
Web Application Security


nickolasj

Presentation Transcript


  1. Web Application Security in the Real World. Shahed Chowdhuri, Sr. Technical Evangelist @ Microsoft, @shahedC, WakeUpAndCode.com

  2. Overview of Web Applications (diagram): Users, Internet, Web Server, Database

  3. SQL Injection. Username: myusername. Password: ' or 1=1)#. [Submit]. Enter your username and password… but what if you can inject SQL code in the input field?

  4. SQL Injection Demo codebashing.com/sql_demo

  5. SQL Injection in the Real World Link 4 Link 1 Link 2 Link 3

  6. Solutions for SQL Injection: avoid building SQL strings by concatenation and use parameters instead; encode user input in parameters; use framework-specific features.
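To make slides 3 and 6 concrete, here is an added example (not from the presentation) that builds the slide's login query both ways against a constructed in-memory SQLite table: once by string concatenation, once with bound parameters. The `users` table, its single row, and the `make_db`/`login_*` function names are assumptions for this example; the slide's payload ends in `#`, which is MySQL's comment marker, so the constructed variant uses SQLite's `--` instead.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the login database on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('myusername', 'correct-password')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the WHERE clause by string formatting, so user input becomes SQL syntax."""
    sql = ("SELECT COUNT(*) FROM users "
           "WHERE (username = '%s' AND password = '%s')" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Same query with bound parameters: the driver sends the values separately,
    so quotes and comment markers in the input are only characters in a string."""
    sql = "SELECT COUNT(*) FROM users WHERE (username = ? AND password = ?)"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed variant of the slide's payload using SQLite's '--' comment marker.
# In the vulnerable version the clause becomes:
#   (username = 'myusername' AND password = '' or 1=1) --')
INJECTED_PASSWORD = "' or 1=1) --"


def demo():
    """Returns whether each login variant accepts the injected and the real password."""
    conn = make_db()
    return {
        "vulnerable_with_injection": login_vulnerable(conn, "myusername", INJECTED_PASSWORD),
        "parameterized_with_injection": login_parameterized(conn, "myusername", INJECTED_PASSWORD),
        "parameterized_with_real_password": login_parameterized(conn, "myusername", "correct-password"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The parameterized version needs no input encoding at all: the value never touches the SQL text, which is why the slide's first bullet (parameters instead of concatenated strings) is the fix to apply first.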

  7. Cross-Site Scripting (XSS). Enter text: Hello World! [Submit]. Text Submitted: Hello World! Enter some text and submit it… but what if you could submit script code?

  8. XSS Demo google.com/about/appsecurity/learning/xss/#BasicExample

  9. Cross-Site Scripting in the Real World Link 3 Link 1 Link 2

  10. Solutions for XSS: HTML-encode <script> tags; strip out <script> tags; use framework-specific features.
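An added example (not from the presentation) rendering the "Text Submitted:" line from slide 7 with the two approaches on slide 10: HTML-encoding the submission with Python's standard `html.escape`, and stripping `<script>` tags with a regular expression. The `render_*` function names and the sample submissions are assumptions made for this example.

```python
import html
import re


def render_encoded(text):
    """HTML-encode before inserting the submission into the page: the browser displays
    the characters literally instead of parsing them as markup."""
    return "Text Submitted: " + html.escape(text, quote=True)


# Case-insensitive match for opening and closing <script> tags.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def render_stripped(text):
    """Blocklist approach from the slide: remove <script> tags and pass the rest through raw.
    The script body survives as page text and any other markup is still interpreted."""
    return "Text Submitted: " + SCRIPT_TAG.sub("", text)


# Constructed submissions: the benign one from the slide and a script-code one.
BENIGN = "Hello World!"
SCRIPT = '<script>alert("xss")</script>'


def demo():
    """Returns the rendered output of each approach for each sample submission."""
    return {
        "encoded_benign": render_encoded(BENIGN),
        "encoded_script": render_encoded(SCRIPT),
        "stripped_benign": render_stripped(BENIGN),
        "stripped_script": render_stripped(SCRIPT),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Encoding keeps the user's text intact and leaves no `<` or `>` for the browser to act on, which is why it is the general answer; stripping changes what the user wrote and only covers the one tag it knows about. Framework-specific features (the slide's third bullet) usually do the encoding automatically at output time.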

  11. Data Exposure. Enter item: New Item?!! [Submit]. Text Submitted: Error: servername.dbname in code file, line 21. Perform an action that causes an error… unnecessary information is displayed!

  12. Solutions for Data Exposure: don't display unnecessary details; log errors in a database; provide an error code for troubleshooting.
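An added example (not from the presentation) that implements all three bullets on slide 12 together: a request handler that catches the failure from slide 11, stores the full traceback in a constructed SQLite `error_log` table under a fresh error code, and returns only a generic message plus that code to the user. The table layout, the `handle_request`/`lookup_error` names and the failing `add_item_broken` action are assumptions made for this example.

```python
import sqlite3
import traceback
import uuid


def open_error_log():
    """Constructed in-memory error log standing in for the slide's error database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE error_log (code TEXT PRIMARY KEY, detail TEXT)")
    return conn


def handle_request(conn, action):
    """Run `action`; on failure, log the full detail and hand the user only a reference code."""
    try:
        return {"ok": True, "result": action()}
    except Exception:
        code = uuid.uuid4().hex[:8].upper()  # short code the user can quote to support
        conn.execute("INSERT INTO error_log (code, detail) VALUES (?, ?)",
                     (code, traceback.format_exc()))
        conn.commit()
        return {"ok": False, "code": code,
                "message": f"Sorry, something went wrong. Error code: {code}"}


def add_item_broken():
    """Constructed failing action: the exception text carries the kind of internal detail
    (server and database names) that slide 11 shows leaking onto the page."""
    raise ConnectionError("cannot connect to servername.dbname")


def lookup_error(conn, code):
    """What an operator does with the code from the user's report."""
    row = conn.execute("SELECT detail FROM error_log WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = open_error_log()
    response = handle_request(conn, add_item_broken)
    print("shown to user:", response["message"])
    print("stored for troubleshooting:", lookup_error(conn, response["code"]).splitlines()[-1])
```

The user sees the message and the code and nothing else; the server and database names, file name and line number only ever reach the log, where someone with access can look them up by the code the user reports.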

  13. Next Steps: OWASP Top 10

  14. HP WebInspect & Fortify Tools http://hp.com/go/fortify

  15. Gartner Magic Quadrant for AST http://www.gartner.com/doc/reprints?id=1-2KU6OUB&ct=150806&st=sb

  16. Q&A

  17. Contact: SHAHED CHOWDHURI, Sr. Technical Evangelist @ Microsoft, shchowd@microsoft.com • http://WakeUpAndCode.com/msp

  18. Email:shchowd@microsoft.com Twitter: @shahedC
