Foundations of Network and Computer Security

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Cookies, Sessions. Server Side Includes You can insert the content of one file into another file before the server executes it, with the require() function.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Cross-Site Attacks James Walden Northern Kentucky University.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Ram Santhanam Application Level Attacks - Session Hijacking & Defences
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Cross Site Scripting and its Issues By Odion Oisamoje.
Cookies and Sessions IDIA 618 Fall 2014 Bridget M. Blodgett.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
1 State and Session Management HTTP is a stateless protocol – it has no memory of prior connections and cannot distinguish one request from another. The.
ACM Conference on Computer and Communications Security 2006 Puppetnet: Misusing web browsers as a distributed attack infrastructure Network Seminar Presenter:
Module: Software Engineering of Web Applications Chapter 3 (Cont.): user-input-validation testing of web applications 1.
What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.
Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.
COMP9321 Web Application Engineering Semester 2, 2017
Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory
Module: Software Engineering of Web Applications
Building Secure ColdFusion Applications
CSCE 548 Student Presentation Ryan Labrador
Web Application Vulnerabilities
NodeJS Security Using PassportJS and HelmetJS:
Module: Software Engineering of Web Applications
TOPIC: Web Security (Part-4)
Security: Exploits & Countermeasures
World Wide Web policy.
Cross-Site Scripting Travis Deyarmin.
Static Detection of Cross-Site Scripting Vulnerabilities
Sessions and cookies (part 2)
SQL Injection Attacks Many web servers have backing databases
Cross-Site Forgery
Cross-Site Request Forgeries: Exploitation and Prevention
Security.
CSC 495/583 Topics of Software Security Intro to Web Security
Web Security Advanced Network Security Peter Reiher August, 2014
Security.
Security: Exploits & Countermeasures
Active Man in the Middle Attacks
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Exploring DOM-Based Cross Site Attacks
Cross-Site Scripting Attack (XSS)
Cross Site Request Forgery (CSRF)
Presentation transcript:

Foundations of Network and Computer Security John Black CSCI 6268/TLEN 5550, Spring 2013

Session-Based Attacks HTTP is connectionless But many/most apps want to maintain state Using IP addresses is an imperfect solution Why? Cookies were invented to solve exactly this problem

Using Cookies for Session Management The server wants to maintain information about the current client Encode state into an alphanumeric string Use Set-cookie=string and send to browser Optionally set expires, domain, path, secure, httponly values as well Now each time the browser wishes to connect to a given domain and path, it checks its cookie store and transmits all matching cookies

Using Cookies for Session Management They are essentially a temporary password Difficult to guess, not short enough to brute-force, unique These are often violated by using insufficient randomness, being too short, using counters, etc Many apps that lock-out password attempts fail to guard against brute force attacks on session ids So short session ids are very vulnerable Demo stateful.php on moxie

Bad Random Number Generators Netscape Session Keys – 1996 RNG_CreateContext() /* time since Jan 1, 1970 */ (seconds, microseconds) = time of day; pid = process ID; ppid = parent process ID; a = mklcpr(microseconds); b = mklcpr(pid + seconds + (ppid << 12)); seed = MD5(a, b); mklcpr(x) /* not cryptographically significant */ return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);

Cross-Site Scripting (XSS) XSS is a very common vulnerability Would be vulnerability of the decade except SQL injections are often far more serious XSS is used for a client to attack another client, not to attack a server An XSS vulnerability is as simple as echoing back user-input without sanitizing Ex: You submit: “XYZ!!(2” to a search engine and it replies with “XYZ!!(2 no results found”

“Security Context” We define a security context to be the set of rules that govern how cookies are handled between domains Users might have several contexts active at the same time Ex: An unexpired session token with a bank sitting in another browser window (logout or browser death usually purges these tokens, but users will often neglect to do either)

XSS The idea of XSS is for an attacker to inject malicious javascript into a security context that it does not own And, as we know, this means things like session tokens can be sent anywhere we like

user connects to evil site javascript executes as if from bank; tokens stolen Link to bank with malicious javascript given as parameter malicious javascript reflected back to user with bank’s security context Typically called “reflected” XSS

Demo on moxie Visit stateful.php to establish highly valuable session ID View xss.php behavior Look at ~drevil on moxie Note the warm innocent feel of the page View source on this page (note the encodings) Examine steal.php Click on link on drevil’s homepage Look in /tmp/stolen.txt

Stored XSS Stored XSS is very similar Instead of using a reflection bug, the attacker stores javascript in a place where the victim is likely to read it (and thereby execute it) It’s usually the server’s responsibility to sanitize user input before storing it Consider a public forum where various users post their thoughts And their exploit code… Stored XSS is usually considered more serious No need to induce the user to establish a session then visit drevil’s site, which can be hard some times

Note proper domain name SSL would be enabled, if this were an SSL site

Samy XSS worm Oct, 2005: myspace had an XSS vulnerability They used <script> filters, but 19-yr old Samy Kamkar found a way to bypass all of them He built an AJAX app so that every view of his profile added him as a friend and posted “…and most of all, Samy is my hero” to their page He also had the worm install itself so that any viewer of the page would propagate the worm

Three years probation, 90 days community service, and a book-deal

Finding XSS Vulnerabilities Try entering ><script>alert(document.cookie)</script> in every user-input vector and monitor for appearance of this string from the site If string comes back unmodified, jackpot This is automatable Some XSS vulns will not be found by this technique, however, since <script> is often filtered out (as are < > /) Some XSS filters will miss ><script >, ><ScRiPt>, %3e%3cscript%3e, ><scr<script>ipt>, %00><script>

Good Practices (for security) Create a session token on first visit When performing authentication, destroy the old session and create a new one Expire sessions after a short period (30-60 mins) Destroy sessions after logout Use SSL and mark session cookies as secure Monitor User-Agent header; it shouldn’t change during a session