Berkeley COMPSCI 161 - Web Attacks

Web Attacks, con't
CS 161: Computer Security
Prof. Vern Paxson
TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
http://inst.eecs.berkeley.edu/~cs161/
February 22, 2011

Announcements
• See "Still confused about question 4 submission format" thread in Piazza (@116)
• Guest lecture a week from Thursday (March 3rd), Prof. David Wagner
  – My office hours the week of March 7th will be by appointment
• I may move my office hours next Monday to 1-2PM - if so, will announce on Piazza
  – Let me know if this would be a hardship

Defending Against Command Injection
• In principle, can prevent injection attacks by properly sanitizing input sent to web servers
  – Remove or escape meta-characters
  – Easy to get wrong by overlooking a meta-character or escaping subtlety
• Better: avoid using a feature-rich API
  – KISS + defensive programming
  – E.g., use execve() to invoke a desired program, rather than system()

Command Injection in the Real World

Structure of Modern Web Services
• Browser -> Web server: URL / Form, e.g. command.php?arg1=x&arg2=y
• Web server -> Database server: SQL query built from x and y
• Database server -> Web server: custom data corresponding to x & y
• Web server -> Browser: web page built using the custom data

SQL
• Widely used database query language
• Fetch a set of records
    SELECT * FROM Person WHERE Username='oski'
• Add data to the table
    INSERT INTO Person (Username, Balance) VALUES ('oski', 10) -- oski has ten buckaroos
  (everything after "--" is an SQL comment)
• Modify data
    UPDATE Person SET Balance=42 WHERE Username='oski'
• Query syntax (mostly) independent of vendor

SQL Injection Scenario
• Suppose web server front end stores URL parameter "recipient" in variable $recipient and then builds up a string with the following SQL query:
    $sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' ";
• Query accesses recipient's account if their balance is < 100.
• So for "?recipient=Bob" the SQL query is:
    "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='Bob' "
• How can recipient cause trouble here?
  – How can we see anyone's account?

SQL Injection Scenario, con't
    WHERE Balance < 100 AND Username='$recipient' "
• $recipient = foo' OR 1=1 --
    WHERE Balance < 100 AND Username='foo' OR 1=1 --' "
• Precedence & "--" (comment) makes this:
    WHERE (Balance < 100 AND Username='foo') OR 1=1
• Always true!

SQL Injection Scenario, con't
    WHERE Balance < 100 AND Username='$recipient' ";
• How about recipient = foo'; DROP TABLE Person; -- ?
• Now there are two separate SQL commands, thanks to the ';' command separator.
• Can change database however you wish

Defenses (work-in-progress)
Language support for constructing queries
Specify query structure independent of user input:

    ResultSet getProfile(Connection conn, int uid) throws SQLException {
        String query = "SELECT profile FROM Users WHERE uid = ?;";
        PreparedStatement p = conn.prepareStatement(query);
        p.setInt(1, uid);
        return p.executeQuery();
    }

• This is a "Prepared Statement"
• uid is the untrusted user input
• p.setInt(1, uid) binds the value of uid to the '?' atom, so the input is confined to a single SQL atom
• No matter what input the user provides, the Prepared Statement ensures it will be treated as a single SQL datum

Defenses
    <P>Hello ${username}! Welcome back.
• Template language ensures the variable is fully escaped

5 Minute Break
Questions Before We Proceed?

Basic Structure of Web Traffic
• Includes "resource" from URL
• Headers describing browser
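As an added example (not part of the lecture slides), the injection scenario and the prepared-statement defense above run against a constructed in-memory SQLite Person table: the slides' string-built query beside a parameterised version, each given both "Bob" and the slides' foo' OR 1=1 -- input. The table contents and PersonID values are constructed here and not from the lecture.

```python
import sqlite3

# Constructed sample data (not from the lecture): a Person table as on the slides.
# alice's balance is deliberately >= 100 so a correct query must never return her.
SAMPLE_ROWS = [("oski", 10), ("Bob", 50), ("alice", 500)]


def make_db():
    """Build an in-memory Person table; PersonID is assigned 1, 2, 3 in insert order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, "
                 "Username TEXT, Balance INTEGER)")
    conn.executemany("INSERT INTO Person (Username, Balance) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, recipient):
    """Mirrors the slide's $sql: the parameter is spliced into the query text,
    so quote and comment characters in it change the query's structure."""
    sql = ("SELECT PersonID FROM Person WHERE Balance < 100 "
           "AND Username='%s'" % recipient)
    return sorted(row[0] for row in conn.execute(sql))


def lookup_prepared(conn, recipient):
    """Query structure is fixed up front; the value is bound to the '?' placeholder
    and is always one SQL datum, whatever characters it contains."""
    sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username=?"
    return sorted(row[0] for row in conn.execute(sql, (recipient,)))


def demo():
    """Run both lookups on a benign name and on the slides' injection input."""
    conn = make_db()
    benign = "Bob"
    hostile = "foo' OR 1=1 --"  # the input from the slides; '--' comments out the rest
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),    # [2]: Bob, balance 50 < 100
        "vuln_hostile": lookup_vulnerable(conn, hostile),  # [1, 2, 3]: OR 1=1 matches everyone
        "prep_benign": lookup_prepared(conn, benign),      # [2]
        "prep_hostile": lookup_prepared(conn, hostile),    # []: no user literally named that
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(name, ids)
```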