Securing Web Applications: Understanding and Preventing Malicious Input Attacks, Slides of Applications of Computer Sciences

These slides discuss the importance of securing web applications against malicious input attacks, focusing on SQL injection and information leakage: the background of these attacks, their impact, and strategies for handling and preventing them. They also touch on other malicious input attacks and on defensive coding practices.

Typology: Slides

2011/2012

Uploaded on 07/18/2012 by padmavati


1

Topics of discussion today

A brief Background

Malicious input

SQL Injection

Information leakage

Future planning

References

2

Project team

• Qaiser Mehmood

Student

• Sir S.M Haroon

Supervisor

4

PHASES COVERED LAST TIME

• PHASE 1

Attacks studied were

Brute Force Attack

Account Hijacking

5

PRESENTLY DONE WORK

PHASE 2

Threats discussed this time are

• Malicious Input

• SQL Injection

• Information leakage

PHASE

Malicious Input

Attacks and Defense

Contd..

• Attackers can often trick the server into revealing customer data, allowing access to unauthorized files, or executing program code on the server itself.

• The problem lies in insecure code, and that insecurity is what creates the risk.

11

Contd..

The risks arise because:

The attacker gains access to anything that the Web application can access, which usually includes sensitive user data.

Most Web applications are not properly configured to detect and prevent these types of attacks.

13

Contd..

• There are two strategies for handling input:

• Identifying input sources

• Programming defensively

14

IDENTIFYING THE INPUT SOURCES

• In an ASP.NET application, the most obvious place to look for input is anywhere we use the Request object.

• ASP.NET provides the HttpRequest class through the Request property of the Page class.

• We should always filter data coming from the Request object, and we should never concatenate values from the Request object directly into a string.

16

Other possible malicious input attacks

• Accessing a database

• Reading the file system

• Allowing users to upload or save files

• Sending HTML output to the client

• Processing a shopping cart purchase, etc.

Here we focus only on accessing a database, which is the case relevant to our project.

17

Programming defensively

• Defending against all of these application attacks requires nothing more than reasonable defensive coding practices.

• Details follow in the SQL injection section.

19

SQL Injection

• A SQL injection attack occurs when an attacker is able to execute potentially malicious SQL commands by placing SQL fragments into web form input or into the query string of a page request.

• Input forms where user or query string input directly affects the building of dynamic SQL queries, or stored procedure input parameters, are vulnerable to such an attack.

20

Contd..

• A common scenario is as follows:

A web application has a login page through which access to the application is controlled. The login page requires a login and password to be provided.

The input from the login page is used to build a dynamic SQL statement or as direct input to a stored procedure call.
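The login scenario above, together with the earlier rule that Request values must be filtered and never concatenated into a string, as an added C# example (not code from the original slides). It assumes an ASP.NET Web Forms page posting fields named "username" and "password", a hypothetical connection string named "AppDb" in web.config, and a hypothetical Users table with Username and Password columns.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Login : Page
{
    // Hypothetical connection string name; the Users table and its
    // Username/Password columns are assumed for this example.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // INSECURE: Request values are concatenated into the SQL text. A single
    // quote in either field closes the string literal and whatever follows
    // is parsed as SQL, which is exactly the injection the slides describe.
    private bool LoginUnsafe(HttpRequest req)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE Username = '"
                   + req.Form["username"] + "' AND Password = '"
                   + req.Form["password"] + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // DEFENSIVE: the same lookup with a parameterised query. Input is first
    // filtered (null and length checks), then bound as typed parameters so
    // the database receives it as data and the query structure cannot change.
    private bool LoginSafe(HttpRequest req)
    {
        string user = req.Form["username"];
        string pass = req.Form["password"];
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(pass)
            || user.Length > 64 || pass.Length > 128)
            return false;

        const string sql = "SELECT COUNT(*) FROM Users "
                         + "WHERE Username = @user AND Password = @pass";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = user;
            cmd.Parameters.Add("@pass", SqlDbType.NVarChar, 128).Value = pass;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The parameterised form also applies unchanged to the stored procedure variant of the scenario: set CommandType.StoredProcedure and pass the same parameters instead of building the call string. A production application would compare a password hash rather than the plaintext column shown here.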