web security
play

Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno - PowerPoint PPT Presentation

Apr 23, 2023 •375 likes •721 views

CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • HW2: Due Nov 7, 4:30pm • Looking ahead, rough plan: • Lab 2 out ~Nov 5, due ~Nov 19 (Quiz Section on Nov 8) • HW 3 out ~Nov 19, due ~Nov 30 • Lab 3 out ~Nov 26, due Dec 7 (Quiz Section on Nov 29) 11/3/2018 CSE 484 / CSE M 584 2

  3. Admin • Final Project Proposals: Nov 16 – group member names and brief description • Final Project Checkpoint: Nov 30 – preliminary outline and references • Final Project Presentation: Dec 10 – 12-15-minute video – must be on time • Explore something of interest to you, that could hopefully benefit you or your career in some way – technical topics, current events, etc 11/3/2018 CSE 484 / CSE M 584 3

  4. Next Week • Monday (Nov 5): Lecture on Lab 2 • Monday (Nov 5): No 11:30am office hours for me; TA office hours are happening • Thursday (Nov 8): Quiz Sections -> Extended Lab 2 Office Hours 11/3/2018 CSE 484 / CSE M 584 - Fall 2017 4

  5. Cross-Site Request Forgery (CSRF/XSRF) 11/3/2018 5

  6. Cookies in Forged Requests Cookie: SessionID=523FA4cd2E User credentials automatically sent by browser 11/3/2018 6

  7. Impact • Hijack any ongoing session (if no protection) – Netflix: change account settings, Gmail: steal contacts, Amazon: one-click purchase • Reprogram the user’s home router • Login to the attacker’s account 11/3/2018 7

  8. Login XSRF: Attacker logs you in as them! User logged in as attacker Attacker’s account reflects user’s behavior 11/3/2018 9

  9. Broader View of CSRF • Abuse of cross-site data export – SOP does not control data export – Malicious webpage can initiates requests from the user’s browser to an honest server – Server thinks requests are part of the established session between the browser and the server (automatically sends cookies) 11/3/2018 10

  10. XSRF Defenses • Secret validation token <input type=hidden value=23a3af01b> • Referer validation Referer: http://www.facebook.com/home.php 11/3/2018 11

  11. Add Secret Token to Forms <input type=hidden value=23a3af01b> • “Synchronizer Token Pattern” • Include a secret challenge token as a hidden input in forms – Token often based on user’s session ID – Server must verify correctness of token before executing sensitive operations • Why does this work? – Same-origin policy: attacker can’t read token out of legitimate forms loaded in user’s browser, so can’t create fake forms with correct token 11/3/2018 12

  12. Referer Validation  Referer: http://www.facebook.com/home.php  Referer: http://www.evil.com/attack.html ? Referer: • Lenient referer checking – header is optional • Strict referer checking – header is required 11/3/2018 13

  13. Why Not Always Strict Checking? • Why might the referer header be suppressed? – Stripped by the organization’s network filter – Stripped by the local machine – Stripped by the browser for HTTPS  HTTP transitions – User preference in browser – Buggy browser • Web applications can’t afford to block these users • Many web application frameworks include CSRF defenses today 11/3/2018 14

  14. Injection 11/3/2018 15

  15. Injection Attacks • http://victim.com/copy.php?name=username • copy.php includes system (“ cp temp.dat $name .dat”) • User calls http://victim.com/copy.php?name =“a; rm *” • copy.php executes system (“ cp temp.dat a; rm *.dat ”); 11/3/2018 16

  16. Basic Issues • User-supplied data is not validated, filtered, or sanitized by application • User input directly used or concatenated to a string that is used by an interpreter • Common Injections: SQL, NoSQL, Object Relational Mapping (ORM), LDAP, Object Graph Navigation Library, … 11/3/2018 17

  17. More Examples • SQL application uses untrusted data in this SQL call String query = "SELECT * FROM accounts WHERE custID='" + request.getParameter("id") + "'"; • Also, be careful with frameworks, e.g., Hibernate Query Language (HQL) call Query HQLQuery = session.createQuery("FROM accounts WHERE custID='" + request.getParameter("id") + "'"); • Attacker sets id to ' or '1'='1 http://example.com/app/accountView?id=' or '1'='1 • Result in both cases: return all records in database 11/3/2018 18

  18. Defenses • Use safe APIs, e.g., prepared statements in SQL with parameterized queries – Define all the SQL code, then pass in each parameter – Separates code from data • Whitelist-based server-side input validation • Escape special characters • Use LIMIT (and other) SQL controls within queries to prevent mass disclosure of records • Remember Defense in Depth, Least Privilege, etc. 11/3/2018 19

  19. XML External Entities 11/3/2018 20

  20. XML External Entities • Consider a web application that accepts XML input, parses it, and outputs the result (or includes untrusted input in XML documents) <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY> <!ENTITY bar "World"> ]> <foo> Hello &bar; </foo> • Parses as Hello World 11/3/2018 21

  21. But What About • Consider an attacker uploading this XML document <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///etc/passwd" >]> <foo>&xxe;</foo> • Attacker attempting to extract information from server 11/3/2018 22

  22. But What About • Consider an attacker uploading this XML document <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "https://192.168.1.1/private" >]> <foo>&xxe;</foo> • Attacker attempting to probe a private network 11/3/2018 23

  23. But What About • Consider an attacker uploading this XML document <?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ELEMENT foo ANY > <!ENTITY xxe SYSTEM "file:///dev/random" >]> <foo>&xxe;</foo> • Attacker attempting a DoS by including a potentially never-ending file 11/3/2018 24

  24. Why Call “Server Side Request Forgery?” 11/3/2018 25

  25. What to Do? • Use less complex data formats, such as JSON • Disable XML external entities and DTD processing in all XML parses • Whitelist-based server-side input validation • OWASP very useful source here as well 11/3/2018 26

  26. Authentication Another “Ten Most Critical Web Application Security Risks” 11/3/2018 27

  27. Basic Problem ? How do you prove to someone that you are who you claim to be? Any system with access control must solve this problem. 11/3/2018 28

  28. Many Ways to Prove Who You Are • What you know – Passwords – Answers to questions that only you know • Where you are – IP address, geolocation • What you are – Biometrics • What you have – Secure tokens, mobile devices 11/3/2018 29

  29. Passwords and Computer Security • In 2012, 76% of network intrusions exploited weak or stolen credentials (username/password) – Source: Verizon Data Breach Investigations Report • First step after any successful intrusion: install sniffer or keylogger to steal more passwords • Second step: run cracking tools on password files – Cracking needed because modern systems usually do not store passwords in the clear (how are they stored?) • In Mitnick’s “Art of Intrusion” 8 out of 9 exploits involve password stealing and/or cracking 11/3/2018 30

  30. Password Storage • Recall discussions from crypto section – Don’t store plaintext passwords – Don’t use encrypted passwords – Use hashed passwords – Hash a salt along with the password, and store the salt and the hashed salt+password on the server 11/3/2018 38

  31. Other Password Security Issues • Keystroke loggers – Hardware – Software (spyware) • Shoulder surfing • Same password at multiple sites • Broken implementations – TENEX timing attack 11/3/2018 39

  32. Examples from One Company 11/3/2018 CSE 484 / CSE M 584 - Fall 2017 40

  33. Even More Issues • Usability – Hard-to-remember passwords? – Carry a physical object all the time? • Denial of service – Attacker tries to authenticate as you, account locked after three failures • Social engineering 11/3/2018 41

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Server gets the request and

441 views • 25 slides
Who We Are T he F uture o f Priva c y F o rum (F PF ) is a Wa shing to n, DC b a se

Who We Are T he F uture o f Priva c y F o rum (F PF ) is a Wa shing to n, DC b a se

1/12/2012 P E RSONAL I NF ION : T ORMAT HE BE NE F IT S AND R ISKS OF D E - IDE NT IF ICAT ION Jule s Po lo ne tsky, Co -Cha ir &amp; Dire c to r Who We Are T he F uture o f Priva c y F o rum (F PF ) is a Wa shing to n, DC

79 views • 5 slides
the W orld Change the Story Change How often do you tell stories as part of your w ork? A.

the W orld Change the Story Change How often do you tell stories as part of your w ork? A.

Andy Goodman The Goodman Center the W orld Change the Story Change How often do you tell stories as part of your w ork? A. Rarely or Never (I love data. There, I said it.) B. Occasionally (Im story-curious.) C. Frequently (Sipped the

837 views • 58 slides
Which beach? Here are a few of our teams favourite beaches in Cornwall! Coverack Beach and

Which beach? Here are a few of our teams favourite beaches in Cornwall! Coverack Beach and

Which beach? Here are a few of our teams favourite beaches in Cornwall! Coverack Beach and Cove The Lizzard: Hazels choice This is a lovely sandy beach in an unspoilt part of Cornwall, just further along there is a lovely cove with rock

210 views • 8 slides
Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar,

Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar,

Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar, Luke Zettlemoyer, and Ali Farhadi Presentation by Rishub Jain Outline Problem statement Dataset Baseline model Experiments

734 views • 16 slides
1 To allow the President to retrieve the situation after an unprovoked launch of Plan R, there

1 To allow the President to retrieve the situation after an unprovoked launch of Plan R, there

ECO 199 - GAMES OF STRATEGY Spring Term 2004 GUIDE TO STRATEGIES IN DR. STRANGELOVE What follows is a statement and discussion of the many strategic issues and incidents from the movie. It is based on the points brought up in class as well as

517 views • 3 slides
Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic Point of View F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale

1.55k views • 117 slides
Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct

Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct

Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct Marketing CuuDuongThanCong.com https://fb.com/tailieudientucntt The Nature of Personal Selling The Nature of Personal Selling The term

316 views • 17 slides

More recommend