Presentation is loading. Please wait.

Presentation is loading. Please wait.

Module: Software Engineering of Web Applications

Published byGervase Stephens Modified over 6 years ago

Similar presentations

Presentation on theme: "Module: Software Engineering of Web Applications"— Presentation transcript:

1 Module: Software Engineering of Web Applications
Chapter 3 (Cont.): user-input-validation testing of web applications

2 Vulnerabilities in web applications
Existing technologies such as anti-virus software and network firewall offer comparatively secure protection at host and network levels, but not at the application level (Huang et al., 2004). Application-level attacks are more difficult to detect than attacks at host and network levels. These attacks can come from any online user — even authenticated ones. As UIV checks inputs from any on-line user, UIV is an effective means to protect a web application from application-level attacks. These slides are designed to accompany module: Software Engineering of Web Applications

3 Vulnerabilities in web applications
Here, we give a brief introduction of several vulnerabilities in web applications to show how attacks can happen at the application level because of defective UIV. These slides are designed to accompany module: Software Engineering of Web Applications

4 1- Hidden fields Hidden fields refer to hidden HTML form fields, such as (input type=hidden name=hl value=“en”). In many web applications, developers use these fields to transfer values instead of presenting these values to users. Unfortunately, these fields are actually visible and manipulable to users. Malicious users could easily change the values of these fields in HTML source code and send the changed values back to the web application. These slides are designed to accompany module: Software Engineering of Web Applications

5 Hidden fields If a web application uses a hidden field to hold merchandise prices, malicious users could purchase items at little or no cost. These attacks could be successful because a web application may not validate whether the returning value of a hidden field is the same as its outgoing value, and accepts the illegally changed value. These slides are designed to accompany module: Software Engineering of Web Applications

6 2- Cross-Site Scripting
Cross-Site Scripting (XSS) flaws occur when a web application accepts user-supplied inputs that contain browser-executable scripts, and posts the inputs in an HTML page without validating or encoding. When another user accesses the HTML page, the web browser executes scripts posted in that HTML page. Through XSS, attackers could send an executable script to a victim’s browser, and then possibly hijack user sessions, deface websites, introduce worms, etc. These slides are designed to accompany module: Software Engineering of Web Applications

7 Cross-Site Scripting Fig. 1 shows a typical XSS example, which is borrowed from the “Writing Secure Code” book (Howard and LeBlanc, 2003). Suppose that an attacker sends the code shown in Fig. 1 to a bulletin board, and then an innocent user opens that bulletin board and clicks the hyper link of “Click here!”. As a result, this user’s cookie would be stolen. Such attacks could be successful when the web application does not filter out or transform scripts included in users’ inputs. These slides are designed to accompany module: Software Engineering of Web Applications

8 Cross-Site Scripting These slides are designed to accompany module: Software Engineering of Web Applications

9 3- SQL injection SQL injection flaws occur when user-supplied inputs are sent to an interpreter as part of a command or query. Attackers trick the interpreter to execute unintended commands via supplying specially crafted data For example, consider a web application that authenticates a user by checking a database in this way: These slides are designed to accompany module: Software Engineering of Web Applications

10 SQL injection SQLQuery = “SELECT * FROM Users WHERE (UserName=’
“+ strUserName +”’) AND (Password=’ “+ strPassword +”’);”; if GetQueryResult(SQLQuery) == 0 then authenticated = false; else authenticated = true; If an attacker enters X’ OR ‘A’ =’A for UserName and X’ OR ‘A’ =’A for Password and the web application executes the query on the database directly, the SQL statement at runtime becomes: SELECT ∗ FROM Users WHERE(UserName = ‘X’ OR‘A’ = ‘A’) AND(Password = ‘X’ OR‘A’ = ‘A’); These slides are designed to accompany module: Software Engineering of Web Applications

11 SQL injection In this way, the attacker bypasses the authentication and accesses all the user information in the Users table. Similar to XSS attacks, SQL-injection attacks could be successful if the web application does not filter or transform SQL commands included in users’ inputs. These slides are designed to accompany module: Software Engineering of Web Applications

12 4- Unconscious mistakes
Besides the preceding malicious attacks, many users can enter invalid inputs unconsciously. For example, users may enter invalid characters, such as multiple blanks, &, and null accidentally. These characters may lead to a failure or even crash when they are used for database operations. These slides are designed to accompany module: Software Engineering of Web Applications

13 Unconscious mistakes Even though such inputs may not crash a web application, there can be a negative user experience. For example, when a user signs up for a service, a web application requires the user’s address, and sends an automatically generated password to that address. If the user enters an invalid address, the user does not get the password and the service sign up fails. These slides are designed to accompany module: Software Engineering of Web Applications

14 Reference Li, N., Xie, T., Jin, M. & Liu, C., Perturbation-based user-input-validation testing of web applications. The Journal of Systems and Software, 83(11), pp These slides are designed to accompany module: Software Engineering of Web Applications

15 Solution To avoid these vulnerabilities, a web application should validate a user input before using the input for further processing. However, web-application developers often forget validating users’ inputs, and UIV is often not correctly developed. These slides are designed to accompany module: Software Engineering of Web Applications

Download ppt "Module: Software Engineering of Web Applications"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.
Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Similar presentations

Ads by Google