Day2.3b - ODU Computer Science

Download Report

Transcript Day2.3b - ODU Computer Science 

Security Attacks
CS 795
Buffer Overflow Problem
•
•
•
•
•
Buffer overflows can be triggered by inputs that are designed to execute code, or
alter the way the program operates. This may result in erratic program behavior,
including memory access errors, incorrect results, a crash, or a breach of system
security. Thus, they are the basis of many software vulnerabilities and can be
maliciously exploited.
Programming languages commonly associated with buffer overflows include C and
C++, which provide no built-in protection against accessing or overwriting data in any
part of memory and do not automatically check that data written to an array (the builtin buffer type) is within the boundaries of that array. Bounds checking can prevent
buffer overflows.
Video: https://www.youtube.com/watch?v=iZTilLGAcFQ
Buffer overflow
Analysis of Buffer Overflow Attacks
General Guidelines
For all user input, follow these guidelines:
• Use validation controls whenever possible to limit user input to
acceptable values.
• Always be sure that the value of the IsValid property is true
before running your server code. A value of false means that
one or more validation controls have failed a validation check.
• Always perform server-side validation even if the browser is
also performing client-side validation, to guard against users
bypassing client-side validation. Do not use only client-side
validation logic.
• Always re-validate user input in the business layer of your
application. Do not rely on the calling process to provide safe
data.
SQL Injection Attacks
A SQL injection attack attempts to compromise your database (and
potentially the computer on which the database is running) by
creating SQL commands that are executed instead of, or in
addition to, the commands that you have built into your application.
•
Stop SQL Injection Attacks Before They Stop You
•
SQL Injection attacks: Are you safe?
•
Manipulating Microsoft SQL Server Using SQL Injection
To avoid SQL injection attacks, follow these guidelines:
* Do not create SQL commands by concatenating strings
together, especially strings that include input from users.
Instead, use parameterized queries or stored procedures.
* If you are creating a parameterized query, use parameter
objects to establish the values for the parameters.
Script Injection Attack
• Script injection A script injection attack attempts to send executable
script to your application with the intent of having other users run it.
A typical script injection attack sends script to a page that stores the
script in a database, so that another user who views the data
inadvertently runs the code.
• http://www.asp.net/mvc/videos/mvc-2/how-do-i/preventingjavascript-injection-attacks
• Video: https://www.youtube.com/watch?v=dbcO97ZHy9Q
• Securing Data Access
Script Injection
To avoid script injection attacks, follow these guidelines:
* Encode user input with the HtmlEncode method, which turns HTML into its
text representation (for example, <b> becomes &ltb&gt;), and helps prevent the
markup from being executed in a browser.
* When using parameter objects to pass user input to a query, add handlers for
the data source control's pre-query events and perform the encoding in those
events. For example, handle the SqlDataSource control's Inserting event, and
in the event, encode the parameter value before the query is executed.
* If you are using the GridView control with bound fields, set the BoundField
object's HtmlEncode property to true. This causes the GridView control to
encode user input when the row is in edit mode.
* For controls that can be put into edit mode, it is recommended that you use
templates. For example, the GridView, DetailsView, FormView, DataList, and
Login controls can display editable text boxes. However, except for the
GridView control (see the previous point), the controls do not automatically
validate or HTML-encode the user input. Therefore, it is recommended that you
create templates for these controls, and in the template, include an input
control such as a TextBox control and add a validation control. In addition,
when extracting the value of the control, you should encode it.
Cross-site Scripting Attack
•
•
•
•
•
Video: https://www.youtube.com/watch?v=_Z9RQSnf8-g
Video: https://www.youtube.com/watch?v=r79ozjCL7DA
http://www.acunetix.com/websitesecurity/xss.htm
http://www.cgisecurity.com/xss-faq.html
http://www.imperva.com/resources/glossary/cross_site_scripti
ng.html
• Cross-Site Scripting Vulnerabilities
• Cross site scripting / XSS - How to find & fix it