Computer Security Management (ISYS20261)
Lecture 9 - Web application attacks

Module Leader: Dr Xiaoqi Ma
School of Science and Technology
Today ...

… we will discuss:
• Session Hijacking
• Code injection
• Cross-site scripting (XSS)
• Pharming
• URL spoofing




Computer Security Management
Page 2
HTTP cookie (1)

• An HTTP cookie is a small piece of data sent from a website and stored
  in the user's web browser while the user is browsing that website.
   – When the user browses the same website in the future, the browser sends the
     cookie back with each request, so the website can recognise the user and
     recover their previous activity.

• Introduces state into otherwise stateless HTTP transactions; used by web servers
  to tell users apart and to keep data associated with a user across requests
• Data in the cookie might be random (an opaque identifier that the server looks
  up) or meaningful (e.g. a preference stored directly in the cookie)
• When the cookie is only an identifier, the server has to maintain its own store
  of session data keyed by that identifier
• Specification (minimum browser capacity, RFC 2109):
   – four kilobytes of data per cookie
   – browser stores at least 300 cookies
   – at least 20 cookies per server or domain
   – (RFC 6265 later raised these minimums to 50 cookies per domain and 3000 in total)
HTTP cookies (2)

• Example: one server, two clients (message sequence)
   1. Client1 → Server: page request (no cookie yet)
   2. Server → Client1: page data + cookie1
   3. Client1 → Server: page request + cookie1
   4. Server → Client1: page data (the server recognises Client1 by cookie1)
   5. Client2 → Server: page request + cookie2
   6. Server → Client2: page data (the server recognises Client2 by cookie2)

Session hijacking

• Session IDs:
  – typically granted to a visitor on their first visit to a site
  – may be invalidated once a certain goal has been met (e.g. logout, timeout,
    completed transaction)
  – often used to identify a user who has logged into a website
  – should be a long, randomly generated string; a short or predictable ID can be
    guessed or brute forced

• Session hijacking:
  – attacker uses a captured, brute-forced or reverse-engineered (predicted) session
    ID to seize control of a legitimate user's session while that session is still
    in progress
  – servers often perform additional verification of the client, e.g. locking a
    session ID to the client's IP address
  – simple measure, but only effective as long as the attacker cannot connect to
    the server from the same address: it fails when attacker and victim sit behind
    the same NAT or proxy (e.g. the same WiFi hotspot, which is exactly the
    sidejacking case on the next slide), and it breaks legitimate sessions whose
    address changes (mobile users, load-balanced proxies)

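The cookie exchange on the previous slides and the session-ID checks described above, as an added example that is not part of the lecture: a minimal server-side session store in Python. Everything in it (the SessionStore class, the client addresses 203.0.113.x and 198.51.100.x, the user names) is invented for the example. The ID is generated from the OS random source, and the optional IP check is the lock-to-address measure from the slide; the demo shows where that check helps and where it does not.

```python
import secrets


class SessionStore:
    """Server side of the cookie exchange: opaque session ID -> session data.
    The cookie carries only the random ID; user data never leaves the server."""

    def __init__(self, bind_to_ip=True):
        self._sessions = {}
        self.bind_to_ip = bind_to_ip

    def login(self, user, client_ip):
        # 32 bytes (256 bits) from the OS CSPRNG: neither guessable nor brute-forceable.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "ip": client_ip}
        return sid  # this is the value the server would send in "Set-Cookie: sid=..."

    def lookup(self, sid, client_ip):
        """Return the user behind a presented cookie, or None if the ID is
        unknown or (with bind_to_ip) arrives from a different address."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        if self.bind_to_ip and session["ip"] != client_ip:
            return None  # the slide's lock-to-IP check rejects the hijacker
        return session["user"]

    def logout(self, sid):
        # "may become invalid after a certain goal has been met": forget it server side
        self._sessions.pop(sid, None)


def weak_session_id(counter):
    """What NOT to do: a sequential ID. One observed ID lets an attacker
    enumerate every other live session with a handful of requests."""
    return f"sess-{counter:06d}"


def demo():
    store = SessionStore(bind_to_ip=True)
    alice_sid = store.login("alice", client_ip="203.0.113.10")   # Client1 gets cookie1
    bob_sid = store.login("bob", client_ip="203.0.113.20")       # Client2 gets cookie2

    results = {
        # Client1 presents cookie1 from the address that obtained it: recognised
        "alice_from_own_ip": store.lookup(alice_sid, "203.0.113.10"),
        # cookie2 never yields Alice's session: the server tells clients apart by cookie
        "bob_from_own_ip": store.lookup(bob_sid, "203.0.113.20"),
        # Ivan captured Alice's cookie but connects from elsewhere: IP binding blocks him
        "hijack_from_other_ip": store.lookup(alice_sid, "198.51.100.7"),
        # Ivan sits behind the same NAT/hotspot as Alice: IP binding is no help
        "hijack_from_same_ip": store.lookup(alice_sid, "203.0.113.10"),
        # an ID Ivan guessed that was never issued
        "guessed_id": store.lookup(weak_session_id(1), "203.0.113.10"),
    }
    store.logout(alice_sid)
    results["alice_after_logout"] = store.lookup(alice_sid, "203.0.113.10")
    return results


if __name__ == "__main__":
    for check, user in demo().items():
        print(f"{check:24} -> {user}")
```

Binding a session to the client address is a heuristic layered on top of an unguessable ID, not a substitute for one: with `bind_to_ip=False` the store behaves like the plain cookie exchange on the previous slide and `hijack_from_other_ip` succeeds, while with it enabled the same-address case still succeeds.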
Session sidejacking

• Attacker uses packet sniffing to read network traffic between two
  parties and steal the session cookie
• Web sites often use SSL/TLS encryption for the login page but not for the
  rest of the site once the user is authenticated
• The attacker can then read the network traffic and intercept all the data
  submitted to the server and every web page viewed by the client
• Since this traffic includes the session cookie, the attacker can
  impersonate the victim even though the password itself was never
  exposed
• Open (unencrypted) WiFi hotspots are particularly vulnerable, as anyone
  sharing the network can generally read most of the web traffic between
  other nodes and the access point
• Defence: serve the whole site over HTTPS, not just the login page, and mark the
  session cookie Secure so the browser never sends it over plain HTTP

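A check for the sidejacking scenario above, added here as an example and not taken from the lecture: a browser attaches any cookie that lacks the Secure attribute to plain http:// requests as well, which is exactly what a sniffer on an open hotspot reads. The Set-Cookie headers below are constructed for the example (not captured from any real site), and the list of "session-like" cookie names is an assumption used to decide which cookies matter.

```python
# Canonical spellings for rendering attributes back into a header.
CANONICAL = {"path": "Path", "domain": "Domain", "expires": "Expires", "max-age": "Max-Age",
             "secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

# Constructed sample of what a site might send after login (not from any real site).
SAMPLE_SET_COOKIE_HEADERS = [
    "sid=2f9c1e4d8b7a6f5e; Path=/; HttpOnly",                      # session cookie, no Secure
    "csrf=7b1a93c0; Path=/; Secure; SameSite=Strict",
    "lang=en; Path=/; Max-Age=31536000",                            # preference, not sensitive
    "remember=ab12cd34ef56; Path=/; Secure; HttpOnly; SameSite=Lax",
]

# Assumption: cookies whose name contains one of these carry a session or credential.
SESSION_LIKE_NAMES = ("sid", "sess", "phpsessid", "jsessionid", "remember", "auth", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute names are lower-cased; flags such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        if not p:
            continue
        key, has_value, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def sent_over_plain_http(attrs):
    """True if a browser would attach this cookie to an http:// request,
    i.e. what a sniffer on an open WiFi network gets to read."""
    return attrs.get("secure") is not True


def looks_like_session_cookie(name):
    lowered = name.lower()
    return any(tag in lowered for tag in SESSION_LIKE_NAMES)


def audit_set_cookie_headers(headers):
    """Findings for every session-like cookie, as (name, problem) pairs."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if not looks_like_session_cookie(name):
            continue
        if sent_over_plain_http(attrs):
            findings.append((name, "missing Secure: sent in cleartext on http:// requests"))
        if attrs.get("httponly") is not True:
            findings.append((name, "missing HttpOnly: readable by injected script"))
        if "samesite" not in attrs:
            findings.append((name, "missing SameSite: attached to cross-site requests"))
    return findings


def harden(header):
    """Rewrite a Set-Cookie header so the cookie only travels over TLS, is
    invisible to script and is not sent on cross-site requests."""
    name, value, attrs = parse_set_cookie(header)
    attrs["secure"] = True
    attrs["httponly"] = True
    attrs.setdefault("samesite", "Lax")
    rendered = [f"{name}={value}"]
    for key, val in attrs.items():
        label = CANONICAL.get(key, key)
        rendered.append(label if val is True else f"{label}={val}")
    return "; ".join(rendered)


if __name__ == "__main__":
    for name, problem in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{name}: {problem}")
    print("hardened:", harden(SAMPLE_SET_COOKIE_HEADERS[0]))
```

The Secure flag only works if every page the user needs is reachable over HTTPS; otherwise the browser simply stops sending the cookie and the user is logged out, which is why the fix on the slide is "encrypt the whole site", not just "add a flag". HttpOnly is included because the same cookie is the target of the script-based theft on the XSS slides later in this lecture.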
Code injection

• Breaking into applications by feeding them invalid (attacker-crafted) data that
  the application processes without proper validation
• Used by an attacker to introduce code into a computer program and
  change the course of execution: data supplied as input ends up being
  interpreted as code (SQL, PHP, shell commands, ...)
• Examples
  – SQL injection
  – PHP injection
  – Etc.

SQL injection example

• Takes advantage of the syntax of SQL to inject commands that
  change the meaning of the original query
• Statement, built by string concatenation in the application:
  – "SELECT * FROM users WHERE name = '" + name + "';"

• If the user enters   a' or 't'='t   for name, the statement becomes
  – SELECT * FROM users WHERE name = 'a' OR 't'='t';

• Forces the selection of all rows (every user) because 't'='t' is
  always true!
• Defence:
  – Parameterised queries (prepared statements), which keep the data out of the
    SQL text altogether
  – Input validation
  – Escaping dangerous characters (fragile: it must be done in every query and
    does not help in numeric or identifier positions)
  – Etc.

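The query from the slide, run three ways against an in-memory SQLite table, as an added example that is not part of the lecture. The rows in the table are constructed for the example. It goes one step beyond the slide: the last two functions put the same idea into a numeric position, where there is no quote to escape, to show why escaping is listed as the weaker defence.

```python
import sqlite3

PAYLOAD = "a' or 't'='t"          # the input from the slide
NUMERIC_PAYLOAD = "1 OR 1=1"      # same idea in a numeric position, where quotes play no part


def make_db():
    """In-memory table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "user"), ("bob", "user"), ("admin", "admin")])
    return conn


def names(cursor):
    return sorted(row[0] for row in cursor)


def by_name_vulnerable(conn, name):
    """String concatenation exactly as on the slide: the input becomes SQL syntax."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return names(conn.execute(sql))


def by_name_escaped(conn, name):
    """Escaping the dangerous character: inside a SQL string literal a quote is
    written as two quotes. Defeats this payload, but only if nobody ever forgets."""
    sql = "SELECT name FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return names(conn.execute(sql))


def by_name_parameterised(conn, name):
    """Parameterised query: the value travels beside the statement and is never parsed as SQL."""
    return names(conn.execute("SELECT name FROM users WHERE name = ?", (name,)))


def by_id_vulnerable(conn, id_text):
    """Numeric position: there are no quotes, so quote-escaping cannot help here."""
    sql = "SELECT name FROM users WHERE id = " + id_text.replace("'", "''")
    return names(conn.execute(sql))


def by_id_parameterised(conn, id_text):
    """Validate the type first, then bind the value."""
    try:
        user_id = int(id_text)
    except ValueError:
        return []  # reject anything that is not an integer
    return names(conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)))


def demo():
    conn = make_db()
    return {
        "vulnerable": by_name_vulnerable(conn, PAYLOAD),
        "escaped": by_name_escaped(conn, PAYLOAD),
        "parameterised": by_name_parameterised(conn, PAYLOAD),
        "normal_lookup": by_name_parameterised(conn, "alice"),
        "numeric_escaped_still_vulnerable": by_id_vulnerable(conn, NUMERIC_PAYLOAD),
        "numeric_parameterised": by_id_parameterised(conn, NUMERIC_PAYLOAD),
        "numeric_normal": by_id_parameterised(conn, "3"),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:34} -> {rows}")
```

The vulnerable lookup returns every user for the slide's payload; the escaped and parameterised lookups return nothing, because there is no user literally named `a' or 't'='t`. In the numeric case the escaped query still returns every user, while the parameterised one rejects the input before it reaches the database.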
Cross site scripting (XSS) (1)

• Possible in web applications that allow malicious web users to inject code
  into the web pages viewed by other users
• Examples of what gets injected:
  – HTML code
  – client-side scripts
  – etc

• Can be used by attackers to bypass access controls such as the browser's
  same-origin policy: the injected script runs with the origin of the
  vulnerable site and therefore with access to its cookies and pages
• 2007: cross-site scripting vulnerabilities in websites made up roughly 80%
  of all documented security vulnerabilities
• Usually the end-user does not notice that he/she is subject to
  unauthorised access, theft of sensitive data, and financial loss

Cross site scripting (XSS) (2)

• Different Types:
  – Type 0: Document Object Model (DOM)-based
  – Type 1: Non-Persistent (reflected)
  – Type 2: Persistent (stored)

• Type 1 most common, type 2 most dangerous (one stored post reaches every
  reader, with no need to lure each victim to a crafted link)

Type 0

1. Ivan sends a URL to Alice (via email or another mechanism) of a
   maliciously constructed web page
2. Alice clicks on the link
3. The malicious web page's JavaScript opens a vulnerable HTML
   page installed locally on Alice's computer
4. The vulnerable HTML page contains JavaScript which executes in
   Alice's computer's local zone, where the browser grants a local file
   more privileges than a page loaded from the internet
5. Ivan's malicious script now may run commands with the privileges
   Alice holds on her own computer

• What makes this "DOM-based": no server ever sees the payload; the vulnerable
  page's own client-side script writes attacker-controlled data into the document

Type 1 (1)

1. Alice often visits a particular website, which is hosted by Bob.
   Bob's website allows Alice to log in with a username/password pair
   and store sensitive information, e.g. billing information
2. Ivan observes that Bob's website contains a reflected (type 1) XSS
   vulnerability
3. Ivan crafts a URL to exploit the vulnerability, and sends Alice an
   email, making it look as if it came from Bob (spoofing)
4. Alice visits the URL provided by Ivan while logged into Bob's
   website
5. The malicious script embedded in the URL executes in Alice's
   browser, as if it came directly from Bob's server. The script steals
   sensitive information and sends this to Ivan’s web server without
   Alice's knowledge
Type 1 (2)

• Website that offers search functionality:
  http://website.com/?search=name

• Website echoes (reflects) the input into the page without checking:
  <p>You were looking for: name</p>

• If   <script type="text/javascript">alert("XSS")</script>   is supplied as name,
  the server echoes the script and the victim's browser executes it as part of
  website.com's page:
  <p>You were looking for: <script type="text/javascript">alert("XSS")</script></p>

• Output encoding is the fix: if the server HTML-encodes the reflected value
  (&lt;script&gt; instead of <script>), the browser displays it as text
  instead of running it

Type 2 (1)

1. Bob hosts a web site which allows users to post messages and
   other content to the site for later viewing by other members
2. Ivan notices that Bob's website is vulnerable to a type 2 XSS
   attack
3. Ivan posts a message that contains a (hidden) script
4. By viewing the posted message, site users' session cookies or
   other credentials could be taken and sent to Ivan's web server
   without their knowledge
5. Later, Ivan logs in as other site users and posts messages on their
   behalf....




Type 2 (2)

• If a web site offers a guest book facility, the attacker enters for example:
    Nice web site!<script type="text/javascript">alert("XSS")</script>

• Every user who reads the guest book executes the attacker's script, on every
  visit, until the entry is removed

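The reflected search page (Type 1) and the guest book (Type 2) from the slides, rendered once without output encoding and once with it, as an added example that is not part of the lecture. The payloads are the ones on the slides; the attribute-breakout string, the helper names and the http/https allow-list are assumptions made for the example. It also shows the two places where plain HTML-escaping is not enough: an attribute value and a URL in an href.

```python
import html
from urllib.parse import urlsplit

XSS_PAYLOAD = '<script type="text/javascript">alert("XSS")</script>'   # from the slides
GUESTBOOK_PAYLOAD = "Nice web site!" + XSS_PAYLOAD                       # from the slides
ATTRIBUTE_PAYLOAD = '" onfocus="alert(1)'                                # constructed: attribute breakout


def render_search_vulnerable(term):
    """Type 1: the search parameter is copied straight into the HTML body."""
    return f"<p>You were looking for: {term}</p>"


def render_search_safe(term):
    """HTML text context: < > & " ' become entities, so the browser shows text."""
    return f"<p>You were looking for: {html.escape(term)}</p>"


def render_guestbook_vulnerable(entries):
    """Type 2: stored entries are emitted unchanged for every reader."""
    return "<ul>" + "".join(f"<li>{entry}</li>" for entry in entries) + "</ul>"


def render_guestbook_safe(entries):
    return "<ul>" + "".join(f"<li>{html.escape(entry)}</li>" for entry in entries) + "</ul>"


def render_prefill_safe(term):
    """Attribute context: quote=True (the default) also encodes the quote characters;
    without it ATTRIBUTE_PAYLOAD would close value="..." and add an event handler."""
    return f'<input name="search" value="{html.escape(term, quote=True)}">'


def safe_href(url):
    """URL context: entity encoding does nothing against javascript:alert(1) in an
    href, so only allow the schemes you expect (assumption: http and https)."""
    return url if urlsplit(url).scheme in ("http", "https") else "#"


def contains_live_script(markup):
    """Rough check used by the demo: an unencoded <script start tag is present."""
    return "<script" in markup.lower()


def demo():
    entries = ["Great lecture", GUESTBOOK_PAYLOAD]   # constructed guest book content
    return {
        "reflected_vulnerable": contains_live_script(render_search_vulnerable(XSS_PAYLOAD)),
        "reflected_safe": contains_live_script(render_search_safe(XSS_PAYLOAD)),
        "stored_vulnerable": contains_live_script(render_guestbook_vulnerable(entries)),
        "stored_safe": contains_live_script(render_guestbook_safe(entries)),
        "attribute_breakout": '" onfocus="' in render_prefill_safe(ATTRIBUTE_PAYLOAD),
        "javascript_href_blocked": safe_href("javascript:alert(1)") == "#",
    }


if __name__ == "__main__":
    print(render_search_safe(XSS_PAYLOAD))
    for check, flag in demo().items():
        print(f"{check:26} -> {flag}")
```

Escaping has to match the context the data lands in: `html.escape` is right for text nodes and (with `quote=True`) for quoted attribute values, but a `javascript:` URL survives entity encoding untouched, so URL contexts need an allow-list of schemes instead.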
Pharming

• Attempt to subvert the DNS so that network traffic is redirected to a
  malicious system
• Can be achieved by
  – attacking DNS servers and planting bogus data in their cache (cache poisoning),
    so that when a site's IP address is requested that of the attacker's site is
    supplied instead
  – changing the hosts file on the local system, which is consulted before DNS,
    so that certain sites are redirected

• The victim's attempts to access those sites are redirected silently
  and invisibly: the browser still shows the expected domain name
• Can be hard to detect locally; for an HTTPS site the attacker's server
  cannot present a valid certificate for the real name, so a certificate
  warning is often the only visible sign

URL spoofing

• Common way to redirect a user to a web site that looks authentic
• This web site might be a spoof with templates that look identical to
  the actual web site
• Users enter their login information into the fake web site, providing
  the attacker with credentials that can be used to enter the real web site
• Example: www.google.com@members.aol.com looks like a URL to
  the google search engine but in reality it is a URL to the
  members.aol.com server: in http://user@host/ everything before the @ is
  the (optional) user name, and the host is whatever follows it
• Modern browsers hide or warn about the user-name part, but the parsing
  rule is unchanged, so judge a link by its host part, not by how it starts
