
 
Windows Hosting Documentation
webhostingguy
 
AOEconf17: Application Security
AOE
 
AOEconf17: Application Security - Bastian Ike
AOE
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Building Client-Side Attacks with HTML5 Features
Conviso Application Security
 
Basics of web technologies
Bambootechies
 
BeEF_EUSecWest-2012_Michele-Orru
Michele Orru
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
Krzysztof Kotowicz - Hacking HTML5
DefconRussia
 

Recently uploaded (20)

PPTX
history of c programming in notes for students .pptx
Vijayakumari829030
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PDF
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
PDF
System and Network Administration Chapter 2
jaramharo
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PPTX
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
AI in Product Development-omnex systems
omnex systems
 
history of c programming in notes for students .pptx
Vijayakumari829030
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
How to Choose the Right IT Partner for Your Business in Malaysia
Asian Business Services & Technologies
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
ai tools demonstartion for schools and inter college
harshavardhanreddyka11
 
System and Network Administration Chapter 2
jaramharo
 
Introduction to Artificial Intelligence
lohedi9363
 
Odoo POS Development Services by CandidRoot Solutions
CandidRoot Solutions Private Limited
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Operating system designcfffgfgggggggvggggggggg
rmskumara09
 
System and Network Administraation Chapter 3
jaramharo
 
AI in Product Development-omnex systems
omnex systems
 

Introduction to Web security

  • 2. What is Web Security? Why Web Security?
  • 3. Top 10 PHP application vulnerabilities 2016
  • 4. Information Leakage app environment, user specific data ‱ Restrict PHP information leakage ‱ Configuration files – Configuration files should be in php not .ini, xml, etc – Secure App config variables by storing on server ‱ Separate your back up files from root directory HTTP/1.x 200 OK Date: Sun, 21 Aug 2016 16:08:15 GMT Server: Apache X-Powered-By: PHP/5.5.26 ...
  • 6. SSL How does HTTPS works? This presume User Accessing Secure Site Requesting Secure SSL connection from Website Host. Website Records Found. Going to the Host Web Server. Check DNS for IP address to find Web host Host responds with valid SSL certificate. Secure connection is established to transfer data WebHost.
  • 7. Injection Attacks ‱ Cross Site Scripting - XSS ‱ SQL Injection ‱ Code Injection ‱ Command Injection ‱ Log Injection ‱ XML Injection
  • 8. SQL Truncation Exploit Compromise user login ‱ SELECT * FROM user WHERE username='admin ’ ‱ Username = ‘admin x’ ‱ $userdata = null; if (isPasswordCorrect($username, $password)) { $userdata = getUserDataByLogin($username); ... } SELECT username FROM users WHERE username = ? AND passhash = ? SELECT * FROM users WHERE username = ? Solution: – Mysql strict mode – Unique constraint column
  • 9. But what if you find you have been hacked ‱ Don’t panic ‱ Check logs (error /access) ‱ Check suspicious file names ‱ Check cron jobs ‱ search source code for keywords like: eval, base64_decode, wget, curl ‱ take DB backup & search for keywords like “iframe, script,
” ‱ Prepare yourself to reinstall your entire server
  • 10. How to Prevent ‱ Check OWASP ‱ Use STRONG Password hash ‱ Error Reporting – Prodcution – OFF – Development / Other – ON ‱ Stay up-to-date – Framework – OS – 3rd party libraries – Read about new threats and best practice changes ‱ Try to run vulnerabilities scanner