Lecture 4 - University of Colorado Boulder | University of ...


Foundations of Network and Computer Security
John Black
CSCI 6268/TLEN 5550, Spring 2013

Session-Based Attacks
- HTTP is connectionless
- But many/most apps want to maintain state
- Using IP addresses is an imperfect solution
  - Why?
- Cookies were invented to solve exactly this problem

Using Cookies for Session Management
- The server wants to maintain information about the current client
- Encode state into an alphanumeric string
- Use Set-Cookie: string and send to browser
- Optionally set expires, domain, path, secure, httponly values as well
- Now each time the browser wishes to connect to a given domain and path, it checks its cookie store and transmits all matching cookies

Using Cookies for Session Management
- They are essentially a temporary password
  - Difficult to guess, not short enough to brute-force, unique

- These are often violated by using insufficient randomness, being too short, using counters, etc.
- Many apps that lock out password attempts fail to guard against brute-force attacks on session IDs
  - So short session IDs are very vulnerable
- Demo stateful.php on moxie

Bad Random Number Generators

Netscape Session Keys 1996

    RNG_CreateContext()
        /* time since Jan 1, 1970 */
        (seconds, microseconds) = time of day;
        pid = process ID; ppid = parent process ID;
        a = mklcpr(microseconds);
        b = mklcpr(pid + seconds + (ppid << 12));
        seed = MD5(a, b);

    mklcpr(x) /* not cryptographically significant */
        return ((0xDEECE66D * x + 0x2BBB62DC) >> 1);

Cross-Site Scripting (XSS)
- XSS is a very common vulnerability
  - Would be vulnerability of the decade except SQL injections are often far more serious
- XSS is used for a client to attack another client, not to attack a server
- An XSS vulnerability is as simple as echoing back user input without sanitizing
  - Ex: You submit "XYZ!!(2" to a search engine and it replies with "XYZ!!(2 no results found"

Security Context
- We define a security context to be the set of rules that govern how cookies are handled between domains
- Users might have several contexts active at the same time
  - Ex: An unexpired session token with a bank sitting in another browser window (logout or browser death usually purges these tokens, but users will often neglect to do either)

XSS
- The idea of XSS is for an attacker to inject malicious JavaScript into a security context that it does not own
- And, as we know, this means things like session tokens can be sent anywhere we like

[Figure: reflected XSS flow]
- User connects to evil site
- Link to bank with malicious JavaScript given as parameter
- Malicious JavaScript reflected back to user with bank's security context
- JavaScript executes as if from bank; tokens stolen
- Typically called reflected XSS

Demo on moxie

- Visit stateful.php to establish highly valuable session ID
- View xss.php behavior
- Look at ~drevil on moxie
  - Note the warm innocent feel of the page
  - View source on this page (note the encodings)
- Examine steal.php
- Click on link on drevil's homepage
- Look in /tmp/stolen.txt
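
Added example (not from the lecture or its demo files): the session ID that the demo treats as highly valuable, issued the way the cookie slides ask for, next to an ID derived from clock and process ID in the style of the 1996 seed. The cookie name sid, the domain bank.example and the 900-second lifetime are assumptions of this sketch.

```python
import random
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}  # session ID -> server-side state (in-memory for this example)

def weak_session_id(seconds, pid):
    """Anti-pattern: ID derived from clock and process ID, like the 1996 seed.
    Anyone who can estimate both values can regenerate the same ID."""
    return "%08x" % random.Random(seconds ^ (pid << 12)).getrandbits(32)

def strong_session_id():
    """256 bits from the OS CSPRNG: hard to guess, too long to brute-force."""
    return secrets.token_urlsafe(32)

def issue_session(user, domain="bank.example", max_age=900):
    """Create server-side state and return the Set-Cookie header value."""
    sid = strong_session_id()
    SESSIONS[sid] = {"user": user}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["domain"] = domain
    cookie["sid"]["path"] = "/"
    cookie["sid"]["max-age"] = max_age   # short lifetime limits a stolen ID
    cookie["sid"]["secure"] = True       # only sent over TLS
    cookie["sid"]["httponly"] = True     # not readable by page script
    return cookie["sid"].OutputString()

def lookup_session(cookie_header):
    """Map the Cookie request header back to server-side state, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get("sid")
    return SESSIONS.get(morsel.value) if morsel else None

if __name__ == "__main__":
    header = issue_session("alice")
    print("Set-Cookie:", header)
    print(lookup_session(header.split(";")[0]))
    # Constructed inputs: the same clock value and pid always give the same ID.
    print(weak_session_id(1359000000, 4242), weak_session_id(1359000000, 4242))
```

The httponly attribute matters for the demo above: a cookie marked this way is not exposed to script running in the page.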

Stored XSS
- Stored XSS is very similar
  - Instead of using a reflection bug, the attacker stores JavaScript in a place where the victim is likely to read it (and thereby execute it)
  - It's usually the server's responsibility to sanitize user input before storing it
- Consider a public forum where various users post their thoughts
  - And their exploit code
- Stored XSS is usually considered more serious
  - No need to induce the user to establish a session then visit drevil's site, which can be hard sometimes
- Note proper domain name
- SSL would be enabled, if this were an SSL site
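
Added example (not from the lecture; all function names and the probe string are constructed here): the search-page echo from the reflected case and the forum from the stored case, each with HTML encoding applied, plus a regression check that fails when user input reaches the page raw. This sketch encodes when the page is rendered, which also covers posts stored before any sanitizing was in place.

```python
import html

PROBE = "XYZ<'\">&!!(2"   # constructed marker containing HTML metacharacters

def search_vulnerable(query):
    """Echoes the query into the page unchanged: the reflection bug."""
    return "<p>%s no results found</p>" % query

def search_escaped(query):
    """Encodes the query for an HTML text context before echoing it."""
    return "<p>%s no results found</p>" % html.escape(query, quote=True)

POSTS = []  # forum posts as (author, body), kept exactly as submitted

def store_post(author, body):
    POSTS.append((author, body))

def render_forum():
    """Every stored field is encoded on its way into the page."""
    rows = ["<li><b>%s</b>: %s</li>" % (html.escape(a), html.escape(b))
            for a, b in POSTS]
    return "<ul>%s</ul>" % "".join(rows)

def comes_back_unmodified(render, probe=PROBE):
    """Regression check: True means metacharacters reach the page raw."""
    return probe in render(probe)

if __name__ == "__main__":
    store_post("drevil", "<script>/* constructed */</script>")
    print(comes_back_unmodified(search_vulnerable))
    print(comes_back_unmodified(search_escaped))
    print(render_forum())
```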

Samy XSS worm
- Oct, 2005: MySpace had an XSS vulnerability
- They used in every user-input vector and monitor for appearance of this string from the site
- If string comes back unmodified, jackpot
- This is automatable

Some XSS vulns will not be found by this technique, however, since
