  1. Common Vulnerabilities
     • Buffer Overflows
     • Incomplete Mediation
     • Command Injection Attack
     • Inference
     • Cross-Site Scripting
  2. Buffer Overflows
     • Many languages require buffer size declaration
     • C language statement: char sample[10];
     • Execute statement: sample[i] = 'A'; where i=10
     • Out of bounds subscript (valid range is 0-9): a buffer overflow occurs
     • Some compilers don't check for exceeding bounds
     • Similar problem caused by pointers; no reasonable way to define limits for pointers
     IFETCE/M.E CSE/NE7202-NIS/Unit 4
  3. Buffer Overflows
     • Example (the loop deliberately writes sample[10], one past the end of the array):
         char sample[10];
         int i;
         for (i = 1; i <= 10; i++)
             sample[i] = 'A';
  4. Buffer Overflows, cont.
     • Where does the last 'A' go? Depends on what is adjacent to sample[10]
     • Affects user's data: overwrites user's data
     • Affects user's code: changes user's instructions
     • Affects OS data: overwrites OS data
     • Affects OS code: changes OS instructions, unpredictable results
     • This is a case of aliasing
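The "where does the last 'A' go?" question, as an added Python model that is not part of the slides: real memory has no fences between variables, so the write to sample[10] lands in whatever the compiler placed next to the array. A bytearray stands in for that flat memory, with an assumed layout of ten bytes for `sample` followed by a 4-byte integer `count` that the program also relies on; the unchecked loop is the slide's, the checked loop adds the bound the compiler did not.

```python
# Added example (not from the slides): a model of the aliasing effect of an
# out-of-bounds write. Assumed layout: char sample[10] immediately followed
# by a 4-byte little-endian int `count`, as two adjacent C locals might be.
import struct

SAMPLE_SIZE = 10            # char sample[10];
COUNT_OFFSET = SAMPLE_SIZE  # `count` sits right after the array (assumption)


def make_memory(count_value):
    """Lay out sample[10] followed by a 4-byte int in one flat buffer."""
    mem = bytearray(SAMPLE_SIZE)
    mem += struct.pack("<i", count_value)
    return mem


def read_count(mem):
    """Read `count` back the way the program would (4 bytes at its offset)."""
    return struct.unpack_from("<i", mem, COUNT_OFFSET)[0]


def unchecked_fill(mem, first, last):
    """Mirrors the slide's loop: for (i = first; i <= last; i++) sample[i] = 'A';
    There is no bounds check, so index 10 silently aliases the first byte of `count`."""
    for i in range(first, last + 1):
        mem[i] = ord("A")
    return mem


def checked_fill(mem, first, last):
    """Same loop with the check the compiler did not insert: refuse any index
    outside 0..SAMPLE_SIZE-1 before touching memory."""
    for i in range(first, last + 1):
        if not 0 <= i < SAMPLE_SIZE:
            raise IndexError(f"sample[{i}] is out of bounds (valid: 0..{SAMPLE_SIZE - 1})")
        mem[i] = ord("A")
    return mem


def demo():
    """Returns (count after the unchecked loop, count after the checked loop, error text)."""
    vulnerable = unchecked_fill(make_memory(7), 1, 10)
    clobbered = read_count(vulnerable)   # low byte of 7 replaced by 0x41 ('A') -> 65

    safe = make_memory(7)
    try:
        checked_fill(safe, 1, 10)
        error = None
    except IndexError as e:
        error = str(e)
    return clobbered, read_count(safe), error


if __name__ == "__main__":
    clobbered, intact, error = demo()
    print("unchecked loop: count changed from 7 to", clobbered)
    print("checked loop:   count still", intact, "-", error)
```

The value 7 becoming 65 is the slide's "affects user's data" case; had the adjacent bytes been a return address or code, the same single byte would change control flow instead, which is why the result is called unpredictable.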
  5. Buffer Overflows: Security Implication
     • Attacker replaces code in the system space and takes control back from the operating system
     • Suppose the buffer overflow affects the OS code area:
       • Attacker code is executed as if it were OS code
       • Attacker might need to experiment to see what happens when he inserts A into the OS code area
       • Can raise the attacker's privileges (to OS privilege level) when A is an appropriate instruction
       • Attacker can gain full control of the OS
  6. Buffer Overflows: Security Implication
     • Attacker uses the stack pointer or return register to execute other code
     • Parameter passing to a web server:
       m1=(808)555-1212&parm2=2004Jan01
     • What if one of the parameters is made longer?
     • Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code
  7. Summary
     • Buffer overflows are still common
     • Used by attackers
       • to crash systems
       • to exploit systems by taking over control
     • A large number of vulnerabilities are due to buffer overflows
  8. Incomplete Mediation
     • Sensitive data are in an exposed, uncontrolled condition
     • Example:
       • URL generated by the client's browser to access the server, e.g.:
         order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
       • Instead, the user edits the URL directly, changing price and total cost as follows:
         /order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
     • Security Implication
       • Easy to exploit (Things, Inc. example)
  9. Incomplete Mediation, cont.
     • Unchecked data are a serious vulnerability!
     • Possible solution: anticipate problems
       • Don't let the client return a sensitive result (like total) that can easily be recomputed by the server
       • Use drop-down boxes / choice lists for data input
       • Prevent the user from editing input directly
       • Check the validity of data values received from the client
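The server-side check behind "don't let the client return a result the server can recompute", as an added Python example that is not part of the slides. The field names (custID, part, qy, price, ship, shipcost, total) are the ones in the order URL two slides up; the catalogue prices, the host name and the "?" separator in the URL are constructed for this example.

```python
# Added example (not from the slides): recompute the order from server-held
# data and treat the client's price/shipcost/total as claims to be checked.
from urllib.parse import urlsplit, parse_qs

# Server-side source of truth; the client never supplies these. (constructed)
CATALOGUE = {"555A": 10}             # part number -> unit price
SHIPPING = {"boat": 5, "air": 20}    # shipping method -> cost


class RejectedOrder(ValueError):
    """Raised for any order the server will not accept as sent."""


def _one(params, key):
    """Require exactly one value for a field; missing or repeated fields are rejected."""
    values = params.get(key, [])
    if len(values) != 1:
        raise RejectedOrder(f"field {key!r} missing or repeated")
    return values[0]


def price_order(url):
    """Validate every field the server needs, recompute the money, then compare."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    cust_id = _one(params, "custID")
    part = _one(params, "part")
    ship = _one(params, "ship")
    qty_text = _one(params, "qy")
    try:
        qty = int(qty_text)
    except ValueError:
        raise RejectedOrder(f"qy is not an integer: {qty_text!r}")
    if not 1 <= qty <= 1000:
        raise RejectedOrder("qy out of range")
    if part not in CATALOGUE:
        raise RejectedOrder("unknown part")
    if ship not in SHIPPING:
        raise RejectedOrder("unknown shipping method")

    expected_total = CATALOGUE[part] * qty + SHIPPING[ship]

    # price, shipcost and total are recomputable, so the client's copies carry
    # no authority. A mismatch means the URL was edited on the way in.
    for key, server_value in (("price", CATALOGUE[part]),
                              ("shipcost", SHIPPING[ship]),
                              ("total", expected_total)):
        if key in params:
            client_value = _one(params, key)
            if client_value != str(server_value):
                raise RejectedOrder(f"{key} tampered: client sent {client_value}, "
                                    f"server computed {server_value}")

    return {"custID": cust_id, "part": part, "qty": qty, "ship": ship, "total": expected_total}


# The two URLs from the slide, with a constructed host and "?" separator.
GENUINE = "https://shop.example/order/final?custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205"
EDITED = "https://shop.example/order/final?custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25"

if __name__ == "__main__":
    print(price_order(GENUINE))
    try:
        price_order(EDITED)
    except RejectedOrder as e:
        print("rejected:", e)
```

The point of the loop at the end is that the server could simply ignore the client's price and total; comparing them as well turns a silent correction into a logged rejection, which is the signal a defender wants when URLs are being edited.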
  10. Attacking the Web Application
     • Web application:
       • takes input strings from the user and interprets them
       • interacts with a back-end database
       • retrieves data and dynamically generates new content
       • presents the output to the user
     • The threat: Command Injection Attack
       • Unexpected input may cause problems
  11. What is code injection?
     • Code injection is the exploitation of a computer bug that is caused by processing invalid data.
     • Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution.
     • The results of a code injection attack can be disastrous.
  12. Code Injection
  13. Code injection can do
     • Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from defacement of a web site to serious compromise of sensitive data.
     • Install malware on a computer by exploiting code injection vulnerabilities in a web browser or its plugins when the user visits a malicious site.
  14. Code injection can do (cont.)
     • Install malware or execute malevolent code on a server, by PHP or ASP injection.
     • Privilege escalation to root permissions by exploiting shell injection vulnerabilities in a setuid root binary on UNIX.
     • Privilege escalation to Local System permissions by exploiting shell injection vulnerabilities in a service on Windows.
     • Stealing sessions/cookies from web browsers using HTML/script injection (cross-site scripting).
  15. Different types of code injection
     • SQL injection
     • LDAP injection
     • OS command injection
     • Cross-Site Scripting ("XSS")
  16. SQL injection
     • A SQL injection attack consists of injection of malicious SQL commands via input data from the client to the application
     • It affects the execution of predefined SQL commands
  17. SQL injection
     • SQL injection consists of direct insertion of code into user-input variables which are concatenated with SQL commands and executed.
     • A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
     • When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious code is then executed.
  18. Web Application Architecture
     Web browser -> Application -> Database
     • Application generates the query based on user input
  19. SQLCIAs - Example
     String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";
     Expected input:
       SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2;
     Result: Returns John's saved credit card number.
  20. SQLCIAs - Example (cont.)
     String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";
     Malicious input:
       SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1;
     Result: Returns all saved credit card numbers.
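The two slides above, run for real against an in-memory SQLite table, as an added Python example that is not part of the slides. The account rows are constructed test data; the concatenated query is the slide's, and the hardened version beside it uses bound parameters plus an integer conversion for cardtype, so the same "2 OR 1 = 1" input is refused before it reaches the database.

```python
# Added example (not from the slides): the slide's concatenated query versus a
# parameterized query, using Python's standard sqlite3 module.
import sqlite3


def make_db():
    """Constructed accounts table with one row per user; card numbers are fake."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, cardtype INTEGER, cardnum TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("John", 2, "4111-0000-0000-0001"),
        ("Mary", 1, "5500-0000-0000-0002"),
        ("Omar", 2, "3400-0000-0000-0003"),
    ])
    return conn


def cards_concat(conn, str_uname, str_ctype):
    """Vulnerable: the slide's string concatenation. strCType becomes part of the
    statement text, so '2 OR 1 = 1' rewrites the WHERE clause."""
    query = ("SELECT cardnum FROM accounts WHERE username = '" + str_uname +
             "' AND cardtype = " + str_ctype + ";")
    return [row[0] for row in conn.execute(query)]


def cards_param(conn, str_uname, str_ctype):
    """Hardened: the statement text is fixed and both inputs travel as bound
    parameters. cardtype is converted to int first, so anything that is not a
    number is rejected before the database sees it."""
    try:
        ctype = int(str_ctype)
    except ValueError:
        raise ValueError(f"cardtype must be an integer, got {str_ctype!r}")
    query = "SELECT cardnum FROM accounts WHERE username = ? AND cardtype = ?;"
    return [row[0] for row in conn.execute(query, (str_uname, ctype))]


def demo():
    """Returns row counts: (expected input, malicious input, parameterized, refused?)."""
    conn = make_db()
    expected = cards_concat(conn, "John", "2")             # John's card only
    malicious = cards_concat(conn, "John", "2 OR 1 = 1")   # every card in the table
    safe = cards_param(conn, "John", "2")
    try:
        cards_param(conn, "John", "2 OR 1 = 1")
        refused = False
    except ValueError:
        refused = True
    return len(expected), len(malicious), len(safe), refused


if __name__ == "__main__":
    print(demo())   # (1, 3, 1, True)
```

The malicious case returns three rows because AND binds tighter than OR: the database evaluates `(username = 'John' AND cardtype = 2) OR 1 = 1`, and the second operand is true for every row. With bound parameters the text "2 OR 1 = 1" could only ever be compared as a value, never parsed as SQL.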
  21. 4. Inference
     • A way to infer / derive sensitive data from nonsensitive data
  22. Direct Attack
     • A user tries to determine the values of sensitive fields by seeking them
     • A sensitive query:
       List NAME where SEX=M ^ DRUGS=1
     • A less obvious query:
       List NAME where (SEX=M ^ DRUGS=1) v (SEX#M ^ SEX#F) v (DORM=AYRES)
  23. Direct Attack (cont.)
     • Do not reveal results when a small number of people make up a large proportion of a category.
     • The rule of "n items over k percent" means that data should be withheld if n items represent over k percent of the result reported.
  24. Indirect Attack
     • Sum: an attack by sum tries to infer a value from a reported sum.
     • Count: the count can be combined with the sum to produce even more revealing results.
     • Mean: the arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
     • Median
     • Tracker attacks: using additional queries that produce small results
  25. Indirect Attack
     • Sum:
       Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
     • Count:
       Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
       List NAME where (SEX=M ^ DORM=Holmes)
  26. Indirect Attack
  27. Controls
     • Suppression: don't provide sensitive data
     • Concealing: don't provide actual values ("close to")
     • Limited Response Suppression
       • The n-item k-percent rule eliminates low-frequency elements from being displayed (may need to suppress additional rows/columns)
  28. Controls
     • Combined Results
       • Sums
       • Ranges
       • Rounding
     • Random Sample
     • Random Data Perturbation
     • Query Analysis: "should the result be provided?"
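A query gate that applies three of the controls on the last two slides (limited response suppression by count, the "n items over k percent" rule from the Direct Attack slide, and rounding of released sums) to the sum and count queries of the Indirect Attack slides, as an added Python example that is not part of the slides. The student records, the thresholds and the rounding granularity are constructed; the field names follow the slides' queries.

```python
# Added example (not from the slides): a release gate for statistical queries.
# Records are (NAME, SEX, DORM, STUDENT_AID); all values are constructed.
STUDENTS = [
    ("Adams", "F", "Grey", 3000), ("Baker", "F", "Grey", 2500), ("Chen", "M", "Holmes", 1000),
    ("Dixon", "M", "Holmes", 1500), ("Evans", "M", "Holmes", 1200), ("Fox", "M", "Holmes", 1300),
    ("Gupta", "F", "Holmes", 2000), ("Hale", "F", "Grey", 2000), ("Ito", "M", "Grey", 20000),
]

MIN_COUNT = 3            # release nothing computed over fewer respondents (constructed)
N_ITEMS, K_PCT = 2, 80   # withhold if the top N_ITEMS values exceed K_PCT of the total
ROUND_TO = 100           # released sums are rounded to this granularity


class Suppressed(Exception):
    """Raised instead of returning a value the rules say must be withheld."""


def n_over_k_violated(values, n=N_ITEMS, k=K_PCT):
    """The 'n items over k percent' rule: True when the n largest values make up
    more than k percent of the total, i.e. a few people dominate the result."""
    total = sum(values)
    if total == 0:
        return False
    top = sorted(values, reverse=True)[:n]
    return 100.0 * sum(top) / total > k


def query_sum(records, predicate, field=3):
    """Show SUM STUDENT-AID WHERE <predicate>, gated by the controls."""
    values = [r[field] for r in records if predicate(r)]
    if len(values) < MIN_COUNT:
        raise Suppressed(f"only {len(values)} matching records (minimum {MIN_COUNT})")
    if n_over_k_violated(values):
        raise Suppressed(f"{N_ITEMS} records exceed {K_PCT}% of the sum")
    # Rounding conceals the exact figure, so subtracting two released sums
    # (the count-plus-sum attack) no longer yields one person's exact value.
    return ROUND_TO * round(sum(values) / ROUND_TO)


def query_count(records, predicate):
    """Show COUNT WHERE <predicate>; a small count is itself a disclosure."""
    n = sum(1 for r in records if predicate(r))
    if n < MIN_COUNT:
        raise Suppressed(f"count {n} below minimum {MIN_COUNT}")
    return n


def run(fn, *args):
    """Wrapper that turns a suppression into a message instead of an exception."""
    try:
        return fn(*args)
    except Suppressed as e:
        return f"suppressed: {e}"


if __name__ == "__main__":
    # The slides' queries, expressed as predicates over the records:
    print(run(query_sum, STUDENTS, lambda r: r[1] == "F" and r[2] == "Grey"))     # released, rounded
    print(run(query_count, STUDENTS, lambda r: r[1] == "M" and r[2] == "Holmes")) # 4
    print(run(query_sum, STUDENTS, lambda r: r[1] == "M" and r[2] == "Grey"))     # one person: suppressed
    print(run(query_sum, STUDENTS, lambda r: r[2] == "Grey"))                     # one large value dominates: suppressed
```

The last query shows why the count rule alone is not enough: DORM=Grey has four residents, but one of them holds over 80 percent of the aid total, so releasing the sum would reveal that person's figure to within a few percent. The slides' warning that additional rows or columns may need suppressing applies here too, since the gate looks at one query at a time and does not yet track what the user already knows.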
  29. Conclusion on the Inference Problem
     • There are no perfect solutions to the inference problem.
     • The approaches to controlling it:
       • Suppress obviously sensitive information
       • Track what the user knows
       • Disguise the data
  30. Cross-Site Scripting (XSS)
     • Occurs any time...
       • Raw data from an attacker is sent to an innocent user
     • Raw data...
       • Stored in a database
       • Reflected from web input (form field, hidden field, URL, etc.)
       • Sent directly into a rich JavaScript client
     • Virtually every web application has this problem
     • Try this in your browser: javascript:alert(document.cookie)
  31. XSS (cont.)
     • Allows the attacker to embed malicious code:
       • JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
     • Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...
  32. XSS Types
     • Reflected
       • Link in another website / e-mail link
     • Stored
       • e.g. bulletin board, forum
     • DOM-Based
  33. Cross-Site Scripting Illustrated
     Application with stored XSS vulnerability
     1. Attacker sets the trap (update my profile): the attacker enters a malicious script into a web page that stores the data on the server
     2. Victim views the page and sees the attacker's profile; the script runs inside the victim's browser with full access to the DOM and cookies
     3. The script silently sends the attacker the victim's session cookie
     (Diagram of the application's business functions: Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions, plus Custom Code)
  34. Example
  35. Protection
     • Input validation
     • Output encoding:
       <  ->  &lt;
       >  ->  &gt;
       (  ->  &#40;
       )  ->  &#41;
       #  ->  &#35;
       &  ->  &amp;
     • Do not use "blacklist" validation
     • Specify the output encoding
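Output encoding applied to the stored-profile scenario of the "Cross-Site Scripting Illustrated" slide, as an added Python example that is not part of the slides. The entity table is the one on the Protection slide (<, >, (, ), #, &) plus the two quote characters needed when a value lands inside an attribute; the profile template and the attacker-controlled profile text are constructed, and the script in it is the slide's own `alert(document.cookie)`.

```python
# Added example (not from the slides): HTML output encoding for untrusted data,
# with the vulnerable "raw data straight to the browser" rendering beside it.
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    "(": "&#40;",
    ")": "&#41;",
    "#": "&#35;",
    '"': "&#34;",   # added: needed for values placed inside attributes
    "'": "&#39;",   # added: same, for single-quoted attributes
}


def encode_for_html(text):
    """Replace every character that can change HTML structure with its entity.
    Each input character is visited once, so a literal '&' becomes '&amp;' and
    the '&' of an entity this function just produced is never re-encoded."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def render_profile_vulnerable(display_name, bio):
    """Raw data from the database is sent straight to the innocent user's browser."""
    return f'<h1 title="{display_name}">{display_name}</h1><p>{bio}</p>'


def render_profile_safe(display_name, bio):
    """Every untrusted value is encoded where it enters the HTML, and the charset
    is declared so the browser decodes the bytes the same way the server did."""
    name = encode_for_html(display_name)
    return ('<meta charset="utf-8">'
            f'<h1 title="{name}">{name}</h1><p>{encode_for_html(bio)}</p>')


# Attacker's stored profile (constructed): an attribute breakout in the name and
# the slide's cookie-reading script in the bio.
ATTACKER_NAME = 'x" onmouseover="alert(1)'
ATTACKER_BIO = "<script>alert(document.cookie)</script>"


def demo():
    """Returns the two renderings so they can be compared side by side."""
    return (render_profile_vulnerable(ATTACKER_NAME, ATTACKER_BIO),
            render_profile_safe(ATTACKER_NAME, ATTACKER_BIO))


if __name__ == "__main__":
    vulnerable, safe = demo()
    print("vulnerable:", vulnerable)
    print("safe:      ", safe)
```

Python's own `html.escape` covers &, <, >, " and ', but not the ( ) # characters the slide lists, which is why the table is spelled out here. Encoding is the opposite of blacklist validation: instead of hunting for known-bad strings in the input, every character with structural meaning in HTML is neutralised on output, whatever the input contained.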