Web security
Prepared By: Arafat El-mdhon, Ahmed El-falouji “AnAs”
Supervised By: Ms. Iman El-ajrame

Transcript of Web security (23 pages)

Page 1: Web security. Prepared By: Arafat El-mdhon, Ahmed El-falouji “AnAs”. Supervised By: Ms. Iman El-ajrame.

Page 2:

Outline
• Introduction
• Supply Chain
• Supply Chain Management
  – E-Supply Chain Management
• E-Supply Chain Transactions over the Internet
• Infrastructure for E-SCM
• Information Technology: A Supply Chain Enabler

Page 3:

First, the definition of web security: maintaining the security of sites and servers, which covers the following points:

Page 4:

The difference between operating systems with respect to information security:

• First, the Linux system:

1 - It is the strongest system ever, for several reasons.

2 - It does not support many of the file formats, such as exe, that are the most dangerous.

3 - It supports very few of the viruses that other systems support.

4 - It is an open-source system, so any programmer is entitled to modify it for better and stronger protection.

5 - It separates the privileges of its users from those of the administrator.

6 - It supports programming languages with great flexibility.

7 - It has opened the way for more programmers to make security modifications and send what they have adjusted to the Linux parent company.

8 - It has a strong permissions system, and it is not used by everyone the way Windows is, which helps it maintain its strength in security.

Page 5:

Cont…

• Second, the Windows system: despite the flaws in Windows, it has advantages:

1 - Ease of use, since it is close to the systems that all users are accustomed to.

2 - It supports all programming languages, such as PHP and the original ASP, while systems such as Linux do not support all programming languages.

3 - It is difficult to run hacker tools aimed at Windows, because of the differences between SQL Server and MySQL.

4 - Its control panels are much safer and less widespread.

Page 6:

Cont…

A gap (vulnerability) is a software error in a script or program; in general we can say it is a software error in the code, because that code can be a module, an addon, or a template. Of course, what we care about is the gaps that can be exploited. There are several kinds.

Kinds of gaps in web systems, and how to protect against them:

Type I: gaps in servers
Type II: gaps in programs
Type III: gaps in sites

Page 7:

Gaps: Servers

• These are loopholes in the server's operating system, in its kernel, or in the major programs that come with the server or the system. Exploiting these vulnerabilities poses a risk to the server, because it leads to gaining privileges to change things or to do things detrimental to the server. The things a server gap can cause are many, especially if the gap is in the kernel of the system itself rather than in added software or the like, because an error in the kernel causes many problems that can be used in multiple ways: adding a new administrator to the system, taking the administrator's privileges, tampering with the system settings, and many other things.

Page 8:

Gaps in programs:

• These are software errors in a program's code whose exploitation makes it possible to control and direct the program to do certain things. How dangerous the gap is depends on the program's function and its privilege level; each hole differs from the others according to its type, its direction, and where it operates. For example, a gap in a program that runs with system administrator privileges and is connected to the system and the kernel can be as dangerous as a gap in the system or the kernel itself. But a gap in a program that has no unusual privileges, or no privileges at all, or only modest ones, will lead only to relatively simple actions and is less dangerous to the system. So the seriousness of a gap depends on the program: how it relates to the kernel and what its terms of reference are on the server.

Page 9:

Gaps in sites:

• These are software errors in a script. Such an error can be used to extract information from the site, and some gaps give partial control of the site, which sometimes leads to the possibility of full control. The danger of gaps in sites is that, once the site is controlled, full control of or access to the server and the server's files follows, which leads to a breach of the server.

Page 10:

Types of gaps in sites: Cont..

• Database injection gaps: these are gaps that involve manipulating the values of the variables used in queries, so as to create a new query, based on the original query, that performs a particular function. Most manipulations are used to display data such as usernames and passwords if they are stored in the database. In some cases the attacker gains the ability to create files on the server or to read files from it. The danger of these gaps is that an SQL server that is not well protected lets him use all the query functions.

Page 11:

Cont>>>

• They are serious, so the server must be well protected, because they can reveal the username and password of the site. Control of the site or the script leads to partial control, then full control, and then control of and access to the servers, among other things. These gaps are among the most dangerous.

• Consider this login code:

$user_name = "swalif";
$password = "softs";
$query = "SELECT * FROM users WHERE user='$user_name' AND password='$password'";
mysql_query($query);

• Imagine if the password became:

$password = "' OR ''='";

• The SQL command then becomes:

$query = "SELECT * FROM users WHERE user='swalif' AND password='' OR ''='' ";
mysql_query($query);

• In this way he may be able to log in to the different sections of your site without needing the correct username or password.

Page 12:

Cont…

• It does not stop there. Imagine if he entered this sentence as the password:

$password = "'; DROP DATABASE database_name;";

• The query is translated to:

$query = "SELECT * FROM users WHERE user='swalif' AND password=''; DROP DATABASE database_name;'";
mysql_query($query);

• Command Execution gaps:

These are gaps that allow commands to be executed directly through one of the existing scripts. They are among the most serious gaps because they give access to the server directly, without the need for further action or time. They are similar to Remote File Include gaps in their mechanism of work, but even more so.
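The login bypass described on the previous two pages, worked through against a live in-memory SQLite table as an added example. This is not the presentation's PHP: the table rows and the DROP TABLE payload are constructed, the string-built query mirrors the page's snippet, and the parameterised version is the fix the page does not show.

```python
import sqlite3

# Constructed sample rows standing in for the page's `users` table.
ROWS = [("swalif", "softs"), ("admin", "s3cret")]

def _db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con

def login_vulnerable(user_name, password):
    """Builds the query by string interpolation, exactly like the page's
    PHP; a password of ' OR ''=' turns the WHERE clause into
    (user='swalif' AND password='') OR ''='' which matches every row."""
    query = (f"SELECT * FROM users WHERE user='{user_name}' "
             f"AND password='{password}'")
    return _db().execute(query).fetchone() is not None

def login_safe(user_name, password):
    """Parameterised query: the values travel separately from the SQL
    text, so quotes inside them are data, never syntax."""
    query = "SELECT * FROM users WHERE user=? AND password=?"
    return _db().execute(query, (user_name, password)).fetchone() is not None

def stacked_payload_result(password):
    """The page's second payload appends a second statement. Drivers that
    accept only one statement per call (PHP's mysql_query(), Python's
    sqlite3 execute()) refuse it; a driver or API that allows multiple
    statements would run it. Returns 'rejected' or 'ran'."""
    query = f"SELECT * FROM users WHERE user='swalif' AND password='{password}'"
    try:
        _db().execute(query)
    except (sqlite3.Warning, sqlite3.Error):
        return "rejected"
    return "ran"
```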

Page 13:

• Local file include: file inclusion is the process by which a script includes an internal code file, and the application then executes that code, or reads its contents if it is not code. It is used to read server files, or to run a shell that was uploaded to the same server; this varies according to the conditions of exploitation and the code.

• Remote File Include: this is the process of including an external file into the application. It is more serious than local file include, because it does not require uploading the file to the same server, or even abiding by conditions and searching for entry points and paths, etc. All that is needed is to upload the shell externally and it will be included in any page. It is very close to command execution.

Page 14:

Definition:

• File Upload:

These are gaps that enable you to upload files to the server, and the application then runs their code.

• File Disclosure:

These are gaps that enable you to read files on the server.

Page 15:

First: XSS

• These are serious gaps, widely used, and they are used in two ways. The first use is to obtain all the information on the target device, including all passwords; the other is to exploit those passwords to hack sites. It relies on stealing the passwords of the targeted person, and the most targeted sites are forums and sites with a profile feature, because the website allows uploading small files containing HTML code to the profile; when a person visits the site, those small files steal all of his passwords. The code is also exploited by injecting it into the site's links, seeking to steal the passwords of each person who enters the site, including the site manager; stealing his information leads to the site being hacked easily. It is also serious for global sites such as Hotmail, PayPal, and sites that hold Visa data.

Page 16:

Cont…

• Protection: clear cookies periodically, disable active-content support in the browser, and disable features such as the profile, HTML, and the like.

Second: File include

• This is one of the most dangerous vulnerabilities. These gaps involve certain files in the programming that allow the hacker to upload files, such as shells, through that vulnerability without any check of the file type. The hacker then reads the text and easily controls the server through the shell; uploading the shell means he can run commands on the system, whether the server system is Windows or Linux. For example, I mean:

www.llllloooooz.com/web.php?r=http://shale.txt

Page 17:

Cont

• Here the shell was uploaded through the variable of the affected site, and this type of vulnerability may give serious access to root on the server. As for protecting the server from this gap, the best way to protect against it is to add a conditional statement, the following code, before uploading files:

$var = $_FILES["file"]["type"]; // type reported by the client for the uploaded file
if ($var == "application/x-php" or $var == "text/plain") {
    echo "error message";
} else {
    // upload code
}
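The check above decides on the MIME type the browser sends, which the uploader chooses freely. As an added example (not the presentation's code), the following Python validates by an allowlisted extension and the file's own leading bytes instead, stores the file under a random name, and resolves the target of a web.php?r=... style include from a fixed map; ALLOWED_TYPES and the page map are assumptions.

```python
import os
import secrets

# Allowlisted extensions and the leading bytes a real file of that type
# starts with. Constructed for this example; extend it to the types your
# upload form accepts.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

def check_upload(client_type, filename, content):
    """Validate an upload. client_type is the browser-supplied MIME type
    ($_FILES['file']['type'] in PHP): the uploader controls it, so it is
    reported in messages but never used to decide. Returns (ok, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} not allowed (client said {client_type!r})"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content is not a {ext} file (client said {client_type!r})"
    if b"<?php" in content:
        # Defence in depth against image files with PHP appended (polyglots).
        return False, "PHP open tag inside file body"
    return True, "ok"

def storage_name(filename):
    """Save under a random name with the validated extension, so the
    original name (e.g. 'shell.php.png') never chooses the server path."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return f"{secrets.token_hex(16)}.{ext}"

def resolve_include(requested, page_map):
    """Counterpart of the web.php?r=http://... flaw: the request selects a
    key in a fixed map; a URL or path that is not a key includes nothing."""
    return page_map.get(requested)
```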

Page 18:

Bot Net Cont..

A botnet is a process that runs direct attacks on a server and is extremely strong; many people today are unable to stop the attacks that take place through a botnet. This is the so-called distributed DoS attack: a direct attack on the server, made disorganized by a particular method. For example, hackers penetrate 100 devices and direct those 100 unstructured devices at the server; in this case the firewall fails to repel these attacks and prevent them, because the attack also hits the firewall itself.

The firewall cannot protect against attacks staged to overwhelm the firewall itself, and how long it holds depends on gaps in the network protocols, which cannot be done without.

Page 19:

Cont...

• Apache is a program installed on the server. It is excellent because it contains add-ons, such as FrontPage and encryption modules, and several encryption systems that support the web, which is good for programmers. They are installed on the server because the server needs many things for its task, the most important being the code that sets up the servers, the supported encodings, support for the web system, the picture library, and all those things. Despite its shortcomings and gaps, it is updated every so often, and new programs and additions can be added to it by the user. One of its features and strengths is that it is designed in a modular way: any package you want to add to it, you can add without needing to change complicated things in the program itself.

Page 20:

Cont>>>

• The usefulness of this Apache design is that you add the things you really need and leave out those you do not, which raises the performance and speed of the server. For instance, if you want to take advantage of the features of the FrontPage Extension, it is enough to add that package only.

Apache is configured by editing lines in text files. This is very appropriate for programmers who rely on writing, but it causes problems for those who are accustomed to a graphical interface. However, there is a program, Comanche, which when added to Apache lets you control Apache's options through a graphical interface. The thing you should pay attention to is that after every change you must restart Apache for the changes to take effect.

Page 21:

Finally: Safe-mode

• It is very important on servers and must be enabled. Safe mode is either Off or On, and each has a meaning.

When it is Off, the users' data on the server is open and accessible to the other users of the server, which is a big problem; this case is acceptable only when there is a single site on the server, i.e. there is nothing else.

When it is On, safe mode is enabled on your server, which is a good thing to protect the server and to protect users' data from being accessed by others; this is usually the case on shared servers.

Page 22:

Cont..

• Safe-mode has other benefits, such as disabling programming functions that lead to penetration of the server and the like, and preventing certain programming functions. It is very important for preventing the so-called symlink trick and the tools that help hackers move between the sites on a server.

Page 23:

Thanks a lot for all of you, we hope it was a beneficial and interesting presentation.

Best regards

Arafat El-mdhon

Ahmed El-falouji “AnAs”