A Data-Centric Web Application Security Framework Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans University of Virginia.

Presentation transcript:

1 GuardRails: A Data-Centric Web Application Security Framework. Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans, University of Virginia.

2 Web applications are easier to create than ever!

3 Securing web applications is not nearly as easy!

7 (Cross-site scripting demonstration; the payload text visible on the slide reads: "> alert(document.cookie);)

11 (Diagram) Pages A, B, C and D of the application perform Write, Append, Read and Delete operations directly on a Data Object.

12–13 (Diagram) The same Data Object also flows into the Output HTML the pages produce.

14 (Diagram) A proxy that enforces security policies sits between the pages and the Data Object and mediates every Write, Append, Read and Delete.

15 (Diagram) The proxy mediates both the data operations and the Data Object's flow into the Output HTML.

16 Our Philosophy: security policies should be attached to the data, and security policies should be enforced automatically.

17 (Diagram) Annotated Ruby on Rails code goes into GuardRails, which produces secure Ruby on Rails code. GuardRails provides Access Control Policies and Fine-Grained Taint Tracking; it aims to prevent bugs and security vulnerabilities, improve readability, and be easy to use.

18 Design Goals. Top priority: automatically enforce security policies. Other objectives: preserve application functionality; easy for developers to use. Lesser goal: minimize performance cost.

19–20 (Same diagram as slide 17.)


22–23 Redmine, project.rb (one of the scattered access checks; this version builds the SQL condition from the project ids alone):

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')})"]

24 The same code with the visibility check appended to the condition:

    if include_subprojects && !active_children.empty?
      ids = [id] + active_children.collect {|c| c.id}
      conditions = ["#{Project.table_name}.id IN (#{ids.join(',')}) AND #{Project.visible_by}"]

25 Access checks scattered across the Redmine code base: application_helper.rb (4 checks), project.rb (2 checks), projects_controller.rb (3 checks), acts_as_searchable.rb (1 check). With GuardRails, one annotation in the Project model file replaces them:

    :read, :self, lambda{|user| self.is_public or user.memberships.include? self.id}
    class Project < ActiveRecord::Base
      # Project statuses
      STATUS_ACTIVE = 1…

26 Access Control Policy Annotations: (policy_type, [target], [handler], mediator)

    :delete, :self, :admin
    :write, :password, lambda{|user| user.id == self.id }
    :append, :members, lambda{|user| user.belongs_to?(self)}
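To make the annotation shape on slides 25 and 26 concrete, here is an added example (not GuardRails' own code, and not Redmine's): a Rails-free Ruby sketch in which policies are declared on the model as (policy_type, target, mediator) triples and a proxy between the pages and the data object evaluates them on every read, append and delete. The User and Project classes, the field names and the default-deny rule are assumptions made for this example.

```ruby
# Added example, not GuardRails' own code: a Rails-free sketch of the
# data-centric access control described on the slides. Policies are declared
# on the model as (policy_type, target, mediator) triples; a proxy between the
# pages and the data object evaluates them on every read, append and delete.
# User, Project and the field names below are constructed for this example.

class AccessDenied < StandardError; end

User = Struct.new(:id, :admin, :memberships)  # constructed: id, admin flag, project ids

# Gives a model a policy table and a `policy` declaration shaped like the
# slides' annotations. A mediator is the symbol :admin or a lambda taking the
# user; it runs with self bound to the data object, so it can use self.is_public.
module Guarded
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    def policies
      @policies ||= []
    end
    def policy(type, target, mediator)
      policies << [type, target, mediator]
    end
  end

  # Default deny (this example's choice): no matching policy means refusal,
  # and every matching policy must agree.
  def permitted?(user, type, target)
    matching = self.class.policies.select { |t, tgt, _| t == type && tgt == target }
    return false if matching.empty?
    matching.all? do |_, _, mediator|
      mediator == :admin ? user.admin : instance_exec(user, &mediator)
    end
  end
end

# Constructed model in the spirit of Redmine's Project.
class Project
  include Guarded
  attr_accessor :id, :is_public, :members

  def initialize(id, is_public, members = [])
    @id, @is_public, @members = id, is_public, members
  end

  # The policies live with the data, not with the pages that use it.
  policy :read,   :self,    lambda { |user| self.is_public or user.memberships.include? self.id }
  policy :delete, :self,    :admin
  policy :append, :members, lambda { |user| self.members.include? user.id }
end

# Proxy that enforces the policies for one user on every access.
class GuardedProxy
  def initialize(object, user)
    @object, @user = object, user
  end
  def read(field)
    check(:read, :self)
    @object.public_send(field)
  end
  def append(field, value)
    check(:append, field)
    @object.public_send(field) << value
  end
  def delete
    check(:delete, :self)
    :deleted
  end

  private
  def check(type, target)
    return if @object.permitted?(@user, type, target)
    raise AccessDenied, "#{type} on #{target} denied for user #{@user.id}"
  end
end

# Runs a block and reports :denied instead of raising when the proxy refuses.
def attempt
  yield
rescue AccessDenied
  :denied
end

# Constructed scenario: a private project whose only member is user 1.
def access_demo
  project  = Project.new(7, false, [1])
  member   = User.new(1, false, [7])
  outsider = User.new(9, false, [])
  admin    = User.new(3, true, [])
  {
    member_reads:     attempt { GuardedProxy.new(project, member).read(:id) },
    outsider_reads:   attempt { GuardedProxy.new(project, outsider).read(:id) },
    member_deletes:   attempt { GuardedProxy.new(project, member).delete },
    admin_deletes:    attempt { GuardedProxy.new(project, admin).delete },
    member_appends:   attempt { GuardedProxy.new(project, member).append(:members, 2) },
    outsider_appends: attempt { GuardedProxy.new(project, outsider).append(:members, 9) },
  }
end
```

Calling `access_demo` exercises each policy once: the member reads the private project and appends to its member list, the outsider is refused both, and only the admin may delete. The point of the structure is the one the slides make: the page code (here, the callers of GuardedProxy) never repeats the check, because the check travels with the data.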

27 (Diagram) Annotated Ruby on Rails code goes into GuardRails, which produces secure Ruby on Rails code; GuardRails provides Access Control Policies and Fine-Grained Taint Tracking.

28 Dynamic Taint Tracking protects against injection attacks.

SQL Injection:
    "SELECT profile FROM users WHERE username='" + user_name + "'"
    Good: user_name = "jazzFan26"
    Bad:  user_name = "'; DROP TABLE users--"

Cross-Site Scripting:
    "User: " + user_name + " "
    Good: user_name = "DrKevinPhillips"
    Bad:  user_name = " alert('document.cookie'); "


30–31 (Diagrams repeated from slides 11 and 12: pages A–D perform Write, Append, Read and Delete on the Data Object, and the Data Object flows into the Output HTML.)

32 Taint Propagation (diagram): URL parameters, form data and other user input arrive at the Controller tainted; the taint status travels with the data through the Model and the Database; in the View, tainted HTML passes through sanitization and becomes safe HTML.

33 Expressive Taint Status: for the string value "SoccerFan1985", taint is recorded per character index, so different chunks of one string can carry different taint.

34 Transformers: use a context-appropriate sanitization routine. The default transformer:

    {:HTML => { "//script" => NoDisplay, :default => NoHTMLAllowed },
     :SQL => SQLSanitize,
     :Ruby_eval => NoDisplay}

35 Transformers (diagram): each raw string chunk carries its own transformer; given the use context, every chunk is sanitized by its transformer, and the sanitized chunks are joined into the sanitized string.

36 Transformer Annotations: taint, target, transformer. Different sanitization policies apply in different contexts, and the context is specified with XPath:

    :taint, :username, {:HTML => AlphaNumericOnly}
    :taint, :full_name, {:HTML => {TitleTag => LettersAndSpacesOnly, :default => NoHTML}}
    :taint, :profile, {:HTML => {"//script" => Invisible, :default => BoldItalicUnderlineOnly}}
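Slides 28 and 33 through 36 describe taint that is tracked per chunk of a string and sanitized by a context-specific transformer at the point of use. The following is an added example written for this transcript, not GuardRails' own implementation: a small Ruby model in which a TaintedString is a list of chunks, each carrying raw text plus the transformer table that applies when the chunk reaches a use context. The transformer names and their routines (NoHTMLAllowed, AlphaNumericOnly, SQLSanitize) are constructed stand-ins, and the XPath-scoped sub-policies of slide 36 are not modelled.

```ruby
# Added example, not GuardRails' own code: a small model of the per-chunk
# taint status and context-specific transformers on the slides. A
# TaintedString is a list of chunks, each carrying its raw text and the
# transformer table that applies when the chunk reaches a use context
# (:HTML or :SQL here); sanitization happens at the point of use.
# The transformer names and routines below are constructed stand-ins.

require 'cgi'

# Transformers are lambdas from raw chunk text to sanitized text.
NoHTMLAllowed    = ->(s) { CGI.escapeHTML(s) }            # escape all markup
AlphaNumericOnly = ->(s) { s.gsub(/[^A-Za-z0-9]/, '') }   # keep letters and digits only
SQLSanitize      = ->(s) { s.gsub("'", "''") }            # stand-in: double quotes inside a SQL literal
                                                          # (bind parameters are the better choice in real code)

# Applied to user input whose annotation does not name a transformer.
DEFAULT_TRANSFORMER = { HTML: NoHTMLAllowed, SQL: SQLSanitize }.freeze

class TaintedString
  Chunk = Struct.new(:text, :transformer)   # transformer nil means untainted

  attr_reader :chunks

  def initialize(chunks = [])
    @chunks = chunks
  end

  # Text the application itself wrote (templates, string literals).
  def self.trusted(text)
    new([Chunk.new(text, nil)])
  end

  # Text from user input, tainted and carrying its transformer table.
  def self.tainted(text, transformer = DEFAULT_TRANSFORMER)
    new([Chunk.new(text, transformer)])
  end

  # Concatenation keeps each chunk's own taint status, which is what lets the
  # taint be tracked per character index rather than per string.
  def +(other)
    TaintedString.new(@chunks + other.chunks)
  end

  # Character ranges of the string with their taint status.
  def taint_map
    pos = 0
    @chunks.map do |c|
      range = (pos...(pos + c.text.length))
      pos += c.text.length
      [range, c.transformer ? :tainted : :clean]
    end
  end

  # Sanitize for a use context: tainted chunks go through the transformer
  # registered for that context, untainted chunks pass through unchanged.
  def sanitize_for(context)
    @chunks.map do |c|
      next c.text unless c.transformer
      c.transformer.fetch(context) { raise "no transformer for #{context}" }.call(c.text)
    end.join
  end
end

# The two statements from slide 28 built from a constructed user_name and
# sanitized for their respective use contexts.
def taint_demo(user_name)
  name = TaintedString.tainted(user_name)
  sql  = TaintedString.trusted("SELECT profile FROM users WHERE username='") +
         name + TaintedString.trusted("'")
  html = TaintedString.trusted("User: ") + name
  { sql: sql.sanitize_for(:SQL), html: html.sanitize_for(:HTML), taint: html.taint_map }
end

# A field annotated like {:HTML => AlphaNumericOnly} overrides the default.
def taint_demo_annotated(user_name)
  name = TaintedString.tainted(user_name, DEFAULT_TRANSFORMER.merge(HTML: AlphaNumericOnly))
  (TaintedString.trusted("User: ") + name).sanitize_for(:HTML)
end
```

With the "good" names from slide 28 both statements come out unchanged; with the "bad" SQL name the quote is neutralised inside the literal, and with a script tag in the HTML name the markup is escaped, while the application's own prefix text ("User: ", the SELECT fragment) is never touched because it was never tainted. `taint_map` shows the per-character bookkeeping of slide 33: the trusted prefix and the tainted name are separate ranges of the same string.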


40 Test Applications, by application type and size:
    Image Gallery (680 lines)
    E-Commerce (5556 lines)
    Project Management (30747 lines)
    E-Commerce (11561 lines)

41 Performance Notes

42 Try GuardRails. Alpha release now available. Our web page: [not in transcript]. Full source code can be downloaded from GitHub. Contact info: [not in transcript].

43 Questions? Alpha release now available; full source code can be downloaded from GitHub.