CIT 380: Securing Computer Systems

Web Security


Client-side Attacks

  • Buffer Overflow

    • 2004 iframe

    • 2004-05 jpeg

  • Remote Code

    • ActiveX

    • Flash

    • Java

    • JavaScript


ActiveX

Executable code downloaded from server

  • Activated by HTML object tag.

  • Native code binary format.

  • Security model

    • Digital signature authentication

    • Zone-based access control

    • No control once execution starts


[Figure: Digital signature authentication vs. Sandbox]

Java

  • Sandbox Limits

    • Cannot read/write files.

    • Cannot start programs.

    • Network access limited to originating host.

  • Sandbox Components

    • Byte-code verifier

    • Class loader

    • Security manager


MPack Browser Malware

  • User visits site.

  • Response contains iframe.

  • Iframe code causes browser to make request.

  • Request redirected to MPack server.

  • Server identifies OS and browser, sends exploit that will work for client configuration.

  • Exploit causes browser to send request for code.

  • MPack downloader sent to user, begins downloading other malware.


MPack

Commercial underground PHP software

  • Sold for $700-1000.

  • Comes with one year technical support.

  • Can purchase updated exploits for $50-150.

Infection Techniques

  • Hacking into websites and adding iframes.

  • Sending HTML mail with iframes.

  • Typo-squatting domains.

  • Use GoogleAds to draw traffic.
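The MPack chain starts with an iframe injected into a legitimate page, sized to zero or hidden by style so the visitor never sees it. The following scanner is an added example, not code from the slides or from MPack itself: a site owner can run it over their own pages to find such frames. The HTML sample is constructed, and the hiding heuristics (zero or one pixel size, `display:none`, `visibility:hidden`) are this example's assumptions, not a complete rule set.

```python
# Added example (not from the CIT 380 slides): scan HTML for iframes hidden
# from the user, the injection pattern the MPack infection chain relies on.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Style values that hide an element from the user (assumed heuristic set).
_HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class IframeCollector(HTMLParser):
    """Collect iframes that are hidden from the user, with the reasons."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":          # HTMLParser lower-cases tag names
            return
        a = {k: (v or "") for k, v in attrs}   # attribute names are lower-cased too
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if not reasons:
            return                   # visible iframes (embedded video, ads) are not reported
        host = urlsplit(a.get("src", "")).hostname
        if host and host.lower() != self.page_host:
            reasons.append("third-party")
        self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html_text, page_host):
    """Return a list of {"src", "reasons"} dicts for hidden iframes in html_text."""
    p = IframeCollector(page_host)
    p.feed(html_text)
    p.close()
    return p.findings


# Constructed sample: one legitimate embed and two injected, invisible frames.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/video" width="640" height="360"></iframe>
<iframe src="http://attacker.example.net/in.php" width="0" height="0" style="display:none"></iframe>
<IFRAME SRC="http://attacker.example.net/in.cgi" WIDTH=1 HEIGHT=1></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print(f["src"], ", ".join(f["reasons"]))
```

Run against the constructed page it reports the two attacker frames and stays silent on the visible video embed. A `third-party` tag on a hidden frame is the strongest signal: a page that has been tampered with almost always pulls the exploit from a host the site does not own.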


Client Protection

  • Disable ActiveX and Java.

  • Use NoScript to limit JavaScript.

  • Run browser with least privilege.

  • Use a browser sandbox:

    • VMware Virtual Browser Appliance

    • Protected Mode IE (Windows Vista)

  • Go to sites directly instead of using links.

  • Use plain text e-mail instead of HTML.

  • Patch your browser regularly.

  • Use a personal firewall.


Web Reconnaissance

Google Hacking

  • “Index of” +passwd

  • “Index of” +password.txt

  • filetype:htaccess user

  • allinurl:_vti_bin shtml.exe

Web Crawling

  • wget --mirror http://www.w3.org/ -o /mirror/w3

Santy Worm used Google to find vulnerable servers.
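From the server side, both reconnaissance techniques on this slide leave traces in the access log: requests for the files the search queries surface, and long runs of requests from a mirroring client. The analysis below is an added example, not code from the slides; the log lines are constructed, and the sensitive-path list (taken from the slide's queries), the search-engine referer list and the mirroring user-agent list are this example's assumptions.

```python
# Added example (not from the CIT 380 slides): flag Google-dork style probing
# and whole-site mirroring in Apache Combined Log Format access logs.
import re
from collections import Counter

# Apache/NCSA Combined Log Format.
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Path fragments taken from the slide's search queries (assumed list).
SENSITIVE_PATHS = ("passwd", "password.txt", ".htaccess", "_vti_bin", "shtml.exe")
SEARCH_ENGINES = ("google.", "bing.", "yahoo.")       # assumed referer hosts
MIRROR_AGENTS = ("wget", "httrack")                   # assumed mirroring clients


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, mirror_threshold=20):
    """Return findings: sensitive-path requests and hosts mirroring the site."""
    findings = []
    mirror_hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].lower()
        if any(s in path for s in SENSITIVE_PATHS):
            findings.append({
                "kind": "sensitive-path",
                "host": rec["host"],
                "path": rec["path"],
                "status": int(rec["status"]),     # 200 means the file was served
                # A search-engine referer means the file is already indexed.
                "via_search_engine": any(e in rec["referer"].lower() for e in SEARCH_ENGINES),
            })
        if any(a in rec["agent"].lower() for a in MIRROR_AGENTS):
            mirror_hits[rec["host"]] += 1
    for host, count in mirror_hits.items():
        if count >= mirror_threshold:
            findings.append({"kind": "mirroring", "host": host, "count": count})
    return findings


# Constructed sample log: one visitor arriving from a search result for an
# exposed password file, one normal visitor, and one host mirroring the site.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2007:13:55:36 -0700] "GET /backup/password.txt HTTP/1.1" 200 512 '
    '"http://www.google.com/search?q=%22Index+of%22+%2Bpassword.txt" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2007:13:55:40 -0700] "GET /.htaccess HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2007:14:01:02 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
] + [
    f'192.0.2.9 - - [10/Oct/2007:14:02:{i:02d} -0700] "GET /page{i}.html HTTP/1.0" 200 1024 "-" "Wget/1.10.2"'
    for i in range(25)
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

The first finding is the one that matters most: a sensitive path answered with 200 and reached from a search-engine result means the file was indexed before anyone looked for it, so the fix is to remove or block the file and then have the search engine drop the cached copy. A 403 hit shows probing but no exposure. The mirroring count is a crude rate check; in production it would be keyed on a time window rather than the whole log.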


Key Points

  • All input can be dangerous

    • URLs, Cookies, Executable content

  • Consider both client and server security.

  • SSL is not a panacea

    • Confidentiality + integrity of data in transit.

    • Input-based attacks can be delivered via SSL.

  • Top Vulnerabilities

    • Cross-Site Scripting

    • SQL Injection

    • Remote File Inclusion
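The key point that all input can be dangerous is easiest to see in code. The following is an added example, not code from the slides: for two of the listed top vulnerabilities, SQL injection and cross-site scripting, it places a handler that treats input as part of the query or page grammar beside one that keeps input as data. The user table and the inputs are constructed, and SQLite stands in for whatever database a real application would use.

```python
# Added example (not from the CIT 380 slides): vulnerable handlers for SQL
# injection and cross-site scripting beside their hardened forms.
import html
import sqlite3


def make_db():
    """Constructed in-memory user table for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = (f"SELECT COUNT(*) FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, name, password):
    """Parameter binding: the input is always data, never SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


def greeting_vulnerable(name):
    """Reflects the input into HTML unescaped, so markup in `name` is rendered."""
    return f"<p>Welcome, {name}!</p>"


def greeting_safe(name):
    """Escapes for the HTML text context before reflecting the input."""
    return f"<p>Welcome, {html.escape(name, quote=True)}!</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"          # classic input that changes the query's meaning
    print("vulnerable login accepts probe:", login_vulnerable(db, "alice", probe))
    print("safe login accepts probe:     ", login_safe(db, "alice", probe))
    print(greeting_vulnerable("<b>x</b>"))
    print(greeting_safe("<b>x</b>"))
```

The same rule covers both cases: the boundary between data and code is decided by the API used to emit the data (bound parameters for SQL, a context-specific escaper for HTML), not by filtering the input, which is why the key point applies to URLs, cookies and any other channel, and why delivering the input over SSL changes nothing.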


References

  • Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.

  • CERT, “Understanding Malicious Content Mitigation for Web Developers,” http://www.cert.org/tech_tips/malicious_code_mitigation.html, Feb. 2000.

  • Mark Dowd, John McDonald, and Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, 2007.

  • David Endler, “The Evolution of Cross-Site Scripting Attacks,” http://www.cgisecurity.com/development/xss.shtml, 2002.

  • Joris Evers, “PayPal fixes phishing hole,” http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006.

  • Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql-injection.html, 2005.

  • Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.

  • Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006.

  • J.D. Meier et al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006.

  • MITRE, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html, 2007.

  • Nate Mook, “Cross-Site Scripting Worm Hits MySpace,” http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391, 2005.

  • Gunter Ollmann, “HTML Code Injection and Cross-Site Scripting,” http://www.technicalinfo.net/papers/CSS.html, 2002.

  • OWASP, OWASP Top 10, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2007.

  • Niels Provos et al., “The Ghost in the Browser: Analysis of Web-based Malware,” HotBots ’07, http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf, 2007.

  • Samy, “MySpace Worm Explanation,” http://namb.la/popular/tech.html, 2005.

  • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5th ed., McGraw-Hill, 2005.

  • Stuart McClure, Saumil Shah, and Shreeraj Shah, Web Hacking: Attacks and Defense, Addison-Wesley, 2002.

  • Joel Scambray, Mike Shema, and Caleb Sima, Hacking Exposed Web Applications, 2nd ed., McGraw-Hill, 2006.

  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.

  • SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.

  • Symantec Weblog, “MPack: Packed full of badness,” http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html, 2007.
