XML
DEFINITION
Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable.
XML stands for extensible Markup Language.
XML is a markup language like HTML.
XML is designed to store and transport data.
XML is designed to be self-descriptive.
XML SYNTAX
XML Declaration
The XML document can optionally have an XML declaration.
It is written as follows −
<?xml version = "1.0" encoding = "UTF-8"?>
• The XML declaration is case sensitive and must begin with "<?xml", where "xml" is written in lower-case.
• If the document contains an XML declaration, it strictly needs to be the first statement of the XML document.
• The HTTP protocol can override the value of encoding that you put in the XML declaration.
Here version is the XML version and encoding specifies the character encoding used in the document.
TAGS AND ELEMENTS
An XML file is structured by several XML-elements, also called XML-nodes or XML-tags. The names of XML-
elements are enclosed in triangular brackets < > as shown below −
<element>
Syntax Rules for Tags and Elements
Element Syntax Each XML-element needs to be closed either with start or with end elements as shown below
− −
<element>....</element>
or in simple-cases, just this way −
<element/>
XML elements can be defined as the building blocks of an XML document. Elements can behave as containers to hold text, elements, attributes, media objects or all of these.
Each XML document contains one or more elements, the scope of which is either delimited by start and end tags or, for empty elements, by an empty-element tag.
Syntax
Following is the syntax to write an XML element −
<element-name attribute1 attribute2>
    ....content
</element-name>
where,
element-name is the name of the element. The name and its case in the start and end tags must match.
attribute1, attribute2 are attributes of the element, separated by white space. An attribute defines a property of the element. It associates a name with a value, which is a string of characters. An attribute is written as −
name = "value"
name is followed by an = sign and a string value inside double (" ") or single (' ') quotes.
XML ATTRIBUTES
An attribute specifies a single property for the element, using a name/value pair. An XML element can have one or more attributes. For example −
<a href = "http://www.tutorialspoint.com/">Tutorialspoint!</a>
Here href is the attribute name and http://www.tutorialspoint.com/ is the attribute value.
Syntax Rules for XML Attributes
Attribute names in XML (unlike HTML) are case sensitive. That is, HREF and href are considered two different XML attributes.
The same attribute cannot have two values in one start tag; an attribute name may appear only once per element. The following example shows incorrect syntax because the attribute b is specified twice −
XML TAGS RULES
Following are the rules that need to be followed to use XML tags −
Rule 1
XML tags are case-sensitive. The following line of code is an example of wrong syntax: the start tag <address> and the end tag </Address> differ in case, which is treated as erroneous syntax in XML.
<address>This is wrong syntax</Address>
The following code shows the correct way, where we use the same case to name the start and the end tag.
<address>This is correct syntax</address>
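The tag and attribute rules above can be checked mechanically with Python's standard expat-based parser. This is an added example, not code from the slides: it feeds the slide's own snippets to the parser and reports which ones it rejects. The duplicate-attribute case is constructed here because the slide's example did not survive.

```python
"""Well-formedness checks for the tag and attribute rules on the slides."""
import xml.etree.ElementTree as ET

# Snippets from the slides, plus constructed cases for the rules that the
# slides state without an example (duplicate attribute, case-distinct names).
SAMPLES = {
    "mismatched_case": "<address>This is wrong syntax</Address>",
    "matching_case": "<address>This is correct syntax</address>",
    "duplicate_attribute": '<element b="1" b="2">constructed</element>',
    "attribute_case": '<element href="x" HREF="y"/>',   # two distinct names
    "empty_element": "<element/>",
}


def check_well_formed(xml_text):
    """Return (ok, message); ok is True when the parser accepts the text."""
    try:
        ET.fromstring(xml_text)
        return True, "well-formed"
    except ET.ParseError as exc:
        # expat's message names the rule that was broken, e.g.
        # "mismatched tag" or "duplicate attribute", plus line and column.
        return False, str(exc)


def check_all(samples=SAMPLES):
    """Run every sample and map its name to the parser's verdict."""
    return {name: check_well_formed(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, (ok, msg) in check_all().items():
        print(f"{name:20} {'OK ' if ok else 'ERR'} {msg}")
```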
XML TREE
An XML document is always descriptive.
The tree structure is often referred to as the XML Tree and plays an important role in describing any XML document easily.
The tree structure contains root (parent) elements, child elements and so on.
By using the tree structure, you can get to know all succeeding branches and sub-branches starting from the root.
Parsing starts at the root, then moves down the first branch to an element, takes the first branch from there, and so on to the leaf nodes.
Example
Following example demonstrates simple XML tree structure −
<?xml version = "1.0"?>
<Company>
    <Employee>
        <FirstName>Tanmay</FirstName>
        <LastName>Patil</LastName>
        <ContactNo>1234567890</ContactNo>
        <Email>tanmaypatil@xyz.com</Email>
        <Address>
            <City>Bangalore</City>
            <State>Karnataka</State>
            <Zip>560212</Zip>
        </Address>
    </Employee>
</Company>
FOLLOWING TREE STRUCTURE REPRESENTS THE ABOVE XML DOCUMENT − (tree diagram from the slide; not reproduced in this transcript)
XML DTD
The XML Document Type Declaration, commonly known as DTD, is a way to describe an XML language precisely. DTDs check the vocabulary and the validity of the structure of XML documents against the grammatical rules of the appropriate XML language.
An XML DTD can either be specified inside the document, or it can be kept in a separate document and then linked separately.
Basic syntax of a DTD is as follows −
<!DOCTYPE element DTD identifier
[
    declaration1
    declaration2
    ........
]>
In the above syntax,
The DTD starts with the <!DOCTYPE delimiter.
element tells the parser to parse the document from the specified root element.
DTD identifier is an identifier for the document type definition, which may be the path to a file on the system or the URL of a file on the internet. If the DTD points to an external path, it is called the External Subset.
The square brackets [ ] enclose an optional list of entity declarations called the Internal Subset.
INTERNAL DTD
A DTD is referred to as an internal DTD if the elements are declared within the XML file. To refer to it as an internal DTD, the standalone attribute in the XML declaration must be set to yes. This means the declaration works independently of an external source.
Following is the syntax of an internal DTD −
<!DOCTYPE root-element [element-declarations]>
where root-element is the name of the root element and element-declarations is where you declare the elements.
EXAMPLE
Following is a simple example of internal DTD −
<?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?>
<!DOCTYPE address [
    <!ELEMENT address (name,company,phone)>
    <!ELEMENT name (#PCDATA)>
    <!ELEMENT company (#PCDATA)>
    <!ELEMENT phone (#PCDATA)>
]>
<address>
    <name>Tanmay Patil</name>
    <company>TutorialsPoint</company>
    <phone>(011) 123-4567</phone>
</address>
EXTERNAL DTD
In an external DTD, elements are declared outside the XML file. They are accessed by specifying the system attributes, which may be either a legal .dtd file or a valid URL.
To refer to it as an external DTD, the standalone attribute in the XML declaration must be set to no. This means the declaration includes information from the external source.
Syntax
Following is the syntax for an external DTD −
<!DOCTYPE root-element SYSTEM "file-name">
where file-name is the file with the .dtd extension.
EXAMPLE
The following example shows external DTD usage −
<?xml version = "1.0" encoding = "UTF-8" standalone = "no" ?>
<!DOCTYPE address SYSTEM "address.dtd">
<address>
    <name>Tanmay Patil</name>
    <company>TutorialsPoint</company>
    <phone>(011) 123-4567</phone>
</address>
The content of the DTD file address.dtd is as shown −
<!ELEMENT address (name,company,phone)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT company (#PCDATA)>
<!ELEMENT phone (#PCDATA)>
XML SCHEMA
XML Schema is commonly known as XML Schema Definition (XSD).
It is used to describe and validate the structure and the content of XML data.
An XML schema defines the elements, attributes and data types.
The schema element supports namespaces. It is similar to a database schema that describes the data in a database.
Syntax
You need to declare a schema in your XML document as follows −
EXAMPLE
The following example shows how to use schema −
<?xml version = "1.0" encoding = "UTF-8"?>
<xs:schema xmlns:xs = "http://www.w3.org/2001/XMLSchema">
    <xs:element name = "contact">
        <xs:complexType>
            <xs:sequence>
                <xs:element name = "name" type = "xs:string" />
                <xs:element name = "company" type = "xs:string" />
                <xs:element name = "phone" type = "xs:int" />
            </xs:sequence>
        </xs:complexType>
    </xs:element>
</xs:schema>
The basic idea behind XML Schemas is that they describe the legitimate format that an XML document can take.
NAMESPACE
A Namespace is a set of unique names.
A Namespace is a mechanism by which element and attribute names can be assigned to a group.
The Namespace is identified by a URI (Uniform Resource Identifier).
Namespace Declaration
A Namespace is declared using reserved attributes. Such an attribute name must either be xmlns or begin with xmlns:, as shown below −
<element xmlns:name = "URL">
Syntax
The Namespace declaration starts with the keyword xmlns.
The word name is the Namespace prefix.
The URL is the Namespace identifier.
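Both the schema slide and the namespace slide can be exercised with one piece of code. This added example (not from the slides) reads the contact schema with ElementTree, which resolves the xs: prefix to the URI bound by xmlns:xs and exposes tags as {uri}local, then checks instance documents against the declared sequence and types. It covers only what the slide uses (xs:sequence, xs:string, xs:int); the standard W3C XMLSchema namespace URI is used, and the instance documents are constructed.

```python
"""A minimal checker for the contact schema from the XML Schema slide."""
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"   # the standard XML Schema namespace

CONTACT_XSD = f"""<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="{XS}">
<xs:element name="contact">
<xs:complexType>
<xs:sequence>
<xs:element name="name" type="xs:string" />
<xs:element name="company" type="xs:string" />
<xs:element name="phone" type="xs:int" />
</xs:sequence>
</xs:complexType>
</xs:element>
</xs:schema>"""


def split_qname(tag):
    """Split ElementTree's '{uri}local' form into (uri, local); the prefix
    written in the file (xs) is gone, only the namespace URI remains."""
    if tag.startswith("{"):
        uri, local = tag[1:].split("}", 1)
        return uri, local
    return None, tag


def load_sequence(xsd_text):
    """Return (root element name, [(child name, xs type), ...])."""
    schema = ET.fromstring(xsd_text)
    root_decl = schema.find(f"{{{XS}}}element")          # xs:element by URI
    children = root_decl.findall(f".//{{{XS}}}sequence/{{{XS}}}element")
    return root_decl.get("name"), [(c.get("name"), c.get("type")) for c in children]


def check_value(value, xs_type):
    """Type check for the two simple types the slide's schema uses."""
    if xs_type == "xs:string":
        return True
    if xs_type == "xs:int":                                # 32-bit signed
        try:
            return -2**31 <= int(value.strip()) <= 2**31 - 1
        except ValueError:
            return False
    raise ValueError(f"unsupported type {xs_type}")


def validate(instance_text, xsd_text=CONTACT_XSD):
    """Return a list of violations; an empty list means the instance conforms."""
    root_name, sequence = load_sequence(xsd_text)
    doc = ET.fromstring(instance_text)
    errors = []
    if doc.tag != root_name:
        errors.append(f"root is <{doc.tag}>, schema expects <{root_name}>")
        return errors
    expected = [name for name, _ in sequence]
    actual = [child.tag for child in doc]
    if actual != expected:                   # xs:sequence: exact order, all present
        errors.append(f"children {actual} do not match sequence {expected}")
    types = dict(sequence)
    for child in doc:
        if child.tag in types and not check_value(child.text or "", types[child.tag]):
            errors.append(f"<{child.tag}> value {child.text!r} is not {types[child.tag]}")
    return errors


# Constructed instances: one conforming, one missing <company> and reusing
# the phone text from the DTD slide, which is not an xs:int.
GOOD_CONTACT = ("<contact><name>Tanmay Patil</name><company>TutorialsPoint"
                "</company><phone>1234567890</phone></contact>")
BAD_CONTACT = "<contact><name>Tanmay Patil</name><phone>(011) 123-4567</phone></contact>"

if __name__ == "__main__":
    print(split_qname(ET.fromstring(CONTACT_XSD).tag))
    print(validate(GOOD_CONTACT))
    print(validate(BAD_CONTACT))
```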
Web Security Extensible Markup Language.pptx
WEB SECURITY
DEFINITION
Web security protects networks, servers, and computer systems from damage to or the theft of software, hardware, or data.
It includes defending computer systems from misdirecting or disrupting the services they are designed to provide.
WHAT ARE THE BENEFITS OF WEB SECURITY?
For a modern enterprise, effective web security has broad technical and human benefits:
Protect your business and stay compliant by preventing loss of sensitive data
Protect customers and employees by securing their private information
Avoid costly service interruptions by preventing infections and exploits
Offer a better user experience by helping your users stay safe and productive
Maintain customer loyalty and trust by staying secure and out of the news
SQL INJECTION
SQL injection is a technique an attacker uses to exploit vulnerabilities in a database's search process.
With SQL injection, an attacker can obtain access to privileged information, create user permissions, modify permissions, or execute plans to change, manipulate, or destroy data.
In this way, a hacker can capture sensitive information or alter it to interrupt or control the functioning of a crucial system.
NOSQL INJECTION
NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:
Bypass authentication or protection mechanisms.
Extract or edit data.
Cause a denial of service.
Execute code on the server.
NoSQL databases store and retrieve data in a format other than traditional SQL relational tables. They use a wide range of query languages instead of a universal standard like SQL, and have fewer relational constraints.
XPATH INJECTION
XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data.
By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that they may not normally have access to.
They may even be able to elevate their privileges on the web site if the XML data is being used for authentication (such as an XML based user file).
LDAP INJECTION
Lightweight Directory Access Protocol (LDAP) is a common software protocol designed to enable anyone on a network to find resources such as other individuals, files, and devices.
Directory services such as LDAP are useful for intranets.
It can also be used to store usernames and passwords as part of a single sign-on (SSO) system.
XML INJECTION
XML injection, also known as XML External Entity (XXE) injection, is a security vulnerability that occurs when an application processes XML input incorrectly.
Attackers can exploit this vulnerability to inject malicious code into an XML input field or parameter, which can lead to a number of risks:
Sensitive data exposure: Attackers can gain unauthorized access to sensitive data
Denial of service: Attackers can overload a web app's memory or block legitimate traffic
Remote code execution: Attackers can execute unintended commands that could lead to remote code execution
Data manipulation or corruption: Attackers can change the data contained within XML files
Information disclosure: Attackers can view files on the application server filesystem or interact with external systems
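The internal and external DTD slides and this XXE section meet in the document prolog: a SYSTEM identifier or an entity declaration is what a parser must not follow blindly. This added example (not code from the slides) uses Python's expat bindings to inspect the DOCTYPE of the two address documents from the DTD slides, with external subsets and parameter entities switched off so address.dtd is never fetched, and applies a simple accept/reject policy for untrusted input. The entity-declaring document is constructed.

```python
"""Detecting internal vs external DTDs and refusing external ones."""
import xml.parsers.expat as expat

# Both documents are the ones on the DTD slides, embedded verbatim.
INTERNAL_DTD_DOC = """<?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?>
<!DOCTYPE address [
<!ELEMENT address (name,company,phone)>
<!ELEMENT name (#PCDATA)>
<!ELEMENT company (#PCDATA)>
<!ELEMENT phone (#PCDATA)>
]>
<address>
<name>Tanmay Patil</name>
<company>TutorialsPoint</company>
<phone>(011) 123-4567</phone>
</address>"""

EXTERNAL_DTD_DOC = """<?xml version = "1.0" encoding = "UTF-8" standalone = "no" ?>
<!DOCTYPE address SYSTEM "address.dtd">
<address>
<name>Tanmay Patil</name>
<company>TutorialsPoint</company>
<phone>(011) 123-4567</phone>
</address>"""

# Constructed: an internal subset that declares an entity. Entity
# declarations are the construct XXE abuses; this one holds only a literal.
ENTITY_DOC = """<?xml version="1.0"?>
<!DOCTYPE address [
<!ELEMENT address (#PCDATA)>
<!ENTITY company "TutorialsPoint">
]>
<address>&company;</address>"""


def inspect_doctype(xml_text):
    """Parse with all external fetching disabled and report what the prolog
    declares: root name, external subset (SYSTEM id), internal subset,
    entity declarations and the standalone flag (1 yes, 0 no, -1 absent)."""
    report = {"root": None, "external_subset": None, "has_internal_subset": False,
              "entities": [], "standalone": -1, "external_refs_blocked": 0,
              "text": ""}
    p = expat.ParserCreate()
    # Never read the external subset or parameter entities: a SYSTEM
    # identifier cannot pull declarations from disk or the network.
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_xmldecl(version, encoding, standalone):
        report["standalone"] = standalone

    def on_doctype(name, sysid, pubid, has_internal):
        report["root"] = name
        report["external_subset"] = sysid
        report["has_internal_subset"] = bool(has_internal)

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        report["entities"].append((name, value, sysid))

    def on_external_ref(context, base, sysid, pubid):
        # Called if content references an external entity: count it and
        # return 1 without resolving anything, so nothing is read.
        report["external_refs_blocked"] += 1
        return 1

    def on_text(data):
        report["text"] += data

    p.XmlDeclHandler = on_xmldecl
    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.CharacterDataHandler = on_text
    p.Parse(xml_text, True)
    return report


def is_safe_to_process(report):
    """Policy for untrusted input: no external subset, no entity declarations."""
    return report["external_subset"] is None and not report["entities"]


if __name__ == "__main__":
    for doc in (INTERNAL_DTD_DOC, EXTERNAL_DTD_DOC, ENTITY_DOC):
        r = inspect_doctype(doc)
        print(r["root"], r["external_subset"], r["entities"], is_safe_to_process(r))
```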
HTTP INJECTION
HTTP injection, also known as HTTP header injection, is a web application security vulnerability that occurs when an attacker tricks a web application into inserting extra HTTP headers into legitimate HTTP responses.
This can happen when HTTP headers are dynamically generated based on user input, or when user-supplied data is copied into a response header in an unsafe way.
EMAIL INJECTION
Email injection is a vulnerability that lets a malicious hacker abuse email-related functionality, such as email contact forms on web pages, to send malicious email content to arbitrary recipients.
Because email injection is based on injecting end-of-line characters, it is sometimes considered a type of CRLF injection attack.
Email injection is also called email header injection, SMTP header injection, or mail command injection.
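The HTTP header injection and email injection sections both hinge on end-of-line characters reaching a header, so one check serves both. This added example (not from the slides) refuses CR, LF and NUL in any value bound for a header line, decoding URL-encoded input first so an encoded sequence is seen for what it is, and applies it to a redirect target and to contact-form mail headers. All inputs are constructed.

```python
"""Refusing end-of-line characters in header-bound values."""
import re
from urllib.parse import unquote

# CR, LF and NUL are the characters that end or corrupt a header line.
FORBIDDEN = re.compile(r"[\r\n\x00]")
# Deliberately plain address syntax: no display names, comments or angle
# brackets, which removes most of the room for smuggled header text.
ADDRESS = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class HeaderInjection(ValueError):
    pass


def clean_header_value(raw, url_encoded=False):
    """Return raw if it fits on one header line, else raise.
    Decode first when the value came from a URL, so that percent-encoded
    CR/LF is inspected in decoded form."""
    value = unquote(raw) if url_encoded else raw
    if FORBIDDEN.search(value):
        raise HeaderInjection(f"line break or NUL in header value: {value!r}")
    return value


def build_redirect(target_param):
    """Header lines for a redirect whose target comes from a query
    parameter; the vulnerable pattern the HTTP injection section describes."""
    location = clean_header_value(target_param, url_encoded=True)
    return ["HTTP/1.1 302 Found", f"Location: {location}"]


def build_mail_headers(sender, recipients, subject):
    """Headers for a contact-form message. Each recipient must be a single
    plain address; sender and subject are checked for line breaks."""
    clean = []
    for addr in recipients:
        addr = clean_header_value(addr)
        if not ADDRESS.match(addr):
            raise HeaderInjection(f"not a plain address: {addr!r}")
        clean.append(addr)
    return {
        "From": clean_header_value(sender),
        "To": ", ".join(clean),
        "Subject": clean_header_value(subject),
    }


def accepts(fn, *args, **kwargs):
    """True when fn accepts the input, False when it raises HeaderInjection."""
    try:
        fn(*args, **kwargs)
        return True
    except HeaderInjection:
        return False


if __name__ == "__main__":
    print(build_redirect("/account"))
    print(accepts(build_redirect, "/account%0d%0aX-Injected:%201"))
    print(build_mail_headers("form@example.com", ["alice@example.com"], "Hello"))
```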
5 COMMON AUTHENTICATION TYPES
Cybercriminals always improve their attacks. As a result, security teams are facing plenty of authentication-related challenges.
This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process.
The list below reviews some common authentication methods used to secure modern systems.
1. PASSWORD-BASED AUTHENTICATION
Passwords are the most common method of authentication. Passwords can be in the form of a string of letters, numbers, or special characters.
To protect yourself you need to create strong passwords that include a combination of all possible options.
2. MULTI-FACTOR AUTHENTICATION
Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user.
Examples include codes generated from the user's smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition.
3. CERTIFICATE-BASED AUTHENTICATION
Certificate-based authentication technologies identify users, machines or devices by using digital certificates.
A digital certificate is an electronic document based on the idea of a driver's license or a passport.
The certificate contains the digital identity of a user, including a public key, and the digital signature of a certification authority.
Digital certificates prove the ownership of a public key and are issued only by a certification authority.
4. BIOMETRIC AUTHENTICATION
Biometric authentication is a security process that relies on the unique biological characteristics of an individual.
Here are key advantages of using biometric authentication technologies:
Biological characteristics can be easily compared to authorized features saved in a database.
Biometric authentication can control physical access when installed on gates and doors.
You can add biometrics into your multi-factor authentication process.
Biometric authentication technologies are used by consumers, governments and private corporations, including airports, military bases, and national borders.
5. TOKEN-BASED AUTHENTICATION
Token-based authentication technologies enable users to enter their credentials once and receive a unique encrypted string of random characters in exchange.
You can then use the token to access protected systems instead of entering your credentials all over again.
The digital token proves that you already have access permission.
Use cases of token-based authentication include RESTful APIs that are used by multiple frameworks and clients.
PATH TRAVERSAL ATTACKS
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder.
By manipulating variables that reference files with "dot-dot-slash (../)" sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code or configuration and critical system files.
It should be noted that access to files is limited by the operating system's access control (such as in the case of locked or in-use files on the Microsoft Windows operating system).
This attack is also known as "dot-dot-slash", "directory traversal", "directory climbing" and "backtracking".
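The defence that matches this description is to resolve every requested path and check that the result still lies under the web root. This added example (not from the slides) does that for the cases the text names: ../ sequences, their URL-encoded and double-encoded variants, backslashes, NUL bytes and absolute paths. It is a lexical check on a constructed web root, so symlinks inside the root would still need os.path.realpath() on the live filesystem.

```python
"""Containing file requests under the web root."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # constructed value for the example


class TraversalError(ValueError):
    pass


def resolve_under_root(user_path, root=WEB_ROOT):
    """Map a request path to a filesystem path inside root, or raise."""
    decoded = unquote(unquote(user_path))        # single and double encoding
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    decoded = decoded.replace("\\", "/")          # treat backslash as separator
    relative = decoded.lstrip("/")               # absolute paths are taken relative to root
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # commonpath is the containment test; a plain prefix compare would
    # accept "/var/www/html-private" as being under "/var/www/html".
    if posixpath.commonpath([root, candidate]) != root:
        raise TraversalError(f"{user_path!r} escapes {root}")
    return candidate


def is_contained(user_path, root=WEB_ROOT):
    """True when the path resolves inside root, False when it is refused."""
    try:
        resolve_under_root(user_path, root)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for req in ("index.html", "docs/../index.html", "/etc/passwd",
                "../../etc/passwd", "%2e%2e%2f%2e%2e%2fetc/passwd"):
        print(f"{req!r:40} {'allowed' if is_contained(req) else 'refused'}")
```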
TYPES OF XSS
Stored XSS,
Reflected XSS and
DOM-based XSS
STORED XSS (PERSISTENT XSS)
The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application.
If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database.
REFLECTED XSS (NON-PERSISTENT XSS)
The second and the most common type of XSS is Reflected XSS (Non-persistent XSS).
In this case, the attacker's payload has to be a part of the request that is sent to the web server.
It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request.
Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server.
The reflected XSS payload is then executed in the user's browser.
DOM-BASED XSS
DOM-based XSS is an advanced XSS attack.
It is possible if the web application's client-side scripts write data provided by the user to the Document Object Model (DOM).
The data is subsequently read from the DOM by the web application and output to the browser.
If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
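The stored XSS case above, as an added example that is not part of the original deck: a comment box whose content is persisted without validation and later rendered. The first renderer copies the stored text into the page as-is, so whatever was stored becomes markup; the second escapes each value for the context it lands in (element body and attribute value). The comments and the in-memory store are constructed.

```python
"""Stored XSS: the persisted comment rendered raw versus escaped."""
import html
import re

# In-memory stand-in for the database in which the payload persists.
COMMENTS = []

# Crude detector used only to compare the two renderers: a script tag or an
# event-handler attribute that is live markup rather than escaped text.
ACTIVE_MARKUP = re.compile(r"<script|\son\w+=[\"']", re.IGNORECASE)


def store_comment(author, body):
    """Persist without validation: the precondition the slide describes."""
    COMMENTS.append({"author": author, "body": body})


def render_unsafe():
    """Vulnerable: stored text is interpolated into the markup unchanged."""
    return "\n".join(
        f'<div class="comment" data-author="{c["author"]}">{c["body"]}</div>'
        for c in COMMENTS)


def render_safe():
    """Hardened: escape per output context. quote=True also escapes quotes,
    which the attribute value needs so it cannot be closed early."""
    return "\n".join(
        f'<div class="comment" data-author="{html.escape(c["author"], quote=True)}">'
        f'{html.escape(c["body"])}</div>'
        for c in COMMENTS)


def contains_active_markup(markup):
    """True when the rendered page carries live script or handler markup."""
    return bool(ACTIVE_MARKUP.search(markup))


def demo():
    """Store one benign and one hostile comment, render both ways."""
    COMMENTS.clear()
    store_comment("alice", "Nice article")
    # Constructed payload: the author field tries to break out of the
    # attribute, the body carries a script element.
    store_comment('x" onmouseover="alert(1)', "<script>alert(1)</script>")
    return render_unsafe(), render_safe()


if __name__ == "__main__":
    unsafe, safe = demo()
    print(unsafe, contains_active_markup(unsafe))
    print(safe, contains_active_markup(safe))
```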
HERE ARE METHODS ATTACKERS USE TO COMPROMISE WEBSITES USING XSS ATTACKS:
Targeting website functions that accept user input − examples include login forms, search bars, and comment boxes. The attacker loads their malicious code on top of the valid website, deceiving the browser into running their malware whenever users load the site.
Malicious code on another domain − depending on how the attacker injects the code, the malicious content may not be on the actual website. It can be a transient element that only looks like part of the site at the time of exploitation.
Stealing session data − the JavaScript runs on the victim's browser page, permitting the attacker to steal sensitive information about the user from the website session. The attacker can compromise the user's session and gain unauthorized access.
HERE ARE DIFFERENT WAYS TO TRIGGER AN XSS ATTACK:
A user can trigger the execution automatically when they load the page or hover over certain page elements, including hyperlinks.
Attackers can carry out XSS directly, for example, in an email message containing a malicious link.
Certain XSS attacks don't have a particular target. Rather, the attacker exploits a vulnerability in a site or application, targeting random victims.
IMPACT OF XSS VULNERABILITIES
The impact of an XSS vulnerability depends on the type of application. Here is how an XSS attack will affect three types of web applications:
Static content—in a web application with static content, such as a news site with no login functionality, XSS will have minimal impact, because all users are anonymous and information is publicly available.
Sensitive data—if an application stores sensitive user data, such as financial or health services, XSS can do major damage because it can allow attackers to compromise user accounts.
Privileged users—if an attacker can use XSS to take over the session of a privileged user, such as the web application administrator, they can gain full control over the application and compromise all its data.

More Related Content

PDF
xml introduction in web technologies subject
PPTX
distributed system concerned lab sessions
PPTX
WEB PROGRAMMING
PPT
web program-Extended MARKUP Language XML.ppt
PPT
XML-Unit 1.ppt
PDF
M.FLORENCE DAYANA WEB DESIGN -Unit 5 XML
PPTX
PPTX
xml introduction in web technologies subject
distributed system concerned lab sessions
WEB PROGRAMMING
web program-Extended MARKUP Language XML.ppt
XML-Unit 1.ppt
M.FLORENCE DAYANA WEB DESIGN -Unit 5 XML

Similar to Web Security Extensible Markup Language.pptx (20)

PDF
Web Technologies Unit 2 Print.pdf
PPTX
Xml schema
PPTX
Unit 5 xml (1)
PPT
Xml and DTD's
PDF
II UNIT PPT NOTES.pdf this is the data structures
PPT
Xml by Luqman
PPTX
XML notes.pptx
PDF
Xml
DOC
Web Technology XML Attributes and elementsUnit 3.doc
PPTX
XML External Entity (XXE)
PPTX
web design technology- mark up languages
PPT
Intro to xml
PPTX
chapter 4 web authoring unit 4 xml.pptx
PPT
Xml sasidhar
PDF
IT6801-Service Oriented Architecture- UNIT-I notes
PPT
01 xml document structure
PPTX
Unit-III_JQuery.pptx engineering subject for third year students
PPTX
programming with xml for graduate students
Web Technologies Unit 2 Print.pdf
Xml schema
Unit 5 xml (1)
Xml and DTD's
II UNIT PPT NOTES.pdf this is the data structures
Xml by Luqman
XML notes.pptx
Xml
Web Technology XML Attributes and elementsUnit 3.doc
XML External Entity (XXE)
web design technology- mark up languages
Intro to xml
chapter 4 web authoring unit 4 xml.pptx
Xml sasidhar
IT6801-Service Oriented Architecture- UNIT-I notes
01 xml document structure
Unit-III_JQuery.pptx engineering subject for third year students
programming with xml for graduate students
Ad

Recently uploaded (20)

PDF
Abdominal Access Techniques with Prof. Dr. R K Mishra
PDF
Microbial disease of the cardiovascular and lymphatic systems
PDF
O5-L3 Freight Transport Ops (International) V1.pdf
PDF
TR - Agricultural Crops Production NC III.pdf
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
PDF
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PPTX
PPH.pptx obstetrics and gynecology in nursing
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PPTX
Cell Types and Its function , kingdom of life
PDF
Basic Mud Logging Guide for educational purpose
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PPTX
GDM (1) (1).pptx small presentation for students
PDF
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
PDF
VCE English Exam - Section C Student Revision Booklet
PPTX
Microbial diseases, their pathogenesis and prophylaxis
PDF
RMMM.pdf make it easy to upload and study
PDF
STATICS OF THE RIGID BODIES Hibbelers.pdf
PPTX
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Abdominal Access Techniques with Prof. Dr. R K Mishra
Microbial disease of the cardiovascular and lymphatic systems
O5-L3 Freight Transport Ops (International) V1.pdf
TR - Agricultural Crops Production NC III.pdf
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
Saundersa Comprehensive Review for the NCLEX-RN Examination.pdf
PPH.pptx obstetrics and gynecology in nursing
Module 4: Burden of Disease Tutorial Slides S2 2025
Cell Types and Its function , kingdom of life
Basic Mud Logging Guide for educational purpose
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
human mycosis Human fungal infections are called human mycosis..pptx
Final Presentation General Medicine 03-08-2024.pptx
GDM (1) (1).pptx small presentation for students
ANTIBIOTICS.pptx.pdf………………… xxxxxxxxxxxxx
VCE English Exam - Section C Student Revision Booklet
Microbial diseases, their pathogenesis and prophylaxis
RMMM.pdf make it easy to upload and study
STATICS OF THE RIGID BODIES Hibbelers.pdf
Pharmacology of Heart Failure /Pharmacotherapy of CHF
Ad

Web Security Extensible Markup Language.pptx

  • 1. XML
  • 2. DEFINITION Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine- readable. XML stands for extensible Markup Language XML is a markup language like HTML XML is designed to store and transport data XML is designed to be self-descriptive
  • 3. XML SYNTAX XML Declaration The XML document can optionally have an XML declaration. It is written as follows − <?xml version = "1.0" encoding = "UTF-8"?> •The XML declaration is case sensitive and must begin with "<?xml>" where "xml" is written in lower-case. •If document contains XML declaration, then it strictly needs to be the first statement of the XML document. •The XML declaration strictly needs be the first statement in the XML document. •An HTTP protocol can override the value of encoding that you put in the XML declaration. Where version is the XML version and encoding specifies the character encoding used in the document
  • 4. TAGS AND ELEMENTS An XML file is structured by several XML-elements, also called XML-nodes or XML-tags. The names of XML- elements are enclosed in triangular brackets < > as shown below − <element> Syntax Rules for Tags and Elements Element Syntax Each XML-element needs to be closed either with start or with end elements as shown below − − <element>....</element> or in simple-cases, just this way − <element/>
  • 5. XML elements can be defined as building blocks of an XML. Elements can behave as containers to hold text, elements, attributes, media objects or all of these. Each XML document contains one or more elements, the scope of which are either delimited by start and end tags, or for empty elements, by an empty-element tag. Syntax Following is the syntax to write an XML element − <element-name attribute1 attribute2> ....content </element-name> where, element-name is the name of the element. The name its case in the start and end tags must match. attribute1, attribute2 are attributes of the element separated by white spaces. An attribute defines a property of the element. It associates a name with a value, which is a string of characters. An attribute is written as − name = "value" name is followed by an = sign and a string value inside double(" ") or single(' ') quotes.
  • 6. XML ATTRIBUTES An attribute specifies a single property for the element, using a name/value pair. An XML- element can have one or more attributes. For example − <a href = "http://www.tutorialspoint.com/">Tutorialspoint!</a> Here href is the attribute name and http://www.tutorialspoint.com/ is attribute value. Syntax Rules for XML Attributes Attribute names in XML (unlike HTML) are case sensitive. That is, HREF and href are considered two different XML attributes. Same attribute cannot have two values in a syntax. The following example shows incorrect syntax because the attribute b is specified twice
  • 7. XML TAGS RULES Following are the rules that need to be followed to use XML tags − Rule 1 XML tags are case-sensitive. Following line of code is an example of wrong syntax </Address>, because of the case difference in two tags, which is treated as erroneous syntax in XML. <address>This is wrong syntax</Address> Following code shows a correct way, where we use the same case to name the start and the end tag. <address>This is correct syntax</address>
  • 8. XML TREE An XML document is always descriptive. The tree structure is often referred to as XML Tree and plays an important role to describe any XML document easily. The tree structure contains root (parent) elements, child elements and so on. By using tree structure, you can get to know all succeeding branches and sub- branches starting from the root. The parsing starts at the root, then moves down the first branch to an element, take the first branch from there, and so on to the leaf nodes.
  • 9. Example Following example demonstrates simple XML tree structure − <?xml version = "1.0"?> <Company> <Employee> <FirstName>Tanmay</FirstName> <LastName>Patil</LastName> <ContactNo>1234567890</ContactNo> <Email>tanmaypatil@xyz.com</Email> <Address> <City>Bangalore</City> <State>Karnataka</State> <Zip>560212</Zip> </Address> </Employee> </Company>
  • 10. FOLLOWING TREE STRUCTURE REPRESENTS THE ABOVE XML DOCUMENT −
  • 11. XML DTD The XML Document Type Declaration, commonly known as DTD, is a way to describe XML language precisely. DTDs check vocabulary and validity of the structure of XML documents against grammatical rules of appropriate XML language. An XML DTD can be either specified inside the document, or it can be kept in a separate document and then liked separately. Basic syntax of a DTD is as follows − <!DOCTYPE element DTD identifier [ declaration1 declaration2 ........ ]> In the above syntax, The DTD starts with <!DOCTYPE delimiter. An element tells the parser to parse the document from the specified root element. DTD identifier is an identifier for the document type definition, which may be the path to a file on the system or URL to a file on the internet. If the DTD is pointing to external path, it is called External Subset. The square brackets [ ] enclose an optional list of entity declarations called Internal Subset.
  • 12. INTERNAL DTD A DTD is referred to as an internal DTD if elements are declared within the XML files. To refer it as internal DTD, standalone attribute in XML declaration must be set to yes. This means, the declaration works independent of an external source. Following is the syntax of internal DTD − <!DOCTYPE root-element [element-declarations]> where root-element is the name of root element and element-declarations is where you declare the elements.
  • 13. EXAMPLE Following is a simple example of internal DTD − <?xml version = "1.0" encoding = "UTF-8" standalone = "yes" ?> <!DOCTYPE address [ <!ELEMENT address (name,company,phone)> <!ELEMENT name (#PCDATA)> <!ELEMENT company (#PCDATA)> <!ELEMENT phone (#PCDATA)> ]> <address> <name>Tanmay Patil</name> <company>TutorialsPoint</company> <phone>(011) 123-4567</phone> </address>
  • 14. EXTERNAL DTD In external DTD elements are declared outside the XML file. They are accessed by specifying the system attributes which may be either the legal .dtd file or a valid URL. To refer it as external DTD, standalone attribute in the XML declaration must be set as no. This means, declaration includes information from the external source. Syntax Following is the syntax for external DTD − <!DOCTYPE root-element SYSTEM "file-name"> where file-name is the file with .dtd extension.
  • 15. EXAMPLE The following example shows external DTD usage − <?xml version = "1.0" encoding = "UTF-8" standalone = "no" ?> <!DOCTYPE address SYSTEM "address.dtd"> <address> <name>Tanmay Patil</name> <company>TutorialsPoint</company> <phone>(011) 123-4567</phone> </address> The content of the DTD file address.dtd is as shown − <!ELEMENT address (name,company,phone)> <!ELEMENT name (#PCDATA)> <!ELEMENT company (#PCDATA)> <!ELEMENT phone (#PCDATA)>
  • 16. XML SCHEMA XML Schema is commonly known as XML Schema Definition (XSD). It is used to describe and validate the structure and the content of XML data. XML schema defines the elements, attributes and data types. Schema element supports Namespaces. It is similar to a database schema that describes the data in a database. Syntax You need to declare a schema in your XML document as follows −
  • 17. EXAMPLE The following example shows how to use schema − <?xml version = "1.0" encoding = "UTF-8"?> <xs:schema xmlns:xs = "http://www.w3.org/2001/XMLSchema"> <xs:element name = "contact"> <xs:complexType> <xs:sequence> <xs:element name = "name" type = "xs:string" /> <xs:element name = "company" type = "xs:string" /> <xs:element name = "phone" type = "xs:int" /> </xs:sequence> </xs:complexType> </xs:element> </xs:schema> The basic idea behind XML Schemas is that they describe the legitimate format that an XML document can take.
  • 18. NAMESPACE A Namespace is a set of unique names. Namespace is a mechanisms by which element and attribute name can be assigned to a group. The Namespace is identified by URI(Uniform Resource Identifiers). Namespace Declaration A Namespace is declared using reserved attributes. Such an attribute name must either be xmlns or begin with xmlns: shown as below − <element xmlns:name = "URL"> Syntax The Namespace starts with the keyword xmlns. The word name is the Namespace prefix. The URL is the Namespace identifier.
  • 21. DEFINITION Web security protects networks, servers, and computer systems from damage to or the theft of software, hardware, or data. It includes defending computer systems from misdirecting or disrupting the services they are designed to provide.
  • 22. WHAT ARE THE BENEFITS OF WEB SECURITY?
For a modern enterprise, effective web security has broad technical and human benefits:
Protect your business and stay compliant by preventing loss of sensitive data
Protect customers and employees by securing their private information
Avoid costly service interruptions by preventing infections and exploits
Offer a better user experience by helping your users stay safe and productive
Maintain customer loyalty and trust by staying secure and out of the news
  • 23. SQL INJECTION
SQL injection is a technique an attacker uses to exploit flaws in the way an application builds database queries from user input. With SQL injection, an attacker can obtain access to privileged information, create user permissions, modify permissions, or execute statements that change, manipulate, or destroy data. In this way, a hacker can capture sensitive information or alter it to interrupt or control the functioning of a crucial system.
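The mechanism described above, shown as an added example that is not part of the original slides: the same user lookup built by string concatenation and with parameter binding, against a constructed in-memory SQLite table. The table, the account names and the tautology probe are all assumptions made for the demonstration.

```python
"""Added example: the same lookup built unsafely and with parameter binding."""
import sqlite3


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample accounts (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The 'before' form: the value is spliced into the statement text, so a
    # quote inside it ends the string literal and the rest is parsed as SQL.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # Parameter binding: the statement is compiled first and the value is
    # passed separately, so it can never change the query's structure.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = demo_db()
    probe = "x' OR '1'='1"                 # tautology probe used in the demo
    print(find_user_vulnerable(db, probe))  # the WHERE clause is always true
    print(find_user_safe(db, probe))        # no account has that literal name
```

The detection side is the same contrast: a query log showing a literal that contains a quote and an `OR` is the signature of the first function, never of the second.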
  • 24. NOSQL INJECTION
NoSQL injection is a vulnerability where an attacker is able to interfere with the queries that an application makes to a NoSQL database. NoSQL injection may enable an attacker to:
Bypass authentication or protection mechanisms.
Extract or edit data.
Cause a denial of service.
Execute code on the server.
NoSQL databases store and retrieve data in a format other than traditional SQL relational tables. They use a wide range of query languages instead of a universal standard like SQL, and have fewer relational constraints.
  • 25. XPATH INJECTION
XPath Injection attacks occur when a web site uses user-supplied information to construct an XPath query for XML data. By sending intentionally malformed information into the web site, an attacker can find out how the XML data is structured, or access data that they may not normally have access to. They may even be able to elevate their privileges on the web site if the XML data is being used for authentication (such as an XML-based user file).
  • 26. LDAP INJECTION
Lightweight Directory Access Protocol (LDAP) is a common software protocol designed to enable anyone on a network to find resources such as other individuals, files, and devices. Directory services such as LDAP are useful for intranets. LDAP can also be used to store usernames and passwords as part of a single sign-on (SSO) system.
  • 27. XML INJECTION
XML injection, also known as XML External Entity (XXE) injection, is a security vulnerability that occurs when an application processes XML input incorrectly. Attackers can exploit this vulnerability to inject malicious content into an XML input field or parameter, which can lead to a number of risks:
Sensitive data exposure: Attackers can gain unauthorized access to sensitive data
Denial of service: Attackers can overload a web app's memory or block legitimate traffic
Remote code execution: Attackers can execute unintended commands that could lead to remote code execution
Data manipulation or corruption: Attackers can change the data contained within XML files
Information disclosure: Attackers can view files on the application server filesystem or interact with external systems
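A mitigation for the XXE and entity-expansion risks listed above, as an added example that is not part of the original slides: untrusted XML is first streamed through expat with handlers that abort on any DOCTYPE or entity declaration, and only then handed to ElementTree. The sample documents are constructed for the demonstration and the file URI in the rejected one is a placeholder.

```python
"""Added example: refuse DTDs and entity declarations before parsing untrusted XML."""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # External DTDs and <!ENTITY ...> definitions can only appear inside a
    # DOCTYPE, so refusing the DOCTYPE itself closes off XXE in one check.
    raise UnsafeXMLError("DOCTYPE declaration rejected: %r" % name)


def _reject_entity(*_decl):
    # Defence in depth: entity definitions are also where entity-expansion
    # denial of service starts.
    raise UnsafeXMLError("entity declaration rejected")


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source; raise UnsafeXMLError on DTD use.

    Phase 1 streams the bytes through expat with handlers that abort on the
    first DOCTYPE or entity declaration; phase 2 builds the tree from the
    same bytes with ElementTree.
    """
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    scanner.Parse(data, True)
    return ET.fromstring(data)


def is_safe_xml(data: bytes) -> bool:
    """True when the document parses without any DTD or entity declaration."""
    try:
        parse_untrusted(data)
    except (UnsafeXMLError, xml.parsers.expat.ExpatError, ET.ParseError):
        return False
    return True


# Constructed sample documents; the file URI is a placeholder, not a real path.
SAFE_DOC = b'<?xml version="1.0"?><address><name>Tanmay Patil</name></address>'
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE address [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/secret">]>'
           b'<address><name>&ext;</name></address>')
EXTERNAL_DTD_DOC = (b'<?xml version="1.0" standalone="no"?>'
                    b'<!DOCTYPE address SYSTEM "address.dtd"><address/>')
```

This check also refuses the external-DTD document from slide 15, which is the intended trade-off: input from outside the trust boundary should not be able to pull in a DTD at all, and its structure is better validated against an XSD after parsing.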
  • 28. HTTP INJECTION
HTTP injection, also known as HTTP header injection, is a web application security vulnerability that occurs when an attacker tricks a web application into inserting extra HTTP headers into legitimate HTTP responses. This can happen when HTTP headers are dynamically generated based on user input, or when user-supplied data is copied into a response header in an unsafe way.
  • 29. EMAIL INJECTION
Email injection is a vulnerability that lets a malicious hacker abuse email-related functionality, such as email contact forms on web pages, to send malicious email content to arbitrary recipients. Because email injection is based on injecting end-of-line characters, it is sometimes considered a type of CRLF injection attack. Email injection is also called email header injection, SMTP header injection, or mail command injection.
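Both HTTP header injection (slide 28) and email header injection (slide 29) come down to the same defect, a user value placed on a CRLF-framed header line without checking it for line breaks. The following added example, not part of the original slides, shows the unsafe and the checked form of that step over a header block whose name and trailer line are assumptions made for the demonstration.

```python
"""Added example: validate a header value before it goes on a CRLF-framed line."""
import re

# Characters that end a header line (CR, LF) or truncate it (NUL).
_LINE_BREAK = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    """Raised when user input would start a new header line."""


def is_safe_header_value(value: str) -> bool:
    """True when the value cannot break out of its own header line."""
    return _LINE_BREAK.search(value) is None


def validate_header_value(value: str) -> str:
    """Return the value unchanged, or raise if it contains CR, LF or NUL."""
    if not is_safe_header_value(value):
        raise HeaderInjectionError("line break or NUL in header value")
    return value


def build_header_block_unsafe(name: str, user_value: str) -> str:
    # The 'before' form: the value is concatenated straight into the block,
    # so a CRLF inside it ends this header and whatever follows becomes a
    # new header line. Works the same for an HTTP response or a mail message.
    return "%s: %s\r\nX-Generated-By: contact-form\r\n\r\n" % (name, user_value)


def build_header_block_safe(name: str, user_value: str) -> str:
    # Same framing, but the value is checked before it is placed on the line.
    return build_header_block_unsafe(name, validate_header_value(user_value))


def header_names(block: str) -> list:
    """Header names a receiver would see in the block (used for inspection)."""
    return [line.split(":", 1)[0] for line in block.split("\r\n") if line]
```

Mail and HTTP libraries in most languages apply a similar check; doing it at the input boundary as well means the request is refused before any raw header text exists to log or send.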
  • 30. 5 COMMON AUTHENTICATION TYPES
Cybercriminals always improve their attacks. As a result, security teams are facing plenty of authentication-related challenges. This is why companies are starting to implement more sophisticated incident response strategies, including authentication as part of the process. The list below reviews some common authentication methods used to secure modern systems.
  • 31. 1. PASSWORD-BASED AUTHENTICATION
Passwords are the most common method of authentication. Passwords can be in the form of a string of letters, numbers, or special characters. To protect yourself you need to create strong passwords that include a combination of all possible options.
  • 32. 2. MULTI-FACTOR AUTHENTICATION
Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user’s smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition.
  • 33. 3. CERTIFICATE-BASED AUTHENTICATION
Certificate-based authentication technologies identify users, machines or devices by using digital certificates. A digital certificate is an electronic document based on the idea of a driver’s license or a passport. The certificate contains the digital identity of a user, including a public key, and the digital signature of a certification authority. Digital certificates prove the ownership of a public key and are issued only by a certification authority.
  • 34. 4. BIOMETRIC AUTHENTICATION
Biometric authentication is a security process that relies on the unique biological characteristics of an individual. Here are key advantages of using biometric authentication technologies:
Biological characteristics can be easily compared to authorized features saved in a database.
Biometric authentication can control physical access when installed on gates and doors.
You can add biometrics into your multi-factor authentication process.
Biometric authentication technologies are used by consumers, governments and private corporations, including airports, military bases, and national borders.
  • 35. 5. TOKEN-BASED AUTHENTICATION
Token-based authentication technologies enable users to enter their credentials once and receive a unique encrypted string of random characters in exchange. You can then use the token to access protected systems instead of entering your credentials all over again. The digital token proves that you already have access permission. Use cases of token-based authentication include RESTful APIs that are used by multiple frameworks and clients.
  • 36. PATH TRAVERSAL ATTACKS
A path traversal attack (also known as directory traversal) aims to access files and directories that are stored outside the web root folder. By manipulating variables that reference files with “dot-dot-slash (../)” sequences and their variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration files and critical system files. It should be noted that access to files is limited by the operating system's access control (such as in the case of locked or in-use files on the Microsoft Windows operating system). This attack is also known as “dot-dot-slash”, “directory traversal”, “directory climbing” and “backtracking”.
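The check a file-serving handler needs against the “../” sequences and absolute paths described above, as an added example that is not part of the original slides: the requested path is refused if absolute, otherwise joined to the web root, canonicalised, and accepted only if it still lies inside the canonical root. It targets POSIX paths and assumes the framework has already URL-decoded the request path exactly once; the directory layout is constructed for the demonstration.

```python
"""Added example: map a user-supplied path onto the web root, or refuse it."""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested path would leave the web root."""


def resolve_under_root(root: str, requested: str) -> str:
    """Return the canonical on-disk path for `requested`, or raise TraversalError.

    Absolute paths are refused outright. Everything else is joined to the root
    and canonicalised, which collapses ../ segments and follows symlinks, so
    the final containment check runs on what the OS would actually open.
    """
    root_real = os.path.realpath(root)
    if os.path.isabs(requested):
        raise TraversalError("absolute path refused: %r" % requested)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # commonpath is a segment-aware prefix test: "public" vs "public2" is safe.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalError("path escapes web root: %r" % requested)
    return candidate


def is_inside_root(root: str, requested: str) -> bool:
    """Boolean form of the same check, convenient for logging or tests."""
    try:
        resolve_under_root(root, requested)
    except TraversalError:
        return False
    return True


def demo_tree() -> str:
    """Constructed layout: <tmp>/public/index.html with a sibling <tmp>/secret.txt."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.mkdir(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("not served")
    return root
```

A request that fails this check is worth logging with the raw value: repeated “../” probes against one handler are an early signal that the application is being mapped.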
  • 37. TYPES OF XSS
Stored XSS, Reflected XSS and DOM-based XSS
  • 38. STORED XSS (PERSISTENT XSS)
The most damaging type of XSS is Stored XSS (Persistent XSS). An attacker uses Stored XSS to inject malicious content (referred to as the payload), most often JavaScript code, into the target application. If there is no input validation, this malicious code is permanently stored (persisted) by the target application, for example within a database.
  • 39. REFLECTED XSS (NON-PERSISTENT XSS)
The second and the most common type of XSS is Reflected XSS (Non-persistent XSS). In this case, the attacker’s payload has to be a part of the request that is sent to the web server. It is then reflected back in such a way that the HTTP response includes the payload from the HTTP request. Attackers use malicious links, phishing emails, and other social engineering techniques to lure the victim into making a request to the server. The reflected XSS payload is then executed in the user’s browser.
  • 40. DOM-BASED XSS
DOM-based XSS is an advanced XSS attack. It is possible if the web application’s client-side scripts write data provided by the user to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and output to the browser. If the data is incorrectly handled, an attacker can inject a payload, which will be stored as part of the DOM and executed when the data is read back from the DOM.
  • 41. HERE ARE METHODS ATTACKERS USE TO COMPROMISE WEBSITES USING XSS ATTACK:
Targeting website functions that accept user input—examples include login forms, search bars, and comment boxes. The attacker loads their malicious code on top of the valid website, deceiving the browser into running their malware whenever users load the site.
Malicious code on another domain—depending on how the attacker injects the code, the malicious content may not be on the actual website. It can be a transient element that only looks like part of the site at the time of exploitation.
Stealing session data—the JavaScript runs on the victim’s browser page, permitting the attacker to steal sensitive information about the user from the website session. The attacker can compromise the user’s session and gain unauthorized access.
  • 42. HERE ARE DIFFERENT WAYS TO TRIGGER AN XSS ATTACK:
A user can trigger the execution automatically when they load the page or hover over certain page elements, including hyperlinks.
Attackers can carry out XSS directly, for example, in an email message containing a malicious link.
Certain XSS attacks don’t have a particular target. Rather, the attacker exploits a vulnerability in a site or application, targeting random victims.
  • 43. IMPACT OF XSS VULNERABILITIES
The impact of an XSS vulnerability depends on the type of application. Here is how an XSS attack will affect three types of web applications:
Static content—in a web application with static content, such as a news site with no login functionality, XSS will have minimal impact, because all users are anonymous and information is publicly available.
Sensitive data—if an application stores sensitive user data, such as financial or health services, XSS can do major damage because it can allow attackers to compromise user accounts.
Privileged users—if an attacker can use XSS to take over the session of a privileged user, such as the web application administrator, they can gain full control over the application and compromise all its data.