Web Security. Attacks on Servers 11/6/2017 1

Transcription

1 Web Security Attacks on Servers 11/6/2017 1

2 Server side Scripting Javascript code is executed on the client side on a user s web browser Server side code is executed on the server side. The server side generally generate an HTML file that will send back to the client 11/6/2017 Web Security 2

3 PHP PHP is a hypertext pre processing language that allows a web server to use scripts to generate HTMLs files on the fly. 11/6/2017 Web Security 3

4 Remote File Inclusion (RFI) RFI enable a web server to execute codes contained in files other than the one that is currently being run. PHP provides the include function which incorporate the file specified by the argument into the current PHP page Web Security 4

5 RFI attack RFI attack: an attacker can include the following link to enable a web server at victim.com to execute the malicious code at evilsite.com/evilcode.php locally. evilsite.com/evilcode.php 11/6/2017 Web Security 5

6 Local file inclusion (LFI) LFI attack allow a web server to execute injected code it would not have otherwise performed. The executed code is contain in file on the same victim server For Example: Attacker navigate to The above might causes the web server to execute the following secretpage.php Attacker navigate to The above might causes the attacker to access the /etc/passwd file 11/6/2017 6

7

8 SQL: Standard Query Language SQL lets you access and manage (Query) databases A database is a large collection of data organized in tables for rapid search and retrieval, with fields and columns A field or Column A Record or Row First_Name Last_Name Code_ID Bernardo Palazzi 345 Roberto Tamassia 122 Alex Heitzman Table: CS166 11/6/2017 Storage Confidentiality 8

9 SQL Syntax SELECT column_name(s) or * FROM table_name WHERE column_name operator value SELECT statement is used to select data FROM one or more tables in a database Result set is stored in a result table WHERE clause is used to filter records 11/6/2017

10 SQL Syntax SELECT column_name(s) or * FROM table_name WHERE column_name operator value ORDER BY column_name ASC DESC LIMIT starting row and number of lines ORDER BY is used to order data following one or more fields (columns) LIMIT allows to retrieve just a certain numbers of records (rows) 11/6/2017 Storage Confidentiality 10

11 SQL Injection Attack Many web applications take user input from a form Often this user input is used literally in the construction of a SQL query submitted to a database. For example: SELECT user FROM table WHERE name = user_input ; An SQL injection attack involves placing SQL statements in the user input 11/6/2017 Web Security

12

13

14 Unintended Information Disclosure When a web server does not check to see whether the GET variable, id is a valid input Attacker could request the following URL UNION SELECT cardno, first, last, , FROM users Web server would execute the following SQL query SELECT * FROM news WHERE id = NULL UNION SELECT cardno, first, last, FROM users 11/6/2017 Web Security 14

15 Login Authentication Query Standard query to authenticate users: select * from users where user='$usern' AND pwd='$password' Classic SQL injection attacks Server side code sets variables $username and $passwd from user input to web form Variables passed to SQL query select * from users where user='$username' AND pwd='$passwd' Special strings can be entered by attacker select * from users where user='m' OR '1=1' AND pwd='m' OR '1=1' Result: access obtained without password 11/6/2017 Web Security 15

16 By passing authentication Attacker input the following sequence OR 1=1; Password : (empty)

17

18 Some improvements Query modify: select user,pwd from users where user='$usern $usern= M' OR '1=1 ; Result: the entire table We can check: only one tuple result formal correctness of the result $usern= M' ; drop table user;? 11/6/2017 Web Security 18

19 Correct Solution We can use an Escape method, where all malicious characters will be changed: Escape( t ' c ) gives as a result t \' c select user,pwd from users where user='$usern' $usern=escape( M' ;drop table user; ) The result is the safe query: select user,pwd from users where user='m\' drop table user;\'' 11/6/2017 Web Security 19