Foundations of Network and Computer Security, John Black, CSCI 6268/TLEN 5550, Spring 2013.


Session-Based Attacks
HTTP is connectionless
– But many/most apps want to maintain state
– Using IP addresses is an imperfect solution. Why?
– Cookies were invented to solve exactly this problem

Using Cookies for Session Management
The server wants to maintain information about the current client
– Encode state into an alphanumeric string
– Send it to the browser in a Set-Cookie header
– Optionally set expires, domain, path, secure, httponly values as well
– Now each time the browser wishes to connect to a given domain and path, it checks its cookie store and transmits all matching cookies

Using Cookies for Session Management
They are essentially a temporary password
– Difficult to guess, not short enough to brute-force, unique
– These properties are often violated by using insufficient randomness, being too short, using counters, etc.
Many apps that lock out password attempts fail to guard against brute-force attacks on session IDs
– So short session IDs are very vulnerable
– Demo stateful.php on moxie

Bad Random Number Generators
Netscape Session Keys – 1996
  RNG_CreateContext()
    /* time since Jan 1, 1970 */
    (seconds, microseconds) = time of day;
    pid = process ID; ppid = parent process ID;
    a = mklcpr(microseconds);
    b = mklcpr(pid + seconds + (ppid << 12));
    seed = MD5(a, b);
  mklcpr(x) /* not cryptographically significant */
    return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);
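The seeding scheme on this slide re-implemented in Python, as an added example that is not part of the slides: it shows that the seed is MD5 of two 31-bit words, so at most 2^62 seeds exist whatever MD5's output size, and that the actual inputs (time of day, pid, ppid) carry far fewer bits than a 128-bit key. The little-endian packing of (a, b) into the MD5 input is an assumption; the slide does not say how the two words were serialized.

```python
"""Added example (not from the slides): Netscape's 1996 seed derivation,
reproduced to measure its seed space. Packing of (a, b) is an assumption."""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF


def mklcpr(x: int) -> int:
    """The slide's 'not cryptographically significant' mixing step, in 32-bit
    unsigned arithmetic; the >> 1 leaves a 31-bit result."""
    return ((0xDEECE66D * x + 0x2BBB62DC) & MASK32) >> 1


def netscape_seed(seconds: int, microseconds: int, pid: int, ppid: int) -> bytes:
    """The 16-byte seed exactly as RNG_CreateContext() on the slide computes it."""
    a = mklcpr(microseconds)
    b = mklcpr((pid + seconds + (ppid << 12)) & MASK32)
    return hashlib.md5(struct.pack("<II", a, b)).digest()  # packing: assumption


def seed_space_bits(seconds_window: int, pid_range: int = 1 << 15,
                    ppid_range: int = 1 << 15) -> float:
    """Upper bound, in bits, on the number of distinct seeds when the time of
    day is known to within seconds_window seconds and the pids come from
    pid_range/ppid_range. Capped at 62 bits: a and b are 31 bits each."""
    combos = seconds_window * 1_000_000 * pid_range * ppid_range
    return min(math.log2(combos), 62.0)


def collides(s1, s2) -> bool:
    """Inputs that sum to the same pid + seconds + (ppid << 12) give the same
    seed: the mixing throws away which component contributed what."""
    return netscape_seed(*s1) == netscape_seed(*s2)


if __name__ == "__main__":
    print("seed space if the second is known: %.1f bits" % seed_space_bits(1))
    print("seed space with a one-minute window: %.1f bits" % seed_space_bits(60))
    print("(seconds=10, pid=3) vs (seconds=3, pid=10) collide:",
          collides((10, 5, 3, 0), (3, 5, 10, 0)))
```

Knowing the second to within one second leaves under 50 bits of seed space even with no knowledge of the pids, so the 128-bit session key inherits nothing like 128 bits of strength.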

Cross-Site Scripting (XSS)
XSS is a very common vulnerability
– Would be the vulnerability of the decade, except SQL injections are often far more serious
– XSS is used by one client to attack another client, not to attack the server
An XSS vulnerability is as simple as echoing back user input without sanitizing it
– Ex: You submit “XYZ!!(2” to a search engine and it replies with “XYZ!!(2 no results found”

“Security Context”
We define a security context to be the set of rules that govern how cookies are handled between domains
Users might have several contexts active at the same time
– Ex: An unexpired session token with a bank sitting in another browser window (logout or browser death usually purges these tokens, but users will often neglect to do either)

XSS
The idea of XSS is for an attacker to inject malicious JavaScript into a security context that it does not own
– And, as we know, this means things like session tokens can be sent anywhere we like

Typically called “reflected” XSS (diagram)
1. User connects to the evil site
2. Link to the bank with malicious JavaScript given as a parameter
3. Malicious JavaScript reflected back to the user with the bank’s security context
4. JavaScript executes as if from the bank; tokens stolen

Demo on moxie
Visit stateful.php to establish a highly valuable session ID
View xss.php behavior
Look at ~drevil on moxie
– Note the warm innocent feel of the page
– View source on this page (note the encodings)
Examine steal.php
Click on the link on drevil’s homepage
– Look in /tmp/stolen.txt

Stored XSS
Stored XSS is very similar
– Instead of using a reflection bug, the attacker stores JavaScript in a place where the victim is likely to read it (and thereby execute it)
– It’s usually the server’s responsibility to sanitize user input before storing it
Consider a public forum where various users post their thoughts
– And their exploit code…
– Stored XSS is usually considered more serious: no need to induce the user to establish a session and then visit drevil’s site, which can be hard sometimes

(Screenshot of drevil’s page)
– Note the proper domain name
– SSL would be enabled, if this were an SSL site

Samy XSS worm
Oct 2005: MySpace had an XSS vulnerability
– They used filters, but 19-year-old Samy Kamkar found a way to bypass all of them
– He built an AJAX app so that every view of his profile added him as a friend and posted “…and most of all, Samy is my hero” to their page
– He also had the worm install itself so that any viewer of the page would propagate the worm

Three years probation, 90 days community service, and a book-deal

Finding XSS Vulnerabilities
Try entering <script>alert(document.cookie)</script> in every user-input vector and monitor for the appearance of this string from the site
– If the string comes back unmodified, jackpot
This is automatable
Some XSS vulns will not be found by this technique, however, since <script> is often filtered out (as are < and /)
Some XSS filters will miss <SCRIPT>, <ScRiPt>, %3e%3cscript%3e, <scr<script>ipt>, %00<script>
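The echo bug from the XSS slide, the kind of blacklist filter this slide says is bypassed, the output-encoding fix, and the automatable probe check, as one added example that is not part of the slides. The search-page HTML, the serve() model and its mode names are constructed for this example; html.escape is the standard library encoder. The URL-encoded and %00 variants on the slide depend on decoding order and C-string handling and are not modelled here; the case and nested-tag variants are.

```python
"""Added example (not from the slides): a reflected-echo endpoint in three
variants, the slide's probe string, and the filter bypasses it lists."""
import html
import re
from typing import Dict

PROBE = "<script>alert(document.cookie)</script>"   # the slide's test string

# Case variants and the nested-tag trick from the slide's list of filter misses
VARIANTS = [
    "<SCRIPT>alert(document.cookie)</SCRIPT>",
    "<ScRiPt>alert(document.cookie)</ScRiPt>",
    "<scr<script>ipt>alert(document.cookie)</script>",
]

SCRIPT_TAG = re.compile(r"<script[\s>]", re.IGNORECASE)


def blacklist_filter(s: str) -> str:
    """Naive filter: delete the literal lowercase tag in a single pass."""
    return s.replace("<script>", "")


def serve(query: str, mode: str) -> str:
    """Model of a search endpoint that echoes the query back.
    'vulnerable' echoes raw input (the bug on the XSS slide),
    'blacklist' strips the literal tag first, 'escape' HTML-encodes."""
    if mode == "vulnerable":
        body = query
    elif mode == "blacklist":
        body = blacklist_filter(query)
    elif mode == "escape":
        body = html.escape(query, quote=True)   # < > & " ' become entities
    else:
        raise ValueError(mode)
    return f"<html><body><p>{body} no results found</p></body></html>"


def reflects_probe(page: str, probe: str = PROBE) -> bool:
    """The slide's automatable check: did the probe come back unmodified?"""
    return probe in page


def browser_sees_script(page: str) -> bool:
    """What matters to the victim's browser: is a script tag, in any letter
    case, present in the final HTML?"""
    return SCRIPT_TAG.search(page) is not None


def scan(mode: str) -> Dict[str, bool]:
    """Send the probe and each slide variant to one server mode and report
    which inputs leave an executable script tag in the page."""
    return {v: browser_sees_script(serve(v, mode)) for v in [PROBE] + VARIANTS}


if __name__ == "__main__":
    for mode in ("vulnerable", "blacklist", "escape"):
        hits = sum(scan(mode).values())
        print(f"{mode:10s}: probe reflected unmodified={reflects_probe(serve(PROBE, mode))},"
              f" inputs that still execute={hits}/{1 + len(VARIANTS)}")
```

The lowercase probe alone would report the blacklisted endpoint as safe, which is the slide's point about vulns this technique misses; the case and nested-tag variants still execute there, while the encoded output leaves no script tag for any input.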

Good Practices (for security)
Create a session token on first visit
When performing authentication, destroy the old session and create a new one
Expire sessions after a short period (30-60 mins)
Destroy sessions after logout
Use SSL and mark session cookies as secure
Monitor the User-Agent header; it shouldn’t change during a session
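A server-side session store that applies these practices together with the session-ID requirements from the cookie slide (hard to guess, long enough that brute force fails, unique, and with the guessing lockout that slide says apps forget), as an added example that is not part of the slides. The SessionStore class, its method names, the 30-minute idle limit and the per-client lockout threshold are choices made for this example; secrets is the standard library's CSPRNG interface.

```python
"""Added example (not from the slides): a session store implementing the
Good Practices slide. Class, limits and method names are this example's."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_LIMIT = 30 * 60   # seconds; the slide suggests 30-60 minutes
GUESS_LIMIT = 20       # unknown session IDs a client may present before lockout


@dataclass
class Session:
    user: Optional[str]   # None until authentication
    user_agent: str
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing
        self._sessions: Dict[str, Session] = {}
        self._bad_ids: Dict[str, int] = {}        # client address -> failed lookups

    @staticmethod
    def new_id() -> str:
        # 32 random bytes from the OS CSPRNG: unguessable, far too long to
        # brute-force, unique. Never a counter, timestamp or short value.
        return secrets.token_urlsafe(32)

    @staticmethod
    def set_cookie_header(sid: str) -> str:
        # Secure: sent only over SSL/TLS. HttpOnly: invisible to page script.
        return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly"

    def create(self, user_agent: str) -> str:
        """First visit: issue a token before any authentication."""
        sid = self.new_id()
        self._sessions[sid] = Session(None, user_agent, self._clock())
        return sid

    def lookup(self, sid: str, user_agent: str, client: str) -> Optional[Session]:
        """Resolve a presented session ID. Returns None when the ID is unknown
        (counted against the client), idle too long, or presented with a
        different User-Agent than the one that created it."""
        if self._bad_ids.get(client, 0) >= GUESS_LIMIT:
            return None                           # locked out: too many bad IDs
        s = self._sessions.get(sid)
        now = self._clock()
        if s is None:
            self._bad_ids[client] = self._bad_ids.get(client, 0) + 1
            return None
        if now - s.last_seen > IDLE_LIMIT:
            del self._sessions[sid]               # expired: destroy it
            return None
        if s.user_agent != user_agent:
            del self._sessions[sid]               # UA changed mid-session: drop it
            return None
        s.last_seen = now
        return s

    def authenticate(self, old_sid: str, user: str, user_agent: str) -> str:
        """Login: destroy the pre-auth session and issue a fresh ID, so a token
        observed or planted before login is worthless afterwards."""
        self._sessions.pop(old_sid, None)
        sid = self.new_id()
        self._sessions[sid] = Session(user, user_agent, self._clock())
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("Mozilla/5.0 (constructed UA)")
    print(store.set_cookie_header(sid))
    sid = store.authenticate(sid, "alice", "Mozilla/5.0 (constructed UA)")
    print("logged in as", store.lookup(sid, "Mozilla/5.0 (constructed UA)", "10.0.0.1").user)
    store.logout(sid)
    print("active sessions after logout:", store.active_count())
```

The lockout is keyed on unknown IDs rather than on a user name, because a session-ID guesser has no user to lock; the counter is deliberately separate from any password-attempt counter.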