Evil Code and how to defend against it CSCI 4300

Presentation transcript:


Defense against form input attacks: data filtering

Dispatch method

Dispatch script example

Spoofed form input

Whitelist Input Verification

Whitelist address verification

Simple message board

Message Board Attack

Message Board defense Security tip: use pre-existing PHP functions; they are more efficient and less likely to contain security holes.
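The slides do not reproduce the message board code, so the following is an added example (not from the original presentation) of the defense the tip above points at, assuming the attack in question is a script-injection (XSS) post: every untrusted field is escaped on output with PHP's built-in htmlspecialchars() rather than with a hand-written filter. The function names and the sample message rows are constructed for this example.

```php
<?php
// Added example (not from the slides): defending a message board against
// stored XSS by escaping on output with PHP's built-in htmlspecialchars().
// The $messages array below is constructed sample data standing in for rows
// fetched from the database.

declare(strict_types=1);

// Escape a string for insertion into HTML text or a double-quoted attribute.
function escape_html(string $text): string
{
    // ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning an empty string (which would
    // silently drop the input and hide the problem).
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the message body is echoed verbatim, so a message
// containing <script> is executed in every reader's browser.
function render_message_vulnerable(array $m): string
{
    return "<p><b>{$m['author']}</b>: {$m['body']}</p>\n";
}

// Hardened rendering: every untrusted field is escaped at the exact point it
// is written into HTML, so markup in a post is displayed, not interpreted.
function render_message_safe(array $m): string
{
    return '<p><b>' . escape_html($m['author']) . '</b>: '
         . escape_html($m['body']) . "</p>\n";
}

// Constructed sample rows, including one hostile post.
$messages = [
    ['author' => 'alice',   'body' => 'Hello, board!'],
    ['author' => 'mallory', 'body' => '<script>alert("xss")</script>'],
];

// With render_message_safe() the second post is shown literally as
// &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt; and nothing runs.
foreach ($messages as $m) {
    echo render_message_safe($m);
}
```

Escaping belongs at the output stage because the same stored string may later be written into HTML, a JavaScript string or a URL, each of which needs a different encoding; the built-in function is also the piece least likely to miss a case that a home-grown regular expression would.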

Cross-Site Request Forgeries: the victim has authenticated to target site T. Evil site E forges a privileged request to T. The forged request succeeds by virtue of the victim's authentication tokens.

Cross-Site Request Forgery example. Target site: stox.com. Evil site: evil-hackers.org.

CSRF defense: form tokens
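The slide names the defense but does not show it, so here is an added example (not from the original presentation) of a form token as it would be implemented on target site T from the scenario above. The function names, the session key 'csrf_token' and the hidden field name are assumptions for this example.

```php
<?php
// Added example (not from the slides): a per-session form token that defeats
// the CSRF scenario above. Function names, the session key 'csrf_token' and
// the form field name are assumptions for this example.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = 'csrf_token';

// Return the per-session token, creating it on first use. Evil site E cannot
// read T's session or T's pages (same-origin policy), so it cannot learn this
// value and therefore cannot build a request that carries it.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        // 32 bytes from the CSPRNG, hex-encoded: not guessable by an attacker.
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

// Hidden input to embed in every state-changing form served by T.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify the token submitted with a POST. hash_equals() compares in constant
// time, so a mismatch reveals nothing about where the strings differ.
function csrf_check(array $post): bool
{
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// --- Request handling on T, e.g. a "transfer shares" endpoint ---
session_start();

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        // A forged request from E arrives with the victim's cookies but without
        // the token, and is rejected before any privileged action runs.
        http_response_code(403);
        exit('Request rejected: missing or invalid form token.');
    }
    // Token is valid: perform the privileged action here.
    echo 'Action performed.';
} else {
    // Render the form with the token included as a hidden field.
    echo '<form method="post" action="">' . csrf_field()
       . '<input type="submit" value="Do privileged action"></form>';
}
```

The token must be checked on every request that changes state, never only on the page that renders the form; and state-changing actions should be accepted only via POST, since a GET carrying the token would leak it in referrer headers and logs.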

Database Credentials Place db.inc outside of document root, so it cannot be accessed via a URL!

SQL injection attack

    <?php
    // get $uname and $passwd from the form ...
    // Vulnerable: both values are interpolated straight into the SQL string.
    mysql_query("select * from user where uname='$uname' and password='$passwd'");

Evil input:
    uname  = my_uname
    passwd = mypassd'; delete from user where 'a'='a
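As an added example (not from the original presentation), the login query above rewritten so that form input cannot change the shape of the SQL: a mysqli prepared statement with bound parameters, and the database credentials pulled in from a db.inc kept outside the document root as the earlier slide advises. The mysql_* extension the slide uses was removed in PHP 7, which is why mysqli is used here. The path /var/www/private/db.inc, the constant names defined in it, and a user table whose password column holds a password_hash() value are assumptions for this example.

```php
<?php
// Added example (not from the slides): the login lookup with a prepared
// statement, so the password value is always data and never SQL.
// Assumptions: db.inc lives at /var/www/private/db.inc (outside the web root,
// so it can never be fetched as a URL) and defines DB_HOST, DB_USER, DB_PASS
// and DB_NAME; the user table stores password hashes from password_hash().

declare(strict_types=1);

require '/var/www/private/db.inc';

// Make mysqli throw on errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Look up a user by name with a parameterized query and check the password in
// PHP. $uname and $passwd come straight from the form; the placeholder keeps
// $uname as a bound value, and $passwd never reaches SQL at all, so the
// payload from the slide (mypassd'; delete from user where 'a'='a) simply
// fails to verify instead of running a second statement.
// Note: get_result() requires the mysqlnd driver, which is the default.
function find_user(mysqli $db, string $uname, string $passwd): ?array
{
    $stmt = $db->prepare('SELECT uname, password FROM user WHERE uname = ?');
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row === null || !password_verify($passwd, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

$db     = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$uname  = (string)($_POST['uname'] ?? '');
$passwd = (string)($_POST['passwd'] ?? '');

$user = find_user($db, $uname, $passwd);
echo ($user === null)
    ? 'Login failed.'
    : 'Welcome, ' . htmlspecialchars($user['uname'], ENT_QUOTES, 'UTF-8');
```

Binding parameters is the complete fix for this class of bug; escaping the input with a quoting function is only a fallback, because it has to be applied correctly at every call site and does not help where the value is used outside a quoted string (a column name, a LIMIT clause).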