-Ajay Babu .D y5cs022.


Contents

- Who is a hacker?
- History of hacking
- Types of hacking
- Do you know?
- What do hackers do? - Some examples of web application hacking
- How can we protect the system?
- What should we do after being hacked?


Who is a hacker?

- Hack: examine something very minutely
- Hacker: the person who hacks
- Cracker: system intruder/destroyer


History of hacking

- Telephone hacking
  - Use telephone freely
  - It’s called phreaking
- Computer virus
  - Destroy many computers
- Network hacking
  - Hack the important server remotely and destroy/modify/disclose the information


Types of hacking

[Diagram: normal data transfer compared with interruption, interception, modification and fabrication]


Do you know?

- 75% of attacks today happen at the application layer (Gartner). Desktop augmented by Network and then Web Application Security.
- Many “easy hacking recipes” are published on the web.
- 3 out of 4 vendor apps tested had serious SQL injection bugs!
- “The cost of correcting code in production increases up to 100 times as compared to in development...”


What do hackers do?

A few examples of web application hacks:

- SQL Injection
- Cross-site Scripting (#1 threat today!)


SQL Injection Attacks

[Diagram: Hacker uses SQL script injection against the Web App to access data]

“SQL injection is a security vulnerability that occurs in the database layer of an application. Its source is the incorrect escaping of dynamically-generated string literals embedded in SQL statements.” (Wikipedia)


SQL Injection Attacks

Example of attack:

SQL query in web application code:

    "SELECT * FROM users WHERE login = '" + username + "' and password = '" + password + "';"

Hacker logs in as: ' or '' = ''; --

    SELECT * FROM users WHERE login = '' or '' = ''; --' and password = '';

Hacker deletes the users table with: ' or '' = ''; DROP TABLE users; --

    SELECT * FROM users WHERE login = '' or '' = ''; DROP TABLE users; --' and password = '';

SQL Injection examples are outlined in:

- http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
- http://www.unixwiz.net/techtips/sql-injection.html


SQL Injection Attacks Demo


Cross-Site Scripting (XSS) Attacks

[Diagram: Hacker injects script into the web site (Web App); the End User retrieves the compromised page content from the compromised Web App and unknowingly executes the script]


XSS: Script Injection Demo


Preventing SQL injection and XSS

- SCRUB error handling
  - Error messages divulge information that can be used by a hacker…
- VALIDATE all user-entered parameters
- CHECK data types and lengths
- DISALLOW unwanted data (e.g. HTML tags, JavaScript)
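
An added example, not part of the original slides: the slide's login query built by concatenation, next to a version that applies the VALIDATE, CHECK and SCRUB steps listed above. It also uses bound query parameters and HTML output encoding, two techniques the slides do not name; the in-memory sqlite3 table, the sample user, `LOGIN_RE` and all function names are assumptions.

```python
import html
import re
import sqlite3

LOGIN_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")  # assumed policy: allowed characters and length
SLIDE_INPUT = "' or '' = ''; --"                 # the login input shown on the slide

def make_db():
    """Constructed sample data; table and columns follow the slide's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)")
    # Plaintext password only to mirror the slide; real systems store a password hash.
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concatenated(db, username, password):
    """The slide's query: user input becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE login = '" + username +
           "' and password = '" + password + "';")
    return db.execute(sql).fetchone() is not None

def login_bound(db, username, password):
    """Bound parameters: input is passed as data and never parsed as SQL."""
    row = db.execute("SELECT 1 FROM users WHERE login = ? AND password = ?",
                     (username, password)).fetchone()
    return row is not None

def login_hardened(db, username, password):
    """VALIDATE and CHECK before the query, SCRUB errors after it."""
    if not isinstance(username, str) or not isinstance(password, str):
        return False
    if not LOGIN_RE.fullmatch(username) or not 0 < len(password) <= 128:
        return False
    try:
        return login_bound(db, username, password)
    except sqlite3.Error:
        return False  # caller sees a plain failure, not the database error text

def render_greeting(username):
    """Output encoding: HTML/JavaScript in stored text is displayed, not executed."""
    return "<p>Welcome, " + html.escape(username) + "</p>"

if __name__ == "__main__":
    db = make_db()
    print(login_concatenated(db, SLIDE_INPUT, ""))  # WHERE clause is always true
    print(login_bound(db, SLIDE_INPUT, ""), login_hardened(db, "alice", "correct-horse"))
    print(render_greeting("<script>alert(1)</script>"))
```

The bound-parameter version rejects the slide's input even without the validation step, which is why validation is best treated as a second layer and not the only control.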


How can we protect the system?

- Encrypt important data
  - Ex) .pgp, .ssh
- Do not run unused information
- Remove unused programs
- Set up a firewall
  - Ex) IP chain
- Check for unintentional changes
- Back up the system often


What should we do after being hacked?

- Shut down the system
  - Or turn off the system
- Separate the system from the network
- Restore the system from the backup
  - Or reinstall all programs
- It can be good to report it to the police


Thank you

-Ajay Babu .DY5cs022.