Computer Security - Tutorial Sheet 3: Network & Programming Security



Similar documents
VIDEO intypedia007en LESSON 7: WEB APPLICATION SECURITY - INTRODUCTION TO SQL INJECTION TECHNIQUES. AUTHOR: Chema Alonso

How I hacked PacketStorm ( )

External Network & Web Application Assessment. For The XXX Group LLC October 2012

An Introduction to Application Security in J2EE Environments

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Secure Authentication and Session. State Management for Web Services

How To Protect A Web Application From Attack From A Trusted Environment

Application Design and Development

Configuring CQ Security

Web Application Guidelines

Database Programming. Week *Some of the slides in this lecture are created by Prof. Ian Horrocks from University of Oxford

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Using Foundstone CookieDigger to Analyze Web Session Management

Application Security

Java and Databases. COMP514 Distributed Information Systems. Java Database Connectivity. Standards and utilities. Java and Databases

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

SECURING APACHE : THE BASICS - III

SQL injection: Not only AND 1=1. The OWASP Foundation. Bernardo Damele A. G. Penetration Tester Portcullis Computer Security Ltd

Web Application Security

What is Web Security? Motivation

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

Security Assessment of Waratek AppSecurity for Java. Executive Summary

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

HP WebInspect Tutorial

Where every interaction matters.

Security Awareness For Website Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Two Factor Zero Knowledge Proof Authentication System

Supplement IV.C: Tutorial for Oracle. For Introduction to Java Programming By Y. Daniel Liang

How To Fix A Web Application Security Vulnerability

CSCI110 Exercise 4: Database - MySQL

Web Applications Security: SQL Injection Attack

Why Web Applications are making a hackers life easy. Presented by Jon Grew BT SBS

Windows Operating Systems. Basic Security

How To Perform An External Security Vulnerability Assessment Of An External Computer System

Implementation of Web Application Firewall

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Mingyu Web Application Firewall (DAS- WAF) All transparent deployment for Web application gateway

APWG. (n.d.). Unifying the global response to cybecrime. Retrieved from

Last update: February 23, 2004

Using ilove SharePoint Web Services Workflow Action

Pentests more than just using the proper tools

elearning for Secure Application Development

Using JML to protect Java code against SQL injection. Johan Janssen June 26, 2007

Network Security Course Specifications

The Art of Exploiting Logical Flaws in Web Apps. Sumit sid Siddharth Richard deanx Dean

Use of The Information Services Active Directory Service (AD) Code of Practice

Secure Web Application Coding Team Introductory Meeting December 1, :00 2:00PM Bits & Pieces Room, Sansom West Room 306 Agenda

Solution of Exercise Sheet 5

Agenda. SQL Injection Impact in the Real World Attack Scenario (1) CHAPTER 8 SQL Injection

THE OPEN UNIVERSITY OF TANZANIA

Name: 1. CSE331: Introduction to Networks and Security Fall 2003 Dec. 12, /14 2 /16 3 /16 4 /10 5 /14 6 /5 7 /5 8 /20 9 /35.

Version of this tutorial: 1.06a (this tutorial will going to evolve with versions of NWNX4)

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Single Sign-On for the Internet: A Security Story. Eugene Tsyrklevich eugene@tsyrklevich.name Vlad Tsyrklevich vlad902@gmail.com

The Roles of Software Testing & QA in Security Testing

Multiple vulnerabilities in Apache Foundation Struts 2 framework. Csaba Barta and László Tóth

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Security Module: SQL Injection

CHAPTER 5 INTELLIGENT TECHNIQUES TO PREVENT SQL INJECTION ATTACKS

JDBC (Java / SQL Programming) CS 377: Database Systems

INTRUSION PROTECTION AGAINST SQL INJECTION ATTACKS USING REVERSE PROXY

SchoolBooking LDAP Integration Guide

Brazil + JDBC Juin 2001, douin@cnam.fr

Cross-Site Scripting

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Securing Your Web Application against security vulnerabilities. Ong Khai Wei, IT Specialist, Development Tools (Rational) IBM Software Group

SQL Injection 2.0: Bigger, Badder, Faster and More Dangerous Than Ever. Dana Tamir, Product Marketing Manager, Imperva

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Cyber Security Workshop Ethical Web Hacking

Web Plus Security Features and Recommendations

Graduate Assessment Test (Sample)

TECHNICAL AUDITS FOR CERTIFYING EUROPEAN CITIZEN COLLECTION SYSTEMS

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert

Aircloak Analytics: Anonymized User Data without Data Loss

Getting Started with Dynamic Web Sites

Criteria for web application security check. Version

Securing ios Applications. Dr. Bruce Sams, OPTIMAbit GmbH

A Decision Maker s Guide to Securing an IT Infrastructure

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Protecting Your Organisation from Targeted Cyber Intrusion

WEB SERVICES VULNERABILITIES

Some Notes on Web Application Firewalls

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Web application security

HP IMC Firewall Manager

HireDesk API V1.0 Developer s Guide

Transcription:

Computer Security - Tutorial Sheet 3: Network & Programming Security School of Informatics 27th February 2014 This is the third problem sheet for the Computer Security course, covering topics in network security and programming securely. Tutorial sheets are provided to help guide your self-study on the course and measure your progress. The process for this tutorial sheet is as follows: 1. Read and try to answer these questions before your Week 7 tutorial. 2. The tutor will discuss some of the answers at the tutorial. 3. After the Week 7 tutorial, write down your answers to all questions. 4. In Week 9, a solution sheet will be issued. To measure your understanding of the material, use the solution sheet to assess your answers. 5. In the Week 9 tutorial, there will be an opportunity to discuss problem points in any of the tutorial questions, to give you personalised feedback on suggested areas to revise before the exam. You are free to discuss these questions and their solutions with fellow students also taking the course, and also to discuss in the course forum. Bear in mind that if other people simply tell you the answers directly, you may not learn as much as you would by solving the problems for yourself; also, it may be harder for you assess your progress with the course material. Part A: Network Security A security company GBHarry has been severely embarrassed by hacks on its web site that exploited flaws in commodity web applications, including a content management system and blogging software. GBHarry is considering deploying a Web Application Firewall (WAF) to help protect its web site in future. A WAF is a specialised kind of firewall designed to protect web sites from attack. It is deployed between a server running a web application and the Internet-facing router or firewall. Features of a WAF can include support for: protocols : parsing HTTP and HTML to validate and restrict them. attack detection : rejecting bad patterns or only accepting good ones. security : providing additional layers without modifying the web application. response : either inside the WAF, via the router, or via the web application. Answer the questions below, based on the above outline or by doing some additional investigation into currently available WAF products. 1 1 For links, visit the OWASP site here: https://www.owasp.org/index.php/web_ Application_Firewall 1

1. Suggest two ways that the HTTP protocol could be usefully restricted in the WAF and give two reasons why the WAF may be a better place than the web server. 2. Before running attack detection methods, input normalisation may be performed by the WAF. Explain why it might be useful for it to do this, and what it could do. 3. As suggested, WAF attack detection methods can be based on negative or positive security policies. Compare the two, giving an advantage and disadvantage of each and mentioning similar trade-offs elsewhere. 4. Suggest a response mechanism the WAF might employ in each of the three places suggested (via router, internally, and via application) and, in each case, an attack which would be best dealt by each. 5. Besides the feature categories given above, there are other highly desirable kinds of feature GBHarry (or any user) would probably expect from a WAF. Describe two of these with examples of the functionality you would want. 6. GBHarry finds some of the technical features of the WAF quite convincing, but has some reservations (other than the purchase price of the tool and hardware). Suggest what some of these other concerns with deploying a WAF might be, and suggest how GBHarry could make the decision whether to deploy a WAF. Part B: Secure Programming A group of talented graduates has recently developed a general purpose online store application for SMEs. They used Java and the MySQL database for their online store. Unfortunately none of them took a Computer Security course, so they have not thought much about the security of their code. You can see some parts of their Java source code on the following pages. 1. Identify 5 security issues as described in the lecture. Can you find another vulnerability? 2. Explain how to exploit the vulnerabilities and what an attacker can do in case of success. 3. Give a suggestion for how to fix each security flaw. 1 import java.unit.random; 3 import java.sql.*; 5 class DBConnect { 7 Connection conn=null; 9 private String Connect() { try{ 11 String url = "jdbc:mysql://129.23.45.77:3306/mydb"; 2

Class.forName ("com.mysql.jdbc.driver"); 13 conn = DriverManager.getConnection (url); String res = "Database connection established"; 15 return res; catch(sqlexception ex) { 17 19 21 class UserManagement { private void logincheck (String username, 23 String passwordhash) throws IOException { bool loginsuccessful = checkcredentialsvalidity(username, passwordhash); 25 if (loginsuccessful) { logger.severe("user login succeeded for: " + username); 27 /* the user is directed to her/his own pages */ else { 29 logger.severe("user login failed for: " + username); /* restricted access to public pages */ 31 33 /* A method that helps to generate a password for a new user 35 or reset the password of an existing user*/ private void resetpassword (String newpass){ 37 Random number = new random(123l); Character c; 39 newpass = null; for (int i = 0; i < 9; i++) { 41 // Generate another random integer in the range of [0, 255] int n = number.nextint(256); 43 c = (char) n; newpass = newpass + c.tostring() ; 45 47 49 51 class Purchase { 53 private Data pdate; 55 public Purchase(){ pdate = new Date(); 57 59 public Date getdate() { return pdate; 61 63 /* create an XML query from the user request. outstream = query for the database, 65 quantity = The user specifies the quantity of an item available for purchase */ private void createxmlquery (BufferedOutputStream outstream, 67 String quantity) throws IOException { 69 String xmlstring; xmlstring = "<item>\n<description>widget</description>\n" + 71 "<price>500.0</price>\n" + 3

"<quantity>" + quantity + "</quantity></item>"; 73 outstream.write(xmlstring.getbytes()); outstream.flush(); 75 77 public void checkallinventories() { for (int i=1; i<= DepartmentNum, i++) { 79 Inventory in = new Inventory(); in.checkinventory(i); 81 83 85 87 public class Inventory { static Vector vector = new Vector(); 89 public void checkinventory(int count) { 91 for (int n = 0; n < count; n++) { vector.add(integer.tostring(n)); 93 // ckeck any mismatch in the inventory list 95 checkmismatch(); 97 for (int n = count - 1; n > 0; n--) { // Free the memory vector.removeelementat(n); 99 101 Part C: Access Control Edinburgh University Informatics wants to have a combined discussion forum for the two courses Computer Security and Computability and Intractability. It should be used by the students, all tutors and the examiners. To ensure that no confidential information about the assignments and exercises is leaked different security levels are needed: Students can write and read with each other in their own threads, but should never be allowed to see the confidential information in the tutoror examiner-threads before the exam. Since Students know nothing confidential, they are allowed to post suggestions that might be considered in the assignments or the exams to the teaching-staff. Tutors are allowed to follow the student-threads to adept the tutorials, but since they know the answers for the assignments they are not allowed to write there. They do have their own threads where they can discuss important questions to prepare for the tutorials. Examiners are allowed to read everything to see how everybody is doing, but can not write except in their own threads, to minimize the risk of leakage. 4

Some students, tutors and examiners are involved with both lectures, some with only one and others are involved with none of those two. Furthermore assume we do have one discussion for each of the following topics concerning the lecture Computer Security: (students) Question about Exercise 1.2 (tutors) Clarification about last tutorial (examiners) Exam question ideas 1. This kind of security hierarchy can be represented in a lattice: (a) Use the construction discussed in the lecture (see Gollman) to write down the security levels and the security lattice for this particular problem. (b) To evaluate Computer Security an independent observer is assigned to watch the corresponding threads of the students and the tutors. On which security layer should this observer be set up? (c) The results of the student-evaluation of both curses are collected. It is necessary to post a two important results to the tutors of Computer Security and the examiners of Computability and Intractability. Which security clearance is necessary and sufficient to make both posts. (d) Dorothy E. Denning postulated the need for a security lattice by establishing 4 axioms about security levels. Her 2nd axiom states The can flow relation is a partial order on the security classes Explain the meaning and the need for this axiom in a security structure. 2. Write down the permission matrix for the three threads mentioned above and the Computer Security student Bob, the tutor Luke and the examiner David. Assume none of the tree subjects are involved in Computability and Intractability. One of the student threads Problem-Thread get very controversial about a method presented in the lecture and Luke (a tutor) as well as Dave (an examiner) have to interfere. The Bell-LaPadula model allows them to temporary adjust their security level to be allowed to answer to this thread. 3. Write down the whole BLP-state for this situation. Is the transition made here secure? Daniel Franzen and David Aspinall 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information