Common Vulnerabilities
• Buffer Overflows
• Incomplete Mediation
• Command Injection Attack
• Inference
• Cross-Site Scripting
IFETCE/M.E CSE/NE7202-NIS/Unit 4 2
Buffer Overflows
• Many languages require buffer size declaration
• C language statement: char sample[10];
• Execute statement: sample[i] = 'A'; where i=10
• Out of bounds (0-9) subscript: buffer overflow occurs
• Some compilers don't check for exceeding bounds
• Similar problem caused by pointers. No reasonable way to define limits for pointers
Buffer Overflows
• Example
    int i;
    char sample[10];
    for (i=1; i<=10; i++) sample[i] = 'A';   /* i=10 writes past the end of sample (valid indices 0-9) */
Buffer Overflows, cont.
• Where does the last 'A' go? Depends on what is adjacent to sample[10]
• Affects user's data: overwrites user's data
• Affects user's code: changes user's instruction
• Affects OS data: overwrites OS data
• Affects OS code: changes OS instruction, unpredictable results
• This is a case of aliasing
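An added example (not from the slides) that makes the "depends on what is adjacent" point concrete: a ctypes structure places the slide's sample[10] directly in front of an unrelated integer in real memory, runs the slide's loop with an unchecked store, and shows the last 'A' landing in the neighbour; the checked store is the bounds test C itself does not do. The Frame layout and the helper names are assumptions made for the demonstration.

```python
import ctypes
import sys

SAMPLE_LEN = 10  # the slide's char sample[10]; valid indices are 0..9

class Frame(ctypes.Structure):
    """Two variables placed back to back in real memory: the slide's
    sample[10] followed by an unrelated 32-bit integer (constructed layout)."""
    _pack_ = 1   # no padding, so 'adjacent' starts exactly at offset 10
    _fields_ = [("sample", ctypes.c_char * SAMPLE_LEN),
                ("adjacent", ctypes.c_int32)]

def unchecked_store(frame, i, byte):
    """Models 'sample[i] = byte' as C does it: write one byte at offset i from
    the start of sample, whatever lives there, with no bounds check at all."""
    ctypes.memmove(ctypes.addressof(frame) + i, bytes([byte]), 1)

def checked_store(frame, i, byte):
    """The same store with the bounds check the compiler does not perform."""
    if not 0 <= i < SAMPLE_LEN:
        raise IndexError(f"index {i} is outside sample[0..{SAMPLE_LEN - 1}]")
    unchecked_store(frame, i, byte)

def run_slide_loop(store):
    """The slide's loop, for (i=1; i<=10; i++) sample[i] = 'A', using the given store."""
    frame = Frame()
    frame.adjacent = 0          # the neighbour starts out as zero
    for i in range(1, 11):
        store(frame, i, ord("A"))
    return frame

def corrupted_neighbour():
    """What the adjacent variable holds after the unchecked loop: the last 'A'
    (index 10) landed in its first byte, so it is no longer zero."""
    return run_slide_loop(unchecked_store).adjacent

def expected_corruption():
    """Integer whose lowest-address byte is 'A' and the rest zero, in native byte order."""
    return int.from_bytes(b"A" + b"\x00" * 3, sys.byteorder)

if __name__ == "__main__":
    print("adjacent after unchecked loop:", hex(corrupted_neighbour()))
    try:
        run_slide_loop(checked_store)
    except IndexError as err:
        print("checked store refused:", err)
```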
Buffer Overflows Security Implication
• Attacker replaces code in the system space and takes control back from the operating system
• Suppose buffer overflow affects OS code area:
  • Attacker code executed as if it were OS code
  • Attacker might need to experiment to see what happens when he inserts 'A' into OS code area
  • Can raise attacker's privileges (to OS privilege level) when 'A' is an appropriate instruction
  • Attacker can gain full control of OS
Buffer Overflows Security Implication
• Attacker uses the stack pointer or return register to execute other code
• Parameter passing to web server:
  http://www.somesite.com/subpage/data&parm1=(808)555-1212&parm2=2004Jan01
• What if one of the parameters is made longer?
• Microsoft's Phone Dialer contains a buffer overrun that allows execution of arbitrary code
Summary
• Buffer overflows still common
• Used by attackers
  • to crash systems
  • to exploit systems by taking over control
• Large number of vulnerabilities due to buffer overflows
Incomplete Mediation
• Sensitive data are in exposed, uncontrolled condition
• Example
  • URL to be generated by client's browser to access server, e.g.:
    http://www.things.com/order/final&custID=101&part=555A&qy=20&price=10&ship=boat&shipcost=5&total=205
  • Instead, user edits URL directly, changing price and total cost as follows:
    http://www.things.com/order/final&custID=101&part=555A&qy=20&price=1&ship=boat&shipcost=5&total=25
• Security Implication
  • Easy to exploit – Things, Inc. example
Incomplete Mediation, cont.
• Unchecked data are a serious vulnerability!
• Possible solution: anticipate problems
  • Don't let client return a sensitive result (like total) that can be easily recomputed by server
  • Use drop-down boxes / choice lists for data input
  • Prevent user from editing input directly
  • Check validity of data values received from client
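An added example (not from the slides) of the "recompute on the server" control: the order URL from the Things, Inc. example is parsed, the price, shipping cost and total are recalculated from server-held data, and a client-supplied total that disagrees is flagged. The CATALOG and SHIPPING tables and the function names are assumptions; the URL form (parameters after the first '&') is the slide's.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed server-side price data; the client never gets to supply prices.
CATALOG = {"555A": 10}
SHIPPING = {"boat": 5, "air": 20}

def parse_order(url):
    """Read the order parameters from the slide's URL form, where they follow
    the first '&' in the path."""
    _, _, query = urlsplit(url).path.partition("&")
    return {key: values[0] for key, values in parse_qs(query).items()}

def price_order(params):
    """Recompute price, shipping cost and total from server-held data. Only part,
    quantity and shipping method are taken from the client, after validation."""
    part, ship = params.get("part"), params.get("ship")
    qty = int(params.get("qy", "0"))
    if part not in CATALOG or ship not in SHIPPING or qty <= 0:
        raise ValueError("rejected order: unknown part/shipping or bad quantity")
    price, shipcost = CATALOG[part], SHIPPING[ship]
    return {"price": price, "shipcost": shipcost, "total": qty * price + shipcost}

def check_order(url):
    """Return (server_total, tampered). 'tampered' is True when the client-sent
    total disagrees with the server's own computation, which is worth logging."""
    params = parse_order(url)
    server = price_order(params)
    tampered = "total" in params and int(params["total"]) != server["total"]
    return server["total"], tampered

if __name__ == "__main__":
    edited = ("http://www.things.com/order/final&custID=101&part=555A&qy=20"
              "&price=1&ship=boat&shipcost=5&total=25")
    print(check_order(edited))   # the server charges 205 and flags the edit
```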
Attacking the Web Application
• Web application:
  • takes input strings from the user and interprets them.
  • Interacts with back-end database.
  • Retrieves data and dynamically generates new content.
  • Presents the output to the user.
• The threat – Command Injection Attack:
  • Unexpected input may cause problems.
What is code injection?
• Code injection is the exploitation of a computer bug that is caused by processing invalid data.
• Code injection can be used by an attacker to introduce (or "inject") code into a computer program to change the course of execution.
• The results of a code injection attack can be disastrous.
Code Injection
Code injection can do:
• Arbitrarily modify values in a database through a type of code injection called SQL injection. The impact of this can range from defacement of a web site to serious compromise of sensitive data.
• Install malware on a computer by exploiting code injection vulnerabilities in a web browser or its plugins when the user visits a malicious site.
• Install malware or execute malevolent code on a server, by PHP or ASP injection.
• Privilege escalation to root permissions by exploiting shell injection vulnerabilities in a setuid root binary on UNIX.
• Privilege escalation to Local System permissions by exploiting shell injection vulnerabilities in a service on Windows.
• Stealing sessions/cookies from web browsers using HTML/script injection (cross-site scripting).
Different types of code injection
• SQL injection
• LDAP injection
• OS command injection
• Cross-Site Scripting ("XSS")
SQL injection
• SQL injection attack consists of injection of malicious SQL commands via input data from the client to the application.
• Affects the execution of predefined SQL commands.
• SQL injection consists of direct insertion of code into user-input variables which are concatenated with SQL commands and executed.
• A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata.
• When the stored strings are subsequently concatenated into dynamic SQL commands, the malicious code is then executed.
Web Application Architecture (diagram)
Web browser → Application → Database
• User input flows from the web browser to the application.
• The application generates a database query based on the user input.
• The database returns the result, and the application returns a web page to the browser.
SQLCIAs - Example
    String query = "SELECT cardnum FROM accounts WHERE username = '" + strUName + "' AND cardtype = " + strCType + ";";
Expected input:
    SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2;
Result: Returns John's saved credit card number.
Malicious input:
    SELECT cardnum FROM accounts WHERE username = 'John' AND cardtype = 2 OR 1 = 1;
Result: Returns all saved credit card numbers.
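An added example (not from the slides) that runs the SQLCIA example above against a constructed in-memory SQLite table: the concatenated query returns every card number when cardtype is "2 OR 1 = 1", while the parameterized version validates cardtype as an integer and binds both values, so the same input is rejected. The table contents and function names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed accounts table standing in for the slide's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, cardtype INTEGER, cardnum TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("John", 2, "4111-0000-0000-1111"),   # constructed sample values
        ("Mary", 1, "5500-0000-0000-2222"),
        ("Paul", 2, "3400-0000-0000-3333"),
    ])
    return db

def lookup_concatenated(db, uname, ctype):
    """The slide's query, built by string concatenation: user input becomes SQL text."""
    query = ("SELECT cardnum FROM accounts WHERE username = '" + uname
             + "' AND cardtype = " + ctype + ";")
    return [row[0] for row in db.execute(query)]

def lookup_parameterized(db, uname, ctype):
    """Same lookup with bound parameters. cardtype is converted to an integer
    first, so anything that is not a number is refused before the query runs;
    the username is passed as data and can never change the query's structure."""
    cardtype = int(ctype)          # "2 OR 1 = 1" raises ValueError here
    rows = db.execute(
        "SELECT cardnum FROM accounts WHERE username = ? AND cardtype = ?",
        (uname, cardtype))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print(lookup_concatenated(db, "John", "2"))            # John's card only
    print(lookup_concatenated(db, "John", "2 OR 1 = 1"))   # every card in the table
    print(lookup_parameterized(db, "John", "2"))           # John's card only
```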
4. Inference
• Way to infer / derive sensitive data from nonsensitive data
Direct Attack
• A user tries to determine values of sensitive fields by seeking them
• A sensitive query:
  List NAME where SEX=M ^ DRUGS=1
• A less obvious query:
  List NAME where (SEX=M ^ DRUGS=1) v (SEX≠M ^ SEX≠F) v (DORM=AYRES)
Direct Attack (cont.)
• Do not reveal results when a small number of people make up a large proportion of a category.
• The rule of "n items over k percent" means that data should be withheld if n items represent over k percent of the result reported.
Indirect Attack
• Sum: an attack by sum tries to infer a value from a reported sum.
• Count: the count can be combined with the sum to produce some even more revealing results.
• Mean: the arithmetic mean (average) allows exact disclosure if the attacker can manipulate the subject population.
• Median
• Tracker attacks: using additional queries that produce small results
Indirect Attack
• Sum
  Show STUDENT-AID WHERE SEX=F ^ DORM=Grey
• Count
  Show Count, STUDENT-AID WHERE SEX=M ^ DORM=Holmes
  List NAME where (SEX=M ^ DORM=Holmes)
Controls
• Suppression: don't provide sensitive data
• Concealing: don't provide actual values ("close to")
• Limited Response Suppression
  • n-item k-percent rule eliminates low frequency elements from being displayed (may need to suppress additional rows/columns)
Controls
• Combined Results
  • Sums
  • Ranges
  • Rounding
• Random Sample
• Random Data Perturbation
• Query Analysis: "should the result be provided"
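An added example (not from the slides) that applies limited response suppression to the sum and count queries of the Indirect Attack slides: a constructed STUDENT table is queried through functions that enforce the n-item k-percent rule, withholding a sum when a handful of records dominate it or when the matching set is too small to hide an individual. The records, the thresholds N_ITEMS=2 and K_PERCENT=50, and the function names are assumptions.

```python
# Constructed student records standing in for the slide's STUDENT table.
STUDENTS = [
    {"name": "Adams",   "sex": "M", "dorm": "Holmes", "aid": 5000},
    {"name": "Bailey",  "sex": "F", "dorm": "Grey",   "aid": 3000},
    {"name": "Chin",    "sex": "M", "dorm": "Holmes", "aid": 2500},
    {"name": "Dewitt",  "sex": "F", "dorm": "Holmes", "aid": 4000},
    {"name": "Earhart", "sex": "F", "dorm": "Ayres",  "aid": 2000},
    {"name": "Fein",    "sex": "M", "dorm": "Grey",   "aid": 3500},
]

N_ITEMS, K_PERCENT = 2, 50   # assumed thresholds for the n-item k-percent rule

def select(where):
    """Rows matching a predicate, e.g. lambda r: r["sex"] == "F" and r["dorm"] == "Grey"."""
    return [r for r in STUDENTS if where(r)]

def dominated(rows, field):
    """n-item k-percent rule: withhold when N_ITEMS or fewer records make up more
    than K_PERCENT of the statistic, or when the result set itself is that small."""
    if len(rows) <= N_ITEMS:
        return True
    total = sum(r[field] for r in rows)
    largest = sorted((r[field] for r in rows), reverse=True)[:N_ITEMS]
    return total > 0 and 100 * sum(largest) / total > K_PERCENT

def query_sum(field, where):
    """Sum query with limited response suppression; None means 'withheld'."""
    rows = select(where)
    return None if dominated(rows, field) else sum(r[field] for r in rows)

def query_count(where):
    """Count query; counts of N_ITEMS or fewer people are withheld, since a
    count that small plus a sum would pin down one person's value."""
    rows = select(where)
    return None if len(rows) <= N_ITEMS else len(rows)

if __name__ == "__main__":
    # The slide's sum query matches one student, so her aid would be disclosed outright.
    print(query_sum("aid", lambda r: r["sex"] == "F" and r["dorm"] == "Grey"))   # None
    print(query_sum("aid", lambda r: True))                                      # 20000
```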
Conclusion on the Inference Problem
• No perfect solutions to the inference problem.
• The approaches to controlling it:
  • Suppress obviously sensitive information
  • Track what the user knows
  • Disguise the data
Cross-Site Scripting (XSS)
• Occurs any time...
  • Raw data from attacker is sent to an innocent user
• Raw data...
  • Stored in database
  • Reflected from web input (form field, hidden field, URL, etc.)
  • Sent directly into rich JavaScript client
• Virtually every web application has this problem
• Try this in your browser – javascript:alert(document.cookie)
XSS (cont.)
• Allows embedding of malicious code: JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
• Threats: phishing, hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...
XSS Types
• Reflected
  • Link in other website / e-mail link
• Stored
  • e.g. bulletin board, forum
• DOM-Based
Cross-Site Scripting Illustrated
(Diagram: an application with a stored XSS vulnerability, made up of custom code and the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt and E-Commerce.)
1. Attacker sets the trap – update my profile: attacker enters a malicious script into a web page that stores the data on the server
2. Victim views page – sees attacker profile: script runs inside victim's browser with full access to the DOM and cookies
3. Script silently sends attacker victim's session cookie
Protection
• Input validation
• Output encoding:
    <  →  &lt;
    >  →  &gt;
    (  →  &#40;
    )  →  &#41;
    #  →  &#35;
    &  →  &amp;
• Do not use "blacklist" validation
• Specify the output encoding
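An added example (not from the slides) of the output-encoding control applied to the stored-XSS scenario illustrated above: profile text saved by one user is rendered into another user's page, once unencoded and once through the slide's encoding table, and an HTML parser is used to confirm which elements actually reach the browser. The quote entries in ENCODE, the constructed STORED_BIO and the function names are assumptions.

```python
import html
from html.parser import HTMLParser

# Output-encoding table from the slide, plus the two quote characters so the
# same function is also safe inside quoted attribute values (added assumption).
ENCODE = {"<": "&lt;", ">": "&gt;", "(": "&#40;", ")": "&#41;",
          "#": "&#35;", "&": "&amp;", '"': "&quot;", "'": "&#39;"}

def encode_for_html(text):
    """Entity-encode every listed character; everything else passes through."""
    return "".join(ENCODE.get(ch, ch) for ch in text)

def render_profile_unsafe(bio):
    """Stored profile text dropped straight into the page: stored XSS."""
    return "<p class=\"bio\">" + bio + "</p>"

def render_profile_safe(bio):
    """Same page, but the stored text is encoded at output time."""
    return "<p class=\"bio\">" + encode_for_html(bio) + "</p>"

def round_trips(text):
    """Encoding loses nothing: a browser decodes the entities back to the original text."""
    return html.unescape(encode_for_html(text)) == text

class TagCollector(HTMLParser):
    """Records every start tag a browser-style parser sees in a fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def tags_in(fragment):
    """Which elements a fragment really contains, as a check on the encoder."""
    collector = TagCollector()
    collector.feed(fragment)
    return collector.tags

# Constructed attacker-controlled profile text, mirroring the slide's alert(document.cookie).
STORED_BIO = "Hi there! <script>alert(document.cookie)</script>"

if __name__ == "__main__":
    print(tags_in(render_profile_unsafe(STORED_BIO)))   # ['p', 'script']: the script reaches the browser
    print(tags_in(render_profile_safe(STORED_BIO)))     # ['p']: only the page's own element
    print(round_trips(STORED_BIO))                      # True: the text is displayed, not executed
```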