Lecture 27 Security I April 4, 2018 Open news web sites.

Slides:



Advertisements
Similar presentations
PHP Form and File Handling
Advertisements

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Secure Software Engineering: Input Vulnerabilities
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
CGI Security COEN 351. CGI Security Security holes are exploited by user input. We need to check user input against Buffer overflows etc. that cause a.
Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Crash Course in Web Hacking
Lecture 19 Page 1 CS 236 Online Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
PHP Error Handling & Reporting. Error Handling Never allow a default error message or error number returned by the mysql_error() and mysql_errno() functions.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
INFO 344 Web Tools And Development CK Wang University of Washington Spring 2014.
Example – SQL Injection MySQL & PHP code: // The next instruction prompts the user is to supply an ID $personID = getIDstringFromUser(); $sqlQuery = "SELECT.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
2440: 141 Web Site Administration Web Forms Instructor: Joseph Nattey.
Group 18: Chris Hood Brett Poche
Module: Software Engineering of Web Applications
Building Secure ColdFusion Applications
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Introduction to Dynamic Web Programming
TOPIC: Web Security (Part-4)
Creating Databases Local storage. join & split
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
World Wide Web policy.
SQL Injection.
CS 371 Web Application Programming
Example – SQL Injection
SE604: Software Testing and QA Secure SW Development for QA Lecture#3
SQL Injection Attacks Many web servers have backing databases
Cross-Site Forgery
AJAX.
Security in Moodle plugins
PHP: Security issues FdSc Module 109 Server side scripting and
Lecture 2 - SQL Injection
Web Security CS 136 Computer Security Peter Reiher March 11, 2010
Security: Exploits & Countermeasures
CS5123 Software Validation and Quality Assurance
Security: Exploits & Countermeasures
Security: Exploits & Countermeasures
Mr. Justin “JET” Turner CSCI 3000 – Fall 2016 Section DA MW 4:05-5:20
Lecture 28 Security II April 7, 2017
Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019
Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Presentation transcript:

Lecture 27 Security I April 4, 2018 Open news web sites. Fill in slide 4 based on input

Security is a big problem CS132 Lecture 25: Security I Security is a big problem 5/10/2019

Security and Privacy CS132 Lecture 25: Security I Many web sites are developed initially without taking these into account What are the consequences? We hear about security/privacy issues daily Most exploits use well-understood techniques Most exploits could be avoided with a little care Optimizations Need to think about security and privacy From the start Design the web site with this in mind Design the code with this in mind Change the code with this in mind 5/10/2019

Homework What news stories did you find CS132 Lecture 25: Security I Homework What news stories did you find Did they tell you what went wrong? 5/10/2019

Security & Privacy Problems CS132 Lecture 25: Security I Security & Privacy Problems Security Week securityweek.com SC Magazine scmagazine.com CNET on Security www.cnet.com/topics/security ThreatPost on Web Security https://threatpost.com/category/web-security 5/10/2019

Security is Fun Creative thinking – outside the box CS132 Lecture 25: Security I Security is Fun Creative thinking – outside the box Think of all the ways of breaking software Think of all ways of preventing such breakage 5/10/2019

Obvious Problems Not considering security in your application CS132 Lecture 25: Security I Obvious Problems Not considering security in your application Not requiring user authentication Allowing weak authentication Not encrypting sensitive communication Sessions that don’t time out Session ids that are guessable Not putting in the resources needed Yahoo 5/10/2019

Obvious Problems Having a vulnerable server CS132 Lecture 25: Security I Obvious Problems Having a vulnerable server Not being at the latest patch level Having bugs in the software Disclosing information inadvertently Exposing SQL and other errors Sending private information publically 5/10/2019

Obvious Problems Applications sharing a common back end CS132 Lecture 25: Security I Obvious Problems Applications sharing a common back end PHP, Tomcat, … have common code Applications can interfere with each other 5/10/2019

CS132 Lecture 25: Security I Non-Obvious Problems Assume we have secured our sever, validated our code, used best practices for data encoding, etc. Are there still things that can go wrong? 5/10/2019

Security Issues Application security attacks SQL injection attacks CS132 Lecture 25: Security I Security Issues Application security attacks SQL injection attacks Cross-site scripting attacks Cross-site request forgery Code insertion attacks File name attacks Buffer overflow attacks Timing attacks … Keeping information secret Passwords, Credit Cards, … From whom and when? Principle of minimum access Cross-site request forgery Code insertion attacks Timing attacks double submissions 5/10/2019

Security and Web Applications CS132 Lecture 25: Security I Security and Web Applications “All we can teach people about server-side programming in a few hours is how to create security holes, even if we use modern frameworks.” Think about security throughout the design 5/10/2019

Question A SQL injection attack involves CS132 Lecture 25: Security I Question A SQL injection attack involves A malicious user inputting text that is used in a prepared SQL query to do malicious things. A malicious user inputting text that is concatenated to form an unexpected SQL operation. A malicious user adding JavaScript code to the web page to create new SQL operations in the back end. A malicious user generating a XMLHttpRequest that cause the back end to add information to the database. A malicious user adding code to the web server to execute their own SQL commands. 5/10/2019

SQL Injection Attacks Let user = user_id from the web page CS132 Lecture 25: Security I SQL Injection Attacks Let user = user_id from the web page Authentication or just for information Code var q = “SELECT firstname FROM users WHERE name = ‘” + user + “’”; var rslt = db.query(q); var msg = “Hello “ + rslt[0].username; Use WHITEBOARD 5/10/2019

SQL Injection Attacks Input: user_id = spr CS132 Lecture 25: Security I SQL Injection Attacks Input: user_id = spr SELECT firstname FROM users WHERE name = ‘spr’ Put the result on the result page (Hello Steven) Input: user_id = x’ or ‘1’ = ‘1 SELECT firstname FROM users WHERE name = ‘x’ or ‘1’ = ‘1’ 5/10/2019

SQL Injection Attacks What if the user passes in CS132 Lecture 25: Security I SQL Injection Attacks What if the user passes in x’; DROP TABLE ‘users’; SELECT * from passwords WHERE ‘1’ = ‘1 SELECT firstname FROM users where User = ‘x’; DROP TABLE ‘users’; SELECT * FROM passwords WHERE ‘1’ = ‘1’ Pass in x’ /* Pass in a query that takes a long time 5/10/2019

SQL Injection Attacks The attacker needs to know CS132 Lecture 25: Security I SQL Injection Attacks The attacker needs to know What the queries look like (the code) The structure of the underlying database Can you determine this? Yes – might take some time, but easy to do Recipes are on the web Tools are available 5/10/2019

CS132 Lecture 25: Security I SQL Injection Attacks Can do different malicious things based on query and database system Used to email passwords to a different user Get field and table names for the database Find user names Password guessing Adding new users (super users) 5/10/2019

Avoiding SQL Attacks Validate all requests before sending to server CS132 Lecture 25: Security I Avoiding SQL Attacks Validate all requests before sending to server Understand what data should look like User ids, product ids, email, … have a given form Use JavaScript in the client to do the validation Is this sufficient? 5/10/2019

Avoiding SQL Attacks Validate the strings in the server CS132 Lecture 25: Security I Avoiding SQL Attacks Validate the strings in the server Most back end languages have a function for this Check there are no funny characters E.g. check that there are no quotes in the string Is this sufficient? Value is a number Name is O’Reilly Unicode Check each string is in a standard form 5/10/2019

Avoiding SQL Attacks Use prepared statements CS132 Lecture 25: Security I Avoiding SQL Attacks Use prepared statements SELECT firstname FROM USERS WHERE name = $; Pass in array of values separately The substitution is handled by the database Done correctly even with quotes, odd characters, etc. This is basically sufficient Done automatically in RUBY, DJANGO, FLASK This is what you should use 5/10/2019

Avoiding SQL Attacks Make sure your database is relatively secure CS132 Lecture 25: Security I Avoiding SQL Attacks Make sure your database is relatively secure Grant permissions to tables only as needed Have separate database users for different roles Limit access to the web application itself Encrypt the database Principle of least access 5/10/2019

Code Insertion Attacks CS132 Lecture 25: Security I Code Insertion Attacks SQL isn’t the only place where web apps run arbitrary code Php, JavaScript, Python have eval(…) statements Back end might run system commands (ls on a directory) These have the same vulnerabilities Solutions are similar (but no prepared statements) These should be avoided if at all possible 5/10/2019

File Naming Attacks Suppose your back end opens a particular file CS132 Lecture 25: Security I File Naming Attacks Suppose your back end opens a particular file Based on the user name Image for user is /web/html/site/user_images/$user What happens if I use the user name “../../../../etc/passwd” Solutions Validate the form of the name Don’t use names directly (look up image name in database) Restrict access to the file system chroot provides a virtual root (node.js accessible) php/java/tomcat/ruby security policies 5/10/2019

Question A cross-site scripting attack (XSS) can involve: CS132 Lecture 25: Security I Question A cross-site scripting attack (XSS) can involve: One web site using its cookies to infect another. A malicious user inserting text into a blog causing another user to run arbitrary JavaScript. An IFRAME from one page accessing data from another page being displayed in the browser. A malicious user redirecting traffic from one site to a look-alike, None of the above 5/10/2019

Cross Site Scripting Attacks CS132 Lecture 25: Security I Cross Site Scripting Attacks The attacker inserts arbitrary HTML on your web page How can this ever happen? XSS What can go wrong Disrupt the page or the portion where inserted Only got up to this slide. 5/10/2019

Cross Site Scripting What if the HTML include <script> tags? CS132 Lecture 25: Security I Cross Site Scripting What if the HTML include <script> tags? Replace the page with a new one Fake instance of a page to get passwords, accounts, etc. Pass information from the page to foreign page Cookies, passwords, credit card numbers, session ids Download user’s cookies (passwords) for other sites 5/10/2019

Cross Site Scripting: How CS132 Lecture 25: Security I Cross Site Scripting: How Suppose you allow user comments Guest book, ratings, wiki, postings, … Text from user is inserted into HTML Suppose instead of typing “I love this page” “I love this page<script language=‘javascript’>document.location=‘http://bad/’; </script>” What would happen? 5/10/2019

Cross Site Scripting What can go wrong CS132 Lecture 25: Security I Cross Site Scripting What can go wrong Reading data from URL (session id) Replace data in the URL Accessing/Replacing hidden form variables Loading foreign web page into a frame inside your page Using JavaScript to read and manipulate that frame Using code in the frame to monitor your activities Taking control of the browser 5/10/2019

Cross Site Scripting: Prevention CS132 Lecture 25: Security I Cross Site Scripting: Prevention Don’t allow any HTML to be inserted Back end libraries to strip out HTML tags Don’t allow malicious HTML to be inserted Back end libraries to sanitize HTML Limited set of allowed tags for formatting Use something other than HTML Mark-up languages Map to html on output 5/10/2019

Next Time Security II Pre-Lecture Homework CS132 Lecture 25: Security I Next Time Security II Pre-Lecture Homework List the security requirements for handling user registration and login 5/10/2019

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.