Application Security, Spring 2009 © 2009 Stephen Wolff

OWASP Top Ten

The ten most critical web application security flaws. The top two are:
1. XSS (Cross-Site Scripting): unvalidated data sent to a browser.
2. Injection flaws: unvalidated user-supplied data sent to SQL.

This is the consensus of security experts globally. Some of the best are right here in Central Texas!
http://www.youtube.com/watch?v=GsRbpshqqII
SQL Basic Terminology

SQL is a Relational Database Management System (RDBMS).
Table: rows that have the same attributes.
Row: a collection of related information.
Column: an attribute of an object, e.g., an Employee.
Primary Key: unique for each row.

Employee Table

Name  Emp#  Title  Mgr   Pay
Dick  101   Sales  Spot  $50
Jane  102   IT     Spot  $60
Spot  103   Exec   BoD   $100
SQL Basic Query Format

Select – From – Where

SELECT * FROM employee WHERE (emp# = 102)

Here employee is the table name and emp# = 102 is the condition. This will return

Jane  102  IT  Spot  $60

which can be used or printed.

SELECT * FROM employee WHERE (TRUE) will return all rows.
Other SQL Syntax

-- is the comment sequence used for documenting code. It causes the SQL interpreter to ignore all else that follows.
; ends one SQL statement and starts another.
' in matched pairs is used to enclose a character string.
SQL Injection Tutorial (YouTube)
www.youtube.com/watch?v=z7eXjBvB2B4&feature=channel_page
Note: there are plenty of SQL Injection automated tools available, and of course, some are better than others.
Simple XSS Tutorial (YouTube)
Stored and Reflected XSS are similar, but reflected doesn't require login credentials! Both fail because of no input or output sanitization.
Stored: www.youtube.com/watch?v=7M-R6U2i5iI&feature=related
Reflected: www.youtube.com/watch?v=V79Dp7i4LRM&feature=channel
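To tie the SQL slides to the XSS note about missing sanitization, here is an added Python example (not from the slides) that loads the slide's Employee table into an in-memory SQLite database, shows how a query built by string concatenation lets an unvalidated emp# value turn the condition into the slide's all-rows WHERE (TRUE) form, and then shows the parameterized query and the HTML output escaping that prevent it. The table and column names, the sqlite3 usage, and the use of 1=1 in place of TRUE (for portability across SQLite versions) are my assumptions.

```python
import html
import sqlite3

# Constructed copy of the slide's Employee table (sample data for this demo).
EMPLOYEES = [
    ("Dick", 101, "Sales", "Spot", 50),
    ("Jane", 102, "IT", "Spot", 60),
    ("Spot", 103, "Exec", "BoD", 100),
]

def make_db():
    """Create an in-memory SQLite database holding the Employee table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee "
                 "(name TEXT, emp INTEGER, title TEXT, mgr TEXT, pay INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?)", EMPLOYEES)
    return conn

def lookup_unsafe(conn, emp):
    """Vulnerable: the unvalidated emp# is pasted into the statement text.

    A value such as "102) OR (1=1" rewrites the condition into the slide's
    WHERE (TRUE) form, so every row comes back instead of one.
    """
    sql = "SELECT * FROM employee WHERE (emp = " + str(emp) + ")"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, emp):
    """Hardened: a bound parameter is always a value, never SQL syntax.

    The same crafted string matches no emp# and yields no rows.
    """
    return conn.execute("SELECT * FROM employee WHERE (emp = ?)", (emp,)).fetchall()

def render_name(row):
    """Output sanitization: escape a stored value before it goes into HTML.

    Markup inside a name is shown as literal text instead of being interpreted,
    which is the step missing from the stored/reflected XSS demos.
    """
    return "<td>" + html.escape(row[0]) + "</td>"

if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, 102))             # one row: Jane
    print(lookup_unsafe(db, "102) OR (1=1"))  # all three rows
    print(lookup_safe(db, "102) OR (1=1"))    # no rows
    print(render_name(("<b>Spot</b>", 103, "Exec", "BoD", 100)))
```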
Final Thoughts…

Why consider Application Security? It's the most current category of vulnerabilities and attacks, it is widespread, and it is devastating.
Barriers to entry (code skills) are high but coming down, i.e., more tools like Metasploit.
On the whitehat side: more teaching of secure coding practices, groups like OWASP, and more tools like Metasploit and WebGoat.
Significant local expertise! RSnake, Matt Tesauro, The Denim Group, and others in OWASP.