The three faces. DeepSec Martin Johns University of Hamburg Universität Hamburg
|
|
- Eleanore Dickerson
- 6 years ago
- Views:
Transcription
1 The three faces of CSRF Universität Hamburg DeepSec Martin Johns University of Hamburg Fachbereich Informatik SVS Sicherheit in Verteilten Systemen
2 Me, myself and I Martin Johns johns at informatik.uni-hamburg.de Security researcher at the University of Hamburg Research focus: Web application security Static analysis of source code Member of the secologic project Research project carried out by SAP, Commerzbank, Eurosec and the University of Hamburg Goal: Improving software security Visit us at Martin Johns, UHH, FB Inf, SVS 2
3 A very short introduction In the beginning was HTTP and HTML HTML == Hyper Text Markup Language HTTP == Hyper Text Transport Protocol The hypertext WWW was and is cross-domain by nature Then there was innovation Meaningful web apps Authentication tracking JavaScript...and everybody somewhat forgot about the cross-domain nature of HTTP/HTML Martin Johns, UHH, FB Inf, SVS 3
4 Agenda A brief introduction to browser security Face 1: Exploiting applications Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 4
5 The Same Origin Policy (SOP) Basically the only security mechanism applicable to webapps Restricts active client-side code Designed to prevent cross-domain read/write access Applies to JavaScript Affects cookie-access, cross-document interaction and networking communication The SOP is satisfied iff the protocol, the domain and the port of two elements match Java and Flash have similar policies Martin Johns, UHH, FB Inf, SVS 5
6 The Same-Origin Policy (II) So, the SOP provides a nice sandbox: 1. No direct access to the local file system (Protocol-rule) 2. No direct access to other hosts (Domain-rule) 3. No direct access to other applications on the same host (Port- and protocol-rule) The SOP restricts JavaScript to its web application... Martin Johns, UHH, FB Inf, SVS 6
7 A loophole in the SOP JavaScript can initiate network communication through dynamic inclusion of elements in the DOM-tree: The script includes a HTML element in the page which references a network resource IMG, STYLE, SCRIPT, IFRAME By this inclusion of such an element the browser creates an HTTP request The targets of such requests are not restricted by the SOP This in fact enables indirect cross-domain communication Outgoing data: URL parameters Incoming data: Side effects of the inclusion process Martin Johns, UHH, FB Inf, SVS 7
8 Agenda A brief introduction to browser security Face 1: Exploiting applications Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 8
9 Implicit authentication Implicit authentication: After the initial authentication step the browser takes care of sending the authentication credentials Methods Cookies HTTP Authentication Client-Side SSL Alternative: Explicit authentication The web application is responsible Methods URL rewriting Form based tracking (hidden form fields) Martin Johns, UHH, FB Inf, SVS 9
10 Session management with cookies After the authentication form the server sets a cookie at the client s browser The browser sends this cookie along with all requests to the domain of the web application Martin Johns, UHH, FB Inf, SVS 10
11 Circumventing the SOP (I) Remember: The SOP prevents cross-domain write access Does it? Cross Site Request Forgery CSRF aka XSRF aka Session Riding aka Sea Surf CSRF exploits implicit authentication mechanisms Creation of hidden, state-changing cross-domain requests These requests are automatically outfitted with the user s credentials The Attack: The attacker creates a hidden http request inside the victim s web browser This request is executed in the victim s authentication context Martin Johns, UHH, FB Inf, SVS 11
12 CSRF (I) Cookie: auth_ok Martin Johns, UHH, FB Inf, SVS 12
13 CSRF (I) GET transfer.cgi?am=10000&an= Cookie: auth_ok Martin Johns, UHH, FB Inf, SVS 13
14 CSRF (II) Cause: The web application does not verify that state changing request were created within the web application Attack methods: Forging GET requests: Image tag with SRC attribute that points to a state changing URL The URL might be obfuscated by a http redirect Forging POST request: Attacker creates an IFRAME (or a pop-up window) The frame is filled with a HTML form This form is submitted via JavaScript Compared to XSS, CSRF s impact is underestimated In 2006 the following numbers were collected by CWE: XSS: 1282 issues CSRF: 5 issues Martin Johns, UHH, FB Inf, SVS 14
15 Agenda A brief introduction to browser security Face 1: Exploiting applications: Examples Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 15
16 Example 1: Breaking Applications Vulnerable: digg.com digg.com s frontpage is determined by the number of diggs a certain story gets Using CSRF a webpage was able to cause the victim s browser to digg an arbitrary URL The demo page digged itself Martin Johns, UHH, FB Inf, SVS 16
17 Example 2: Causing Financial Loss Vulnerable: Netflix.com Add movies to your rental queue Add a movie to the top of your rental queue Change the name and address on your account Change the address and password on your account (i.e., takeover your account) Cancel your account (Unconfirmed/Conjectured) Martin Johns, UHH, FB Inf, SVS 17
18 Example 3: Owning the Server Vulnerable: Wordpress 2.02 Wordpress theme editor was susceptible to CSRF Wordpress theme-files can be php-files Via CSRF an attacker could modify those files to contain arbitrary php-code Martin Johns, UHH, FB Inf, SVS 18
19 A CSRF exploit in less than 10 seconds exploit-o-mat.py Small script by Justus Winter Functionality: Bookmarklet finds all HTML forms in the page The respective action-urls are changed to point to exploit-omat.py This way the script receives all parameters that would have been sent to the original action exploit-o-mat.py creates automatically an attacking HTMLpage... Profit Martin Johns, UHH, FB Inf, SVS 19
20 Agenda A brief introduction to browser security Face 1: Exploiting applications: Avoidance Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 20
21 CSRF (III) General problem: CSRF vulnerabilities are NOT caused by programming mistakes Completely correct code can be vulnerable The reason for CSRF lies within http: No dedicated authentication credential State-changing GET requests JavaScript Preventing CSRF is actually fixing the protocol Martin Johns, UHH, FB Inf, SVS 21
22 Avoidance Assures that the POST request s origin was an HTML form that was provided by the web application in the first place Switch to explicit authentication Combine implicit and explicit auth Use nonces Example: <form action="submit.cgi" method="post"> <input type="text" name="foo"> <input type="hidden" name="nonce" </form> value="xulkjsf22enbsc"> Martin Johns, UHH, FB Inf, SVS 22
23 Agenda A brief introduction to browser security Face 1: Exploiting Applications Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 23
24 JSON (and associates) Disclaimer: Not everything discussed in the following slides is JSON in a strict sense However all techniques follow the same patterns: Designed for asynchronous communication Data encapsulated in executable code Advantage of this approach: No client-side parser necessary Disadvantage: Communicating data through executable code? Come on... Martin Johns, UHH, FB Inf, SVS 24
25 JSON-driven data communication Situation: The web application dynamically requests further data from the server without a page refresh... Variant A: XMLHttpRequest: The received data is evaled var p = eval("var a =" + JSON_text ); Variant B: <script>-tag: The received data is automatically executed Via new global variables Via callback function <script src="json.php?data=foo"></script> Martin Johns, UHH, FB Inf, SVS 25
26 Frequently used patterns There are 4 commonly used techniques: 1. Array format (*) 2. Object format (*) 3. Variable setter format 4. Callback function (*) To be precise, only these two are officially JSON (according to RFC 4627) [ [ ] ] "Joe Smith", "London", "Apples" Martin Johns, UHH, FB Inf, SVS 26
27 Data leakage attack Loading the data s URL in a <script>-tag The script-tag s URL is not subject to the SOP If the data is indeed executable, it is executed in the securitycontext of the attacker s domain <script src= Martin Johns, UHH, FB Inf, SVS 27
28 CSRF (I) Cookie: auth_ok Martin Johns, UHH, FB Inf, SVS 28
29 CSRF (I) Data GET private_stuff_in_json.php Data Cookie: auth_ok Martin Johns, UHH, FB Inf, SVS 29
30 Data leakage attack <script src= Exploitation: Array format Overwriting of the global Array()-Object Variable setter Access the new global variable Callback function Provide an own function with the same name Object format Redefine the definesetter () funtion of the global Object()-object modern browsers only Martin Johns, UHH, FB Inf, SVS 30
31 Example: GMail Adressbook disclosure Address-book data was communicated in JSON But this URL content could also be accessed via script injection <script src=" By overwriting the global array-constructor this data could be read cross-domain Martin Johns, UHH, FB Inf, SVS 31
32 Defense Make sure that your DATA is not EXECUTABLE!!!!!! The correct JSON-object notation is actually safe: { } "person":{ "name":"joe Smith", "location":"london", "fruit":"apples" } Other techniques: Start data with while(1){} Enclose data in /*... */ Use a different format Something that is not eval()-ed is not so prone to XSS Martin Johns, UHH, FB Inf, SVS 32
33 Agenda A brief introduction to browser security Face 1: Exploiting Applications Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 33
34 Circumventing the SOP (II) Remember: The SOP prevents cross-domain data-retrieval Does it? The basic reconnaissance attack (BRA) Question: Does the element with URL U exist? Method: Construct URL U pointing to the target of the examination Start a timeout-event t Include a suiting network aware element using U Use JavaScript s eventhandler-framework to determine the result: The timeout t occurs The target does not exist onload() event The target exists onerror() event (specific result depends on the element and target - stay tuned) Martin Johns, UHH, FB Inf, SVS 34
35 IP based authentication Intranet webserver Firewall Martin Johns, UHH, FB Inf, SVS 35
36 Subverting the Firewall with CSRF Firewall == implicit mean of authentication Susceptible to CSRF Malicious host Firewall Intranet Server ( ) Martin Johns, UHH, FB Inf, SVS 36
37 Putting it all together By looking at a webpage we allow JavaScript-execution within the intranet... As we have just discussed, JavaScript can do Reconnaissance (BRA) Exploiting (CSRF) Martin Johns, UHH, FB Inf, SVS 37
38 Intranet exploration with the BRA <img src= > onload()/onerror()/timeout()-events, Host / URL / element exists Intranet Server ( ) Firewall Malicious host Martin Johns, UHH, FB Inf, SVS 38
39 But where to start? My hosts are NATed and use obscure private IPs Java to the rescue: Java applets provide low level sockets The target of these sockets is restricted by the SOP This does not matter as we are interested in the origin of the connection (the local IP) On modern browsers even more convenient with LiveConnect: function natip() { var w = window.location; var host = w.host; var port = w.port 80; var Socket = (new java.net.socket(host,port)).getlocaladdress().gethostaddress(); return Socket; } Martin Johns, UHH, FB Inf, SVS 39
40 Intranet exploration with the BRA (II) Ping sweep / http-server discovery: Iterate through the subnet using the BRA E.g. using images: <IMG src= >, <IMG src= >, <IMG src= >,... Events (depend on element type): Timeout-event: Host does not exist OnLoad-event: Host probably runs a webserver IFrame can confirm OnError-event: Host exists but the port is closed (RST package) OnError fires on most browsers only for the IMG element Varying the port might locate https or development servers Martin Johns, UHH, FB Inf, SVS 40
41 Intranet exploration with the BRA (III) Server/application discovery/fingerprinting Known special DNS names <IFRAME src= > (home router) Known image-urls <IMG src= > (Apache) Web page fingerprinting based on JavaScript errors <SCRIPT src= > <script> function err(msg, url, code) { if ((msg == "missing } in XML expression" ) && (code == 1)) { // Wordpress } else if ((msg == "syntax error" ) && (code == 3)) { // Squirrelmail } else // unknown } window.onerror = err; </script> Martin Johns, UHH, FB Inf, SVS 41
42 Intranet exploration with the BRA (IV) HTTP-authentication If the scanned server is protected by HTTP-auth the browsers displays a login-dialogue This should at least startle the browser s user Avoiding HTTP-authentication pop-ups (Stefan Esser) The trick is to cause the server to drop the request before it is processed This can be achieved by malformed URLs Incomplete entities: Excessively long URLs AAA Breaks fingerprinting Martin Johns, UHH, FB Inf, SVS 42
43 Exploiting the intranet The attacker is able to: locate intranet hosts and fingerprint applications/routers/devices Several promising points for CSRF attacks: Unchanged default passwords on appliances Drive by Pharming Unpatched servers The old and almost forgotten IIS in the basement Outdated intranet applications Wordpress 2.0 for internal communication With DNS rebinding things get ever more interesting...but this is a different talk Martin Johns, UHH, FB Inf, SVS 43
44 Some limitations... Timing Working with timeout-events takes... Time Using parallelization can speed the process up But various restrictions on connections limits exit Windows XPSP2 and later Port restrictions Most browsers only allow HTTP and high-number ports Martin Johns, UHH, FB Inf, SVS 44
45 Agenda A brief introduction to browser security Face 1: Exploiting Applications Face 2: Information leakage Face 3: Exploring the intranet Countermeasures Martin Johns, UHH, FB Inf, SVS 45
46 Client-side protection Why at the client-side CSRF is a client-side attack Many web apps still don t consider CSRF Protecting against intranet attacks on the server-side not always possible RequestRodeo Strips implicit authentication information from cross-domain requests LocalRodeo Segmentation based on the origin of webpages (local/remote) Requests with a remote origin and a local target are denied Martin Johns, UHH, FB Inf, SVS 46
47 More protection NoForge [1] Reverse Proxy Positioned between web application and internet Parses http responses and adds tokens to all internal URLs Drops requests, that do not contain a token Only protects applications that use cookies for session tracking OWASP CSRF Guard [2] J2EE Filter Adds tokens to HTML Forms automatically [1] Nenad Jovanovic, Engin Kirda and Christopher Kruegel, Preventing Cross Site Request Forgery Attacks, IEEE International Conference on Security and Privacy in Communication Networks (SecureComm), Baltimore, MD, August 2006, [2] Martin Johns, UHH, FB Inf, SVS 47
48 Thank you Thanks for listening. Questions? Comments? Martin Johns, UHH, FB Inf, SVS 48
Cross site Requests. One Mechanism Many A6acks. Mar8n Johns, SAP Research, RUB,
Cross site Requests One Mechanism Many A6acks Mar8n Johns, SAP Research, RUB, 16.06.2010 Me, myself and I Senior Researcher at SAP Research Karlsruhe PhD on XSS Universi8es of Hamburg and Passau Worked
More informationESORICS September Martin Johns
SessionSafe: Implementing XSS Immune SessionHandling Universität Hamburg ESORICS 06 20. September 2006 Martin Johns Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself and I Martin
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationWeb Security. Aggelos Kiayias Justin Neumann
Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationHacking Intranet Websites from the Outside
1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (Japan) 10.05.2006 Jeremiah Grossman (Founder and CTO) WhiteHat Security 2 WhiteHat Sentinel -
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationFounded the web application security lab
Robert RSnake Hansen - CEO SecTheory LLC Bespoke Boutique Internet Security Web Application/Browser Security Network/OS Security Advisory capacity to VCs/start-ups We solve tough problems. http://www.sectheory.com/
More informationEradicating DNS Rebinding with the Extended Same-Origin Policy
Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationAttacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.
Attacking the Application Dave Ferguson, CISSP Security Consultant FishNet Security Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the
More informationCross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft
Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft Who are we? Chris Evans Troublemaker, Engineer, Tech Lead, Google Security Team
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationRobust Defenses for Cross-Site Request Forgery
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login
More informationComputer Security CS 426 Lecture 41
Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationAcknowledgments... xix
CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCross Site Request Forgery
Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationCSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno
CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationPHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.
PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationYour Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns
Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies (@slekies) / Ben Stock (@kcotsneb) Martin Johns (@datenkeller) Agenda The Same-Origin Policy Cross-Site Script Inclusion (XSSI) Generalizing
More informationWeb Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech
Web Security advanced topics on SOP Yan Huang Credits: slides adapted from Stanford and Cornell Tech Same Origin Policy protocol://domain:port/path?params Same Origin Policy (SOP) for DOM: Origin A can
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationProgress Exchange June, Phoenix, AZ, USA 1
1 COMP-1: Securing your web application against hackers Edwin Lijnzaad & Ronald Smits Consultants Agenda Introduction Issues How to... Questions 2 COMP-1: Securing your web application against hackers
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationAvoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:
Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Department of Computer Science Institute of System Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? LET S TALK HTTP SAFE VS. UNSAFE
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationA Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications
A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University December 8, 2011 1 / 18 Riccardo Pelizzi
More informationRobust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationCNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components
CNIT 129S: Securing Web Applications Ch 10: Attacking Back-End Components Injecting OS Commands Web server platforms often have APIs To access the filesystem, interface with other processes, and for network
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? 6 SAFE VS. UNSAFE Safe GET HEAD
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationPreventing Image based Cross Site Request Forgery Attacks
Preventing Image based Cross Site Request Forgery Attacks Ramarao R, Radhesh M, Alwyn R Pais Information Security Lab, Department of Computer Engineering, National Institute of Technology Karnataka, Surathkal,
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationWeb Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs
Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More information01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED
01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED Contents 1. Introduction 3 2. Security Testing Methodologies 3 2.1 Internet Footprint Assessment 4 2.2 Infrastructure Assessments
More informationF5 Application Security. Radovan Gibala Field Systems Engineer
1 F5 Application Security Radovan Gibala Field Systems Engineer r.gibala@f5.com +420 731 137 223 2007 2 Agenda Challenge Websecurity What are the problems? Building blocks of Web Applications Vulnerabilities
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationSecure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn
Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,
More informationInformation Security. Gabriel Lawrence Director, IT Security UCSD
Information Security Gabriel Lawrence Director, IT Security UCSD Director of IT Security, UCSD Three Startups (2 still around!) Sun Microsystems (Consulting and JavaSoftware) Secure Internet Applications
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Presentation: Inject Javascript in a Page Javascript for manipulating
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation:
More informationshortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge
shortcut Your Short Cut to Knowledge The following is an excerpt from a Short Cut published by one of the Pearson Education imprints. Short Cuts are short, concise, PDF documents designed specifically
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationCare & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December
Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,
More informationAttacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.
Attacking Web2.0 Daiki Fukumori Secure Sky Technology Inc. Agenda Introduction What Is Web2.0 (from Attackers view) Attacking Same-Origin Policy Advanced Attacking Same-Origin
More informationCross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security
Cross-Site Request Forgery: The Sleeping Giant Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgeries (CSRF) 1. Session Riding 2. Client-Side Trojans 3. Confused Deputy 4. Web
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationUnusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.
Unusual Web Bugs A Web App Hacker s Bag O Tricks Alex kuza55 K. kuza55@gmail.com http://kuza55.blogspot.com/ I'm Alex Starting Uni next year Working for SIFT http://www.sift.com.au/ This talk is Not an
More informationOWASP TOP 10. By: Ilia
OWASP TOP 10 By: Ilia Alshanetsky @iliaa ME, MYSELF & I PHP Core Developer Author of Guide to PHP Security Security Aficionado WEB SECURITY THE CONUNDRUM USABILITY SECURITY YOU CAN HAVE ONE ;-) OPEN WEB
More informationAdvanced CSRF and Stateless at OWASP AppSec Research 2012
Advanced CSRF and Stateless Anti-CSRF @johnwilander at OWASP AppSec Research 2012 Frontend developer at Svenska Handelsbanken Researcher in application security Co-leader OWASP Sweden @johnwilander johnwilander.com
More information