Security: 22May2017
Application security
Endpoint security
Network security: Authentication
Content security
One factor authentication
Two factor authentication, e.g. ATM card & PIN
Content Security:
Public data: Username
Private data: Password
Confidentiality: Encryption
Encryption + Decryption = Cryptography
Integrity: Hash code for checking that the data received from the sender is complete
Security Trio:
All three below cannot be fully obtained at the same time: if the application is made more secure, ease of use becomes more difficult.
1. Security
2. Functionality
3. Ease of Use
Security Terminology:
1. Asset:
Tangible asset: Physical assets
Intangible asset: Software and licenses
2. Threat: A change to an asset caused by an intruder
3. Vulnerability: A weakness in the application
4. Attack:
5. Exploit: Stealing the data so that the intruder benefits
6. Payload: The attacker writes a query and gets data
7. Zero-Day: An attack with no solution yet
Initially SQL injection had no solution
8. Risk
Security Control:
OWASP: Open Web Application Security Project
Attack Surface:
The attack surface is the sum total of all the vulnerabilities in an application
Ex: user input, protocols, interfaces
Elements of Security:
1. Confidentiality
2. Integrity
3. Availability: its negative is Denial of Service
Authorization: Access control
Authentication: Identifying whether a user is valid or not
Non-Repudiation:
Digital Certificate:
SHA: Secure Hash Algorithm
MD5: Message Digest
RSA
Kinds of Attack:
Injection:
Command injection
Code injection
SQL injection
SQL injection:
Numerical SQL Injection
String SQL Injection
WebScarab tool for editing the request and response
Blind SQL Injection
To find the database, tables and contents of the website, the Kali 2016 OS with the SQLMAP tool can be used.
There are several commands with which all the details can be obtained whenever the page shows an error.
ex: sqlmap -h (for help)
sqlmap -u "websiteurl" --dbs (for getting the database names)
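As an added example (not from the original notes): the difference between numerical and string SQL injection, and why a parameterised query stops both, shown in Python against an in-memory SQLite table of constructed sample users. The function and table names are my own assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s1"), (2, "bob", "s2"), (3, "carol", "s3")])
    return conn

def lookup_by_id_vulnerable(conn, user_id):
    # Numerical SQL injection: the value is pasted straight into the query text,
    # so anything after the number becomes part of the WHERE clause.
    sql = "SELECT name FROM users WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]

def lookup_by_name_vulnerable(conn, name):
    # String SQL injection: the value is quoted, but still built by concatenation,
    # so a quote character inside the input closes the string early.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_by_name_safe(conn, name):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so the input is only ever compared as data, never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def lookup_by_id_safe(conn, user_id):
    # For numeric input, validate the type first, then bind it as a parameter.
    if not isinstance(user_id, int):
        raise ValueError("id must be an integer")
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]
```

The vulnerable lookups return every row when the input carries an extra condition, while the safe versions either return nothing or reject the input before it reaches the database.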
Cross-Site Scripting:
1. Stored / Persistent
2. Reflected / Temporary
Cross-Site Request Forgery (CSRF/XSRF): in .NET it is also called the view state one-click attack