DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Similar documents
Web Application Security. Philippe Bogaerts

C1: Define Security Requirements

Application vulnerabilities and defences

Copyright

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Aguascalientes Local Chapter. Kickoff

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Top 10 Web Application Vulnerabilities

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Your Turn to Hack the OWASP Top 10!

Web Application Vulnerabilities: OWASP Top 10 Revisited

OWASP TOP 10. By: Ilia

Exploiting and Defending: Common Web Application Vulnerabilities

ANZTB SIGIST May 2011 Perth OWASP How minor vulnerabilities can do very bad things. OWASP Wednesday 25 th May The OWASP Foundation

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.


CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2017

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Hacking Oracle APEX. Welcome. About

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

1 About Web Security. What is application security? So what can happen? see [?]

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

Web Application Threats and Remediation. Terry Labach, IST Security Team

Advanced Web Technology 10) XSS, CSRF and SQL Injection

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Securing Your Company s Web Presence

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

SECURITY TESTING. Towards a safer web world

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

NET 311 INFORMATION SECURITY

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

Secure Development Guide

CS 161 Computer Security

eb Security Software Studio

Evaluating the Security Risks of Static vs. Dynamic Websites

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Simplifying Application Security and Compliance with the OWASP Top 10

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CSWAE Certified Secure Web Application Engineer

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Web security: an introduction to attack techniques and defense methods

CSCE 813 Internet Security Case Study II: XSS

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Application Layer Security

Certified Secure Web Application Engineer

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

You are not allowed to use any means of aid. However, according to general rules printed English language dictionaries are allowed.

COMP9321 Web Application Engineering

Web Security Computer Security Peter Reiher December 9, 2014

CS 161 Computer Security

OWASP TOP OWASP TOP

Web Application Security GVSAGE Theater

Web Security. Web Programming.

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

F5 Application Security. Radovan Gibala Field Systems Engineer

16th Annual Karnataka Conference

Client Side Injection on Web Applications

Web Application Penetration Testing

WebGoat& WebScarab. What is computer security for $1000 Alex?

Introduction F rom a management perspective, application security is a difficult topic. Multiple parties within an organization are involved, as well

GOING WHERE NO WAFS HAVE GONE BEFORE

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Applications Security

Large Scale Generation of Complex and Faulty PHP Test Cases

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Common Websites Security Issues. Ziv Perry

CS 155 Project 2. Overview & Part A

CIS 4360 Secure Computer Systems XSS

OWASP Top Dave Wichers OWASP Top 10 Project Lead OWASP Board Member COO/Cofounder, Aspect Security

CSE 127 Computer Security

COMP9321 Web Application Engineering

Vulnerabilities in web applications

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Solutions Business Manager Web Application Security Assessment

Adon'tbe an Adobe victim

CS 161 Computer Security

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Welcome to the OWASP TOP 10

Secure Coding, some simple steps help. OWASP EU Tour 2013


OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Sichere Software vom Java-Entwickler

Transcription:

DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Traditional Programming When writing a program, programmers typically focus on what is needed to solve whatever problem the program addresses. (p.391, Stallings/Brown) Common assumptions: inputs a program will receive, environment the program runs in, a cooperative user, etc.

Defensive Programming One should always take care when writing a program code is reused and it is impossible to foresee how and when a module will be used in the future. Never trust user input! Defensive programming / Secure Programming: must always validate assumptions (nothing is assumed), needs an awareness of the consequences of failures, and the techniques used by attackers. Range of similar vulnerabilities exploited over time (CERT) Injection Attacks (ex 12.2) Examples Databases: part of almost all real systems Web apps: often done quickly by junior programmers, but accessible by anyone in the world (see OWASP list) http://www.cert.org/secure-coding/

Domains Handling Program Input Buffer Overflows Injections Attacks Writing Safe Program Code Interacting with OS and other programs Handling Program Output

Example: Command Injection CGI Shell Web server

Example: Command Injection Characters have different meanings? Same privileges as web server CGI Shell Web server

Example: Command Injection Mitigation Technique Define what is known dangerous input Define what is valid input Problems: Definition of what is really dangerous Multiple encodings For web: space = %20, / = %2F, ; = %3B Not only for strings but also other types of data: integer overflows http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=01219077

http://www.kb.cert.org/vuls/id/20276 Vulnerability Note VU#20276 phf CGI Script fails to guard against newline characters CGI script phf, exploited late 1990 s. Tried to sanitize input using a routine supplied in the web server escape_shell_cmd() Removing a number of shell meta characters BUT Buggy: forgot to remove newline character Attack: embed a newline character in the string passed to the CGI script phf, resulting in additional commands to execute.

Example: Command Injection lpb; echo attack lpb; echo attack CGI Shell Web server

Example: Command Injection IDS Snort Rule: No ; allowed lpb; echo attack lpb; echo attack CGI Shell Web server

Example: Command Injection IDS Snort Rule: No ; allowed lpb%3b echo attack lpb; echo attack CGI %3B ; Shell Web server

OWASP The Open Web Application Security Project (OWASP) is organization focused on improving the security of application software. OWASP Local Chapter in Gothenburg https://www.owasp.org/index.php/gothenburg https://www.owasp.org/index.php/main_page

OWASP Top 10 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8- Cross Site Request Forgery (CSRF) A9-Using Known Vulnerable Components A10-Unvalidated Redirects and Forwards https://www.owasp.org/index.php/category:owasp_top_ten_project

OWASP Top 10 2013 Name A1-Injection A2-Broken Authentication and Session Management A3-Cross Site Scripting (XSS) Description Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users identities. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Cortesy of John Smith, IBM Cooperation, GB

What is it? User-supplied data is sent to an interpreter as part of a command, query or data. What are the implications? SQL Injection Access/modify data in DB SSI Injection Execute commands on server and access sensitive data LDAP Injection Bypass authentication

User input is embedded as-is in predefined SQL statements: jsmith demo1234 query = "SELECT * from tusers where userid='" + password='" + iuserid ipassword + "' AND + "'"; SELECT * from UserID tusers Username where Password Name userid= jsmith' 1824 AND demo1234 password= demo1234' John Smith Hacker supplies input that modifies the original SQL statement, for example: iuserid = ' or 1=1 -- SELECT * from tusers where userid= or 1=1 -- ' AND password='bar' ' AND

User input is embedded as-is in predefined SQL statements: jsmith demo1234 query = "SELECT * from tusers where userid='" + password='" + SELECT * from tusers where userid=' 1 + "' AND + "'"; SELECT * from UserID tusers Username where Password Name userid= jsmith' 1824 AND demo1234 password= demo1234' John Smith Hacker supplies input that modifies the original SQL statement, for example: iuserid = ' or 1=1 -- UserID Username admin iuserid ipassword Password $#kaoefor Name ' AND password='bar' Admin

Common theme with web application vulnerabilities: Unvalidated user input is the attack vector Good security practice: Assume all user input is evil!

OWASP Top 10 2013 Name A1-Injection A2-Broken Authentication and Session Management A3-Cross Site Scripting (XSS) Description Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users identities. XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.

Google Gruyere Web Application Exploits and Defenses Want to beat the hackers at their own game? Learn how hackers find security vulnerabilities! Learn how hackers exploit web applications! Learn how to stop them! http://google-gruyere.appspot.com/.../ Example XSS attack: same origin policy Injected code stored at site run when user visits site (or tricking user to click on URL in email) Here is an image of a cute <a href="http://google-gruyere.appspot.com/.../ <script>alert(1)</script> >cat</a> http://google-gruyere.appspot.com/

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback