Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Published byKatherine Potter Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review."— Presentation transcript:

1 Web Application Access to Databases

2 Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review your final before final grades are submitted 2

3 3 Three-Tier Architecture 3 DB DB Server Application Server Web Server Clients Internet

4 4 4 Options 1.Code in a specialized language is stored in the database itself (e.g., PSM, PL/SQL). 2.SQL statements are embedded in a host language (e.g., C). 3.Connection tools are used to allow a conventional language to access a database (e.g., CLI, JDBC, PHP/DB).

5 Code Security Input validation! 5

6 Process Memory Organization Process memory: 3 regions  Text: fixed by the program, includes code, read-only (attempt to write: segmentation fault)  Data: initialized and uninitialized data  Stack: stores application data and control data Low-level languages: direct access to application memory 6

7 Buffer Overflow Inserting more data into the buffer than it can handle Stack-base attacks most common Most vulnerable languages: C, C++ 7

8 Exploitation of Buffer Overflow Lack of input validation Default case: mistrust input  Never allow input over the maximum length to be stored in a variable  Process input one character, word, or byte at a time  Never leave extra input on the incoming line 8

9 Cases and Effects Overwriting local variables  change the program’s behavior Overwriting a return address  execution will resume at the attacker’s specified address, executing the attacker’s code 9

10 Defensive Measures Canaries Pad buffers with a random, secret value determined at compile time or runtime Check to see if the secret value is the same before allowing transfer of control If you smash the boundaries of the array on the stack, how do you know what the values are? 10

11 Defensive Measures Randomize locations for loading of code Prevent data from being executed Stop using unsafe code! strcpy -> strlcpy, strncat -> strlcat, gets -> fgets Use a safer language Anything with bounds checking – Java, C#, VB.net, Python, Perl, Ruby, PHP, D… …but be careful when calling C/C++ libraries 11

12 Defensive Measures Input validation Allow only input that you expect Example: [a-zA-Z0-9]+ on usernames Prevent some shellcode Run static code analyzers Detects use of unsafe (unbounded) functions 12

13 SQL Injection  Attacker provides malformed data to application  Application uses data to create a SQL statement via string concatenation  Allows attacker to change the semantics of the SQL query  Why use concatenation?  Don’t know a safer way  Laziness 13

14 Spotting SQL Injection Takes user input Does not check user input validity Uses user-input data to query a database Uses string concatenation or string replacement to build the SQL query or uses SQL EXEC command 14

15 Redemption  Thou shalt never trust input to SQL statements  Always validate Use regular expressions to parse input  Use prepared or parameterized SQL statements Use placeholders or binding 15

16 Web Application Vulnerabilities 16

17 Biggest Threats to Web Applications Cross-site scripting (XSS) Cross-site request forgeries (CSRF) Remote file uploads, (buffer overflow, SQL injection, etc.) Trust between the client’s machine and the web applications. 17

18 XSS – Server trusts client Inject client-side script into Web pages Client views web page  download script Used for bypass access controls such as the same origin policy  Permits scripts running on pages originating from the same site ( scheme, hostname, and port number) to access each other's Document Object Model with no specific restrictions XMLHttpRequest and Robots.txt 18

19 How to avoid XSS? Scrub all input Escape output for display Use trusted solutions when available Use separate variables for scrubbed input 19

20 Cross-site request forgery – Client trusts server Exploits the trust between server and client machine Mostly http requests and responses Based on how web pages are delivered along with images and other web content 20

21 Prevent CSRF Require verification and stages for sensitive applications Use anti-CSRF tokens in your forms and processing Use post as the mean of taking form input  Get: encodes the data of the form into the url of the recipient, appending it to the query string of the request  Post: encodes it as a message 21

22 Unrestricted file upload Users may upload malicious files Uploaded files can be called by a url (if stored on the web server) Example: php  Embedded in image files  Compile php code 22

23 Avoid file upload problems System should determine file name Do not allow users to access the folders where content is uploaded Parse file extensions carefully or set your own file parser White list extensions Be secure with the.htaccess file (controls accesses to the files on the server 23

Download ppt "Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review."

Similar presentations

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 12.1 Nov 20, 2012 SQL Injection Cross-Site Scripting.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

Similar presentations

Ads by Google