CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

Slides:



Advertisements
Similar presentations
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Advertisements

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained
Multiple Tiers in Action
Definitions, Definitions, Definitions Lead to Understanding.
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Secure Software Engineering James Walden Northern Kentucky University.
Hypertext Transport Protocol CS Dick Steflik.
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
CSC 2720 Building Web Applications Cookies, URL-Rewriting, Hidden Fields and Session Management.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
FTP (File Transfer Protocol) & Telnet
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
March 4, 2008 ISACA Web Application Security James Walden Northern Kentucky University
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
© Janice Regan, CMPT 128, Jan 2007 CMPT 371 Data Communications and Networking HTTP 0.
JavaScript, Fourth Edition
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
USING PERL FOR CGI PROGRAMMING
Chapter 8 Cookies And Security JavaScript, Third Edition.
School of Computing and Information Systems CS 371 Web Application Programming PHP – Forms, Cookies, Sessions and Database.
Website Development with PHP and MySQL Saving Data.
1 Welcome to CSC 301 Web Programming Charles Frank.
1 © Netskills Quality Internet Training, University of Newcastle HTML Forms © Netskills, Quality Internet Training, University of Newcastle Netskills is.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
CSC 382/582: Computer SecuritySlide #1 CSC 382/582: Computer Security Web Security.
Injection CSC 482/582: Computer SecuritySlide #1.
HTTP1 Hypertext Transfer Protocol (HTTP) After this lecture, you should be able to:  Know how Web Browsers and Web Servers communicate via HTTP Protocol.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
June 14, 2007 Web Application Security Workshop James Walden.
WWW: an Internet application Bill Chu. © Bei-Tseng Chu Aug 2000 WWW Web and HTTP WWW web is an interconnected information servers each server maintains.
Appendix E: Overview of HTTP ©SoftMoore ConsultingSlide 1.
IS-907 Java EE World Wide Web - Overview. World Wide Web - History Tim Berners-Lee, CERN, 1990 Enable researchers to share information: Remote Access.
CITA 310 Section 2 HTTP (Selected Topics from Textbook Chapter 6)
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
CIT 383: Administrative ScriptingSlide #1 CIT 383: Administrative Scripting HTTP.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
Summer 2007 Florida Atlantic University Department of Computer Science & Engineering COP 4814 – Web Services Dr. Roy Levow Part 1 – Introducing Ajax.
5 th ed: Chapter 17 4 th ed: Chapter 21
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
Overview of Servlets and JSP
CIT 383: Administrative Scripting
COMP2322 Lab 2 HTTP Steven Lee Jan. 29, HTTP Hypertext Transfer Protocol Web’s application layer protocol Client/server model – Client (browser):
The OWASP Foundation OWASP Education Computer based training The Basics Nishi Kumar IT Architect Specialist, FIS Chair, Software Security.
Unit-6 Handling Sessions and Cookies. Concept of Session Session values are store in server side not in user’s machine. A session is available as long.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
SQL INJECTION Lecturer: A.Prof.Dr. DANG TRAN KHANH Student :Le Nguyen Truong Giang.
© Janice Regan, CMPT 128, Jan 2007 CMPT 371 Data Communications and Networking HTTP 0.
CSC 482/582: Computer Security
World Wide Web policy.
SQL Injection.
COMP2322 Lab 2 HTTP Steven Lee Feb. 8, 2017.
19.10 Using Cookies A cookie is a piece of information that’s stored by a server in a text file on a client’s computer to maintain information about.
Chapter 19 PHP Part III Credits: Parts of the slides are based on slides created by textbook authors, P.J. Deitel and H. M. Deitel by Prentice Hall ©
Hypertext Transport Protocol
Chapter 13 Security Methods Part 3.
The HTTP Protocol COSC 2206 Internet Tools The HTTP Protocol
Presentation transcript:

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security

CIT 380: Securing Computer SystemsSlide #2 Topics 1.HTTP 2.Web Input 3.Web Application Vulnerabilities 4.Client-side Attacks 5.Finding Web Vulnerabilities

CIT 380: Securing Computer SystemsSlide #3 Web Transactions Web Browser OS Web Server Network HTTP Request HTTP Response

CIT 380: Securing Computer SystemsSlide #4 HTTP: HyperText Transfer Protocol Simple request/respond protocol –Request methods: GET, POST, HEAD, etc. –Protocol versions: 1.0, 1.1 Stateless –Each request independent of previous requests, i.e. request #2 doesn’t know you auth’d in #1. –Applications responsible for handling state.

CIT 380: Securing Computer SystemsSlide #5 HTTP Request GET HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/ Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 MethodURL Protocol Version Headers Blank Line No Data for GET method

CIT 380: Securing Computer SystemsSlide #6 HTTP Response HTTP/ OK Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct :16:30 GMT... (page data)... Protocol VersionHTTP Response Code Headers Blank Line Web Page Data

CIT 380: Securing Computer SystemsSlide #7 Different Perspectives Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted.

CIT 380: Securing Computer SystemsSlide #8 Web-based Input Client and Server Perspectives Types of Input –URL parameters –HTML –Cookies –Javascript Cross-Site Scripting

CIT 380: Securing Computer SystemsSlide #9 URL Format : / ? –Whitespace marks end of URL separates userinfo from host –“?” marks beginning of query string –“&” separates query parameters –%HH represents character with hex values –ex: %20 represents a space

CIT 380: Securing Computer SystemsSlide #10 URL Parameters Client controls query-string –Cannot limit values to those specified in form Any character can be URL-encoded –Even if it doesn’t need to be. Any valid format may be used to disguise true destination of URL

CIT 380: Securing Computer SystemsSlide #11 URL Obfuscation IP address representations –Dotted quad (decimal, octal, hexadecimal) –Hexadecimal without dots (with left padding) –dword (32-bit int) Examples: – (dotted quad) –0xDEDA83B7130E (hexadecimal + padding) – (dword)

CIT 380: Securing Computer SystemsSlide #12 HTML Special Characters “<“ begins a tag “>” ends a tag –some browsers will auto-insert matching “<“ “&” begins a character entity –ex: < represents literal “<“ character Quotes(‘ and “) used to enclose attribute values

CIT 380: Securing Computer SystemsSlide #13 Character Set Encoding Default: ISO (Latin-1) Char sets dictate which chars are special UTF-8 allows multiple representations Force Latin-1 encoding of web page with: –

CIT 380: Securing Computer SystemsSlide #14 Hidden Fields Used to propagate data between HTTP requests since protocol is stateless Clearly visible in HTML source Form can be copied, modified to change hidden fields, then used to invoke script

CIT 380: Securing Computer SystemsSlide #15 Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar

CIT 380: Securing Computer SystemsSlide #16 Web Input Summary Client Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Server Side Cookies aren’t confidential. Hidden fields aren’t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format.

CIT 380: Securing Computer SystemsSlide #17 Web Application Vulnerabilities Input-based Security Problems –Injection Flaws –Insecure Remote File Inclusion –Unvalidated Input Authentication and Authorization –Authentication –Access Control –Cross-Site Scripting Other Bugs –Error Handling and Information Leakage –Insecure Storage –Insecure Communications

CIT 380: Securing Computer SystemsSlide #18 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters –Interpret strings as commands. –Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea –Input data from the application is executed as code by the interpreter.

CIT 380: Securing Computer SystemsSlide #19 SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

CIT 380: Securing Computer SystemsSlide #20 SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query);

CIT 380: Securing Computer SystemsSlide #21 SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

CIT 380: Securing Computer SystemsSlide #22 SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% Database executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’

CIT 380: Securing Computer SystemsSlide #23 Impact of SQL Injection SELECT SSN FROM USERS WHERE UID=‘$UID’ INPUTRESULT 5Returns info for user with UID 5. ‘ OR 1=1--Returns info for all users. ‘ UNION SELECT Field FROM Table WHERE 1=1-- Returns all rows from another table. ‘;DROP TABLE USERS-- Deletes the users table. ‘;master.dbo.xp_cmd shell ‘cmd.exe format c: /q /yes’ -- Formats C: drive of database server if you’re running MS SQL Server and extended procedures aren’t disabled.

CIT 380: Securing Computer SystemsSlide #24 Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.