SlideShare a Scribd company logo
1 of 63
Web Application Security
Part-01
Contents
• SQL Injection: Attacks and Defenses
• Cross Site request forgery: Attacks and Defenses
• Cross-site Scripting: Attacks and Defenses
• Generating and storing session tokens
Database
• Database = collection of data + set of rules that specify certain
relationships among the data.
• Data is stored in one or more files
• The database file consists of records, which in turn consists of fields or
elements.
• Data can be organized in tables. All columns are given names, which
are the attributes of the database.
• A relation is a set of columns
• Data is extracted from the database with the help of queries.
• SQL is a Structured query language that specifies the rules of queries.
One famous example is MySQL
SQL Injection: What is it?
• Many web applications take user input from a form
• Often this user input is used literally in the construction of a SQL
query submitted to a database:
• SELECT productdata FROM table WHERE productname = ‘user input
product name’;
• A SQL injection attack involves placing SQL statements in the user
input
SQL Injection Example
• An example Product Search input in a form: ‘something‘ OR ‘x’ = ‘x’
• This input is put directly into the SQL statement within the Web
application:
• $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” .
$_POST[‘prod_search’] . “’”;
• Creates the following SQL:
• SELECT prodinfo FROM prodtable WHERE prodname = ‘something‘ OR
‘x’ = ‘x’
• Attacker has now successfully caused the entire database to be returned.
SQL Injection Example
• What if the attacker had instead entered:
• something‘; DROP TABLE prodinfo; --
• Results in the following SQL:
• SELECT prodinfo FROM prodtable WHERE prodname = ‘something’;
DROP TABLE prodinfo; --’
• The comment symbol(--) consumes the final quote
• Causes the entire database to be deleted
• Depends on knowledge of table name
• This is sometimes exposed to the attacker in debug code called during a
database error event that is when the table name is not correctly specified
• Using non-obvious table names would be a good practice
SQL Injection Possibilities
• Using SQL injections, attackers can:
• Add new data to the database
• Could be destructive to find new records in a student database
• Perform an INSERT in the injected SQL
• Modify data currently in the database
• Could be very costly to have an expensive item suddenly be deeply ‘discounted’
• Perform an UPDATE in the injected SQL
• Often can gain access to other user’s system capabilities by obtaining their
password
SQL Injection: More Examples 1
• Unauthorized Access Attempt:
• password = ’ or 1=1 --
• SQL statement becomes:
• select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -
-
• Checks if password is empty OR 1=1, which is always true, permitting
access.
SQL Injection: More Examples 2
• Database Modification Attack:
• password = foo’; delete from table users where username like ‘%
• Database executes two SQL statements:
• select count(*) from users where username = ‘user’ and password = ‘foo’
• delete from table users where username like ‘%’
SQL Injection: Impact
• Yahoo! Voices was hacked in July. The attack acquired 453,000 user
email addresses and passwords. The perpetrators claimed to have used
union-based SQL injection to break in.
• LinkedIn.com leaked 6.5 million user credentials in June. A class
action lawsuit alleges that the attack was accomplished with SQL
injection.
• SQL injection was documented as a security threat in 1998, but new
incidents still occur every month. Making honest mistakes, developers
fail to defend against this means of attack, and the security of online
data is at risk due to this.
SQL Injection: Defense
• Use provided functions for escaping strings
• Many attacks can be thwarted by simply using the SQL string escaping
mechanism
• ‘  ’ and “  ”
• mysql_real_escape_string() is the preferred function for this
• Unfortunately this is not a complete solution. Consider:
• SELECT fields FROM table WHERE id = 23 OR 1=1
• No quotes are used here.
SQL Injection: Defense
• Check syntax of input for validity
• Many classes of input have fixed languages
• Email addresses, dates, part numbers, etc.
• Verify that the input is a valid string in the language
• Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may
decide to not allow these
• If we can exclude quotes and semicolons that’s good
• Not always possible: consider the name Bill O’Reilly
• Want to allow the use of single quotes in names
• Have length limits on input
• Many SQL injection attacks depend on entering long strings
SQL Injection: Defense
• Scan query string for undesirable word combinations that indicate
SQL statements
• INSERT, DROP, etc.
• If we catch these, it can be checked against SQL syntax to see if they represent
a statement or valid user input
• Limit database permissions and segregate users
• If we’re only reading the database, connect to database as a user that only has
read permissions
• Never connect as a database administrator in our web application
Cross-Site Request Forgery[1]
• Cross-Site Request Forgery (CSRF) is an attack where a malicious
website will send a request to a web application that a user is already
authenticated against from a different website. This way an attacker
can access functionality in a target web application via the victim's
already authenticated browser. Targets include web applications like
social media, in-browser email clients, online banking and web
interfaces for network devices.
CSRF: Key Concepts
• Malicious requests are sent from a site that a user visits to another site
that the attacker believes the victim is validated against.
• The malicious requests are routed to the target site via the victim’s
browser, which is authenticated against the target site.
• The vulnerability lies in the affected web application, not the victim’s
browser or the site hosting the CSRF.
CSRF: Example 1
• In a Cross-Site Request Forgery attack, the attacker is exploiting how
the target web application manages authentication. For CSRF to be
exploited, the victim must be authenticated against (logged into) the
target site.
• For instance, let’s say examplebank.com has online banking that is
vulnerable to CSRF. If we visit a page containing a CSRF attack on
examplebank.com but am not currently logged in, nothing happens. If
we are logged in, however, the requests in the attack will be executed
as if they were actions that we had intended to take.
CSRF: Example 1
• First, let’s assume that we are logged into our account on
examplebank.com, which allows for standard online banking features,
including transferring funds to another account.
• Now let’s say we happen to visit somemalicioussite.com.
• It just so happens that this site is trying to attack people who bank with
examplebank.com and has set up a CSRF attack on its site.
• The attack will transfer $1,500.00 to account number 123456789.
CSRF: Example 1
• Somewhere on somemalicioussite.com, attackers have added this line
of code:
• <iframe
src="//www.veracode.com/%3Ca%20href%3D"http://examplebank.com/app/tr
ansferFunds?amount=1500&destinationAccount=123456789">http://example
bank.com/app/transferFunds?amount=1500&destinationAccount=..." >
• Upon loading that iframe, my browser will send that request to
examplebank.com, which my browser has already logged in as me.
The request will be processed and send $1,500.00 to account
123456789.
CSRF: Example 2
• Let’s assume we bought a new home wireless router. Like most wifi
routers, it’s configured through a web interface. The router was
shipped to us with an internal IP address of 192.168.1.1.
• Lets assume we are having trouble configuring the router though, and
fortunately the attackers over at somemalicioussite.com have
published a guide that shows us exactly what buttons to click in the
router interface to get everything set up securely.
• The attackers have also set up a proxy server at 123.45.67.89 that will
log all traffic that goes through it and look for things like passwords
and session tokens.
CSRF: Example 2
• As we clicked through the configuration guide, lets assume we missed
the 1x1 pixel image that failed to load:
• <img
src=”http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89”
alt=”pwned” height=”1” width=”1”/>
• The attackers knew that when we were reading their tutorial, we would
be logged into the router interface. So they had the CSRF attack set up
in the tutorial.
• With that request, our router would be reconfigured so that our traffic
will be routed to their proxy server where they can do all manner of
bad things with it.
CSRF: Defense
• The most common method to prevent Cross-Site Request Forgery
(CSRF) attacks is to append CSRF tokens to each request and
associate them with the user’s session.
• Such tokens should at a minimum be unique per user session, but can
also be unique per request.
• By including a challenge token with each request, the developer can
ensure that the request is valid and not coming from a source other
than the user.
CSRF: Defense
• The easiest way to check whether an application is vulnerable is to see
if each link and form contains an unpredictable token for each user.
• Without such an unpredictable token, attackers can forge malicious
requests.
• Focus on the links and forms that invoke state-changing functions,
since those are the most important CSRF targets.
Cross-Site Sctipting
• Cross Site Scripting (XSS) is a type of web application attack where
malicious client-side script is injected into the application output and
subsequently executed by the user’s browser.
• The objective is to trick the client browser to execute malicious
scripting commands
• Caused by insufficient input validation
• Javascript is the most popular scripting technology exploited
Javascript
• Starts and ends with <script> tag
• Javascript has access to cookies using document.cookie
• Javascript can send HTTP requests to any destination by using
XMLHttpRequest
• Javascript can make arbitrary modifications to the HTML of current
page by using DOM manipulation methods
Risks of Javascript (Malicious)
• Cookie theft
• Keylogging / Spying
• Phishing
Similarity: The attacker has injected code into a page served by the
website
Basic XSS Model
• Input: <script>….</script>
• Output:
• <html>Latest comment:
<script>...</script>
</html>
print "<html>"
print "Latest comment:"
print database.latestComment
print "</html>
Types of XSS
• Persistent
• Reflected
• DOM - Based
Persistent XSS [2]
• The attacker uses one of the website's forms to insert a malicious
string into the website's database
• The victim requests a page from the website
• The website includes the malicious string from the database in the
response and sends it to the victim
• The victim's browser executes the malicious script inside the
response, sending the victim's cookies to the attacker's server
Web application security part 01
Reflected XSS [2]
• The attacker crafts a URL containing a malicious string and sends it to
the victim
• The victim is tricked by the attacker into requesting the URL from the
website
• The website includes the malicious string from the URL in the
response
• The victim's browser executes the malicious script inside the
response, sending the victim's cookies to the attacker's server
Web application security part 01
DOM-based XSS [2]
• The attacker crafts a URL containing a malicious string and sends it to
the victim
• The victim is tricked by the attacker into requesting the URL from the
website
• The website receives the request, but does not include the malicious
string in the response
• The victim's browser executes the legitimate script inside the
response, causing the malicious script to be inserted into the page
• The victim's browser executes the malicious script inserted into the
page, sending the victim's cookies to the attacker's server
Web application security part 01
Some Statistics
• These statistics only include
media reported security
incidents that can be
associated with a web
application security
vulnerability
Other /
Unknown
39%
SQL Injection
9%
Credential /
Session
Prediction
9%
Cross-Site
Scripting
27%
Insufficient
Authorisation
and
Authenticatio
n
16%
ATTACK STATISTICS
Source: www.webappsec.org
Famous XSS Attacks
• Myspace Hack Spreading
Date: 16 July 2006
WASC Threat Classification: Cross-site Scripting, Worm
Myspace seemed to be a heaven for XSS worms. This one seems to
be even more interesting as it uses JavaScript embedded in a flash
file.
Famous XSS Attacks
• google XSS
Date: 04 July 2006
WASC Threat Classification: Cross-site Scripting
An XSS vulnerability in the feature allowing adding an arbitrary
RSS to personal web pages. Since this page resides on the main
www.google.com host, the executed JavaScript can access any
google resource
Famous XSS Attacks
• PayPal Flaw
Date: 16 June 2006
WASC Threat Classification: Cross-site Scripting
While XSS vulnerabilities in public web sites are found daily, this
one is of special interest. It was found in one of the sites most
targeted by Phishers, it is exploitable for Phishing and was exploited.
On top of that, it seems to have been discovered and reported to
PayPal already two years ago but ignored due to a communication
failure
XSS Attack Vectors
• Injecting through (html) form inputs
• URL injection (URL sent by e-mail or IM to the victim, or posted on
public sites)
Persistent XSS Example
• XAMPP server running apache. A PHP example site is loaded.
• Functionality to add comments is provided
• The comments are then stored in a mysql database and then
displayed at comments.php
Web application security part 01
Web application security part 01
Web application security part 01
Web application security part 01
Web application security part 01
Web application security part 01
Web application security part 01
Reflected XSS Example
• XAMPP server running apache. A PHP example site is loaded.
• An attractive link is shown which contains a script
• It gets bounced back from the server once the user clicks on the link
Web application security part 01
Web application security part 01
DOM Based XSS Example
• This runs when the interpreter cannot find the img tag and runs the
onerror script. There is no requirement of a server in this scenario
file:///C:/Users/Admin/Desktop/xss.html#<img src="blah"
onerror="alert('XSS!!');">
Web application security part 01
Defense Strategies
Almost all scripts use <> () {} “ ‘ ; / 
• Encoding: Escape user input so that the browser interprets it only as
data
• Validation: Filter input so that all malicious parts of it are removed
Ideas to Bypass Input Verification
• Even web applications which validate user inputs can be the target
of XSS
attacks. Some strategies to bypass such checks
• <div style="background:url('javascript:alert(1)')">
javascript is accepted in CSS
• <div style="background:url('javanscript:alert(1)')">
If the keyword “javascript” is filtered out, we can try to write it
as follows.
• alert(eval('document.body.inne' + 'rHTML'));
If keywords representing “useful” javascript methods are
filtered out, we can use the powerful eval() function to interpret
a concatenation of string.
Session Tokens
• A session identifier, session ID or session token is a piece of data that
is used in network communications (often over HTTP) to identify a
session, a series of related message exchanges.
• Session identifiers become necessary in cases where the
communications infrastructure uses a stateless protocol such as HTTP.
• A session ID is typically granted to a visitor on their first visit to a site.
• It is different from a user ID in that sessions are typically short-lived
and may become invalid after a certain goal has been met.
Cookies
• A cookie is a small text file that contains a small amount of
information about a user visiting a site and is stored on the site
visitor's computer by their browser.
• Because the cookie is stored on the user’s computer, it does not
require any server space no matter how many users you have.
• We can use cookies to save user preferences, customize data,
remember the last visit, or to keep track of items in an order while a
user browses.
Cookies
• Cookies can only be read by the site that created them, or a site
'underneath' the site that created them. This prevents other websites
from stealing cookies.
• The cookie specification introduced by Netscape also places limits on
cookies. These limits are:
• 310 total cookies.
• 4 kilobytes per cookie
• 20 cookies per server or domain.
Types of Cookies
• First Party Cookies are written by our site and can only be read by
our site.
• Third Party Cookies are created by advertising in our page that is
loaded from a third party site. These can only be read by the
advertising code on any site displaying the same ads.
• Session Cookies are not actually written to a file but are stored in the
browser itself. These cookies only last as long as the browser is open.
Sessions
• Sessions are a combination of a server-side cookie and a client-side
cookie.
• Client-side cookie simply holds a value (session token) that uniquely
identifies the client to the server, and corresponds to a data file on the
server.
• Thus, when the user visits the site, their browser sends the reference
code to the server, which loads the corresponding data.
HTTP session token
• A session token is a unique identifier that is generated and sent from a
server to a client to identify the current interaction session.
• The client usually stores and sends the token as an HTTP cookie
and/or sends it as a parameter in GET or POST queries.
• Session tokens are used so that the client only has to handle the
identifier—all session data is stored on the server (usually in a
database, to which the client does not have direct access) linked to
that identifier.
HTTP session token
• Examples of the names that some programming languages use when
naming their HTTP cookie include
• JSESSIONID (JSP)
• PHPSESSID (PHP)
• ASPSESSIONID (ASP)
Advantages of Sessions
• The server-side cookie can contain very large amounts of data with no
hassle - client-side cookies are limited in size
• The client-side cookie contains nothing other than a small reference
code - as this cookie is passed each time someone visits a page on our
site, we are saving a lot of bandwidth by not transferring large client-
side cookies around
• Session data is much more secure - only we are able to manipulate it,
as opposed to client-side cookies which are editable by all
Conclusion
• It is also important to note that sessions only last till the user closes
their browser, whereas cookies can be configured to last longer.
• However, other than the above, there is not much difference between
session data and cookie data for most purposes.
References
[1] https://www.veracode.com/security/csrf
[2] Jakolb Kallin, Irene Lobo Valbuena, Excess XSS, https://excess-
xss.com/

More Related Content

What's hot

Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application VulnerabilitiesPreetish Panda
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...Lenur Dzhemiliev
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Ikhade Maro Igbape
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamMohammed Adam
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerAjit Dadresa
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threatsVishal Kumar
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessmentRavikumar Paghdal
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Daniel Tumser
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide Isabelle Mauny
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing BasicsRick Wanner
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printingleminhvuong
 

What's hot (20)

Web Application Vulnerabilities
Web Application VulnerabilitiesWeb Application Vulnerabilities
Web Application Vulnerabilities
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
 
Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation Cross Site Scripting Defense Presentation
Cross Site Scripting Defense Presentation
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Android Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed AdamAndroid Application Penetration Testing - Mohammed Adam
Android Application Penetration Testing - Mohammed Adam
 
Demo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scannerDemo of security tool nessus - Network vulnerablity scanner
Demo of security tool nessus - Network vulnerablity scanner
 
Application Security
Application SecurityApplication Security
Application Security
 
Owasp top 10 security threats
Owasp top 10 security threatsOwasp top 10 security threats
Owasp top 10 security threats
 
Web application vulnerability assessment
Web application vulnerability assessmentWeb application vulnerability assessment
Web application vulnerability assessment
 
Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS)
 
Xss attack
Xss attackXss attack
Xss attack
 
APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide APISecurity_OWASP_MitigationGuide
APISecurity_OWASP_MitigationGuide
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Module 2 Foot Printing
Module 2   Foot PrintingModule 2   Foot Printing
Module 2 Foot Printing
 
Broken access control
Broken access controlBroken access control
Broken access control
 

Similar to Web application security part 01

SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTIONAnoop T
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
OWASP TOP 10 by Team xbios
OWASP TOP 10  by Team xbiosOWASP TOP 10  by Team xbios
OWASP TOP 10 by Team xbiosVi Vek
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities   2013Owasp top 10 vulnerabilities   2013
Owasp top 10 vulnerabilities 2013Vishrut Sharma
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5Aditya Kamat
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxprasadGade6
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSSam Bowne
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_NicoleNicole Bili?
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security ChampionsPetraVukmirovic
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive MeasuresShubham Takode
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Nilesh Sapariya
 

Similar to Web application security part 01 (20)

Vulnerabilities in Web Applications
Vulnerabilities in Web ApplicationsVulnerabilities in Web Applications
Vulnerabilities in Web Applications
 
SQL INJECTION
SQL INJECTIONSQL INJECTION
SQL INJECTION
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
Sql Injection
Sql InjectionSql Injection
Sql Injection
 
OWASP TOP 10 by Team xbios
OWASP TOP 10  by Team xbiosOWASP TOP 10  by Team xbios
OWASP TOP 10 by Team xbios
 
Owasp top 10 vulnerabilities 2013
Owasp top 10 vulnerabilities   2013Owasp top 10 vulnerabilities   2013
Owasp top 10 vulnerabilities 2013
 
Web Hacking Series Part 5
Web Hacking Series Part 5Web Hacking Series Part 5
Web Hacking Series Part 5
 
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptxcgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
cgbhjjjjjjjnmmmkmmmmmmkkkkkkTutorial5.pptx
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Codeinjection
CodeinjectionCodeinjection
Codeinjection
 
How to Test for The OWASP Top Ten
 How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 
Seminar2015Bilic_Nicole
Seminar2015Bilic_NicoleSeminar2015Bilic_Nicole
Seminar2015Bilic_Nicole
 
SQLi for Security Champions
SQLi for Security ChampionsSQLi for Security Champions
SQLi for Security Champions
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Website Hacking and Preventive Measures
Website Hacking and Preventive MeasuresWebsite Hacking and Preventive Measures
Website Hacking and Preventive Measures
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
 
Sql injection
Sql injectionSql injection
Sql injection
 

More from G Prachi

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architectureG Prachi
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software securityG Prachi
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilitiesG Prachi
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Basic web security model
Basic web security modelBasic web security model
Basic web security modelG Prachi
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system securityG Prachi
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy codeG Prachi
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzingG Prachi
 
Control hijacking
Control hijackingControl hijacking
Control hijackingG Prachi
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security conceptsG Prachi
 
Administering security
Administering securityAdministering security
Administering securityG Prachi
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networksG Prachi
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating systemG Prachi
 
Program security
Program securityProgram security
Program securityG Prachi
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptographyG Prachi
 
Information security introduction
Information security introductionInformation security introduction
Information security introductionG Prachi
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedomG Prachi
 

More from G Prachi (20)

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
 
Malicious software and software security
Malicious software and software  securityMalicious software and software  security
Malicious software and software security
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02
 
Basic web security model
Basic web security modelBasic web security model
Basic web security model
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Administering security
Administering securityAdministering security
Administering security
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Program security
Program securityProgram security
Program security
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 

Recently uploaded

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Brian Pichman
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdfPedro Manuel
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 

Recently uploaded (20)

Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )Building Your Own AI Instance (TBLC AI )
Building Your Own AI Instance (TBLC AI )
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 

Web application security part 01

  • 2. Contents • SQL Injection: Attacks and Defenses • Cross Site request forgery: Attacks and Defenses • Cross-site Scripting: Attacks and Defenses • Generating and storing session tokens
  • 3. Database • Database = collection of data + set of rules that specify certain relationships among the data. • Data is stored in one or more files • The database file consists of records, which in turn consists of fields or elements. • Data can be organized in tables. All columns are given names, which are the attributes of the database. • A relation is a set of columns • Data is extracted from the database with the help of queries. • SQL is a Structured query language that specifies the rules of queries. One famous example is MySQL
  • 4. SQL Injection: What is it? • Many web applications take user input from a form • Often this user input is used literally in the construction of a SQL query submitted to a database: • SELECT productdata FROM table WHERE productname = ‘user input product name’; • A SQL injection attack involves placing SQL statements in the user input
  • 5. SQL Injection Example • An example Product Search input in a form: ‘something‘ OR ‘x’ = ‘x’ • This input is put directly into the SQL statement within the Web application: • $query = “SELECT prodinfo FROM prodtable WHERE prodname = ‘” . $_POST[‘prod_search’] . “’”; • Creates the following SQL: • SELECT prodinfo FROM prodtable WHERE prodname = ‘something‘ OR ‘x’ = ‘x’ • Attacker has now successfully caused the entire database to be returned.
  • 6. SQL Injection Example • What if the attacker had instead entered: • something‘; DROP TABLE prodinfo; -- • Results in the following SQL: • SELECT prodinfo FROM prodtable WHERE prodname = ‘something’; DROP TABLE prodinfo; --’ • The comment symbol(--) consumes the final quote • Causes the entire database to be deleted • Depends on knowledge of table name • This is sometimes exposed to the attacker in debug code called during a database error event that is when the table name is not correctly specified • Using non-obvious table names would be a good practice
  • 7. SQL Injection Possibilities • Using SQL injections, attackers can: • Add new data to the database • Could be destructive to find new records in a student database • Perform an INSERT in the injected SQL • Modify data currently in the database • Could be very costly to have an expensive item suddenly be deeply ‘discounted’ • Perform an UPDATE in the injected SQL • Often can gain access to other user’s system capabilities by obtaining their password
  • 8. SQL Injection: More Examples 1 • Unauthorized Access Attempt: • password = ’ or 1=1 -- • SQL statement becomes: • select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 - - • Checks if password is empty OR 1=1, which is always true, permitting access.
  • 9. SQL Injection: More Examples 2 • Database Modification Attack: • password = foo’; delete from table users where username like ‘% • Database executes two SQL statements: • select count(*) from users where username = ‘user’ and password = ‘foo’ • delete from table users where username like ‘%’
  • 10. SQL Injection: Impact • Yahoo! Voices was hacked in July. The attack acquired 453,000 user email addresses and passwords. The perpetrators claimed to have used union-based SQL injection to break in. • LinkedIn.com leaked 6.5 million user credentials in June. A class action lawsuit alleges that the attack was accomplished with SQL injection. • SQL injection was documented as a security threat in 1998, but new incidents still occur every month. Making honest mistakes, developers fail to defend against this means of attack, and the security of online data is at risk due to this.
  • 11. SQL Injection: Defense • Use provided functions for escaping strings • Many attacks can be thwarted by simply using the SQL string escaping mechanism • ‘  ’ and “  ” • mysql_real_escape_string() is the preferred function for this • Unfortunately this is not a complete solution. Consider: • SELECT fields FROM table WHERE id = 23 OR 1=1 • No quotes are used here.
  • 12. SQL Injection: Defense • Check syntax of input for validity • Many classes of input have fixed languages • Email addresses, dates, part numbers, etc. • Verify that the input is a valid string in the language • Sometime languages allow problematic characters (e.g., ‘*’ in email addresses); may decide to not allow these • If we can exclude quotes and semicolons that’s good • Not always possible: consider the name Bill O’Reilly • Want to allow the use of single quotes in names • Have length limits on input • Many SQL injection attacks depend on entering long strings
  • 13. SQL Injection: Defense • Scan query string for undesirable word combinations that indicate SQL statements • INSERT, DROP, etc. • If we catch these, it can be checked against SQL syntax to see if they represent a statement or valid user input • Limit database permissions and segregate users • If we’re only reading the database, connect to database as a user that only has read permissions • Never connect as a database administrator in our web application
  • 14. Cross-Site Request Forgery[1] • Cross-Site Request Forgery (CSRF) is an attack where a malicious website will send a request to a web application that a user is already authenticated against from a different website. This way an attacker can access functionality in a target web application via the victim's already authenticated browser. Targets include web applications like social media, in-browser email clients, online banking and web interfaces for network devices.
  • 15. CSRF: Key Concepts • Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against. • The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site. • The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF.
  • 16. CSRF: Example 1 • In a Cross-Site Request Forgery attack, the attacker is exploiting how the target web application manages authentication. For CSRF to be exploited, the victim must be authenticated against (logged into) the target site. • For instance, let’s say examplebank.com has online banking that is vulnerable to CSRF. If we visit a page containing a CSRF attack on examplebank.com but am not currently logged in, nothing happens. If we are logged in, however, the requests in the attack will be executed as if they were actions that we had intended to take.
  • 17. CSRF: Example 1 • First, let’s assume that we are logged into our account on examplebank.com, which allows for standard online banking features, including transferring funds to another account. • Now let’s say we happen to visit somemalicioussite.com. • It just so happens that this site is trying to attack people who bank with examplebank.com and has set up a CSRF attack on its site. • The attack will transfer $1,500.00 to account number 123456789.
  • 18. CSRF: Example 1 • Somewhere on somemalicioussite.com, attackers have added this line of code: • <iframe src="//www.veracode.com/%3Ca%20href%3D"http://examplebank.com/app/tr ansferFunds?amount=1500&destinationAccount=123456789">http://example bank.com/app/transferFunds?amount=1500&destinationAccount=..." > • Upon loading that iframe, my browser will send that request to examplebank.com, which my browser has already logged in as me. The request will be processed and send $1,500.00 to account 123456789.
  • 19. CSRF: Example 2 • Let’s assume we bought a new home wireless router. Like most wifi routers, it’s configured through a web interface. The router was shipped to us with an internal IP address of 192.168.1.1. • Lets assume we are having trouble configuring the router though, and fortunately the attackers over at somemalicioussite.com have published a guide that shows us exactly what buttons to click in the router interface to get everything set up securely. • The attackers have also set up a proxy server at 123.45.67.89 that will log all traffic that goes through it and look for things like passwords and session tokens.
  • 20. CSRF: Example 2 • As we clicked through the configuration guide, lets assume we missed the 1x1 pixel image that failed to load: • <img src=”http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89” alt=”pwned” height=”1” width=”1”/> • The attackers knew that when we were reading their tutorial, we would be logged into the router interface. So they had the CSRF attack set up in the tutorial. • With that request, our router would be reconfigured so that our traffic will be routed to their proxy server where they can do all manner of bad things with it.
  • 21. CSRF: Defense • The most common method to prevent Cross-Site Request Forgery (CSRF) attacks is to append CSRF tokens to each request and associate them with the user’s session. • Such tokens should at a minimum be unique per user session, but can also be unique per request. • By including a challenge token with each request, the developer can ensure that the request is valid and not coming from a source other than the user.
  • 22. CSRF: Defense • The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. • Without such an unpredictable token, attackers can forge malicious requests. • Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
  • 23. Cross-Site Sctipting • Cross Site Scripting (XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser. • The objective is to trick the client browser to execute malicious scripting commands • Caused by insufficient input validation • Javascript is the most popular scripting technology exploited
  • 24. Javascript • Starts and ends with <script> tag • Javascript has access to cookies using document.cookie • Javascript can send HTTP requests to any destination by using XMLHttpRequest • Javascript can make arbitrary modifications to the HTML of current page by using DOM manipulation methods
  • 25. Risks of Javascript (Malicious) • Cookie theft • Keylogging / Spying • Phishing Similarity: The attacker has injected code into a page served by the website
  • 26. Basic XSS Model • Input: <script>….</script> • Output: • <html>Latest comment: <script>...</script> </html> print "<html>" print "Latest comment:" print database.latestComment print "</html>
  • 27. Types of XSS • Persistent • Reflected • DOM - Based
  • 28. Persistent XSS [2] • The attacker uses one of the website's forms to insert a malicious string into the website's database • The victim requests a page from the website • The website includes the malicious string from the database in the response and sends it to the victim • The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server
  • 30. Reflected XSS [2] • The attacker crafts a URL containing a malicious string and sends it to the victim • The victim is tricked by the attacker into requesting the URL from the website • The website includes the malicious string from the URL in the response • The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server
  • 32. DOM-based XSS [2] • The attacker crafts a URL containing a malicious string and sends it to the victim • The victim is tricked by the attacker into requesting the URL from the website • The website receives the request, but does not include the malicious string in the response • The victim's browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page • The victim's browser executes the malicious script inserted into the page, sending the victim's cookies to the attacker's server
  • 34. Some Statistics • These statistics only include media reported security incidents that can be associated with a web application security vulnerability Other / Unknown 39% SQL Injection 9% Credential / Session Prediction 9% Cross-Site Scripting 27% Insufficient Authorisation and Authenticatio n 16% ATTACK STATISTICS Source: www.webappsec.org
  • 35. Famous XSS Attacks • Myspace Hack Spreading Date: 16 July 2006 WASC Threat Classification: Cross-site Scripting, Worm Myspace seemed to be a heaven for XSS worms. This one seems to be even more interesting as it uses JavaScript embedded in a flash file.
  • 36. Famous XSS Attacks • google XSS Date: 04 July 2006 WASC Threat Classification: Cross-site Scripting An XSS vulnerability in the feature allowing adding an arbitrary RSS to personal web pages. Since this page resides on the main www.google.com host, the executed JavaScript can access any google resource
  • 37. Famous XSS Attacks • PayPal Flaw Date: 16 June 2006 WASC Threat Classification: Cross-site Scripting While XSS vulnerabilities in public web sites are found daily, this one is of special interest. It was found in one of the sites most targeted by Phishers, it is exploitable for Phishing and was exploited. On top of that, it seems to have been discovered and reported to PayPal already two years ago but ignored due to a communication failure
  • 38. XSS Attack Vectors • Injecting through (html) form inputs • URL injection (URL sent by e-mail or IM to the victim, or posted on public sites)
  • 39. Persistent XSS Example • XAMPP server running apache. A PHP example site is loaded. • Functionality to add comments is provided • The comments are then stored in a mysql database and then displayed at comments.php
  • 47. Reflected XSS Example • XAMPP server running apache. A PHP example site is loaded. • An attractive link is shown which contains a script • It gets bounced back from the server once the user clicks on the link
  • 50. DOM Based XSS Example • This runs when the interpreter cannot find the img tag and runs the onerror script. There is no requirement of a server in this scenario file:///C:/Users/Admin/Desktop/xss.html#<img src="blah" onerror="alert('XSS!!');">
  • 52. Defense Strategies Almost all scripts use <> () {} “ ‘ ; / • Encoding: Escape user input so that the browser interprets it only as data • Validation: Filter input so that all malicious parts of it are removed
  • 53. Ideas to Bypass Input Verification • Even web applications which validate user inputs can be the target of XSS attacks. Some strategies to bypass such checks • <div style="background:url('javascript:alert(1)')"> javascript is accepted in CSS • <div style="background:url('javanscript:alert(1)')"> If the keyword “javascript” is filtered out, we can try to write it as follows. • alert(eval('document.body.inne' + 'rHTML')); If keywords representing “useful” javascript methods are filtered out, we can use the powerful eval() function to interpret a concatenation of string.
  • 54. Session Tokens • A session identifier, session ID or session token is a piece of data that is used in network communications (often over HTTP) to identify a session, a series of related message exchanges. • Session identifiers become necessary in cases where the communications infrastructure uses a stateless protocol such as HTTP. • A session ID is typically granted to a visitor on their first visit to a site. • It is different from a user ID in that sessions are typically short-lived and may become invalid after a certain goal has been met.
  • 55. Cookies • A cookie is a small text file that contains a small amount of information about a user visiting a site and is stored on the site visitor's computer by their browser. • Because the cookie is stored on the user’s computer, it does not require any server space no matter how many users you have. • We can use cookies to save user preferences, customize data, remember the last visit, or to keep track of items in an order while a user browses.
  • 56. Cookies • Cookies can only be read by the site that created them, or a site 'underneath' the site that created them. This prevents other websites from stealing cookies. • The cookie specification introduced by Netscape also places limits on cookies. These limits are: • 310 total cookies. • 4 kilobytes per cookie • 20 cookies per server or domain.
  • 57. Types of Cookies • First Party Cookies are written by our site and can only be read by our site. • Third Party Cookies are created by advertising in our page that is loaded from a third party site. These can only be read by the advertising code on any site displaying the same ads. • Session Cookies are not actually written to a file but are stored in the browser itself. These cookies only last as long as the browser is open.
  • 58. Sessions • Sessions are a combination of a server-side cookie and a client-side cookie. • Client-side cookie simply holds a value (session token) that uniquely identifies the client to the server, and corresponds to a data file on the server. • Thus, when the user visits the site, their browser sends the reference code to the server, which loads the corresponding data.
  • 59. HTTP session token • A session token is a unique identifier that is generated and sent from a server to a client to identify the current interaction session. • The client usually stores and sends the token as an HTTP cookie and/or sends it as a parameter in GET or POST queries. • Session tokens are used so that the client only has to handle the identifier—all session data is stored on the server (usually in a database, to which the client does not have direct access) linked to that identifier.
  • 60. HTTP session token • Examples of the names that some programming languages use when naming their HTTP cookie include • JSESSIONID (JSP) • PHPSESSID (PHP) • ASPSESSIONID (ASP)
  • 61. Advantages of Sessions • The server-side cookie can contain very large amounts of data with no hassle - client-side cookies are limited in size • The client-side cookie contains nothing other than a small reference code - as this cookie is passed each time someone visits a page on our site, we are saving a lot of bandwidth by not transferring large client- side cookies around • Session data is much more secure - only we are able to manipulate it, as opposed to client-side cookies which are editable by all
  • 62. Conclusion • It is also important to note that sessions only last till the user closes their browser, whereas cookies can be configured to last longer. • However, other than the above, there is not much difference between session data and cookie data for most purposes.
  • 63. References [1] https://www.veracode.com/security/csrf [2] Jakolb Kallin, Irene Lobo Valbuena, Excess XSS, https://excess- xss.com/