© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

Slide 2: Outline
- Some background
- Handling malicious input
- System architecture
- How to check data validity
- Examples of validation problems

Slide 3: Background
- Two fundamental rules:
  - All input is evil until proven otherwise
  - Data must be validated as it crosses the boundary between untrusted and trusted environments
- Developers are not good at input validation!
  - Tedium of coding
  - Fear of a performance hit

Slide 4: Misplaced Trust
- Why do buffer overruns succeed?
  - Data come from an untrusted source (the attacker)
  - Too much trust is placed in the data format; we assume that input won't exceed buffer capacity
  - Data are written into memory
- Remove any one of these conditions and the danger of an overrun is eliminated

Slide 5: Handling Malicious Input
- Define a trust boundary around the application
  - Inside the boundary we can trust data (assuming that validation is done correctly)
- Create as few input chokepoints as possible
  - All input must pass through a designated chokepoint
  - Chokepoints must be implemented carefully to perform thorough validation of input data

Slide 6: Trust Boundary and Chokepoints
[Diagram; labels: Service, DB, Trust boundary, Internet, Chokepoint, Implicit trust, Environment variables, Config data]

Slide 7: Ways of Checking Data Validity
- ‘Blacklisting’
  - Specify the various forms that invalid data can take; anything that matches is rejected
  - Bad idea: you might miss an invalid data pattern!
- ‘Whitelisting’
  - Allow only input that conforms to a ‘valid’ pattern
  - Reject everything else
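The chokepoint of slide 5 and the whitelist-versus-blacklist contrast of slide 7, as an added Python example that is not part of the lecture. The field names, patterns and the deliberately incomplete blacklist are assumptions made for this example; the sample inputs are constructed, one of them being the injected name string the lecture itself uses later.

```python
import re

# Per-field whitelist patterns describing what VALID data looks like.
# Field names and patterns are assumptions made for this example, not from the slides.
WHITELIST = {
    "employee_name": re.compile(r"[A-Za-z]{1,32}( [A-Za-z]{1,32}){0,3}"),
    "employee_id":   re.compile(r"[0-9]{1,8}"),
    "dept_code":     re.compile(r"[A-Z]{2,4}"),
}

# A blacklist of fragments someone happened to think of: deliberately incomplete,
# and case-sensitive, which is how such lists are often written in practice.
BLACKLIST = ("<script", "drop table", "--")


class ValidationError(ValueError):
    """Raised by the chokepoint when a value fails its whitelist."""


def blacklist_check(value):
    """Reject only inputs containing a known-bad fragment; everything else is let through."""
    return not any(bad in value for bad in BLACKLIST)


def whitelist_check(field, value):
    """Accept only inputs matching the whole field pattern.

    fullmatch (not search) is used so that a trailing newline or extra text
    after a valid prefix is rejected as well.
    """
    return WHITELIST[field].fullmatch(value) is not None


def validate(field, value):
    """The chokepoint: every external value passes through here before it is trusted."""
    if field not in WHITELIST:
        raise ValidationError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or not whitelist_check(field, value):
        raise ValidationError(f"{field}: value does not match the allowed pattern")
    return value


def accept_form(form):
    """Validate every field of a submitted form; returns a trusted copy or raises."""
    return {field: validate(field, value) for field, value in form.items()}


# Constructed sample inputs: two benign, three malicious.
SAMPLES = [
    ("employee_name", "Alan Smith"),
    ("employee_id", "12345"),
    ("employee_name", "Alan Smith' DROP TABLE budgets -- '"),
    ("employee_name", "<SCRIPT>alert(1)</SCRIPT>"),   # upper case slips past the blacklist
    ("employee_id", "12345; shutdown"),               # nothing on the blacklist matches
]

if __name__ == "__main__":
    for field, value in SAMPLES:
        bl = "pass" if blacklist_check(value) else "REJECT"
        wl = "pass" if whitelist_check(field, value) else "REJECT"
        print(f"{value!r:42} blacklist={bl:6} whitelist={wl}")
```

Running the block shows the blacklist letting two of the three malicious values through while the whitelist rejects all three; the whitelist is also stricter than some real names (it has no apostrophes or hyphens), which is the usual trade-off to decide per field rather than a reason to fall back to a blacklist.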

Slide 8: Examples of Validation Problems
- URI obfuscation in Mozilla
- Canonicalisation issues
  - Case sensitivity
  - “Dot-free IP address” bug
  - Homograph attacks
- Attacking databases via SQL injection
- Cross-site scripting (XSS)

Slide 9: URI Obfuscation in Mozilla
- A URI can be formatted with a null byte between the user part and the @ symbol
- The Mozilla status bar displays only the user part when the cursor hovers over the link
- See: (link not preserved)

Slide 10: Canonicalisation Issues
- Canonical = “in its simplest or standard form”
- Canonicalisation = the process of converting the various equivalent forms of a name into a single, standard name
- Applications often make wrong decisions based on a non-canonical representation of a name…

Slide 11: Example: Case Sensitivity
- The version of the Apache web server shipping with the first release of Mac OS X was case-sensitive
- The Hierarchical File System of Mac OS X is not
- An Apache configuration might deny access to the /private directory of a site…
- …but a request for the same directory spelled in different letter case would work!

Slide 12: Example: ‘Dot-free’ IP Addresses
- Bug in Internet Explorer, version 4
- Website domain names containing >= 1 dot were assumed to be in the Internet zone
- Website domain names with no dots were assumed to be in the more trusted Local Intranet zone
- Problem: an IP address can also be represented as a dot-free, 32-bit integer
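The dot-free address bug of slide 12 and the canonicalisation rule of slide 10, as an added Python example (not from the lecture). It contrasts the flawed “no dots means local” rule with a classifier that canonicalises the host name first; the zone names, the sample addresses and the use of the standard `ipaddress` module are this example's own choices.

```python
import ipaddress

INTERNET = "Internet"
INTRANET = "Local Intranet"


def naive_zone(host):
    """The flawed rule from the slide: a name without dots is 'local' and gets the trusted zone."""
    return INTRANET if "." not in host else INTERNET


def ipv4_to_int(dotted):
    """The equivalence the slide points out: a dotted quad is also one 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_ip_literal(host):
    """True if the (already canonical) host text is a dotted-quad IPv4 address."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ipaddress.AddressValueError:
        return False


def canonical_host(host):
    """Canonicalise before deciding anything about the name.

    Lower-cases the text, drops a trailing dot, and rewrites an integer-form
    IPv4 address (e.g. "3232235777") into its dotted quad ("192.168.1.1").
    """
    host = host.strip().lower().rstrip(".")
    if host.isdigit() and 0 <= int(host) <= 0xFFFFFFFF:
        return str(ipaddress.IPv4Address(int(host)))
    return host


def zone(host):
    """Zone decision taken on the canonical form only.

    An address literal is never treated as a single-label intranet name, so the
    dot-free integer spelling can no longer reach the more trusted zone.
    """
    host = canonical_host(host)
    if is_ip_literal(host):
        return INTERNET
    return INTRANET if "." not in host else INTERNET


if __name__ == "__main__":
    # Constructed sample: a private address in both spellings plus two ordinary names.
    for sample in ("192.168.1.1", "3232235777", "intranet", "www.example.com"):
        print(f"{sample:16} naive={naive_zone(sample):15} canonical={zone(sample)}")
```

The example generalises slightly beyond the slide: any host name is canonicalised (case, trailing dot, integer form) before the zone rule runs, which is the pattern to follow whatever the specific rule is.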

Slide 13: Example: Homographs
- Obvious: micr0s0ft.com != microsoft.com
- Subtle: MICR0S0FT.COM != MICROSOFT.COM
- Very subtle: miсrоsоft.com != microsoft.com (the look-alike letters are not all Latin)
- For further details, see Comm. ACM 45(2), page 128, or visit (link not preserved)
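A check for the “very subtle” case on slide 13, as an added Python example that is not part of the lecture: it derives the script of each letter from its Unicode character name and flags a host name whose label mixes scripts or uses a non-Latin one, and shows the ASCII (`xn--`) form the resolver actually sees. The sample host name is constructed with explicit escapes for two Cyrillic letters; the script-detection heuristic is this example's own.

```python
import unicodedata

# Constructed look-alike: Cyrillic 'es' (U+0441) and 'o' (U+043E) in place of Latin c and o.
LOOKALIKE = "mi\u0441r\u043es\u043eft.com"
GENUINE = "microsoft.com"


def script_of(ch):
    """Script name taken from the first word of the Unicode character name.

    'c' -> 'LATIN', '\u0441' -> 'CYRILLIC'. Good enough for a warning sign; a
    production check would use the Unicode Script property instead.
    """
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def label_scripts(label):
    """Set of scripts used by the letters of one DNS label (digits and '-' ignored)."""
    return {script_of(ch) for ch in label if ch.isalpha()}


def suspicious_labels(hostname):
    """Labels that mix scripts or use a non-Latin script: candidates for a homograph."""
    found = []
    for label in hostname.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1 or (scripts and scripts != {"LATIN"}):
            found.append(label)
    return found


def is_homograph_candidate(hostname):
    return bool(suspicious_labels(hostname))


def to_ascii(hostname):
    """The name on the wire: non-ASCII labels become 'xn--' punycode labels."""
    return hostname.encode("idna").decode("ascii")


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE, "micr0s0ft.com"):
        print(f"{host!r:22} scripts={label_scripts(host.split('.')[0])} "
              f"suspicious={is_homograph_candidate(host)} wire={to_ascii(host)}")
```

Showing users the `xn--` form, or refusing to render a label that mixes scripts, is the defensive side of this check; the “obvious” digit-for-letter case on the same slide is a different problem (plain confusables within one script) and is not caught by script detection.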

Slide 14: SQL Injection
- The contents of name come from a web form…
- …but no validation is done to ensure that name actually contains an employee's name!

    // name arrives straight from the form and is spliced, unvalidated, into the SQL text
    String query = "SELECT * FROM employees WHERE name='" + name + "'";
    ResultSet res = stmt.executeQuery(query);

Slide 15: Demo

Slide 16: SQL Injection
- A really bad guy might do this:

    SELECT * FROM employees WHERE name='Alan Smith' DROP TABLE budgets -- '

- A downright evil guy might do this (on Windows):

    SELECT * FROM employees WHERE name='Alan Smith' exec xp_cmdshell('fdisk.exe') -- '

Slide 17: Remedies for SQL Injection
- Never connect with administrator privileges
  - Doing so violates the principle of least privilege
  - An attacker can gain complete control of the machine
- Build SQL queries securely
  - Substitute values into prepared statements
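Both remedies of slide 17 applied to the query of slides 14 and 16, as an added example that is not part of the lecture. The slide's code is Java/JDBC; this example uses Python with the built-in `sqlite3` module so that it runs offline. The table contents are constructed, and the injected name is the string from the slide's first example; SQLite refuses a second statement in one `execute` call, so here the spliced `DROP TABLE` surfaces as a parse error rather than a dropped table, whereas the SQL Server example on the slide would run it.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample data for the two tables the slide mentions.
SCHEMA = """
CREATE TABLE employees(name TEXT, dept TEXT);
CREATE TABLE budgets(dept TEXT, amount INTEGER);
INSERT INTO employees VALUES ('Alan Smith', 'Sales'), ('Bea Jones', 'Ops');
INSERT INTO budgets VALUES ('Sales', 100), ('Ops', 200);
"""

# The form input from the slide's first injection example (a constructed string).
INJECTED_NAME = "Alan Smith' DROP TABLE budgets -- "


def open_db():
    """Fresh in-memory database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_unsafe_query(name):
    """The slide's Java statement, transliterated: the value is spliced into the SQL text."""
    return "SELECT * FROM employees WHERE name='" + name + "'"


def unsafe_lookup(conn, name):
    """Vulnerable: whatever the user typed is handed to the SQL parser as SQL."""
    return conn.execute(build_unsafe_query(name)).fetchall()


def safe_lookup(conn, name):
    """Remedy 2, prepared statement: the value travels as a parameter and never becomes SQL."""
    return conn.execute("SELECT * FROM employees WHERE name=?", (name,)).fetchall()


def table_exists(conn, table):
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", (table,)
    ).fetchone()
    return row[0] == 1


def open_least_privilege(path):
    """Remedy 1, least privilege: a read-only connection cannot alter or drop anything."""
    return sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)


def can_drop_table(conn, table):
    """True if this connection is permitted to drop the table (it should not be).

    Identifiers cannot be bound as parameters, so `table` must come from code,
    never from user input; here it is a literal supplied by the caller.
    """
    try:
        conn.execute(f"DROP TABLE {table}")
        return True
    except sqlite3.OperationalError:
        return False


def demo_least_privilege():
    """Populate a temp-file database, reopen it read-only, and report (dropped, still_there)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        rw = sqlite3.connect(path)
        rw.executescript(SCHEMA)
        rw.close()
        ro = open_least_privilege(path)
        dropped = can_drop_table(ro, "budgets")
        still_there = table_exists(ro, "budgets")
        ro.close()
        return dropped, still_there
    finally:
        os.remove(path)


if __name__ == "__main__":
    conn = open_db()
    print("spliced SQL :", build_unsafe_query(INJECTED_NAME))
    try:
        unsafe_lookup(conn, INJECTED_NAME)
    except sqlite3.Error as exc:
        print("unsafe path :", type(exc).__name__, "-", exc)
    print("safe path   :", safe_lookup(conn, INJECTED_NAME))  # [] : treated as a literal name
    print("budgets ok  :", table_exists(conn, "budgets"))
    print("read-only   : dropped=%s, still_there=%s" % demo_least_privilege())
```

The parameterised lookup returns no rows for the injected string because no employee is literally named that, and the read-only connection turns the DROP into a permission error; neither defence depends on the engine's statement-separator rules, which is the point of not relying on SQLite's refusal of stacked statements.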

Slide 18: Cross-Site Scripting (XSS)
- Can be viewed as an output validation problem
- The web server is tricked into presenting malicious content, typically JavaScript, to the browser
- Examples of XSS attacks:
  - Session hijacking
  - Modification of web page contents
  - Theft of passwords

Slide 19: What Happens When You Click?
[HTML snippet; the surrounding tags did not survive extraction. Surviving script and text:]

    idForm.cookie.value=document.cookie;
    idForm.submit();

    Click here to win £10,000!

Callouts: “Cookie for this domain…” / “…is sent here!”
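The output-encoding remedy for slides 18 and 19, as an added Python example that is not part of the lecture. It renders the slide's cookie-stealing script through an unescaped template and through `html.escape`, shows why quotes must also be escaped in attribute context, and marks the session cookie `HttpOnly` so that `document.cookie` (the call on the slide) cannot read it. The templates, the `<script>` wrapper assumed around the slide's two lines, and the cookie value are this example's own.

```python
import html
from http.cookies import SimpleCookie

# The slide shows only the two statements; the <script> wrapper is assumed here.
INJECTED = "<script>idForm.cookie.value=document.cookie; idForm.submit();</script>"

GREETING_TEMPLATE = "<p>Hello, {name}!</p>"
LINK_TEMPLATE = '<a title="{title}" href="/profile">Click here to win £10,000!</a>'


def render_unsafe(name):
    """Untrusted text copied straight into the page: any markup it carries is live."""
    return GREETING_TEMPLATE.format(name=name)


def render_safe(name):
    """Text context: & < > " ' become entities, so the browser shows characters, not markup."""
    return GREETING_TEMPLATE.format(name=html.escape(name, quote=True))


def render_attribute_safe(title):
    """Attribute context: quote=True matters, otherwise a '"' in the value ends the attribute."""
    return LINK_TEMPLATE.format(title=html.escape(title, quote=True))


def contains_script(page):
    """Crude marker check, used only to compare the two renderings in this example."""
    return "<script" in page.lower()


def session_cookie(value):
    """Set-Cookie value for the session id with HttpOnly, Secure and SameSite set.

    HttpOnly removes the cookie from document.cookie, which is exactly what the
    slide's script reads; the page can still be defaced, but the session is not sent.
    """
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["samesite"] = "Lax"
    return jar["session"].OutputString()


if __name__ == "__main__":
    print("unsafe   :", render_unsafe(INJECTED))
    print("escaped  :", render_safe(INJECTED))
    print("attribute:", render_attribute_safe('Say "hello"'))
    print("cookie   :", session_cookie("abc123"))   # constructed session id
```

Escaping is chosen per output context (text, attribute, URL, script), which is why the slide calls XSS an output validation problem: the same string needs different treatment depending on where it lands in the page.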

Slide 20: Summary
- Remember the fundamental rules:
  - All input is evil…
  - …therefore all input data must be validated before passing within the trust boundary
- Match to the valid pattern, rejecting anything that isn't a perfect match
- Be aware of canonicalisation issues
- Watch out for code injection (SQL, XSS, etc.)