1 CSE 403 Web Security Testing Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5 These lecture slides are copyright (C) Marty Stepp, 2007.

Slides:



Advertisements
Similar presentations
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Advertisements

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
System and Network Security Practices COEN 351 E-Commerce Security.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Server-Side vs. Client-Side Scripting Languages
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web server security Dr Jim Briggs WEBP security1.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
COEN 252: Computer Forensics Router Investigation.
CSE 403 Lecture 20 Security Testing for Mobile and Web Apps Reading: Android Apps Security, Ch. 2-3 (Gunasekara) How to Break Web Software, Ch. 2-5 (Andrews/Whittaker)
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš by Martin Kruliš (v1.0)1.
Introduction to Application Penetration Testing
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Prevent Cross-Site Scripting (XSS) attack
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Lecture 10 Intrusion Detection modified from slides of Lawrie Brown.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Penetration Testing James Walden Northern Kentucky University.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
©2008 Gotham Digital Science Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn.
Software Security Testing Vinay Srinivasan cell:
Introduction to ITE Chapter 9 Computer Security. Why Study Security?  This is a huge area for computer technicians.  Security isn’t just anti-virus.
Security+ Guide to Network Security Fundamentals, Fourth Edition
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
All Input is Evil (Part 1) Introduction Will not cover everything Healthy level of paranoia Use my DVD Swap Shop application (week 2)
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
SQL INJECTIONS Presented By: Eloy Viteri. What is SQL Injection An SQL injection attack is executed when a web page allows users to enter text into a.
CIS 450 – Network Security Chapter 4 - Spoofing. Definition - To fool. In networking, the term is used to describe a variety of ways in which hardware.
Web Applications Testing By Jamie Rougvie Supported by.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Database Security Cmpe 226 Fall 2015 By Akanksha Jain Jerry Mengyuan Zheng.
OWASP Building Secure Web Applications And the OWASP top 10 vulnerabilities.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
MIS Week 5 Site:
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Unit 2 Personal Cyber Security and Social Engineering Part 2.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
CSE 154 Lecture 25: web security.
Chapter 7: Identifying Advanced Attacks
SQL Injection.
Security.
CSE 154 Lecture 26: web security.
Lecture 2 - SQL Injection
Security.
Lecture 26: Regular Expressions and Security
Lecture 27 Security I April 4, 2018 Open news web sites.
Designing IIS Security (IIS – Internet Information Service)
6. Application Software Security
CSc 337 Lecture 24: Security.
Presentation transcript:

1 CSE 403 Web Security Testing Reading: Andrews/Whitaker, How to Break Web Software, Ch. 2-5 These lecture slides are copyright (C) Marty Stepp, They may not be rehosted, sold, or modified without expressed permission from the author. All rights reserved.

2 Big questions How much do I have to worry about security in my web application? What kinds of common attacks can be performed? What common bugs in my code lead to these flaws? What tools do attackers use? How can I prevent security problems in my code and (hopefully) ensure overall system security?

3 Denial-of-Service (DoS) Denial of Service (DoS) attack: Attacker causes web server to be unavailable. How attack is performed: Attacker frequently requests many pages from your web site. distributed DoS (DDoS): DoS using lots of computers Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow). Problems that this attack can cause: Users cannot get to your site. Online store's server crashes -> store loses potential revenue. Server may crash and lose or corrupt important data. All the bandwidth used by the DoSers may cost you $$$.

4 Packet sniffing packet sniffing: Listening to traffic sent on a network. Many internet protocols (http, aim, ) are unsecure. If an attacker is on the same local network (LAN) as you, he may be able to listen to information your computer is sending. read your /IMs as you send them see what web sites you are viewing grab your password as it's being sent to the server solutions: Use secure protocols (https) Encryption Don't let creeps on your LAN

5 Password cracking password cracking: Guessing the passwords of privileged users of your system. How attack is performed: brute force attack: Attacker uses software that sequentially tries every possible password. dictionary attack: Attacker uses software that sequentially tries passwords based on words in a dictionary.software every word in the dictionary combinations of words, numbers, etc. What you can do about it: Force users to have secure passwords. Block an IP address from logging in after N failed attempts.

6 Phishing / social engineering phishing: Masqueraded mails or web sites. social engineering: Attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers. Problems: If trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.

7 Man-in-the-middle man-in-the-middle attack: Attacker sits between two communication endpoints and silently intercepts traffic between them. tricks user to go to attacker's site instead of real site intercepts sensitive information and/or modifies data before sending it from one endpoint to the other

8 Privilege escalation privilege escalation: Attacker becomes able to run code on your server as a privileged user. Example: Perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query. Once you're running as root, you're God. You own the server. You can do anything you want...

9 Cross-site scripting (XSS) cross-site scripting: Causing one person's script code to be executed when a user browses to another site. Example: Visit google.com, but evil.com's JavaScript runs. How attack is performed: Attacker finds unsecure code on target site. Attacker uses hole to inject JavaScript into the page. User visits page, sees malicious script code.

10 SQL Injection SQL injection: An attacker causing undesired SQL queries to be run on a server's database. Often caused when untrusted input is pasted into a SQL query Example: Example query="SELECT * FROM Users WHERE name=' + name + "';"; specify a user name of "haha' OR 'a'='a" SELECT * FROM Users WHERE name='haha' OR 'a'='a'; Attacker can see, delete, modify your sensitive personal data!

11 Thinking like an attacker: Finding vulnerabilities

12 Panning for gold Looking through a target application for exploits: View Source, and look for: HTML comments script code other sensitive information in code: IP addresses, addresses, SQL queries, hidden fields,... watch HTTP requests/responses look for hidden pages, files, parameters to target error messages sent back to your browser by the app 200: OK 400: Invalid request 403: Forbidden 404: File not found 500: Internal server error

13 Input forms Forms let users pass parameters to the web server. Parameters are passed using GET or POST requests. GET: parameters are contained in the request URL. POST: parameters are contained in the HTTP packet header. harder for the user to see, but no more secure than GET Forms provide a rich ground for us to attack...

14 Form validation validation: Examining form parameters to make sure they are acceptable before they are submitted. nonempty, alphabetical, numeric, length,... client-side: HTML/JS checks values before request is sent. server-side: JSP/Ruby/PHP/etc. checks values received. Some validation is performed by restricting the choices available to the user. select boxes input text boxes with maxlength attribute key event listeners that erase certain key presses

15 User input attacks Bypassing client-side input restrictions and validation maxlength limits on input text fields choices not listed in a select boxes hidden input fields modifying or disabling client-side JavaScript validation code

16 Guessing files/directories Many sites have reachable files and resources that are hidden from attackers only by obscurity Try common file/folder/commands to see what happens /etc/passwd, /etc/shadow cat, ls, grep guess file names based on others page11.php --> page12.php loginfailure.jsp --> loginsuccess.jsp accounts/myaccount.html --> accounts/youraccount.html brute force / web spiders port scanners

17 Other attacks Attacking GET parameters Attacking hidden input fields Attacking cookies Injecting malicious script code (XSS) Injecting malicious SQL queries (SQL injection)

18 Designing for Security

19 Methods of security Security through obscurity: Relying on the fact that attackers don't know something needed to harm you. Example: "If an attacker pointed their browser to they'd get our passwords. But nobody knows that file is there, so we are safe." Example: "Our authentication database goes down for 2 minutes every night at 4am. During that time any user can log in without restrictions. But no one knows this, and the odds of a login at that time are miniscule."

20 Secure authentication Force users to log in to your system before performing sensitive operations Use secure protocols (https, etc.) to prevent sniffing Force users to use strong passwords not "password", "abc", same as user name, etc.

21 Principle of least privilege principle of least privilege: Having just enough authority to get the job done (and no more!). Examples: A web server should only be given access to the set of HTML files that the web server is supposed to serve. Code should not "run as root" or as a highly privileged user unless absolutely necessary. Turn off unnecessary services on your web server disable SSH, VNC, sendmail, etc. close all ports except 80, others needed for web traffic

22 Sanitizing inputs sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system. Ensure that accepted data is the right type, format, length... Disallow entry of bad data into an HTML form. Remove any SQL code from submitted user names. HTML-encode any input text that is to be displayed back to the user as HTML or JavaScript.

23 Verifying that code is secure Before code is written: considering security in the design process As code is being written: code reviews pair programming After code has been written: walkthroughs security audits

24 Security audits security audit: Series of checks and questions to assess the security of your system can be done by an internal or external auditor best if done as a process, not an individual event penetration test: Targeted white-hat attempt to compromise your system's security not unlike our attempts to break CSE 144's turnin page risk analysis: Assessment of relative risks of what can go wrong when security is compromised

25 Security audit questions Does your system require secure authentication with passwords? Are passwords difficult to crack? Are there access control lists (ACLs) in place on network devices? Are there audit logs to record who accesses data? Are the audit logs reviewed? Are your OS security settings up to accepted industry levels? Have all unnecessary applications and services been eliminated? Are all operating systems and applications patched to current levels? How is backup media stored? Who has access to it? Is it up-to-date? Is there a disaster recovery plan? Has it ever been rehearsed? Are there good cryptographic tools in place to govern data encryption? Have custom-built applications been written with security in mind? How have these custom applications been tested for security flaws? How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.