Predrag Cujanović




Contact
• mail: predrag@cujanovic.com
• blog: http://www.cujanovic.com
• tw: http://www.twitter.com/cujanovic
• fb: http://www.facebook.com/predrag.cujanovic
Contents:

• Cross-site scripting (XSS) attack
• SQL injection (SQLi) attack
• Insecure cryptographic storage
• Examples
Cross-site scripting (XSS) attack

• What is an XSS attack?
• Types of XSS attack
• Danger of XSS attacks
• How to prevent an XSS attack?
What is an XSS attack?
Types of XSS attack
• Non-Persistent (Reflected)
• Persistent (Stored)
• DOM Based
Danger of XSS attacks
XSS Shell
Danger of XSS attacks
Cookie stealing




Phishing
How to prevent an XSS attack?

• By filtering data through PHP's predefined
  functions:

 strip_tags, htmlspecialchars, htmlentities

• Avoid writing your own functions just for this
  purpose
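The slide names the functions but not the context in which each one is enough. The following is an added example (not code from the slides) that echoes a constructed "search" parameter into an HTML body and into an attribute, first raw and then through the functions listed; the payload string and the function names render_unsafe, esc, render_safe and render_strip_only are assumptions made for the demonstration:

```php
<?php
// Added example, not from the slides: output encoding of a reflected
// parameter with the PHP functions the slide lists.

// Constructed attacker-style input, used only to show the difference between
// the three rendering paths below. It contains no tags, which is the point:
// a quote plus an event handler attribute is enough to break out of an attribute.
$input = '" autofocus onfocus="alert(document.cookie)';

// Vulnerable: the raw parameter is concatenated into an attribute and into text.
function render_unsafe(string $q): string {
    return '<input value="' . $q . '"> You searched for: ' . $q;
}

// Correct for an HTML text node and for a double-quoted attribute.
// ENT_QUOTES also encodes single quotes (single-quoted attributes), and
// naming the charset explicitly stops malformed byte sequences from being
// reinterpreted by the browser.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $q): string {
    return '<input value="' . esc($q) . '"> You searched for: ' . esc($q);
}

// strip_tags only removes <...> tags. The payload above has none, so it
// passes through unchanged and the attribute is still broken out of.
// strip_tags is a content filter, not an output encoder.
function render_strip_only(string $q): string {
    return '<input value="' . strip_tags($q) . '">';
}

echo render_unsafe($input), PHP_EOL;
echo render_safe($input), PHP_EOL;
echo render_strip_only($input), PHP_EOL;

// htmlentities does what htmlspecialchars does and additionally encodes every
// character that has a named entity; with a UTF-8 page, htmlspecialchars
// already covers the characters that matter for XSS.
echo htmlentities('café & "bar"', ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

The rule this illustrates: encode at the point of output, with the encoder that matches the context (HTML body and quoted attributes here). Data placed inside a JavaScript block, a URL or a CSS value needs a different encoder, and none of the three functions on the slide covers those contexts.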
SQL injection (SQLi) attack


  • What is an SQLi attack?

  • Types of SQLi attack

  • Danger of SQLi attacks

  • How to prevent an SQLi attack?
What is an SQLi attack?
Types of SQLi attack

    • Incorrectly filtered escape characters
      (SELECT * FROM users WHERE name = '' OR '1'='1' -- ';)



    • Incorrect type handling
      (SELECT * FROM userinfo WHERE id=1;DROP TABLE users;)



    • Blind SQL injection
      (SELECT booktitle FROM booklist WHERE bookId = 'OOk14cd' AND '1'='1';)



    • Time Based SQL injection
      (download_key=1' AND 6424=BENCHMARK(5000000,MD5(CHAR(102,100,78,99))) AND 'uzOQ'='uzOQ)
Danger of SQLi attacks

    • Access to data in the database (UNION SELECT 1,2,3,4--)


    • Modifying or deleting data in the database – DROP users;


    • Reading files - load_file('/etc/passwd') or
      load_file(0x2f6574632f706173737764) function


    • Creating new files - INTO OUTFILE
      '/var/www/victim.com/shell.php'
How to prevent an SQLi attack?



    • mysql_real_escape_string function


    • is_numeric function


    • cast to int – (int)
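To show what the three defences on the slide actually do to the "incorrect type handling" payload from the previous slides, here is an added example (not code from the slides). It builds the query string with and without the (int) cast, validates with is_numeric, and then runs a prepared statement against an in-memory SQLite database so it needs no MySQL server. The table, its two rows, the payload and the function names (query_unsafe, query_cast, validate_id, fetch_name) are all constructed for the demonstration:

```php
<?php
// Added example, not from the slides: numeric-input defences next to a
// prepared statement, against a constructed in-memory SQLite table.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO userinfo VALUES (1, 'alice'), (2, 'bob')");

// Constructed payload of the kind shown on the "Types of SQLi attack" slide.
$payload = '1;DROP TABLE userinfo';

// Vulnerable: the parameter is concatenated into the SQL text, so the
// semicolon and everything after it become part of the statement.
function query_unsafe(string $id): string {
    return 'SELECT name FROM userinfo WHERE id=' . $id;
}

// (int) cast: PHP keeps the leading digits and drops the rest, so the
// payload collapses to 1 and a non-numeric string collapses to 0 (no row).
// The shape of the query can no longer change.
function query_cast(string $id): string {
    return 'SELECT name FROM userinfo WHERE id=' . (int)$id;
}

// is_numeric rejects the payload, but it also accepts forms a primary key
// never takes ("1e3", " 7"), so the accepted value is additionally checked
// with FILTER_VALIDATE_INT before it is used.
function validate_id(string $id): ?int {
    if (!is_numeric($id)) {
        return null;
    }
    $v = filter_var($id, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Prepared statement: the value is sent separately from the SQL text and is
// never parsed as SQL. This is the general defence, for strings as well.
function fetch_name(PDO $pdo, string $id): ?string {
    $stmt = $pdo->prepare('SELECT name FROM userinfo WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

echo query_unsafe($payload), PHP_EOL;   // the DROP TABLE is now part of the SQL
echo query_cast($payload), PHP_EOL;     // only the leading 1 survives
var_dump(validate_id($payload));        // rejected by is_numeric
var_dump(validate_id('2'));             // accepted as an integer
echo fetch_name($pdo, $payload) ?? 'no row', PHP_EOL;

// For string values, PDO::quote() is the PDO counterpart of
// mysql_real_escape_string; a prepared statement is still preferable, because
// correct escaping depends on the connection's character set.
echo $pdo->quote("' OR '1'='1"), PHP_EOL;
```

Two practical notes: the mysql_* extension that provides mysql_real_escape_string was removed in PHP 7, and its replacement is mysqli_real_escape_string (which takes the connection as its first argument) or, better, a prepared statement through mysqli or PDO as shown. The (int) cast and is_numeric checks protect only numeric parameters; every free-text parameter (the name = '' OR '1'='1' case on the earlier slide) needs the prepared-statement path.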
Insecure cryptographic storage
Insecure cryptographic storage

0. use some hash algorithm

1. do not use obsolete hash algorithms
 (md5 is officially dead)

2. use a salt, preferably not stored in the database
 (WordPress example)

3. use two different hash algorithms
 (sha1($salt.(des($salt.$pass.$salt))))
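As an added example (not code from the slides), the four points above mapped onto PHP's built-in password API rather than the hand-rolled sha1/des construction: password_hash() supplies a random per-user salt and a slow work factor and stores both inside the returned string, and the slide's "salt kept outside the database" point is implemented as an HMAC with a secret from configuration (the WordPress approach). The constant PEPPER_PLACEHOLDER and the function names legacy_hash, peppered, store_password, check_password and check_and_upgrade are assumptions made for the demonstration:

```php
<?php
// Added example, not from the slides: salted, slow password hashing with
// password_hash()/password_verify(), plus migration away from md5.

// Placeholder secret. In a deployment this value is random and lives in
// configuration outside the database, as the slide's WordPress example suggests.
const PEPPER_PLACEHOLDER = 'replace-with-a-random-secret-kept-outside-the-db';

// Legacy store: unsalted md5. Equal passwords give equal hashes, and md5 is
// fast enough that tools such as oclHashcat can try billions of guesses per
// second against a leaked table.
function legacy_hash(string $password): string {
    return md5($password);
}

// Binds the password to the out-of-database secret before hashing, so a dump
// of the hash column alone is not enough to start cracking. The hex output is
// 64 bytes, within bcrypt's 72-byte input limit.
function peppered(string $password): string {
    return hash_hmac('sha256', $password, PEPPER_PLACEHOLDER);
}

// password_hash picks a fresh random salt and a cost per call and encodes
// algorithm, cost and salt into the result; no separate salt column is needed.
function store_password(string $password): string {
    return password_hash(peppered($password), PASSWORD_DEFAULT);
}

function check_password(string $password, string $stored): bool {
    return password_verify(peppered($password), $stored);
}

// Migration path: accept a stored md5 value one last time, then overwrite it
// with a password_hash value. Also re-hashes when the default cost has grown.
function check_and_upgrade(string $password, string &$stored): bool {
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        if (!hash_equals($stored, legacy_hash($password))) {
            return false;
        }
        $stored = store_password($password);
        return true;
    }
    $ok = check_password($password, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = store_password($password);
    }
    return $ok;
}

$h1 = store_password('correct horse');
$h2 = store_password('correct horse');
var_dump($h1 !== $h2);                            // same password, different salts
var_dump(check_password('correct horse', $h1));   // right password verifies
var_dump(check_password('wrong', $h1));           // wrong password does not

$old = legacy_hash('correct horse');
var_dump(check_and_upgrade('correct horse', $old));
var_dump(password_get_info($old)['algoName']);    // record now carries the new algorithm
```

The design choice worth noting is that the salt is not something the application has to generate or store itself: password_hash() handles it, and password_verify() reads it back from the stored string. The pepper is a separate, application-wide secret; if it is ever rotated, existing records can only be upgraded at the user's next successful login, exactly as the md5 records are upgraded in check_and_upgrade().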
Insecure cryptographic storage
      oclHashcat-plus
Thank you for your attention :)



Questions?

Owasp Serbia: sqli,xss