CS166 FINAL PROJECT
SAN JOSE STATE UNIVERSITY
CS166 SPRING 2017
KAYA OTA
CONTENT
1. Behind the scene tour of this site
2. SQL Injection
3. XSS (Cross Site Scripting)
4. Cookie Stealing
5. Protocol
   1. Authentication
6. CSRF
BEHIND THE SCENE TOUR OF THIS SITE
ENTRY URL FOR CS166 BLOG
• The prevented (hardened) code is running at:
  http://ec2-34-208-99-244.us-west-2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/prevented/index.html
• The given (attackable) code is running at:
  http://ec2-34-208-99-244.us-west-2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/attackable/index.html
HOW TO BUILD THIS SITE
• Download the source code from GitHub:
  https://github.com/28kayak/CS166_Final_Project.git
• Set up an AWS Windows Server instance with the following security group (shown on the slide).
HOW TO BUILD THIS SITE
• Set up XAMPP with Tomcat and MariaDB.
• Check the Windows Server firewall settings (image on the left).
• The Tomcat entry point is on port 8080.
  • Because the attackable build is intentionally vulnerable, restrict the security group's inbound rule for port 8080 to your own IP address rather than 0.0.0.0/0.
SQL TABLE – LOGIN –
• Uses MariaDB
• The login table contains user information:
  • fullname – user's name
  • user – user ID
  • pass – password (the login queries shown later compare it as sha2(?, 256), i.e. as an unsalted SHA-256 hash)
  • role – user role (present in the table; not described on the slide)
  • random – salt for the password (note: the login queries shown later do not use this column when hashing)
Columns: fullname | user | pass | role | random
SQL TABLE – BLOG –
• The blog table contains the posts for the blog:
  • title – title of the post
  • content – body of the post (the article text)
  • id – post ID, the primary key
Columns: title | content | id
SQL INJECTION
SQL INJECTION – OVERVIEW –
• A type of injection attack
• A SQL injection attack consists of the "injection" of SQL query fragments via input data sent from the client to the application.
• When an injection succeeds, the attacker can:
  • Read sensitive data
  • Modify DB data
  • Run administrative operations on the database
SQL INJECTION – THREAT MODELING –
• SQL injection lets attackers spoof identity and tamper with data in the database.
• SQL injection can cause repudiation issues, e.g.
  • voiding transactions
  • changing balances
• SQL injection is common with PHP and ASP applications because of the prevalence of older functional database interfaces.
• Because of the nature of the programmatic interfaces available, J2EE and ASP.NET applications are less likely to have easily exploited SQL injection (OWASP, SQL Injection).
SQL INJECTION – PREVENTION –
I. Use prepared statements / parameterized queries
  I. Prepared statements force the developer to define all of the SQL code first and pass the required parameters to the query later.
  II. This lets the DB distinguish between code and data, independent of user input.
SQL INJECTION – PREVENTION –
No use of prepared statement (vulnerable: the user input is concatenated into the query text):

```java
String user = request.getParameter("user");
String pass = request.getParameter("pass");
String sqlStr = "SELECT fullname FROM login WHERE user='" + user
        + "' and pass = sha2('" + pass + "', 256)";
```

Use of prepared statement (the ? placeholders are bound separately, so the input is always treated as data, never as SQL):

```java
String user = request.getParameter("user");
String pass = request.getParameter("pass");
String sqlStr = "SELECT count(*) FROM login WHERE user=? and pass = sha2(?, 256)";
PreparedStatement stmt = con.prepareStatement(sqlStr);
stmt.setString(1, user);
stmt.setString(2, pass);
ResultSet rs = stmt.executeQuery();
```
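The two slide snippets side by side as an added, runnable example; this is not the project's code. It uses Python with an in-memory SQLite database standing in for MariaDB, with a small sha2() function registered so the query text can stay the same as on the slide. The table row, the user name, the password and the payloads are constructed sample data; the column names follow the login table slide.

```python
import hashlib
import sqlite3


def sha2(value: str, bits: int) -> str:
    """Stand-in for MariaDB's SHA2(str, 256) so the slide's query text runs on SQLite."""
    if bits != 256:
        raise ValueError("only SHA2-256 is emulated here")
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def make_login_db() -> sqlite3.Connection:
    """Constructed in-memory login table with the slide's columns and one sample user."""
    con = sqlite3.connect(":memory:")
    con.create_function("sha2", 2, sha2)
    con.execute(
        "CREATE TABLE login (fullname TEXT, user TEXT, pass TEXT, role TEXT, random TEXT)"
    )
    con.execute(
        "INSERT INTO login VALUES (?, ?, sha2(?, 256), ?, ?)",
        ("Alice Admin", "alice", "correct horse battery", "admin", "0f1e2d3c"),
    )
    return con


def vulnerable_login(con: sqlite3.Connection, user: str, pw: str):
    """Same string concatenation as the 'no prepared statement' slide code.
    Returns the matched fullname, or None when the login fails."""
    sql = ("SELECT fullname FROM login WHERE user='" + user
           + "' and pass = sha2('" + pw + "', 256)")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con: sqlite3.Connection, user: str, pw: str):
    """Parameterized version: the driver binds user/pw as data, never as SQL text."""
    sql = "SELECT fullname FROM login WHERE user=? and pass = sha2(?, 256)"
    row = con.execute(sql, (user, pw)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both implementations against a normal login and two injection payloads."""
    con = make_login_db()
    # "alice' -- " comments out the password check for a known user;
    # "' OR 1=1 -- " matches every row, so the first user is returned.
    payloads = ["alice' -- ", "' OR 1=1 -- "]
    results = {
        "legit_vulnerable": vulnerable_login(con, "alice", "correct horse battery"),
        "legit_safe": safe_login(con, "alice", "correct horse battery"),
    }
    for p in payloads:
        results["vulnerable[" + p + "]"] = vulnerable_login(con, p, "wrong password")
        results["safe[" + p + "]"] = safe_login(con, p, "wrong password")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:32} -> {value}")
```

With the concatenated query both payloads log in as Alice Admin with a wrong password; with the bound parameters the same strings are looked up as literal user names and match nothing, while the genuine credentials still work in both versions.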
SQL INJECTION – PREVENTION –
II. Use stored procedures
  I. Not always safe from SQL injection
  II. Certain stored procedures have a similar effect to the use of parameterized queries
  III. They require building the SQL query with parameters that are automatically parameterized, unless the developer does something out of the norm (e.g. builds dynamic SQL inside the procedure).
SQL INJECTION – DEMONSTRATION –
• Non-preventing (attackable) site:
  http://ec2-34-208-99-244.us-west-2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/attackable/login_form.html
• Preventing site:
  Running here
XSS – CROSS SITE SCRIPTING –
XSS – OVERVIEW –
• A type of injection attack
• Injects malicious script into an otherwise benign and trusted website.
• Occurs when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
XSS – THREAT MODELING –
• XSS lets attackers do the following:
  • Identity theft (fraud)
  • Redirect traffic by altering URLs
  • Session hijacking
  • Steal sensitive information kept in JavaScript variables
XSS – PREVENTION –
• Never insert untrusted data except in allowed locations.
• Deny all: do not put untrusted data into your HTML document unless it is within one of the slots defined in the following rules (#1 through #5 of the OWASP XSS Prevention Cheat Sheet).
• Most importantly, never accept actual JavaScript code from an untrusted source and run it.
• Escape XML/HTML sequences: replace &, <, >, " and ' with their escape sequences before inserting untrusted data into the page.
  • http://www.avajava.com/tutorials/lessons/how-do-i-escape-a-string-for-xml.html
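An added example, not from the project, of the escaping rule above in Python: it renders a constructed blog post the way the attackable and prevented builds might. The page template, the payload and the helper names are assumptions made for the illustration. It also covers the case escaping alone does not fix, a javascript: URL in an href attribute, which falls under "never accept actual JavaScript".

```python
from urllib.parse import urlparse

# Constructed attacker input: the kind of payload a stored-XSS blog post would carry.
STORED_PAYLOAD = "<script>alert(document.cookie)</script>"

# The characters that must be escaped before untrusted data goes into element
# content or a quoted attribute (OWASP XSS Prevention rule #1).
_XML_ESCAPES = str.maketrans({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
})


def escape_xml(s: str) -> str:
    """Single-pass escape: translate() avoids the classic bug of escaping '&'
    after '<' has already become '&lt;' (which would yield '&amp;lt;')."""
    return s.translate(_XML_ESCAPES)


# Assumed page template for one blog post: title, content and a source link.
TEMPLATE = (
    "<h1>{title}</h1>\n"
    '<div class="post">{content}</div>\n'
    '<a href="{link}">source</a>'
)


def safe_href(url: str) -> str:
    """Escaping does nothing for 'javascript:alert(1)' in an href: it contains no
    special characters. Allow only absolute http/https URLs, then escape."""
    cleaned = url.strip()
    parsed = urlparse(cleaned)
    if parsed.scheme.lower() not in ("http", "https") or not parsed.netloc:
        return "#"
    return escape_xml(cleaned)


def render_post_vulnerable(title: str, content: str, link: str) -> str:
    """Mirrors the attackable build: untrusted data is inserted verbatim."""
    return TEMPLATE.format(title=title, content=content, link=link)


def render_post_safe(title: str, content: str, link: str) -> str:
    """Prevented build: escape for element content, allowlist the URL slot."""
    return TEMPLATE.format(
        title=escape_xml(title),
        content=escape_xml(content),
        link=safe_href(link),
    )


def has_active_content(rendered: str) -> bool:
    """Crude check for the demo: is a raw script tag or javascript: href still present?"""
    lowered = rendered.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    args = ("My post", STORED_PAYLOAD, "javascript:alert(1)")
    print("vulnerable:\n" + render_post_vulnerable(*args))
    print("\nprevented:\n" + render_post_safe(*args))
```

The escaped output shows the payload as literal text in the browser, and the link slot falls back to "#" because a scheme allowlist, not escaping, is what protects a URL attribute.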
SCREENSHOT FOR XSS
(the slide shows two screenshots: ATTACKED and PREVENTED)
XSS – DEMONSTRATION –
• Demonstration running at:
  http://ec2-34-208-99-244.us-west-2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/attackable/login_form.html
CSRF (CROSS SITE REQUEST FORGERY)
CSRF – OVERVIEW –
• CSRF is a type of attack that forces a user to run unwanted actions on a web application in which he/she is currently authenticated.
• The forged HTTP requests are transmitted from a user that the web site trusts or has authenticated (e.g., via HTTP redirects or HTML forms), so the browser attaches the user's session cookies to them.
• A CSRF attack is built from an exploit URL or script, e.g.
  http://bank.com/transfer.do?acct=MARIA&amount=100000
  The attacker can manually change the values to request the service on the victim's behalf.
CSRF – THREAT MODEL –
• Impact: the user may access resources on behalf of the attacker.
  • The user may upload private images to the attacker's server.
  • When using third-party login, the user may associate his client account with the attacker's identity at an identity provider (RFC 6819, section 4.4.1.8).
CSRF – PREVENTION –
• Use the synchronizer token pattern: an unguessable per-session token stored server side, embedded in every state-changing form and verified on submission.
• Never use the GET method in an HTML form for an action that changes state; use POST.
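An added example, not the project's code, of both prevention points in Python applied to the transfer.do request from the overview slide. The session store, the request handler and the function names are assumptions made for the illustration; the exploit URL is the one on the slide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the server's session store, keyed by session id.
SESSIONS: dict = {}


def new_session(user: str) -> str:
    """Log a user in: the session id is what the browser would hold in a cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token_for(sid: str) -> str:
    """Synchronizer token: one unguessable token per session, kept server side."""
    session = SESSIONS[sid]
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_transfer_form(sid: str) -> str:
    """The form uses POST (never GET) and carries the token as a hidden field."""
    return (
        '<form method="POST" action="/transfer.do">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(sid)}">'
        '<input name="acct"><input name="amount"><button>Transfer</button></form>'
    )


def handle_transfer(sid: str, method: str, params: dict):
    """Server-side handler for /transfer.do. Returns (HTTP status, message)."""
    if sid not in SESSIONS:
        return 401, "not authenticated"
    if method != "POST":
        # The slide's exploit URL is a GET; a state change must never ride on one.
        return 405, "state-changing request must be POST"
    expected = SESSIONS[sid].get("csrf_token")
    submitted = params.get("csrf_token", "")
    # Constant-time compare on bytes: compare_digest rejects non-ASCII str input.
    if expected is None or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {params['amount']} to {params['acct']}"


def params_from_url(url: str) -> dict:
    """Flatten the query string of an exploit URL like the slide's."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def demo() -> dict:
    """Victim is logged in and has loaded the real form; the attacker then tries
    the slide's URL, an auto-submitted POST, and a guessed token."""
    sid = new_session("victim")
    form = render_transfer_form(sid)
    forged = params_from_url("http://bank.com/transfer.do?acct=MARIA&amount=100000")
    results = {
        "forged_get": handle_transfer(sid, "GET", forged),
        "forged_post_no_token": handle_transfer(sid, "POST", forged),
        "forged_post_bad_token": handle_transfer(
            sid, "POST", {**forged, "csrf_token": secrets.token_urlsafe(32)}),
    }
    # A legitimate submission: the browser sends back the token from the form.
    token = form.split('value="')[1].split('"')[0]
    results["legit_post"] = handle_transfer(
        sid, "POST", {"acct": "BOB", "amount": "10", "csrf_token": token})
    return results


if __name__ == "__main__":
    for name, (status, msg) in demo().items():
        print(f"{name:24} {status} {msg}")
```

The attacker's page can make the victim's browser send the cookie, but it cannot read the token out of the bank's page (same-origin policy), so every forged request is refused while the form the site itself rendered goes through.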
REFERENCE
• OWASP, SQL Injection: https://www.owasp.org/index.php/SQL_Injection
• RFC 6819, OAuth 2.0 Threat Model and Security Considerations, section 4.4.1.8: https://tools.ietf.org/html/rfc6819#section-4.4.1.8