web security
play

Web Security 1 last time: command injection placing user input in - PowerPoint PPT Presentation

Sep 15, 2022 •113 likes •630 views

Web Security 1 last time: command injection placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs:

  1. Web Security 1

  2. last time: command injection placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs: pass constants/etc. seperately whitelisting acceptable characters escaping (if done carefully!) taint-tracking (did you forgot to do one of the above?) 2

  3. a command injection example 3

  4. other shell features shells support scripting with “functions” cr4bd@labunix01:~$ foo quux called foo; args: quux 4 cr4bd@labunix01:~$ foo() { echo "called foo; args: $*"; }

  5. bash function exports bash (popular shell) wanted to transfer functions from one shell to another it runs mechanism: environment variables Unix/Linux feature; passed to programs automatically example: foo() { echo "called foo"; } , want to export? set env. var. foo to () {echo "called foo"; } how would you implement this? 5

  6. bash shellshock if foo set to () {...;} bash ran foo() {...;} if foo set to () {...;}; dangerousCommand bash ran foo() {...;}; dangerousCommand defjne a function; then run a command right away! 6

  7. bash shellshock if foo set to () {...;} bash ran foo() {...;} if foo set to () {...;}; dangerousCommand bash ran foo() {...;}; dangerousCommand defjne a function; then run a command right away! 6

  8. shellshock exploitability example: DHCP client runs program to confjgure a new network DHCP: most common “get connected to a network” protocol program is often shell (bash) script — or uses shell script easy way to pass information — environment variables network: our domain name is (){;}; dangerousCommand set env. var. DOMAIN_NAME to (){;}; dangerousCommand 7 can contain strings from network connected to

  9. more command injection saw: shell comamnds, SQL one more very important category: HTML special name: cross-site scripting or XSS 8

  10. stored cross-site scripting 10

  11. the web Web Browser facebook.com foobar.com (uses facebook login) evil.com (run by attacker) one web browser talks to multiple websites how does it (or does it) keep each websites seperate? even though websites can link to each other/etc.? 11

  12. the browser is basically an OS websites are JavaScript programs websites can communicate with each other one website can embed another cause browser to send requests to another websites can store data on the browser cookies local storage 12

  13. HTTP requests https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key : Other-Value … method: GET or POST most common GET — read web page POST — submit form headers: extra information with request example extra info: domain name from URL servers can host mutliple domains 13

  14. HTTP requests https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key : Other-Value … method: GET or POST most common GET — read web page POST — submit form headers: extra information with request example extra info: domain name from URL servers can host mutliple domains 13

  15. HTTP requests https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key : Other-Value … method: GET or POST most common GET — read web page POST — submit form headers: extra information with request example extra info: domain name from URL servers can host mutliple domains 13

  16. HTTP requests https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Other-Key : Other-Value … method: GET or POST most common GET — read web page POST — submit form headers: extra information with request example extra info: domain name from URL servers can host mutliple domains 13 Host: server.com

  17. HTTP responses https://server.com/path/to/file?query=string#an- chor after browser sends request; server sends: HTTP/1.1 200 OK Content-Type: text/html Other-Key : Other-Value <html>… 14

  18. demo 15

  19. HTML forms (1) < form action="https://example.com/search/" method="GET"> < input type="hidden" name="recipient" value="webmaster@example.com"> Search for: < input name="q" value="">< br > < input type="submit" value="Search"> </ form > GET /search/?q=What%20I%20searched%20for HTTP/1.1 Host: example.com q is “ What I searched for ” %20 — character hexadecimal 20 (space) 16

  20. HTML forms (2) < form action="https://example.com/formmail.pl" method="POST"> < input type="hidden" name="recipient" value="webmaster@example.com"> Your email: < input name="from" value="">< br > Your message:< textarea name="message"></ textarea > < input type="submit"> </ form > POST /formmail.pl HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded recipient=webmaster@example.com&from= what%20I%20Entered &message= Some%20message%0a… 17

  21. Yes, because attacker could make own version of form trusting the client (1) < form action="https://example.com/formmail.pl" method="POST"> < input type="hidden" name="recipient" value="webmaster@example.com"> Your email: < input name="from" value="">< br > Your message: < textarea name="message"></ textarea > ... < input type="submit"> </ form > if this my form, can I get a recipient of spamtarget@foo.com ? Am I enabling spammers?? 18

  22. trusting the client (1) < form action="https://example.com/formmail.pl" method="POST"> < input type="hidden" name="recipient" value="webmaster@example.com"> Your email: < input name="from" value="">< br > Your message: < textarea name="message"></ textarea > ... < input type="submit"> </ form > if this my form, can I get a recipient of spamtarget@foo.com ? Am I enabling spammers?? Yes, because attacker could make own version of form 18

  23. Referer header Submitting form at https://example.com/feedback.html : POST /formmail.pl HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Referer: https://example.com/feedback.html recipient=webmaster@example.com&from=… sometimes sent by web browser if browser always sends, does this help? 19

  24. Yes, because attacker can customize their browser trusting the client (2) < form action="https://example.com/formmail.pl" method="POST"> < input type="hidden" name="recipient" value="webmaster@example.com"> ... < input type="submit"> </ form > right referer header? attacker can’t modify the form on example.com! browser sends header with URL of form 20 can I get a recipient of spamtarget@example.com and the

  25. trusting the client (2) < form action="https://example.com/formmail.pl" method="POST"> < input type="hidden" name="recipient" value="webmaster@example.com"> ... < input type="submit"> </ form > right referer header? attacker can’t modify the form on example.com! browser sends header with URL of form Yes, because attacker can customize their browser 20 can I get a recipient of spamtarget@example.com and the

  26. trusting the client (3) ISS E-Security Alert February 1, 2000 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications … Many web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price.… … Several of these applications use a security method based on the HTTP header to verify the request is coming from an appropriate site.… The ISS X-Force has identified eleven shopping cart applications that are vulnerable to form tampering. … 21

  27. HTTP and state HTTP is stateless each request stands alone no idea of session current login? what you did before (pages read, what page you’re on, etc.)? … this functionality was added on later 22

  28. implementing logins on HTTP typical mechanism: cookies information for client to send with future requests to server Server sets cookie set via header in HTTP response Set-Cookie: key=theInfo; domain=example.com; expires=Wed, Apr … Cookie: key=theInfo JavaScript can also read or set Cookie 23 limited to particular domain (or domain+path) Client sends back cookie with every HTTP request

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Announcements Class cancelled on Wednesday Web Security CS642:

Announcements Class cancelled on Wednesday Web Security CS642:

Announcements Class cancelled on Wednesday Web Security CS642: Computer Security Professor Ristenpart h=p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot

516 views • 36 slides
IT350: Web &amp; Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI

IT350: Web &amp; Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI

Things well learn and do HTML5 basics, tables, forms Cascading Style Sheets IT350: Web &amp; Internet Programming JavaScript Dynamic HTML CGI / PHP Set 12: CGI and PHP 1 Outline The Three-Tier Architecture

362 views • 18 slides
Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide

Uses and Abuses of Server-Side Requests Giancarlo Pellegrino 1 , Onur Catakoglu 2 , Davide Balzarotti 2 , and Christian Rossow 1 giancarlo.pellegrino@cispa.saarland 19th International Symposium on Research in Attacks, Intrusions and Defenses

564 views • 38 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for use by students in CS1520 at the University of Pittsburgh. They are provided free of charge and may not be sold in any shape or form. These

539 views • 19 slides
End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case

End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case

End End-to-end File Encr Encryp yption i in n the the Web Br eb Browser er A Ca Case e Study dy Thomas Konrad, SBA Research Vue.js Meetup Vienna, Feb 11, 2020 SBA Research gGmbH, 2020 Classification: Public 1 ~ $ whoami Thomas

770 views • 50 slides
Analyzing Facebook Privacy Settings: User Expectations vs. Reality Yabing Liu Krishna Gummadi

Analyzing Facebook Privacy Settings: User Expectations vs. Reality Yabing Liu Krishna Gummadi

Analyzing Facebook Privacy Settings: User Expectations vs. Reality Yabing Liu Krishna Gummadi Balachander Krishnamurthy Alan Mislove Northeastern University MPI-SWS AT&amp;T LabsResearch November 2, 2011, IMC11

501 views • 24 slides
Pivot: Finding Funding &amp; Collaborating Opportunities for International Postdocs Min-Lin

Pivot: Finding Funding &amp; Collaborating Opportunities for International Postdocs Min-Lin

Pivot: Finding Funding &amp; Collaborating Opportunities for International Postdocs Min-Lin Fang, MLS Research and Education Librarian Min-lin.fang@ucsf.edu Learning Objectives By the end of the training, participants will be able to:

588 views • 30 slides
Contracts 7 January 2019 OSU CSE 1 Contract Details Contracts in the APIs for OSU CSE

Contracts 7 January 2019 OSU CSE 1 Contract Details Contracts in the APIs for OSU CSE

Contracts 7 January 2019 OSU CSE 1 Contract Details Contracts in the APIs for OSU CSE components include these important features: Parameter modes Two stipulations: Parameter names in requires and ensures clauses always

408 views • 25 slides

More recommend