Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

Published byStuart Ira Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program."— Presentation transcript:

1 Security Attacks CS 795

2 Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. Thus, they are the basis of many software vulnerabilities and can be maliciously exploited. Programming languages commonly associated with buffer overflows include C and C++, which provide no built-in protection against accessing or overwriting data in any part of memory and do not automatically check that data written to an array (the built- in buffer type) is within the boundaries of that array. Bounds checking can prevent buffer overflows. Video: https://www.youtube.com/watch?v=iZTilLGAcFQ Buffer overflow Analysis of Buffer Overflow Attacks

3 General Guidelines For all user input, follow these guidelines: Use validation controls whenever possible to limit user input to acceptable values. Always be sure that the value of the IsValid property is true before running your server code. A value of false means that one or more validation controls have failed a validation check.IsValid Always perform server-side validation even if the browser is also performing client-side validation, to guard against users bypassing client-side validation. Do not use only client-side validation logic. Always re-validate user input in the business layer of your application. Do not rely on the calling process to provide safe data.

4 SQL Injection Attacks A SQL injection attack attempts to compromise your database (and potentially the computer on which the database is running) by creating SQL commands that are executed instead of, or in addition to, the commands that you have built into your application. Stop SQL Injection Attacks Before They Stop You SQL Injection attacks: Are you safe? Manipulating Microsoft SQL Server Using SQL InjectionManipulating Microsoft SQL Server Using SQL Injection To avoid SQL injection attacks, follow these guidelines: * Do not create SQL commands by concatenating strings together, especially strings that include input from users. Instead, use parameterized queries or stored procedures. * If you are creating a parameterized query, use parameter objects to establish the values for the parameters.

5 Script Injection Attack Script injection A script injection attack attempts to send executable script to your application with the intent of having other users run it. A typical script injection attack sends script to a page that stores the script in a database, so that another user who views the data inadvertently runs the code. http://www.asp.net/mvc/videos/mvc-2/how-do-i/preventing- javascript-injection-attacks Video: https://www.youtube.com/watch?v=dbcO97ZHy9Q Securing Data Access

6 Script Injection To avoid script injection attacks, follow these guidelines: * Encode user input with the HtmlEncode method, which turns HTML into its text representation (for example, becomes &ltb>), and helps prevent the markup from being executed in a browser.HtmlEncode * When using parameter objects to pass user input to a query, add handlers for the data source control's pre-query events and perform the encoding in those events. For example, handle the SqlDataSource control's Inserting event, and in the event, encode the parameter value before the query is executed.Inserting * If you are using the GridView control with bound fields, set the BoundField object's HtmlEncode property to true. This causes the GridView control to encode user input when the row is in edit mode.GridViewBoundFieldHtmlEncode * For controls that can be put into edit mode, it is recommended that you use templates. For example, the GridView, DetailsView, FormView, DataList, and Login controls can display editable text boxes. However, except for the GridView control (see the previous point), the controls do not automatically validate or HTML-encode the user input. Therefore, it is recommended that you create templates for these controls, and in the template, include an input control such as a TextBox control and add a validation control. In addition, when extracting the value of the control, you should encode it.DetailsViewFormViewDataList LoginTextBox

7 Cross-site Scripting Attack Video: https://www.youtube.com/watch?v=_Z9RQSnf8-g Video: https://www.youtube.com/watch?v=r79ozjCL7DA http://www.acunetix.com/websitesecurity/xss.htm http://www.cgisecurity.com/xss-faq.html http://www.imperva.com/resources/glossary/cross_site_scripti ng.htmlhttp://www.imperva.com/resources/glossary/cross_site_scripti ng.html Cross-Site Scripting Vulnerabilities Cross site scripting / XSS - How to find & fix it

8

Download ppt "Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program."

Similar presentations

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
Chapter 9 Customizing Data with Web Controls. ASP.NET 2.0, Third Edition2.

Chapter 9 Customizing Data with Web Controls. ASP.NET 2.0, Third Edition2.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.

1. What is SQL Injection 2. Different varieties of SQL Injection 3. How to prevent it.
Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.

Input Validation For Free Text Fields Project Members: Hagar Offer &Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav Attias.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.

Performed by:Gidi Getter Svetlana Klinovsky Supervised by:Viktor Kulikov 08/03/2009.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.

8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Chapter 3 Using Validation Controls. What is a Validation Control? A control that validates the value in another control Renders as an HTML tag with an.

Chapter 3 Using Validation Controls. What is a Validation Control? A control that validates the value in another control Renders as an HTML tag with an.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
Chapter 10 Managing Data with ASP.NET. ASP.NET 2.0, Third Edition2.

Chapter 10 Managing Data with ASP.NET. ASP.NET 2.0, Third Edition2.
Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.

Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.
Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.

Hamdi Yesilyurt, MA Student in MSDF & PhD-Public Affaris SQL Riji Jacob MS Student in Computer Science.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google