web security
play

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer - PowerPoint PPT Presentation

Jun 27, 2023 •269 likes •854 views

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web Security for the World-Wide Web (WWW) New vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), Session Hijacking, and Cross-site

  1. Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1

  2. The Web • Security for the World-Wide Web (WWW) • New vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), Session Hijacking, and Cross-site Request Forgery (CSRF) • These share some common causes with memory safety vulnerabilities; like confusion of code and data • Defense also similar: validate untrusted input • New wrinkle: Web 2.0’s use of mobile code • Mobile code, such as a Java Applet, is code that is transmitted across a network and executed on a remote machine. • How to protect your applications and other web resources? SUSTech CS 315 Computer Security 2

  3. Web Security Outline • Web 1.0: the basics • Attack : SQL (“sequel”) injection • The Web with state • Attack : Session Hijacking • Attack : Cross-site Request Forgery (CSRF) • Web 2.0: The advent of Javascript • Attack : Cross-site Scripting (XSS) • Defenses throughout • Theme : validate or sanitize input , then trust it SUSTech CS 315 Computer Security 3

  4. Web Basics SUSTech CS 315 Computer Security 4

  5. The Web, Basically Server Client Browser Web server HTTP (Private) Database Data DB is a separate entity, (Much) user data is logically (and often physically) part of the browser SUSTech CS 315 Computer Security 5

  6. Basic structure of web traffic Client Server HTTP Request Browser Web server User clicks • Requests contain : • The URL of the resource the client wishes to obtain • Headers describing what the browser can do • Request types can be GET or POST • GET : all data is in the URL itself (no server side effects) • POST : includes the data as separate fields (can have side effects) SUSTech CS 315 Computer Security 6

  7. HTTP GET requests http://www.reddit.com/r/security User-Agent is typically a browser but it can be wget , JDK, etc. SUSTech CS 315 Computer Security 7

  8. Referrer URL: the site from which this request was issued. SUSTech CS 315 Computer Security 8

  9. HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL Explicitly includes data as a part of the request’s content SUSTech CS 315 Computer Security 9

  10. SQL injection SUSTech CS 315 Computer Security 10

  11. Server-side data Client Server Browser Web server (Private) Database Long-lived state, stored Data in a separate database Need to protect this state from illicit access and tampering SUSTech CS 315 Computer Security 11

  12. Server-side data • Typically want ACID transactions • Atomicity • Transactions complete entirely or not at all • Consistency • The database is always in a valid state • Isolation • Results from a transaction aren’t visible until it is complete • Durability • Once a transaction is committed, its effects persist despite, e.g., power failures • Database Management Systems (DBMSes) provide these properties (and then some) SUSTech CS 315 Computer Security 12

  13. Server-side code Website “Login code” (PHP) $result = mysql_query(“select * from Users where(name=‘$user’ and password=‘$pass’);”); Suppose you successfully log in as $user if this returns any results How could you exploit this? SUSTech CS 315 Computer Security 13

  14. SQL injection frank’ OR 1=1); -- $result = mysql_query(“select * from Users where(name=‘$user’ and password=‘$pass’);”); $result = mysql_query(“select * from Users where(name=‘frank’ OR 1=1); -- and password=‘whocares’);”); SUSTech CS 315 Computer Security 14

  15. SQL injection frank’ OR 1=1); DROP TABLE Users; -- $result = mysql_query(“select * from Users where(name=‘$user’ and password=‘$pass’);”); $result = mysql_query(“select * from Users where(name=‘frank’ OR 1=1); DROP TABLE Users; -- and password=‘whocares’);”); Can chain together statements with semicolon: STATEMENT 1 ; STATEMENT 2 SUSTech CS 315 Computer Security 15

  16. http://xkcd.com/327/ SUSTech CS 315 Computer Security 16

  17. SQL injection countermeasures SUSTech CS 315 Computer Security 17

  18. The underlying issue $result = mysql_query(“select * from Users where(name=‘$user’ and password=‘$pass’);”); Should be data , select / from / where not code * Users and = = $user name $user password $pass When the boundary between code and data blurs, we open ourselves up to vulnerabilities SUSTech CS 315 Computer Security 18

  19. Prevention : Input Validation • Since we require input of a certain form, but we cannot guarantee it has that form, we must validate it before we trust it • Just like we do to avoid buffer overflows • Making input trustworthy • Check it has the expected form, and reject it if not • Sanitize it by modifying it or using it it in such a way that the result is correctly formed by construction SUSTech CS 315 Computer Security 19

  20. Also: Mitigation • For defense in depth , you might also attempt to mitigate the effects of an attack • But should always do input validation in any case! • Limit privileges ; reduces power of exploitation • Can limit commands and/or tables a user can access • Allow SELECT queries on Orders_Table but not on Creditcards_Table • Encrypt sensitive data stored in the database; less useful if stolen • May not need to encrypt Orders_Table • But certainly encrypt Creditcards_Table.cc_numbers SUSTech CS 315 Computer Security 20

  21. Web-based State using Cookies SUSTech CS 315 Computer Security 21

  22. HTTP is stateless • The lifetime of an HTTP session is typically: • Client connects to the server • Client issues a request • Server responds • Client issues a request for something in the response • …. repeat …. • Client disconnects • HTTP has no means of noting “oh this is the same client from that previous session” • How is it you don’t have to log in at every page load? SUSTech CS 315 Computer Security 22

  23. Statefulness with Cookies Server Client HTTP Request Cookie Server Cookie Browser Web server HTTP Response State Cookie • Server maintains trusted state • Server indexes/denotes state with a cookie • Sends cookie to the client, which stores it • Client returns it with subsequent queries to that same server SUSTech CS 315 Computer Security 23

  24. Cookies are key-value pairs Set-Cookie:key=value; options; …. Headers Data <html> …… </html> SUSTech CS 315 Computer Security 24

  25. Why use cookies? • Session identifier • After a user has authenticated, subsequent actions provide a cookie • So the user does not have to authenticate each time • Personalization • Let an anonymous user customize your site • Store font choice, etc., in the cookie • Tracking users • Advertisers want to know your behavior • Ideally build a profile across different websites • Visit the Apple Store, then see iPad ads on Amazon?! SUSTech CS 315 Computer Security 25

  26. Session Hijacking SUSTech CS 315 Computer Security 26

  27. Cookies and web authentication • An extremely common use of cookies is to track users who have already authenticated • If the user already visited http://website.com/login.html?user=alice&pass=secret with the correct password, then the server associates a “session cookie” with the logged-in user’s info • Subsequent requests include the cookie in the request headers and/or as one of the fields: http://website.com/doStuff.html?sid=81asf98as8eak • The idea is to be able to say “I am talking to the same browser that authenticated Alice earlier.” SUSTech CS 315 Computer Security 27

  28. Cookie Theft • The holder of a session cookie gives access to a site with the privileges of the user that established that session • Thus, stealing a cookie may allow an attacker to impersonate a legitimate user • Actions that will seem to be due to that user • Permitting theft or corruption of sensitive data SUSTech CS 315 Computer Security 28

  29. Stealing Session Cookies • Compromise the server or user’s machine/browser • Predict it based on other information you know • Sniff the network • DNS cache poisoning • Trick the user into thinking you are Facebook • The user will send you the cookie SUSTech CS 315 Computer Security 29

  30. Defense: Unpredictability • Avoid theft by guessing ; cookies should be • Randomly chosen, • Sufficiently long • Can also require separate, correlating information • Only accept requests due to legitimate interactions with web site (e.g., from clicking links) • Defenses for CSRF , discussed shortly, can do this SUSTech CS 315 Computer Security 30

  31. Cross-Site Request Forgery (CSRF) SUSTech CS 315 Computer Security 31

  32. URLs with side effects • GET requests often have side effects on server state • Even though they are not supposed to • What happens if • the user is logged in with an active session cookie • a request is issued for the following link? • How could you get a user to visit a link? http://bank.com/transfer.cgi?amt=9999&to=attacker SUSTech CS 315 Computer Security 32

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security

Effective Security for the Post-compliance Era Security Awareness and Training for Security Specialists M. ANGELA SASSE, RUHR UNIVERSITY BOCHUM &amp; UCL The problem MENSCHLICH WELTOFFEN LEISTUNGSSTARK 2 ENISA Report December 2018

362 views • 33 slides
Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security:

Material and some slide content from: - Software Architecture: Foundations, Theory, and Practice - Krzysztof Czarnecki Security as a Architectural Concern Reid Holmes [TAILOR ET AL.] NFP: Security Security: The protection a ff orded a

160 views • 4 slides
Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too

Defining Encryption (ctd.) Lecture 3 CPA/CCA security Computational Indistinguishability Pseudo-randomness, One-Way Functions Security of Encryption Security of Encryption Perfect secrecy (IND-Onetime security) is too strong (though too

1.36k views • 113 slides
Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security

Outline Security Principles and Policies Security terms and concepts CS 239 Security policies Computer Security Basic concepts Peter Reiher Security policies for real systems January 13, 2005 Lecture 2 Lecture 2 Page 1

347 views • 9 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election

Election Security and Integrity What is election security? What is election integrity? Election Security = Physical Security + Cybersecurity Physical Security Security plans Secure storage of voting machines and electronic pollbooks

341 views • 13 slides
Computer Security environment, without compromising functionality or security? Three parts

Computer Security environment, without compromising functionality or security? Three parts

9/7/2013 Some topics Im working on Computing on encrypted data Information flow: Dynamic IFC in Haskell, web Sandboxing Untrusted JavaScript Third party web tracking and other web security stories Practical web security

572 views • 21 slides
Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon

Network Security Where we are in the Course Security crosses all layers Applicatjon Transport Network Link Physical CSE 461 University of Washington 2 Security Threats Security is like performance Means many things

1.12k views • 92 slides

More recommend