web security
play

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber - PowerPoint PPT Presentation

Nov 27, 2023 •177 likes •588 views

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

  1. Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1

  2. Outline  Web application weaknesses − XSS − AJAX weaknesses  SQL Injection Attacks − (Slides from Lars Olson) − http://www.cs.uiuc.edu/class/fa07/cs461/slides 04/15/10 Cyber Security Lab 2

  3. The Web as a Ripe Target  Attack targets − Client browser/machine  Install adware  Email address book  Bank information displayed in browser − Web server  Infect pages to be served to others, e.g. Knoppix − Backend server  Grab valuable customer data 04/15/10 Cyber Security Lab 3

  4. Attack Tools  Used to be HTML, CGI and Java  Now Javascript and AJAX − Active content which may not be apparent − Script access to current page (DOM) − Ability to make additional HTTP requests  SQL injections to attack the backend 04/15/10 Cyber Security Lab 4

  5. Cross Site Scripting (XSS)  Goal – Inject malicious code into web pages viewed by others.  Cross site a bit of a misnomer. − Term applies to general injection of malicious script  Three types  Wikipedia reference − http://en.wikipedia.org/wiki/Cross_site_scripting 04/15/10 Cyber Security Lab 5

  6. Type 2 XSS  Type 2 – Stored or persistent − User entered data is stored − Later used to create dynamic pages − Very powerful attack  Examples − Sites that allow HTML formatted user input, e.g. Blog comments, wiki entries. 04/15/10 Cyber Security Lab 6

  7. Second Order XSS  Combine type 2 attack with social engineering  Sign up for an account − Enter exploit script in address field  Call help desk − Display your record − Launch from the inside 04/15/10 Cyber Security Lab 7

  8. Type 1 XSS  Type 1 – Non-persistent or reflected − User enters data. Server uses data to dynamically create page, e.g. Search engine − Generally attacking self, but could be tool for social engineering.  E.g., enter the following into a form that then shows the original query in the response. − <script>confirm("Do you hate purple dinosaurs?");</ script> 04/15/10 Cyber Security Lab 8

  9. Type 0 XSS  Type 0 -DOM-based or Local − Very similar to Type 1 except the actual script is passed argument and parsed on client side only − Server processing cannot fix the problem − Again self attack. Likely invoked through phishing link, email HTML rendering, or hidden link in main page. 04/15/10 Cyber Security Lab 9

  10. Type 0 XSS  Consider − <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.URL.indexOf("name=")+5; document.write(document.URL.substring(pos,document.URL.length)); </SCRIPT> <BR> Welcome to our system…</HTML>  Invoke as − http://vulsystem.com/welcome.html?name=Bob − http://vulsystem.com/welcome.html? name=<script>alert(document.cookie)</script> 04/15/10 Cyber Security Lab 10

  11. Input Cleansing  Ensure that the user is providing the type of information you are expecting. − No HTML tags in blog comments − Perform escaping of all special characters  Mozilla and “get” arguments  Could defeat by alternative encodings 04/15/10 Cyber Security Lab 11

  12. Example MySpace Exploit  Samy Worm – October '05 − Person views infected myspace page − Executes javascript exploit  Adds Samy to viewer's hero list  Adds infection to viewer's myspace page − http://namb.la/popular/tech.html - Technical explanation apparently from Samy  Many cases of tediously finding alternative ways of expressing javascript components 04/15/10 Cyber Security Lab 12

  13. Newer Exploits  Quicktime worm – December '06 − Blank movie provides hook to execute malicious script − Script redirects to phishing page that looks like myspace login page − http://www.securityfocus.com/brief/375 Koobface virus on MySpace and Facebook See link to movie. Movie requires flash update (really virus) 04/15/10 Cyber Security Lab 13

  14. Multi-Encoding Techniques  Trick system into incorrectly processing “special characters” − US-ASCII − Unicode encodings - UTF-8 or UTF-16 − ISO 8859-n  Different prefixes for different languages  Multiple ways of encoding the same character  Multiple ways of encoding and IP address − 192.168.1.1 or C0.A8.1.1 or 3232235777 04/15/10 Cyber Security Lab 14

  15. Cleansing Options  Improve input cleansing in code  Web firewall − Hosting solution  Web proxy − Client solution  A couple packages 04/15/10 Cyber Security Lab 15

  16. Web security packages  Pen test tools and proxies − Web Scarab  http://www.owasp.org/index.php/Category:OWASP_WebS − BURP  http://www.portswigger.net/suite/  Web application firewall (WAF) – Imperva WAF - http://www.imperva.com/waf/ – WAF Evaluation Criteria http://www.webappsec.org/projects/wafec/ 04/15/10 Cyber Security Lab 16

  17. Play with Flawed Web Sites  Examine missions to discover and exploit each web sites flaw − http://www.hackthissite.org/missions/ 04/15/10 Cyber Security Lab 17

  18. AJAX  Allows JavaScript to request additional data − Dynamically update part of page  XmlHttpRequest (XHR) is the key class − http://www.w3.org/TR/XMLHttpRequest/ − Generally used to pull new information or send information 04/15/10 Cyber Security Lab 18

  19. Same origin policy  Script can only make requests to the domain of its original source  Script can only access document it fetched  Bound what sneaky scripts can access  Could avert − Signed scripts − ActiveX/Java proxies − Trusted security zones 04/15/10 Cyber Security Lab 19

  20. Mashups  Combine data from two sources in one new groovy page − E.g., Google map data plus address information from corporate directory − Create personal desktop by combining scripts from multiple sources  What if you include my “magic 8” service in your desktop? 04/15/10 Cyber Security Lab 20

  21. Mashup restrictions  In general cross domain communication forbidden by same origin policy  Ad Hoc workarounds − Proxy, iframes, dynamic script creation  New mashup explicit standards being developed 04/15/10 Cyber Security Lab 21

  22. Data Harvesting  XML or JSON data offered via HTTP − Intended as target for AJAX apps − Could be accessed directly  Fetching entire data set may be undesirable − Load on server − Possibility of competitor leveraging your data collection work  Introduce throttling or metering mechanisms 04/15/10 Cyber Security Lab 22

  23. Web Services  Standards for enabling machine to machine communication over the web. − Web Service Standards - WS-*  Many thoroughly defined standards  Generally encoded through XML and SOAP  Perceived as very heavy weight − Representational State Transfer – RESTful web services  Just use simple set of HTTP operations GET, PUT, and DELETE 04/15/10 Cyber Security Lab 23

  24. SQL Injections • http://xkcd.com/327/ 04/15/10 Cyber Security Lab 24

  25. Disclaimer!!  Do not use your powers for evil.  The purpose of showing these attacks is to teach you how to prevent them.  Established e-commerce sites are already hardened to this type of attack.  You might cause irreparable harm to a small “mom-and-pop” business.  Even if you don’t, breaking into someone else’s database is illegal and unethical. 04/15/10 Cyber Security Lab 25

  26. Characterization of Attack  Not a weakness of SQL − ...at least in general − SQL Server may run with administrator privileges, and has commands for invoking shell commands  Not a weakness of database, PHP/scripting languages, or Apache  Building executable code using data from an untrusted user − Perl taint mode was created to solve a similar problem 04/15/10 Cyber Security Lab 26

  27. Simple Attack Example  Logging in with: select count (*) from login where username = '$username' and password = '$password';  Setting the password to “ ' or 'a' = 'a ”: select count (*) from login where username = 'alice' and password = '' or 'a' = 'a';  In fact, username doesn’t even have to match anyone in the database 04/15/10 Cyber Security Lab 27

  28. Detecting Vulnerability  Try single apostrophe − If quotes aren’t filtered, this should yield an error message − Error message may be useful to attackers − May reveal database vendor (important later on)  Try a comment character (double-hyphen in some databases, # symbol in others) − Only works for numeric fields, if quotes are filtered − Not as commonly filtered 04/15/10 Cyber Security Lab 28

  29. Inferring Database Layout (1)  Guess at column names ' and email is null -- ' and email_addr is null --  Use error messages (or lack of) 04/15/10 Cyber Security Lab 29

  30. Inferring Database Layout (2)  Guess at table name ' and users.email_addr is null -- ' and login.email_addr is null -- − Can be done with an automated dictionary attack − Might discover more than one table in the query  Guess at other table names ' and 1=( select count (*) from test)-- 04/15/10 Cyber Security Lab 30

  31. Discovering Table Data  Depends on query structure, output format  May be directed at a particular user or account ( e.g. root) ' or username like '%admin%'--  May include brute-force password attacks 04/15/10 Cyber Security Lab 31

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Complexity of Integration, Special Values, and Recent Developments James H. Davenport 1

Complexity of Integration, Special Values, and Recent Developments James H. Davenport 1

Introduction Transcendental Integrands Algebraic Functions Complexity of Integration, Special Values, and Recent Developments James H. Davenport 1 Departments of Computer Science and Mathematical Sciences University of Bath International

813 views • 34 slides
Administrative Stuff Time &amp; Place: Tuesdays 11:10am-1pm DHT Fac Room South * CS3 Database

Administrative Stuff Time &amp; Place: Tuesdays 11:10am-1pm DHT Fac Room South * CS3 Database

Administrative Stuff Time &amp; Place: Tuesdays 11:10am-1pm DHT Fac Room South * CS3 Database Systems Handout 1 Web site: http://homepages.inf.ed.ac.uk/opb/dbs Introduction and XML Instructors: Peter Buneman ( opb at inf.ed.ac.uk ) Office

578 views • 25 slides
M O N E Y M A S T E R Y MODULE TWO: What gets in your way of receiving? AHH! WELCOME BACK!

M O N E Y M A S T E R Y MODULE TWO: What gets in your way of receiving? AHH! WELCOME BACK!

M O N E Y M A S T E R Y MODULE TWO: What gets in your way of receiving? AHH! WELCOME BACK! Hello, hello, hello! Once again, so excited to have you! I hope your homework went SUPER well and that you already feel big shifts

429 views • 28 slides
Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats

Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson) Web Server Threats What can happen? Compromise Defacement Gateway to attacking clients Disclosure (not mutually exclusive) And what makes

1.27k views • 96 slides
Music Notation with SuperCollider Bernardo Barros May, 2013 Bernardo Barros Music Notation with

Music Notation with SuperCollider Bernardo Barros May, 2013 Bernardo Barros Music Notation with

Introduction SuperCollider + LilyPond Future Work Music Notation with SuperCollider Bernardo Barros May, 2013 Bernardo Barros Music Notation with SuperCollider Introduction SuperCollider + LilyPond Future Work Outline 1 About myself 2

790 views • 41 slides
BSC Panel 209 15 January 2013 Report Phase P289: Enabling ELEXON to participate in tendering

BSC Panel 209 15 January 2013 Report Phase P289: Enabling ELEXON to participate in tendering

BSC Panel 209 15 January 2013 Report Phase P289: Enabling ELEXON to participate in tendering for the DCC Licensee role via a subsidiary Recommendation: Approve Proposed 208/01 Dean Riddell 15 January 2013 P289: Issue ELEXON cannot bid

716 views • 46 slides
Local Place Names Cotati: From kotati , the name of a Coast Miwok Indian village. Marin: The name

Local Place Names Cotati: From kotati , the name of a Coast Miwok Indian village. Marin: The name

Local Place Names Cotati: From kotati , the name of a Coast Miwok Indian village. Marin: The name Marin was first applied around 1830 to the Marin Islands between San Pedro and San Quentin Points, perhaps because the bay there was named Baha

266 views • 3 slides
Presentations Focus Area: Communication and Control Protocols Presented by Klara Nahrstedt

Presentations Focus Area: Communication and Control Protocols Presented by Klara Nahrstedt

Trustworthy Cyber Infrastructure for the Power Grid Presentations Focus Area: Communication and Control Protocols Presented by Klara Nahrstedt University of Illinois Dartmouth College Cornell University Washington State

481 views • 8 slides

More recommend