web security injection attacks
play

Web Security: Injection Attacks CS 161: Computer Security Prof. - PowerPoint PPT Presentation

Mar 20, 2023 •329 likes •702 views

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

  1. Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh

  2. What can go bad if a web server is compromised? Steal sensitive data (e.g., data from many users) Change server data (e.g., affect users) Gateway to enabling attacks on clients Impersonation (of users to servers, or vice versa) Others 2

  3. A set of common attacks SQL Injection n Browser sends malicious input to server n Bad input checking leads to malicious SQL query XSS – Cross-site scripting n Attacker inserts client-side script into pages viewed by other users, script runs in the users’ browsers CSRF – Cross-site request forgery n Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site 3

  4. Today’s focus: injection attacks 4

  5. Historical perspective The first public discussions of SQL injection started appearing around 1998 phreak + hack In the Phrack magazine First published in 1985 Fyodor: "the best, and by far the longest running hacker zine" Hundreds of proposed fixes and solutions 5

  6. – – – – – – – – – – – – Top web vulnerabilities – – – – – – – OWASP Top 10 – 2013 (New) OWASP Top 10 – 2010 (Previous) – – – !!! A1 – Injection – – A1 – Injection – – – – A3 – Broken Authentication and Session Management – A2 – Broken Authentication and Session Management – – – – – A2 – Cross-Site Scripting (XSS) – A3 – Cross-Site Scripting (XSS) – – – – – A4 – Insecure Direct Object References – A4 – Insecure Direct Object References – – – – – – A5 – Security Misconfiguration A6 – Security Misconfiguration – – – – – � � – – – – – – A7 – Insecure Cryptographic Storage – Merged with A9 � � – – A6 – Sensitive Data Exposure – � � – – – – – – A8 – Failure to Restrict URL Access – Broadened into � � – – A7 – Missing Function Level Access Control – – – – – – A8 – Cross-Site Request Forgery (CSRF) A5 – Cross-Site Request Forgery (CSRF) – – – A9 – Using Known Vulnerable Components <buried in A6: Security Misconfiguration> – – – – – – – – – – – – – Please don’t repeat common mistakes!! 6

  7. General code injection attacks • Attacker user provides bad input • Web server does not check input format • Enables attacker to execute arbitrary code on the server

  8. Example: code injection based on eval (PHP) • eval allows a web server to evaluate a string as code • e.g. eval (‘$result = 3+5’) produces 8 calculator: http://site.com/calc.php http://site.com/calc.php?exp=“ 3+5” $exp = $_GET[‘exp']; eval (’$result = ' . $exp . ';'); Attack: http://site.com/calc.php?exp=“ 3+5 ; system(‘rm *.*’)” 8

  9. Code injection using system() Example: PHP server-side code for sending email $email = $_POST[“email”] $subject = $_POST[“subject”] system(“mail $email –s $subject < /tmp/joinmynetwork”) Attacker can post http://yourdomain.com/mail.php? email=hacker@hackerhome.net & subject=“foo < /usr/passwd; ls”

  10. SQL injection 10

  11. Structure of Modern Web Services URL / Form command.php? Browser Web arg1=x&arg2=y server Database server

  12. Structure of Modern Web Services URL / Form command.php? Browser Web arg1=x&arg2=y server Database query built from x and y Database server

  13. Structure of Modern Web Services Browser Web server Custom data corresponding to x & y Database server

  14. Structure of Modern Web Services Browser Web server Web page built using custom data Database server

  15. Databases Structured collection of data n Often storing tuples/rows of related values n Organized in tables Customer AcctNum Username Balance 1199 zuckerberg 35.7 0501 bgates 79.2 … … …

  16. Databases Widely used by web services to store server and user information Database runs as separate process to which web server connects n Web server sends queries or commands derived from incoming HTTP request n Database server returns associated values or modifies/updates values

  17. SQL Widely used database query language n (Pronounced “ess-cue-ell” or “sequel”) Fetch a set of rows: SELECT column FROM table WHERE condition returns the value(s) of the given column in the specified table, for all records where condition is true. e.g: Customer SELECT Balance FROM Customer AcctNum Username Balance 1199 zuckerberg 35.71 WHERE Username='bgates' 0501 bgates 79.2 will return the value 79.2 … … … … … …

  18. SQL (cont.) Can add data to the table (or modify): INSERT INTO Customer VALUES (8477, 'oski', 10.00); Customer AcctNum Username Balance 1199 zuckerberg 35.7 0501 bgates 79.2 8477 oski 10.00 … … …

  19. SQL (cont.) Can delete entire tables: DROP TABLE Customer Issue multiple commands, separated by semicolon: INSERT INTO Customer VALUES (4433, 'vladimir', 70.0); SELECT AcctNum FROM Customer WHERE Username='vladimir' returns 4433.

  20. SQL Injection Scenario Suppose web server runs the following code: $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); Server stores URL parameter “recipient” in variable $recipient and then builds up a SQL query Query returns recipient’s account number Server will send value of $sql variable to database server to get account #s from database

  21. SQL Injection Scenario Suppose web server runs the following code: $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); So for “?recipient=Bob” the SQL query is: "SELECT AcctNum FROM Customer WHERE Username='Bob' "

  22. Basic picture: SQL Injection Victim Web Server 1 2 unintended 3 receive valuable data SQL query Attacker How can $recipient cause trouble here? SQL DB 22

  23. Problem $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); Untrusted user input ‘recipient’ is embedded directly into SQL command Attack: $recipient = alice’; SELECT * FROM Customer; Returns the entire contents of the Customer!

  24. CardSystems Attack CardSystems n credit card payment processing company n SQL injection attack in June 2005 n put out of business The Attack n 263,000 credit card #s stolen from database n credit card #s stored unencrypted n 43 million credit card #s exposed 24

  26. Another example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; 26

  27. Enter SELECT * Username FROM Users & Web Password Web WHERE user='me' Browser DB Server AND pwd='1234' (Client) (1 row) Normal Query

  28. Another example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; Is this exploitable? 28

  29. Bad input Suppose user = “ ' or 1=1 -- ” (URL encoded) Then scripts does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … ) n The “ -- ” causes rest of line to be ignored. n Now ok.EOF is always false and login succeeds. The bad news: easy login to many sites this way. Besides logging in, what else can attacker do? 29

  30. Even worse: delete all data! Suppose user = “ ′ ; DROP TABLE Users -- ” Then script does: ok = execute( SELECT … WHERE user= ′ ′ ; DROP TABLE Users … ) 30

  31. What else can an attacker do? Add query to create another account with password, or reset a password Suppose user = “ ′ ; INSERT INTO TABLE Users (‘attacker’, ‘attacker secret’); ” And pretty much everything that can be done by running a query on the DB!

  32. SQL Injection Prevention Sanitizate user input: check or enforce that value/string that does not have commands of any sort Disallow special characters, or Escape input string SELECT PersonID FROM People WHERE Username=’ alice\’; SELECT * FROM People;’

  33. SQL Injection Prevention Avoid building a SQL command based on raw user input, use existing tools or frameworks E.g. (1): the Django web framework has built in sanitization and protection for other common vulnerabilities n Django defines a query abstraction layer which sits atop SQL and allows applications to avoid writing raw SQL n The execute function takes a sql query and replaces inputs with escaped values E.g. (2): Or use parameterized/prepared SQL

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

1.13k views • 91 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

412 views • 5 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks thereof) XSS CSRF SQL injection Most of these attacks are enabled by social engineering. Todays Class Pretexting Phishing

587 views • 25 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant

False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant

False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant Professor Department of Computer &amp; Information Sciences Towson University http://www.towson.edu/~wyu Email: wyu@towson.edu NIST Cyber Security for

688 views • 51 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security

Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security

Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security Side Channel Attacks Arnaud Tisserand Fault Injection Attacks CNRS, Lab-STICC laboratory CRiSIS 2017, Dinard, France Protections Examples

266 views • 15 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Protocol Attacks What is a protocol attack? How does it work? Different types of

Protocol Attacks What is a protocol attack? How does it work? Different types of

Outline : Part 1 Introduction Protocol Attacks What is a protocol attack? How does it work? Different types of protocol attack By Sushant Rewaskar Introduction: Types of attacks What is a protocol attack? Buffer overflow

518 views • 13 slides
The Journey back to the office Decoding the MindMap Wellness Team - CoreNet Global New England

The Journey back to the office Decoding the MindMap Wellness Team - CoreNet Global New England

The Journey back to the office Decoding the MindMap Wellness Team - CoreNet Global New England And people stayed home. And they read books, and listened, and rested, and exercised, and made Wellness Team CoreNet Global New England

512 views • 11 slides
Cloak of Visibility: Detecting When Machines Browse a Different Web Luca Invernizzi *, Kurt

Cloak of Visibility: Detecting When Machines Browse a Different Web Luca Invernizzi *, Kurt

Cloak of Visibility: Detecting When Machines Browse a Different Web Luca Invernizzi *, Kurt Thomas*, Alexandros Kapravelos , Oxana Comanescu*, Jean-Michel Picod*, and Elie Bursztein* * Google - Anti-fraud and abuse research North Carolina

409 views • 30 slides
1 Why W Water Use r Use E Efficiency? ciency? 2 Current Current W Water Use Use

1 Why W Water Use r Use E Efficiency? ciency? 2 Current Current W Water Use Use

11/9/2018 MWDOCs Current an MWDOCs Current and F d Future W ture Water Use Ef r Use Efficiency Ef ciency Efforts s Joe Berg, Director of WUE Steve Hedges, WUE Supervisor Municipal Water District of Orange County November 13, 2018

739 views • 6 slides
Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Introduction A generic related-key attack on HMAC Conclusion Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological University - Singapore NTT - Japan Asiacrypt 2012 Beijing, China - December 5, 2012

3.43k views • 42 slides
The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet

The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet

The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet Security Has Never Been More Important The cost of security incidents has increased, driven by Ransomware $ 20,752 6M 1.6M $8,699 2013 2016

921 views • 32 slides
Administrative Lab 2 is out please form groups of 1-3 and get to work, its due Nov 21!

Administrative Lab 2 is out please form groups of 1-3 and get to work, its due Nov 21!

CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly

940 views • 48 slides
ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch Duke University Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: An action that

565 views • 28 slides

More recommend