A web security presentation talking about common web attacks and how to avoid them.
[mmf@devent2~]#
Connecting to agenda…Reply from agenda [127.0.0.1] topics=4 time=45min
- Introduction
- Famous Attacks & How 2 avoid ?
- Best Practices while coding
- End!
2 / 27
show agenda
3 / 27
HTML
CSS
JavaScript
PHP / MySQL
4 / 27
- Military Reasons
- 4 Money
- Steal sensitive data
- 4 Fun!
- 4 nothing
- and more…
8 / 27
There is no security system free of vulnerabilities.
Adham Sabry is an extremely tough man, approaching sixty years of age. He goes by the code (M-404): the letter M means he is from Mansoura, and the code 404 means he destroys all his enemies and makes them non-existent! He can also drive every kind of transport (motorcycles, cars, the Super Jet bus and even the tuk-tuk), and he is skilled with every kind of weapon, from pistols and Eid firecrackers to hydrogen bombs. He speaks 66 languages, God bless, most of which he learned while asleep. That is why he earned the title "The Man of the Impossible".
9 / 27
- Vulnerability: a weakness in the system that allows an attacker to attack the system.
- Exploit: a successful implementation of an attack that takes advantage of a vulnerability.
10 / 27
Find latest exploits on www.exploit-db.com
11 / 27
Random Attack!
13 / 27
Get information about a website:
- www.netcraft.com
- www.whois.net
- http://www.yougetsignal.com/tools/web-sites-on-web-server/
- http://domainsbyip.com/
14 / 27
# Don't trust user input
# A user can submit malicious input, so you must sanitize every input.
16 / 27
# SQL Injection: a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a web application for execution by a backend database.
17 / 27
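The slide's definition in working code, as an added example that is not part of the original deck: the same user lookup written with string concatenation (the non-validated input passes straight into the SQL) and with a prepared statement. It assumes the pdo_sqlite extension so it runs without a MySQL server; with MySQL only the DSN in the PDO constructor changes. The function names are my own.

```php
<?php
// Added example, not from the original slides. Assumes the pdo_sqlite
// extension so it runs without a MySQL server; with MySQL only the DSN
// in the PDO constructor changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// VULNERABLE: the value is pasted into the SQL text, so quote characters
// in the input rewrite the query instead of being compared as a name.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED: the SQL text is constant and the value is bound as a parameter.
// The database receives it as data, so it can never change the query.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal name and the classic tautology.
foreach (['alice', "' OR '1'='1"] as $input) {
    printf("input %-14s unsafe=%s safe=%s\n",
        json_encode($input),
        json_encode(findUserUnsafe($pdo, $input)),
        json_encode(findUserSafe($pdo, $input)));
}
```

For the name `alice` both functions return the one matching row. For the second input the concatenated query becomes `WHERE name = '' OR '1'='1'` and returns every user, while the prepared statement compares the whole string as a name and returns nothing. Escaping functions can be forgotten or applied to the wrong context; binding parameters removes the problem by construction.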
Cross-Site Scripting (XSS): a vulnerability found in web applications that enables attackers to inject client-side script into web pages viewed by other users.
18 / 27
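An added example (not from the original deck) of the injection the slide describes and the output encoding that prevents it: a user comment rendered into HTML with and without encoding, plus a link helper, since a `javascript:` URL survives encoding and needs a scheme check instead. Function names are my own.

```php
<?php
// Added example, not from the original slides: the same user comment
// rendered into HTML unsafely and safely. Function names are my own.

// VULNERABLE: the comment is concatenated into the page, so any markup or
// <script> the author wrote runs in every other visitor's browser.
function renderCommentUnsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// FIXED: encode for the HTML text context. ENT_QUOTES also encodes both
// quote characters, which matters when the same helper is reused inside
// an attribute value.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderCommentSafe(string $comment): string
{
    return '<p class="comment">' . esc($comment) . '</p>';
}

// Links need more than encoding: a javascript: URL is ordinary attribute
// text after encoding and still runs on click, so allow only http(s).
function renderLinkSafe(string $url, string $label): string
{
    if (!preg_match('#^https?://#i', $url)) {
        $url = '#';
    }
    return '<a href="' . esc($url) . '">' . esc($label) . '</a>';
}

// Constructed inputs of the kind a malicious commenter might post.
$comment = '<script>alert("xss")</script>';
echo renderCommentUnsafe($comment), "\n";
echo renderCommentSafe($comment), "\n";
echo renderLinkSafe('javascript:alert(1)', 'click me'), "\n";
echo renderLinkSafe('https://example.com/', 'example'), "\n";
```

The safe renderer turns the angle brackets and quotes into entities, so the browser displays the script text instead of executing it. Encode at output time, for the context you are writing into (HTML body, attribute, URL, JavaScript); "sanitizing" on input is not a substitute because the same value is reused in several contexts.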
Remote File Inclusion (RFI): a vulnerability that may allow an attacker to execute arbitrary scripts on a host server by causing an existing script to include an arbitrary file.
19 / 27
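The slide's "existing script that includes an arbitrary file" as an added example that is not part of the original deck: a page loader that includes whatever `?page=` names, next to one that maps the request key onto a fixed list of local templates. The page names and paths are placeholders of my own.

```php
<?php
// Added example, not from the original slides. The page names and paths
// are placeholders of my own.

// VULNERABLE: whatever the visitor puts in ?page= is included. With
// allow_url_include=On that can be a remote URL (remote file inclusion);
// even with it off, a relative path reaches other local files.
function loadPageUnsafe(string $page): void
{
    include $page;
}

// FIXED: the visitor chooses a key, the server chooses the file.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(?string $key): ?string
{
    if ($key === null || !array_key_exists($key, PAGES)) {
        return null;
    }
    return __DIR__ . '/' . PAGES[$key];
}

function loadPageSafe(?string $key): void
{
    $path = resolvePage($key);
    if ($path === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $path;
}

// Constructed requests, resolved without including anything.
$requests = ['home', 'about', '../../etc/passwd', 'http://attacker.example/x.txt', null];
foreach ($requests as $req) {
    $path = resolvePage($req);
    printf("%-34s -> %s\n", var_export($req, true), $path ?? 'rejected');
}
```

Only the two known keys resolve to a path; the traversal string, the URL and a missing parameter are all rejected before `include` runs. Keep `allow_url_include` off in php.ini (the PHP default) as a second layer, but the allow-list is what actually closes the hole, because it also covers local file inclusion.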
- Session Hijacking
- Cookie Hijacking
- Spoofed Form Submission
- Cookie Poisoning
- Command Execution
- Cross-Site Request Forgeries
- Clickjacking
- Likejacking
- Form Grabbing
- HTTP Header Injection
and more…
20 / 27
- .htaccess: a directory-level configuration file supported by several web servers.
You can use it for:
- Authentication
- Customize Response Errors
- URL Rewriting
- Cache Control
- Deny IP
- and more…
22 / 27
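An added example `.htaccess` (not from the slides) covering each item in the list above in Apache 2.4 syntax. The paths, the IP address and the rewrite target are placeholders; each block needs its module (mod_authn_file, mod_authz_core, mod_rewrite, mod_headers) loaded and `AllowOverride` permitting it.

```apache
# Added example .htaccess, not from the slides. Paths, the IP address and
# the rewrite target are placeholders. Each block needs the corresponding
# module loaded and AllowOverride to permit it; syntax is Apache 2.4.

# Authentication: HTTP Basic against a password file kept outside the web root
AuthType Basic
AuthName "Members only"
AuthUserFile /var/www/private/.htpasswd

# Deny one IP, and require a login from everyone else
<RequireAll>
    Require not ip 203.0.113.5
    Require valid-user
</RequireAll>

# Custom error responses (the target page must not itself return an error)
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html

# URL rewriting: /article/42 is served by article.php?id=42
RewriteEngine On
RewriteRule ^article/([0-9]+)$ article.php?id=$1 [L,QSA]

# Cache control for static assets
<FilesMatch "\.(css|js|png|jpg|gif)$">
    Header set Cache-Control "public, max-age=86400"
</FilesMatch>
```

The `RequireAll` block matters: two bare `Require` lines at the top level are combined as "any", so a valid user would bypass the IP block. Remember that `.htaccess` is read on every request and is only honoured where `AllowOverride` permits it; a rule that silently does nothing usually means the override was not enabled.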
- File upload is a big risk to your app.
- Don't use `$_FILES['fname']['type']`
23 / 27
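Why the slide says not to use `$_FILES['fname']['type']`: it is only the Content-Type header the client sent, so any value can be chosen. The added example below (not from the original deck) validates an image upload from the file's bytes with the fileinfo extension, lets the server pick the stored name and extension, and demonstrates the sniff on two constructed files. The function names and the allowed-type list are my own.

```php
<?php
// Added example, not from the original slides. It checks the bytes of the
// uploaded file with the fileinfo extension instead of trusting
// $_FILES['fname']['type'], which is only the Content-Type the client sent.
// Function names and the allowed-type list are my own.

const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Sniff the real media type from the file contents.
function detectMimeType(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    return $finfo->file($path) ?: 'application/octet-stream';
}

// Returns [true, $safeName] or [false, $reason]. $file is one entry of $_FILES.
function validateImageUpload(array $file, int $maxBytes = 2000000): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed'];
    }
    if ($file['size'] > $maxBytes) {
        return [false, 'file too large'];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    $mime = detectMimeType($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return [false, "type $mime not allowed"];
    }
    // The server picks both the name and the extension, so a client-chosen
    // name such as shell.php.png never reaches the disk.
    $safeName = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    return [true, $safeName];
}
// After validation, move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $safeName)
// into a directory outside the document root, or one where PHP execution is disabled.

// Demonstration on constructed files, since is_uploaded_file() only passes
// for real HTTP uploads: one contains PHP source, the other a PNG header.
$pngMagic = "\x89PNG\r\n\x1a\n";
$fake = tempnam(sys_get_temp_dir(), 'up');
$real = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake, "<?php echo 'not an image'; ?>");
file_put_contents($real, $pngMagic . str_repeat("\0", 64));
printf("php source file -> %s\n", detectMimeType($fake));
printf("png header file -> %s\n", detectMimeType($real));
unlink($fake);
unlink($real);
```

The content sniff classifies the first file as PHP source and the second as a PNG image regardless of what name or Content-Type a client supplied. Type sniffing alone is still not enough: keep the size limit, store under a random server-chosen name, and never serve the upload directory with PHP execution enabled.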
CAPTCHA: a technique used to ensure that a response is generated by a human, not a computer!
Some applications:
- Prevent comment spam
- registration pages
- online poll
- prevent Dictionary Attacks
24 / 27
Mohamed Mahmoud Fouad
www.eng-mmf.com
@mmf
/eng.mmf