web application access to databases. logistics test 2: may 1 st (24 hours) extra office hours:...
TRANSCRIPT
Web Application Access to Databases
Logistics
Test 2: May 1st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5th – you can review your
final before final grades are submitted
2
3
Three-Tier Architecture
3
DB
DB Server DB Server
Application Server
Application Server
Application Server
Web Server
Web Server
Web Server
Web Server
Clients
Internet
4
4
Options
1. Code in a specialized language is stored in the database itself (e.g., PSM, PL/SQL).
2. SQL statements are embedded in a host language (e.g., C).
3. Connection tools are used to allow a conventional language to access a database (e.g., CLI, JDBC, PHP/DB).
Code Security
Input validation!
5
Process Memory Organization Process memory: 3 regions
Text: fixed by the program, includes code, read-only (attempt to write: segmentation fault)
Data: initialized and uninitialized dataStack: stores application data and control data
Low-level languages: direct access to application memory
6
Buffer Overflow
Inserting more data into the buffer than it can handle
Stack-base attacks most common Most vulnerable languages: C, C++
7
Exploitation of Buffer Overflow
Lack of input validation Default case: mistrust input
Never allow input over the maximum length to be stored in a variable
Process input one character, word, or byte at a time
Never leave extra input on the incoming line
8
Cases and Effects
Overwriting local variables change the program’s behavior
Overwriting a return address execution will resume at the attacker’s specified address, executing the attacker’s code
9
Defensive Measures
Canaries Pad buffers with a random, secret value
determined at compile time or runtime Check to see if the secret value is the
same before allowing transfer of control If you smash the boundaries of the array
on the stack, how do you know what the values are?
10
Defensive Measures
Randomize locations for loading of code Prevent data from being executedStop using unsafe code! strcpy -> strlcpy,
strncat -> strlcat, gets -> fgetsUse a safer language Anything with bounds checking – Java, C#,
VB.net, Python, Perl, Ruby, PHP, D… …but be careful when calling C/C++
libraries
11
Defensive Measures
Input validation Allow only input that you expect
Example: [a-zA-Z0-9]+ on usernames Prevent some shellcode
Run static code analyzers Detects use of unsafe (unbounded)
functions
12
SQL Injection
Attacker provides malformed data to application
Application uses data to create a SQL statement via string concatenation
Allows attacker to change the semantics of the SQL query
Why use concatenation? Don’t know a safer way Laziness
13
Spotting SQL Injection
Takes user inputDoes not check user input validityUses user-input data to query a databaseUses string concatenation or string replacement to build the SQL query or uses SQL EXEC command
14
Redemption
Thou shalt never trust input to SQL statements Always validate
Use regular expressions to parse input Use prepared or parameterized SQL
statements Use placeholders or binding
15
Web Application Vulnerabilities
16
Biggest Threats to Web Applications
Cross-site scripting (XSS) Cross-site request forgeries (CSRF) Remote file uploads, (buffer overflow, SQL
injection, etc.)
Trust between the client’s machine and the web applications.
17
XSS – Server trusts client
Inject client-side script into Web pages Client views web page download script Used for bypass access controls such as the same origin
policy Permits scripts running on pages originating from the
same site ( scheme, hostname, and port number) to access each other's Document Object Model with no specific restrictions
XMLHttpRequest and Robots.txt
18
How to avoid XSS?
Scrub all input Escape output for display Use trusted solutions when available Use separate variables for scrubbed input
19
Cross-site request forgery – Client trusts server Exploits the trust between server and
client machine Mostly http requests and responses Based on how web pages are delivered
along with images and other web content
20
Prevent CSRF
Require verification and stages for sensitive applications
Use anti-CSRF tokens in your forms and processing Use post as the mean of taking form input
Get: encodes the data of the form into the url of the recipient, appending it to the query string of the request
Post: encodes it as a message
21
Unrestricted file upload
Users may upload malicious files Uploaded files can be called by a url (if
stored on the web server) Example: php
Embedded in image filesCompile php code
22
Avoid file upload problems
System should determine file name Do not allow users to access the folders where
content is uploaded Parse file extensions carefully or set your own
file parser White list extensions Be secure with the .htaccess file (controls
accesses to the files on the server
23