The importance of securing web applications against malicious input attacks, specifically focusing on sql injection and information leakage. The background of these attacks, their impact, and strategies for handling and preventing them. It also touches upon other malicious input attacks and defensive coding practices.
Typology: Slides
Qaiser Mehmood
Student
Sir S.M Haroon
Supervisor
Attacks studied previously:
Brute Force Attack
Account Hijacking
Threats discussed this time:
Malicious Input
SQL Injection
Information Leakage
Attackers can often trick the server into revealing customer data, granting access to unauthorized files, or executing program code on the server itself.
The root cause is insecure code: input that the application trusts and uses without validation creates these risks.
The attacker gains access to anything the Web application itself can access, which usually includes sensitive user data.
Most Web applications are not written or configured to detect and prevent these types of attacks.
There are two strategies for handling input:
Identifying Input Sources
Programming Defensively
IDENTIFYING THE INPUT SOURCES
In an ASP.NET application the most obvious place to look for input is any place we use the Request object (form fields, query string, cookies, headers).
ASP.NET exposes the HttpRequest class through the Request property of the Page class.
We should always validate and filter data coming from the Request object, and we should never concatenate values from the Request object directly into a string that is later executed (a SQL statement, a file path, or HTML output).
Other places where malicious input can cause damage:
Accessing a database
Reading the file system
Allowing users to upload or save files
Sending HTML output to the client
Processing a shopping cart purchase, etc.
We focus here only on accessing a database, which is relevant to our project.
Defending against all of these application attacks requires nothing more than reasonable defensive coding practices.
Details follow in the SQL injection section.
A SQL Injection Attack is one in which an attacker is able to execute potentially malicious SQL commands by placing SQL fragments into web form input or the query string of a page request.
Input forms where user or query string input directly affects the building of dynamic SQL queries, or is passed unchecked as stored procedure input parameters, are vulnerable to such an attack.
A common scenario is as follows:
A web application has a login page through which access to the application is controlled. The login page requires a login name and password to be provided.
The input from the login page is used to build a dynamic SQL statement, or is passed as direct input to a stored procedure call.
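The login scenario above, and the earlier rule about never concatenating Request data into a string, are shown together in the following added example. It is not code from the original slides or from the project; it reproduces the same concatenation pattern in Python with an in-memory SQLite database (instead of ASP.NET and SQL Server) so that it runs offline. The table, the account and the attack strings are constructed for the example. The vulnerable function builds the statement by string concatenation exactly as the slides describe; the hardened function uses a parameterized query, so the same input is bound as a value and never parsed as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample database: one user table with a single legitimate account.
    # (A real application would store a password hash, not the password itself.)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    # Dynamic SQL built by concatenating the login form input: the pattern the
    # slides warn against. Whatever the user types becomes part of the statement.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Parameterized query: the placeholders are bound to the values by the
    # driver, so quotes, OR clauses and comment markers stay inside the value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    # Runs the legitimate login, a wrong password and two classic injection
    # payloads against both implementations and returns the outcomes.
    conn = make_db()
    tautology = "' OR '1'='1"   # closes the quote, appends an always-true clause
    comment = "alice' --"       # closes the quote, comments out the password check
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_wrong_pw": login_vulnerable(conn, "alice", "wrong"),
        "vuln_tautology": login_vulnerable(conn, tautology, tautology),
        "vuln_comment": login_vulnerable(conn, comment, "anything"),
        "safe_legit": login_safe(conn, "alice", "correct horse"),
        "safe_wrong_pw": login_safe(conn, "alice", "wrong"),
        "safe_tautology": login_safe(conn, tautology, tautology),
        "safe_comment": login_safe(conn, comment, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16s} login accepted = {ok}")
```

With the tautology payload the concatenated statement becomes `WHERE username = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable login accepts the attacker without a valid password; the comment payload turns the password check into a SQL comment. The parameterized version rejects both because the payloads are compared literally against the stored username. The same separation applies to stored procedure calls: pass the values as typed parameters rather than building the EXEC string.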