1 / 13

Announcements

Announcements. Extended office hours from now until the midterm Thursday 10-11:30am Tao, 8pm-9pm Jaebum Friday 10-11:30am Tao Saturday 7-8pm Tao Sunday 8-9pm Jaebum Monday 12:55-1:55pm Arash , 5-6pm Arash Tuesday 10-11am Jaebum , 12:55-1:55pm Arash Questions on the midterm?

ania
Download Presentation

Announcements

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Announcements Extended office hours from now until the midtermThursday 10-11:30am Tao, 8pm-9pm Jaebum Friday 10-11:30am Tao Saturday 7-8pm Tao Sunday 8-9pm Jaebum Monday12:55-1:55pm Arash, 5-6pm Arash Tuesday 10-11am Jaebum, 12:55-1:55pm Arash Questions on the midterm? SQL injection attack slides Other attacks

  2. Database Vulnerabilities on the Web SQL injection Cross-site scripting (XSS) Cross-site request forgeries (CSRF) Not just a DB vulnerability

  3. Is this funny yet? From xkcd.com

  4. How can you prevent SQL injection attacks? • Use “parameterized statements”, if your DBMS/host language supports them (shown in Sruthi’s slides) • Else validate data prior to using it within dynamic SQL queries, e.g., with PHP filtering functions, and remove all suspect characters • Use a testing tool that tries injection attacks before you release your code But these rules are intended for developers. How can you fix legacy code? [Bandhakavi et al., CCS07]

  5. Cross-site scripting (XSS): don’t trust any kind of input From http://shiflett.org/articles/foiling-cross-site-attacks <form action="/register.php" method="POST"> <p>Username: <input type="text" name="username" /> <p>Email: <input type="text" name="email" /> <p><input type="submit" value="Register" /></p> </form>

  6. Cross-site scripting (XSS): don’t trust any kind of input From http://shiflett.org/articles/foiling-cross-site-attacks <form action="/register.php" method="POST"> <p>Username: <input type="text" name="username" /> <p>Email: <input type="text" name="email" /> <p><input type="submit" value="Register" /></p> </form> … <?php $mysql = array(); $mysql['username'] =mysql_real_escape_string($_POST['username']); $mysql['email'] = mysql_real_escape_string($_POST['email']);   $sql = "INSERT INTO users (username, email) ” . “VALUES ('{$mysql['username']}', '{$mysql['email']}')"; > … Finds the special characters and puts \ in front of them

  7. Cross-site scripting (XSS): don’t trust any kind of input From http://shiflett.org/articles/foiling-cross-site-attacks <form action="/register.php" method="POST"> <p>Username: <input type="text" name="username" /> <p>Email: <input type="text" name="email" /> <p><input type="submit" value="Register" /></p> </form> <script>alert('XSS');</script> whatever@wherever.edu … <?php $mysql = array(); $mysql['username'] =mysql_real_escape_string($_POST['username']); $mysql['email'] = mysql_real_escape_string($_POST['email']);   $sql = "INSERT INTO users (username, email) ” . “VALUES ('{$mysql['username']}', '{$mysql['email']}')"; > …

  8. Now the DB contains malicious garbage <table> <tr> <th>Username</th> <th>Email</th> </tr>   <?php   if ($_SESSION['admin']) { $sql = 'SELECT username, email FROM users';   $result = mysql_query($sql);   while ($record = mysql_fetch_assoc($result)) { echo " <tr>\n"; echo " <td>{$record['username']}</td>\n"; echo " <td>{$record['email']}</td>\n"; echo " </tr>\n"; } }   ?>   </table> XSS ADMIN

  9. We can steal the admin’s cookies, hijack her session, impersonate her <table> <tr> <th>Username</th> <th>Email</th> </tr>   <?php   if ($_SESSION['admin']) { $sql = 'SELECT username, email FROM users';   $result = mysql_query($sql);   while ($record = mysql_fetch_assoc($result)) { echo " <tr>\n"; echo " <td>{$record['username']}</td>\n"; echo " <td>{$record['email']}</td>\n"; echo " </tr>\n"; } }   ?>   </table> ADMIN

  10. How to prevent XSS attacks • Carefully filter all input • Carefully escape all output (so that it cannot be interpreted as HTML commands)

  11. Cross-site request forgery (CSRF): user = unwitting accomplice http://shiflett.org/articles/foiling-cross-site-attacks An administrator requests http://attacksite.org/cuteKittens.html and receives: HTTP/1.1 200 OK Content-Length: 121   <html> <imgsrc=“http://cutecats.com/cat_of_the_week.gif”> <imgsrc="http://mycompany.org/admin/terminate_employee.php?employee_id=123" > </html> When the browser requests the second image: GET /admin/terminate_employee.php?employee_id=123 HTTP/1.1 Host: mycompany.org Cookie: PHPSESSID=123456789

  12. This works even if the target is only available on an intranet http://shiflett.org/articles/ foiling-cross-site-attacks

  13. Preventing CSRF • Use POST, not GET, for actions; and use $_POST, not $_REQUEST • Ask the user to confirm: “Do you really want to fire these people?” • Embed a fresh token in the legitimate form used to fire people, and require that this token be submitted with the form’s request, within a timeout interval What about legacy forms?

More Related