Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview Custom software or Commercial/Open software Authentication Cross-Site Scripting SQL Injection Tips References.

Published byThomas Baxter Modified over 9 years ago

Similar presentations

Presentation on theme: "Overview Custom software or Commercial/Open software Authentication Cross-Site Scripting SQL Injection Tips References."— Presentation transcript:

1 Overview Custom software or Commercial/Open software Authentication Cross-Site Scripting SQL Injection Tips References

2 Playtime! Cracking/hacking is against University policy, state law, and federal law and can carry severe penalties Exception to University policy for the duration of this presentation for the site below: http://demo.testfire.net

3 Considerations Commercial Off the Shelf Software Used for expected purpose? Vendor is responsible for patches and vulnerabilities You are responsible for configuration and maintenance Open Source Software Used for expected purpose? Community is responsible for patches and vulnerabilities You are responsible for configuration and maintenance Custom Software You are responsible for patches and vulnerabilities Should have security requirements documented Should have test cases and security risks documented You are responsible for configuration and maintenance

4 Internet Reachable? Then you were, are, and will be attacked.

5 Authentication LDAP Supports anonymous and unauthenticated binding LDAP injection can be used to alter query SQL Database SQL Injection can allow for authentication bypass Null/Blank Surprising number of occurrences Default Password Tomcat/tomcat, admin/password Weak Passwords Password Recovery What is my favorite color?

6 If Authentication!=null SELECT * FROM customers WHERE username=‘$varUser’ AND password=‘$varPass’ SELECT * FROM customers WHERE username=‘bob’ OR 1=1--’ AND password=‘asdf’;

7 Authentication

8 Recommendations: Use campus Shibboleth Use 3 rd party package Must use Secure Sockets Layer/Transport Layer Security Change all default passwords for applications Create test cases and test username/password combinations Secure administrative section Use a vulnerability assessment product Must audit authentication success and failure Authorization is not authentication

9 Cross-Site Scripting [XSS] Leads to client side execution of code, typically Javascript Consequences Attacker may steal cookies or execute transactions Internet worms Redirect clients to malware Non-Persistent/Reflected Caused by user interaction, such as clicking on a link Persistent/Stored Caused by limited user interaction, such as visiting a webpage

10 XSS in Visio!

11 Cross-Site Scripting Identify attacks in your logs 192.168.0.252 – - [05/Aug/2009:15:16:42 -0400] “GET /%27%27;!– %22%3CXSS%3E=&{()} HTTP/1.1″ 404 310 “-” “Mozilla/5.0 (X11; U; Linux x86_64; en- US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/8.04 (hardy) Firefox/3.0.12″ 192.168.0.252 – - [05/Aug/2009:15:16:42 -0400] “GET /cal/search.php?q=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png% 22%20height=%22650%22%20width=%221000%22%3E HTTP/1.1″ 404 310 “-” “Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/8.04 (hardy) Firefox/3″ 192.168.0.252 – - [05/Aug/2009:15:16:42 -0400] “GET /appdir/ajax/addAvail.php?counter=1216%3cscript%3ealert(0)%3c%2fscript%3e&fro m=1216%3cscript%3ealert(0)%3c%2fscript%3e&to=1216%3cscript%3ealert(0)%3c%2 fscript%3e&day=1216%3cscript%3ealert(0)%3c%2fscript%3e&parentDiv=1216%3cscr ipt%3ealert(0)%3c%2fscript%3e&type=1216%3cscript%3ealert(0)%3c%2fscript%3e& date=1216%3cscript%3ealert(0)%3c%2fscript%3e&showdate=1216%3cscript%3ealer t(0)%3c%2fscript%3e HTTP/1.1″ 404 310 “-” “Mozilla/5.0 (X11; U; Linux x86_64; en- US; rv:1.9.0.12) Gecko/2009070812 Ubuntu/8.04 (hardy) Firefox/3.0.12″

12 Cross-Site Scripting [XSS]

13 Search Results No results were found for the query: alert('XSS')

14 Cross-Site Scripting [%58%53%53] Prevention Sanitize user-supplied input and output Use 3 rd party data validation libraries HTML entities encoding < > Try test cases alert(1) http://ha.ckers.org/xss.html Tamper Data add-on Vulnerability assessment Web Application Firewall

15 GET /page.asp?id=0;shutdown;-- Remote SQL Execution Uses permissions given to web server Goal of attack is to retrieve or post database content Blind SQL Injection Results of SQL are not displayed, no errors or warnings Leveraged by Bots ASProx botnet used Google search to find Active Server Pages, then execute obfuscated attacks Lizamoon updated databases to include a javascript file for rendered pages

16 SQL Injection in Visio!

17 Recognizing SQL Injection GET /author.asp?authornumber=1);insert%20into%20SubjectTable(Sub_i d,%20SubjectName,%20display)%20values%20(666,%20’blah',%201) ;%20— GET /details.php?id=999999.9+UNION+ALL+SELECT+0x31303235343830 303536– GET /index.php?id=99999 union select 1, (load_file('/etc/passwd')),1,1,1 GET form/?’;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x44454 34C415245204054207661726368617228323535292C404320766172 63686172283430303029204445434C415245205461626C655F43757 2736F7220435552534F5220464F52207………..6C655F437572736F72 20494E544F2040542C404320454E4420434C4F5345205461626C655 F437572736F72204445414C4C4F43415445205461626C655F437572 736F72%20AS%20CHAR(4000));EXEC(@S);

18 SHOW TABLES; SELECT * FROM users userIDusernamepasswordFirst_nameLast_name 0admin AdminUser 1bobtestBobHandles

19 SQL Injection Demo 1' UNION SELECT 1,2,username,password,5 FROM users;--

20 LIKE ‘%SQL Inject%

21 An Error Has Occurred!!!

22 WHERE Goal=‘Prevention’ Prevention Sanitize user-supplied input Escape meta-characters like single quote, semi-colon Use stored procedures or parameterized queries $stmt = $dbh->prepare("SELECT * FROM tbl WHERE custid = :custid "); Try test cases 999999 OR 1=1 http://ha.ckers.org/sqlinjection/ Web Application Firewall Vulnerability Assessment

23 Tips, in a particular order Think like an attacker! Verify all applications are up-to-date and regularly patched Harden default installations Restrict access by way of software firewall rules Run services with least permissions Never trust user-supplied data, always sanitize it Submit Remedy ticket to ITS-Security for web assessment Review your logs*

24 References / Sources Secunia search: http://secunia.com/advisories/search/http://secunia.com/advisories/search/ OWASP Cheat Sheet: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet OWASP Authentication Attacks: http://www.owasp.org/index.php/Category:Authentication_Vulnerability http://www.owasp.org/index.php/Category:Authentication_Vulnerability OWASP Cross Site Scripting Attacks:http://www.owasp.org/index.php/Category:Authentication_Vulnerabilityhttp://www.owasp.org/index.php/Category:Authentication_Vulnerability XSS Examples: http://www.tcnj.edu/~it/security/DetectingCross- SiteScriptingAttacks.htm http://thehackernews.com/2011/09/20-famous-websites- vulnerable-to-cross.html http://security.stackexchange.com/questions/1344/get-with- additional-parameters-leads-to-code-injection-in-html-displayedhttp://www.tcnj.edu/~it/security/DetectingCross- SiteScriptingAttacks.htmhttp://thehackernews.com/2011/09/20-famous-websites- vulnerable-to-cross.htmlhttp://security.stackexchange.com/questions/1344/get-with- additional-parameters-leads-to-code-injection-in-html-displayed OWASP SQL Injection Attacks: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet LizaMoon Worm: http://blog.spiderlabs.com/2011/04/analysis-of-lizamoon-stored- xss-via-sql-injection.htmlhttp://blog.spiderlabs.com/2011/04/analysis-of-lizamoon-stored- xss-via-sql-injection.html SQL Injection Examples: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt http://securitystreetknowledge.com/?p=193 Parameterized SQL: http://www.phpro.org/tutorials/Introduction-to-PHP-PDO.htmlhttp://www.phpro.org/tutorials/Introduction-to-PHP-PDO.html

Download ppt "Overview Custom software or Commercial/Open software Authentication Cross-Site Scripting SQL Injection Tips References."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.

Authenticating Users in an ASP.NET Application. Web Site Administration Tool From VS 2008, click Website/ ASP.Net Configuration to open Web Site Administration.
Introduction to Web Application Security

Introduction to Web Application Security
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Martin Kruliš 2. 4. 2015 by Martin Kruliš (v1.0)1.

Martin Kruliš by Martin Kruliš (v1.0)1.

Similar presentations

Ads by Google