CHAPTER 7 Unexpected Input. INTRODUCTION What is Unexpected Input? Data (normally user-supplied) that the application was not written to expect.


CHAPTER 7 Unexpected Input

INTRODUCTION What is Unexpected Input? Data (normally user-supplied) that the application was not written to expect, sent in order to circumvent its security restrictions. Why is Unexpected Input dangerous? It can result in three classes of attack: 1. Buffer Overflow If more data is submitted than the application expects, the application may not handle the surplus gracefully. Programs written in C and C++, where nothing bounds-checks a buffer for you, are the typical examples.

INTRODUCTION 2. System Functions The data is used directly to modify how a system function behaves. System functions include running other applications, opening files and the like, so the data ends up as part of a command line or a path name. 3. Logic Alteration The data is crafted so as to change how the application's own logic handles it. Altering SQL queries is the typical case.

COMMON SITUATIONS Some common situations involve unexpected input or data: HTTP/HTML The biggest mistake applications make is relying on the HTTP Referer header as a security control. The Referer header contains the address of the referring page and is supplied by the client, at the client's option, which means it is trivial to spoof (or simply omit). The second mistake is depending on HTML form limitations: maxlength attributes, hidden fields, select lists and client-side script are enforced only by the browser, and an attacker who sends the request directly is bound by none of them.
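The two HTTP/HTML mistakes above, as an added example (not code from the chapter): a naive Referer check that a hand-built request passes, and the server-side re-validation that actually enforces the limits the form only claims. The endpoint fields (sku, qty, ship, price), the catalogue and the trusted form URL are assumptions made for the demonstration.

```python
# Added example (not from the chapter): the HTML form limits and the Referer
# header are both client-controlled, so the server has to re-check everything.
# Field names, price catalogue and the trusted form URL are assumptions.
from urllib.parse import parse_qs

TRUSTED_FORM_URL = "https://shop.example/order-form"   # assumed

# Constraints the HTML form claims: <input name="qty" maxlength="3">,
# <select name="ship"> with two options, and a hidden "price" field.
QTY_MAX_LEN = 3
SHIP_CHOICES = {"ground", "air"}
CATALOGUE = {"SKU-1": 1999}   # price in cents, held server-side only


def referer_allows(headers):
    """The check the chapter warns against: Referer is whatever the client
    chose to send, so this says nothing about where the request came from."""
    return headers.get("Referer") == TRUSTED_FORM_URL


def validate_order(body):
    """Re-apply every form limit on the server and refuse client-supplied
    prices.  Returns (order, errors); an empty error list means accept."""
    params = parse_qs(body, keep_blank_values=True)
    first = lambda key: params.get(key, [""])[0]
    errors = []

    qty_raw = first("qty")
    is_number = qty_raw.isascii() and qty_raw.isdigit()
    if len(qty_raw) > QTY_MAX_LEN or not is_number:
        errors.append("qty: not a 1-3 digit number")   # maxlength, redone here
    qty = int(qty_raw) if is_number else 0
    if not 1 <= qty <= 100:
        errors.append("qty: out of range")

    ship = first("ship")
    if ship not in SHIP_CHOICES:
        errors.append("ship: not an offered option")   # the <select> list, redone

    sku = first("sku")
    if sku not in CATALOGUE:
        errors.append("sku: unknown item")

    if "price" in params:
        # The hidden field is decoration; an attacker sets it to 1.  The
        # price is looked up server-side and the client's value is rejected.
        errors.append("price: must not be supplied by the client")

    if errors:
        return None, errors
    return {"sku": sku, "qty": qty, "ship": ship,
            "total_cents": CATALOGUE[sku] * qty}, []


def crafted_request():
    """Constructed attack: a request built with a raw HTTP client instead of
    the browser form.  Every client-side limit is gone and the Referer says
    exactly what the naive check wants to hear."""
    headers = {"Referer": TRUSTED_FORM_URL,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = "sku=SKU-1&qty=999999&ship=overnight-free&price=1"
    return headers, body
```

The referer check accepts the crafted request outright; only the server-side re-validation catches the oversized quantity, the option the form never offered and the attacker-chosen price.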

COMMON SITUATIONS SQL Queries Including user-submitted data within SQL queries makes it possible for an attacker to include extra clauses or commands that the database then executes. Disguising the Obvious Where a product relies on signature matching, an attacker takes a known "bad" signature (an actual virus, or an attack string) and disguises it, for example with an alternative encoding, in such a manner that the application is fooled into not recognizing it.

FINDING VULNERABILITIES Some techniques for determining whether an application is vulnerable: Black-Boxing (trial and error) A few tactics to keep in mind: 1. Use intuition about what the application is doing; for example, is it accepting e-commerce orders, and what data must it therefore hand to a database or another program? 2. Run the full interactive process from start to finish at least once, recording every request, so that every parameter the application uses is known. 3. Try to intentionally cause an error, to see whether the application reports it and what the error message reveals about how the data is handled.

FINDING VULNERABILITIES Use the Source Starting at the system functions (command execution, file opens, SQL calls) and tracing backwards to the input lets us audit the application efficiently for the places where unexpected data reaches them. Application Authentication The popular method is to issue a large random session or authentication key whose key space is large enough to thwart brute-forcing. The key must also be truly random; any predictability increases an attacker's chances of guessing a valid session key, however long the key is.

PROTECTION Filtering Bad Data The best way to combat unexpected data is to filter the data down to what is expected: 1. Deleting or removing unwanted characters from data. Every language has its own way of filtering; a list of the characters that are allowed is safer than a list of those that are forbidden. 2. Protecting SQL Queries The common method is called quoting: making sure that submitted data is properly contained within a set of quotes, and that there are no renegade quotes within the data itself (every embedded quote must be escaped). Where the database interface supports them, parameterized (prepared) queries achieve the same thing without the application doing any quoting, and cover numeric fields, where quoting does not apply.
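The SQL query situation above and the quoting protection just described, as an added example (not code from the chapter): a lookup that splices input into the query text, the quoting fix, the numeric case that quoting cannot fix, and the parameterized form. The users table, its rows and the attack strings are constructed for the demonstration; SQLite is used because it ships with Python.

```python
# Added example (not code from the chapter): a user lookup that splices input
# into SQL, the "quoting" defence the chapter describes, and the parameterised
# query that removes the need for quoting.  The users table, its rows and the
# attack strings are constructed for this demonstration.
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite database with two users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "s3cr3t"), (2, "bob", "hunter2")])
    return db


def lookup_vulnerable(db, name):
    """Logic alteration: the submitted name becomes part of the query text,
    so a quote inside it closes the literal and the rest is parsed as SQL."""
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()


def quote_sql_string(value):
    """The chapter's 'quoting' method: wrap the value in single quotes and
    double every single quote inside it, so none can close the literal.
    Correct for SQLite string literals; other servers add escapes of their
    own (backslashes, NUL bytes, multi-byte charsets) that also need handling,
    which is why parameterised queries are preferred where available."""
    return "'" + value.replace("'", "''") + "'"


def lookup_quoted(db, name):
    sql = "SELECT name, secret FROM users WHERE name = " + quote_sql_string(name)
    return db.execute(sql).fetchall()


def lookup_by_id_vulnerable(db, id_text):
    """Quoting does nothing for a numeric context: there is no quote to
    escape, so '1 OR 1=1' is accepted as-is.  Filter to digits, or bind."""
    sql = "SELECT name, secret FROM users WHERE id = " + id_text
    return db.execute(sql).fetchall()


def lookup_parameterised(db, name):
    """The data travels separately from the statement; the database never
    parses it as SQL, whatever characters it contains."""
    return db.execute("SELECT name, secret FROM users WHERE name = ?",
                      (name,)).fetchall()


def lookup_by_id_parameterised(db, id_text):
    """Filter to the expected form first (allowed characters only), then
    bind the value; either step alone would already stop the injection."""
    if not (id_text.isascii() and id_text.isdigit()):
        return []
    return db.execute("SELECT name, secret FROM users WHERE id = ?",
                      (int(id_text),)).fetchall()


# Constructed attack strings.
STRING_INJECTION = "x' OR '1'='1"     # closes the literal, ORs in a tautology
NUMERIC_INJECTION = "1 OR 1=1"        # no quote needed in a numeric context
```

Against the string injection the vulnerable lookup returns every row, while both the quoted and the parameterized lookups return nothing, as they should for a user that does not exist; the numeric lookup shows that quoting alone is not a complete answer.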

PROTECTION 3. Silently Removing versus Alerting on Bad Data Silently removing means the application strips the bad data and carries on; alerting means it rejects the request and reports the bad data, so that someone can look at what was attempted. 4. Invalid Input Function Centralizing the reporting of invalid data in one common function makes it easier to monitor unexpected data, and to change how it is handled in one place. 5. Token Substitution This is the trick where we substitute a token (typically a large random session key) for the sensitive data itself; the token is what the client sends back, and the server uses it to correlate the request with the sensitive values, which never leave the server.
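The session-key requirements from the Application Authentication paragraph and the token substitution trick above, as an added example (not code from the chapter): a long key that is nonetheless predictable because it is seeded from the clock, a key drawn from the operating system's random source, and a token store that hands the client an opaque token in place of the sensitive record. Key size, the clock window and the record contents are assumptions made for the demonstration.

```python
# Added example (not code from the chapter): why the session key must be both
# large and unpredictable, and token substitution, where the client holds only
# an opaque token while the sensitive value stays on the server.  Seed values,
# the clock window and the record contents are constructed for the demo.
import random
import secrets
import time

KEY_BYTES = 32   # 256-bit keys: the key space itself defeats brute force


def weak_session_key(seed):
    """A key from the general-purpose PRNG seeded with the clock.  The key
    looks random, but the effective key space is the set of plausible seeds,
    and anyone who knows (or can guess) the seed reproduces the key."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BYTES * 8).to_bytes(KEY_BYTES, "big").hex()


def weak_session_key_now():
    return weak_session_key(int(time.time()))


def attacker_guess_seed(target_key, now, window=300):
    """Try every second in the last five minutes; a clock-seeded key falls
    after at most `window` trials, whatever its length."""
    for seed in range(now - window, now + 1):
        if weak_session_key(seed) == target_key:
            return seed
    return None


def strong_session_key():
    """secrets draws from the OS CSPRNG: no seed to guess, full key space."""
    return secrets.token_hex(KEY_BYTES)


def key_space_bits(key_hex):
    return len(bytes.fromhex(key_hex)) * 8


class TokenStore:
    """Token substitution: hand the client an opaque token instead of the
    account number, price or file path, and look the real value up here.
    The client cannot alter what it never received."""

    def __init__(self):
        self._records = {}

    def issue(self, sensitive):
        token = secrets.token_urlsafe(KEY_BYTES)
        self._records[token] = sensitive
        return token

    def resolve(self, token):
        # Unknown or tampered tokens resolve to nothing; a valid one cannot
        # be constructed without having been issued it.
        return self._records.get(token)
```

Both keys are 256 bits long, which is the point: length alone does not make a key hard to guess, and the clock-seeded one is recovered by a few hundred trials.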

SAFETY FEATURES Available Safety Features Various programming languages and platforms have features that reduce the risk of these vulnerabilities. PHP PHP included a "safe mode" configuration option that limited the use of PHP's system functions; it was deprecated in PHP 5.3 and removed in PHP 5.4, so it cannot be relied on in current versions. Perl Perl has a "taint mode" (the -T switch). When running in taint mode, Perl tracks data that came from outside the program and refuses, with an "Insecure dependency" error, to pass it directly to commands such as system, exec or open until the application has explicitly extracted the wanted part with a regular expression match.