Lecture 4 - University of Colorado Boulder | University of ...


Foundations of Network and Computer Security
John Black
CSCI 6268/TLEN 5550, Spring 2013

Session-Based Attacks
- HTTP is connectionless
- But many/most apps want to maintain state
- Using IP addresses is an imperfect solution. Why?
- Cookies were invented to solve exactly this problem

Using Cookies for Session Management
- The server wants to maintain information about the current client
- Encode state into an alphanumeric string
- Send it to the browser in a Set-Cookie header
- Optionally set expires, domain, path, secure and httponly values as well
- Now each time the browser wishes to connect to a given domain and path, it checks its cookie store and transmits all matching cookies
- Session ids are essentially a temporary password: difficult to guess, not short enough to brute-force, unique
- These requirements are often violated by using insufficient randomness, being too short, using counters, etc.
- Many apps that lock out password attempts fail to guard against brute-force attacks on session ids
- So short session ids are very vulnerable
- Demo: stateful.php on moxie
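The session-cookie requirements above, as an added example that is not part of the lecture: a CSPRNG-generated id, the Set-Cookie header with the attributes the slide lists, and the brute-force estimate that explains why password lockouts do not protect session ids (the id sizes, session counts and guess rates are constructed inputs).

```python
import time
from email.utils import formatdate
from typing import Optional
import secrets

SESSION_ID_BYTES = 16  # 128 bits from the OS CSPRNG: unguessable and far too big to brute-force


def make_session_id(nbytes: int = SESSION_ID_BYTES) -> str:
    """Fresh session id from the OS CSPRNG: never a counter, a timestamp or a short string."""
    return secrets.token_urlsafe(nbytes)


def session_cookie_header(name: str, value: str, *, path: str = "/",
                          domain: Optional[str] = None, max_age: Optional[int] = None,
                          secure: bool = True, httponly: bool = True) -> str:
    """Build the Set-Cookie line that hands the session id to the browser.

    Secure keeps the cookie off plaintext HTTP; HttpOnly keeps it out of reach of page
    script, which blunts the token theft shown in the XSS part of the lecture.
    """
    parts = [f"{name}={value}", f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    if max_age is not None:
        parts.append(f"Max-Age={max_age}")
        parts.append("Expires=" + formatdate(time.time() + max_age, usegmt=True))
    if secure:
        parts.append("Secure")
    if httponly:
        parts.append("HttpOnly")
    return "Set-Cookie: " + "; ".join(parts)


def expected_guess_seconds(id_bits: int, live_sessions: int, guesses_per_second: float) -> float:
    """Expected time for an online guesser to land on *any* live session id.

    Password lockouts do not help here: each guess is just one more request carrying a
    made-up cookie, so only the size of the id space protects the sessions.
    """
    expected_guesses = 2 ** id_bits / live_sessions / 2
    return expected_guesses / guesses_per_second


if __name__ == "__main__":
    print(session_cookie_header("PHPSESSID", make_session_id(), max_age=1800))
    for bits in (16, 32, 128):  # constructed: 1000 live sessions, a million guesses per second
        print(f"{bits:3d}-bit ids: {expected_guess_seconds(bits, 1000, 1e6):.3g} s to hit one")
```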

Bad Random Number Generators
Netscape Session Keys, 1996 (seeding routine as shown on the slide; pseudocode, not compilable as-is):

    RNG_CreateContext()
        /* time since Jan 1, 1970 */
        (seconds, microseconds) = time of day;
        pid  = process ID;
        ppid = parent process ID;
        a = mklcpr(microseconds);
        b = mklcpr(pid + seconds + (ppid << 12));
        seed = MD5(a, b);

    mklcpr(x) /* not cryptographically significant */
        return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);
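The Netscape seeding above, reproduced as an added example (not the lecture's or Netscape's code) to put a number on its entropy: the only inputs are the clock and two process ids, and mklcpr is an affine map, so MD5 cannot enlarge the set of possible seeds. Unsigned 32-bit arithmetic in mklcpr and little-endian packing of a and b into MD5 are assumptions the slide does not state; the time, pid and window values below are constructed.

```python
import hashlib
import math

MASK32 = 0xFFFFFFFF


def mklcpr(x: int) -> int:
    """The slide's mixing step in unsigned 32-bit arithmetic (assumed word size).

    It is an affine map, so it adds no entropy: whoever knows x knows mklcpr(x).
    """
    return ((0xDEECE66D * x + 0x2BBB62DC) & MASK32) >> 1


def netscape_seed(seconds: int, microseconds: int, pid: int, ppid: int) -> bytes:
    """Reproduce the seed derivation; little-endian 4-byte packing is an assumption."""
    a = mklcpr(microseconds)
    b = mklcpr((pid + seconds + (ppid << 12)) & MASK32)
    return hashlib.md5(a.to_bytes(4, "little") + b.to_bytes(4, "little")).digest()


def seed_entropy_bits(second_window: int, pid_candidates: int, ppid_candidates: int) -> float:
    """Upper bound on the seed's entropy for an observer who can narrow the inputs.

    The only unknowns are the second (within a window), the microsecond (at most
    1,000,000 values) and the two process ids; hashing cannot add to that.
    """
    candidates = second_window * 1_000_000 * pid_candidates * ppid_candidates
    return math.log2(candidates)


if __name__ == "__main__":
    # Constructed inputs: two browsers started in the same second by the same parent.
    s1 = netscape_seed(seconds=827_000_000, microseconds=123_456, pid=4242, ppid=4000)
    s2 = netscape_seed(seconds=827_000_000, microseconds=123_457, pid=4242, ppid=4000)
    print("seeds differ only through one microsecond:", s1 != s2)
    print(f"known second, pid and ppid: {seed_entropy_bits(1, 1, 1):.1f} bits")
    print(f"one-minute window, 1000 candidates for each pid: {seed_entropy_bits(60, 1000, 1000):.1f} bits")
    print("a 128-bit session key seeded this way carries at most that much entropy")
```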

Cross-Site Scripting (XSS)
- XSS is a very common vulnerability
- Would be vulnerability of the decade, except SQL injections are often far more serious
- XSS is used for a client to attack another client, not to attack a server
- An XSS vulnerability is as simple as echoing back user input without sanitizing
- Ex: You submit XYZ!!(2 to a search engine and it replies with "XYZ!!(2 no results found"

Security Context
- We define a security context to be the set of rules that govern how cookies are handled between domains
- Users might have several contexts active at the same time
- Ex: An unexpired session token with a bank sitting in another browser window (logout or browser death usually purges these tokens, but users will often neglect to do either)

XSS
- The idea of XSS is for an attacker to inject malicious javascript into a security context that it does not own
- And, as we know, this means things like session tokens can be sent anywhere we like
- Diagram: the user connects to the evil site; a link to the bank carries malicious javascript as a parameter; the malicious javascript is reflected back to the user within the bank's security context; the javascript executes as if from the bank; tokens stolen
- Typically called reflected XSS

Demo on moxie
- Visit stateful.php to establish a highly valuable session ID
- View xss.php behavior
- Look at ~drevil on moxie
- Note the warm, innocent feel of the page
- View source on this page (note the encodings)
- Examine steal.php
- Click on the link on drevil's homepage
- Look in /tmp/stolen.txt

Stored XSS
- Stored XSS is very similar
- Instead of using a reflection bug, the attacker stores javascript in a place where the victim is likely to read it (and thereby execute it)
- It's usually the server's responsibility to sanitize user input before storing it
- Consider a public forum where various users post their thoughts... and their exploit code
- Stored XSS is usually considered more serious
- No need to induce the user to establish a session and then visit drevil's site, which can be hard sometimes
- Screenshot notes: note the proper domain name; SSL would be enabled, if this were an SSL site

Samy XSS worm
- Oct 2005: myspace had an XSS vulnerability
- They used in every user-input vector and monitored for the appearance of this string from the site
- If the string comes back unmodified, jackpot
- This is automatable
- Some XSS vulns will not be found by this technique, however, since
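The reflected search echo, the stored forum post and the "does the string come back unmodified" check from the Samy slides, as one added example that is not part of the lecture: the vulnerable echo beside its output-encoded fix, a forum renderer that encodes at render time, and the automatable canary check pointed at your own handlers. The handler names, the search-result text and the posted message are constructed.

```python
import html
import secrets
from typing import Callable, Dict, List, Optional


def render_search_vulnerable(query: str) -> str:
    """The slide's bug: the query is echoed straight into the HTML response."""
    return f"<p>{query} no results found</p>"


def render_search_fixed(query: str) -> str:
    """Output-encode for an HTML text context; the browser now shows the text
    instead of parsing it as markup."""
    return f"<p>{html.escape(query, quote=True)} no results found</p>"


def render_forum(posts: List[Dict[str, str]]) -> str:
    """Stored path: the server keeps each post's raw text and encodes it once,
    at render time, for the HTML context it lands in."""
    items = "".join(f"<li><b>{html.escape(p['author'])}</b>: {html.escape(p['body'])}</li>"
                    for p in posts)
    return f"<ul>{items}</ul>"


def forum_roundtrip(body: str) -> str:
    """Post one constructed message to an empty forum, then render the page."""
    return render_forum([{"author": "visitor", "body": body}])


def reflects_unmodified(render: Callable[[str], str], canary: Optional[str] = None) -> bool:
    """The automatable check from the Samy slide, run against your own handlers:
    push a unique marker with HTML metacharacters through an input vector and see
    whether it comes back byte-for-byte. True means that handler needs fixing."""
    if canary is None:
        canary = f"<xss-{secrets.token_hex(4)}>"
    return canary in render(canary)


if __name__ == "__main__":
    handlers = [("search, vulnerable", render_search_vulnerable),
                ("search, fixed", render_search_fixed),
                ("forum, fixed", forum_roundtrip)]
    for name, handler in handlers:
        print(f"{name:18s} reflects canary unmodified: {reflects_unmodified(handler)}")
    print(render_search_fixed("<b>hi</b>"))
```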
