Date posted: 17-Jul-2015 | Category: Technology | Uploaded by: sandra-sukarieh
Database Threats
Information System Security
Presented by:
Abdul Majeed Al-Kattan
Rabee Al-Rass
Rahaf Aamer
Rimon Koroni
Sandra Sukarieh
Contents
• Sensitive Data Exposure.
• Security Misconfiguration.
• SQL Injection (Blind).
• Insecure Direct Object Reference.
• Cross Site Scripting.
• Denial of Service.
Information System Security 2
SQL Injection
• Occurs when untrusted data is sent to the interpreter as part of a command or query.
• The attacker's malicious data can trick the interpreter into:
1. Executing commands that were never intended.
2. Accessing data without authorization.
3. Damaging the contents of the database.
SQL Injection Prevention
• Escape strings:
1. mysqli_real_escape_string()
2. addslashes()
• Example:
x' or 'x'='x' --
When mysqli_real_escape_string() is applied:
x\' or \'x\'=\'x\' --
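As an added example (not code from the slides), the escaping step above beside the defence that makes it unnecessary, a parameterized query. The escaping function is a Python reimplementation of mysqli_real_escape_string()'s character rules written for this example, the user table is constructed in memory with SQLite, and the payload is the one from the slide.

```python
import sqlite3

# Character rules of MySQL's mysql_real_escape_string (NUL, newline, carriage
# return, backslash, single quote, double quote, Ctrl-Z). This is a Python
# reimplementation written for this example, not PHP's own function.
_MYSQL_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def mysql_escape(value: str) -> str:
    """Escape a string the way mysqli_real_escape_string() would (MySQL syntax)."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)

def build_query_unsafe(username: str) -> str:
    """Vulnerable pattern from the slide: untrusted input concatenated into SQL."""
    return f"SELECT id FROM users WHERE name = '{username}'"

def build_query_escaped(username: str) -> str:
    """Slide's mitigation: escape first, then concatenate (valid SQL for MySQL only)."""
    return f"SELECT id FROM users WHERE name = '{mysql_escape(username)}'"

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Preferred defence: the value is bound as a parameter and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (username,))
    return [r[0] for r in rows]

def demo(payload: str = "x' or 'x'='x' --") -> dict:
    """Run the slide's payload against a constructed in-memory user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    # Concatenation: the quote closes the literal, 'x'='x' is always true,
    # and -- comments out the rest, so every row comes back.
    unsafe = [r[0] for r in conn.execute(build_query_unsafe(payload))]
    # Parameter binding: the whole payload is compared as a plain name, no match.
    safe = lookup_parameterized(conn, payload)
    # The escaped form reproduces the slide's output; it is returned as text only,
    # because backslash escaping is MySQL syntax and SQLite would not parse it.
    return {"unsafe_rows": unsafe, "parameterized_rows": safe,
            "escaped_query": build_query_escaped(payload)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Escaping only protects quoted string contexts; numeric or identifier positions, and any code path that forgets to call it, stay exposed, which is why binding parameters is the defence to reach for first.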
Insecure Direct Object Reference
• An insecure direct object reference arises when the developer exposes a reference to an internal implementation object, such as a file, directory, or database key.
• Without an access control check or other protection, an attacker can manipulate these references to reach data they are not authorized to see.
Insecure Direct Object Reference Prevention
• Never expose application or database internals to the public.
• Hide system objects behind non-guessable names and encrypt the reference values.
• Use server-side sessions rather than relying on cookies alone.
Cross Site Scripting
• Cross-site scripting flaws appear when the application receives untrusted data and sends it to the browser without validation or escaping.
• These flaws allow the attacker to execute scripts in the victim's browser, which may lead to:
1. Theft of the user's session.
2. Defacement of the website.
3. Redirection of the user to other malicious sites.
Cross Site Scripting Prevention
• Contextual Encoding:
1. HTML Encoding.
2. JavaScript Encoding.
3. CSS Encoding.
Denial Of Service
• A method of flooding the database or application service with a stream of requests, so that legitimate users are deprived of the service.
• This attack can be carried out with the tool slowhttptest.
Denial of Service Prevention
• Firewall.
• Cloud mitigation provider: DDoS attack detection and monitoring.
• Flow-Based Monitoring (PLXfbm).
• The service monitors NetFlow on your router.