1 CHAPTER 7 UNEXPECTED INPUT

2 Why Unexpected Data is Dangerous
Three classes of attack can result from unexpected data:
–Buffer overflow
»An attacker sends more data than the application expects
»The application may not gracefully handle the surplus data
»Examples of languages that do not properly handle surplus data: C and C++
»Examples of languages that do properly handle surplus data, by increasing the size of the variable's storage: Perl (Practical Extraction & Reporting Language) and PHP (PHP: Hypertext Preprocessor)

3 Why Unexpected Data is Dangerous
Three classes of attack can result from unexpected data:
–System function
»Data is used in some form to interact with a resource that is not contained within the application
»This includes running other applications and accessing or working with files

4 Why Unexpected Data is Dangerous
Three classes of attack can result from unexpected data:
–Logic alteration
»Data is crafted in a way that modifies how the application's logic handles it
»This includes diverting mechanisms, altering Structured Query Language (SQL) queries and gaining access to parts of the application the attacker would not normally have access to
Unexpected data does not have any specific format; it can be as simple as supplying a normal value that modifies the application's intended logical execution

5 Situations Involving Unexpected Data
HTTP / HTML
–Cause: lack of understanding of how they work
–The biggest mistake is for an application to rely on the HTTP referrer header
–The referrer header contains the address of the referring page
–The client supplies the referrer header, so anyone who controls the client can trivially spoof it
–Dependency on HTML form limitations
–Client-side filtering and validation on the form
–Cookies: a method of giving data to the client and getting it back

6 Situations Involving Unexpected Data
Unexpected data in SQL queries
–Cause: the attacker modifies the command that is sent to your database server
–The biggest threat within SQL is that it is possible to include extra commands to be executed
–Example: SELECT * FROM table WHERE x=$data
»The value ($data) will be filled in by the user. But imagine an attacker sending the value 10; SELECT * FROM table WHERE y=5
»The resulting string sent to the database is SELECT * FROM table WHERE x=10; SELECT * FROM table WHERE y=5;

7 Situations Involving Unexpected Data
Disguising the Obvious
–A few applications rely on signature matching; evading signature matching is another unexpected-data attack
–A basic signature-matching network IDS (Intrusion Detection System) has a list of values and situations to look for on the network, and the IDS process alerts when a particular pattern matches
–A Web request can be disguised using various tactics and inventions:
»Encoding
»Self-referenced directory notation

8 Finding Vulnerabilities
The same techniques are used to determine whether an application is vulnerable
Black-boxing tactics:
–Use intuition about what the application is doing
–Run through the full interactive process from start to finish at least once; look for hidden elements, which give an opportunity to undo the filtering
–Try to intentionally cause an error; the goal is to see whether the application alerts on an error
–Methodically work through each parameter, inserting first a single quote (') and then a double quote ("), checking for the possibility of breaking out of a data string in a SQL query

9 Finding Vulnerabilities
Black-boxing tactics:
–Try to determine the need and usefulness of each parameter; look for strings or numbers that tend to be session keys
–Take into account the overall posture presented by the Web site and the application, and use that to hypothesize possible application aspects; if the application is not custom coded, find the source
–Keep an eye out for anything that looks like a filename

10 Finding Vulnerabilities
Black-boxing tactics:
–Research and understand the technological limitations of the different types of Web servers, scripting/application languages and database servers
–Look for anything that looks like an equation, a formula or actual snippets of programming code
–Put yourself in the coder's position

11 Finding Vulnerabilities
Use the source (Luke):
–Application auditing with the source code available
–Find the calls to system functions and trace back where the data given to each system function comes from
–Use techniques such as diffing to find vulnerabilities or changes between versions

12 Finding Vulnerabilities
Application authentication:
–One method is to give the user a large random session or authentication key (the popular attack against this method is brute forcing)
–There are two serious concerns with this approach:
»The key must prove to be truly random; any predictability increases the chances of an attacker guessing a valid session key
»The size of the key space in comparison to the number of keys needed at any one time
–Another common method is to use a SQL query against a database of usernames and passwords

13 Protection: Filtering Bad Data
The way to combat unexpected data is to filter the data down to what is expected
Escaping characters is not always enough
–Remove the offending data
Perl
–Perl's translation command with the delete modifier (tr///d) works very well for removing characters
–Perl's substitution operator (s///) is more flexible
Cold Fusion / Cold Fusion Markup Language (CFML)
–Has a regular replace function to remove unwanted characters from data

14 Protection: Filtering Bad Data
ASP
–Introduced a regex object into its newest scripting engine
–Use the new engine to perform a regex replacement
PHP
–quotemeta: escapes a small set of metacharacters
–addslashes: sanitizes data used in SQL queries
Protecting your SQL queries
–Method: quoting, to make sure that submitted data is properly contained within a set of quotes and that there are no renegade quotes contained within the data itself
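The query from slide 6 and the quoting method from slide 14, worked through as an added example (not code from the chapter). It uses Python's sqlite3 module and a constructed table t (the slide's table name is a reserved word); the point it shows is that quoting only protects a string literal, so an unquoted numeric parameter such as x needs a type check and parameter binding as well.

```python
import sqlite3

# Slide 6's sample input, with the table named t for this example
INJECTED = "10; SELECT * FROM t WHERE y=5"


def naive_query(data: str) -> str:
    """Slide 6: the user's value is pasted straight into the SQL string,
    so a value containing a semicolon smuggles in a second statement."""
    return f"SELECT * FROM t WHERE x={data}"


def sql_quote(data: str) -> str:
    """Slide 14 'quoting': wrap the value in single quotes and double any
    quote inside it (the SQL-standard escape) so the data cannot close the
    literal early. Only meaningful when the parameter is a string literal."""
    return "'" + data.replace("'", "''") + "'"


def quoted_query(data: str) -> str:
    return f"SELECT * FROM t WHERE x={sql_quote(data)}"


def is_valid_x(data: str) -> bool:
    """Slide 13: filter down to what is expected. x is an integer column,
    so anything other than digits is unexpected data and is rejected."""
    return data.isdigit()


def safe_lookup(conn: sqlite3.Connection, data: str) -> list:
    """Validate the type first, then let the driver bind the value; the
    database never sees the input as part of the statement text."""
    if not is_valid_x(data):
        raise ValueError(f"unexpected input for x: {data!r}")
    return conn.execute("SELECT y FROM t WHERE x=?", (int(data),)).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample rows for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (x INTEGER, y INTEGER)")
    conn.executemany("INSERT INTO t VALUES (?, ?)", [(10, 1), (11, 5)])
    return conn


def run_quoted(conn: sqlite3.Connection, data: str) -> list:
    """Run the quoted form: the injected text is now one harmless literal
    compared against x, so it matches nothing instead of running a
    second statement."""
    return conn.execute(quoted_query(data)).fetchall()
```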

15 Protection: Filtering Bad Data
Silently removing vs. alerting on bad data
–When dealing with incoming user data, there are two choices:
»Remove the bad characters, save the good ones and continue processing
»Stop immediately and alert on the invalid input
–Alerts let the attacker determine which characters are being filtered
–Silently filtering the data down to only the safe characters yields some different problems:
»The integrity of the data will be disturbed
»The attacker can still determine the filtering if the application prints the submitted data after it has been changed
–It is better to combine both approaches, based on the type and integrity of the data

16 Protection: Filtering Bad Data
Invalid input function
–A function to report invalid data; in particular it can report when and how an attacker is trying to subvert your application logic
–Suitable for reporting unexpected-data violations
–Useful for analysis and for tuning filters with greater accuracy
–Log character violations for the above purpose
–Can deal with violations by alerting and aborting once one is hit
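The two filtering choices from slide 15 and the invalid-input reporting function from slide 16, as an added example that is not from the chapter; the allowed character set for a username and the in-memory violation log are assumptions made here.

```python
import string

# Assumed allowed set for a username field (letters, digits, _ . -)
ALLOWED_USERNAME = set(string.ascii_letters + string.digits + "_.-")

violations: list = []   # stands in for the application's log


def report_invalid_input(field: str, data: str, bad: set) -> None:
    """Slide 16: record which characters violated the filter, so the
    filters can be tuned later and attempts to subvert the application
    logic become visible in the log."""
    violations.append((field, sorted(bad), data))


def filter_silently(field: str, data: str, allowed=ALLOWED_USERNAME) -> str:
    """Slide 15, choice 1: strip the offending characters and carry on.
    Same effect as Perl's tr///d over the complement of the allowed set.
    The violation is still logged, so the integrity loss is not invisible."""
    bad = {c for c in data if c not in allowed}
    if bad:
        report_invalid_input(field, data, bad)
    return "".join(c for c in data if c in allowed)


def filter_or_abort(field: str, data: str, allowed=ALLOWED_USERNAME) -> str:
    """Slide 15, choice 2: stop immediately and alert on invalid input."""
    bad = {c for c in data if c not in allowed}
    if bad:
        report_invalid_input(field, data, bad)
        raise ValueError(f"invalid characters in {field}")
    return data


def handle_form(fields: dict) -> dict:
    """Slide 15's recommendation: combine both approaches per field.
    A display name can lose stray characters without harm; a field that
    drives application logic (the username looked up in the database)
    is rejected outright rather than silently rewritten."""
    return {
        "display_name": filter_silently("display_name", fields["display_name"]),
        "username": filter_or_abort("username", fields["username"]),
    }
```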

17 Protection: Filtering Bad Data
Token substitution
–The trick where you substitute a token (typically a large, random session key) for sensitive data
–The token correlates to a sensitive database reference, in place of the data itself
–Token values must be huge and random; if not, an attacker can possibly guess them
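Token substitution from slide 17, with the two key concerns from slide 12 (true randomness and a key space far larger than the number of live keys), as an added example that is not from the chapter; the 128-bit key size and the dictionary store are assumptions.

```python
import secrets

KEY_BITS = 128   # assumed token size for this example


def issue_token(store: dict, sensitive_ref: str) -> str:
    """Hand the client an opaque token instead of the sensitive database
    reference. secrets draws from the OS CSPRNG, so the value is
    unpredictable (random.random() would not be: its state can be
    reconstructed from observed outputs)."""
    token = secrets.token_hex(KEY_BITS // 8)
    store[token] = sensitive_ref
    return token


def resolve_token(store: dict, token: str):
    """Map the token back to the reference on the server side; an
    unknown token resolves to None and never reaches the database."""
    return store.get(token)


def guess_probability(key_bits: int, live_keys: int, attempts: int) -> float:
    """Slide 12's key-space concern made concrete: one guess hits one of
    the live_keys valid values with probability live_keys / 2**key_bits,
    so `attempts` guesses succeed with probability at most attempts times
    that (union bound), capped at 1."""
    return min(1.0, attempts * live_keys / float(2 ** key_bits))
```

With a 16-bit key and a thousand live sessions a brute-force run is certain to succeed, while 128 bits keep a billion guesses against a million live sessions far below any practical chance.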

18 Available Safety Features
Some features to reduce or minimize the risks of vulnerabilities:
–Perl
»Has a 'taint' mode, enabled with the -T command-line switch; it warns when user data is passed into a command (bind, chdir, chmod etc.)
»If tainted data is passed to such a command, Perl refuses to execute your script and prints a message
»To 'untaint' data, use Perl's matching regex (m///)

19 Available Safety Features
Some features to reduce or minimize the risks of vulnerabilities:
–PHP
»Includes a 'safe mode' that limits the use of PHP's system functions
»When safe mode is enabled, PHP only allows access to files owned by the script's UID or files in a directory owned by the PHP UID
»exec, system, passthru and popen are only able to run applications contained in the PHP_SAFE_MODE_EXEC_DIR directory
»mysql_connect is limited: it only allows database connections as the UID of the Web server or the UID of the currently running script

20 Available Safety Features
Some features to reduce or minimize the risks of vulnerabilities:
–Cold Fusion / Cold Fusion Markup Language
»Can be used to limit the scope of system functions
–ASP (VBScript and JScript)
»Contains a configuration switch that disallows "../" notation, which an attacker could otherwise use to gain access to files not found under the root Web directory
–MySQL
»Contains the ability to read data in from or write data out to files during queries, using syntax such as: SELECT * INTO OUTFILE "/file/to/save.db" FROM table
»Limit this by not granting the 'file' permission to any users (in MySQL)

21 End Of Chapter 7