2. Buffer Overflows
O Many languages require buffer size declaration
O C language statement: char sample[10];
O Execute statement: sample[i] = 'A'; where i=10
O Out of bounds (0-9) subscript – buffer overflow occurs
O Some compilers don’t check for exceeding bounds
O Similar problem caused by pointers. No reasonable way to define limits for pointers
IFETCE/M.E CSE/NE7202-NIS/Unit 4 2
4. Buffer Overflows, cont.
O Where does the last 'A' go? Depends on what is adjacent to 'sample[10]'
O Affects user’s data – overwrites user’s data
O Affects user’s code – changes user’s instruction
O Affects OS data – overwrites OS data
O Affects OS code – changes OS instruction, unpredictable results
O This is a case of aliasing
5. Buffer Overflows
Security Implication
O Attacker replaces code in the system space and takes control back from the operating system
O Suppose buffer overflow affects OS code area:
O Attacker code executed as if it were OS code
O Attacker might need to experiment to see what happens when he inserts A into OS code area
O Can raise attacker’s privileges (to OS privilege level) when A is an appropriate instruction
O Attacker can gain full control of OS
6. Buffer Overflows
Security Implication
O Attacker uses the stack pointer or return register to execute other code
O Parameter passing to web server
O http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
O What if one of the parameters is made longer?
O Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code
7. Summary
O Buffer overflows still common
O Used by attackers
O to crash systems
O to exploit systems by taking over control
O Large # of vulnerabilities due to buffer overflows
8. Incomplete Mediation
O Sensitive data are in exposed, uncontrolled condition
O Example
O URL to be generated by client’s browser to access server, e.g.: http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
O Instead, user edits URL directly, changing price and total cost as follows: http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
O Security Implication
O Easy to exploit – Things, Inc. example
9. Incomplete Mediation, cont.
O Unchecked data are a serious vulnerability!
O Possible solution: anticipate problems
O Don’t let client return a sensitive result (like total) that can be easily recomputed by server
O Use drop-down boxes / choice lists for data input
O Prevent user from editing input directly
O Check validity of data values received from client
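The mediation slides 8 and 9 describe, carried through as an added example (not from the original slides): the server parses the Things, Inc. order URL, ignores the client-supplied price and total, recomputes the total from its own catalogue, and rejects values outside what it allows. The catalogue, shipping table and function names are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed server-side catalogue and shipping table: the only trusted
# source of prices. Client-supplied price/shipcost/total are never used.
CATALOGUE = {"555A": 10}
SHIPPING = {"boat": 5, "air": 20}


def parse_order_url(url: str) -> dict:
    """Split the slide-style URL (path, then '&'-separated fields) into a dict."""
    _, _, query = url.partition("&")
    return {k: v[0] for k, v in parse_qs(query).items()}


def mediate_order(url: str) -> dict:
    """Return the server's view of the order with the total recomputed.

    Raises ValueError when client data is outside what the server allows
    (unknown part, unknown shipping method, quantity out of range, or a
    non-numeric field), which is the 'check validity' step on slide 9.
    """
    fields = parse_order_url(url)
    part = fields.get("part")
    if part not in CATALOGUE:
        raise ValueError(f"unknown part {part!r}")
    ship = fields.get("ship")
    if ship not in SHIPPING:
        raise ValueError(f"unknown shipping method {ship!r}")
    qty = int(fields.get("qy", "0"))
    if not 1 <= qty <= 1000:
        raise ValueError(f"quantity {qty} out of range")
    # The sensitive result (total) is recomputed here, never taken from the client.
    total = qty * CATALOGUE[part] + SHIPPING[ship]
    # Record a mismatch between the client's claimed total and ours for logging.
    claimed = fields.get("total")
    tampered = claimed is not None and int(claimed) != total
    return {"custID": fields.get("custID"), "part": part, "qty": qty,
            "ship": ship, "total": total, "tampered": tampered}
```

Feeding the edited URL from slide 8 still yields a total of 205, and the mismatch is flagged rather than honoured.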
10. Attacking the Web Application
O Web application:
O takes input strings from the user and interprets them.
O Interacts with back-end database.
O Retrieves data and dynamically generates new content.
O Presents the output to the user.
O The threat – Command Injection Attack:
O Unexpected input may cause problems.
11. What is code injection?
• Code injection is the exploitation of a computer bug that is caused by processing invalid data.
• Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution.
• The results of a code injection attack can be disastrous.
13. Code injection can do
• Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from defacement of a web site to serious compromise of sensitive data.
• Install malware on a computer by exploiting code injection vulnerabilities in a web browser or its plugins when the user visits a malicious site.
14. Code injection can do
• Install malware or execute malevolent code on a server, by PHP or ASP Injection.
• Privilege escalation to root permissions by exploiting Shell Injection vulnerabilities in a setuid root binary on UNIX.
• Privilege escalation to Local System permissions by exploiting Shell Injection vulnerabilities in a service on Windows.
• Stealing sessions/cookies from web browsers using HTML/Script Injection (Cross-site scripting).
15. Different types of Code injection
• SQL injection
• LDAP Injection
• OS Command Injection
• Cross-Site Scripting (“XSS”)
16. SQL injection
• A SQL injection attack consists of injection of malicious SQL commands via input data from the client to the application.
• Affects the execution of predefined SQL commands.
17. SQL injection
• SQL injection consists of direct insertion of code into user-input variables which are concatenated with SQL commands and executed.
• A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
• When the stored strings are subsequently concatenated into dynamic SQL commands, the malicious code is then executed.
18. Web Application Architecture
Web browser -> Application -> Database
Application generates query based on user input
19. SQLCIAs - Example
String query = "SELECT cardnum FROM accounts " +
               "WHERE username = '" + strUName +
               "' AND cardtype = " + strCType + ";";
Expected input:
SELECT cardnum FROM accounts
WHERE username = 'John'
AND cardtype = 2;
Result: Returns John’s saved credit card number.
20. SQLCIAs - Example
String query = "SELECT cardnum FROM accounts " +
               "WHERE username = '" + strUName +
               "' AND cardtype = " + strCType + ";";
Malicious input:
SELECT cardnum FROM accounts
WHERE username = 'John'
AND cardtype = 2 OR 1 = 1;
Result: Returns all saved credit card numbers.
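The query from slides 19 and 20 rebuilt in Python against an in-memory SQLite table, as an added example that is not part of the original slides: the concatenated form returns every card when strCType is "2 OR 1 = 1", while the hardened form type-checks the field and binds both values as parameters. The table contents and function names are constructed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory accounts table matching the slide's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, cardnum TEXT, cardtype INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                     [("John", "4111-0000-0000-1111", 2),
                      ("Mary", "5500-0000-0000-2222", 1)])
    return conn


def cards_concatenated(conn: sqlite3.Connection, str_uname: str, str_ctype: str) -> list:
    """The slide's query built by string concatenation (vulnerable form).

    With str_ctype = "2 OR 1 = 1" the WHERE clause becomes
    (username = 'John' AND cardtype = 2) OR 1 = 1, so every row matches.
    """
    query = ("SELECT cardnum FROM accounts WHERE username = '" + str_uname
             + "' AND cardtype = " + str_ctype + ";")
    return [row[0] for row in conn.execute(query)]


def cards_parameterised(conn: sqlite3.Connection, str_uname: str, str_ctype: str) -> list:
    """Hardened form: validate the type first, then bind values as parameters.

    The driver sends the values separately from the SQL text, so input is
    data and can never change the structure of the predefined command.
    """
    try:
        ctype = int(str_ctype)  # cardtype must be an integer; anything else is rejected
    except ValueError:
        raise ValueError(f"cardtype must be an integer, got {str_ctype!r}") from None
    query = "SELECT cardnum FROM accounts WHERE username = ? AND cardtype = ?;"
    return [row[0] for row in conn.execute(query, (str_uname, ctype))]
```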
21. 4. Inference
O Way to infer / derive sensitive data from nonsensitive data
22. Direct Attack
O A user tries to determine values of sensitive fields by seeking them
O A sensitive query:
O List NAME where SEX=M ^ DRUGS=1
O A less obvious query:
O List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)
23. Direct Attack (Cont…)
O Do not reveal results when a small number of people make up a large proportion of a category.
O The rule of "n items over k percent" means that data should be withheld if n items represent over k percent of the result reported.
24. Indirect Attack
O Sum - An attack by sum tries to infer a value from a reported sum.
O Count - The count can be combined with the sum to produce some even more revealing results.
O Mean - The arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
O Median
O Tracker Attacks – using additional queries that produce small results
25. Indirect Attack
O Sum
O Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
O Count
O Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
O List NAME where (SEX=M ^ DORM=Holmes)
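The "n items over k percent" rule from slide 23 applied to the STUDENT-AID sum queries of slide 25, as an added example (not from the original slides): the sum is released only when no n respondents dominate it, so a one- or two-person dorm category is withheld. The student records are constructed sample data.

```python
from typing import Callable, Optional

# Constructed sample records (not from the slides); the fields mirror the
# STUDENT-AID / SEX / DORM attributes used in the slide 25 queries.
STUDENTS = [
    {"name": "Adams",   "sex": "F", "dorm": "Grey",   "aid": 5000},
    {"name": "Bailey",  "sex": "F", "dorm": "Grey",   "aid": 0},
    {"name": "Chin",    "sex": "M", "dorm": "Holmes", "aid": 3000},
    {"name": "Dewitt",  "sex": "M", "dorm": "Holmes", "aid": 1000},
    {"name": "Earhart", "sex": "F", "dorm": "West",   "aid": 2000},
    {"name": "Fein",    "sex": "M", "dorm": "West",   "aid": 1500},
    {"name": "Groff",   "sex": "F", "dorm": "West",   "aid": 2500},
]


def nk_sum(rows: list, where: Callable[[dict], bool], field: str,
           n: int, k: float) -> Optional[int]:
    """Sum `field` over the rows matching `where`, or None when withheld.

    Withheld under the 'n items over k percent' rule: if the n largest
    contributions exceed k percent of the total, releasing the sum would
    let the querier infer those individuals' values. A category with n or
    fewer members is always withheld, since n items are then all of it.
    """
    values = sorted((r[field] for r in rows if where(r)), reverse=True)
    total = sum(values)
    if len(values) <= n:
        return None
    if total > 0 and 100 * sum(values[:n]) / total > k:
        return None
    return total
```

With n=1 and k=50, "STUDENT-AID WHERE SEX=F ^ DORM=Grey" is withheld because one student accounts for the whole sum, while the three-person West dorm total is released.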
27. Controls
O Suppression – don’t provide sensitive data
O Concealing – don’t provide actual values (“close to”)
O Limited Response Suppression
O n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)
28. Controls
O Combined Results
O Sums
O Ranges
O Rounding
O Random Sample
O Random Data Perturbation
O Query Analysis – “should the result be provided”
29. Conclusion on the Inference Problem
O No perfect solutions to the inference problem.
O The approaches to controlling it:
O Suppress obviously sensitive information
O Track what the user knows
O Disguise the data
30. Cross-Site Scripting (XSS)
O Occurs any time…
O Raw data from attacker is sent to an innocent user
O Raw data…
O Stored in database
O Reflected from web input (form field, hidden field, url, etc…)
O Sent directly into rich JavaScript client
O Virtually every web application has this problem
O Try this in your browser – javascript:alert(document.cookie)
31. XSS (Cont…)
O Allows embedding of malicious code:
O JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
O Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...
32. XSS Types
O Reflected
O Link in other website / e-mail link
O Stored
O e.g. bulletin board, forum
O DOM-Based
33. Cross-Site Scripting Illustrated
[Diagram: application with a stored XSS vulnerability; back-end modules shown are Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions and Custom Code]
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim’s browser with full access to the DOM and cookies
3. Script silently sends attacker Victim’s session cookie
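The stored XSS flow of slide 33 and the document.cookie check of slide 30, as an added example (not from the original slides): a profile field rendered raw carries the stored script to every viewer, output-encoding it for the HTML body context neutralises it, and marking the session cookie HttpOnly keeps a script that does run from reading it via document.cookie. The profile text and function names are constructed.

```python
import html
from http.cookies import SimpleCookie

# Constructed stored "profile" text of the kind slide 33 describes; it
# reuses the same alert(document.cookie) probe that slide 30 suggests.
ATTACKER_PROFILE = "<script>alert(document.cookie)</script>"


def render_profile_unsafe(profile: str) -> str:
    """Vulnerable: stored text is interpolated into the page verbatim,
    so the browser of every viewer parses it as markup and runs it."""
    return f"<div class='profile'>{profile}</div>"


def render_profile_safe(profile: str) -> str:
    """Hardened: encode for the HTML body context before interpolation.
    '<' and '>' become entities, so the stored text is displayed, not run."""
    return f"<div class='profile'>{html.escape(profile, quote=True)}</div>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session: HttpOnly hides it from
    document.cookie, Secure keeps it off plaintext HTTP, SameSite=Lax
    limits cross-site sending."""
    cookie = SimpleCookie()
    cookie["SESSION"] = session_id
    cookie["SESSION"]["httponly"] = True
    cookie["SESSION"]["secure"] = True
    cookie["SESSION"]["samesite"] = "Lax"
    return cookie.output(header="").strip()
```

Running the slide 30 probe in a browser against a site that sets its session cookie this way shows an alert without the session value in it, because HttpOnly cookies are excluded from document.cookie.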