Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

Published byElla Johnston Modified over 9 years ago

Similar presentations

Presentation on theme: "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security."— Presentation transcript:

1 CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security

2 CIT 380: Securing Computer SystemsSlide #2 Topics 1.HTTP 2.Web Input 3.Web Application Vulnerabilities 4.Client-side Attacks 5.Finding Web Vulnerabilities

3 CIT 380: Securing Computer SystemsSlide #3 Web Transactions Web Browser OS Web Server Network HTTP Request HTTP Response

4 CIT 380: Securing Computer SystemsSlide #4 HTTP: HyperText Transfer Protocol Simple request/respond protocol –Request methods: GET, POST, HEAD, etc. –Protocol versions: 1.0, 1.1 Stateless –Each request independent of previous requests, i.e. request #2 doesn’t know you auth’d in #1. –Applications responsible for handling state.

5 CIT 380: Securing Computer SystemsSlide #5 HTTP Request GET http://www.google.com/ HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 MethodURL Protocol Version Headers Blank Line No Data for GET method

6 CIT 380: Securing Computer SystemsSlide #6 HTTP Response HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct 2006 03:16:30 GMT... (page data)... Protocol VersionHTTP Response Code Headers Blank Line Web Page Data

7 CIT 380: Securing Computer SystemsSlide #7 Different Perspectives Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted.

8 CIT 380: Securing Computer SystemsSlide #8 Web-based Input Client and Server Perspectives Types of Input –URL parameters –HTML –Cookies –Javascript Cross-Site Scripting

9 CIT 380: Securing Computer SystemsSlide #9 URL Format :// @ : / ? –Whitespace marks end of URL –“@” separates userinfo from host –“?” marks beginning of query string –“&” separates query parameters –%HH represents character with hex values –ex: %20 represents a space http://username:password@www.auth.com:8001/a%20spaced%20path

10 CIT 380: Securing Computer SystemsSlide #10 URL Parameters Client controls query-string –Cannot limit values to those specified in form Any character can be URL-encoded –Even if it doesn’t need to be. Any valid format may be used to disguise true destination of URL

11 CIT 380: Securing Computer SystemsSlide #11 URL Obfuscation IP address representations –Dotted quad (decimal, octal, hexadecimal) –Hexadecimal without dots (with left padding) –dword (32-bit int) Examples: www.eecs.utoledo.edu –131.183.19.14 (dotted quad) –0xDEDA83B7130E (hexadecimal + padding) –2209813262 (dword)

12 CIT 380: Securing Computer SystemsSlide #12 HTML Special Characters “<“ begins a tag “>” ends a tag –some browsers will auto-insert matching “<“ “&” begins a character entity –ex: < represents literal “<“ character Quotes(‘ and “) used to enclose attribute values

13 CIT 380: Securing Computer SystemsSlide #13 Character Set Encoding Default: ISO-8859-1 (Latin-1) Char sets dictate which chars are special UTF-8 allows multiple representations Force Latin-1 encoding of web page with: –

14 CIT 380: Securing Computer SystemsSlide #14 Hidden Fields Used to propagate data between HTTP requests since protocol is stateless Clearly visible in HTML source Form can be copied, modified to change hidden fields, then used to invoke script

15 CIT 380: Securing Computer SystemsSlide #15 Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb- 2004 23:59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar

16 CIT 380: Securing Computer SystemsSlide #16 Web Input Summary Client Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Server Side Cookies aren’t confidential. Hidden fields aren’t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format.

17 CIT 380: Securing Computer SystemsSlide #17 Web Application Vulnerabilities Input-based Security Problems –Injection Flaws –Insecure Remote File Inclusion –Unvalidated Input Authentication and Authorization –Authentication –Access Control –Cross-Site Scripting Other Bugs –Error Handling and Information Leakage –Insecure Storage –Insecure Communications

18 CIT 380: Securing Computer SystemsSlide #18 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters –Interpret strings as commands. –Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea –Input data from the application is executed as code by the interpreter.

19 CIT 380: Securing Computer SystemsSlide #19 SQL Injection 1.App sends form to user. 2.Attacker submits form with SQL exploit data. 3.Application builds string with exploit data. 4.Application sends SQL query to DB. 5.DB executes query, including exploit, sends data back to application. 6.Application returns data to user. Attacker Web Server DB Server Firewall User Pass ‘ or 1=1--

20 CIT 380: Securing Computer SystemsSlide #20 SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: ". mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query);

21 CIT 380: Securing Computer SystemsSlide #21 SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access.

22 CIT 380: Securing Computer SystemsSlide #22 SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from table users where username like ‘% Database executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from table users where username like ‘%’

23 CIT 380: Securing Computer SystemsSlide #23 Impact of SQL Injection SELECT SSN FROM USERS WHERE UID=‘$UID’ INPUTRESULT 5Returns info for user with UID 5. ‘ OR 1=1--Returns info for all users. ‘ UNION SELECT Field FROM Table WHERE 1=1-- Returns all rows from another table. ‘;DROP TABLE USERS-- Deletes the users table. ‘;master.dbo.xp_cmd shell ‘cmd.exe format c: /q /yes’ -- Formats C: drive of database server if you’re running MS SQL Server and extended procedures aren’t disabled.

24 CIT 380: Securing Computer SystemsSlide #24 Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data);

Download ppt "CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security."

Similar presentations

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Multiple Tiers in Action

Multiple Tiers in Action
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.

HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Secure Software Engineering James Walden Northern Kentucky University.

Secure Software Engineering James Walden Northern Kentucky University.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.

Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
Computer Science 101 Web Access to Databases Overview of Web Access to Databases.

Computer Science 101 Web Access to Databases Overview of Web Access to Databases.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.

Form Handling, Validation and Functions. Form Handling Forms are a graphical user interfaces (GUIs) that enables the interaction between users and servers.
Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.

Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.

Web Hacking 1. Overview Why web HTTP Protocol HTTP Attacks 2.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.

Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Similar presentations

Ads by Google