[mmf@devent2~]#

Connecting to agenda…Reply from agenda [127.0.0.1] topics=4 time=45min

- Introduction

- Famous Attacks & How 2 avoid ?

- Best Practices while coding

- End!

2 / 27

show agenda

3 / 27

HTML

CSS

JavaScript

PHP / MySQL

4 / 27

HTML

CSS

JavaScript

PHP / MySQL

5 / 27

HTML

CSS

JavaScript

PHP / MySQL

6 / 27

HTML

CSS

JavaScript

PHP / MySQL

7 / 27

- Military Reasons

- 4 Money

- Steal sensitive data

- 4 Fun!

- 4 nothing

- and more…

8 / 27

ال يوجد نـظــام أمـنــى خــالى من الثــغـــرات

أدهم صبرىرجل جامد جداا , داخل ع الستين من عمره

( , حرف الميم يعنى أنه من 404يرمز له بالرمز )م – فيعنى أنه يدمر جميع أعداه 404المنصورة ,, أما الكود

و يجلعهم غير موجدين!, كما أنه قادر على قيادة كل أنواع المواصالت ) الموتيسكالت, السيارات ,

السوبرجيت وحتى التوك توك (,, و يجيد استخدام !جميع أنواع األسلحة من المسداسات وبمب العيد

لغة بالصالة ع النبى 66القنابل الهيدوجينية ,ويجيد اتعلم معظمهم وهو نايم

27 / 9 “لذا استحق لقب ”رجل المستحيل

Vulnerability

Exploit

A weakness in the system that allow attacker to attack the system

Successful implementation or attack that takes advantage of vulnerability

10 / 27

Find latest exploits on www.exploit-db.com

11 / 27

12 / 27

Random Attack!

13 / 27

Get information about website

www.netcraft.comwww.whois.net

http://www.yougetsignal.com/tools/web-sites-on-web-server/

http://domainsbyip.com/

14 / 27

15 / 27

# Don’t trust user input

# User can write a malicious so, you must sanitize every input.

16 / 27

# a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database.

17 / 27

found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users

18 / 27

It is a vulnerability that may allow an attacker to execute arbitrary scripts on a host server by causing an existing script to include an arbitrary file

19 / 27

- Session Hijacking

- Cookie Hijacking

- Spoofed Form Submission

- Cookie Poisoning

- Command Execution

- Cross-Site Request Forgeries

- Clickjacking

- Likejacking

- Form Grabbing

- HTTP Header Injection

and more…

20 / 27

21 / 27

- A directory-level configuration file supported by several web servers.

You can use it for:

- Authentication

- Customize Response Errors

- URL Rewriting

- Cache Control

- Deny IP

- and more…

22 / 27

- File Upload is a big risk to your app.

- Don’t use $_FILES[‘fname’][‘type’]

23 / 27

It is a technique use to ensure that the response is generated by Human Not a computer!

Some Application

- Prevent comment spam

- registration pages

- online poll

- prevent Dictionary Attacks

24 / 27

25 / 27

26 / 27

Mohamed Mahmoud Fouad

www.eng-mmf.com

@mmf

/eng.mmf