How they work and how to stop them.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Past, Present and Future By Eoin Keary and Jim Manico
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
DEV333. Describe each main attack Demo how the attack works Fix our poor vulnerable application! Why Script Kiddies, Why? Click to Hack.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Security in SQL Jon Holmes CIS 407 Fall Outline Surface Area Connection Strings Authenticating Permissions Data Storage Injections.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web-based Document Management System By Group 3 Xinyi Dong Matthew Downs Joshua Ferguson Sriram Gopinath Sayan Kole.
Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.
Session 11: Security with ASP.NET
OWASP Zed Attack Proxy Project Lead
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Prevent Cross-Site Scripting (XSS) attack
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Attacking Applications: SQL Injection & Buffer Overflows.
Sofia, Bulgaria | 9-10 October Writing Secure Code for ASP.NET Stephen Forte CTO, Corzen Inc Microsoft Regional Director NY/NJ (USA) Stephen Forte CTO,
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Effective Security in ASP.Net Applications Jatin Sharma: Summer 2005.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
Module 11: Securing a Microsoft ASP.NET Web Application.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Web Applications Testing By Jamie Rougvie Supported by.
Building Secure Web Applications With ASP.Net MVC.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
10 Tips for Building a Secure PHP Application. Tip 1: Use Proper Error Reporting/Handling  The development process of the application can become very.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.
Defense In Depth: Minimizing the Risk of SQL Injection
Module: Software Engineering of Web Applications
Building Secure ColdFusion Applications
Web Application Vulnerabilities
An Introduction to Web Application Security
SQL Server Security & Intrusion Prevention
# 66.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
SQL Injection.
Cross-Site Forgery
Security mechanisms and vulnerabilities in .NET
Defense in Depth Web Server Custom HTTP Handler Input Validation
Lecture 2 - SQL Injection
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Protecting Against Common Web Application Vulnerabilities
6. Application Software Security
Exploring DOM-Based Cross Site Attacks
Presentation transcript:

How they work and how to stop them. SQL Injection and XSS How they work and how to stop them. Rob Kraft, Rob@RobKraft.org October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com What r hackers looking 4? Non-specific attacks Identifying vulnerable servers Turning the computer into a zombie (botnet) Hard disk space Specific attacks Info to exploit: Financial Data Doing damage October 29, 2011 Rob Kraft – www.KraftSoftware.com

SQL Injection Prevention Overview Programmers Don’t use Dynamic SQL Validate Inputs (on the server side) Don’t provide detailed errors to users DBAs Restrict database permissions Review Logs Disable unneeded features Encrypt data, Strong Procedures October 29, 2011 Rob Kraft – www.KraftSoftware.com

SQL Injection Prevention Overview Network Administrators Configure firewalls to watch for scans Windows Administrators Configure IIS to use URL Scanning Require strong passwords with expirations Use different accounts for SQL Services Auditing Review configurations and logs October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Don’t use dynamic SQL Do NOT build SQL Dynamically like this: sql = "select title from titles where id =" + id; October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Do use Parameters DO use parameters (not just on strings) sql = “select title from titles where id = @id"; myCmd.Parameters.AddWithValue("@id",txt1.Text); Or – Write your own formatter sql = sql.Replace(“'”, “''” ); Tip: It is usually easier to review code that uses parameters for proper usage. Tip: Review code. October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Comparison strCity = “Lee's Summit”; sql = “… where city = '“ + strCity + “' ”; …where city = 'Lee's Summit' - Error sql = “… where city = @city”; …Parameters.Add(“@city”,strCity); …where city = 'Lee''s Summit' – No Error October 29, 2011 Rob Kraft – www.KraftSoftware.com

Dangerous Stored Procedure CREATE PROCEDURE dbo.LoginAccount ( @UserName nvarchar(20), @Password nvarchar(20)) AS EXECUTE (‘SELECT USERNAME, USERID FROM USERS WHERE USERNAME = ‘’’ + @UserName + ‘’’ AND PASSWORD = ‘’’ + @Password + ‘’’’) RETURN Don’t build dynamic SQL in stored procedures. October 29, 2011 Rob Kraft – www.KraftSoftware.com

Preventing SQL Injection IIS Sites: Set the mode of <customErrors> in web.config to On or RemoteOnly to minimize information returned to the client’s browser that a hacker could use to learn about your databases. October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Validate Input Validate data input Use javascript to provide a friendly and responsive UI to users, but don’t rely on it for security Use ASP.Net Validators, but don’t rely on them Check input lengths (and log rejections) Use a Regex Whitelist (and log rejections) October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Regex Example Regex allowRegex = new Regex(@“^[a-zA-Z\s\’]*$”); // But we disallow common SQL functions Regex disallowRegex = new Regex(“(union|select|drop|delete)”); if ((!allowRegex.IsMatch(textBoxLastName.Text)) || (disallowRegex.IsMatch(textBoxLastName.Text))) { labelErrorMessage.Text = “Invalid name.”; return; } October 29, 2011 Rob Kraft – www.KraftSoftware.com

Restrict Database Permissions NEVER use ‘sa’ for an application NEVER use an Admin account for an application Use a database logon, or logons with minimal database permissions required by the application. Use stored procedures – don’t give the dbms logon account permission to the underlying tables Turn off xp_cmdshell Use SQL 2008/2005 instead of SQL 2000 October 29, 2011 Rob Kraft – www.KraftSoftware.com

Don’t depend on front-end devices Do NOT rely on signature based detection You can block --; but what about %2d%2d You can block union; but what about ‘un’ + ‘ion’ Internet October 29, 2011 Rob Kraft – www.KraftSoftware.com

Preventing SQL Injection Review logs: Failed SQL Logins URL Requests October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Other technologies Web Services Web services are also at risk for SQL Injection LINQ to SQL is safe by default Dim q = From c in db.Customers Where c.city = “Lee’s Summit” Nhibernate is safe by default MS Entity Framework is safe by default October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com October 29, 2011 Rob Kraft – www.KraftSoftware.com

Topic 2: Cross Site Scripting (XSS) XSS is also called 2nd Order SQL Injection Data is injected into a database, and is used later to attack. HTML or Javascript stored in the database that executes when rendered on a web page. October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com A Script embedded in a web site sends data to the hacker’s site. In this example, a hacker may have embedded a script in a book review on Amazon. When any user navigates to the page with the book review, information from their cookie is sent to the hacker’s web site. October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com How to stop XSS Check that ASP.Net request validation is enabled ValidateRequest=true on ASP.Net web pages Check input lengths or use a Regex Whitelist HttpUtility.HTMLEncode and URLEncode (blacklist) Better: https://www.owasp.org/index.php/ESAPI Better: Microsoft Anti-XSS Libraries Use the innerText Property Instead of innerHTML Better: jquery: $(‘tagname’).html(value) October 29, 2011 Rob Kraft – www.KraftSoftware.com

How to stop XSS - Dilemma To prevent XSS we must encode output. To render output correctly we must not double encode it. Therefore we need to know what encodings may be in the raw data: HTML, javascript, CSS, XML We need to know where to perform encoding (server side or client side) Use Jquery-Encoder for client side October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Microsoft Resources A Microsoft tool for scanning for injection problems: www.pnpguidance.net/Post/MicrosoftSourceCodeAnalyzerSQLInjectionToolFindSQLInjectionProblems.aspx Microsoft guidance in SQL 2008: msdn2.microsoft.com/en-us/library/ms161953.aspx How To: Protect From SQL Injection in ASP.NET msdn.microsoft.com/en-us/library/ms998271.aspx Microsoft Guidance on XSS msdn.microsoft.com/en-us/library/ms998274.aspx Microsoft Security Development Lifecycle (SDL)-- Microsoft Anti-Scripting library 4.0: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651 October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Good resources OWASP https://www.owasp.org/index.php/Template:Cheatsheet_Navigation Examples of using Regex against injection www.developerfusion.com/article/5855/beyond-stored-procedures-defenseindepth-against-sql-injection Good examples of SQL Injection en.wikipedia.org/wiki/SQL_injection www.unixwiz.net/techtips/sql-injection.html CSRF: en.wikipedia.org/wiki/Cross-site_request_forgery www.freedom-to-tinker.com/sites/default/files/csrf.pdf October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Tools to help Absinthe: blind injection attack and analysis tool www.0x90.org/releases/absinthe FXCop msdn.microsoft.com/en-us/library/bb429476(VS.80).aspx Microsoft Security Runtime Engine blogs.msdn.com/cisg/archive/2008/10/24/a-sneak-peak-at-the-security-runtime-engine.aspx October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com Summation BAD: "select Title from titles where title like '%" + input + "%'" GOOD: myCmd = new SqlDataAdapter("select Title from titles where title like @query", m_SQLConn); parm = myCmd.SelectCommand.Parameters.Add( "@query", SqlDbType.VarChar, 10); parm.Value = "%" + input + "%"; October 29, 2011 Rob Kraft – www.KraftSoftware.com

All the links and slides are at: www.KraftSoftware.com October 29, 2011 Rob Kraft – www.KraftSoftware.com

Cross Site Request Forgeries (CSRF) 1. User goes to site 3. User navigates to injected site 2. Page goes to Paypal Server PayPal Server 4. Injected site performs action on “still authenticated” site. <img src="http://paypal.com/withdraw?account=rkraft&amount=1000000&for=hacker"> October 29, 2011 Rob Kraft – www.KraftSoftware.com

Rob Kraft – www.KraftSoftware.com How to stop CSRF Only use POST for modifications, not GET Require all requests to include pseudo-random value (session independent) – include on POST form and cookie – must match User’s should Log Out of sites October 29, 2011 Rob Kraft – www.KraftSoftware.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.