bonus slides confused deputy problem original exam ple
play

Bonus slides Confused Deputy Problem Original exam ple Norm al - PowerPoint PPT Presentation

Jan 13, 2023 •140 likes •237 views

Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do action 2. Write results to Im portant server file Client Server Response: OK Im portant server file Original exam ple ( 2 )

  1. Bonus slides – Confused Deputy Problem

  2. Original exam ple Norm al output file Request: 1. Do action 2. Write results to “Im portant server file” Client Server Response: OK Im portant server file

  3. Original exam ple ( 2 ) • Possible if the server executes the command using its own credentials, similarly to a traditional buffer overflow • Used as a prime argument for having capabilities • First appeared in 1988 • Many other attacks can be seen as confused deputy attacks – One example is circumventing a firewall by running traffic through a browser

  4. Cross-site Request Forgery • CDP using a Web browser Web site URL Disguised as <im age> e.g: http:/ / m ail.com / changepw?newpw=hack Login Change PW Resolve Client

  5. CSRF • Cookies and active sessions to other sites can be exploited to execute commands on the client by remote code • Somewhat situational – Requires active session or cookie between the user and the target site – Requires a suitable target command at the target site – The referer header can be checked to avoid this exploit (but this is not always done) – Hidden fields with tokens can be used to avoid this • JavaScript can be used to read information from other open tags • Script languages can be used to send POST

  6. Login CSRF • Cause the victim to log in at a remote site using the attackers credentials • Technically easier that normal CSRF • Opportunities for novel attacks

  7. Cross-site Scripting • 80% of all documented vulnerabilities as of 2007 (according to Wikipedia) • XSS has evolved into meaning injecting e.g. HTML and JavaScript into Web pages • Usually used to steal session cookies • Live example…

  8. XSS • Three types: – Non-persistent: What we just did. – Persistent: Online message boards etc. • Executed more than once – DOM-based: Targeting already existing scripting elements that parse parameters and generate content • Similar to Non-persistent, but can also be used to bypass e.g. client sandboxes • One known weakness was local Firefox error pages

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Bonus Lecture: Introduction to Reinforcement Learning Garima Lalwani, Karan Ganju and Unnat Jain

Bonus Lecture: Introduction to Reinforcement Learning Garima Lalwani, Karan Ganju and Unnat Jain

Bonus Lecture: Introduction to Reinforcement Learning Garima Lalwani, Karan Ganju and Unnat Jain Credits: These slides and images are borrowed from slides by David Silver and Peter Abbeel 4 Model-free Control 5 Summary Outline 1 RL Problem

1.48k views • 88 slides
Most of the slides are borrowed from the authors original presentation. original

Most of the slides are borrowed from the authors original presentation. original

SEG5010 presentation G RAPH C OMPRESSION AND S UMMARIZATION Wei Zhang Dept. of Information Engineering The Chinese University of Hong Kong Most of the slides are borrowed from the authors original presentation. original presentation.

738 views • 59 slides
IRDS: Bonus Slides Charles Sutton University of Edinburgh Hello there I will not present these

IRDS: Bonus Slides Charles Sutton University of Edinburgh Hello there I will not present these

IRDS: Bonus Slides Charles Sutton University of Edinburgh Hello there I will not present these slides in class. Next lecture we will discuss how to choose features for learning algorithms. This means you need to understand a bit about learning

346 views • 10 slides
INSTRUCTIONS **If you get confused or have a question, come back here to solve it J You will be

INSTRUCTIONS **If you get confused or have a question, come back here to solve it J You will be

INSTRUCTIONS **If you get confused or have a question, come back here to solve it J You will be interpreting expressions from the word problems on the following slides. YOU A U ARE N NOT S SOLVIN ING. G. Are you solving? No J You are

273 views • 12 slides
Bonus * Bonus * Bonus * Bonus * Bonus * Bonus Bonus * Bonus * Bonus * Bonus * Bonus * Bonus + ]

Bonus * Bonus * Bonus * Bonus * Bonus * Bonus Bonus * Bonus * Bonus * Bonus * Bonus * Bonus + ]

Bonus * Bonus * Bonus * Bonus * Bonus * Bonus Bonus * Bonus * Bonus * Bonus * Bonus * Bonus + ] from added O + -1 1 M = 0.1 M = 10 - Suppose you have [H 3 Suppose you have [H 3 O ] from added HCl HCl = 0.1 M = 10 M - ] = 10 ][OH - -1 1 ][OH

497 views • 14 slides
Bonus Plan | 1 | 30/05/2018 | AG Employee Benefits - Trust in Expertise Your Bonus Plan: a

Bonus Plan | 1 | 30/05/2018 | AG Employee Benefits - Trust in Expertise Your Bonus Plan: a

Bonus Plan | 1 | 30/05/2018 | AG Employee Benefits - Trust in Expertise Your Bonus Plan: a Tax-Efficient Way to Reward your Employees Sample Case Comparison based on a gross bonus payment of EUR 10,000 paid out as salary vs in the form of

358 views • 13 slides
New Homes Bonus Stuart Ashworth New Homes Bonus What is New Homes Bonus? - It is money received

New Homes Bonus Stuart Ashworth New Homes Bonus What is New Homes Bonus? - It is money received

New Homes Bonus Stuart Ashworth New Homes Bonus What is New Homes Bonus? - It is money received by the Council for each new home that is brought forward, &amp; long-term empty-homes brought back into use. Extra payment is received for

559 views • 8 slides
Closes December 8 th at 11:59PM Feedback is anonymous 1 Point Bonus on final exam for

Closes December 8 th at 11:59PM Feedback is anonymous 1 Point Bonus on final exam for

Week 16.2, Wed, December 4 th PSOs This Week: Review for Final Exam Practice Final Released Today No class on Friday 1 Please let me know what you liked and what could be improved http://www.purdue.edu/idp/courseevaluations/CE_

293 views • 18 slides
Quicksort Sorting Lower Bound Exam Exam Exam Exam 2 2 tomorrow evening 2 2 tomorrow

Quicksort Sorting Lower Bound Exam Exam Exam Exam 2 2 tomorrow evening 2 2 tomorrow

5/7/2012 Quicksort Sorting Lower Bound Exam Exam Exam Exam 2 2 tomorrow evening 2 2 tomorrow evening tomorrow evening tomorrow evening Topics were listed in Day 24 slides Some WA9 problems are good reinforcement of exam

362 views • 9 slides
The original problem Let X 1 , . . . , X n be a random sample from a density f 0 in R d . How

The original problem Let X 1 , . . . , X n be a random sample from a density f 0 in R d . How

L OG - CONCAVE DENSITY ESTIMATION WITH APPLICATIONS Co-authors: Y. Chen, M. Cule, L. D umbgen, R. Gramacy, A Kim, D. Schuhmacher, M. Stewart, M. Yuan R. J. Samworth Log-concave densities The original problem Let X 1 , . . . , X n be a

560 views • 45 slides
Capability Based Systems Chester Rebeiro IIT Madras

Capability Based Systems Chester Rebeiro IIT Madras

Capability Based Systems Chester Rebeiro IIT Madras h8ps://homes.cs.washington.edu/~levy/capabook/Chapter1.pdf 1 Confused Deputy Problem A computer program that is fooled into misusing authority leading to a privilege escalaHon Fortran

405 views • 12 slides
Software development at scale Bonus slides: Unseen GoF design patterns (The end) Michael Hilton

Software development at scale Bonus slides: Unseen GoF design patterns (The end) Michael Hilton

Principles of Software Construction: Objects, Design, and Concurrency Software development at scale Bonus slides: Unseen GoF design patterns (The end) Michael Hilton Bogdan Vasilescu School of Computer Science 17-214 1 Administrivia

857 views • 63 slides
y 0.4m x B 2/5/2019 [tsl342 1/69] Intermediate Exam III: Problem #1 (Spring 05) An

y 0.4m x B 2/5/2019 [tsl342 1/69] Intermediate Exam III: Problem #1 (Spring 05) An

Intermediate Exam III: Problem #1 (Spring 05) An infinitely long straight current of magnitude I = 6 A is directed into the plane ( ) and located a distance d = 0 . 4 m from the coordinate origin (somewhere on the dashed circle). The magnetic

1.92k views • 142 slides
Chapter 6: Methods Find the sum of integers from 1 to 10, from 20 to 30, and from 35 to 45,

Chapter 6: Methods Find the sum of integers from 1 to 10, from 20 to 30, and from 35 to 45,

9/21/18 Opening Problem Chapter 6: Methods Find the sum of integers from 1 to 10, from 20 to 30, and from 35 to 45, respectively. CS1: Java Programming Colorado State University Original slides by Daniel Liang Modified slides by Chris Wilcox

316 views • 13 slides
Question: 1 2 3 4 5 Total Points: 12 13 12 4 9 50 SOC 301 - Spring 2017 Midterm Exam

Question: 1 2 3 4 5 Total Points: 12 13 12 4 9 50 SOC 301 - Spring 2017 Midterm Exam

SOC 301 Name: KEY Social Statistics April 11, 2017 Professor Chester Ismay Midterm Exam Read carefully through each problem. Take your time and relax. Please write your name at the top of each page of the exam. You are to work on

172 views • 5 slides
Session / Discussion Overview 2 I. Development Bonus Program (DBP) 3 I.

Session / Discussion Overview 2 I. Development Bonus Program (DBP) 3 I.

Session / Discussion Overview 2 I. Development Bonus Program (DBP) 3 I. Tempe Development Bonus Program, Approach 4 II. Bonus Elements Onsite Improvements I 5 II. Bonus Elements

708 views • 29 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th March 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur and David. The handout and other

441 views • 8 slides
Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal February 2011 Overall Agenda The Current Web Has Some Holes Help is On The Way (Some Anyway) Solving Real World Problems Still A Ways To Go 2

971 views • 39 slides
iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

755 views • 41 slides
CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/ Plan for Today XSS (Cross Site Scripting) CSRF (Cross-Site Request Forgery) SQL

626 views • 28 slides
Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro

Revisiting SOHO Router Attacks DeepSec 2015 About us.. ... Meet our research group lvaro Folgado Rueda Independent Researcher Jos Antonio Rodrguez Garca Independent Researcher Ivn Sanz de Castro Security Analyst at Wise Security

1.03k views • 72 slides
User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide

User Input Attacks CPSC 328 Spring 2009 Review Abstract lower level security Provide end-to-end security User security info to server WS Security XML Encryption XML Signature Tokens

221 views • 6 slides
Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin

Database-enabled web technology Security Instructor: C a gr C oltekin c.coltekin@rug.nl Information science/Informatiekunde Fall 2011/12 Security in Web applications Web, Databases &amp; Security http://xkcd.com/327/ C . C

952 views • 47 slides
Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova

Outline Motivation Symbolic String Verification Experiments Conclusion Symbolic String Verification: An Automata-based Approach Fang Yu Tevfik Bultan Marco Cova Oscar H. Ibarra Dept. of Computer Science University of California Santa

465 views • 35 slides

More recommend