Application Attacks

Time
7 hours 50 minutes
Difficulty
Beginner
CEU/CPE
8
Video Transcription
Our next topic is application attacks. Ultimately that's where the vulnerabilities are. They're in our applications, but first of all, have you ever taken a class in programming? If so, how much of that class was devoted to writing secure code? I'm going to guess that none of that class was devoted to writing secure code. Am I right? Probably I'm right, because most of the classes, especially early on, focus just on functionality. Then we tend to think of security as an afterthought. As long as we do that, we're never going to produce secure code. Security needs to be planned-in, built-in, and designed-in. It needs to be tested and reviewed. Certification processes and accreditation processes need to focus on security. It really needs to be a purposeful process. Until we start designing our applications in a more secure fashion and implement security throughout the software development life-cycle, we're going to continue to see the security issues that we see.

In this lesson, I'll give you an overview of the types of application attacks we're going to talk about in the next few sections.

The first attack that we're going to look at is a code injection attack. You've probably heard the phrase "garbage in, garbage out." Well, there are certain elements of code that I can inject into database applications that will cause problems on the backend. That's code injection. Sometimes we call that fuzzing, or sometimes you'll hear fuzzing used to describe a penetration test to determine if an application can sufficiently withstand code injection. Just be familiar with the term fuzzing, which is like testing the application to see what it will accept.

The next one that we'll look at is cross-site scripting. Cross-site scripting is all about taking advantage of a user's trust in a website. A user visits a website that they trust, and yet an attacker has done something on the backend to corrupt the website or redirect the user to a rogue site by taking advantage of some scripting and causing some malicious attack. With cross-site scripting, the attack is going to ultimately impact the user's system.

Now, cross-site request forgery, or XSRF, sounds familiar, but it's actually like the opposite of cross-site scripting. Cross-site request forgery is going to take advantage of a website's trust in a user. Basically, a user logs in and they have already authenticated to a site like a banking server, for example. Then a hacker is going to step in and take advantage of that preexisting session and use that to manipulate their activity on the backend.

We'll also talk about race conditions. Anytime you hear of an attack that has to do with timing, it's always a race condition.

Last but not least, we're going to talk about memory issues. A lot of times, exploiting issues with memory is part of a denial of service attack. If I can overwhelm what a system is expecting or provide it with something out of range, that can trigger a memory issue, which can trigger the system to lock up or stop responding. That's what we're going to look at next.