Transcript Hacking

Defense in Depth
[Diagram: a "Defense in Depth" view of a SQL injection attempt against a web site, drawn as a series of layers. The layer labels that survive extraction are: Net Appliance, Web Server (usually IIS or Apache), Custom HTTP Handler, Input Validation, Sanitize Input, DB Conn String, Master database / xp_cmdshell, Pwds and SSNs. The annotation text beside each layer was scrambled across columns; the points that can still be recovered are that a hacker who discovers a vulnerable web page may forge requests to bypass client-side validation, that the net appliance examines data sent to the web site against a black list of suspicious characters, that unnecessary web server features should be disabled, that input validation (JavaScript or custom code) checks the length of data and looks for suspicious input, that sanitizing input replaces a single quote with two single quotes, that what SQL injection code can do is largely limited by the permissions provided through the database connection string, that xp_cmdshell should be disabled, and that passwords should be hashed and sensitive data such as social security numbers and credit card numbers encrypted.]

September 22, 2011
Rob Kraft – www.KraftSoftware.com