NET 311 INFORMATION SECURITY

Similar documents
SQL Injection. EECS Introduction to Database Management Systems

CS 142 Winter Session Management. Dan Boneh

Code Injection Attacks

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Application Security

Web Security: XSS; Sessions

Web Application Security

Web Security, Part 2

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

John Coggeshall Copyright 2006, Zend Technologies Inc.

Web Applica+on Security

Web Security: Web Application Security [continued]

Web Security Part 2. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Web Application Security. Philippe Bogaerts

Web Security: Vulnerabilities & Attacks

CS 155 Project 2. Overview & Part A

WEB SECURITY: XSS & CSRF

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Copyright

Security. CSC309 TA: Sukwon Oh

SQL Injection SPRING 2018: GANG WANG

SQL Injection: From Basics To Botnet-Based Attack Automation

CIS 4360 Secure Computer Systems XSS

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson)

Web Security Part 2. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Application vulnerabilities and defences

CSE 127 Computer Security

Web Security Computer Security Peter Reiher December 9, 2014

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

1. PASSWORD ATTACK 2. APPLICATION ATTACK

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

P2_L12 Web Security Page 1

Web Security II. Slides from M. Hicks, University of Maryland

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CSCE 813 Internet Security Case Study II: XSS

Robust Defenses for Cross-Site Request Forgery Review

CSCD 303 Essential Computer Security Fall 2017

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CSCD 303 Essential Computer Security Fall 2018

CS 161 Computer Security

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team


IS 2150 / TEL 2810 Introduction to Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I


OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security Analyses For The Lazy Superhero

Network Security - ISA 656 Web Security

CS 161 Computer Security

Robust Defenses for Cross-Site Request Forgery

OWASP TOP 10. By: Ilia

Web Security IV: Cross-Site Attacks

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Lecture 4 September Required reading materials for this class

The security of Mozilla Firefox s Extensions. Kristjan Krips

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

WebGoat Lab session overview

Online Intensive Ethical Hacking Training

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Content Security Policy

CS 161 Computer Security

Program Security and Vulnerabilities Class 2

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Application Security. * Original slides were prepared by John Mitchell

CS 161 Computer Security

Solution of Exercise Sheet 5

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Finding Vulnerabilities in Web Applications

Aguascalientes Local Chapter. Kickoff

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Adon'tbe an Adobe victim

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

CS 161 Computer Security

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Security Course. WebGoat Lab sessions

OWASP 5/07/09. The OWASP Foundation OWASP Static Analysis (SA) Track Session 1: Intro to Static Analysis

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Client Side Injection on Web Applications

Finding Vulnerabilities in Source Code

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Robust Defenses for Cross-Site Request Forgery

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Transcription:

NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities

lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS) SQL Injection

Buffer Overflow

Buffer overflow Some functions do not check the size of their input Examples are gets() scanf() strcpy() strcat()

Buffer Overflow A buffer overflow attack occurs when the attacker intentionally enters more data than a program was written to handle The extra data overwrites on top on another portion of memory that was meant to hold something else, like part of the program's instructions This allows an attacker to overwrite data that controls the program and can takeover control of the program to execute the attacker's code instead of the program

Buffer Overflow Perfect for remote access attacks because they give the attacker a great opportunity to launch and execute their attack code on the target computer As a user, the best thing to do is to take away the ability for the vulnerability to be exploited by knowing what programs are in use and keeping patches up to date

Buffer overflow Example It is a program where more data can be put into a buffer (e.g. an array) than is safe, for example in C this could be: #include <stdio.h> int main(int argc, char* argv[]) { // allocate a buffer of a fixed length char buffer[512]; // copy the first command line argument into buffer strcpy(buffer,argv[1]); printf("%s\n",buffer); }

Buffer overflow Example The example program takes the first command line argument passed to it, copies it into buffer and then prints it out. This program works fine for most short input strings (less then 511 chars.) but as no bounds checking is done in the strcpy() function, if more than 511 characters are passed in arg[1] strange things may happen.

Buffer overflow The most important type of buffer overflow is the stack overflow The best paper on buffer overflow: http://insecure.org/stf/smashstack.html The cause of the problem is that the return address and the space for local variables (which potentially can contain user s data) are placed in the areas of memory which are next to each other. thus, the string passed to program will: contain the exploit code, be slightly larger than the vulnerable buffer, and the extra bytes will have the address of the exploit code instead of the original function return address

Cross-Site Scripting (XSS)

Top web site vulnerabilities XSS Cross-site scripting Bad web site sends innocent victim a script that steals information from an honest web site Injects malicious script into trusted context SQL Injection Browser sends malicious input to server Bad input checking leads to malicious SQL query

What is XSS? An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application. Methods for injecting malicious code: Reflected XSS ( type 1 ) the attack script is reflected back to the user as part of a page from the victim site Stored XSS ( type 2 ) the attacker stores the malicious code in a resource managed by the web application, such as a database Others, such as DOM-based attacks

Basic scenario: reflected XSS attack Email version 1 Attack Server 2 5 User Victim Server Victim

2006 Example Vulnerability Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website. Injected code redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were then redirected to a phishing site and prompted to enter sensitive financial data. Source: http://www.acunetix.com/news/paypal.htm

Adobe PDF viewer feature PDF documents execute JavaScript code (version <= 7.9) http://path/to/pdf/file.pdf#whatever_name_you_want =javascript:code_here The code will be executed in the context of the domain where the PDF files is hosted This could be used against PDF files hosted on the local filesystem http://jeremiahgrossman.blogspot.com/2007/01/what-you-need-to-know-about-uxss-in.html

Here s how the attack works: Attacker locates a PDF file hosted on website.com Attacker creates a URL pointing to the PDF, with JavaScript Malware in the fragment portion http://website.com/path/to/file.pdf#s=javascript:alert( xss );) Attacker entices a victim to click on the link If the victim has Adobe Acrobat Reader Plugin 7.0.x or less, confirmed in Firefox and Internet Explorer, the JavaScript Malware executes

And if that doesn t bother you... PDF files on the local filesystem: file:///c:/program%20files/adobe/acrobat%207. 0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS") ; JavaScript Malware now runs in local context with the ability to read local files...

Reflected XSS attack Attack Server 5 User Victim Send bad stuff Server Victim Reflect it back

Stored XSS Attack Server 1 Store bad stuff User Victim Inject malicious script Server Victim Download it

Stored XSS using images Suppose pic.jpg on web server contains HTML! request for http://site.com/pic.jpg results in: HTTP/1.1 200 OK Content-Type: image/jpeg <html> fooled ya </html> IE will render this as HTML (despite Content-Type) Consider photo sharing sites that support image uploads What if attacker uploads an image that is a script?

How to Protect Yourself (OWASP) The best way to protect against XSS attacks: Ensure that your app validates all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed. Do not attempt to identify active content and remove, filter, or sanitize it. There are too many types of active content and too many ways of encoding it to get around filters for such content. We strongly recommend a positive security policy that specifies what is allowed. Negative or attack signature based policies are difficult to maintain and are likely to be incomplete.

SQL injection

Database queries with PHP (the wrong way) Sample PHP $recipient = $_POST[ recipient ]; $sql = "SELECT PersonID FROM People WHERE Username='$recipient' "; $rs = $db->executequery($sql); Problem: Untrusted user input recipient is embedded directly into SQL command

Basic picture: SQL Injection Victim Server 1 2 Attacker 3 receive valuable data unintended SQL query Victim SQL DB

CardSystems Attack CardSystems credit card payment processing company SQL injection attack in June 2005 put out of business The Attack 263,000 credit card #s stolen from database credit card #s stored unencrypted 43 million credit card #s exposed

Example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form( user ) & " ' AND pwd=' " & form( pwd ) & ' ); if not ok.eof login success else fail; Is this exploitable?

Web Browser (Client) Enter Username & Password Web Server SELECT * FROM Users WHERE user='me' AND pwd='1234' DB Normal Query

Bad input Suppose user = ' or 1=1 -- (URL encoded) Then scripts does: ok = execute( SELECT WHERE user= ' ' or 1=1 -- ) The -- causes rest of line to be ignored. Now ok.eof is always false and login succeeds. The bad news: easy login to many sites this way.

Even worse Suppose user = ; DROP TABLE Users -- Then script does: ok = execute( SELECT ) WHERE user= ; DROP TABLE Users Deletes user table Similarly: attacker can add users, reset pwds, etc.

Getting private info

Getting private info SQL Query SELECT pizza, toppings, quantity, date FROM orders WHERE userid=. $userid. AND order_month=. _GET[ month ] What if: month = 0 AND 1=0 UNION SELECT name, CC_num, exp_mon, exp_year FROM creditcards

Results Credit Card Info Compromised

References Lecture slides done by: Dan Boneh, sql injection, 2009 Lecture slides done by John Mitchell, XSS Attacks and Defenses,2009, available at: https://crypto.stanford.edu/cs142/lectures/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback