Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Published byRandolph Morris Modified over 8 years ago

Similar presentations

Presentation on theme: "CSCI 6962: Server-side Design and Programming Secure Web Programming."— Presentation transcript:

1 CSCI 6962: Server-side Design and Programming Secure Web Programming

2 Web server most vulnerable resource in organization – Must be accessible to anyone – Users can enter anything into text elements – Users can modify query string to send any value – Users can bypass any client-side security Goal: prevent malicious users from sending “dangerous” values – Attacks on your data – Attacks on other users who visit your site

3 SQL Injection Form inputs contain values used in database query Hacker enters values that modify SQL used in query – Access unauthorized privileges – Modify database in destructive ways – Access operating system…

4 SQL Injection Methods Comments: Anything after -- is ignored Quotes: Can confuse SQL parser about where strings start and end Example: – Normal login query of form SELECT * FROM users WHERE id=‘homer’ AND password=‘donut’ Fields passed from form elements on web page

5 SQL Injection Methods Attack: Comment out password check Enter admin’-- for username Query now of form SELECT * FROM users WHERE id=‘admin’--' AND password=‘’ Query succeeds if database contains user named admin – If admin has administrative privileges, now control database! Commented out!

6 SQL Injection Methods Disjunction with inherently true statement – … OR 1=1 always true – Can use to get all records Example: – Don’t know administrator account called admin – Do know administrator account often first in database

7 SQL Injection Methods Query now resolves to SELECT * FROM users WHERE id=‘’ OR 1=1--' AND password=‘’ Query matches all users in database Database probably uses first record matched – Probably administrator Commented out! Always true!

8 SQL Injection Methods Can use ; to end query and insert commands Some database servers even allow direct access to operating system – xp_cmdshell, xp_regwrite, …

9 Preventing SQL Injection Hard/unreliable way: Filter out all “dangerous” string values before use in SQL query Problem: Many such characters often part of legitimate input and should be accepted – O’Reilly – Smith-Jones… Difficult to create more complex rules for filtering without missing cases – Hackers always looking for new ways to exploit

10 Preventing SQL Injection Best/simpler way: Use prepared statements Prepared Statement p = connection.prepareStatement( “SELECT * FROM users WHERE id=? AND password=?”) p.setString(1, request.getParamter(“id”)); Form of query set in advance based on this Value of this treated as string rather than command

11 Session Hijacking Sessions commonly used for access control so user only has to log in once during session Usual structure: – User successfully logs in  value in bean set to true hasLoggedIn = true; – Any subsequent page request checks this value Redirects to login page if not true if (!hasLoggedIn) return “login.xhtml”

12 Session Hijacking Problem: Assumes SessionID can be uniquely associated with person who actually logged in! Attack: Server Bob’s SessionID: abc123 Bob’s browser Bob’s SessionID: abc123 Attacker Page request with SessionID = abc123 Server has no way of knowing request does not come from Bob!

13 Preventing Session Hijacking Server side: Make session identifiers difficult to guess – Random numbers – Very long Limit time attackers have to find session ID – Session timeout – Logout button destroys session Mostly built into modern web containers

14 Preventing Session Hijacking Client side: Same origin policy in browsers Cookies only accessible by same site that set them – Domain of web site is property of each cookie in browser Otherwise malicious web site could steal session ID set by other sites Bob’s browser ValueDomain jsessionid=2093hffpqe32Widgets.com jsessionid=oirtg04hnwre4gtrAmazon.com jsessionid=ifnvp9rnpa234rf4ysu.edu

15 Cross-site Scripting (XSS) Inserting malicious JavaScript onto trusted web site – User visits trusted site and goes to page containing malicious JavaScript – Malicious JavaScript downloaded to and run on user browser Server Bob’s browser Trusted.html Evil.js

16 Cross-site Scripting Can happen on any page where user can post text – User comments – Product reviews – Discussion pages (MySpace was first major victim) –…–…

17 Cross-site scripting Attacker can insert reference to JavaScript file on another site – Symbols such as, :, “, etc. escaped – Any browser that loads this comment downloads and executes JavaScript from that site

18 XSS and Session Hijacking Key idea: JavaScript downloaded from trusted site Has access to any cookies set by trusted site under same origin policy – JavaScript has commands for manipulating cookies Can be used for session hijacking

19 Attacker site XSS and Session Hijacking Bob’s browser Cookies: Evil.js Trusted site ValueDomain jsessionid=2093hffpqe32Trusted.com Evil.js

20 Preventing Cross-site Scripting Use html encoding to convert potentially executable symbols into non-executable symbols – All characters have numbers in html – Can force browser to render character instead of executing it by using &#number instead of actual character – Example: To display < in html must use &#60

21 Preventing Cross-site Scripting Safest to encode all characters posted by user – Not just those obviously dangerous (, etc.) Most web languages have tools for doing this – Server.HTMLEncode in ASP.NET – <h:outputLabel automatically converts all characters output (unless escape=false attribute added)

Download ppt "CSCI 6962: Server-side Design and Programming Secure Web Programming."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.

Preventing SQL Injection ~example of SQL injection $user = $_POST[‘user’]; $pass = $_POST[‘pass’]; $query = DELETE FROM Users WHERE user = ‘$user’ AND.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
PHP Security.

PHP Security.

Similar presentations

Ads by Google