web security vulnerabilities attacks
play

Web Security: Vulnerabilities & Attacks Slide credit: John - PowerPoint PPT Presentation

Sep 01, 2022 •181 likes •652 views

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password?

  1. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song

  2. Security User Interface Dawn Song

  3. Safe to type your password? https://www.safebank.com Bank of the Safe https://safebank.com Bank of the Safe (US) (US) SAFEBANK login password Accounts Bill Pay banking content Mail T ransfers https://www.safebank.c om 3 Dawn Song

  4. Safe to type your password? SAFEBANK 4 Dawn Song

  5. Safe to type your password? 5 Dawn Song

  6. Safe to type your password? Bank of the Safe https://www.safebank.com https://safebank.com Bank of the Safe (US) (US) SAFEBANK login password Accounts Bill Pay banking content Mail T ransfers https://www.safebank.c om 7 Dawn Song

  7. Mixed Content: HTTP and HTTPS Dawn Song

  8. Mixed content and network attacks • banks: after login all content over HTTPS – Developer error: Somewhere on bank site write <script src= http ://www.site.com/script.js> </script> – Active network attacker can now hijack any session • Better way to include content: <script src=//www.site.com/script.js> </script> – served over the same protocol as embedding page Dawn Song

  9. The Status Bar • Trivially spoofable <a href=“http://www.paypal.com/” onclick=“this.href = ‘http://www.evil.com/’;”> PayPal</a> Dawn Song

  10. Command Injection Dawn Song

  11. Background Web Server Client UID: Browser foo.php URI www Web Page PHP -> WEB PAGE Dawn Song

  12. Quick Background on PHP display.php: <? echo system("cat ".$_GET['file']); ?> IN THIS EXAMPLE <? php-code ?> executes php-code at this point in the document echo expr: evaluates expr and embeds in doc system(call, args) performs a system call in the working directory “ ….. ”, ‘ ….. ’ String literal. Double-quotes has more possible escaped characters. . (dot). Concatenates strings. _GET[‘key’] returns value corresponding to the key/value pair sent as extra data in the HTTP GET request LATER IN THIS LECTURE preg_match(Regex, Performs a regular expression match. Stiring) proc_open Executes a command and opens fjle pointers for input/output. escapeshellarg() Adds single quotes around a sring and quotes/escapes any existing single quotes. fjle_get_contents(fjle) Retrieves the contents of fjle. Dawn Song

  13. Background Web Server Client display.php?file=notes.txt UID: Browser URI www display.php Web Page system("cat ". $_GET['file']) display.php: <? echo system("cat ".$_GET['file']); ?> Shell Command cat notes.txt Dawn Song

  14. Background Web Server Client Browser UID: display.php?file=notes.txt URI www display.php system("cat ". $_GET['file']) Today we are learning about Web Security. Content of notes.txt Shell Command cat notes.txt display.php: <? echo system("cat ".$_GET['file']); ?> Dawn Song

  15. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. %3B -> “;” %20 -> “ “ %2F -> “/” a. http://www.example.net/display.php?get=rm b. http://www.example.net/display.php?file=rm%20-rf%20%2F%3B c. http://www.example.net/display.php?file=notes.txt%3B%20rm%20-rf%20%2F%3B%0A%0A d. http://www.example.net/display.php?file=%20%20%20%20%20 Dawn Song

  16. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. (URIs decoded) a. http://www.example.net/display.php?get=rm b. http://www.example.net/display.php?file=rm -rf /; c. http://www.example.net/display.php?file=notes.txt; rm -rf /; d. http://www.example.net/display.php?file= Dawn Song

  17. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. (Resulting php) a. <? echo system("cat rm"); ?> b. <? echo system("cat rm -rf /;"); ?> c. <? echo system("cat notes.txt; rm -rf /;"); ?> d. <? echo system("cat "); ?> Dawn Song

  18. Injection • Injection is a general problem: – T ypically, caused when data and code share the same channel. – For example, the code is “ cat ” and the fjlename the data. • But ‘ ; ’ allows attacker to start a new command. Dawn Song

  19. Input Validation • T wo forms: – Blacklisting: Block known attack values – Whitelisting: Only allow known-good values • Blacklists are easily bypassed – Set of ‘attack’ inputs is potentially infjnite – The set can change after you deploy your code – Only rely on blacklists as a part of a defense in depth strategy Dawn Song

  20. Blacklist Bypass Blacklist Bypass Use a pipe Disallow semi - colons Disallow pipes and semi colons Use the backtick operator to call commands in the arguments Disallow pipes, semi - colons, and backticks Use the $ operator which works similar to backtick Disallow rm Use unlink Disallow rm , unlink Use cat to overwrite existing fjles • Ad infjnitum • T omorrow, newer tricks might be discovered Dawn Song

  21. Input Validation: Whitelisting display.php: <? if (!preg_match("/^[a-z0-9A-Z.]*$/", $_GET['file'])) { echo “The file should be alphanumeric."; return ; } echo system("cat ".$_GET['file']); ?> GET INPUT PASSES? Yes notes.txt No notes.txt; rm –rf /; No security notes.txt Dawn Song

  22. Input Escaping display.php: <? #http://www.php.net/manual/en/function.escapeshellarg.php echo system("cat ".escapeshellarg($_GET['file'])); ?> escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument -- http://www.php.net/manual/en/function.escapeshellarg.php GET INPUT Command Executed notes.txt cat 'notes.txt' notes.txt; rm –rf /; cat 'notes.txt rm –rf /;' mary o'donnel cat 'mary o'\''donnel' Dawn Song

  23. Use less powerful API • The system command is too powerful – Executes the string argument in a new shell – If only need to read a fjle and output it, use simpler API display.php: <? echo file_get_contents($_GET['file']); ?> • Similarly, the proc_open (executes commands and opens fjles for I/O) API – Can only execute one command at a time. Dawn Song

  24. Recap • Command Injection: a case of injection, a general vulnerability • Defenses against injection include input validation, input escaping and use of a less powerful API • Next, we will discuss other examples of injection and apply similar defenses Dawn Song

  25. SQL Injection Dawn Song

  26. Background • SQL: A query language for database – E.g., SELECT statement, WHERE clauses • More info – E.g., http://en.wikipedia.org/wiki/SQL Dawn Song

  27. Running Example Consider a web page that logs in a user by seeing if a user exists with the given username and password. login.php: $result = pg_query ("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';"); if ( pg_query_num($result) > 0 ) { echo "Success"; user_control_panel_redirect(); It sees if results exist and if so logs the user in and redirects them to their user control panel. Dawn Song

  28. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] Dawn Song

  29. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Dawn Song

  30. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Results: 25 | pikachu | password123 | electric Resul Dawn Song ts

  31. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Success and redirect to user control Execute query with $_GET['user'] panel. $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Results: 25 | pikachu | password123 | electric Resul Dawn Song ts

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

10/25/19 Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio Network Security Byzantine failures in distributed spectrum sensing Security vulnerabilities in IEEE 802.22 Yao Zheng 1 2

383 views • 7 slides
Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

DAISY D ata A nalysis and I nformation S ecurit Y Lab Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to Audio-based Adversarial Attacks Yingying (Jennifer) Chen Professor, Electrical and Computer

1.05k views • 46 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

471 views • 21 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon

Hunting beacons Bartosz Jerzman agenda Part I: HTTP beacon detection Part II: HTTPS beacon detection Part III: Lets hunt them early C2 scanning whoami Sysadmin and network defender for the Polish Navy Incident responder

720 views • 52 slides
Content Provider Content Resolver Cursor Content Provider Basics Content providers is one

Content Provider Content Resolver Cursor Content Provider Basics Content providers is one

Content Provider Content Resolver Cursor Content Provider Basics Content providers is one of Androids core components that enables you to access data of other applications where data is stored in databases or flat files. SQLite

1.12k views • 40 slides
Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a.

Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a.

Ontology Design Pa/ern-driven Linked Data Publishing Adila Krisnadhi Data Seman1cs Lab (a.k.a. DaSeLab) Wright State University, Dayton, OH E-mail: krisnadhi@gmail.com GitHub: krisnadhi 2016 ESIP Summer Mee1ng, Durham, NC This talk is about

454 views • 34 slides
A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara

A brief history of the Web ...and how one architectural choice got us into a very big mess Tara Vancil @taravancil taravancil.com bluelinklabs.com beakerbrowser.com What is the Web? 1-1 Ted Nelson coins hypertext A

851 views • 50 slides
Building a Database on S3 By Sandeepkrishnan Introduction Next wave on the Web to provide

Building a Database on S3 By Sandeepkrishnan Introduction Next wave on the Web to provide

Building a Database on S3 By Sandeepkrishnan Introduction Next wave on the Web to provide services. Make it easy for everyone to provide services, not just Google, Amazon. Goal of utility computing Storage, CPU, network bandwidth

441 views • 33 slides
Refactoring Sequential Java Code for Concurrency via Concurrent Libraries Danny Dig (MIT

Refactoring Sequential Java Code for Concurrency via Concurrent Libraries Danny Dig (MIT

Refactoring Sequential Java Code for Concurrency via Concurrent Libraries Danny Dig (MIT UPCRC Illinois) John Marrero (MIT) Michael D. Ernst (MIT U of Washington) ICSE 2009 The Shift to Multicores Demands Work from Programmers Users

945 views • 53 slides
Visualizer Basics Jon Storrick Jon.Storrick@gmail.com Center for Computational Analysis of

Visualizer Basics Jon Storrick Jon.Storrick@gmail.com Center for Computational Analysis of

CASOS Visualizer Basics Jon Storrick Jon.Storrick@gmail.com Center for Computational Analysis of Social and Organizational Systems http://www.casos.cs.cmu.edu/ More Demo than Presentation This presentation will be a follow-along

472 views • 19 slides
A Collaborative Named Entity Focused URI Collection to Explore Web Archives Workshop on Web

A Collaborative Named Entity Focused URI Collection to Explore Web Archives Workshop on Web

A Collaborative Named Entity Focused URI Collection to Explore Web Archives Workshop on Web Archiving and Digital Libraries Sergej Wildemann &amp; Helge Holzmann June 6, 2019 L3S Research Center - University of Hannover - Germany Introduction

802 views • 22 slides

More recommend