CIT 380: Securing Computer Systems
Web Security
Client-side Attacks
• Buffer Overflow
  • 2004 iframe
  • 2004-05 jpeg
• Remote Code
  • ActiveX
  • Flash
  • Java
  • Javascript
ActiveX
Executable code downloaded from server
• Activated by HTML object tag.
• Native code binary format.
• Security model
  • Digital signature authentication
  • Zone-based access control
  • No control once execution starts
Java
• Digital signature authentication
• Sandbox
  • Sandbox Limits
    • Cannot read/write files.
    • Cannot start programs.
    • Network access limited to originating host.
  • Sandbox Components
    • Byte-code verifier
    • Class loader
    • Security manager
MPack Browser Malware
• User visits site.
• Response contains iframe.
• Iframe code causes browser to make request.
• Request redirected to MPack server.
• Server identifies OS and browser, sends exploit that will work for client configuration.
• Exploit causes browser to send request for code.
• MPack downloader sent to user, begins downloading other malware.
MPack
Commercial underground PHP software
• Sold for $700-1000.
• Comes with one year technical support.
• Can purchase updated exploits for $50-150.
Infection Techniques
• Hacking into websites and adding iframes.
• Sending HTML mail with iframes.
• Typo-squatting domains.
• Use Google Ads to draw traffic.
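The first infection technique on the slide is a website owner's problem before it is a visitor's: the injected iframe is sized or styled so nobody sees it. The following script is an added example (not code from the slides or from MPack) that a site owner can run over their own pages to list iframes that are hidden or point at a host outside an allow-list. The sample page, the `.invalid` hostnames and the `audit_html`/`IframeAuditor` names are all constructed for this demo.

```python
"""Find hidden or off-site iframes in a page's HTML.

Added example, not from the CIT 380 slides or the MPack software. MPack-style
compromises plant an iframe the visitor never sees (0x0, hidden by CSS, or
positioned off-screen) that points at the exploit server. A site owner can run
this over their own pages. The sample page and hostnames below are constructed;
".invalid" names stand in for the attacker's host.
"""
import re
from html.parser import HTMLParser

# CSS fragments that make an element invisible or push it off-screen.
INVISIBLE_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\s*(?:;|$)"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def _host_of(src):
    """Hostname of an absolute or protocol-relative URL; '' for a relative path."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/?#]+)", src, re.I)
    return m.group(1).lower() if m else ""


class IframeAuditor(HTMLParser):
    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = {h.lower() for h in trusted_hosts}
        self.findings = []  # (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny size")
        if INVISIBLE_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        host = _host_of(src)
        if host and host not in self.trusted_hosts:
            reasons.append("third-party host " + host)
        if reasons:
            self.findings.append((src, reasons))


def audit_html(page_html, trusted_hosts):
    """Return [(src, reasons)] for every iframe that is hidden or points off-site."""
    auditor = IframeAuditor(trusted_hosts)
    auditor.feed(page_html)
    auditor.close()
    return auditor.findings


# Constructed sample: one legitimate embed plus two injected, invisible iframes.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/news" width="600" height="400"></iframe>
<iframe src="http://exploit-server.invalid/in.cgi" width="0" height="0"></iframe>
<iframe src="//exploit-server.invalid/x.php"
        style="visibility:hidden; position:absolute; left:-1000px"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE, ["www.example.com"]):
        print(src, "->", ", ".join(reasons))
```

A visible iframe to an allow-listed host produces no finding; anything tiny, CSS-hidden or pointing elsewhere is reported with the reasons, so the list can be triaged by hand. Running it as part of a deploy check, or against a fresh fetch of each page on a schedule, turns the slide's "adding iframes" into something that is noticed the same day.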
Client Protection
• Disable ActiveX and Java.
• Use NoScript to limit Javascript.
• Run browser with least privilege.
• Use a browser sandbox:
  • VMWare Virtual Browser Appliance
  • Protected Mode IE (Windows Vista)
• Go to sites directly instead of using links.
• Use plain text e-mail instead of HTML.
• Patch your browser regularly.
• Use a personal firewall.
Web Reconnaissance
Google Hacking
• “Index of” +passwd
• “Index of” +password.txt
• filetype:htaccess user
• allinurl:_vti_bin shtml.exe
Web Crawling
• wget --mirror http://www.w3.org/ -o /mirror/w3
Santy Worm used Google to find vulnerable servers.
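Both halves of this slide leave traces in the target's own access log: each dork points at a specific file, so a server that has it sees requests for that path from whoever followed the search result, and a mirroring run arrives as a burst of requests with wget's User-Agent. The script below is an added example (not from the slides) of detection logic run over constructed Apache combined-format log lines; the function names, the RFC 5737 addresses and the rate threshold are assumptions for the demo.

```python
"""Spot reconnaissance in a web server's access log.

Added example, not from the CIT 380 slides. Each Google-hacking query on the
slide targets a specific exposed file; a server that has one sees requests for
it from whoever found the search result. Site mirroring shows up too: wget
announces itself in the User-Agent and fires requests far faster than a person
reading pages. Log lines below are constructed in Apache combined format using
RFC 5737 documentation addresses.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Request paths corresponding to the dorks on the slide.
SENSITIVE_PATHS = [
    re.compile(r"/passwd$", re.I),
    re.compile(r"/password\.txt$", re.I),
    re.compile(r"/\.htaccess$", re.I),
    re.compile(r"/_vti_bin/shtml\.exe", re.I),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_sensitive_hits(lines):
    """(ip, path, status) for each request to a dork-matching path.
    A 200 means the file really is exposed and the dork will keep finding it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and any(p.search(rec["path"]) for p in SENSITIVE_PATHS):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


def find_mirroring(lines, window_seconds=60, threshold=20):
    """IPs that look like a crawler: a wget User-Agent, or at least `threshold`
    requests inside any `window_seconds` window (sliding over sorted timestamps)."""
    times_by_ip = defaultdict(list)
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("wget"):
            flagged.add(rec["ip"])
        times_by_ip[rec["ip"]].append(rec["ts"])
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


# Constructed log: one normal visitor, one probe for the slide's dork paths,
# and one host pulling 25 pages in 25 seconds with wget.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2007:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2007:10:00:02 +0000] "GET /etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2007:10:00:03 +0000] "GET /backup/password.txt HTTP/1.1" 200 88 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [10/Mar/2007:10:00:04 +0000] "GET /.htaccess HTTP/1.1" 403 220 "-" "Mozilla/4.0"',
] + [
    '192.0.2.9 - - [10/Mar/2007:10:01:%02d +0000] "GET /page%d.html HTTP/1.1" 200 500 "-" "Wget/1.10.2"' % (i, i)
    for i in range(25)
]

if __name__ == "__main__":
    for hit in find_sensitive_hits(SAMPLE_LOG):
        print("sensitive path requested:", hit)
    print("crawler-like sources:", sorted(find_mirroring(SAMPLE_LOG)))
```

The status code in each hit is the actionable part: a 404 or 403 says the dork found nothing on this server, while a 200 says the file is being served and should be removed or access-controlled rather than just watched. The User-Agent check catches a default wget run; a crawler that sets a browser-like agent is still caught by the request-rate window, which is why both signals are kept.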
Key Points
• All input can be dangerous
  • URLs, Cookies, Executable content
• Consider both client and server security.
• SSL is not a panacea
  • Confidentiality + integrity of data in transit.
  • Input-based attacks can be delivered via SSL.
• Top Vulnerabilities
  • Cross-Site Scripting
  • SQL Injection
  • Remote File Inclusion
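"All input can be dangerous" and the first two top vulnerabilities come together in a handful of lines. The block below is an added example (not from the slides) that places the vulnerable form of each next to its fix: SQL assembled by string formatting beside a parameterized query, and raw HTML output beside escaped output. The in-memory SQLite table, the function names and the probe input are constructed for the demo.

```python
"""Vulnerable and hardened handling of untrusted input.

Added example, not from the CIT 380 slides. It puts the two top vulnerabilities
named on the slide side by side with their fixes: SQL built by string
formatting versus a parameterized query, and raw versus escaped HTML output.
The in-memory user table and the inputs are constructed for the demo.
"""
import html
import sqlite3


def make_db():
    """Two-row user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn, name):
    """VULNERABLE: the untrusted value is spliced into the SQL text, so quote
    characters in it change the query instead of being matched as data."""
    sql = "SELECT name, email FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened: the driver binds the value as a parameter; whatever it contains,
    the query can only compare it against the name column."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_comment_unsafe(text):
    """VULNERABLE: user text is emitted as markup, so tags in it run as HTML."""
    return "<p>%s</p>" % text


def render_comment_safe(text):
    """Hardened: HTML-encode on output so the browser treats the text as text."""
    return "<p>%s</p>" % html.escape(text, quote=True)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed: a "name" that is also SQL syntax
    print("unsafe:", lookup_unsafe(db, probe))  # every row comes back
    print("safe:  ", lookup_safe(db, probe))    # no user has that literal name
    print(render_comment_safe("<b>hello</b>"))
```

The same probe string returns the whole table from the string-built query and nothing from the parameterized one, which is the point of the slide's "all input can be dangerous": the fix is not to reject particular characters but to keep data out of the code path entirely, by binding parameters on the SQL side and encoding on the HTML side. Note that neither fix depends on SSL; the request can arrive over HTTPS and be just as dangerous.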