Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Advanced Network Security Peter Reiher August, 2014

Published byAllen Powers Modified over 5 years ago

Similar presentations

Presentation on theme: "Web Security Advanced Network Security Peter Reiher August, 2014"— Presentation transcript:

1 Web Security Advanced Network Security Peter Reiher August, 2014

2 Outline The scope of the web security problem
Web browser compromise threats SQL injection attacks

3 Web Security Lots of Internet traffic is related to the web
Much of it is financial in nature Also lots of private information flow around web applications An obvious target for attackers

4 The Web Security Problem
Many users interact with many servers Most parties have little other relationship Increasingly complex things are moved via the web No central authority Many developers with little security experience Many critical elements originally designed with no thought to security Sort of a microcosm of the overall security problem

5 Aspects of the Web Problem

6 Who Are We Protecting? Everyone From the network The clients
From the server A client’s interaction with one server From the client From his interaction with another server The client The server From each other

7 What Are We Protecting? The client’s private data
The server’s private data The integrity (sometimes also secrecy) of their transactions The client and server’s machines Possibly server availability For particular clients?

8 Some Real Threats Buffer overflows and other compromises
Client attacks server SQL injection Malicious downloaded code Server attacks client

9 More Threats Cross-site scripting Clients attack each other
Threats based on non-transactional nature of communication Client attacks server Denial of service attacks Threats on server availability (usually)

10 Yet More Threats Browser security
Protecting interactions from one site from those with another One server attacks client’s interactions with another Data transport issues The network attacks everyone else Certificates and trust issues Varied, but mostly server attacks client

11 Compromising the Browser
Essentially, the browser is an operating system You can do almost anything through a browser It shares resources among different “processes” But it does not have most OS security features While having some of the more dangerous OS functionality Like arbitrary extensibility And supporting multiple simultaneous mutually untrusting processes

12 But My Browser Must Be OK . . .
After all, I see the little lock icon at the bottom of the page Doesn’t that mean I’m safe? Alas, no What does that icon mean, and what is the security implication?

13 The Lock Icon This icon is displayed by your browser when a digital certificate checks out A web site provided a certificate attesting to its identity The certificate was properly signed by someone your browser trusts That’s all it means

14 What Are the Implications?
All you know is that the web site is who it claims to be Which might not be who you think it is Maybe it’s amozon.com, not amazon.com Would you notice the difference? Only to the extent that a trusted signer hasn’t been careless or compromised Some have been, in the past

15 Another Browser Security Issue
What if you’re accessing your bank account in one browser tab And a site showing silly videos of cats in another? What if one of those videos contains an attack script? Can the evil cat script steal your bank account number?

16 Same Origin Policy Meant to foil such attacks
Built into many web scripting languages Basically, pages from a single origin can access each other’s stuff Pages from a different origin cannot Particularly relevant to cookies

17 Web Cookies Essentially, data a web site asks your browser to store
Sent back to that web site when you ask for another service from it Used to set up sessions and maintain state (e.g., authentication status) Lots of great information about your interactions with sites in the cookies

18 Same Origin Policy and Cookies
Script from one domain cannot get the cookies from another domain Prevents the evil cat video from sending authenticated request to empty your bank account Domain defined by DNS domain name, application protocol Sometimes also port

19 SQL Injection Attacks Many web servers have backing databases
Much of their information stored in a database Web pages are built (in part) based on queries to a database Possibly using some client input . . .

20 SQL Injection Mechanics
Server plans to build a SQL query Needs some data from client to build it E.g., client’s user name Server asks client for data Client, instead, provides a SQL fragment Server inserts it into planned query Leading to a “somewhat different” query

21 An Example Intent is that user fills in his ID and password
“select * from mysql.user where username = ‘ “ . $uid . “ ‘ and password=password(‘ “. $pwd “ ‘);” Intent is that user fills in his ID and password What if he fills in something else? ‘or 1=1; -- ‘

22 What Happens Then? $uid has the string substituted, yielding
“select * from mysql.user where username = ‘ ‘ or 1=1; -- ‘ ‘ and password=password(‘ “. $pwd “ ‘);” This evaluates to true Since 1 does indeed equal 1 And -- comments out rest of line If script uses truth of statement to determine valid login, attacker has logged in

23 Basis of SQL Injection Problem
Unvalidated input Server expected plain data Got back SQL commands Didn’t recognize the difference and went ahead Resulting in arbitrary SQL query being sent to its database With its privileges

24 Some Example Attacks 130 million credit card numbers stolen in 2009 with SQL injection attack Used to steal 1 million Sony passwords Yahoo lost 450,000 passwords to a SQL injection in 2012 Successful SQL injections on Bit9, British Royal Navy, PBS Ruby on Rails had built-in SQL injection vulnerability in 2012

25 Solution Approaches Carefully examine all input
Use database access controls Randomization of SQL keywords Avoid using SQL in web interfaces Parameterized variables

26 Examining Input for SQL
SQL is a well defined language Generally web input shouldn’t be SQL So look for it and filter it out Problem: proliferation of different input codings makes the problem hard Problem: some SQL control characters are widely used in real data E.g., apostrophe in names

27 Using Database Access Controls
SQL is used to access a database Most databases have decent access control mechanisms Proper use of them limits damage of SQL injections Problem: may be hard to set access controls to prohibit all dangerous queries

28 Randomization of SQL Keywords
Change all SQL keywords into something random Then translate all your internal queries to that new “language” Those trying SQL injection need to inject your language, not standard SQL Problem: security is based on a secret Problem: could cause unexpected errors from otherwise correct behavior

29 Avoid SQL in Web Interfaces
Never build a SQL query based on user input to web interface Instead, use predefined queries that users can’t influence Typically wrapped by query-specific application code Problem: may complicate development

30 Use Parameterized Variables
SQL allows you to set up code so variables are bound parameters Parameters of this kind aren’t interpreted as SQL Pretty much solves the problem, and is probably the best solution

31 Conclusions The World Wide Web is a vital element of the Internet
Provides the interface and underlying protocols for a lot of network services It has become ever more complex Making it harder and harder to secure

Download ppt "Web Security Advanced Network Security Peter Reiher August, 2014"

Similar presentations

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.

Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Secure Credential Manager Claes Nilsson - Sony Ericsson 2009-12-15.

Secure Credential Manager Claes Nilsson - Sony Ericsson
Feedback #2 (under assignments) Lecture Code:

Feedback #2 (under assignments) Lecture Code:
Chapter 10 Security and Encryption. Objectives Explain the nature of a threat model Be able to construct a threat model Be aware of common threats to.

Chapter 10 Security and Encryption. Objectives Explain the nature of a threat model Be able to construct a threat model Be aware of common threats to.
Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

Web Application Security ECE ECE Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.

OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Lecture 15 Page 1 CS 136, Fall 2014 Web Security Computer Security Peter Reiher December 9, 2014.

Lecture 15 Page 1 CS 136, Fall 2014 Web Security Computer Security Peter Reiher December 9, 2014.

Similar presentations

Ads by Google