University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Size: px
Start display at page:

Download "University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013"

Transcription

1 University of Wisconsin Platteville SE411 Senior Seminar Web System Attacks Maxwell Friederichs April 18, 2013

2 Abstract 1 Data driven web applications are at the cutting edge of technology, and changing the way that we think of modern computing. While web systems come with an incredible amount of accessibility, such accessibility also has its consequences. Careless design and poor programming on the web can have devastating side effects. This paper will address different techniques that can be used to compromise or tamper with web system s assets. Attacks such as cross-site scripting, and SQL injection (among others) will be the focal point of this paper. Possible solutions to all vulnerabilities will be stressed and presented clearly. With a dedication to secure code, any organization can save both themselves and their customers an incredible amount of time and money. Introduction The public face of nearly every organization is its web site. All sorts of important documents, and content are stored on the web. For many, the web is a first impression of an organization. Web system security is of paramount importance to ensure digital integrity for both users, and their data. A small slip in security could cost an organization everything. It is imperative that engineers understand the consequences and details of web system attacks to be better suited to stop them. Software Engineering Implications Critical parts of the software life cycle are effected by computer security. Understanding the technical details of web system attacks are a crucial part of software engineering. With-out a technical understanding of these attacks, systems can not be built securely. Discovering software vulnerabilities is an often overlooked part of the software engineering process. Furthermore, testing for vulnerabilities is much more tedious than standard functional testing. Combinations of program states, inputs, and vulnerabilities in 3rd party software can all be used to compromise a system. Software validation techniques must consider system attack vectors in order to deliver a properly built, secure system to the customer. While the validation stage is critical to the software engineering process, perhaps even more vital to preventing system attacks are the design and development stages. These stages dictate what vulnerabilities are introduced into the system. It is in the development stage that vulnerabilities can go unnoticed by developers who are not familiar with computer security. By educating engineers about the different types of ways system attacks are carried out, systems can be designed to minimize risk.

3 Types of Attacks 2 Three branches of different web attacks will be considered; server side attacks, client side attacks, and finally network based attacks. Each different flavor of attack can impact users and data in a different way. Each attack will be presented with technical detail, followed by countermeasures that can be taken to eliminate the vulnerability. Server Side Attacks Server side attacks categorize attacks that are directed at a web server, and the services it provides. Attacks in this category can include running executable code remotely, stealing information, and even obtaining root access to the machine. Often server side attacks are caused by poor programming or mishandled web server configuration. While these attacks are not directly aimed at the users of a system, they certainly can impact the user experience. SQL Injection SQL injection is an attack vector that exploits poor web application programming practices. The attack, as its name suggests, targets data-driven web systems. Poor input sanitation and poor database privilege management are two main causes for SQL injection. According to Verizon s Data Breach Investigation Report, 14% of enterprise data leaks were directly linked to SQL injection. This number does not pop out as startling until the rest of Verizon s data set is put into perspective. Considering that 55% of data leaks were linked to poor credentials. Additionally the cause of 31% of the data breaches in 2012 were unknown. This leaves the conclusion that SQL injection is the most formidable attack vector used against systems to steal data. [Verizon Enterprises, 2012] Exploitation SQL injection exploits require a respectable knowledge of web programming and databases. In order for an attacker to gain access to a database, an injection point must first be found. Once the injection point is found, the attacker can move forward with the attack and attempt to seize data or control of the website. Injection points on any data-driven web system can be any point in which the user is allowed to specify input to the system. If input is not sanitized, the attacker may be able to control the logic of a database query. Unsanitized input in Fig. 1. could allow users to log-in to the system without proper credentials.

4 3 1 SELECT FROM USERS WHERE 2 Username = $ POST [ user ] 3 AND Password = $ POST [ pass ] Figure 1: A log-in page vulnerable to SQL injection. Values from the web need to be sanitized before use in an application. Data driven applications are inherently subjective to user input. This is a necessary evil that drives most web applications today. If arbitrary input is to drive web applications, specific care must be placed when passing input values between different logic layers in the application. Consider a PHP program that constructs a query similar to the sample in Fig. 1. Data from HTTP POST is directly inserted to the query from the web. This entirely bypasses any sort of security or sanitation filter that could be set up. The natural layered architecture of the web suggests that the database layer will not be able to interpret queries from logic, and will simply execute whatever query it is passed. What if the user had submitted an input that could alter the logic of the database query? For example, the string or 1=1;, could be submitted in the user name field. The query in Fig. 2. is then sent to the database, and the logic of the original query in Fig. 1. has been altered. 1 SELECT FROM USERS WHERE 2 Username = or 1=1; Figure 2: A SQL query that will be loaded into the database after the string or 1=1; is submitted via HTTP POST. The rest of the query becomes a comment. At this point in the exploit, the attacker realizes the vulnerability in the software, and can move to further exploit the system s database. By sifting through different input values to be passed through the injection point, a number of malicious queries could be concocted and run through the database. Just a few examples include inserting data, deleting other data, dropping entire tables, or even dumping an entire database. Countermeasures While SQL injection is an incredibly dangerous attack, its countermeasures are relatively simple. Through advanced database query tactics and some input sanitation, systems can stand up against SQL injection. White Listing When parsing input it is often convenient to think in terms of what inputs the system should reject. It would appear that escaping single quotes from the injection string in Fig. 2. would fix the security hole. However, it is likely that more than just quotes need to be removed from input data (as we will soon discover!). A much better practice is white listing. White listing takes the strategy of only specifying

5 which inputs should be allowed into a system. This is the opposite of black listing, specifying inputs that should not be allowed into the system. White listing is a better practice on the web because of the massive amount of input possibilities. Often, only a finite set of characters will actually be applicable to a given input point. For example, how often does and application need to allow users to enter a single quote in a field that specifies time of day? White listing can be easily implemented with simple regular expressions built into most modern programming languages. Database Privileges Another way to stop SQL injection is by taking advantage of database user accounts. Many SQL implementations require that accounts be set up through the database in order to run queries. Applications wishing to pull information from the database must first log into an account. Database accounts can also specify which data a user should be able to access. For our previous example in Fig. 1., it makes sense that the user running the query would need select privileges. However, the same database account that an application uses to validate log-in credentials should likely not be used to also delete information from the database. The general rule: only provide database accounts with privileges that make sense for the functionality it provides. This countermeasure is not an entire fix, and works best in tandem with other tactics discussed. Parameterized Queries One more discrete method of preventing SQL injection happens in the database layer itself. Many SQL implementations offer an alternative method of passing data to queries, called parameterized queries. Fig. 3. below shows an example of such a parametrized query. Each value from the web will be passed to the database layer, and a statement will be prepared. Since the statement is prepared inside of the database layer itself, the query logic will not be able to change based on the input. The Open Web Application Security Project lists prepared statements as the number 1 option to prevent SQL injection in its SQL Injection Prevention Cheat Sheet. [OWASP, 2012] 1 PREPARE STATEMENT FROM INSERT INTO news VALUES(?,?,CURDATE( ), 0 ) 2 t i t l e = H e l l = World 3 EXECUTE STATEMENT t i t l 4 Figure 3: A sample parameterized query. The query is first sent to the database as an empty shell, then the data is processed separately in the database layer to ensure that the query s logic is not tampered with. Null Byte Injection Null byte injection is an attack that originated in the early days of the internet. Misconfigured web servers and bootstrapping mechanisms can cause arbitrary files to be served by the web server to a clever attacker. While not as prominent an attack as it once was,

6 it is still a threat to web systems and engineers should be understand how to protect against it. 5 Exploitation Null byte injection occurs when an attacker adds a null byte into a URL string, terminating the URL and any sort of filtration past the injected byte. Often, this logic is not implemented in domain specific web applications, but rather the web server that they run in. Specifically, the Apache web server has historically had problems with this attack. An internal configuration of Apache, known as mod rewrite allows web programmers to set up URL rewriting for applications. According to Netcraft s March 2013 Web Server Survey, the Apache web server is used by 61% of all websites today. Mod rewrite allows arbitrary URLs to be processed in a single logical unit, so application code need only load files relevant to the web request. This practice is known as bootstrapping. This is an incredibly flexible and powerful idea that is at the backbone of common web design patterns such as MVC. [Netcraft, 2013] The logic behind bootstrapping is what can get web developers into trouble. An example of bootstrap logic can be seen in Fig. 4. The bootstrap must implement logic necessary to load the correct files for the request. A simple programmatic task that can be accomplished with only a few lines of code. In the case of Fig. 4. an appropriate response could be to load the file, say, bootstrap.php, using the rest of the URL as data. In this general case, the bootstrap file is loaded, processed, and the request is pushed back to the client. 1 http : / / fake domain. com/ bootstrap / load / path Figure 4: A sample bootstrap load path. The bootstrap must parse the URL to determine which files are processed and what data is returned to the client. The example in Fig. 4. explains most engineers would expect to happen when a web request is made to a bootstrapped web server. But what happens when the request isn t as clean? 1 http : / / fake domain. com/ bootstrap /.. /.. / e t c /passwd%00 Figure 5: A sample null byte injection attack URL. If the bootstrap logic does not sanitize input properly, /etc/passwd will be served to the client making the request. In Fig. 5. another web request is made. This time, /../../etc/passwd%00 is appended to the URL. The null byte (%00) at the end of the URL will slice off any filtering past the URL, since in most programming languages strings are null terminated. In other words, even if the bootstrapping logic had some code to add a required file extension to the URL, it would be ignored!

7 6 Countermeasures What gives null byte injection its teeth is its transparency to developers. Most web developers will not need to develop their own bootstrap or other file loading code. Many times, before the vulnerability is even thought of by a software team, it will have been exploited, and data will have been lost. Similar principles to stopping SQL injection can also be applied to stop null byte injection. The clear solution is to not allow null bytes to be entered into the bootstrap unaccounted for. White listing, again, is the clean solution. An alternative solution to writing a bootstrap and other common, boilerplate code is using a web framework. Many different languages commonly used on the web including PHP, python, ruby, and node.js have web frameworks. Web frameworks provide a set of of tools that can be used in place of developing and writing your own bootstrap. Web frameworks can rapidly increase the amount of time spent developing a project and should always be considered to minimize the risk of an attack. Client Side Attacks Especially over the last several years, web application interfaces have dramatically expanded. This is in large part due to the expansion of JavaScript. With this expansion of JavaScript and the browser, more and more computation is being done on the client side of the web. This is great for the web and means that more computation can be pushed away from web servers, reducing communication and improving system speed. With a new emphasis on the client side of the web, the cross-hairs of many attackers now land on the user. Client side attacks are focused on exploiting the users browser and the data that is tied to the browser. This includes any cookies, sessions, or any other data stored in the browser. Specifically, cross-site scripting yields an incredible amount of power to a clever attacker. Cross-Site Scripting Cross-site scripting, otherwise known as XSS, is another injection attack that allows an attacker to embed executable code into a website. This can be incredibly dangerous for users, since the malicious code is run on websites that users otherwise would trust and visit often. After an XSS exploit is found by an attacker, the malicious code can usually be embedded into the URL. The attack sends the URL out to potential victims, and once the link is clicked, the malicious code will be run on the clients machine. XSS attacks spread incredibly fast and are very common on social networks such as Facebook and Twitter. XSS attacks essentially behave as worms in these situations, with such a large number of users clicking the exploit. The worm can quickly spread with almost no way to remove traces of the worm from a system.

8 7 Exploitation Exploiting a vulnerability with cross-site scripting is very similar to how other injection based attacks operate. Once an injection point is selected, malicious JavaScript can be set up to accomplish anything that the attacker desires. This malicious code, sometimes referred to as shellcode or a payload, ultimately decides the severity of the attack. Some examples of common XSS shellcode include cookie stealing code, session hijacking code, and even code that generates HTTP requests. XSS worms that make HTTP requests, if rapidly spread could bring a website and it s users down in a matter of minutes. There are two types of XSS attacks, persistent and non persistent. Non persistent attacks are payloads that take advantage of a vulnerable web page by passing input entirely through a URL. The malicious code is appended to the URL. Upon the web servers response, the payload is executed, and the attack is complete. The malicious input needs to be reloaded and packaged as a HTTP request for the attack to run its course again. This is not the case with persistent XSS. Persistent XSS is malicious input that also is paired with the database. Each time a request pulls data that brings up the payload, it will be executed when the page loads. Persistent XSS is as close to changing the logic behind a website without literally changing any code as one could imagine. Countermeasures Countermeasures to XSS come in several different flavors. The rule with all injection attacks is to white list input, and be cognizant of what inputs might lead to a vulnerability. Since XSS is a client side attack, client side tools can be used to effectively stop XSS from spreading. An incredible amount of research and work has been put into several projects to help browsers stop XSS attacks. Mozilla s Content Security Policy (CSP) can stop XSS before it even reaches users. A small amount of data is added to the standard HTTP header, initiating the CSP. Communication with the browser can be set up after a request and the CSP can monitor data transfer. In addition, the Content Security Policy implements a feature allowing websites to be notified when a vulnerable XSS string was pulled from a request. [Mozilla, 2009] Network Based Attacks System availability and performance are two constantly measured metrics that engineers are always looking to optimize. Network attacks hinder both performance and the availability of a system. Denial of Service attacks can render entire web systems useless by only hindering a systems availability and performance. Other network attacks are capable of stealing valuable data between trusted connections to users or other network entities.

9 Denial of Service 8 Denial of service is a category including many exhaustive network attacks that force a server to deny service to clients by flooding the machine. Each illegitimate request takes processing time or memory usage away from legitimate requests, and eventually some legitimate requests will be dropped. Denial of service encapsulates a large number of specific attack vectors. Several common methods that can effectively force a machine into denial of service will be considered. Distributed Denial of Service Distributed denial of service is an attack vector focused on attacking a system from multiple targets. This attack is incredibly hard to stop since web traffic enters the server from different locations. Filtering out legitimate requests from forged requests may be next to impossible to stop. Syn Ack Flooding Syn Ack Flooding is a more advanced and efficient method of forcing a web server into denial of service. First, the initiator makes many concurrent requests to the listener. Per the TCP protocol, the listener must respond to the initiator with SYN- ACK packets, and wait for the initiator to complete the 3-way handshake. Fig. 6. considers a normal TCP connection between a client and server. The attack is already in motion, the initiator simply does not reply with any ACK packets. The server must wait until a timeout period is reached before dropping data associated with the illegitimate requests. This can force a machine to quickly lock up and have no memory left for new requests. Figure 6: Syn-Ack flooding takes advantage of the TCP protocol s timeout stage. [Cisco, 2006] Smurf Attack This attack focuses on the ICMP (ping) protocol. The attacker forges a ping packet and sends the packet to an arbitrary machine. The attacker stamps the return

10 9 address of this packet with the IP address of the targeted machine. The arbitrary machine that received the ICMP packet will instead forward the packet to the forwarded machine. This attack is popular because it is almost impossible for administrators to track down the original attacker s address. [Symantec, 2013] Countermeasures Stopping denial of service attacks is not as cut and dry as stopping injection attacks. The best tools used to halt the effects DOS attacks are load balancers and firewalls. Distributing critical network entities can also make it harder for a single DOS attack to cripple the entire system. On UNIX systems, Iptables is an excellent choice for both load balancing and firewall protection. Iptables is a rule based firewall system. Rules can be set up to police traffic for certain addresses or speeds. Iptables can also be set up to load balance a system during heavy traffic times in the day. Conclusion The most common attack vectors on the web today are injection attacks. Injection attacks take advantage of poorly designed and poorly developed systems. The common countermeasure to stopping injection attacks is to white list input. Using software components such as web frameworks, or harnessing the power of Mozilla s Content Security Policy can ensure systems are even more secure. Finally, network security can be accomplished using tools such as Iptables to protect and load balance systems. Web system security is an often overlooked, yet vital component of all software systems. Security is always a functional requirement of every computer system. Elements of computer security appear in the design, development, testing, and maintenance phases of the software life cycle. It is important for software engineers to be informed about the technical details of web system attacks, so that better web systems can be developed. References [Cisco, 2006] The Internet Protocol Journal - Volume 9, Number 4. Cisco. N.p., n.d. Web. 20 Mar [Netcraft, 2013] March 2013 Web Server Survey. Netcraft. Netcraft, 1 Mar Web. 19 Mar [LaTeX Templates] Simple Sectioned Essay. LaTeX Templates. N.p., n.d. Web. 19 Mar

11 [Mozilla, 2009] Stopping XSS with the Content Security Policy. Mozilla Security. Mozilla Foundation, 19 Jan Web. 20 Mar [Symantec, 2013] Smurf Dos Attack. Symantec Security Glossary. Symantec Enterprise, n.d. Web. 20 Mar [OWASP, 2012] OWASP. Open Web Application Security Project, 6 Dec Web. 19 Mar SQL Injection Prevention Cheat Sheet. 10 Verizon Data Breach In- [Verizon Enterprises, 2012] Verizon Communications. (2012) vestigation Report, 31.

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION External Vulnerability Assessment -Technical Summary- Prepared for: ABC ORGANIZATI On March 9, 2008 Prepared by: AOS Security Solutions 1 of 13 Table of Contents Executive Summary... 3 Discovered Security

More information

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users.

SY0-201. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

Abstract. Introduction. Section I. What is Denial of Service Attack?

Abstract. Introduction. Section I. What is Denial of Service Attack? Abstract In this report, I am describing the main types of DoS attacks and their effect on computer and network environment. This report will form the basis of my forthcoming report which will discuss

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security Presented 2009-05-29 by David Strauss Thinking Securely Security is a process, not

More information

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

FINAL DoIT 11.03.2015 - v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES Purpose: The Department of Information Technology (DoIT) is committed to developing secure applications. DoIT s System Development Methodology (SDM) and Application Development requirements ensure that

More information

Introduction. Two levels of security vulnerabilities:

Introduction. Two levels of security vulnerabilities: Introduction Two levels of security vulnerabilities: Project level (cyphers, standard protocols, BAN logic, etc.) Implementation level (bugs, unhandled inputs, misconfigurations, etc.) There are two levels

More information

How To Classify A Dnet Attack

How To Classify A Dnet Attack Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Acquia Cloud Edge Protect Powered by CloudFlare

Acquia Cloud Edge Protect Powered by CloudFlare Acquia Cloud Edge Protect Powered by CloudFlare Denial-of-service (DoS) Attacks Are on the Rise and Have Evolved into Complex and Overwhelming Security Challenges TECHNICAL GUIDE TABLE OF CONTENTS Introduction....

More information

Introduction to Computer Security

Introduction to Computer Security Introduction to Computer Security Web Application Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Modern threat landscape The majority of modern vulnerabilities are found in web

More information

Network Threats and Vulnerabilities. Ed Crowley

Network Threats and Vulnerabilities. Ed Crowley Network Threats and Vulnerabilities Ed Crowley Objectives At the end of this unit, you will be able to describe and explain: Network attack terms Major types of attacks including Denial of Service DoS

More information

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software

Malicious Programs. CEN 448 Security and Internet Protocols Chapter 19 Malicious Software CEN 448 Security and Internet Protocols Chapter 19 Malicious Software Dr. Mostafa Hassan Dahshan Computer Engineering Department College of Computer and Information Sciences King Saud University mdahshan@ccis.ksu.edu.sa

More information

CloudFlare advanced DDoS protection

CloudFlare advanced DDoS protection CloudFlare advanced DDoS protection Denial-of-service (DoS) attacks are on the rise and have evolved into complex and overwhelming security challenges. 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com

More information

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Application security testing: Protecting your application and data

Application security testing: Protecting your application and data E-Book Application security testing: Protecting your application and data Application security testing is critical in ensuring your data and application is safe from security attack. This ebook offers

More information

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference Cracking the Perimeter via Web Application Hacking Zach Grace, CISSP, CEH zgrace@403labs.com January 17, 2014 2014 Mega Conference About 403 Labs 403 Labs is a full-service information security and compliance

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA January 25, 2007 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Cross Site Scripting in Joomla Acajoom Component

Cross Site Scripting in Joomla Acajoom Component Whitepaper Cross Site Scripting in Joomla Acajoom Component Vandan Joshi December 2011 TABLE OF CONTENTS Abstract... 3 Introduction... 3 A Likely Scenario... 5 The Exploit... 9 The Impact... 12 Recommended

More information

Magento Security and Vulnerabilities. Roman Stepanov

Magento Security and Vulnerabilities. Roman Stepanov Magento Security and Vulnerabilities Roman Stepanov http://ice.eltrino.com/ Table of contents Introduction Open Web Application Security Project OWASP TOP 10 List Common issues in Magento A1 Injection

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Sitefinity Security and Best Practices

Sitefinity Security and Best Practices Sitefinity Security and Best Practices Table of Contents Overview The Ten Most Critical Web Application Security Risks Injection Cross-Site-Scripting (XSS) Broken Authentication and Session Management

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Common Security Vulnerabilities in Online Payment Systems

Common Security Vulnerabilities in Online Payment Systems Common Security Vulnerabilities in Online Payment Systems Author- Hitesh Malviya(Information Security analyst) Qualifications: C!EH, EC!SA, MCITP, CCNA, MCP Current Position: CEO at HCF Infosec Limited

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Network Security Exercise #8

Network Security Exercise #8 Computer and Communication Systems Lehrstuhl für Technische Informatik Network Security Exercise #8 Falko Dressler and Christoph Sommer Computer and Communication Systems Institute of Computer Science,

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Security: Attack and Defense

Security: Attack and Defense Security: Attack and Defense Aaron Hertz Carnegie Mellon University Outline! Breaking into hosts! DOS Attacks! Firewalls and other tools 15-441 Computer Networks Spring 2003 Breaking Into Hosts! Guessing

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Penetration Testing Report Client: Business Solutions June 15 th 2015

Penetration Testing Report Client: Business Solutions June 15 th 2015 Penetration Testing Report Client: Business Solutions June 15 th 2015 Acumen Innovations 80 S.W 8 th St Suite 2000 Miami, FL 33130 United States of America Tel: 1-888-995-7803 Email: info@acumen-innovations.com

More information

How To Fix A Web Application Security Vulnerability

How To Fix A Web Application Security Vulnerability Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of

More information

Advanced Web Security, Lab

Advanced Web Security, Lab Advanced Web Security, Lab Web Server Security: Attacking and Defending November 13, 2013 Read this earlier than one day before the lab! Note that you will not have any internet access during the lab,

More information

Firewalls and Intrusion Detection

Firewalls and Intrusion Detection Firewalls and Intrusion Detection What is a Firewall? A computer system between the internal network and the rest of the Internet A single computer or a set of computers that cooperate to perform the firewall

More information

Web application security: Testing for vulnerabilities

Web application security: Testing for vulnerabilities Web application security: Testing for vulnerabilities Using open source tools to test your site Jeff Orloff Technology Coordinator/Consultant Sequoia Media Services Inc. Skill Level: Intermediate Date:

More information

Thick Client Application Security

Thick Client Application Security Thick Client Application Security Arindam Mandal (arindam.mandal@paladion.net) (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two

More information

SQL Injection January 23, 2013

SQL Injection January 23, 2013 Web-based Attack: SQL Injection SQL Injection January 23, 2013 Authored By: Stephanie Reetz, SOC Analyst Contents Introduction Introduction...1 Web applications are everywhere on the Internet. Almost Overview...2

More information

Solution of Exercise Sheet 5

Solution of Exercise Sheet 5 Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2013 CS 161 Computer Security Homework 2 Due: Wednesday, March 6, at 10PM Version 1.1 (02Mar13) Instructions. This assignment must be done on your own, and in accordance with the course policies

More information

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.

More information

Course Content: Session 1. Ethics & Hacking

Course Content: Session 1. Ethics & Hacking Course Content: Session 1 Ethics & Hacking Hacking history : How it all begin Why is security needed? What is ethical hacking? Ethical Hacker Vs Malicious hacker Types of Hackers Building an approach for

More information

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Recommended Practice Case Study: Cross-Site Scripting. February 2007 Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

More information

Web Application Security Considerations

Web Application Security Considerations Web Application Security Considerations Eric Peele, Kevin Gainey International Field Directors & Technology Conference 2006 May 21 24, 2006 RTI International is a trade name of Research Triangle Institute

More information

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats WHITE PAPER FortiWeb and the OWASP Top 10 PAGE 2 Introduction The Open Web Application Security project (OWASP) Top Ten provides a powerful awareness document for web application security. The OWASP Top

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper

Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks. Whitepaper Application Layer Encryption: Protecting against Application Logic and Session Theft Attacks Whitepaper The security industry has extensively focused on protecting against malicious injection attacks like

More information

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES AUTHOR: Chema Alonso Informática 64. Microsoft MVP Enterprise Security Hello and welcome to Intypedia.

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Operations and Denial of Service Secure Software Programming 2 Overview

More information

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY www.alliancetechpartners.com WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY More than 70% of all websites have vulnerabilities

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

allow all such packets? While outgoing communications request information from a

allow all such packets? While outgoing communications request information from a FIREWALL RULES Firewalls operate by examining a data packet and performing a comparison with some predetermined logical rules. The logic is based on a set of guidelines programmed in by a firewall administrator,

More information

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh Web applications Web security: web basics Myrto Arapinis School of Informatics University of Edinburgh HTTP March 19, 2015 Client Server Database (HTML, JavaScript) (PHP) (SQL) 1 / 24 2 / 24 URLs HTTP

More information

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO-6013-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER OCIO-6013-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III. SCOPE IV. DEFINITIONS

More information

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting SECURITY ADVISORY December 2008 Barracuda Load Balancer admin login Cross-site Scripting Discovered in December 2008 by FortConsult s Security Research Team/Jan Skovgren WARNING NOT FOR DISCLOSURE BEFORE

More information

OWASP AND APPLICATION SECURITY

OWASP AND APPLICATION SECURITY SECURING THE 3DEXPERIENCE PLATFORM OWASP AND APPLICATION SECURITY Milan Bruchter/Shutterstock.com WHITE PAPER EXECUTIVE SUMMARY As part of Dassault Systèmes efforts to counter threats of hacking, particularly

More information

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering How to break in Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering Time Agenda Agenda Item 9:30 10:00 Introduction 10:00 10:45 Web Application Penetration

More information

Application Denial of Service Is it Really That Easy?

Application Denial of Service Is it Really That Easy? Application Denial of Service Is it Really That Easy? Shay Chen Agenda Introduction to Denial of Service Attacks Application Level DoS Techniques Case Study Denial of Service Testing Mitigation Summary

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins During initial stages of penetration testing it is essential to build a strong information foundation before you

More information

Denial Of Service. Types of attacks

Denial Of Service. Types of attacks Denial Of Service The goal of a denial of service attack is to deny legitimate users access to a particular resource. An incident is considered an attack if a malicious user intentionally disrupts service

More information

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding?

1. Introduction. 2. DoS/DDoS. MilsVPN DoS/DDoS and ISP. 2.1 What is DoS/DDoS? 2.2 What is SYN Flooding? Page 1 of 5 1. Introduction The present document explains about common attack scenarios to computer networks and describes with some examples the following features of the MilsGates: Protection against

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

Web Application Report

Web Application Report Web Application Report This report includes important security information about your Web Application. Security Report This report was created by IBM Rational AppScan 8.5.0.1 11/14/2012 8:52:13 AM 11/14/2012

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Web Vulnerability Assessment Report

Web Vulnerability Assessment Report Web Vulnerability Assessment Report Target Scanned: www.daflavan.com Report Generated: Mon May 5 14:43:24 2014 Identified Vulnerabilities: 39 Threat Level: High Screenshot of www.daflavan.com HomePage

More information

Web Application Vulnerability Testing with Nessus

Web Application Vulnerability Testing with Nessus The OWASP Foundation http://www.owasp.org Web Application Vulnerability Testing with Nessus Rïk A. Jones, CISSP rikjones@computer.org Rïk A. Jones Web developer since 1995 (16+ years) Involved with information

More information

Web Application Security

Web Application Security Web Application Security Prof. Sukumar Nandi Indian Institute of Technology Guwahati Agenda Web Application basics Web Network Security Web Host Security Web Application Security Best Practices Questions?

More information

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda Secure Web Application Coding Team Introductory Meeting December 1, 2005 1:00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda 1. Introductions for new members (5 minutes) 2. Name of group 3. Current

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

WEB ATTACKS AND COUNTERMEASURES

WEB ATTACKS AND COUNTERMEASURES WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda Threat Modeling/ Security Testing Presented by: Tarun Banga Sr. Manager Quality Engineering, Adobe Quality Leader (India) Adobe Systems India Pvt. Ltd. Agenda Security Principles Why Security Testing Security

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

Protecting and controlling Virtual LANs by Linux router-firewall

Protecting and controlling Virtual LANs by Linux router-firewall Protecting and controlling Virtual LANs by Linux router-firewall Tihomir Katić Mile Šikić Krešimir Šikić Faculty of Electrical Engineering and Computing University of Zagreb Unska 3, HR 10000 Zagreb, Croatia

More information

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks

Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Analysis on Some Defences against SYN-Flood Based Denial-of-Service Attacks Sau Fan LEE (ID: 3484135) Computer Science Department, University of Auckland Email: slee283@ec.auckland.ac.nz Abstract A denial-of-service

More information

1. Firewall Configuration

1. Firewall Configuration 1. Firewall Configuration A firewall is a method of implementing common as well as user defined security policies in an effort to keep intruders out. Firewalls work by analyzing and filtering out IP packets

More information

Learn Ethical Hacking, Become a Pentester

Learn Ethical Hacking, Become a Pentester Learn Ethical Hacking, Become a Pentester Course Syllabus & Certification Program DOCUMENT CLASSIFICATION: PUBLIC Copyrighted Material No part of this publication, in whole or in part, may be reproduced,

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

Client logo placeholder XXX REPORT. Page 1 of 37

Client logo placeholder XXX REPORT. Page 1 of 37 Client logo placeholder XXX REPORT Page 1 of 37 Report Details Title Xxx Penetration Testing Report Version V1.0 Author Tester(s) Approved by Client Classification Confidential Recipient Name Title Company

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

Web Application Security 101

Web Application Security 101 dotdefender Web Application Security Web Application Security 101 1 Web Application Security 101 As the Internet has evolved over the years, it has become an integral part of virtually every aspect in

More information

Implementation of Web Application Firewall

Implementation of Web Application Firewall Implementation of Web Application Firewall OuTian 1 Introduction Abstract Web 層 應 用 程 式 之 攻 擊 日 趨 嚴 重, 而 國 內 多 數 企 業 仍 不 知 該 如 何 以 資 安 設 備 阻 擋, 仍 在 採 購 傳 統 的 Firewall/IPS,

More information

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc. Øredev 2006 Web application testing using a proxy Lucas Nelson, Symantec Inc. Agenda What is a proxy? Setting up your environment Pre-login tests Post-login tests Conclusion A man in the middle proxy The

More information

Basic & Advanced Administration for Citrix NetScaler 9.2

Basic & Advanced Administration for Citrix NetScaler 9.2 Basic & Advanced Administration for Citrix NetScaler 9.2 Day One Introducing and deploying Citrix NetScaler Key - Brief Introduction to the NetScaler system Planning a NetScaler deployment Deployment scenarios

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Web Application Firewall on SonicWALL SSL VPN

Web Application Firewall on SonicWALL SSL VPN Web Application Firewall on SonicWALL SSL VPN Document Scope This document describes how to configure and use the Web Application Firewall feature in SonicWALL SSL VPN 5.0. This document contains the following

More information

Firewall Firewall August, 2003

Firewall Firewall August, 2003 Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also

More information

A1.1.1.11.1.1.2 1.1.1.3S B

A1.1.1.11.1.1.2 1.1.1.3S B CS Computer 640: Network AdityaAkella Lecture Introduction Networks Security 25 to Security DoS Firewalls and The D-DoS Vulnerabilities Road Ahead Security Attacks Protocol IP ICMP Routing TCP Security

More information

Application Security Testing. Generic Test Strategy

Application Security Testing. Generic Test Strategy Application Security Testing Generic Test Strategy Page 2 of 8 Contents 1 Introduction 3 1.1 Purpose: 3 1.2 Application Security Testing: 3 2 Audience 3 3 Test Strategy guidelines 3 3.1 Authentication

More information

Web Application Security

Web Application Security E-SPIN PROFESSIONAL BOOK Vulnerability Management Web Application Security ALL THE PRACTICAL KNOW HOW AND HOW TO RELATED TO THE SUBJECT MATTERS. COMBATING THE WEB VULNERABILITY THREAT Editor s Summary

More information

Security Whitepaper: ivvy Products

Security Whitepaper: ivvy Products Security Whitepaper: ivvy Products Security Whitepaper ivvy Products Table of Contents Introduction Overview Security Policies Internal Protocol and Employee Education Physical and Environmental Security

More information

Lecture 15 - Web Security

Lecture 15 - Web Security CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 15 - Web Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/

More information