SlideShare ist ein Scribd-Unternehmen logo
1 von 26
Downloaden Sie, um offline zu lesen
FINAL PROJECT
SAN JOSE STATE UNIVERSITY
CS166 SPRING 2017
KAYA OTA
CONTENT
1. Behind the scene
tour of this site.
2. SQL Injection
3. XSS (Cross Site
Scripting)
4. Cookie Stealing
5. Protocol
1. Authentication
6. CSRF
BEHIND THE SCENE TOUR OF THIS SITE
ENTRY URL FOR CS166 BLOG
• Prevented codes are running at:
• http://ec2-34-208-99-244.us-west-
2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code
/prevented/index.html
• The given codes are running at:
• http://ec2-34-208-99-244.us-west-
2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code
/attackable/index.html
HOW TO BUILD THIS SITE
• Download source code from the git hub:
https://github.com/28kayak/CS166_Final_Project.git
• Set up AWS windows server with the following security group.
HOW TO BUILD THIS SITE
• Set up XAMPP with Tomcat and
Maria DB.
• Check Windows server side of fire
wall's setting. (image on the left)
• Tomcat entry is on port 8080.
SQL TABLE – LOGIN –
• Use Maria DB
• Login table contains user information
• Fullname – user’s name
• User – user ID
• Pass – password
• Random – salt for the password
Fullname User pass role Random
SQL TABLE –BLOG–
• Blog table contains posts for the blog.
• Title is title of the post
• Content is the articles in the post
• ID is the post id and is the primary key
title content id
SQL INJECTION
SQL INJECTION – OVERVIEW –
• A type of injection attack
• A SQL injection attack is by “injection” of SQL query via input
data from the client to the application.
• When SQL succeed the followings could happen
• Read sensitive data
• Modify DB data
• Run administrative operation
SQL INJECTION – THREAD MODELING –
• SQL Injection lets attackers to spoof identity, and temper data in
database.
• SQL Injection lets cause repudiation issues
• Voiding transaction
• Changing balance
• SQL injection is common with PHP and ASP
• Because these older functional interfaces are widely used.
• Nature of programmatic interface available
• J2EE and ASP.NET application are less likely to have easily
exploited SQL injection.
SQL INJECTION – PREVENTION –
I. Use prepared statement / parameterized queries
I. Prepared statement force the developers to first define all SQL code
and then pass the required parameters later to the query.
II. This allows DB to distinguish between code and data, independent
from user-input.
SQL INJECTION – PREVENTION –
String user = request.getParameter( "user" );
String pass = request.getParameter( "pass" );
String sqlStr = "SELECT fullname FROM login WHERE user='" + user + "' and pass = sha2('"+
pass + "', 256)";
String sqlStr = "SELECT count(*) FROM login WHERE user=? and pass = sha2(?, 256)";
PreparedStatement stmt = con.prepareStatement(sqlStr);
stmt.setString(1,name);
stmt.setString(2,pwd);
ResultSet rs = stmt.executeQuery();
No Use of Prepared
Statement
Use of Prepared
Statement
SQL INJECTION – PREVENTION –
II. Use Stored Procedure
I. Not always safe from SQL Injection
II. Certain Stored Procedures have the similar effect as use of
parameterized query
III. It requires to build SQL query with parameters that are automatically
parametrized unless the developer does something out of norm.
SQL INJECTION – DEMONSTRATION –
• Not Preventing Site
• http://ec2-34-208-99-244.us-west-
2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att
ackable/login_form.html
• Preventing Site
• Running here
XSS – CROSS SITE SCRIPTING –
XSS – OVERVIEW –
• A type of injection attack
• Injects malicious script into benign and trusted website.
• Occurs when an attacker users a web application to send
malicious code
• Generally in the form of a browser side script to different end
user.
XSS – THREAD MODELING –
• XSS lets attackers do the followings
• Identity Thrift (fraud)
• Redirect traffic by altering URL
• Session Hijacking
• Storing sensitive information in JavaScript variables
XSS – PREVENTION –
• Never accepts to insert untrusted data except in allowed location
• Deny all – do not put untrusted data into your html document unless it is
within one of the slot of defined in rule #1
• Most importantly, never accept actual JavaScript code
from an untrusted data and then run it.
•Escape XML sequences
• Using Escape sequences
• http://www.avajava.com/tutorials/lessons/how-do-i-
escape-a-string-for-xml.html
SCREEN SHOT FOR XSS
ATTACKED PREVENTED
XSS –DEMONSTRATION–
• Demonstration running at
• http://ec2-34-208-99-244.us-west-
2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att
ackable/login_form.html
CSRF (CROSS SITE REQUEST FORGERY)
CSRF –OVERVIEW–
• CSRF is a type of attacks
• Force user to run unwelcome action on web-applications where
he/she is authorized currently.
• Whereby, HTTP requests are transmitted from a user that the web
site trusts or has
authenticated (e.g., via HTTP redirects or HTML forms).
• CSRF can be caused by:
• Building an exploit URL or Script
http://bank.com/transfer.do?acct=MARIA&amount=100000
Attacker can monaurally change
values to request the service.
CSRF –THREAD MODEL–
• Impact: user may access resource on behalf of the attacker.
• User may upload private image to attacker’s server.
• When using 3rd party login, the user may associate with his
client account with attacker’s identity at an identity provider.
CSRF –PREVENTION–
• Use synchronized token pattern
• Never use get method in html form
REFERENCE
• https://www.owasp.org/index.php/SQL_Injection
• https://tools.ietf.org/html/rfc6819#section-4.4.1.8

Weitere ähnliche Inhalte

Was ist angesagt?

Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security HeadersOWASP
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Icinga
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Yassine Aboukir
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Riyaz Walikar
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)OWASP Khartoum
 
Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionNazar Tymoshyk, CEH, Ph.D.
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSAnant Shrivastava
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detailOWASP
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAnant Shrivastava
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automationOWASP
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesseskuza55
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into ClickjackingMarco Balduzzi
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private tokenOWASP
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveGreenD0g
 

Was ist angesagt? (20)

Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
Mod Security
Mod SecurityMod Security
Mod Security
 
[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers[Wroclaw #2] Web Application Security Headers
[Wroclaw #2] Web Application Security Headers
 
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
Why you should use true single-sign-on in Icinga Web 2 - Icinga Camp Stockhol...
 
Cross site scripting XSS
Cross site scripting XSSCross site scripting XSS
Cross site scripting XSS
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638Apache Struts2 CVE-2017-5638
Apache Struts2 CVE-2017-5638
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Cross Site Scripting (XSS)
Cross Site Scripting (XSS)Cross Site Scripting (XSS)
Cross Site Scripting (XSS)
 
Black magic of web attacks Detection and Prevention
Black magic of web attacks Detection and PreventionBlack magic of web attacks Detection and Prevention
Black magic of web attacks Detection and Prevention
 
SSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOSSSL Pinning and Bypasses: Android and iOS
SSL Pinning and Bypasses: Android and iOS
 
[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail[Wroclaw #7] AWS (in)security - the devil is in the detail
[Wroclaw #7] AWS (in)security - the devil is in the detail
 
Android Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) ProfessionalsAndroid Tamer: Virtual Machine for Android (Security) Professionals
Android Tamer: Virtual Machine for Android (Security) Professionals
 
[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation[Wroclaw #7] Security test automation
[Wroclaw #7] Security test automation
 
Xssya
XssyaXssya
Xssya
 
Same Origin Policy Weaknesses
Same Origin Policy WeaknessesSame Origin Policy Weaknesses
Same Origin Policy Weaknesses
 
New Insights into Clickjacking
New Insights into ClickjackingNew Insights into Clickjacking
New Insights into Clickjacking
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token[OWASP Poland Day] Saving private token
[OWASP Poland Day] Saving private token
 
MITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another PerspectiveMITM Attacks on HTTPS: Another Perspective
MITM Attacks on HTTPS: Another Perspective
 

Ähnlich wie CS166 Final project

Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersPhú Phùng
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...LogeekNightUkraine
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy AntonDevSecCon
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?Ksenia Peguero
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Jim Manico
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!Lewis Ardern
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013tmd800
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levelsbeched
 

Ähnlich wie CS166 Final project (20)

Web security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsersWeb security: Securing untrusted web content at browsers
Web security: Securing untrusted web content at browsers
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
Dmytro Kochergin - "The OWASP TOP 10 - Typical Attacks on Web Applications an...
 
Web vulnerabilities
Web vulnerabilitiesWeb vulnerabilities
Web vulnerabilities
 
The path of secure software by Katy Anton
The path of secure software by Katy AntonThe path of secure software by Katy Anton
The path of secure software by Katy Anton
 
API SECURITY
API SECURITYAPI SECURITY
API SECURITY
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?How do JavaScript frameworks impact the security of applications?
How do JavaScript frameworks impact the security of applications?
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
a
aa
a
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
SQL Injection
SQL InjectionSQL Injection
SQL Injection
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!OWASP London - So you thought you were safe using AngularJS.. Think again!
OWASP London - So you thought you were safe using AngularJS.. Think again!
 
OWASP top 10-2013
OWASP top 10-2013OWASP top 10-2013
OWASP top 10-2013
 
Vulnerabilities in data processing levels
Vulnerabilities in data processing levelsVulnerabilities in data processing levels
Vulnerabilities in data processing levels
 

Mehr von Kaya Ota

Solr 勉強会 20191028
Solr 勉強会 20191028Solr 勉強会 20191028
Solr 勉強会 20191028Kaya Ota
 
Privacy statement
Privacy statementPrivacy statement
Privacy statementKaya Ota
 
Cs166 mynote
Cs166 mynoteCs166 mynote
Cs166 mynoteKaya Ota
 
Edited keeping happiness
Edited keeping happinessEdited keeping happiness
Edited keeping happinessKaya Ota
 
Database Management System Review
Database Management System ReviewDatabase Management System Review
Database Management System ReviewKaya Ota
 
javascript
javascript javascript
javascript Kaya Ota
 
Math178 hw7
Math178 hw7Math178 hw7
Math178 hw7Kaya Ota
 
CS152 Programming Paradigm
CS152 Programming Paradigm CS152 Programming Paradigm
CS152 Programming Paradigm Kaya Ota
 
Umap traversabilityin graph
Umap traversabilityin graphUmap traversabilityin graph
Umap traversabilityin graphKaya Ota
 
Price Distribution and Consumer Surplus
Price Distribution and Consumer Surplus Price Distribution and Consumer Surplus
Price Distribution and Consumer Surplus Kaya Ota
 
Midterm review for CS156
Midterm review for CS156Midterm review for CS156
Midterm review for CS156Kaya Ota
 
Jit complier
Jit complierJit complier
Jit complierKaya Ota
 
Methodologies of Software Engineering
Methodologies of Software EngineeringMethodologies of Software Engineering
Methodologies of Software EngineeringKaya Ota
 

Mehr von Kaya Ota (14)

Solr 勉強会 20191028
Solr 勉強会 20191028Solr 勉強会 20191028
Solr 勉強会 20191028
 
Privacy statement
Privacy statementPrivacy statement
Privacy statement
 
Cs166 mynote
Cs166 mynoteCs166 mynote
Cs166 mynote
 
Cs166 hw1
Cs166 hw1Cs166 hw1
Cs166 hw1
 
Edited keeping happiness
Edited keeping happinessEdited keeping happiness
Edited keeping happiness
 
Database Management System Review
Database Management System ReviewDatabase Management System Review
Database Management System Review
 
javascript
javascript javascript
javascript
 
Math178 hw7
Math178 hw7Math178 hw7
Math178 hw7
 
CS152 Programming Paradigm
CS152 Programming Paradigm CS152 Programming Paradigm
CS152 Programming Paradigm
 
Umap traversabilityin graph
Umap traversabilityin graphUmap traversabilityin graph
Umap traversabilityin graph
 
Price Distribution and Consumer Surplus
Price Distribution and Consumer Surplus Price Distribution and Consumer Surplus
Price Distribution and Consumer Surplus
 
Midterm review for CS156
Midterm review for CS156Midterm review for CS156
Midterm review for CS156
 
Jit complier
Jit complierJit complier
Jit complier
 
Methodologies of Software Engineering
Methodologies of Software EngineeringMethodologies of Software Engineering
Methodologies of Software Engineering
 

Kürzlich hochgeladen

IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionsNirav Modi
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesSoftwareMill
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxPrakarsh -
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIIvo Andreev
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxAutus Cyber Tech
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example ProjectMastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example Projectwajrcs
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorShane Coughlan
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 

Kürzlich hochgeladen (20)

IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Growing Oxen: channel operators and retries
Growing Oxen: channel operators and retriesGrowing Oxen: channel operators and retries
Growing Oxen: channel operators and retries
 
Kubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptxKubernetes go-live checklist for your microservices.pptx
Kubernetes go-live checklist for your microservices.pptx
 
JS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AIJS-Experts - Cybersecurity for Generative AI
JS-Experts - Cybersecurity for Generative AI
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
ERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptxERP For Electrical and Electronics manufecturing.pptx
ERP For Electrical and Electronics manufecturing.pptx
 
Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example ProjectMastering Kubernetes - Basics and Advanced Concepts using Example Project
Mastering Kubernetes - Basics and Advanced Concepts using Example Project
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
OpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS CalculatorOpenChain Webinar: Universal CVSS Calculator
OpenChain Webinar: Universal CVSS Calculator
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 

CS166 Final project

  • 1. FINAL PROJECT SAN JOSE STATE UNIVERSITY CS166 SPRING 2017 KAYA OTA
  • 2. CONTENT 1. Behind the scene tour of this site. 2. SQL Injection 3. XSS (Cross Site Scripting) 4. Cookie Stealing 5. Protocol 1. Authentication 6. CSRF
  • 3. BEHIND THE SCENE TOUR OF THIS SITE
  • 4. ENTRY URL FOR CS166 BLOG • Prevented codes are running at: • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code /prevented/index.html • The given codes are running at: • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code /attackable/index.html
  • 5. HOW TO BUILD THIS SITE • Download source code from the git hub: https://github.com/28kayak/CS166_Final_Project.git • Set up AWS windows server with the following security group.
  • 6. HOW TO BUILD THIS SITE • Set up XAMPP with Tomcat and Maria DB. • Check Windows server side of fire wall's setting. (image on the left) • Tomcat entry is on port 8080.
  • 7. SQL TABLE – LOGIN – • Use Maria DB • Login table contains user information • Fullname – user’s name • User – user ID • Pass – password • Random – salt for the password Fullname User pass role Random
  • 8. SQL TABLE –BLOG– • Blog table contains posts for the blog. • Title is title of the post • Content is the articles in the post • ID is the post id and is the primary key title content id
  • 10. SQL INJECTION – OVERVIEW – • A type of injection attack • A SQL injection attack is by “injection” of SQL query via input data from the client to the application. • When SQL succeed the followings could happen • Read sensitive data • Modify DB data • Run administrative operation
  • 11. SQL INJECTION – THREAD MODELING – • SQL Injection lets attackers to spoof identity, and temper data in database. • SQL Injection lets cause repudiation issues • Voiding transaction • Changing balance • SQL injection is common with PHP and ASP • Because these older functional interfaces are widely used. • Nature of programmatic interface available • J2EE and ASP.NET application are less likely to have easily exploited SQL injection.
  • 12. SQL INJECTION – PREVENTION – I. Use prepared statement / parameterized queries I. Prepared statement force the developers to first define all SQL code and then pass the required parameters later to the query. II. This allows DB to distinguish between code and data, independent from user-input.
  • 13. SQL INJECTION – PREVENTION – String user = request.getParameter( "user" ); String pass = request.getParameter( "pass" ); String sqlStr = "SELECT fullname FROM login WHERE user='" + user + "' and pass = sha2('"+ pass + "', 256)"; String sqlStr = "SELECT count(*) FROM login WHERE user=? and pass = sha2(?, 256)"; PreparedStatement stmt = con.prepareStatement(sqlStr); stmt.setString(1,name); stmt.setString(2,pwd); ResultSet rs = stmt.executeQuery(); No Use of Prepared Statement Use of Prepared Statement
  • 14. SQL INJECTION – PREVENTION – II. Use Stored Procedure I. Not always safe from SQL Injection II. Certain Stored Procedures have the similar effect as use of parameterized query III. It requires to build SQL query with parameters that are automatically parametrized unless the developer does something out of norm.
  • 15. SQL INJECTION – DEMONSTRATION – • Not Preventing Site • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att ackable/login_form.html • Preventing Site • Running here
  • 16. XSS – CROSS SITE SCRIPTING –
  • 17. XSS – OVERVIEW – • A type of injection attack • Injects malicious script into benign and trusted website. • Occurs when an attacker users a web application to send malicious code • Generally in the form of a browser side script to different end user.
  • 18. XSS – THREAD MODELING – • XSS lets attackers do the followings • Identity Thrift (fraud) • Redirect traffic by altering URL • Session Hijacking • Storing sensitive information in JavaScript variables
  • 19. XSS – PREVENTION – • Never accepts to insert untrusted data except in allowed location • Deny all – do not put untrusted data into your html document unless it is within one of the slot of defined in rule #1 • Most importantly, never accept actual JavaScript code from an untrusted data and then run it. •Escape XML sequences • Using Escape sequences • http://www.avajava.com/tutorials/lessons/how-do-i- escape-a-string-for-xml.html
  • 20. SCREEN SHOT FOR XSS ATTACKED PREVENTED
  • 21. XSS –DEMONSTRATION– • Demonstration running at • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att ackable/login_form.html
  • 22. CSRF (CROSS SITE REQUEST FORGERY)
  • 23. CSRF –OVERVIEW– • CSRF is a type of attacks • Force user to run unwelcome action on web-applications where he/she is authorized currently. • Whereby, HTTP requests are transmitted from a user that the web site trusts or has authenticated (e.g., via HTTP redirects or HTML forms). • CSRF can be caused by: • Building an exploit URL or Script http://bank.com/transfer.do?acct=MARIA&amount=100000 Attacker can monaurally change values to request the service.
  • 24. CSRF –THREAD MODEL– • Impact: user may access resource on behalf of the attacker. • User may upload private image to attacker’s server. • When using 3rd party login, the user may associate with his client account with attacker’s identity at an identity provider.
  • 25. CSRF –PREVENTION– • Use synchronized token pattern • Never use get method in html form