CSE 154 Lecture 26: web security.

Slides:



Advertisements
Similar presentations
Web Security Never, ever, trust user inputs Supankar.
Advertisements

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
PHP Security.
1 CSE 403 Web Security Testing Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5 These lecture slides are copyright (C) Marty Stepp, 2007.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
PHP Workshop ‹#› PHP Security. PHP Workshop ‹#› Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER 2.ESCAPE.
PHP2010/11 : [‹#›] PHP Security. PHP2010/11 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
SecurityPHPApril 2010 : [‹#›] PHP Security. SecurityPHPApril 2010 : [‹#›] Two Golden Rules 1.FILTER external input Obvious.. $_POST, $_COOKIE, etc. Less.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University
Crash Course in Web Hacking
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Group 18: Chris Hood Brett Poche
Building Secure ColdFusion Applications
CSE 154 Lecture 25: web security.
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Chapter 7: Identifying Advanced Attacks
TOPIC: Web Security (Part-4)
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
CS 371 Web Application Programming
SQL Injection Attacks Many web servers have backing databases
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Cross-Site Forgery
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
Web Systems Development (CSC-215)
PHP: Security issues FdSc Module 109 Server side scripting and
Web Security Advanced Network Security Peter Reiher August, 2014
Lecture 2 - SQL Injection
Faculty of Science IT Department By Raz Dara MA.
Lecture 26: Regular Expressions and Security
Web Security CS 136 Computer Security Peter Reiher March 11, 2010
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
Lecture 27 Security I April 4, 2018 Open news web sites.
CSc 337 Lecture 24: Security.
Security: Attacks & Countermeasures
Cross Site Request Forgery (CSRF)
Presentation transcript:

CSE 154 Lecture 26: web security

Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic!

The real world in order to write secure code, we must assume: invalid input evil users incompetent users everything that can go wrong, will go wrong everybody is out to get you botnets, hackers, script kiddies, KGB, etc. are out there the security mindset: assume nothing; trust no one

Attackers' goals Why would an attacker target my site? Read private data (user names, passwords, credit card numbers, grades, prices) Change data (change a student's grades, prices of products, passwords) Spoofing (pretending to be someone they are not) Damage or shut down the site, so that it cannot be successfully used by others Harm the reputation or credibility of the organization running the site Spread viruses and other malware

Tools that attackers use Assume that the attacker knows about web dev and has the same tools you have: Firebug extensions e.g. Web Dev Toolbar port scanners, e.g. nmap network sniffers, e.g. Wireshark, EtherDetect, Firesheep

Some kinds of attacks Denial of Service (DoS): Making a server unavailable by bombarding it with requests. Social Engineering: Tricking a user into willingly compromising the security of a site (e.g. phishing). Privilege Escalation: Causing code to run as a "privileged" context (e.g. "root"). Information Leakage: Allowing an attacker to look at data, files, etc. that he/she should not be allowed to see. Man-in-the-Middle: Placing a malicious machine in the network and using it to intercept traffic. Session Hijacking: Stealing another user's session cookie to masquerade as that user. Cross-Site Scripting (XSS) or HTML Injection: Inserting malicious HTML or JavaScript content into a web page. SQL Injection: Inserting malicious SQL query code to reveal or modify sensitive data.

Information leakage files on web server that should not be there when the attacker can look at data, files, etc. that he/she should not be allowed to see files on web server that should not be there or have too generous of permissions (read/write to all) directories that list their contents (indexing) can be disabled on web server guess the names of files, directories, resources see loginfail.php, try loginsuccess.php see user.php?id=123, try user.php?id=456 see /data/public, try /data/private

Man-in-the-middle attack when the attacker listens on your network and reads and/or modifies your data works if attacker can access and compromise any server/router between you and your server also works if you are on the same local area network as the attacker often, the attacker still sends your info back and forth to/from the real server, but he silently logs or modifies some of it along the way to his own benefit e.g. listens for you to send your user name / password / credit card number / ...

Secure HTTP (HTTPS) HTTPS: encrypted version of HTTP protocol all messages between client and server are encrypted so men in the middle cannot easily read them servers can have certificates that verify their identity

Session hijacking when the attacker gets a hold of your session ID and masquerades as you exploit sites that use HTTPS for only the initial login: HTTPS: browser → server (POST login.php) HTTPS: browser ← server (login.php + PHPSESSID cookie) HTTP: browser → server (GET whatever.php + PHPSESSID cookie) HTTP: browser ← server (whatever.php + PHPSESSID cookie) attacker can listen to the network, get your session ID cookie, and make requests to the same server with that same session ID cookie to masquerade as you! example: Firesheep

HTML injection a flaw where a user is able to inject arbitrary HTML content into your page This flaw often exists when a page accepts user input and inserts it bare into the page. example: magic 8-ball (8ball.html) What kinds of silly or malicious content can we inject into the page? Why is this bad?

Injecting HTML content 8ball.php?question=<em>lololol</em> injected content can lead to: annoyance / confusion damage to data on the server exposure of private data on the server financial gain/loss end of the human race as we know it why is HTML injection bad? It allows others to: disrupt the flow/layout of your site put words into your mouth possibly run malicious code on your users' computers

Cross-site scripting (XSS) a flaw where a user is able to inject and execute arbitrary JavaScript code in your page JavaScript is often able to be injected because of a previous HTML injection Try submitting this as the 8-ball's question in Firefox: <script type="text/javascript" src="http://panzi.github.com/Browser-Ponies/basecfg.js" id="browser-ponies-config"></script><script type="text/javascript" src="http://panzi.github.com/Browser-Ponies/browserponies.js" id="browser-ponies-script"></script><script type="text/javascript">/* <![CDATA[ */ (function (cfg) {BrowserPonies.setBaseUrl(cfg.baseurl);BrowserPonies.loadConfig(BrowserPoniesBaseConfig);BrowserPonies.loadConfig(cfg);})({"baseurl":"http://panzi.github.com/Browser-Ponies/","fadeDuration":500,"volume":1,"fps":25,"speed":3,"audioEnabled":false,"showFps":false,"showLoadProgress":true,"speakProbability":0.1,"spawn":{"applejack":1,"fluttershy":1,"pinkie pie":1,"rainbow dash":1,"rarity":1,"twilight sparkle":1},"autostart":true}); /* ]]> */</script> injected script code can: masquerade as the original page and trick the user into entering sensitive data steal the user's cookies masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.) ... 8ball.php?question=<script type='text/javascript'>alert('pwned');</script>

Securing against HTML injection / XSS one idea: disallow harmful characters HTML injection is impossible without < > can strip those characters from input, or reject the entire request if they are present another idea: allow them, but escape them htmlspecialchars returns an HTML-escaped version of a string $text = "<p>hi 2 u & me</p>"; $text = htmlspecialchars($text); # "<p>hi 2 u & me</p>"

a flaw where the user is able to inject arbitrary SQL into your query SQL injection a flaw where the user is able to inject arbitrary SQL into your query This flaw often exists when a page accepts user input and inserts it bare into the query. example: simpsons grade lookup (start.php) What kinds of SQL can we inject into the query? Why is this bad?

A SQL injection attack The query in the Simpsons PHP code is: $query = "SELECT * FROM students WHERE username = '$username' AND password = '$password'"; SQL Are there malicious values for the user name and password that we could enter? Password:  This causes the query to be executed as:$query = "SELECT * FROM students WHERE username = '$username' AND password = '' OR '1'='1'"; What will the above query return? Why is this bad?

Too true... injected SQL can: change the query to output others' data (revealing private information) insert a query to modify existing data (increase bank account balance) delete existing data (; DROP TABLE students; -- ) bloat the query to slow down the server (JOIN a JOIN b JOIN c ...) ...

Securing against SQL injection similar to securing against HTML injection, escape the string before you include it in your query quote returns a SQL-escaped version of a string $username = $db->quote($_POST["username"]); $password = $db->quote($_POST["password"]); $query = "SELECT name, ssn, dob FROM users WHERE username = $username AND password = $password"; PHP replaces ' with \', etc., and surrounds with quotes