Web Application Security - Stanford University

Spring 2014

CS 155

Web Application Security

John Mitchell

Reported Web Vulnerabilities "In the Wild"

Data from aggregator and validator of NVD-reported vulnerabilities

Three top web site vulnerabilities

- SQL Injection
  - Browser sends malicious input to server
  - Bad input checking leads to malicious SQL query
- CSRF - Cross-site request forgery
  - Bad web site sends browser request to good web site, using credentials of an innocent victim
- XSS - Cross-site scripting
  - Bad web site sends innocent victim a script that steals information from an honest web site

Three top web site vulnerabilities (annotated)

- SQL Injection
  - Browser sends malicious input to server
  - Bad input checking leads to malicious SQL query
  - Annotation: uses SQL to change the meaning of a database command
- CSRF - Cross-site request forgery
  - Bad web site sends request to good web site, using credentials of an innocent victim who "visits" the site
  - Annotation: leverages the user's session at the victim server
- XSS - Cross-site scripting
  - Bad web site sends innocent victim a script that steals information from an honest web site
  - Annotation: injects a malicious script into a trusted context
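The SQL injection bullet above says that bad input checking lets attacker-supplied text change the meaning of a database command. The following added example (not from the lecture) makes that concrete with a constructed in-memory SQLite table: the login check that splices input into the SQL string returns every user for a crafted username, while the parameterized version treats the same input purely as data. The table, rows and function names are assumptions for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users, plaintext passwords
    only to keep the demonstration short (not a recommended design)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, pw):
    """Bad input checking: untrusted strings are spliced into the SQL
    text, so quote characters in the input become part of the command
    and can change its meaning (the bug the slide describes)."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, pw):
    """Mitigation: a parameterized query. The driver binds the values
    separately from the SQL text, so input can never alter the command."""
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, pw)))


if __name__ == "__main__":
    db = make_db()
    # Constructed malicious input: closes the string literal and appends
    # an always-true condition, so the WHERE clause matches every row.
    crafted = "' OR '1'='1"
    print("vulnerable, valid creds  :", login_vulnerable(db, "alice", "s3cret"))
    print("vulnerable, crafted input:", login_vulnerable(db, crafted, crafted))
    print("safe, crafted input      :", login_safe(db, crafted, crafted))
```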

Command Injection

Background for SQL Injection
