Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues."— Presentation transcript:

1 © 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues

2 2 SY32 Secure Computing, Lecture 14 Outline Some background Some background Handling malicious input Handling malicious input System architecture System architecture How to check data validity How to check data validity Examples of validation problems Examples of validation problems

3 3 SY32 Secure Computing, Lecture 14 Background Two fundamental rules: Two fundamental rules: All input is evil until proven otherwise All input is evil until proven otherwise Data must be validated as it crosses boundary between untrusted & trusted environments Data must be validated as it crosses boundary between untrusted & trusted environments Developers are not good at input validation! Developers are not good at input validation! Tedium of coding Tedium of coding Fear of performance hit Fear of performance hit

4 4 SY32 Secure Computing, Lecture 14 Misplaced Trust Why do buffer overruns succeed? Why do buffer overruns succeed? Data come from an untrusted source (attacker) Data come from an untrusted source (attacker) Too much trust is placed in data format; we assume that input won’t exceed buffer capacity Too much trust is placed in data format; we assume that input won’t exceed buffer capacity Data are written into memory Data are written into memory Remove any of these conditions and danger of an overrun is eliminated Remove any of these conditions and danger of an overrun is eliminated

5 5 SY32 Secure Computing, Lecture 14 Handling Malicious Input Define a trust boundary around the application Define a trust boundary around the application Inside boundary, we can trust data—assuming that validation is done correctly Inside boundary, we can trust data—assuming that validation is done correctly Create as few input chokepoints as possible Create as few input chokepoints as possible All input must pass through a designated chokepoint All input must pass through a designated chokepoint Chokepoints must be implemented carefully to perform thorough validation of input data Chokepoints must be implemented carefully to perform thorough validation of input data

6 6 SY32 Secure Computing, Lecture 14 Trust Boundary and Chokepoints Service DB Trust boundary Internet Implicit trust Environment variables Config data Chokepoint

7 7 SY32 Secure Computing, Lecture 14 Ways of Checking Data Validity ‘Blacklisting’ ‘Blacklisting’ Specify the various forms that invalid data can take; anything that matches is rejected Specify the various forms that invalid data can take; anything that matches is rejected Bad idea; you might miss an invalid data pattern! Bad idea; you might miss an invalid data pattern! ‘Whitelisting’ ‘Whitelisting’ Allow input that conforms to ‘valid’ pattern Allow input that conforms to ‘valid’ pattern Reject everything else Reject everything else

8 8 SY32 Secure Computing, Lecture 14 Examples of Validation Problems URI obfuscation in Mozilla URI obfuscation in Mozilla Canonicalisation issues Canonicalisation issues Case sensitivity Case sensitivity “Dot-free IP address” bug “Dot-free IP address” bug Homograph attacks Homograph attacks Attacking databases via SQL injection Attacking databases via SQL injection Cross-site scripting (XSS) Cross-site scripting (XSS)

9 9 SY32 Secure Computing, Lecture 14 URI Obfuscation in Mozilla user@location URI can be formatted with a null byte between user part and @ symbol user@location URI can be formatted with a null byte between user part and @ symbol Mozilla status bar displays only user part when cursor hovers over link Mozilla status bar displays only user part when cursor hovers over link See http://www.securityfocus.com/bid/9203/ See http://www.securityfocus.com/bid/9203/ http://www.securityfocus.com/bid/9203/

10 10 SY32 Secure Computing, Lecture 14 Canonicalisation Issues Canonical = “In its simplest or standard form” Canonical = “In its simplest or standard form” Canonicalisation = process of converting the various equivalent forms of a name into a single, standard name Canonicalisation = process of converting the various equivalent forms of a name into a single, standard name Applications often make wrong decisions based on non-canonical representation of a name… Applications often make wrong decisions based on non-canonical representation of a name…

11 11 SY32 Secure Computing, Lecture 14 Example: Case Sensitivity Version of Apache web server shipping with first release of Mac OS X was case-sensitive Version of Apache web server shipping with first release of Mac OS X was case-sensitive Hierarchical File System of Mac OS X is not Hierarchical File System of Mac OS X is not Apache configuration might deny access to /private directory of www.foo.org... Apache configuration might deny access to /private directory of www.foo.org... … but http://www.foo.org/PRIVATE/index.html would work! … but http://www.foo.org/PRIVATE/index.html would work!

12 12 SY32 Secure Computing, Lecture 14 Example: ‘Dot-free’ IP Addresses Bug in Internet Explorer, version 4 Bug in Internet Explorer, version 4 Website domain names containing >= 1 dot were assumed to be in Internet zone Website domain names containing >= 1 dot were assumed to be in Internet zone Website domain names with no dots were assumed to be in the more trusted Local Intranet zone Website domain names with no dots were assumed to be in the more trusted Local Intranet zone Problem: IP address can be represented as a dot-free, 32-bit integer Problem: IP address can be represented as a dot-free, 32-bit integer http://3232286052 = http://192.168.197.100 http://3232286052 = http://192.168.197.100 http://3232286052http://192.168.197.100 http://3232286052http://192.168.197.100

13 13 SY32 Secure Computing, Lecture 14 Example: Homographs Obvious: micr0s0ft.com != microsoft.com Obvious: micr0s0ft.com != microsoft.com Subtle: MICR0S0FT.COM != MICROSOFT.COM Subtle: MICR0S0FT.COM != MICROSOFT.COM Very subtle: miсrоsоft.com != microsoft.com Very subtle: miсrоsоft.com != microsoft.com For further details, see Comm. ACM 45(2), page 128, or visit http://www.cs.technion.ac.il/~gabr/papers/homograph.html For further details, see Comm. ACM 45(2), page 128, or visit http://www.cs.technion.ac.il/~gabr/papers/homograph.html http://www.cs.technion.ac.il/~gabr/papers/homograph.html

14 14 SY32 Secure Computing, Lecture 14 SQL Injection Contents of name come from a web form… Contents of name come from a web form… …but no validation is done to ensure that name actually contains employee’s name! …but no validation is done to ensure that name actually contains employee’s name! String query = "SELECT * FROM employees WHERE name='" + name + "'"; ResultSet res = stmt.executeQuery(query);

15 15 SY32 Secure Computing, Lecture 14 Demo

16 16 SY32 Secure Computing, Lecture 14 SQL Injection Really bad guy might do this: Really bad guy might do this: Downright evil guy might do this (on Windows): Downright evil guy might do this (on Windows): SELECT * FROM employees WHERE name='Alan Smith' DROP TABLE budgets -- ' SELECT * FROM employees WHERE name='Alan Smith' exec xp_cmdshell('fdisk.exe') -- '

17 17 SY32 Secure Computing, Lecture 14 Remedies for SQL Injection Never connect with administrator privileges Never connect with administrator privileges Violates principle of least privilege Violates principle of least privilege Attacker can gain complete control of machine Attacker can gain complete control of machine Build SQL queries securely Build SQL queries securely Substitute values into prepared statements Substitute values into prepared statements

18 18 SY32 Secure Computing, Lecture 14 Cross-Site Scripting (XSS) Can be viewed as an output validation problem Can be viewed as an output validation problem Web server is tricked into presenting malicious content, typically Javascript, to browser Web server is tricked into presenting malicious content, typically Javascript, to browser Examples of XSS attacks: Examples of XSS attacks: Session hijacking Session hijacking Modification of web page contents Modification of web page contents Theft of passwords Theft of passwords

19 19 SY32 Secure Computing, Lecture 14 What Happens When You Click? idForm.cookie.value=document.cookie; idForm.submit(); > Click here to win £10,000! Cookie for this domain… …is sent here!

20 20 SY32 Secure Computing, Lecture 14 Summary Remember the fundamental rules: Remember the fundamental rules: All input is evil… All input is evil… …therefore all input data must be validated before passing within the trust boundary …therefore all input data must be validated before passing within the trust boundary Match to the valid pattern, rejecting anything that isn’t a perfect match Match to the valid pattern, rejecting anything that isn’t a perfect match Be aware of canonicalisation issues Be aware of canonicalisation issues Watch out for code injection (SQL, XSS, etc) Watch out for code injection (SQL, XSS, etc)

Download ppt "© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 14 Implementation Flaws Part 2: Malicious Input and Data Validation Issues."

Similar presentations

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.

Web Application Security An Introduction. OWASP Top Ten Exploits *Unvalidated Input Broken Access Control Broken Authentication and Session Management.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.

Dec 13 th CS555 presentation1 Yiwen Wang --“Securing the DB may be the single biggest action an organization can take to protect its assets” David C. Knox.
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
PHP Security.

PHP Security.
Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.

Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.

Similar presentations

Ads by Google