KEMBAR78
web _security_ for _confedindality s.ppt
Uploaded bynaghamallella
PPT, PDF4 views

web _security_ for _confedindality s.ppt

This document provides an overview of web security, defining key terms like the world wide web (WWW), web servers, and web browsers. It discusses web security from the perspectives of users and servers, explaining they expect secure and private communications. The document outlines common web site attacks like threats to information integrity and confidentiality from modification or eavesdropping. It also covers attacks on web site accessibility through denial of service and on authentication through impersonation. Finally, it categorizes some classes of attacks on authentication, authorization, clients, and command execution like SQL injection and cross-site scripting.

Download to read offline
Web Security By Ansam Osama Abdul-Majeed Muna Jaffer Sedeeq
Overview Of Web Security Web (WWW or world wide web) Web Server Web Browsers Web Security
Definitions Web The world wide web (WWW) is an interconnection of networks of computer systems that provides information and services to users of the web . Computer systems in this interconnection of networks that provide services and information to other computer systems are called Web Servers Web Servers
Definitions (continue) Computer systems that request services and infomation are call Web Browsers Web Browsers Web security is a set of procedures , practices , and technologies for protecting web servers, web browser and their surrounding organizations. Web Security
Web Security From the users' perspective Legitimate Safe Private
Web Security From the server's perspective Legitimate Responsible From the perspective of both the server and the user They have an expectation that their communications will be free from eavesdropping and reliable in terms that their transmissions will not be modified by a third party
Web Site Attacks (Threats) I. Attacks on Web Site Information A. Integrity of Information Attacks 1.Threats a. Modification of user data b. Modification of message traffic in transit 2. Consequences a. Loss of information b. Vulnerability to all other threats 3. Countermeasures - cryptographic checksums
Web Site Attacks (Threats) B. Confidentiality of Information Attacks 1. Threats a. Eavesdropping on the Net b. Theft of info from server c. Theft of data from client d. Info about network configuration e. Info about which client talks to server 2 . Consequences a. Loss of information b. Loss of privacy
3. Countermeasures a. Encryption b. Web proxies II. Attacks on Web Site Accessibility A. Denial of Service Attacks 1.Threats a. Flooding of machine with bogus requests b. Isolating machine by DNS attacks 2.Consequences a. Disruptive b. Annoying c. Prevent user from getting work done
B. Authentication Attacks 1. Threats a. Impersonation of legitimate user b. Data forgery 2. Consequences a. Misrepresentation of user b. Belief that false information is valid 3. Countermeasures - cryptographic techniques 3. Countermeasures - difficult to prevent
Some Classes of Attacks on Web
Attacks on Authentication Attacks that used to circumvent or exploit the authentication process of a web site. 1
Attacks on Authentication 1 Brute Force Attack Automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key
Insufficient Authentication Occurs when a web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Attacks on Authentication 1
Weak Password Recovery Validation Occurs when a web site permits attacker to illegally obtain, change or recover another user’s password. Attacks on Authentication 1
Attacks on Authorization Attacks that target a web site's method of determining if a user, service, or application has the necessary permissions to perform a requested action 2
Attacks on Authorization Credential/Session Prediction A method of hijacking or impersonating a web site user guessing the unique value that identifies a particular session or user 2
Insufficient Authorization Occurs when a web site permits access to sensitive content or functionality that should require increased access control restrictions. Attacks on Authorization 2
Client-side Attacks Focuses on the abuse or exploitation of a web site's users. 3
Client-side Attacks Content Spoofing An attack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. http://foo.example/page?frame_src=http://foo.example/file.html. An attacker may be able to replace the “frame_src” parameter value with “frame_src=http://attacker.example/spoof.html” The browser location bar visibly remains under the user expected domain( foo.example). 3
Cross-Site Scripting An attack technique that forces a web site to echo attacker-supplied executable code, which loads in a user’s browser Client-side Attacks 3
Command Execution Covers attacks designed to execute remote commands on the web site. All web sites utilize user-supplied input to fulfill requests 4
Command Execution SQL Injection An attack technique used to exploit web sites that construct SQL statements from user-supplied input. Executing the following request to a web site: http://example/article.asp?ID=2+and+1=1 should return the same web page as: http://example/article.asp?ID=2 because the SQL statement 'and 1=1' is always true. Executing the following request to a web site: http://example/article.asp?ID=2+and+1=0 4
SSI Injection SSI Injection (Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application Command Execution 4
Than ks

More Related Content

PPTX
Web Security Attacks
bySajid Hasan
 
PDF
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
PPT
unit1_last.pptsfsfsfsfsgeeyeeeyyeyeywwww
byzmulani8
 
PPT
Internet Security
byMitesh Gupta
 
PPSX
Web application security
byAkhil Raj
 
PPTX
Unit 5.pptx
byRajanarayanan subramanian
 
PPTX
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
PPTX
Social networks security risks
byosuhaibany
 
Web Security Attacks
bySajid Hasan
 
Secure Coding BSSN Semarang Material.pdf
bynanangAris1
 
unit1_last.pptsfsfsfsfsgeeyeeeyyeyeywwww
byzmulani8
 
Internet Security
byMitesh Gupta
 
Web application security
byAkhil Raj
 
Unit 5.pptx
byRajanarayanan subramanian
 
Web Application Security Session for Web Developers
byKrishna Srikanth Manda
 
Social networks security risks
byosuhaibany
 

Similar to web _security_ for _confedindality s.ppt

PDF
IRJET- Survey on Web Application Vulnerabilities
byIRJET Journal
 
PDF
Module 1.pdf
bySitamarhi Institute of Technology
 
PDF
module 1 Cyber Security Concepts
bySitamarhi Institute of Technology
 
PPTX
INTRODUCTION AND ACCESS CONTROL.pptx
byDAKSHATAPANCHAL2
 
PDF
TECHNIQUES FOR ATTACKING WEB APPLICATION SECURITY
byijistjournal
 
PDF
TECHNIQUES FOR ATTACKING WEB APPLICATION SECURITY
byijistjournal
 
PPTX
Ecommerce_Ch4.pptx
byAYNETUTEREFE1
 
PPTX
The Whys and Wherefores of Web Security – by United Security Providers
byUnited Security Providers AG
 
PPTX
Web Application
byprimeteacher32
 
PPTX
Web SecurityWeb SecurityWeb SecurityWeb Security
byuser201002adobe
 
PPTX
Advance Web Vulnerabilities Chapter 3 to 5
byarjayVicencio
 
PPTX
Cyber.pptx
byMahalakshmiShetty3
 
PPTX
Types of Cyber Attacks
byRubal Sagwal
 
PDF
Network security
bynafisarayhana1
 
PPTX
chapter1 Introduction to Software Security.pptx
byLina Shimelis
 
PPTX
nCircle Webinar: Get your Black Belt
bynCircle - a Tripwire Company
 
PPTX
Website security
byRIPPER95
 
PPTX
Presentation on Web Attacks
byVivek Sinha Anurag
 
PDF
AuditSDFXCGVHNBMBGFDSFGHNBMBGFVCGVBNMBVCB.pdf
byAyushDeshmukh18
 
PPTX
3-types of attacks_Types of attacks.pptx
byAmandeepSohal4
 
IRJET- Survey on Web Application Vulnerabilities
byIRJET Journal
 
Module 1.pdf
bySitamarhi Institute of Technology
 
module 1 Cyber Security Concepts
bySitamarhi Institute of Technology
 
INTRODUCTION AND ACCESS CONTROL.pptx
byDAKSHATAPANCHAL2
 
TECHNIQUES FOR ATTACKING WEB APPLICATION SECURITY
byijistjournal
 
TECHNIQUES FOR ATTACKING WEB APPLICATION SECURITY
byijistjournal
 
Ecommerce_Ch4.pptx
byAYNETUTEREFE1
 
The Whys and Wherefores of Web Security – by United Security Providers
byUnited Security Providers AG
 
Web Application
byprimeteacher32
 
Web SecurityWeb SecurityWeb SecurityWeb Security
byuser201002adobe
 
Advance Web Vulnerabilities Chapter 3 to 5
byarjayVicencio
 
Cyber.pptx
byMahalakshmiShetty3
 
Types of Cyber Attacks
byRubal Sagwal
 
Network security
bynafisarayhana1
 
chapter1 Introduction to Software Security.pptx
byLina Shimelis
 
nCircle Webinar: Get your Black Belt
bynCircle - a Tripwire Company
 
Website security
byRIPPER95
 
Presentation on Web Attacks
byVivek Sinha Anurag
 
AuditSDFXCGVHNBMBGFDSFGHNBMBGFVCGVBNMBVCB.pdf
byAyushDeshmukh18
 
3-types of attacks_Types of attacks.pptx
byAmandeepSohal4
 

More from naghamallella

PPT
OS-20210426203801 introduction to os.ppt
bynaghamallella
 
PPT
basic logic gate presentation date23.ppt
bynaghamallella
 
PPT
logic gate presentation for and or n.ppt
bynaghamallella
 
PPT
6_2019_04_09!08_59_48_PM logic gate_.ppt
bynaghamallella
 
PPT
bin packing 2 for real time scheduli.ppt
bynaghamallella
 
PPTX
bin packing2 and scheduling for mul.pptx
bynaghamallella
 
PPT
BOOTP computer science for multiproc.ppt
bynaghamallella
 
PPT
trusted computing platform alliancee.ppt
bynaghamallella
 
PPT
trusted computing for security confe.ppt
bynaghamallella
 
PPT
bin packing and scheduling multiproc.ppt
bynaghamallella
 
PPT
multiprocessor _system _presentation.ppt
bynaghamallella
 
PPT
image processing for jpeg presentati.ppt
bynaghamallella
 
PPT
introduction to jpeg for image proce.ppt
bynaghamallella
 
PPT
jpg image processing nagham salim_as.ppt
bynaghamallella
 
PPTX
lips _reading_nagham _salim compute.pptx
bynaghamallella
 
PPT
electronic mail security for authent.ppt
bynaghamallella
 
PPT
lips _reading _in computer_ vision_n.ppt
bynaghamallella
 
PPT
thread_ multiprocessor_ scheduling_a.ppt
bynaghamallella
 
PPT
distributed real time system schedul.ppt
bynaghamallella
 
PPT
Trusted Computing security _platform.ppt
bynaghamallella
 
OS-20210426203801 introduction to os.ppt
bynaghamallella
 
basic logic gate presentation date23.ppt
bynaghamallella
 
logic gate presentation for and or n.ppt
bynaghamallella
 
6_2019_04_09!08_59_48_PM logic gate_.ppt
bynaghamallella
 
bin packing 2 for real time scheduli.ppt
bynaghamallella
 
bin packing2 and scheduling for mul.pptx
bynaghamallella
 
BOOTP computer science for multiproc.ppt
bynaghamallella
 
trusted computing platform alliancee.ppt
bynaghamallella
 
trusted computing for security confe.ppt
bynaghamallella
 
bin packing and scheduling multiproc.ppt
bynaghamallella
 
multiprocessor _system _presentation.ppt
bynaghamallella
 
image processing for jpeg presentati.ppt
bynaghamallella
 
introduction to jpeg for image proce.ppt
bynaghamallella
 
jpg image processing nagham salim_as.ppt
bynaghamallella
 
lips _reading_nagham _salim compute.pptx
bynaghamallella
 
electronic mail security for authent.ppt
bynaghamallella
 
lips _reading _in computer_ vision_n.ppt
bynaghamallella
 
thread_ multiprocessor_ scheduling_a.ppt
bynaghamallella
 
distributed real time system schedul.ppt
bynaghamallella
 
Trusted Computing security _platform.ppt
bynaghamallella
 

Recently uploaded

PPTX
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
PPTX
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
PDF
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
PPTX
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
PPTX
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
PPTX
Exploring Entrepreneurial Qualities: A Curated Presentation for Grade 11 Busi...
bySamanthaNkoana
 
PDF
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
DOCX
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
PPTX
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
PPTX
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
PPTX
How to Create a Manifest File in Odoo 18
byCeline George
 
PDF
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
PDF
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
PPTX
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
PPTX
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
PPTX
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
PPTX
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
PPTX
DO 34 s 2025 - ammendment of DO 24 s 2025.pptx
byJeanalynEstrellado3
 
PDF
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
PPTX
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 
Capital Budgeting - Risk Analysis Using Payback Period Method
bySundar B N
 
PECTORAL REGION.pptx Human anatomy,Bmls,
byKISMAT ALI
 
The Minority Caucus in Parliament has called on government to take immediate ...
bynservice241
 
Classification and Applied Aspects of Joints.pptx
byMathew Joseph
 
Welcome to our Open Evening 2025 Ballinrobe CS
byjacollins1515
 
Exploring Entrepreneurial Qualities: A Curated Presentation for Grade 11 Busi...
bySamanthaNkoana
 
Phase Equilibria and Colligative Properties.pdf
byMithil Fal Desai
 
Extension Education: From theory to practice by Dr Subin K Mohan.docx
byDrSubinKMohan
 
Capitol Webinar October 2025 Dr. Jha.pptx
byCapitolTechU
 
Hudson Vitale "AI Essentials: From Tools to Strategies: A 2025 NISO Training ...
byNational Information Standards Organization (NISO)
 
How to Create a Manifest File in Odoo 18
byCeline George
 
Who Owns the Narrative? Data, Disinformation, and the Missing Voice of Academia
byIsmail Fahmi
 
BUSINESS ETHICS – UNIT I: Introduction to Business Ethics
byD NANEE
 
🧪“Blood Chemistry Tests in Pharmacy Practice: Clinical Laboratory Guide for P...
byBanny S.V
 
DPSM-BITDA Introduction Presentation Slides
byGreat Files
 
psychoanalytic Theory.pptx, MSc. Nursing
byKomalJaiswal46
 
Single entry System Vs Double entry System.pptx
bylavanyafranklin0804
 
DO 34 s 2025 - ammendment of DO 24 s 2025.pptx
byJeanalynEstrellado3
 
Umlando kaMufi. IsiZulu Ulimi Lwebele...
byNokwandaNzuza2
 
Agriculture Lesson Note for Grade 11 Chapter 3 & 4.pptx
byNajibMuhidin
 

web _security_ for _confedindality s.ppt

  • 1.
    Web Security By Ansam OsamaAbdul-Majeed Muna Jaffer Sedeeq
  • 2.
    Overview Of WebSecurity Web (WWW or world wide web) Web Server Web Browsers Web Security
  • 3.
    Definitions Web The world wideweb (WWW) is an interconnection of networks of computer systems that provides information and services to users of the web . Computer systems in this interconnection of networks that provide services and information to other computer systems are called Web Servers Web Servers
  • 4.
    Definitions (continue) Computer systemsthat request services and infomation are call Web Browsers Web Browsers Web security is a set of procedures , practices , and technologies for protecting web servers, web browser and their surrounding organizations. Web Security
  • 5.
    Web Security From theusers' perspective Legitimate Safe Private
  • 6.
    Web Security From theserver's perspective Legitimate Responsible From the perspective of both the server and the user They have an expectation that their communications will be free from eavesdropping and reliable in terms that their transmissions will not be modified by a third party
  • 7.
    Web Site Attacks(Threats) I. Attacks on Web Site Information A. Integrity of Information Attacks 1.Threats a. Modification of user data b. Modification of message traffic in transit 2. Consequences a. Loss of information b. Vulnerability to all other threats 3. Countermeasures - cryptographic checksums
  • 8.
    Web Site Attacks(Threats) B. Confidentiality of Information Attacks 1. Threats a. Eavesdropping on the Net b. Theft of info from server c. Theft of data from client d. Info about network configuration e. Info about which client talks to server 2 . Consequences a. Loss of information b. Loss of privacy
  • 9.
    3. Countermeasures a. Encryption b.Web proxies II. Attacks on Web Site Accessibility A. Denial of Service Attacks 1.Threats a. Flooding of machine with bogus requests b. Isolating machine by DNS attacks 2.Consequences a. Disruptive b. Annoying c. Prevent user from getting work done
  • 10.
    B. Authentication Attacks 1.Threats a. Impersonation of legitimate user b. Data forgery 2. Consequences a. Misrepresentation of user b. Belief that false information is valid 3. Countermeasures - cryptographic techniques 3. Countermeasures - difficult to prevent
  • 11.
    Some Classes ofAttacks on Web
  • 12.
    Attacks on Authentication Attacksthat used to circumvent or exploit the authentication process of a web site. 1
  • 13.
    Attacks on Authentication 1 BruteForce Attack Automated process of trial and error used to guess a person's username, password, credit-card number or cryptographic key
  • 14.
    Insufficient Authentication Occurs whena web site permits an attacker to access sensitive content or functionality without having to properly authenticate. Attacks on Authentication 1
  • 15.
    Weak Password RecoveryValidation Occurs when a web site permits attacker to illegally obtain, change or recover another user’s password. Attacks on Authentication 1
  • 16.
    Attacks on Authorization Attacksthat target a web site's method of determining if a user, service, or application has the necessary permissions to perform a requested action 2
  • 17.
    Attacks on Authorization Credential/SessionPrediction A method of hijacking or impersonating a web site user guessing the unique value that identifies a particular session or user 2
  • 18.
    Insufficient Authorization Occurs whena web site permits access to sensitive content or functionality that should require increased access control restrictions. Attacks on Authorization 2
  • 19.
    Client-side Attacks Focuses onthe abuse or exploitation of a web site's users. 3
  • 20.
    Client-side Attacks Content Spoofing Anattack technique used to trick a user into believing that certain content appearing on a web site is legitimate and not from an external source. http://foo.example/page?frame_src=http://foo.example/file.html. An attacker may be able to replace the “frame_src” parameter value with “frame_src=http://attacker.example/spoof.html” The browser location bar visibly remains under the user expected domain( foo.example). 3
  • 21.
    Cross-Site Scripting An attacktechnique that forces a web site to echo attacker-supplied executable code, which loads in a user’s browser Client-side Attacks 3
  • 22.
    Command Execution Covers attacksdesigned to execute remote commands on the web site. All web sites utilize user-supplied input to fulfill requests 4
  • 23.
    Command Execution SQL Injection Anattack technique used to exploit web sites that construct SQL statements from user-supplied input. Executing the following request to a web site: http://example/article.asp?ID=2+and+1=1 should return the same web page as: http://example/article.asp?ID=2 because the SQL statement 'and 1=1' is always true. Executing the following request to a web site: http://example/article.asp?ID=2+and+1=0 4
  • 24.
    SSI Injection SSI Injection(Server-side Include) is a server-side exploit technique that allows an attacker to send code into a web application Command Execution 4
  • 25.