CIT 380: Securing Computer Systems - PowerPoint PPT Presentation
PowerPoint slideshow about 'CIT 380: Securing Computer Systems', uploaded by etoile
Presentation Transcript
CIT 380: Securing Computer Systems

Web Security

Client-side Attacks
  • Buffer Overflow
    • 2004 iframe
    • 2004-05 jpeg
  • Remote Code
    • ActiveX
    • Flash
    • Java
    • Javascript

ActiveX

Executable code downloaded from server

  • Activated by HTML object tag.
  • Native code binary format.
  • Security model
    • Digital signature authentication
    • Zone-based access control
    • No control once execution starts

Digital signature authentication

Sandbox

Java
  • Sandbox Limits
    • Cannot read/write files.
    • Cannot start programs.
    • Network access limited to originating host.
  • Sandbox Components
    • Byte-code verifier
    • Class loader
    • Security manager

MPack Browser Malware
  • User visits site.
  • Response contains iframe.
  • Iframe code causes browser to make request.
  • Request redirected to MPack server.
  • Server identifies OS and browser, sends exploit that will work for client configuration.
  • Exploit causes browser to send request for code.
  • MPack downloader sent to user, begins downloading other malware.

MPack

Commercial underground PHP software

  • Sold for $700-1000.
  • Comes with one year technical support.
  • Can purchase updated exploits for $50-150.

Infection Techniques

  • Hacking into websites and adding iframes.
  • Sending HTML mail with iframes.
  • Typo-squatting domains.
  • Use GoogleAds to draw traffic.
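The MPack chain above starts with an iframe injected into a legitimate page, typically sized to zero or styled invisible and pointing at a different host. As an added example (not part of the lecture slides), the following Python flags iframes in a fetched page that are hidden and/or off-site; the sample HTML and the hostnames in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse '0', '1px' or ' 640 ' into an int; None for '100%' or missing values."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if the iframe is sized or styled so the user would never see it."""
    style = re.sub(r"\s+", "", attrs.get("style", "").lower())
    if "display:none" in style or "visibility:hidden" in style:
        return True
    width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
    return (width is not None and width <= 1) or (height is not None and height <= 1)


def is_offsite(src, page_host):
    """True if src names a host other than the one the page was served from."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != page_host.lower()


def suspicious_iframes(html, page_url):
    """Return (src, reasons) for each iframe that is hidden and/or off-site, in page order."""
    page_host = urlparse(page_url).hostname or ""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        reasons = []
        if is_hidden(attrs):
            reasons.append("hidden")
        if is_offsite(attrs.get("src", ""), page_host):
            reasons.append("off-site")
        if reasons:
            findings.append((attrs.get("src", ""), reasons))
    return findings


# Constructed sample page: one legitimate same-site frame, one visible embed from
# another host, and an injected zero-size frame appended at the end of the body.
SAMPLE_HTML = """<html><body><h1>News</h1>
<iframe src="/video" width="640" height="480"></iframe>
<iframe src="https://maps.example.org/embed" width="400" height="300"></iframe>
<iframe src="http://example.invalid/in.php" width="0" height="0" style="display: none"></iframe>
</body></html>"""
```

A hidden iframe that is also off-site is the strongest signal; a visible off-site frame is reported so a reviewer can confirm it is an intended embed.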

Client Protection
  • Disable ActiveX and Java.
  • Use NoScript to limit Javascript.
  • Run browser with least privilege.
  • Use a browser sandbox:
    • VMware Virtual Browser Appliance
    • Protected Mode IE (Windows Vista)
  • Go to sites directly instead of using links.
  • Use plain text e-mail instead of HTML.
  • Patch your browser regularly.
  • Use a personal firewall.

Web Reconnaissance

Google Hacking

  • “Index of” +passwd
  • “Index of” +password.txt
  • filetype:htaccess user
  • allinurl:_vti_bin shtml.exe

Web Crawling

  • wget --mirror http://www.w3.org/ -o /mirror/w3

Santy Worm used Google to find vulnerable servers.

Key Points
  • All input can be dangerous
    • URLs, Cookies, Executable content
  • Consider both client and server security.
  • SSL is not a panacea
    • Confidentiality + integrity of data in transit.
    • Input-based attacks can be delivered via SSL.
  • Top Vulnerabilities
    • Cross-Site Scripting
    • SQL Injection
    • Remote File Inclusion

References
  • Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
  • CERT, “Understanding Malicious Content Mitigation for Web Developers,” http://www.cert.org/tech_tips/malicious_code_mitigation.html, Feb. 2000.
  • Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, 2007.
  • David Endler, “The Evolution of Cross-Site Scripting Attacks,” http://www.cgisecurity.com/development/xss.shtml, 2002.
  • Joris Evers, “Paypal fixes Phishing hole,” http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006.
  • Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql-injection.html, 2005.
  • Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
  • Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006.
  • J.D. Meier et al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006.
  • Mitre, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html, 2007.
  • Nate Mook, “Cross-Site Scripting Worm Hits MySpace,” http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391, 2005.
  • Gunter Ollmann, “HTML Code Injection and Cross-Site Scripting,” http://www.technicalinfo.net/papers/CSS.html, 2002.
  • OWASP Top 10, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2007.
  • Niels Provos et al., “The Ghost in the Browser: Analysis of Web-based Malware,” HotBots '07, http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf, 2007.
  • Samy, “MySpace Worm Explanation,” http://namb.la/popular/tech.html, 2005.
  • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005.
  • Stuart McClure, Saumil Shah and Shreeraj Shah, Web Hacking: Attacks and Defense, Addison-Wesley, 2002.
  • Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006.
  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
  • SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.
  • Symantec Weblog, “MPack: Packed full of badness,” http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html, 2007.
