Web security with Eng Ahmed Galal and Eng Ramy saeid


Published on

web security presentation for Cryptography course faculty of computers and information Cairo university

Published in: Education, Technology
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • http://testfire.net/bank/login.aspx
  • Web security with Eng Ahmed Galal and Eng Ramy saeid

    1. 1. Web Security
    2. 2. I. SQL injection
    3. 3. OVERVIEW  Introduction  SQL Injection  SQL Injection mitigation  Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART)  Conclusion
    4. 4. Web Applications  In computing, a web application is any application that uses a web browser as a client  With the rapid development of Internet, web applications involving database component become more and more popular.  Structured Query Language (SQL)is the major language to interact with database systems , such as MS SQL Server, Oracle, Access, MySQL, etc.
    5. 5. SQL injection  SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution  SQL injection must exploit a security vulnerability in an application's software
    6. 6. SQL injection  Ex: Suppose that a specific web application uses the following code for user authentication: String query = "SELECT accounts FROM users WHERE login = ' " + login + "' AND pass= ' " + pass + " ''';
    7. 7. Normal behavior  If the login and pass fields are filled with “Ali” and ”33214” the resulted query will be SELECT accounts FROM users WHERE login = „Ali' AND pass= „33214„  This query will return true only if the login name “Ali” and the password “33214” exists in the DB
    8. 8. Injected SQL statement  If the login and pass fields are filled with “admin” and ” ' or '1'='1 ” the resulted query will be SELECT accounts FROM users WHERE login='admin„ AND pass = „‟ or „1‟=„1‟  In this situation, the WHERE clause always has a true value, and contributes to a query result of all the accounts in table users  If the web application takes the first record to be the authenticated user, the user authentication mechanism would be broken by SQL injection
    9. 9. Injected SQL statement cont.  Imagine If we filled the pass field with the following SQL statement a„ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't SELECT accounts FROM users WHERE login='admin„ AND pass = „a‟ ; DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't‟
    10. 10. SQL injection in URL  Ex: Suppose that a specific website have the following URL for showing books review depending on book ID Original URL: http://books.example.com/showReview.php?ID= 5 Injected URL: http://books.example.com/showReview.php?ID=5 AN D 1=1 Resulted SQL query : SELECT * FROM bookreviews WHERE ID = 5 AND 1=1;
    11. 11. Mitigation 1- Prepared statement 2- Escaping Franks's Oracle site => Franks„‟s Oracle site A ''double quoted'' word => A “”double quoted”” word
    12. 12. Test SQL Injection Vulnerabilities (SQLIVs) in Web Applications Based on Structure Matching (SMART) Related Applications:  Paros : is an open-source security scanner for testing web application vulnerabilities. It is a traditional penetration test which automatically scans web applications with injected HTTP request. By analyzing the response page,  JDBC checker : checks the type correctness of generated SQL queries, in order to find SQLIVs caused by improper type checking.  Sania : proposes syntactic and semantic analysis of the parse tree of intended SQL queries. After filling attack codes in leaf nodes, Sania checks the differences between initially parse tree and modified parse tree, and reports SQLIVs
    13. 13. Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) B. Structure extraction C. Structure matching D. Validation
    14. 14. Test SQLIVs in Web Applications Based on Structure Matching (SMART) A. Structure definition ( According to the ANSI SQL standard) 1. Blank, includes space characters, tabs, carriage returns, line feeds, 2. 3. 4. 5. 6. 7. etc. Single-line comment, often lead by comment symbol "-Multiple-line comment, often cited by a pair of comment symbol "/*" and "*/". Keyword, pre-defined by SQL standard, which makes the SQL query meaningful, such as "SELECT", "INSERT","GRANT", “OR” etc. Punctuation, often used to separate SQL queries, or used in some mathematical operations, such as "=", "(", ";", etc. Identifier, often used to specify database name, table name, variable name, etc. Data, includes all kinds of data used in SQL standard,such as integers, real numbers, strings, dates, times, etc.
    15. 15. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. B. Structure extraction 1. 2. 3. To describe the structure of SQL queries, SMART defines the SQL structure features of SQL query Q as a string array S: S=‘a1,a2,a3.. am’ (m≥1) where ai (1≤i≤m) is the ith keyword or punctuation in query Q, and m is the total number of keywords and punctuations. Regular expressions analysis is used on the SQL query to extract its structure features For example, the structure features of query "SELECT accounts FROM users WHERE login= 'admin' AND pass= 'admin ' " is: 'SELECT FROM WHERE = AND ='
    16. 16. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. C. Structure matching 1. 2. For a given structure features array S, we define three kinds of operation to modify it: "add" an element into it, "delete" an element from it, and "change" one of its elements into another Given SQL structure features SI=A[1..m], S2=B[1..n], we define d(i, j)=δ (A[1..i], B[1..j]) as the least number of modification operations required to transfer A[1..i] into B[1..j].
    17. 17. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. D. Validation Web applications are usually composed by many web pages where each web page has zero or more input parameters. For example, the following HTTP request shows that the "Login.jsp" page has two input parameters "login" and "pass", and their default values are "admin" and "admin": HTTP://www.bookstore.com/Login.jsp?login=admin&pass=admin 1. 2. we test the two input parameters in turn. If "login" parameter is the current parameter being tested, we first send the above original request over HTTP, and get all the SQL queries generated by it, denoted as Q=Q1,Q2..Qm. Then we get all the SQL queries generated by the injected request, denoted as Q'=Q‘1Q‘2 .. Q’n.
    18. 18. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont.  If m does not equal n, we cannot determine whether SQL injection succeeds, because the SQL queries are probably generated by different code branches  if m equals n, then we examine each pair of Qi, and Q„i and extract their structure features, denoted as S1 and S2 1. 2. 3. 4. If the extraction of S1 and S2 are both failed, we cannot determine whether SQLIV exists. If the extraction of S1 is failed and S2 is successful, we believe that the injection has broken some authentication mechanism, and alert it as a SQLIV If the extraction of S1 is successful and S2 is failed, we believe that the injection has broken the structure of the generated SQL query, and also alert it as a SQLIV If the extraction of S1and S2 are both successful, we
    19. 19. Test SQLIVs in Web Applications Based on Structure Matching (SMART) cont. If matching_value(S1,S2) equal zero, we believe that the structure of the SQL query doesn't change so the SQL injection doesn't succeed 2. If matching_value(S1,S2) is larger than zero and not larger than a given upper bound specified, we believe that the SQL injection appears and changes the structure of the SQL query, and alert it as a SQLIV 3. if matching_value(S1,S2) is larger than the upper bound, we believe that the change of the structure is caused by executing different code branches 4. If we still cannot determine whether SQL injection succeeds when finishing all the test cases, we believe that the tested input parameter is probably safe against SQL injection. Then we continue to test next input parameter, until all the input parameters are tested 1.
    20. 20. CONCLUSION We presented SMART, a new method to automatically test SQL injection vulnerabilities in web applications. SMART tests each input parameter of web applications, matches the SQL queries generated by both original HTTP request and injected HTTP request, and determines whether it has SQL injection vulnerability.
    23. 23. CROSS-SITE SCRIPTING (XSS)  Cross-site scripting or XSS is a defined as a computer security vulnerability found in web applications.  XSS allows for code injection by malicious web users into Internet pages viewed by other users.  In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification.
    24. 24. XSS VULNERABILITIES  There are Two types of XSS vulnerabilities: Reflected (Non-Persistent) Stored (Persistent)
    25. 25. Reflected (NON-PERSISTENT)  It occurs when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user  An example could be when an attacker convinces a user to follow a malicious URL that injects code into the results page; thus giving the attacker full access to that page's content.
    26. 26. Reflected (NON-PERSISTENT)  Malicious content dose not get stored in the server
    27. 27. Stored (PERSISTENT)  It occurs when the data provided by the attacker is saved by the server (database, file system, other location).  Then permanently displayed on "normal" pages returned to other users in the course of regular browsing,
    28. 28. Stored (PERSISTENT)  The server stores the malicious content
    29. 29. A solution to block Cross Site Scripting Vulnerabilities
    30. 30. A solution to block Cross Site Scripting Vulnerabilities Cont.
    31. 31. Components interaction  The schema for each web page, where an input control is present, is generated and stored offline by the developer in a folder structure or in a database.  When a request is received, the HTTP request is passed on to the converter.  Converter converts the input to an XML object and sends it to the validator.
    32. 32. Components interaction Cont.  Validator retrieves the corresponding schema for the request and maps the XML object with the schema document.  If the input maps with the schema then the status is returned to the converter as „yes‟, otherwise the status „no‟ is returned.  If the status „yes‟ then the request is forwarded to the web application. Otherwise, the request is forwarded to an error page.
    33. 33. AVOIDING XSS VULNERABILITIES  Eliminating scripts  Cookie security  Input validation
    34. 34. ELIMINATING SCRIPTS  Some web applications are written to function without the need for client-side scripts.  In this way users would not be susceptible to XSS attacks.
    35. 35. COOKIE SECURITY  Because client-side scripts have access to cookies, XSS exploits are able steal these cookies and hinder business functions.  Web applications tie session cookies to the IP address of the user who originally logged in; only that IP address is permitted to use the particular cookie.
    36. 36. INPUT VALIDATION  It helps decipher other injection attacks such as SQL injection.  Effective for most types of input, yet when an application by design must be able to accept special HTML characters, HTML entity encoding is the desired choice.
    37. 37. AVOIDING XSS VULNERABILITIES  Do not follow links from sites that navigate to security-sensitive pages referencing personal or business information.  Always practice obtaining a list of attacks that have occurred on particular sites or messages boards.
    38. 38. AVOIDING XSS VULNERABILITIES  User‟s can disable scripting when not required in order to reduce an XSS-style attack.  Do not trust links given on other sites such as e-mail or message boards.  Always access any site with sensitive information through its address and not third party sites
    39. 39. CONCLUISON  Always practice using testing tools during the design phase to eliminate XSS holes in the application.  Input validation and HTML escaping are essential, yet that must be applied at all application points accepting data.
    40. 40. III. Denial of Service attacks (DOS)
    41. 41. Outlines  Abstract  Introduction  Motivation.  General Attack scenario.  Classification of DOS and DDOS attacks.     General attack classification Definition for DOS and DDOS Dos attack classification From DOS to DDOS  How to protect.  Example of DOS using LOIC.
    42. 42. Abstract  Recently many prominent web sites face so called Distributed Denial of Service Attacks (DDoS). While former security threats could be faced by a tight security policy and active measures like using firewalls, vendor patches etc. these DDoS are new in such way that there is no completely satisfying protection yet, in this part of presentation we will cover this topic carefully.  We will classify types of attacks.  Explore different DDOS tools.
    43. 43. Introduction  Motivation  Security threats is as old as the internet it self, In fact the first connection between computers in the ARPAnet between SRI and UCLA resulted in a crash of the receiving system due to some bugs in the communication software a classical Denial-of-Service attack.
    44. 44. General attack scenario  big web sites usually use more than one system running their web server. The clients access these servers via a load balancing server which redirects the HTTP requests to one of the servers. Todays web servers don't work as stand alone systems but need the support of a number of backend systems (like database or le-servers) to fulll their tasks. The whole LAN network where the site is hosted is typically protected by a firewall system. On the way the IP datagrams have to pass a num-ber of routers. On each of these systems there is at least the hardware, the operating system and (as part of the OS) aTCP/IP protocol stack that can fall victim to attacks.
    45. 45. Classification of DOS and DDOS attacks.  a possible classification of IT attacks according to the intention of the cracker could be  Denial of Service attack  The main goal of the attack is the disruption of service, this can be reached by a variety of ways.  Intrusion  Get access to a system and to circumvent certain barriers .  Information Theft  Access to otherwise restricted, sensitive information.  Modification  Attacker try to alter information, the type of attack increased lately
    46. 46. DOS definition according to W3C  What is a Denial of Service attack? Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks will target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic, that all available network resources are consumed and legitimate user requests can not get through. Connectivity attacks flood a computer with such a high volume of connection requests, that all available operating system resources are consumed, and the computer can no longer process legitimate user requests.
    47. 47. DDOS definition according to W3C  A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates to any number of "agent" programs, installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands
    48. 48. Definition of DOS and DOSS  Denial-Of-Service Attack = DOS Attack is a malicious attempt by a single person or a group of people to cause the victim, site or node to deny service to it customers.  DoS = when a single host attacks  DDoS = when simultaneously multiple hosts attack
    49. 49. DOS attack classification  DOS and DDOS usually used limited number of well known attacks with names like Smurf, teardrop, or SYN-Flood.  We will try to provide a classification in categories according to specified criteria.  System attacked.  Part of the system attacked.  Bug or overload.
    50. 50. System attacked  According to general attack scenario we will identify a number of attack points :  Attack clients themselves ( useless number of users     or large ) Attack the router that connects the site hosting the webserver to its ISP ( Internet Service Provider ) this will effectively cut off all access to the websites. Attack the firewall system although firewalls should be quite immune to direct attacks , firewalls is a bottle nick all in and out bound connection go through it, so if an attack with a high load will stop them. Attack the load balancer. attack the servers it self ( will be hard )
    51. 51. Part of the system is attacked  Attacks forms can be further divided by the part of the system that is attacked.  Attack depends on the hardware (rare), theoretically CPU and network card could fail to work due to some data in net work packages.  Attack based on the limitation of the hardware.  Attacks targeting the Operating systems or the TCP/IP stacks of host.  For this type of attack some are bugs that can be fixed some are fundamental limitation. What to do ?!!!
    52. 52. Bug or overload  In general one has to distinguish whether a DoS is a cause of a specific bug or just an overload of components that function according to their specification. Although bugs are often more severe in their effects, most of the time the vendors quickly provide fixes. All the administrators have to do is to apply them to their system in order to avoid further attacks. Attacks that are based on an overload are typically harder to cope with. Of course you can buy new hardware, but as long as an attacker finds enough resources to use as relays in the Internet he will always bring your system to a halt. Changing the specification or protocols in order to fix the hole that allows the DoS is nearly impossible as this would often mean changing the software in millions of computers
    53. 53. Examples  Jolt2 is an attack targeting most of Microsoft windows systems , jolt2 sends a continuous stream of ICMP ECHO-REPLy fragment with specially tuned fragmentation which almost cause consumption of CPU and Memory 100% which render the system to unusable.  SYN-Flooding attack is to generate many half open TCP connections .  Smurf Attack so called amplifier sites in order to multiply the amount of traffic that hits the destination, this attack ends ICMP_ECHO_REQUEST packets with spoofed sender address to one or more subnet, subnet broadcast addresses, the packets received and replied by as many stations as are connected to the subnet.
    54. 54. From DOS to DDOS  Major Internet websites like amazon or Yahoo tend to have Internet connections with very large bandwidth an server farms with lots of components. Furthermore they are typically protected by firewall systems that block the known attacks that are based on malformed packets .  Their fears about large-scale attacks were proved soon later in February 2000 when major Internet sites –ebay amazon…etc where under attack. There are currently a few
    55. 55. How the attack happens ?  The actual attack is carried out by so called daemons – hidden programs – a number of the daemon is controlled by handlers and finally this handlers are activated by the attacker using clients tools.
    56. 56. How the intrusion to clients computers happen ? (|)  Stolen account is setup as a repository for a daemons program and attack tools .  Sniffers are used scan large ranges of network blocks to identify potential targets . Targets will include (overflow , security bugs,…etc. ).  A list of vulnerable systems is then used to create a script that perform exploit, set up command running under the root account , that listen to TCP port and connects to this port to confirm the success of the exploit .  From the list select one with the desired architecture ,Pre- compiled binaries of the DDoS daemons and handlers programs are created and stored on a stolen account somewhere on the Interne.
    57. 57. How the intrusion to clients computers happen ?( ||)  A script is then run which takes this list of "owned“ systems and produces yet another script to automate the installation process, running each installation in the background for maximum multitasking. The result of this automation is the ability for attackers to set up the denial of service network in a very short time frame and on widely dispersed systems whose true owners often don't even realize the attack.
    58. 58. Protection from DDOS  General protection  Basic security measures are mandatory.  If a running system is hacked into, no more network attacks are necessary, since local attacks ( processes consuming , memory consuming or simply shutting down )  A set of firewall should be used to separate the interior net from the internet , the firewall rules should include some sanity check for source and destination addresses.  Intrusion detection systems should be used to notify administrators of unusual activities.
    59. 59. Protection  IP verify unicast reverse-path( Smurf)  Use the IP verify unicast reverse-path interface command on the input interface on the router at the upstream end of the connection.  This feature examines each packet received as input on that interface. If the source IP address does not have a route in the CEF tables that points back to the same interface on which the packet arrived, the router drops the packet.  Configure rate limiting for SYN packets  Limit response time.  Apply ingress and egress filtering  Egress filtering helps ensure that unauthorized or malicious traffic never leaves the internal network.  ingress filtering is a technique used to make sure that incoming packets are actually from the networks that they claim to be from.