James Walden Northern Kentucky University

Slides:



Advertisements
Similar presentations
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Advertisements

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science
WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš by Martin Kruliš (v1.0)1.
Workshop 3 Web Application Security Li Weichao March
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
HTTP and Server Security James Walden Northern Kentucky University.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Penetration Testing James Walden Northern Kentucky University.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Web 2.0 Security James Walden Northern Kentucky University.
Honeypot and Intrusion Detection System
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.
Cross-Site Attacks James Walden Northern Kentucky University.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
SIGITE 2008: Oct Integrating Web Application Security into the IT Curriculum James Walden Northern Kentucky University.
Analysis of SQL injection prevention using a filtering proxy server By: David Rowe Supervisor: Barry Irwin.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Building Secure Web Applications With ASP.Net MVC.
Crash Course in Web Hacking
An Intro to Webhackery Parisa Tabriz. How the web was born Stage 1 : Network Protocols Stage 2 : HTTP Stage 3 : Server Side Scripting Stage 4 : Client.
Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.
The Problem of State. We will look at… Sometimes web development is just plain weird! Internet / World Wide Web Aspects of their operation The role of.
ASP. What is ASP? ASP stands for Active Server Pages ASP is a Microsoft Technology ASP is a program that runs inside IIS IIS stands for Internet Information.
The Module Road Map Assignment 1 Road Map We will look at… Internet / World Wide Web Aspects of their operation The role of clients and servers ASPX.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Michael Dalton, Christos Kozyrakis, and Nickolai Zeldovich MIT, Stanford University USENIX 09’ Nemesis: Preventing Authentication & Access Control Vulnerabilities.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Introduction SQL Injection is a very old security attack. It first came into existence in the early 1990's ex: ”Hackers” movie hero does SQL Injection.
National College of Science & Information Technology.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.
ArcGIS for Server Security: Advanced
Javascript worms By Benjamin Mossé SecPro
Building Secure ColdFusion Applications
XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)
Running a Forms Developer Application
Chapter 7: Identifying Advanced Attacks
World Wide Web policy.
Theodore Lawson CSCE548 Student Presentation, Topic #2
A Security Review Process for Existing Software Applications
AJAX.
PHP / MySQL Introduction
James Walden Northern Kentucky University
Telnet/SSH Connecting to Hosts Internet Technology.
Chapter 27 WWW and HTTP.
CSC 495/583 Topics of Software Security Intro to Web Security
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
An Attack Surface Metric
Lecture 14: JSON and Web SERVICES
PHP Forms and Databases.
DR. JOHN ABRAHAM PROFESSOR UTPA
Lecture 27 Security I April 4, 2018 Open news web sites.
Designing IIS Security (IIS – Internet Information Service)
Exploring DOM-Based Cross Site Attacks
Presentation transcript:

James Walden Northern Kentucky University Attack Surface James Walden Northern Kentucky University

CSC 666: Secure Software Engineering Topics Attack Surface Attack Surface Reduction Measuring Attack Surface Web Application Attack Surface AJAX Attack Surface CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering Attack Surface Attack surface: the set of ways an application can be attacked. Used to measure attackability of app. The larger the attack surface of a system, the more likely an attacker is to exploit its vulnerabilities and the more damage is likely to result from attack. Compare to measuring vulnerability by counting number of reported security bugs. Both are useful measures of security, but have very different meanings. CSC 666: Secure Software Engineering

Why Attack Surface Reduction? If your code is perfect, why worry? All code has a nonzero probability of containing vulnerabilities. Even if code is perfect now, new vulns arise. Format string vulnerability was discovered in 1999. A particular application was immune to XML injection until you added an XML storage feature. Allows focus on more dangerous code. ASR eliminates unnecessary exposures. Allows focus on required exposures. CSC 666: Secure Software Engineering

Attack Surface Reduction Reduce code that executes by default. Restrict who can access the code. Reduce privilege level of code. CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering Code Reduction IIS Example Feature Level IIS5 default in W2k IIS6 not in W2k3 Micro-Feature IIS6 static only by default. Figure 7.1 from The Security Development Lifecycle CSC 666: Secure Software Engineering

Reducing Who Can Access User Level Access Anonymous Authenticated User Administrator Network Access Local PC Only Restricted Network Limited to some IPs Remote Access Admin Anon Local Remote Increasing Attack Surface Restricted Auth User CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering Reduce Privilege Remove Admin Many programs don’t need admin. Change file ACLs so program can use. Privilege Separation Divide software into root and non-root processes by function. SSH needs root for Open port 25. Switch UID on login. Privilege Separated OpenSSH Image from http://www.citi.umich.edu/u/provos/ssh/privsep.html CSC 666: Secure Software Engineering

Relative Attack Surface Rankings Higher Attack Surface Lower Attack Surface Feature runs by default. Feature doesn’t run by default. Open network connection. Closed network connection. Listening for UDP and TCP. Listening for TCP only. Anonymous access. Authenticated access only. Internet access. Subnet, link-local, or site-local network access. Local machine access. Code running as Admin/root. Code running in low priv account. Broad ACLs. Strict ACLs. Many URLs are entry points. Only one/few URLs are entry points. CSC 666: Secure Software Engineering

Measuring Attack Surface Sum of resources that make up surface. Advantages Easy to compute. Categories can be measured independently. Disadvantages Counts root access equal to anon access. Ignores interactions among resources. CSC 666: Secure Software Engineering

Damage-Potential Effort Ratio Damage Potential is Resources * (Item Privilege/Access Required) Resource Types Methods: entry points and exit points. Channels: ports, RPCs, web services. Data Items: files, db entries. Attack Surface defined as triple (Method der, Channel der, Data Item der) CSC 666: Secure Software Engineering

IMAP Server Comparison Courier IMAP <522.00, 2.25, 72.13> Cyrus <383.60,3.25,66.50> Courier Computation Details Methods: 56 x 5 + 31 x (5/3) + 142 x (3/3) Channels: 1 x 1 + 1 x 1 + 1 x (1/4) Data Items: 74 x (1/5) + 13 x (1/3) + 53 x 1 Example from TR: CMU-CS-07-146 CSC 666: Secure Software Engineering

Traditional Web Applications HTTP Request (form submission)‏ User waits Server processing HTTP Response (new web page)‏ User interaction HTTP Request (form submission)‏ Server processing User waits HTTP Response (new web page)‏ CSC 666: Secure Software Engineering

Web Methods, Channels, and Data URL paths URL action parameters Channels Port 80 Port 443 SSL Web Services Data Items Cookies Other client-side storage Server files Database CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering AJAX Asynchronous Javascript and XML User interacts with client-side Javascript. Javascript makes asynchronous requests to server for data. Continues to allow user to interact with application. Updates when receives encoded data from server. CSC 666: Secure Software Engineering

AJAX Applications Client-side Code HTTP request (asynchronous)‏ HTTP Response (data)‏ Server processing User interaction partial update partial update HTTP request (asynchronous)‏ User interaction Server processing HTTP Response (data)‏ HTTP request (asynchronous)‏ User interaction HTTP Response (data)‏ partial update Server processing partial update CSC 666: Secure Software Engineering

Architecture Differences Traditional Application on server. Entire form sent to server. User fills in input items. Clicks on submit. Server returns new page. Presentation + Data. AJAX App on client and server. JavaScript receives user input, issues function calls to server when needed. Get map tile. Save location data. Server returns individual data items. JavaScript incorporates data items into existing page. CSC 666: Secure Software Engineering

AJAX: More Entry Points Purchase Item getPrice() debitAccount() downloadItem() CSC 666: Secure Software Engineering

Example Client-side Code var auth = checkPassword(user, pass); if (auth == false) { alert(‘Authentication failed.’); return; } var itemPrice = getPrice(itemID); debitAccount(user, itemPrice); downloadItem(itemID); CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering Client Side Data Use Firebug to view + modify variables. Modifying session state Set auth to true. Set itemPrice to $0.01, $0, -$1.00. Viewing sensitive data if (discountCode == “HALF_OFF”) { window.location(“discount_order.html”); } CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering Client Side Code Example Code (AJAX Security, p. 176) <script> function sum(x,y) { var z = x + y; alert(“Sum is “ + z); } </script> <input type=“button” value=“5 + 6 = ?” onclick=“sum(5,6);” /> Insert code with Firebug to replace sum() in 5s: setTimeout(“sum = function() { alert(‘hijacked!’); }”, 5000); CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering AJAX: More Client Data Server returns HTML page that displays desired data. SQL Injection SQL Injection Intended Data Extra Data Selected Data Presentation (HTML) Database Web Server Server returns XML/JSON full data for AJAX client to display. SQL Injection SQL Injection Intended Data Extra Data Selected Data Data (XML,JSON) Database Web Server CSC 666: Secure Software Engineering

Client Data Vulnerability SQL Query SELECT * FROM USERS WHERE UID=<> Injected Query SELECT * FROM USERS WHERE UID=12345 UNION SELECT * FROM CREDITCARDS XML Data <data> <user> <uid>12345</uid> <name>John Smith</name> </user> <creditcard> <ccnumber>4444-4444-4444-4444</ccnumber> <expire>01/01/2011</expire> </creditcard> </data> CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering JSON Evaluation var json = getItem() // json = “[ ‘Toshiba’, 499, ‘LCD TV’]” var item = eval(json) // item[0] = ‘Toshiba’ // item[1] = 499 // item[2] = ‘LCD TV’ CSC 666: Secure Software Engineering

CSC 666: Secure Software Engineering JSON Injection Evil input: ‘];alert(‘XSS’);// var json = getItem() // json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//” var item = eval(json) // Alert box with ‘XSS’ appears. // Use json2.js validation library to prevent. CSC 666: Secure Software Engineering

Client-Side State Storage Technologies Client-Side Storage Issues Cookies DOM Storage (HTML5) Flash LSOs UserData (IE) Client-Side Storage Issues User can always modify client-side data. Cross-domain Attacks (between subdomains). Cross-directory Attacks. Cross-port Attacks. CSC 666: Secure Software Engineering

References Billy Hoffman and Bryan Sullivan, AJAX Security, Addison- Wesley, 2008. Michael Howard and Steve Lipner, The Security Development Lifecycle, Microsoft Press, 2006. Michael Howard, “Mitigating Attack Risks by Minimizing the Code You Expose to Untrusted Users,” MSDN Magazine, http://msdn.microsoft.com/en-us/magazine/cc163882.aspx, 2004. Pratyusa .K. Manadhata, Jeannette .M. Wing, Mark .A. Flynn, and Miles .A. McQueen, Measuring the Attack Surfaces of Two FTP Daemons [pdf], ACM Computer and Communications Security (CCS) Workshop on Quality of Protection (QoP), Alexandria, VA, October 2006. Pratyusa K. Manadhata, Kymie M. C. Tan, Roy A. Maxion, and Jeannette M. Wing, An Approach to Measuring A System's Attack Surface [pdf], CMU Technical Report CMU-CS-07-146, August 2007.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.