Time
9 hours 48 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:00
Okay, So one of the things that constantly amuses me is how we will try whatever we can to get around the system. This actually doesn't work. But what the driver of this car was hoping to do is to bypass those security cameras where they snapshots your license plate and enter them into a database.
00:20
So
00:21
his idea is, Hey, if I dropped the database table, maybe my information will be cleared from the record. And this said it. Full speed traps. It doesn't. This doesn't actually work there a couple of little issues with it. But the bottom line is,
00:36
we tend to be crafty, especially when it comes to getting around traffic tickets. I know that. That's one of
00:43
one of the things that I liketo think about doing.
00:47
No.
00:48
Did I just admit to that that's not what I meant at all?
00:51
Okay, but the bottom line, an example of code injection. And how do we mitigate code injection? We mitigate code injection by using input validation, limit field links, limited data types. So, for instance, for a date, you have no business entering in letters, right? Should be,
01:08
you know, two characters, two characters, four characters,
01:11
all numeric. Um, making sure that certain that a definition languages like drop tables are not allowed us input. There's no reason for that. Nobody's named Johnny drop tables, right? So don't allow that stuff in your database
01:27
now. Like I said, I'm not gonna read every one of the's. But just to enhance your knowledge, it's probably as I scroll through them worth you getting a screenshot? Numbness, if I don't talk about, is probably not testable, but just again to enhance your knowledge. And you can go upto a wasp. You don't have to, you know, take my screen shots.
01:47
But it's all about
01:49
what we know, right? So broken authentication, Just some way that authentication fails. I don't properly authenticate you. I'm just using password authentication, authentication, information, being sent in clear text. You know, lots of different ways in sensitive bad exposure can happen
02:07
a 1,000,000 different ways. We don't rip that in storage. We don't encrypt it. Motion. We allow, um
02:15
uh, social engineering people to bypass the normal security mechanisms. You know, this isn't a specific attack. This is just a general exploit.
02:27
Hey, um,
02:29
security, Miss configurations.
02:31
Just not, you know, leaving default settings
02:36
having um not locking down the ability to traverse folders or files on a website, Right? Just
02:44
any sort of miss configuration. Will we test to ensure we don't have those miss those miss configurations? We test as much as possible, right?
02:53
Um, cross site scripting cross site scripting is an issue that has been the thorn in our sides for a long time now. It is actually less popular, less common than it waas in the 2013 a wasp, it was the number one exploit
03:10
in 2013. Now it's fallen down to number seven. That still means it's quite heavy, right?
03:15
Still a lot of risk with cross site scripting. So the idea is any cross site Scripting is a threat to the end user,
03:23
so they are perhaps directed to a page that's either been compromised or to a rogue page. And when they dio and their browser goes toe load, what's on the page? There's a malicious script that runs. There are lots of ways that that can happen. But the bottom line is
03:42
this isn't a threat to the backend database.
03:44
This is a threat to the user appliance system in their browser. So, for instance, you know the job of your browser is to run the code that's displayed, or that's, you know, the code that's present in the website. If there's a malicious code that it's gonna be one, um,
04:02
vulnerable component usage, that simply means that we sometimes copy and paste code. We sometimes use deprecate ID code that's not still supported. We may use AP eyes that are not secure. You basically just the fact that we cut corners, sometimes
04:23
insufficient logging and monitoring. If we're not watching, we don't know what happens, all right. So, like I said, not meant to be an in depth study of a loss. But just hitting a couple off the issues that our greatest concern tow us,
04:35
understand the benefits of a WASP and understand the handful of attacks there, and some of these will get into more in depth.
04:44
But ultimately, just understanding is part of due diligence that we educate ourselves and that we're aware off the threats that exist in Goa specifically dresses those threats in relation to Web applications

Up Next

Certified Cloud Security Professional (CCSP)

This Certified Cloud Security Professional (CCSP) certification course covers topics across six domains, to ensure the candidate has a wide range of competencies and is capable in the assessment and implementation of cloud service solutions.

Instructed By

Instructor Profile Image
Kelly Handerhan
Senior Instructor