UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Web Security Never, ever, trust user inputs Supankar.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
How the web works: HTTP and CGI explained
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
PHP Tutorials 02 Olarik Surinta Management Information System Faculty of Informatics.
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
JavaScript, Fourth Edition
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do.
Web 2.0 Security James Walden Northern Kentucky University.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 8 Cookies And Security JavaScript, Third Edition.
Cross-Site Attacks James Walden Northern Kentucky University.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University
1-1 HTTP request message GET /somedir/page.html HTTP/1.1 Host: User-agent: Mozilla/4.0 Connection: close Accept-language:fr request.
Appendix E: Overview of HTTP ©SoftMoore ConsultingSlide 1.
CITA 310 Section 2 HTTP (Selected Topics from Textbook Chapter 6)
ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Embedded Linux Conference Europe November 2008 Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net URL for slides:
National College of Science & Information Technology.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Group 18: Chris Hood Brett Poche
Module: Software Engineering of Web Applications
Building Secure ColdFusion Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
World Wide Web policy.
API Security Auditing Be Aware,Be Safe
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Cross-Site Forgery
Client / Session Identification Cookies
PHP / MySQL Introduction
CSC 495/583 Topics of Software Security Intro to Web Security
Lecture 2 - SQL Injection
Web Programming Language
PHP Forms and Databases.
Lecture 27 Security I April 4, 2018 Open news web sites.
Cross Site Request Forgery (CSRF)
Presentation transcript:

UKUUG Linux 2008 Introduction to Web Application Security Flaws Jake Edge LWN.net URL for slides:

UKUUG Linux 2008 Overview ● Brief introduction to HTTP ● Cross-site scripting (XSS) ● Cross-site request forgery (XSRF) ● SQL injection ● Authentication bypass ● Session Hijacking ● Conclusion and Questions

UKUUG Linux 2008 Theme.... ● Web application security flaws are often caused by: – Trusting and/or not validating user input ● Anything that comes from users or can be controlled by them is suspect: URLs, form data, cookie values, etc.

UKUUG Linux and sub-theme ● Developers often assume, incorrectly, that input to their web applications always comes from browsers – It is trivial to generate HTTP from programs – Javascript validation is only useful as a help to the user. It does not provide any server-side protection

UKUUG Linux 2008 HTTP – the web protocol ● Browser sends HTTP requests and then displays the results (generally HTML/image) ● Very simple protocol, with a few commands: – HEAD – get the headers and dates for the page – GET – get the html (or image or...), parameters are part of URL (.../foo?id=4&page=3) – POST – encodes form parameters into the request which goes to a specific program named in FORM – There are more, these are the most common

UKUUG Linux 2008 HTTP Example ~]$ telnet lwn.net GET /talks/ukuug2008/ HTTP/1.1 Host: lwn.net HTTP/ OK Date: Mon, 03 Nov :49:22 GMT Server: Apache Last-Modified: Mon, 03 Nov :24:32 GMT ETag: "b abecf1e5400" Accept-Ranges: bytes Content-Length: 792 Connection: close Content-Type: text/html UKUUG Linux

UKUUG Linux 2008 HTML Forms ● These are the standard web forms that we fill in all the time: ● The parameters (name, password) will get encoded and submitted as a POST

UKUUG Linux 2008 GET vs. POST ● HTTP GET requests are not meant to change the state of the application – Classic example: ● State changes should be done through POST (i.e. forms) ● This is important to protect against trivial XSRF as well as innocent mistakes like the above

UKUUG Linux 2008 Sessions ● HTTP is a stateless protocol ● Sessions are established to track users through a web application ● A session ID is generated and typically stored in a browser cookie ● Cookies are associated with a particular URL and sent each time a request is made

UKUUG Linux 2008 Cross-site scripting (XSS) ● Comes from echoing user input back to browser without properly handling HTML elements ● Common mistake is to put user input into error message: Unknown input alert(“XSS”) ● Attacker controls Javascript sent by your app ● Can be used to send cookie or other sensitive information to attacker-controlled sites

UKUUG Linux 2008 Avoiding XSS ● The main defense is to filter all user input before sending it back to the browser ● In particular, it is recommended that these characters: ( ) & # be filtered – < > ( &#41 & # are substitutes – Usually the language has a function to call to do that for you: htmlentities(), cgi.escape(), etc.

UKUUG Linux 2008 Cross-site request forgery (XSRF) ● User follows a link (from , irc,...) that quietly causes some action on a different site ● For GETs that change the state, the page could have an – Cookies get helpfully sent along by browser ● An iframe or other scheme to create a FORM and submit it to BankURL/form, cookies too ● Multiple vulnerable sites can be tried to find one where the user has an active cookie

UKUUG Linux 2008 Avoiding XSRF ● Do not use state-changing GETs ● For forms, add a randomly named hidden field with a random value, associate those with a session and check them on FORM submission ● If app is susceptible to XSS, the random name/values can be extracted from forms ● For extremely sensitive operations (changing password, others), require re-authentication

UKUUG Linux 2008 SQL injection ● Abuses SQL queries with crafted data from form variables: SELECT id FROM users WHERE name='$name' AND pass='$pass' if $pass is: ' OR 1=1 -- query becomes: SELECT id FROM users WHERE name='$name' AND pass='' OR 1=1 --' ● SQL injections can be used to retrieve entire database contents ● They can also be used to delete the data

UKUUG Linux 2008 Avoiding SQL injection ● Easiest method is to use placeholders in query: db_call(“SELECT id FROM users WHERE name=? AND pass=?”, $name, $pass) ● If database API does not allow that, use db ‑ specific quote filter on user input: db_quote($name) db_quote($pass) ● Depending on DBMS, stored procedures can also prevent SQL injection

UKUUG Linux 2008 Authentication bypass ● A variety of techniques to circumvent the username/password of a web app ● For apps that check pathnames, aliasing can be a problem. Ex: /path/foo vs. /path//foo ● When links to certain pages are only presented post- login, some believe this effectively protects them, but it is easy to guess/know the path

UKUUG Linux 2008 Avoiding authentication bypass ● App must be coded such that each privileged page checks auth status whenever accessed – There are too many ways to get to the same page with different looking URLs ● Attackers can sign up for app or in some other way determine the paths – “Hidden” paths are security through obscurity ● If separate program is used to perform the privileged operation, it must also check auth

UKUUG Linux 2008 Session Hijacking ● Essentially an authentication bypass ● Attacker somehow gets access to the session ID via a cookie, SQL injection, or other means ● While that session is valid, attacker can act as the real authenticated user

UKUUG Linux 2008 Avoiding Session Hijacking ● There is a window in time while the session is valid. Shorter sessions mean less exposure. ● Sessions can be restricted based on IP, but that is vulnerable to spoofing or ISP IP changes ● Sensitive operations should require re ‑ authentication

UKUUG Linux 2008 Additional threats ● Remote file include – provides a means to retrieve and execute code from a remote server. PHP 4 particularly vulnerable. ● Denial of service – crashing the application or web server to interfere with normal functioning ● HTTP response splitting – unfiltered user input that ends up in the HTTP headers can lead to attacker content sent to browser ● Lots more – new types are found regularly

UKUUG Linux 2008 General web and app security ● All user input should be validated ● All unused services should be disabled ● There are Linux security tools that can assist in locking down web servers: – SELinux – AppArmor – SMACK, Tomoyo Linux, grsecurity, RSBAC, etc.

UKUUG Linux 2008 Theme and sub-theme ● Any input that can be controlled or influenced by a user (or attacker) must be validated carefully. Period. – Validation should use whitelists, not blacklists ● Browsers do not generate very much hostile traffic, programs do. Expect the unexpected. – Javascript validation is not sufficient

UKUUG Linux 2008 Where to get more information? ● A few links: ● Open Web Application Security Project (OWASP): ● Wikipedia has good descriptions of vulnerabilities

UKUUG Linux 2008 Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.