server side security risks
play

Server -side security risks (esp sp. . injection jection atta - PowerPoint PPT Presentation

Mar 02, 2023 •982 likes •1.86k views

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

  1. Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1

  2. Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker is not interested in the • output (unless the output is used to DoS other systems) Integrity: attack to corrupt the behaviour or data of the web server • Confidentiality: attack that causes information leak, e.g. • – credit card numbers, usernames & passwords, … – or: information about the server that is useful to improve future attacks websec 2

  3. Various attacker models on the web web Man-in-the-Middle • browser server attacks (last week) Attacks on web servers • web (this week) server Attacks on browsers • & the user browser (next week) websec 3

  4. Security concerns with static web pages websec 4

  5. Security worries for static HTML Recall the first stage of the evolution of the web: static HTML. Security risk: • Accidentally exposing parts of the file system on the internet http://www.cs.ru.nl/~erikpoll/websec/exam/exam2019.pdf Even making this searchable using search engines • Countermeasures The OS (Operating System) imposes access control on the • web server .htaccess file can be used to configure which files are • exposed to the internet by the web server. Access restrictions for automated web crawlers, as used by • search engines, can be specified in robots.txt files, – but it is up to the client to respect these - or not … websec 5

  6. Security concerns with dynamically created web pages websec 6

  7. Recall: dynamically created web pages Most web pages you see are dynamically created execution to dynamically create a webpage web browser server dynamically generated HTML websec 7

  8. Background on dynamically created webpages websec 8

  9. CGI (Common Gateway Interface) Early but old-fashioned way to have dynamically generated web pages Given an HTTP request to a cgi executable http://bla.com/cgi-bin/my_script?yr=2014&str=a%20name the web server executes the program my_script passing parameters as input, and returning the (HTML) output to client. For the URL above, the web server would execute cgi-bin/my_script 2014 "a name" The executable my_script can be in any programming language. websec 9

  10. Example: CGI bash script #!/bin/bash echo 'Content-type: text/html' echo '' echo '<html>' echo '<head>' echo '<title>My first CGI bash script</title>' echo '</head>' echo '<body>' echo 'Hello World' cat some_html_content.html echo '</body>' echo '</html>' exit 0 websec 10

  11. Example: CGI program in C int main(){ /* Print CGI response header, required for all HTML output. Note the extra \n, to send the blank line. */ printf("Content-type: text/html\n\n") ; /* Now print the HTML response. */ printf("<html>\n") ; printf("<head><title>Hello world</title></head>\n"); printf("<body>\n"); printf("<h1>Hello, world.</h1>\n") ; printf("</body>\n"); printf("</html>\n"); exit(0); } Why is writing a dynamic web application in C a bad idea? It could be vulnerable to buffer overflow attacks (Recall Hacking in C) websec 11

  12. Example: CGI perl script #!/usr/bin/perl print "Content-type: text/html\n\n"; print <<HTML; <html> <head> <title>My first perl CGI script </title> </head> <body> <p>Hello World</p> </body> </html> HTML exit; websec 12

  13. Languages & frameworks for the web CGI is simple but very clumsy Therefore: • dedicated programming languages for web applications PHP, Ruby on Rails, Adobe ColdFusion, ... and/or web frameworks offering a lot of standard software • components Drupal (PHP), Spring (Java), Angular & AngularJS (JavaScript), ASP.NET (Microsoft CLR/.NET), … websec 13

  14. Example: PHP script <html> <title>A simple PHP script </title> <body> The number you choose was <?php echo $x = $_GET['number']; ?> This number squared plus 1 is <?php $y = $x*$x; $y++; echo $y; ?> Btw, I know that your IP address is <?php echo $_SERVER['REMOTE_ADDR']; ?> <script> alert('Hello World!'); </script> </body> </html> Note this looks just like an HTML page, with pieces of PHP code in it. PHP code is executed server-side -browser only sees the HTML output. JavaScript code in the HTML is executed client-side . websec 14

  15. Se Securit curity wor orries ries wi with h dynamically namically crea eate ted web b pages es websec 15

  16. Command injection (in a CGI script) A CGI bash script might contain cat thefile | mail clientaddress to email a file to a user-supplied email address. How would you attack this? erik@cs.ru.nl ; rm – fr / What happens then ? cat thefile | mail erik@cs.ru.nl ; rm – fr / websec 16

  17. OS command injection Any server-side code that uses client input to interact with the underlying OS might be used to inject commands to the OS. This is possibly in any programming language. Dangerous things to look out for – C/C++ system(), execvp(), ShellExecute(), .. – Java Runtime.exec(), ... – Perl system, exec, open, `, /e, ... – Python exec, eval, input, execfile, ... How would you prevent this or mitigate the potential impact? 1. input validation: check for malicious inputs • easier said than done… 2. the server should run with minimal rights eg . you don’t want to run it as super -user/admin • websec 17

  18. How would you attack this? Suppose a website contains a link http:/somesite.com/get-files.php?file=exam2019.pdf exam2019.pdf looks like a filename … You can try any other filename, e.g. exam2020.pdf Or even any other path name, e.g. ../../../etc/passwd Known as path traversal or directory traversal attack Open question: Does this work for Brightspace? https://brightspace.ru.nl/d2l/common/dialogs/quickLink/ quickLink.d2l?ou=12729&type=coursefile& fileId=SurvivingTheWeb_annotated.pdf websec 18

  19. Directory traversal attack Consider PHP code below, which uses PHP string concatenation operator . $base_dir = ”/ usr/local/clientdata /”; echo file_get_contents($base_dir . $_ GET[’ username ’]) ; // concatenates base_dir and username This can be attacked in the same way. websec 19

  20. DoS by directory traversal Directory traversals can also cause Denial-of-Service, if you access a file or directory that does not exists • This may crash a web application, though it ’ s unlikely – • device files, ie pseudo-files that provide interfaces to devices – / var/spool/printer This printer queue cannot be opened for reading, only for writing. Opening it for reading may cause web application to hang. – /dev/urandom The random number generator that provides infinite stream of random numbers websec 20

  21. Real life example Page in Dutch, based on IP address or language settings of browser/OS Thanks to Arne Swinnen. See his blog at http://www.arneswinnen.net. websec 21

  22. websec 22

  23. No error message: ./en gives same result as en websec 23

  24. Strange input leads to the Dutch page. Why? Presumably the page reverts to the default language if value of hl gives an error websec 24

  25. Looking up some documentation (for Django framework used by Instagram) websec 25

  26. Webpage in English, so ../locale/en exists websec 26

  27. Using fuzzdb to fuzz common file names websec 27

  28. Success! Fuzzdb finds 42 hits for ../<GUESS>/../locale/nl/ Facebook’s bug bounty program paid Arne 500$ Trying out could have caused serious damage websec 28

  29. The NULL trick If the attacker’s input ends up in the middle of a concatenation /usr/local/web/conf/ <INPUT> .html then attacker can only access files with .html extensions But: with NULL character, URL-encoded as %00 , at the end of <INPUT> , the web server may ignore the rest of the string websec 29

  30. Recent example Path traversal weakness in a back-end API Explanation at https://www.youtube.com/watch?v=sjvW79tjWoM websec 30

  31. Fooling Starbuck’s Web Application Firewall (WAF) W web A server F Starbuck’s WAF disallows multiple .. So you cannot include ../.. in your malicious input  How would you circumvent this? Type .././.. instead  A WAF (Web Application Firewall) sits in front of the web server and tries to filter generic malicious inputs. Some WAFs are pretty crappy… websec 31

  32. Countermeasures websec 32

  33. 1. Input validation aka input sanitisation Different ways to do this, eg reject the entire input if it is ‘ invalid ’ • Because it contains a dangerous character, or because it does not make sense (eg November 31 st ) remove dangerous characters or strings • escape or encode dangerous characters • Turning characters by harmless variants escape whole strings • Putting some “ quotes ” around strings so that they are handled differently, removing any special meaning of characters inside Potential pitfall: what are the dangerous characters? Eg for OS command injection : – ; | > & < .... websec 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client

Cookies and Sessions Thierry Security assumptions You have absolutely no control on the client Client Side Server Side Web Server Database Web Browser Cookies The big picture key/value pairs data Client Side Server Side HTTP request

783 views • 13 slides
Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016 Top web vulnerabilities OWASP Top 10

719 views • 49 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html

An Introduction to Php for Web API Principle of server side script WEB Client WEB SERVER html document SCRIPT HTTP SCRIPT Script engine Pages are generated by a program A html document at the server side includes the code to be

741 views • 72 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart

COMP7306: Web technologies Server-side Web programming 6 February 2013 1 / 73 Pierre Senellart Licence de droits dusage Outline HTML forms Principles Input fields Server-side languages An example: PHP Introduction to database

1.08k views • 74 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides
Server-side browsing considered harmful 06/19/2015 Nicolas Grgoire Agarri Offensive security

Server-side browsing considered harmful 06/19/2015 Nicolas Grgoire Agarri Offensive security

Agarri Offensive security Server-side browsing considered harmful 06/19/2015 Nicolas Grgoire Agarri Offensive security Context Vectors Targets Blacklists Bugs Toolbox 06/19/2015 Nicolas Grgoire Agarri Offensive security Context

959 views • 73 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam &lt;salam@cs.odu.edu&gt; 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW

SERVER-SIDE RENDERING ISN'T ENOUGH SERVER-SIDE RENDERING ISN'T ENOUGH MATTHEW PHILLIPS MATTHEW PHILLIPS GITHUB.COM/CANJS/CAN-SSR GITHUB.COM/CANJS/CAN-SSR TERMS TERMS Shared codebase Isomorphic Universal WHY BOTHER WHY BOTHER This sucks

453 views • 29 slides
CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side

CSCC09 Programming on the Web Thierry Sans Architecture of a Web Application Client Side Server Side Web Server Web Browser Web Technologies Content Resources Presentation management Client Side Processing Multimedia The evolution of

1.24k views • 23 slides
Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side)

Server and Threads vanilladb.org Where are we? VanillaCore JDBC Interface (at Client Side) Remote.JDBC (Client/Server) Server Query Interface Tx Planner Parse Algebra Storage Interface Sql/Util Concurrency Recovery Metadata Index

787 views • 66 slides
Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Objectives The basics of servlets mapping and

Server Side Internet Programming Server Side Internet Programming Objectives The basics of servlets mapping and configuration compilation and execution Cookies and sessions Request and session attributes JSP execution,

946 views • 53 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University

Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University

Web Security Abram Hindle abram.hindle@ualberta.ca Department of Computing Science University of Alberta http://softwareprocess.es/ CC-BY-SA 4.0 Security On the Web Multiple facets Client Side Server Side High value targets

500 views • 34 slides
Examines Americas foreign economic objectives, assesses the role and depth of corporate

Examines Americas foreign economic objectives, assesses the role and depth of corporate

Jan 30, Feb 1 US Power and Multinational Corporations Examines Americas foreign economic objectives, assesses the role and depth of corporate influence in the policy-making process, and examines US concerns, attitudes, and policies as the

509 views • 14 slides
Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure

Squeezing State Spaces of (Attack-Defence) Trees l Knapik 1 Wojciech Penczek 1 Micha Laure Petrucci 2 Teofil Sidoruk 1 1 Institute of Computer Science, Polish Academy of Sciences 2 LIPN, CNRS UMR 7030, Universit e Sorbonne Paris Nord LAMAS

388 views • 23 slides
Software Security CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Software Security CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn

Software Security CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 9 Dr Hans Georg Schaathun Software Security Autumn 2008 Week 9 1 / 30 The session Outline The session 1 Examples 2

2.26k views • 40 slides
Overview of HPM as a Pulsed Overview of HPM as a Pulsed Power Application at FOI Power

Overview of HPM as a Pulsed Overview of HPM as a Pulsed Power Application at FOI Power

Overview of HPM as a Pulsed Overview of HPM as a Pulsed Power Application at FOI Power Application at FOI Sten E Nyholm , Mose Akyuz, Patrik Appelgren, Mattias Elfsberg, Sten E Nyholm , Mose Akyuz, Patrik Appelgren, Mattias Elfsberg, Tomas

639 views • 26 slides
Vienna PhD School of Informatics www.informatik.tuwien.ac.at/phdschool M. C. Calatrava, H.

Vienna PhD School of Informatics www.informatik.tuwien.ac.at/phdschool M. C. Calatrava, H.

Vienna PhD School of Informatics www.informatik.tuwien.ac.at/phdschool M. C. Calatrava, H. Werthner Outline Objectives and design Some results First summary Objectives Structured full-time program with scientific focus Focus on

551 views • 15 slides
The Case for Cloud Robotics and Real-Time Big Data Richard Voyles Program Director, National

The Case for Cloud Robotics and Real-Time Big Data Richard Voyles Program Director, National

Robotics as a Singularity: The Case for Cloud Robotics and Real-Time Big Data Richard Voyles Program Director, National Science Foundation Computer &amp; Information Science and Engineering Directorate August 17, 2013 Risk-Averse

704 views • 28 slides
Generating Large Graphs for Benchmarking Ali Pinar, Tamara G. Kolda,C. Seshadhri, Todd Plantenga

Generating Large Graphs for Benchmarking Ali Pinar, Tamara G. Kolda,C. Seshadhri, Todd Plantenga

Generating Large Graphs for Benchmarking Ali Pinar, Tamara G. Kolda,C. Seshadhri, Todd Plantenga U.S. Department of Energy U.S. Department of Defense Office of Advanced Scientific Computing Research 2/21/2014 Defense Advanced Research

416 views • 23 slides
Information Extraction and Question-Answering Systems Foundations and methods Dr. Gnter

Information Extraction and Question-Answering Systems Foundations and methods Dr. Gnter

Information Extraction and Question-Answering Systems Foundations and methods Dr. Gnter Neumann LT-Lab, DFKI neumann@dfki.de 22/02/2002 1 What the lecture will cover Statistical Methods Machine Learning for lexical processing for IE

535 views • 26 slides

More recommend