CHND 10
What is Open Database Connectivity (ODBC)?
• A standard database access method developed by the SQL Access Group
• ODBC interface: allows an application to access data stored in a database management system (DBMS), or in any system that can recognize and issue ODBC commands
What are Active Server Pages (ASP)?
• ASP and ASP.NET: two other technologies that developers can use to display HTML documents to users on the fly
• Uses a compiled server-side language (such as C#) and the .NET framework
What is Dynamic Application Security Testing (DAST)?
• Analysis of a running application for vulnerabilities
• Can be used alongside SAST to prioritize SAST findings
What is Apache Web Server?
• Another web server program
• 2021: Apache Web Server has 31.7% of the web server market share, compared to 6.7% for IIS
• Advantages: works on just about any *nix and Windows platform; free
• The Apache Web Server daemon (httpd) is included by default in Kali Linux
What is Interactive Application Security Testing (IAST)?
• Combines elements of both SAST and DAST
• Uses an agent inside the application to perform its analysis in real time, at any point in the development process
What are the steps for accessing a database from an ASP webpage?
1. Create an ADO connection to the database you want to access
2. Open the database connection you created in Step 1
3. Create an ADO recordset
4. Open the recordset
5. Select the data you need from the recordset, based on particular criteria
6. Close the recordset and the database connection
What are static webpages?
• Created using HTML
• Display the same information regardless of the time of day or the user who accesses the page
What can attackers who control a web server do?
• Deface the website
• Destroy the application's database or sell its contents
• Gain control of user accounts
• Perform secondary attacks from the web server
• Gain access to other servers that are part of the network infrastructure
What questions should security testers look for answers to?
• Does the application have a database?
• Does the application require authentication?
• Does the application have static or dynamic pages?
• What languages and platform does the application use?
• Are there devices between your web browser and the application designed to stop attacks from occurring?
• How does data flow in the application?
What is PHP: Hypertext Preprocessor (PHP)?
• An open-source server-side scripting language that enables the creation of dynamic webpages
• Embedded in an HTML webpage by using the PHP tags <?php and ?>
• Users cannot see PHP code in their web browser, because PHP webpages run on the server
• Originally used mainly on UNIX systems; now more widely used on many platforms, including Macintosh and Windows
What is the Common Gateway Interface (CGI)?
• Handles moving data from a web server to a web browser
• Enables web designers to create dynamic HTML web applications
• Many dynamic webpages are created with CGI and scripting languages
• CGI programs can be written in many programming and scripting languages: C/C++, Perl, UNIX shells, Visual Basic, and Java
What are dynamic webpages?
• The information that is displayed varies
• Need special components for displaying information that changes depending on user input or on information from a back-end server
• Use a variety of tools: the <form> element, Asynchronous JavaScript and XML (AJAX), Common Gateway Interface (CGI), Active Server Pages (ASP.NET), Java Server Pages (JSP), Hypertext Preprocessor (PHP), ColdFusion (CF), JavaScript (JS), and database connector strings
How is ODBC interoperability accomplished?
• A library of ODBC function calls that allows an application to connect to a DBMS, run SQL statements, and retrieve the results
• A standard method of connecting to and logging on to a DBMS
What is Object Linking and Embedding Database (OLE DB)?
• A set of interfaces that enable applications to access data stored in a DBMS
• Designed by Microsoft
• Faster, more efficient, and more stable than ODBC
• Relies on connection strings that allow the application to access data stored on an external device
• Different providers can be used, depending on the data source
What is ColdFusion?
• A server-side scripting language used to develop dynamic webpages
• Created by Allaire Corporation; now owned by Adobe Systems, Inc.
• Uses proprietary tags, written in ColdFusion Markup Language (CFML)
• CFML web applications can contain other client-side technologies, such as HTML and JavaScript
What is input validation?
• The act of filtering, rejecting, or sanitizing a user's untrusted input before the application processes it
• Security testers should check for the possibility of SQL injection being used to attack the system
• SQL injection (SQLi): an attacker supplies SQL commands when prompted to fill in a web application field
What does the <form> element do in HTML?
• Allows customers to submit information to the web server
What is WebGoat?
• An online utility that helps beginning security testers understand the web application vulnerabilities covered in this list
• The WebGoat project helps security testers learn how to conduct vulnerability testing on web applications
• Experts from all over the world use WebGoat and offer their input
What are ActiveX Data Objects (ADO)?
• A programming interface for connecting a web application to a database
• Defines a set of technologies that allow applications to interact with the web
What is Static Application Security Testing (SAST)?
• Analyzing an application's source code for vulnerabilities
• Only possible when the source code is available
• A reliable way to enumerate most application vulnerabilities
What is the Open Web Application Security Project (OWASP)?
• A not-for-profit organization
• Finds and fights the causes of web application vulnerabilities
• Publishes the "Ten Most Critical Web Application Security Risks" paper
• Built into the Payment Card Industry (PCI) Data Security Standard (DSS)
What is JavaScript?
• A scripting language used for creating dynamic webpages
• Has the power of a programming language: branching, looping, and testing
• Creates functions and procedures in HTML webpages