Transcript of the presentation "Securitatea Aplicatiilor Online" (Online Application Security) from ODO
Online application security
Vulnerabilities
The software in use
• Web servers (IIS, Apache)
• Databases (MySQL, Oracle, MSSQL)
• Interpreters (PHP, Perl, ASP)
The code you write
•SQL injection
•XSS
•CSRF/XSRF
•Email Injection
•Directory traversal
Network
• MITM attack
SQL injection
• An attack on the database
http://www.example.com/view.php?id_cat=4
$sql = "SELECT * FROM data WHERE id_category = " . $_GET['id_cat'] . ";";
http://www.example.com/view.php?id_cat=4 OR 1=1
SELECT * FROM data WHERE id_category = 4 OR 1=1;
OR 1=1
Why?
• Theft of information
• Alteration of data
• Just for the fun of it
• It happens to the big players too: 2007 Microsoft UK, 2007 UN web site, 2008 Kaspersky website
Protection
• All input must be validated (and, for SQL, passed to the database as a bound parameter rather than concatenated into the query text)
• Encrypt sensitive data
• Daily backups
• Keep the database server updated
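The view.php example and the "all input must be validated" bullet above, worked through as an added example (not code from the deck): Python with the standard-library sqlite3 driver stands in for the deck's PHP/MySQL stack, the table `data` and its rows are constructed here, and `handle_view` is an assumed name for the request handler. The vulnerable function reproduces the slide's string concatenation; the other two show that binding the value as a parameter alone stops `4 OR 1=1`, and that validating the type on top of it lets the handler answer 400 instead of silently returning nothing.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for the slide's `data` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE data (id INTEGER PRIMARY KEY, id_category INTEGER, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO data (id_category, title) VALUES (?, ?)",
        [(4, "public article"), (4, "second public article"),
         (9, "internal memo"), (12, "admin note")],
    )
    return conn


def view_vulnerable(conn, id_cat):
    """Same construction as the slide's view.php: the raw request parameter
    is concatenated into the SQL text, so it can rewrite the WHERE clause."""
    sql = "SELECT title FROM data WHERE id_category = " + id_cat + " ORDER BY id;"
    return [row[0] for row in conn.execute(sql)]


def view_bound(conn, id_cat):
    """Same query with the value bound as a parameter. The driver never lets
    the input become part of the SQL, so '4 OR 1=1' is just a string that
    matches no integer category."""
    rows = conn.execute(
        "SELECT title FROM data WHERE id_category = ? ORDER BY id", (id_cat,)
    )
    return [row[0] for row in rows]


def handle_view(conn, params):
    """Hardened handler (assumed name): validate the type first, then bind.
    Returns (http_status, titles)."""
    raw = params.get("id_cat", "")
    if not raw.isdigit():
        return 400, []
    return 200, view_bound(conn, int(raw))


if __name__ == "__main__":
    db = make_db()
    print(view_vulnerable(db, "4"))                  # only the category-4 rows
    print(view_vulnerable(db, "4 OR 1=1"))           # every row in the table
    print(view_bound(db, "4 OR 1=1"))                # []
    print(handle_view(db, {"id_cat": "4 OR 1=1"}))   # (400, [])
```

The order matters: the type check is what gives the user a sensible error, but the bound parameter is what makes the injection impossible even for inputs the check did not anticipate.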
Demonstration
XSS
• Input is not validated
• HTML input is accepted
• Types:
▫ Non-persistent
▫ Persistent
Non-persistent
http://www.example.com/search.php?s=<script>alert(document.cookie)</script>
Result:
Persistent
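Both XSS types from the slides, as an added example that is not part of the deck: Python stands in for the PHP pages, `search.php` is modelled by `search_page_*` and the persistent case by a guestbook whose comment list is constructed here. The payload is the deck's own `alert(document.cookie)` string; the fix in both cases is the same, escape at output time for the HTML context the value lands in.

```python
import html

PAYLOAD = "<script>alert(document.cookie)</script>"   # the deck's test string

# Constructed stored comments: one honest visitor, one attacker.
SAMPLE_COMMENTS = ["nice site", PAYLOAD]


def search_page_vulnerable(s):
    """Non-persistent (reflected) XSS: search.php echoes the `s` parameter
    into the page as-is, so the script runs in the visitor's browser."""
    return "<h1>Results for: " + s + "</h1>"


def search_page_safe(s):
    """Same page with the parameter escaped for an HTML text context."""
    return "<h1>Results for: " + html.escape(s, quote=True) + "</h1>"


def guestbook_vulnerable(comments):
    """Persistent (stored) XSS: comments are stored and replayed verbatim,
    so every later visitor runs whatever one user submitted."""
    return "<ul>" + "".join("<li>" + c + "</li>" for c in comments) + "</ul>"


def guestbook_safe(comments):
    """Store what the user typed; escape when rendering, where the HTML
    context is known. The stored data is unchanged, only the output is."""
    return "<ul>" + "".join("<li>" + html.escape(c, quote=True) + "</li>"
                           for c in comments) + "</ul>"


def contains_script_tag(page):
    """Crude check used in the demo: does the page still carry a live
    <script> tag (as opposed to the harmless text &lt;script&gt;)?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(search_page_vulnerable(PAYLOAD))
    print(search_page_safe(PAYLOAD))
    print(guestbook_vulnerable(SAMPLE_COMMENTS))
    print(guestbook_safe(SAMPLE_COMMENTS))
```

`html.escape` is correct only for text and double-quoted attribute values; a value placed inside a `<script>` block, a URL, or a CSS rule needs the escaping rules of that context instead.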
CSRF/XSRF
• Targets sites that rely on cookie/session authentication
• The attacker knows about the site the victim has access to
<img src="http://www.other-example.com/deleteuser.php?u=vasile" />
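The forged-`<img>` request above and its defence, as an added example rather than code from the deck: Python stands in for deleteuser.php, the session store is an in-memory dict constructed here, and `delete_user_vulnerable`, `delete_user_safe` and `run_scenario` are assumed names. The vulnerable endpoint accepts the GET that the victim's browser sends (with the session cookie attached) when it loads the attacker's image; the hardened one requires a POST carrying a per-session token that a cross-site request cannot know.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and issue it a fresh, unguessable CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid


def delete_user_vulnerable(cookie_sid, params):
    """deleteuser.php as on the slide: a plain GET, and the only check is the
    session cookie, which the browser attaches automatically even when the
    request was triggered by an <img> tag on another site."""
    if cookie_sid not in SESSIONS:
        return 401, "not logged in"
    return 200, "deleted " + params.get("u", "")


def delete_user_safe(cookie_sid, method, form):
    """Hardened: state changes only via POST, and the request must carry the
    token stored in the session. A cross-site <img> or forged form cannot
    read the victim's token, so the request is refused."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "method not allowed"
    supplied = form.get("csrf", "").encode()
    if not hmac.compare_digest(supplied, session["csrf"].encode()):
        return 403, "bad csrf token"
    return 200, "deleted " + form.get("u", "")


def render_delete_form(cookie_sid):
    """The legitimate page embeds the session's token in its form."""
    token = SESSIONS[cookie_sid]["csrf"]
    return ('<form method="POST" action="/deleteuser.php">'
            '<input type="hidden" name="csrf" value="' + token + '">'
            '<input name="u"><button>Delete</button></form>')


def run_scenario():
    """Victim logs in, then loads a page carrying the slide's <img> tag.
    Returns the status each endpoint gives the forged request, and the
    status the site's own form gets."""
    sid = login("admin")
    forged = {"u": "vasile"}                           # what the <img> URL carries
    legit = {"u": "vasile", "csrf": SESSIONS[sid]["csrf"]}
    return {
        "forged_get_vulnerable": delete_user_vulnerable(sid, forged)[0],
        "forged_get_safe": delete_user_safe(sid, "GET", forged)[0],
        "forged_post_safe": delete_user_safe(sid, "POST", forged)[0],
        "legit_post_safe": delete_user_safe(sid, "POST", legit)[0],
    }


if __name__ == "__main__":
    print(run_scenario())   # forged: 200 / 405 / 403, legitimate: 200
```

Marking the session cookie `SameSite=Lax` or `Strict` is a complementary browser-side defence; the token check is what the server can enforce on its own.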
Email injection
The code behind it: the input is not validated
The string sent to the mail server:
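What that string looks like when the form's e-mail field is not validated, as an added example (not the deck's code): a contact-form mailer modelled in Python, with the form fields and the attacker's input constructed here and `mailer_vulnerable` / `mailer_safe` as assumed names. The injected field carries a line break followed by a `Bcc:` header; the vulnerable mailer hands it to the mail server as a fourth header, the hardened one refuses any header field containing a line break.

```python
ADMIN = "admin@example.com"   # constructed recipient of the contact form


def format_message(to, sender, subject, body):
    """Assemble the message exactly as it is handed to the mail server:
    headers, blank line, body."""
    return ("To: " + to + "\r\n"
            "From: " + sender + "\r\n"
            "Subject: " + subject + "\r\n"
            "\r\n" + body)


def has_line_break(value):
    """A line break in a header value is what lets the sender start a new
    header (Bcc:, Cc:, a second To:) or even a new message body."""
    return "\r" in value or "\n" in value


def mailer_vulnerable(form):
    """The mailer as described on the slide: form fields go straight into
    the headers."""
    return format_message(ADMIN, form["email"], form["subject"], form["message"])


def mailer_safe(form):
    """Same mailer, but a header field containing a line break is refused
    and None is returned (the handler should answer 400)."""
    if any(has_line_break(form[k]) for k in ("email", "subject")):
        return None
    return format_message(ADMIN, form["email"], form["subject"], form["message"])


def header_names(message):
    """The header names the mail server sees (everything before the first
    blank line), in order."""
    head = message.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[0] for line in head.splitlines()]


# Constructed inputs: a normal submission and one with an injected header.
CLEAN_FORM = {"email": "visitor@example.com", "subject": "hello",
              "message": "just saying hi"}
INJECTED_FORM = {"email": "visitor@example.com\r\nBcc: everyone@example.net",
                 "subject": "hello", "message": "spam body"}


if __name__ == "__main__":
    print(mailer_vulnerable(INJECTED_FORM))      # four headers, Bcc included
    print(mailer_safe(INJECTED_FORM))            # None
```

Decoding happens before this check: `%0D%0A` in a query string is already a real CR LF by the time the handler sees the field, so the check must run on the decoded value.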
Directory traversal
HTTP requests
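A request-driven download handler with and without a traversal check, as an added example that is not from the deck: Python stands in for the server-side page, the web root and its files are constructed in a temporary directory, and `download_vulnerable` / `download_safe` are assumed names. The `file` parameter `../../secret.txt` walks out of the intended directory in the first version; the second resolves the final path and refuses anything outside the allowed directory.

```python
import os
import tempfile


def make_site():
    """Constructed web root with one public file, plus a 'secret' file above
    the root that the handler must never serve."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, "files"))
    with open(os.path.join(root, "files", "report.pdf"), "w") as f:
        f.write("public report")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for you")
    return root


def download_vulnerable(root, name):
    """download.php?file=... as typically written: the parameter is joined
    to the directory and opened. '../../secret.txt' leaves the root."""
    path = os.path.join(root, "files", name)
    with open(path) as f:
        return 200, f.read()


def download_safe(root, name):
    """Resolve the final path and check it is still inside the files
    directory; refuse everything else. realpath follows symlinks, so a link
    planted inside the directory cannot point the check elsewhere."""
    files_dir = os.path.realpath(os.path.join(root, "files"))
    path = os.path.realpath(os.path.join(files_dir, name))
    if os.path.commonpath([files_dir, path]) != files_dir:
        return 403, ""
    if not os.path.isfile(path):
        return 404, ""
    with open(path) as f:
        return 200, f.read()


if __name__ == "__main__":
    site = make_site()
    print(download_vulnerable(site, "../../secret.txt"))   # (200, 'not for you')
    print(download_safe(site, "../../secret.txt"))         # (403, '')
```

Checking for `..` in the string is not enough: an absolute path, an encoded variant, or a symlink all pass such a filter, while comparing resolved paths catches them all.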
MITM attack
• Data in transit
Demonstration
Conclusions
• Validate all input
• Encrypt sensitive information
• Back up
• Users can't be trusted
• Be paranoid