... – System uses Kerberos to validate a user password.
– Client obtains ticket for user.
• Service immaterial, usually ticket granting service (TGS).
• If authenticator successfully decrypted, password valid.
• System erases ticket and session key.
... Designing Secure Code
Defense in Depth
Secure by Design
Security features != Secure features
... Attempt to obtain product information through HTTP headers
that disclose information about the sender’s system.
Attackers may be able to use this data to more effectively
attack the system.
all the web without the risk
... perimeter. The VM is configured so that the VPN is the only
allowed network device for any Internet traffic in or out of the
This restriction ensures that, were malware to access the
VM, it would not be able to see, map or attack any other
infrastructure within the network.
Using a second VPN fr ...
Compensation 101 - Christopher S. Foree
... B. Today’s web applications often store quite a
lot of information in the client’s browser (e.g.
C. Since XSS relies on code that gets executed
on a client’s browser, client-side data can be
manipulated and hijacked, and the user can
be redirected to malicious websites
... • Protect web content from those who don’t have a “need to know”
• Require users to authenticate using a userid/password before they are
allowed access to certain URLs
• HTTP/1.1 requires that when a user makes a request for a protected
resource the server responds with an authentication request head ...
A Hands-On Environment for Teaching Networks
... Use a SYN cookie to carry the capability at first
Place in timestamp of all subsequent ACKs from server
Cookie is computed over connection 4-tuple
Do's and Don'ts for web application developers
... Examine the data logged to determine if any
sensitive information is being stored in the
logs (e.g. userID, passwords).
Review and remove, where possible,
redundant, readable and downloadable files
on a web server, such as old, backup and
Disable Autocomplete using
AUTOCOMPLETE=OFF at ...
Slides - NUS Security Research
... • Test three sets of applications using major
– Facebook PHP SDK, Microsoft Live Connect, Windows 8
Authentication Broker SDK
– 78%, 86%, 67% are vulnerable
– Lead to modification of OAuth 2.0 specification
Website Security - National Chi Nan University
... A2. Injection Flaw: SQL Injection and Command Injection
A3. Malicious File Execution
A4. Insecure Direct Object Reference
A5. Cross-Site Request Forgery (CSRF)
A9. Insecure Communication
A10. Failure to Restrict URL Access (Failure to Rest ...
Neutral Net Neutrality
... Network Cookie : A small piece of data users append to their traffic
1. Get cookie for each service
2. User appends cookies to the desired traffic
3. Network matches against them and enforces service
Web Application Security
... Unvalidated input can cause a web application to fail
or introduce security problems.
Attackers can tamper with any part of an HTTP
request to try to bypass the site’s security
URL, query string, headers, cookies, form fields, hidden
... serving the users of the Internet community. It has 61 agencies
It provides services such as: investigation, tracking, recording,
prosecution, termination of the criminal activities on the
The organization has a database that contains records of every
criminal reported since 19 ...
Security of Cookies in a computer lab setting
... What are cookies?
• “Cookies are a general mechanism which
server side connections can use to both store
and retrieve information on the client side
of the connection.” - Netscape
• Also known as “Magic Cookies”
• Cookies can only be read by the website
that issued them
Cookie - CUHK CSE
... <%-- In login.jsp --%>
<% String attemptParam = request.getParameter("attempt");
Session 8: Working with Form
... Session data: can be trusted if the value is set based on validated data.
$_SERVER superglobal: comes from the browser, can't be trusted
User data should be checked and escaped properly
... of personal information into a cookie go
unnoticed, so does access to it. Web
servers automatically gain access to
relevant cookies whenever the user
establishes a connection to them
Some people may find this invasive to
their privacy, but usually the use of this
information is harmless
... Third party cookies
• Third party cookies are those set by other
web sites appearing on the selected web site,
such as adverts
• Advertising companies use third-party
cookies to track a user across multiple sites
and build a picture of their browsing history
• This allows the advertising company to ...
An HTTP cookie (also called web cookie, Internet cookie, browser cookie or simply cookie, the latter not to be confused with the literal definition) is a small piece of data sent from a website and stored in a user's web browser while the user is browsing that website. Every time the user loads the website, the browser sends the cookie back to the server to notify the website of the user's previous activity. Cookies were designed to be a reliable mechanism for websites to remember stateful information (such as items in a shopping cart) or to record the user's browsing activity (including clicking particular buttons, logging in, or recording which pages were visited by the user as far back as months or years ago).
Although, when everything is working correctly, cookies cannot carry viruses and cannot install malware on the host computer, tracking cookies, and especially third-party tracking cookies, are commonly used as ways to compile long-term records of individuals' browsing histories, a potential privacy concern that prompted European and U.S. lawmakers to take action in 2011. Cookies can also store passwords and form content a user has previously entered, such as a credit card number or an address.
Other kinds of cookies perform essential functions in the modern web. Perhaps most importantly, authentication cookies are the most common method used by web servers to know whether the user is logged in or not, and which account they are logged in with. Without such a mechanism, the site would not know whether to send a page containing sensitive information, or require the user to authenticate themselves by logging in. The security of an authentication cookie generally depends on the security of the issuing website and the user's web browser, and on whether the cookie data is encrypted.
Security vulnerabilities may allow a cookie's data to be read by a hacker, used to gain access to user data, or used to gain access (with the user's credentials) to the website to which the cookie belongs (see cross-site scripting and cross-site request forgery for examples).