Li Yang, Carson Woods (University of Tennessee at Chattanooga)

Developing Web Security Teaching Modules with Visualization and Hands-on Labs
Li Yang, Carson Woods (University of Tennessee at Chattanooga), Xiaohong Yuan (North Carolina A&T SU)
Cyber Ed Curriculum Showcase, April 23, 2018

Motivation
The challenge of conveying complex and dynamic information security concepts to students
Engaging students in active learning in information security education

Outline
Project Overview
Project Objectives
Developed Modules
Lessons Learned
Future Work

Project Overview
With the increased number of consumers and applications using the web, web applications have become a profitable target of cybercrime. A successful attack on a web application could bypass traditional enterprise perimeters guarded by firewalls and intrusion detection systems, resulting in data loss or breach of privacy. Understanding web threats, vulnerabilities, and security is important for both users and developers.
Developing visualization tools to understand web threats and security
Developing hands-on labs to sharpen student skills in web security

Project Overview – Visualization
Surveys suggest a widespread belief that visualization technology positively impacts learning [Naps03]. There is growing evidence that concept visualization systems are indeed effective when they engage learners in an active learning activity [Grissom03, Naps03]. Students benefit from interactive visualization as one of the active learning approaches, which involve students in classroom activities that are meaningful and make them think about what they are doing [Bonwell91].

Teaching Modules in Web Security
Web Security Visualization + Lab:
IoT Botnet
DNS Cache Poisoning and Pharming Attack and Defense
Cross-Site Scripting (XSS) & Cross-site Request Forgery (CSRF)
Logic Flaw
Browser Extensions
Ad Fraud
Slide keywords: Top Vulnerabilities, News, Emerging, Complex, Abstract, Dynamic, Time-constraints

Module 1 – Cross-Site Scripting (XSS) & Cross-site Request Forgery (CSRF)
Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript programs) into the victim's web browser. Using this malicious code, the attackers can steal the victim's credentials, such as cookies, and bypass access control policies.
Visualization:
Normal web operation
Vulnerabilities and attacks
Defense strategies
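An added Python example (not from the slides or the authors' visualization tool) of the two defense strategies the module's cookie-theft scenario calls for: HTML-encoding untrusted output so injected markup renders as text, and marking the session cookie HttpOnly so scripts cannot read it. The input string, function names and session id are constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample of untrusted input that carries a script tag (exfil() is a
# made-up function name; this is only to show how the two renderings differ).
UNTRUSTED_INPUT = '<script>exfil(document.cookie)</script>'


def render_vulnerable(name: str) -> str:
    """'Before' version: reflects untrusted input straight into the page body."""
    return f"<p>Hello, {name}!</p>"


def render_safe(name: str) -> str:
    """Hardened version: HTML-encodes the input so the browser shows text, not code."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def contains_active_script(page: str) -> bool:
    """Crude check used only to illustrate the difference between the two renderings."""
    return "<script" in page.lower()


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie header for the session cookie with HttpOnly (not readable
    via document.cookie), Secure (HTTPS only) and SameSite=Strict (limits CSRF)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_INPUT))
    print("safe:      ", render_safe(UNTRUSTED_INPUT))
    print(session_cookie_header("constructed-session-id"))
```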

Cross-Site Scripting (XSS) Visualization Samples
Figure 1: (a) Mel steals cookies from Alice; (b) Mel impersonates Alice with Alice's cookie

Module 2 – DNS Cache Poisoning and Pharming
Three players: a user, a DNS server, and an attacker
Normal operation of DNS
Several attack scenarios: cache poisoning and pharming
A defense solution such as HTTPS

Module 3 – Logic Flaw
Lecture Topics:
API parameters in e-commerce
Arguments in URLs
Workflow of transactions
How to complete an expensive order using the payment intended for a cheap order
Hands-on Labs:
Implement logic flaw
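An added Python example (not the module's lab code) of the order/payment logic flaw named above, with a checkout routine that trusts any supplied receipt beside one that binds the receipt to the order id, the order total and a single use. The order ids, amounts and receipt shape are constructed; no real payment provider API is assumed.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Order:
    order_id: str
    total: Decimal
    status: str = "pending"


@dataclass
class PaymentReceipt:
    """Confirmation a payment provider hands back (constructed shape, not any real API)."""
    receipt_id: str
    paid_order_id: str   # the order the provider recorded the payment against
    amount: Decimal


# Constructed sample data: a cheap and an expensive order in the same session,
# and a receipt that genuinely paid for the cheap one.
ORDERS = {
    "cheap-1": Order("cheap-1", Decimal("5.00")),
    "exp-1": Order("exp-1", Decimal("500.00")),
}
CHEAP_RECEIPT = PaymentReceipt("r-100", "cheap-1", Decimal("5.00"))


def complete_order_flawed(order_id: str, receipt: PaymentReceipt) -> bool:
    """'Before': trusts the order_id parameter and only checks that some receipt exists,
    so the cheap order's receipt completes the expensive order."""
    order = ORDERS[order_id]
    if receipt is None:
        return False
    order.status = "completed"
    return True


_consumed_receipts: set = set()   # receipts already applied to an order


def complete_order_checked(order_id: str, receipt: PaymentReceipt) -> bool:
    """Hardened: the receipt must name this order, match its total, and be unused."""
    order = ORDERS.get(order_id)
    if order is None or receipt is None:
        return False
    if receipt.paid_order_id != order.order_id:   # payment was for a different order
        return False
    if receipt.amount != order.total:              # paid less (or more) than the total
        return False
    if receipt.receipt_id in _consumed_receipts:   # receipt replayed
        return False
    _consumed_receipts.add(receipt.receipt_id)
    order.status = "completed"
    return True
```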

Logic Flaw Visualization

Module 4 – Ad Fraud
Lecture Topics:
How online advertisement works
Ad Replacement Attack
Click Hijacking Attack
Ad Fraud Mitigation Techniques: serving bluff ads, threshold-based detection, monitoring and scrutinizing unexpected DNS resolvers
Visualization:
Ad Replacement
Click Hijacking
Hands-on Labs: Students will simulate ad replacement fraud

Ad Replacement Visualization

Module 5 – IoT Botnet
Topics: IoT, DoS, password
Visualization: Mirai Botnet
Hands-on Lab: Students emulate the Mirai Command & Control (C&C) server, infect devices, and perform a DoS on a local LAMP server hosting a website.

Module 6 – Browser Extensions
Topics: What is a browser extension? Security implications of browser extensions
Visualization (to come)
Hands-on Lab: Write a browser extension

User Study of Visualization Tools on XSS and CSRF
Ten students participated in the survey, from the Secure Software Engineering class at North Carolina A&T State University.
On average, students spent about 20 minutes on each tool.

Evaluate Hands-on Labs
Secure Software Engineering class at North Carolina A&T State University, spring 2016
Fifteen (15) students were enrolled in the class, and thirteen (13) students participated in the survey.
Students had 10 days to work on the hands-on lab of the ad replacement attack.
Most of the students consider themselves as having excellent or high knowledge in the different learning outcomes after using the hands-on lab on ad fraud.

Demo
XSS: http://web2.utc.edu/~djy471/XSS/xss.html
Logic Flaw: http://web2.utc.edu/~djy471/logic-flaw/index.html

Lessons Learned
Good developers are important (manpower)
Recruit as early as possible (manpower)
Develop compelling stories (expertise)
Need a designer or experts in graphics (expertise/budget)
Plan for course integration (expertise)
User study and testing are important (budget/time)

Future Work
Network Security
Secure Coding
Software Vulnerability: BoF, Race Condition
Wireless Security
Cryptography
Emerging Incidents