web security vulnerabilities attacks
play

Web Security: Vulnerabilities & Attacks Slide credit: John - PowerPoint PPT Presentation

Sep 01, 2022 •181 likes •652 views

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song Security User Interface Dawn Song Safe to type your password?

  1. Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities & Attacks Slide credit: John Mitchell Dawn Song

  2. Security User Interface Dawn Song

  3. Safe to type your password? https://www.safebank.com Bank of the Safe https://safebank.com Bank of the Safe (US) (US) SAFEBANK login password Accounts Bill Pay banking content Mail T ransfers https://www.safebank.c om 3 Dawn Song

  4. Safe to type your password? SAFEBANK 4 Dawn Song

  5. Safe to type your password? 5 Dawn Song

  6. Safe to type your password? Bank of the Safe https://www.safebank.com https://safebank.com Bank of the Safe (US) (US) SAFEBANK login password Accounts Bill Pay banking content Mail T ransfers https://www.safebank.c om 7 Dawn Song

  7. Mixed Content: HTTP and HTTPS Dawn Song

  8. Mixed content and network attacks • banks: after login all content over HTTPS – Developer error: Somewhere on bank site write <script src= http ://www.site.com/script.js> </script> – Active network attacker can now hijack any session • Better way to include content: <script src=//www.site.com/script.js> </script> – served over the same protocol as embedding page Dawn Song

  9. The Status Bar • Trivially spoofable <a href=“http://www.paypal.com/” onclick=“this.href = ‘http://www.evil.com/’;”> PayPal</a> Dawn Song

  10. Command Injection Dawn Song

  11. Background Web Server Client UID: Browser foo.php URI www Web Page PHP -> WEB PAGE Dawn Song

  12. Quick Background on PHP display.php: <? echo system("cat ".$_GET['file']); ?> IN THIS EXAMPLE <? php-code ?> executes php-code at this point in the document echo expr: evaluates expr and embeds in doc system(call, args) performs a system call in the working directory “ ….. ”, ‘ ….. ’ String literal. Double-quotes has more possible escaped characters. . (dot). Concatenates strings. _GET[‘key’] returns value corresponding to the key/value pair sent as extra data in the HTTP GET request LATER IN THIS LECTURE preg_match(Regex, Performs a regular expression match. Stiring) proc_open Executes a command and opens fjle pointers for input/output. escapeshellarg() Adds single quotes around a sring and quotes/escapes any existing single quotes. fjle_get_contents(fjle) Retrieves the contents of fjle. Dawn Song

  13. Background Web Server Client display.php?file=notes.txt UID: Browser URI www display.php Web Page system("cat ". $_GET['file']) display.php: <? echo system("cat ".$_GET['file']); ?> Shell Command cat notes.txt Dawn Song

  14. Background Web Server Client Browser UID: display.php?file=notes.txt URI www display.php system("cat ". $_GET['file']) Today we are learning about Web Security. Content of notes.txt Shell Command cat notes.txt display.php: <? echo system("cat ".$_GET['file']); ?> Dawn Song

  15. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. %3B -> “;” %20 -> “ “ %2F -> “/” a. http://www.example.net/display.php?get=rm b. http://www.example.net/display.php?file=rm%20-rf%20%2F%3B c. http://www.example.net/display.php?file=notes.txt%3B%20rm%20-rf%20%2F%3B%0A%0A d. http://www.example.net/display.php?file=%20%20%20%20%20 Dawn Song

  16. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. (URIs decoded) a. http://www.example.net/display.php?get=rm b. http://www.example.net/display.php?file=rm -rf /; c. http://www.example.net/display.php?file=notes.txt; rm -rf /; d. http://www.example.net/display.php?file= Dawn Song

  17. Command Injection display.php: <? echo system("cat ".$_GET['file']); ?> Q: Assuming the script we’ve been dealing with (reproduced above) for http://www.example.net/display.php . Which one of the following URIs is an attack URI? Hint: Search for a URI Decoder to fjgure out values seen by the PHP code. (Resulting php) a. <? echo system("cat rm"); ?> b. <? echo system("cat rm -rf /;"); ?> c. <? echo system("cat notes.txt; rm -rf /;"); ?> d. <? echo system("cat "); ?> Dawn Song

  18. Injection • Injection is a general problem: – T ypically, caused when data and code share the same channel. – For example, the code is “ cat ” and the fjlename the data. • But ‘ ; ’ allows attacker to start a new command. Dawn Song

  19. Input Validation • T wo forms: – Blacklisting: Block known attack values – Whitelisting: Only allow known-good values • Blacklists are easily bypassed – Set of ‘attack’ inputs is potentially infjnite – The set can change after you deploy your code – Only rely on blacklists as a part of a defense in depth strategy Dawn Song

  20. Blacklist Bypass Blacklist Bypass Use a pipe Disallow semi - colons Disallow pipes and semi colons Use the backtick operator to call commands in the arguments Disallow pipes, semi - colons, and backticks Use the $ operator which works similar to backtick Disallow rm Use unlink Disallow rm , unlink Use cat to overwrite existing fjles • Ad infjnitum • T omorrow, newer tricks might be discovered Dawn Song

  21. Input Validation: Whitelisting display.php: <? if (!preg_match("/^[a-z0-9A-Z.]*$/", $_GET['file'])) { echo “The file should be alphanumeric."; return ; } echo system("cat ".$_GET['file']); ?> GET INPUT PASSES? Yes notes.txt No notes.txt; rm –rf /; No security notes.txt Dawn Song

  22. Input Escaping display.php: <? #http://www.php.net/manual/en/function.escapeshellarg.php echo system("cat ".escapeshellarg($_GET['file'])); ?> escapeshellarg() adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument -- http://www.php.net/manual/en/function.escapeshellarg.php GET INPUT Command Executed notes.txt cat 'notes.txt' notes.txt; rm –rf /; cat 'notes.txt rm –rf /;' mary o'donnel cat 'mary o'\''donnel' Dawn Song

  23. Use less powerful API • The system command is too powerful – Executes the string argument in a new shell – If only need to read a fjle and output it, use simpler API display.php: <? echo file_get_contents($_GET['file']); ?> • Similarly, the proc_open (executes commands and opens fjles for I/O) API – Can only execute one command at a time. Dawn Song

  24. Recap • Command Injection: a case of injection, a general vulnerability • Defenses against injection include input validation, input escaping and use of a less powerful API • Next, we will discuss other examples of injection and apply similar defenses Dawn Song

  25. SQL Injection Dawn Song

  26. Background • SQL: A query language for database – E.g., SELECT statement, WHERE clauses • More info – E.g., http://en.wikipedia.org/wiki/SQL Dawn Song

  27. Running Example Consider a web page that logs in a user by seeing if a user exists with the given username and password. login.php: $result = pg_query ("SELECT * from users WHERE uid = '".$_GET['user']."' AND pwd = '".$_GET['pwd']."';"); if ( pg_query_num($result) > 0 ) { echo "Success"; user_control_panel_redirect(); It sees if results exist and if so logs the user in and redirects them to their user control panel. Dawn Song

  28. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] Dawn Song

  29. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Dawn Song

  30. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Execute query with $_GET['user'] $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Results: 25 | pikachu | password123 | electric Resul Dawn Song ts

  31. Background Web Server Client Browser login.php?user=pikachu&pwd=password123 login.php URI connect to database using dbuser login. Success and redirect to user control Execute query with $_GET['user'] panel. $_GET['pwd'] dbus SELECT * from users WHERE uid='pikachu' AND pwd = 'password123'; er Quer DB y Server Results: 25 | pikachu | password123 | electric Resul Dawn Song ts

Recommend

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song

Computer Security Course. Dawn Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Request Forgery Dawn Song Example Application Consider a social networking site, GraceBook, that allows users to share happenings from

696 views • 54 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio

10/25/19 Outline A taxonomy of CR security threats Primary user emulation attacks Cognitive Radio Network Security Byzantine failures in distributed spectrum sensing Security vulnerabilities in IEEE 802.22 Yao Zheng 1 2

383 views • 7 slides
Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to

DAISY D ata A nalysis and I nformation S ecurit Y Lab Vulnerabilities of Voice Assistants at the Edge: From Defeating Hidden Voice Attacks to Audio-based Adversarial Attacks Yingying (Jennifer) Chen Professor, Electrical and Computer

1.05k views • 46 slides
ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User

ISE 331 Fundamentals of Computer Security Authentication and Attacks Agenda User Authentication Authentication process Means of authentication Passwords Vulnerabilities of passwords Password Cracking Dictionary Attacks

472 views • 21 slides
SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017

SQL Injection Attacks: A Quick Primer hassan.abudu@owasp.org OWASP Top 10 Vulnerabilities - 2017 Rank Name 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities 5 Broken Access Control 6 Security

682 views • 8 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction

Database Security Threats and Vulnerabilities John Bissonette Aaron McClure Introduction Databases are the crown jewels of a business or organization Security is paramount Vulnerabilities grant attackers keys to the

600 views • 14 slides
802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and

802.11 Denial-of-Service Attacks Real Vulnerabilities and Practical Solutions John Bellardo and Stefan Savage Department of Computer Science and Engineering University of California, San Diego Motivation n 802.11-based networks have flourished

389 views • 25 slides
WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and

WISTP 07 A comparative analysis of common threats, vulnerabilities, attacks and countermeasures within smart card and wireless sensor network node technologies. Kevin Eagles, Konstantinos Markantonakis and Keith Mayes Smart Card Centre,

337 views • 22 slides
Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @

Hunting PBX For Vulnerabilities Sachin Wagh Security Analyst Security Intelligence Team @ Symantec Speaker at Hakon and Geek Street - Infosecurity Europe Bug Hunter | Penetration Tester Security Blogger @tiger_tigerboy

801 views • 38 slides
Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez

Contactless Payment Cards: Vulnerabilities, Attacks, and Solutions Dr. Ricardo J. Rodr guez All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer Science and Systems Engineering

1.83k views • 137 slides
(IN)SECURITY , RISK &amp; THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK &amp; THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at

(IN)SECURITY , RISK &amp; THE LIFECYCLE OF VULNERABILITIES Dr. Stefan Frei Security Architect at Swisscom frei@techzoom.net Twitter @stefan_frei Cyber &amp; Networking Security Networking security has become critical issue for all types

788 views • 66 slides
Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing

Webapp security: SQL injection Network Security Lecture 9 Today We have finished analyzing the security of network protocols We will now focus on web applications and their vulnerabilities (and attacks) SQL injection Eike Ritter

815 views • 25 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses &amp; worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp;

15th USENIX Security Symposium | July 31st August 4th 2006 | Vancouver, B.C. - Canada Security vulnerabilities, exploits and attack patterns: 15 years of art, pseudo-science, fun &amp; profit Ivn Arce Core Security Technologies Humboldt

767 views • 41 slides
iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2 Security 2 3 Attacks 3 4 Defenses &amp; Mitigation 5 5 Reporting Vulnerabilities 7 1 WWW Basics reading mails chatting on facebook

177 views • 7 slides

More recommend