SlideShare a Scribd company logo

Web Vulnerabilities_NGAN Seok Chern

Quek Lilian, profile picture
Quek Lilian

The document discusses various website vulnerabilities and methods of attack, as well as countermeasures. It describes common attacks like cross-site scripting, SQL injection, buffer overflows, and directory traversals. It also covers exploiting error messages, vulnerabilities in website configuration files, and reasons for attacking websites, such as defacing or stealing credit card numbers. The document emphasizes the importance of validating and sanitizing user input, controlling access rights, updating servers with patches, and modifying error messages to prevent attacks.

Technology
1 of 16
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
WEBSITE VULNERABILITIES Ngan Seok Chern MCP | CEH | MVP – ASP / ASP.NET seokchern85@hotmail.com http://blog.scnetstudio.com
Agenda  Web application setup  Why attack  Type of attack & countermeasure
Web Application Setup
Why Attack ?  DefacingWebsite  Sealing credit card information  exploting server-side scripting  exploiting buffer overflow  and etc
Step 1. Scanning 2. Gather Information 3.Testing 4. Plan 5. Launch
Type of Attack  Cross-site Scripting / XSS Flaws  SQL Injection  Buffer Overflow  DirectoryTraversal  Error message interception attack  Web.config  and etc
Cross-site Scripting / XSS Flaws  Typically found in web applications which allow code injection by malicious users into the web pages viewed by other users.  JavaScript is commonly used.  During an attack "everything looks fine" to the end-user.  <script> </script>  Countermeasure :  Validate all your sources.  Filtering script output.
SQL Injection  SQL to manipulate database’s data  Execute from address bar, queries / searches.  SELECT fieldlist FROM table WHERE field = '$EMAIL';  SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';  Countermeasure:  Check user input.  Validate and sanitize user input that passed to database.
Buffer Overflow  Where a process stores data in a buffer outside the memory the programmer set aside for it.  Countermeasure:  Validate input length.  Check and pay extra care on loop function which carry data.
Directory Traversal  Attacker able to browse directories and files.  Expose the directory structure of application and often the underlying web server and operating system.  Eg. “../Images/logo.gif”  Countermeasure:  Define access right to the protected area  Apply checks/hot fixes  Update web server with patches in timely manner
Error Message Attack  Based on error message that show.  Example:  Your password is incorrect.  Connecting to the database on ……. With …..is not unsuccessful.  Countermeasure:  Modify and display common error message.
Web.config  Connection String Information  Example:  Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;  Countermeasure:  Encrypt your web.config.  aspnet_regiis.exe -pef "connectionStrings Name" "C:InetpubwwwrootMySite" –prov "DataProtectionConfigurationProvider”
Web.config (Original)
Web.config (Encrypted)
Summary  Programmer played important roles.  Patches your server.
Thank you Q&A

More Related Content

PPTX
Web application attacks
hruth
 
PPTX
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
PPTX
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
PPTX
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
PDF
Common Web Application Attacks
Ahmed Sherif
 
PPT
Web Application Security
Colin English
 
PDF
Broken access controls
Akansha Kesharwani
 
PPTX
Secure Code Warrior - Authentication
Secure Code Warrior
 
Web application attacks
hruth
 
ASP.NET View State - Security Issues
Ronan Dunne, CEH, SSCP
 
Secure Code Warrior - Cross site scripting
Secure Code Warrior
 
Top 10 Web Application Security Risks - Murat Lostar @ ISACA EUROCACS 2013
Lostar
 
Common Web Application Attacks
Ahmed Sherif
 
Web Application Security
Colin English
 
Broken access controls
Akansha Kesharwani
 
Secure Code Warrior - Authentication
Secure Code Warrior
 

What's hot (20)

PPTX
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
PDF
AJAX: How to Divert Threats
Cenzic
 
PPTX
2 . web app s canners
Rashid Khatmey
 
PDF
Ajax Security Dangers
drkimsky
 
PDF
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
PPT
Hacking web applications
Adeel Javaid
 
PPT
Using Proxies To Secure Applications And More
Josh Sokol
 
PPTX
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
PPTX
A5: Security Misconfiguration
Tariq Islam
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
PPTX
Dzhengis 93098 ajax - security
dzhengo44
 
PDF
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
PPT
Ajax Security
Roberto Suggi Liverani
 
PPT
IEEE KUET SPAC presentation
ahsanmm
 
PPTX
Rapid Android Application Security Testing
Nutan Kumar Panda
 
PPTX
Owasp first5 presentation
Ashwini Paranjpe
 
PDF
Web App Footprints Discovery
Aung Khant
 
PPTX
Presentation on Web Attacks
Vivek Sinha Anurag
 
PDF
Web Application Security
n|u - The Open Security Community
 
PPTX
Web application vulnerability assessment
Ravikumar Paghdal
 
Secure Code Warrior - Remote file inclusion
Secure Code Warrior
 
AJAX: How to Divert Threats
Cenzic
 
2 . web app s canners
Rashid Khatmey
 
Ajax Security Dangers
drkimsky
 
AJAX Security - LAC2016
Julia Logan a.k.a. IrishWonder
 
Hacking web applications
Adeel Javaid
 
Using Proxies To Secure Applications And More
Josh Sokol
 
Error codes & custom 404s
Ronan Dunne, CEH, SSCP
 
A5: Security Misconfiguration
Tariq Islam
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
Dzhengis 93098 ajax - security
dzhengo44
 
Web Application Security 101 - 04 Testing Methodology
Websecurify
 
Ajax Security
Roberto Suggi Liverani
 
IEEE KUET SPAC presentation
ahsanmm
 
Rapid Android Application Security Testing
Nutan Kumar Panda
 
Owasp first5 presentation
Ashwini Paranjpe
 
Web App Footprints Discovery
Aung Khant
 
Presentation on Web Attacks
Vivek Sinha Anurag
 
Web Application Security
n|u - The Open Security Community
 
Web application vulnerability assessment
Ravikumar Paghdal
 
Ad

Viewers also liked (8)

PDF
STUDY: Website Vulnerability Assessment
Symantec
 
PPSX
06 asp.net session08
Vivek Singh Chandel
 
PPTX
Cyber Security Predictions 2016
Quick Heal Technologies Ltd.
 
PPTX
15 Years of Web Security: The Rebellious Teenage Years
Jeremiah Grossman
 
PDF
JavaScript Security
Jason Harwig
 
PDF
Statistics - Top Website Vulnerabilities
Jeremiah Grossman
 
PDF
Secure development automatic identification and mitigation of application v...
peihsin1980
 
PPTX
Slideshare.Com Powerpoint
guested929b
 
STUDY: Website Vulnerability Assessment
Symantec
 
06 asp.net session08
Vivek Singh Chandel
 
Cyber Security Predictions 2016
Quick Heal Technologies Ltd.
 
15 Years of Web Security: The Rebellious Teenage Years
Jeremiah Grossman
 
JavaScript Security
Jason Harwig
 
Statistics - Top Website Vulnerabilities
Jeremiah Grossman
 
Secure development automatic identification and mitigation of application v...
peihsin1980
 
Slideshare.Com Powerpoint
guested929b
 
Ad

Similar to Web Vulnerabilities_NGAN Seok Chern (20)

PPTX
Altitude SF 2017: Security at the edge
Fastly
 
PPTX
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
PPT
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
ODP
Web Security
Chatree Kunjai
 
PDF
Attques web
Tarek MOHAMED
 
PPT
Intro to Web Application Security
Rob Ragan
 
PPS
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
PDF
Romulus OWASP
Grupo Gesfor I+D+i
 
PPTX
Owasp web security
Pankaj Kumar Sharma
 
PPTX
Cyber ppt
karthik menon
 
PPT
Jan 2008 Allup
llangit
 
PDF
ieee
Radheshyam Dhakad
 
PDF
Security Awareness
Lucas Hendrich
 
DOC
Attackers Vs Programmers
robin_bene
 
PPTX
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
PPT
performing security testing of web applications.web-and- -hacking.ppt
waudit1
 
PDF
Web application sec_3
vhimsikal
 
PPT
Hacking web applications
phanleson
 
PPT
Web Hacking
Information Technology
 
PDF
Cross Site Attacks
UTD Computer Security Group
 
Altitude SF 2017: Security at the edge
Fastly
 
webapplicationattacks-101005070110-phpapp02.pptx
SyedAliShahid3
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
abhijitapatil
 
Web Security
Chatree Kunjai
 
Attques web
Tarek MOHAMED
 
Intro to Web Application Security
Rob Ragan
 
Manindra kishore _incident_handling_n_log_analysis - ClubHack2009
ClubHack
 
Romulus OWASP
Grupo Gesfor I+D+i
 
Owasp web security
Pankaj Kumar Sharma
 
Cyber ppt
karthik menon
 
Jan 2008 Allup
llangit
 
ieee
Radheshyam Dhakad
 
Security Awareness
Lucas Hendrich
 
Attackers Vs Programmers
robin_bene
 
MS Innovation Day: A Lap Around Web Application Vulnerabilities by MVP Walter...
Quek Lilian
 
performing security testing of web applications.web-and- -hacking.ppt
waudit1
 
Web application sec_3
vhimsikal
 
Hacking web applications
phanleson
 
Web Hacking
Information Technology
 
Cross Site Attacks
UTD Computer Security Group
 

More from Quek Lilian (20)

PDF
Sgug print copy pdf ll
Quek Lilian
 
PDF
Singapore MVP gazette
Quek Lilian
 
PPTX
Expression studio overview_MVP Kok Chiann
Quek Lilian
 
PPTX
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
PPTX
Exchange server 2010 overview_MVP Padman
Quek Lilian
 
PPTX
Installing managing windows server 2008 r2_MVP Shaminda
Quek Lilian
 
PPTX
SharePoint 2010 launch_MVP Sampath Perera
Quek Lilian
 
PPT
NUS exam 70-432_MVP Choirul Amri
Quek Lilian
 
PDF
Windows server 2008 r2 and web platform_MVP Fajar
Quek Lilian
 
PPTX
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Quek Lilian
 
PPTX
Windows 7 For Students_MVP Jabez Gan
Quek Lilian
 
PPTX
Lkw Security Part 1_MVPs Azra & Sanjay
Quek Lilian
 
PDF
Sql2008 R2 Dw (Phua Chiu Kiang)
Quek Lilian
 
PPTX
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
PPTX
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
PPTX
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
PPTX
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
PPTX
Introduction To Virtualization_MVP Jabez Gan
Quek Lilian
 
PPTX
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Quek Lilian
 
PPTX
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Quek Lilian
 
Sgug print copy pdf ll
Quek Lilian
 
Singapore MVP gazette
Quek Lilian
 
Expression studio overview_MVP Kok Chiann
Quek Lilian
 
Installation and Adminstration of AD_MVP Padman
Quek Lilian
 
Exchange server 2010 overview_MVP Padman
Quek Lilian
 
Installing managing windows server 2008 r2_MVP Shaminda
Quek Lilian
 
SharePoint 2010 launch_MVP Sampath Perera
Quek Lilian
 
NUS exam 70-432_MVP Choirul Amri
Quek Lilian
 
Windows server 2008 r2 and web platform_MVP Fajar
Quek Lilian
 
Express web development with visual studio 2010 express_MVP Ronald Rajagukguk
Quek Lilian
 
Windows 7 For Students_MVP Jabez Gan
Quek Lilian
 
Lkw Security Part 1_MVPs Azra & Sanjay
Quek Lilian
 
Sql2008 R2 Dw (Phua Chiu Kiang)
Quek Lilian
 
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
Commercial Launch Win7 Dev Chalermvong
Quek Lilian
 
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
Unveiling Share Point 2010_MVP Joy Pradeep
Quek Lilian
 
Introduction To Virtualization_MVP Jabez Gan
Quek Lilian
 
Vs2010 Aspnet MSP Bootcamp_MVP Ngan Seok Chern
Quek Lilian
 
Windows 2008 Active Directory Branch office Management_MVP Sampath Perera
Quek Lilian
 

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
PPTX
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Mushroom cultivation and it's methods.pdf
mailmeonrishi
 
TechTalks-8-2019-Service-Management-ITIL-Refresh-ITIL-4-Framework-Supports-Ou...
bonakiduza1024
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
cloud_computing_Infrastucture_as_cloud_p
mainakbhattacharya20
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 

Web Vulnerabilities_NGAN Seok Chern

  • 1. WEBSITE VULNERABILITIES Ngan Seok Chern MCP | CEH | MVP – ASP / ASP.NET seokchern85@hotmail.com http://blog.scnetstudio.com
  • 2. Agenda  Web application setup  Why attack  Type of attack & countermeasure
  • 4. Why Attack ?  DefacingWebsite  Sealing credit card information  exploting server-side scripting  exploiting buffer overflow  and etc
  • 6. Type of Attack  Cross-site Scripting / XSS Flaws  SQL Injection  Buffer Overflow  DirectoryTraversal  Error message interception attack  Web.config  and etc
  • 7. Cross-site Scripting / XSS Flaws  Typically found in web applications which allow code injection by malicious users into the web pages viewed by other users.  JavaScript is commonly used.  During an attack "everything looks fine" to the end-user.  <script> </script>  Countermeasure :  Validate all your sources.  Filtering script output.
  • 8. SQL Injection  SQL to manipulate database’s data  Execute from address bar, queries / searches.  SELECT fieldlist FROM table WHERE field = '$EMAIL';  SELECT fieldlist FROM table WHERE field = 'anything' OR 'x'='x';  Countermeasure:  Check user input.  Validate and sanitize user input that passed to database.
  • 9. Buffer Overflow  Where a process stores data in a buffer outside the memory the programmer set aside for it.  Countermeasure:  Validate input length.  Check and pay extra care on loop function which carry data.
  • 10. Directory Traversal  Attacker able to browse directories and files.  Expose the directory structure of application and often the underlying web server and operating system.  Eg. “../Images/logo.gif”  Countermeasure:  Define access right to the protected area  Apply checks/hot fixes  Update web server with patches in timely manner
  • 11. Error Message Attack  Based on error message that show.  Example:  Your password is incorrect.  Connecting to the database on ……. With …..is not unsuccessful.  Countermeasure:  Modify and display common error message.
  • 12. Web.config  Connection String Information  Example:  Data Source=190.190.200.100,1433;Network Library=DBMSSOCN;Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;  Countermeasure:  Encrypt your web.config.  aspnet_regiis.exe -pef "connectionStrings Name" "C:InetpubwwwrootMySite" –prov "DataProtectionConfigurationProvider”
  • 15. Summary  Programmer played important roles.  Patches your server.