it s worth a shot
play

Its worth a shot. https://youtu.be/7W5au-IJUEc Approach 1. What - PowerPoint PPT Presentation

Apr 30, 2023 •9 likes •199 views

Its worth a shot. https://youtu.be/7W5au-IJUEc Approach 1. What created the vulnerability. 2. How the vulnerability is exploited. 3. How to protect yourself. Web 2.0 What could possibly go wrong?! Servers send HTML and JS to clients

  1. It’s worth a shot. https://youtu.be/7W5au-IJUEc

  2. Approach 1. What created the vulnerability. 2. How the vulnerability is exploited. 3. How to protect yourself.

  3. Web 2.0 What could possibly go wrong?! Servers send HTML and JS to clients ● Clients execute JS that changes the ● DOM and makes requests back to the server HTML, CSS, JS Server Bingo

  4. Authentication Username and password… easy. Usually requires a username and password ● What kinds of passwords are acceptable? ● How should we send the username and password? ● How should we store and validate the username and password? ●

  5. Authentication Don’t store passwords in plaintext ● Hash! ●

  6. Authentication Password Storage random salt hash Hash password salt+hash function

  7. Authentication Password Validation salt Hash password salt+hash function hash to hash check Are hashed passwords match? uncrackable? No!

  8. Authentication Encryption We’re hashing passwords, so do we need encryption? ● We sure do! ● Thanks! Bongo HTTP POST Server salt+hash username, password Bingo

  9. Authentication Tokens We don’t want people to have to constantly log in ● We need to give the client a token that they can use to prove ● that they have authenticated successfully HTTPS POST username, password Server token Bingo

  10. Authentication Tokens Bongo fake Must identify the user ● token Must be signed with the server’s private key ● nope token Server OK Bingo

  11. SQL Injection What happens when name is “ or “” = “ ●

  12. SQL Injection Solving the problem. Blacklist certain characters ● Whitelist certain characters ● Use prepared statements ●

  13. Cross-site Scripting (XSS) Just stick to the script. www.bongo.com Stored XSS ● Check this out! Reflected XSS ● www.bank.com/profile?name=<script>...

  14. Cross-site Scripting (XSS) Protection. Sanitize inputs ● Escape HTML ● Use auto-escaping framework like React or Vue.js ●

  15. Cookies Just maintain state! No problem! HTTP is stateless ● Cookies are used to maintain state ● Store session information ○ Store user preferences ○ Track your every move... ○

  16. Cross-site Request Forgery (CSRF) It really wasn’t me this time. Your browser automatically attaches cookies to requests to the ● domain they came from

  17. Cross-site Request Forgery (CSRF) www.bongo.com malicious GET content www.bongo.com transfer <cookie> Server OK Bingo

  18. Cross-site Request Forgery (CSRF) Prevention. Don’t use GET to modify state ● Hidden nonces in forms ● Use Samesite cookies ● Check the origin or referer of the request ●

  19. Honorable Mentions Containers ● Metasploit (penetration testing): www.metasploit.com ● OWASP (web application security): www.owasp.org ● WebGoat: github.com/WebGoat/WebGoat ●

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership

Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership

Your Health is Worth A Shot Arpita Jindani Program Manager Immunization Initiative Partnership for Maternal and Child of Northern New Jersey by by Demographic Target Tweens and adolescents have low awareness regarding the need for

434 views • 17 slides
Kigali a fjlm by Andy Amadi Okoroafor Synopsis Kigali, Rwanda. For hot-shot expats, there are

Kigali a fjlm by Andy Amadi Okoroafor Synopsis Kigali, Rwanda. For hot-shot expats, there are

Kigali a fjlm by Andy Amadi Okoroafor Synopsis Kigali, Rwanda. For hot-shot expats, there are three things worth doing in the capital city: closing deals, partying, and playing moto polo the Rwandan-invented version of polo that substitutes

1.39k views • 7 slides
Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA

Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA

Fort Worth Public Art a City of Fort Worth Program Fort Worth Public Art (FWPA) FWPA established by City Ordinance in 2001 Funded by 2% of Bond Programs (Streets and Transportation 1%) City Council-appointed Fort Worth Art Commission

163 views • 15 slides
SHOT Brand Price NOTES WEST COAST MAGNUM SIZES 4 - 9 $ 39.20 Eagle shot prices may not be

SHOT Brand Price NOTES WEST COAST MAGNUM SIZES 4 - 9 $ 39.20 Eagle shot prices may not be

SHOT Brand Price NOTES WEST COAST MAGNUM SIZES 4 - 9 $ 39.20 Eagle shot prices may not be stable as prices are set when $ 37.20 EAGLE SHOT SIZES 7.5, 8.5, 9 supplier receives from Peru SPARTAN MAGNUM SHOT SIZES 7.5, 8.5, 9 $ 40.50

298 views • 6 slides
A New Vision of Assessment Texts Worth Reading Problems Worth Solving Tests Worth Taking NCSA

A New Vision of Assessment Texts Worth Reading Problems Worth Solving Tests Worth Taking NCSA

A New Vision of Assessment Texts Worth Reading Problems Worth Solving Tests Worth Taking NCSA June 2013 1 PARCC States PARCC Priorities 1. Determine whether students are college and career ready or on track 2. Connect to the Common Core

423 views • 41 slides
Zero-Shot Learning for Word Translation: Successes and Failures Ndapa Nakashole, University of

Zero-Shot Learning for Word Translation: Successes and Failures Ndapa Nakashole, University of

Zero-Shot Learning for Word Translation: Successes and Failures Ndapa Nakashole, University of California, San Diego 05 June 2018 Outline Introduction Successes Limitations 2 Zero-shot learning Zero-shot learning: ) at test

881 views • 49 slides
Siamese Network &amp; Matching Network for one-shot learning Reference Papers Siamese Neural

Siamese Network &amp; Matching Network for one-shot learning Reference Papers Siamese Neural

Reading Group 2016.11.22 Siamese Network &amp; Matching Network for one-shot learning Reference Papers Siamese Neural Networks for One-Shot Image Recognition (Gregory Koch, Ruslan Salakhutdinov) Matching Network for One-shot Learning (Oriol

802 views • 16 slides
Competing as an Innovation Community Some things worth knowing Some things worth considering

Competing as an Innovation Community Some things worth knowing Some things worth considering

Competing as an Innovation Community Some things worth knowing Some things worth considering Presented by: Jonathan Aberman Terry Clower Dean, Business School Northern Virginia Chair Marymount University Director, Center for Regional

352 views • 12 slides
Fred Yarur Nothing in the world is worth having or worth doing unless it means effort, pain,

Fred Yarur Nothing in the world is worth having or worth doing unless it means effort, pain,

Fred Yarur Nothing in the world is worth having or worth doing unless it means effort, pain, difficulty -T. Roosevelt 1. 2. 3. 4. 5. Repeat Acquire Estimate Sell Schedule Survey Qualify Produce Refer 2. 1. 3. 4. 5.

910 views • 55 slides
Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged

Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged

Passages worth the dig Passages worth the dig Matt 7.1-5 Judge not, that ye not be judged David Capes Senior Research Fellow Lanier Theological Library Judge Not . . . Really David Kinnamon, Barna Group Gabe Lyons, Fermi Project

390 views • 15 slides
Concepts with Few-shot Supervision Xuming He ShanghaiTech University

Concepts with Few-shot Supervision Xuming He ShanghaiTech University

Learning Structured Visual Concepts with Few-shot Supervision Xuming He ShanghaiTech University hexm@shanghaitech.edu.cn 1 12/5/2019 Outline Introduction Learning from very limited annotated data Background in few-shot

807 views • 52 slides
Horizontal Movable Shot Blasting Machine PW2-40DA Horizontal movable shot blasting machine Dust

Horizontal Movable Shot Blasting Machine PW2-40DA Horizontal movable shot blasting machine Dust

Horizontal Movable Shot Blasting Machine PW2-40DA Horizontal movable shot blasting machine Dust Collector QS1700 Road Cleaning Equipment Automatic Asphalt Distributor Chippings Spreader SS4000 self-propelled chip spreader Asphalt Rubber

372 views • 19 slides
Research Ethics Tyson S. Barrett, PhD PSY 3500 Was it worth it?

Research Ethics Tyson S. Barrett, PhD PSY 3500 Was it worth it?

Research Ethics Tyson S. Barrett, PhD PSY 3500 Was it worth it? https://www.britannica.com/event/Tuskegee-syphilis-study Was it worth it? Milgram (1963) Was it worth it? Milgram (1963) &quot;In a large number of cases, the degree of

165 views • 5 slides
Co-Representation Network for Generalized Zero-Shot Learning Fei Zhang, Guangming Shi XIDIAN

Co-Representation Network for Generalized Zero-Shot Learning Fei Zhang, Guangming Shi XIDIAN

Co-Representation Network for Generalized Zero-Shot Learning Fei Zhang, Guangming Shi XIDIAN UNIVERSITY ICML 2019 In Intr troduct oduction ion Classic Deep CNN Data requirements decrease Predict Transfer Learning Few-Shot

456 views • 11 slides
2017 Audit and Accounting update Peter Worth Director Worth Technical Accounting Solutions

2017 Audit and Accounting update Peter Worth Director Worth Technical Accounting Solutions

cipfa.org.uk Local Government Pension Funds: 2017 Audit and Accounting update Peter Worth Director Worth Technical Accounting Solutions Worth Technical Accounting Solutions Worth Technical Accounting Solutions 1 1 This session will cover:

468 views • 14 slides
Predicting Deep Zero-Shot Convolutional Neural Networks using Textual Descriptions Jimmy Lei Ba,

Predicting Deep Zero-Shot Convolutional Neural Networks using Textual Descriptions Jimmy Lei Ba,

Predicting Deep Zero-Shot Convolutional Neural Networks using Textual Descriptions Jimmy Lei Ba, Kevin Swersky, Sanja Fidler, Ruslan Salakhutdinov ICCV 2015 Presenter: Fartash Faghri Zero-shot Learning Classify images of an unseen class

156 views • 12 slides
WORKING FOR A HEALTHIER TENNESSEE September Wellness Council Webinar In collaboration with the

WORKING FOR A HEALTHIER TENNESSEE September Wellness Council Webinar In collaboration with the

Follow us! Join us on social media for health and wellness news, recipe ideas, motivation to reach your goals and more! /WFHTN @WFHTN /TNSiteChampions @WorkingForAHealthierTN WORKING FOR A HEALTHIER TENNESSEE September Wellness Council

284 views • 26 slides
Workshop 4: Posing Purposeful Ques4ons NCTM Interac4ve Ins4tute, 2016 Name Title/Posi4on

Workshop 4: Posing Purposeful Ques4ons NCTM Interac4ve Ins4tute, 2016 Name Title/Posi4on

Workshop 4: Posing Purposeful Ques4ons NCTM Interac4ve Ins4tute, 2016 Name Title/Posi4on Affilia4on Email Address Warm Up Make a 3 x 3 grid on your paper. Select 9 different numbers in the range 20 to 20. Arrange them in any order in

503 views • 19 slides
Overview InfoVis Validation Approaches Paper Types: Technique algorithm complexity analysis

Overview InfoVis Validation Approaches Paper Types: Technique algorithm complexity analysis

Overview InfoVis Validation Approaches Paper Types: Technique algorithm complexity analysis Lecture 16: Writing InfoVis Papers Initial Stage: Paper Types implementation performance (speed, memory) paper types as guide through

285 views • 4 slides
Fractal Prefetching B+-Trees: Optimizing Both Cache and Disk Performance Shimin Chen, Phillip B.

Fractal Prefetching B+-Trees: Optimizing Both Cache and Disk Performance Shimin Chen, Phillip B.

Introduction Optimizing I/O Performance Optimizing Cache Performance Evaluation Discussion Fractal Prefetching B+-Trees: Optimizing Both Cache and Disk Performance Shimin Chen, Phillip B. Gibbons, Todd C. Mowry, and Gary Valentin October 3,

341 views • 32 slides
Workshop Hanna Layton Management Intern Center for Mindfulness, Compassion and Resilience

Workshop Hanna Layton Management Intern Center for Mindfulness, Compassion and Resilience

Compassion Fatigue Workshop Hanna Layton Management Intern Center for Mindfulness, Compassion and Resilience Centering Practice What is Compassion Fatigue? Natural consequent behaviors and emotions of stress Result from caring

508 views • 20 slides
What is a biography? Biographies A biography gives facts about a persons life. It is not

What is a biography? Biographies A biography gives facts about a persons life. It is not

w/c 8 th June What is a biography? Biographies A biography gives facts about a persons life. It is not written by the subject of the book but by an author who has done their research and knows a great deal about that person. Biographies

483 views • 9 slides
Welcome Lakehurst Small Business Roundtable (LKE-SBR) July General Meeting Topic: Winning

Welcome Lakehurst Small Business Roundtable (LKE-SBR) July General Meeting Topic: Winning

Welcome Lakehurst Small Business Roundtable (LKE-SBR) July General Meeting Topic: Winning Proposals Guest Speakers from: NAWCAD Lakehurst Program Management Department NAWCAD Lakehurst Contracts Department JMR Program Management LLC Account

132 views • 12 slides
COMPLEX ORGANIZATIONS Prepared for: UW Foster School of Business Executive MBA Program October

COMPLEX ORGANIZATIONS Prepared for: UW Foster School of Business Executive MBA Program October

LEADERSHIP OF COMPLEX ORGANIZATIONS Prepared for: UW Foster School of Business Executive MBA Program October 11, 2017 BARRY R. McCAFFREY GENERAL, USA (RETIRED) 3213 West Wheeler St, Suite 701 GEN Barry R. McCaffrey, USA (Ret.) Seattle, WA

248 views • 10 slides

More recommend