Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 27 Security I April 4, 2018 Open news web sites.

Published byTeréz Hegedűsné Modified over 5 years ago

Similar presentations

Presentation on theme: "Lecture 27 Security I April 4, 2018 Open news web sites."— Presentation transcript:

1 Lecture 27 Security I April 4, 2018 Open news web sites.
Fill in slide 4 based on input

2 Security is a big problem
CS132 Lecture 25: Security I Security is a big problem 5/10/2019

3 Security and Privacy CS132 Lecture 25: Security I
Many web sites are developed initially without taking these into account What are the consequences? We hear about security/privacy issues daily Most exploits use well-understood techniques Most exploits could be avoided with a little care Optimizations Need to think about security and privacy From the start Design the web site with this in mind Design the code with this in mind Change the code with this in mind 5/10/2019

4 Homework What news stories did you find
CS132 Lecture 25: Security I Homework What news stories did you find Did they tell you what went wrong? 5/10/2019

5 Security & Privacy Problems
CS132 Lecture 25: Security I Security & Privacy Problems Security Week securityweek.com SC Magazine scmagazine.com CNET on Security ThreatPost on Web Security 5/10/2019

6 Security is Fun Creative thinking – outside the box
CS132 Lecture 25: Security I Security is Fun Creative thinking – outside the box Think of all the ways of breaking software Think of all ways of preventing such breakage 5/10/2019

7 Obvious Problems Not considering security in your application
CS132 Lecture 25: Security I Obvious Problems Not considering security in your application Not requiring user authentication Allowing weak authentication Not encrypting sensitive communication Sessions that don’t time out Session ids that are guessable Not putting in the resources needed Yahoo 5/10/2019

8 Obvious Problems Having a vulnerable server
CS132 Lecture 25: Security I Obvious Problems Having a vulnerable server Not being at the latest patch level Having bugs in the software Disclosing information inadvertently Exposing SQL and other errors Sending private information publically 5/10/2019

9 Obvious Problems Applications sharing a common back end
CS132 Lecture 25: Security I Obvious Problems Applications sharing a common back end PHP, Tomcat, … have common code Applications can interfere with each other 5/10/2019

10 CS132 Lecture 25: Security I Non-Obvious Problems Assume we have secured our sever, validated our code, used best practices for data encoding, etc. Are there still things that can go wrong? 5/10/2019

11 Security Issues Application security attacks SQL injection attacks
CS132 Lecture 25: Security I Security Issues Application security attacks SQL injection attacks Cross-site scripting attacks Cross-site request forgery Code insertion attacks File name attacks Buffer overflow attacks Timing attacks … Keeping information secret Passwords, Credit Cards, … From whom and when? Principle of minimum access Cross-site request forgery Code insertion attacks Timing attacks double submissions 5/10/2019

12 Security and Web Applications
CS132 Lecture 25: Security I Security and Web Applications “All we can teach people about server-side programming in a few hours is how to create security holes, even if we use modern frameworks.” Think about security throughout the design 5/10/2019

13 Question A SQL injection attack involves
CS132 Lecture 25: Security I Question A SQL injection attack involves A malicious user inputting text that is used in a prepared SQL query to do malicious things. A malicious user inputting text that is concatenated to form an unexpected SQL operation. A malicious user adding JavaScript code to the web page to create new SQL operations in the back end. A malicious user generating a XMLHttpRequest that cause the back end to add information to the database. A malicious user adding code to the web server to execute their own SQL commands. 5/10/2019

14 SQL Injection Attacks Let user = user_id from the web page
CS132 Lecture 25: Security I SQL Injection Attacks Let user = user_id from the web page Authentication or just for information Code var q = “SELECT firstname FROM users WHERE name = ‘” + user + “’”; var rslt = db.query(q); var msg = “Hello “ + rslt[0].username; Use WHITEBOARD 5/10/2019

15 SQL Injection Attacks Input: user_id = spr
CS132 Lecture 25: Security I SQL Injection Attacks Input: user_id = spr SELECT firstname FROM users WHERE name = ‘spr’ Put the result on the result page (Hello Steven) Input: user_id = x’ or ‘1’ = ‘1 SELECT firstname FROM users WHERE name = ‘x’ or ‘1’ = ‘1’ 5/10/2019

16 SQL Injection Attacks What if the user passes in
CS132 Lecture 25: Security I SQL Injection Attacks What if the user passes in x’; DROP TABLE ‘users’; SELECT * from passwords WHERE ‘1’ = ‘1 SELECT firstname FROM users where User = ‘x’; DROP TABLE ‘users’; SELECT * FROM passwords WHERE ‘1’ = ‘1’ Pass in x’ /* Pass in a query that takes a long time 5/10/2019

17 SQL Injection Attacks The attacker needs to know
CS132 Lecture 25: Security I SQL Injection Attacks The attacker needs to know What the queries look like (the code) The structure of the underlying database Can you determine this? Yes – might take some time, but easy to do Recipes are on the web Tools are available 5/10/2019

18 CS132 Lecture 25: Security I SQL Injection Attacks Can do different malicious things based on query and database system Used to passwords to a different user Get field and table names for the database Find user names Password guessing Adding new users (super users) 5/10/2019

19 Avoiding SQL Attacks Validate all requests before sending to server
CS132 Lecture 25: Security I Avoiding SQL Attacks Validate all requests before sending to server Understand what data should look like User ids, product ids, , … have a given form Use JavaScript in the client to do the validation Is this sufficient? 5/10/2019

20 Avoiding SQL Attacks Validate the strings in the server
CS132 Lecture 25: Security I Avoiding SQL Attacks Validate the strings in the server Most back end languages have a function for this Check there are no funny characters E.g. check that there are no quotes in the string Is this sufficient? Value is a number Name is O’Reilly Unicode Check each string is in a standard form 5/10/2019

21 Avoiding SQL Attacks Use prepared statements
CS132 Lecture 25: Security I Avoiding SQL Attacks Use prepared statements SELECT firstname FROM USERS WHERE name = $; Pass in array of values separately The substitution is handled by the database Done correctly even with quotes, odd characters, etc. This is basically sufficient Done automatically in RUBY, DJANGO, FLASK This is what you should use 5/10/2019

22 Avoiding SQL Attacks Make sure your database is relatively secure
CS132 Lecture 25: Security I Avoiding SQL Attacks Make sure your database is relatively secure Grant permissions to tables only as needed Have separate database users for different roles Limit access to the web application itself Encrypt the database Principle of least access 5/10/2019

23 Code Insertion Attacks
CS132 Lecture 25: Security I Code Insertion Attacks SQL isn’t the only place where web apps run arbitrary code Php, JavaScript, Python have eval(…) statements Back end might run system commands (ls on a directory) These have the same vulnerabilities Solutions are similar (but no prepared statements) These should be avoided if at all possible 5/10/2019

24 File Naming Attacks Suppose your back end opens a particular file
CS132 Lecture 25: Security I File Naming Attacks Suppose your back end opens a particular file Based on the user name Image for user is /web/html/site/user_images/$user What happens if I use the user name “../../../../etc/passwd” Solutions Validate the form of the name Don’t use names directly (look up image name in database) Restrict access to the file system chroot provides a virtual root (node.js accessible) php/java/tomcat/ruby security policies 5/10/2019

25 Question A cross-site scripting attack (XSS) can involve:
CS132 Lecture 25: Security I Question A cross-site scripting attack (XSS) can involve: One web site using its cookies to infect another. A malicious user inserting text into a blog causing another user to run arbitrary JavaScript. An IFRAME from one page accessing data from another page being displayed in the browser. A malicious user redirecting traffic from one site to a look-alike, None of the above 5/10/2019

26 Cross Site Scripting Attacks
CS132 Lecture 25: Security I Cross Site Scripting Attacks The attacker inserts arbitrary HTML on your web page How can this ever happen? XSS What can go wrong Disrupt the page or the portion where inserted Only got up to this slide. 5/10/2019

27 Cross Site Scripting What if the HTML include <script> tags?
CS132 Lecture 25: Security I Cross Site Scripting What if the HTML include <script> tags? Replace the page with a new one Fake instance of a page to get passwords, accounts, etc. Pass information from the page to foreign page Cookies, passwords, credit card numbers, session ids Download user’s cookies (passwords) for other sites 5/10/2019

28 Cross Site Scripting: How
CS132 Lecture 25: Security I Cross Site Scripting: How Suppose you allow user comments Guest book, ratings, wiki, postings, … Text from user is inserted into HTML Suppose instead of typing “I love this page” “I love this page<script language=‘javascript’>document.location=‘ </script>” What would happen? 5/10/2019

29 Cross Site Scripting What can go wrong
CS132 Lecture 25: Security I Cross Site Scripting What can go wrong Reading data from URL (session id) Replace data in the URL Accessing/Replacing hidden form variables Loading foreign web page into a frame inside your page Using JavaScript to read and manipulate that frame Using code in the frame to monitor your activities Taking control of the browser 5/10/2019

30 Cross Site Scripting: Prevention
CS132 Lecture 25: Security I Cross Site Scripting: Prevention Don’t allow any HTML to be inserted Back end libraries to strip out HTML tags Don’t allow malicious HTML to be inserted Back end libraries to sanitize HTML Limited set of allowed tags for formatting Use something other than HTML Mark-up languages Map to html on output 5/10/2019

31 Next Time Security II Pre-Lecture Homework
CS132 Lecture 25: Security I Next Time Security II Pre-Lecture Homework List the security requirements for handling user registration and login 5/10/2019

Download ppt "Lecture 27 Security I April 4, 2018 Open news web sites."

Similar presentations

PHP Form and File Handling

PHP Form and File Handling
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.

1 SQL injection: attacks and defenses Dan Boneh CS 142 Winter 2009.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

Similar presentations

Ads by Google