CS166 Final project
Download as PPTX, PDF1 like209 views
This document describes a final project for a computer science course involving various cybersecurity vulnerabilities and techniques for preventing them. It discusses SQL injection and demonstrates how to prevent it using prepared statements. It also covers cross-site scripting (XSS), cross-site request forgery (CSRF), and ways to mitigate these risks, such as input validation and using synchronized tokens. The project code repository and demo sites for vulnerable and secure code are provided.
![[Wroclaw #2] Web Application Security Headers](https://cdn.slidesharecdn.com/ss_thumbnails/owaspwebapplicationsecurityheaders1-160429210343-thumbnail.jpg?width=560&fit=bounds)
![[Wroclaw #7] AWS (in)security - the devil is in the detail](https://cdn.slidesharecdn.com/ss_thumbnails/awsinsecurityowasp1-171206113942-thumbnail.jpg?width=560&fit=bounds)
![[Wroclaw #7] Security test automation](https://cdn.slidesharecdn.com/ss_thumbnails/owaspsecuritytestautomation-171206113544-thumbnail.jpg?width=560&fit=bounds)
![[OWASP Poland Day] Saving private token](https://cdn.slidesharecdn.com/ss_thumbnails/pawelbochenskisecuretoken2-171003211501-thumbnail.jpg?width=560&fit=bounds)
Ad
More Related Content
What's hot (20)
Similar to CS166 Final project (20)
Ad
More from Kaya Ota (14)
Ad
Recently uploaded (20)
![Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version](https://cdn.slidesharecdn.com/ss_thumbnails/fashionevolution2-250322112409-f76abaa7-250428124909-b51264ff-250504160528-fc2bb1c5-thumbnail.jpg?width=560&fit=bounds)
![Download Wondershare Filmora Crack [2025] With Latest](https://cdn.slidesharecdn.com/ss_thumbnails/neo4j-howkgsareshapingthefutureofgenerativeaiatawssummitlondonapril2024-240426125209-2d9db05d-250419-250428115407-a04afffa-thumbnail.jpg?width=560&fit=bounds)
CS166 Final project
- 1. FINAL PROJECT SAN JOSE STATE UNIVERSITY CS166 SPRING 2017 KAYA OTA
- 2. CONTENT 1. Behind the scene tour of this site. 2. SQL Injection 3. XSS (Cross Site Scripting) 4. Cookie Stealing 5. Protocol 1. Authentication 6. CSRF
- 3. BEHIND THE SCENE TOUR OF THIS SITE
- 4. ENTRY URL FOR CS166 BLOG • Prevented codes are running at: • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code /prevented/index.html • The given codes are running at: • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code /attackable/index.html
- 5. HOW TO BUILD THIS SITE • Download source code from the git hub: https://github.com/28kayak/CS166_Final_Project.git • Set up AWS windows server with the following security group.
- 6. HOW TO BUILD THIS SITE • Set up XAMPP with Tomcat and Maria DB. • Check Windows server side of fire wall's setting. (image on the left) • Tomcat entry is on port 8080.
- 7. SQL TABLE – LOGIN – • Use Maria DB • Login table contains user information • Fullname – user’s name • User – user ID • Pass – password • Random – salt for the password Fullname User pass role Random
- 8. SQL TABLE –BLOG– • Blog table contains posts for the blog. • Title is title of the post • Content is the articles in the post • ID is the post id and is the primary key title content id
- 10. SQL INJECTION – OVERVIEW – • A type of injection attack • A SQL injection attack is by “injection” of SQL query via input data from the client to the application. • When SQL succeed the followings could happen • Read sensitive data • Modify DB data • Run administrative operation
- 11. SQL INJECTION – THREAD MODELING – • SQL Injection lets attackers to spoof identity, and temper data in database. • SQL Injection lets cause repudiation issues • Voiding transaction • Changing balance • SQL injection is common with PHP and ASP • Because these older functional interfaces are widely used. • Nature of programmatic interface available • J2EE and ASP.NET application are less likely to have easily exploited SQL injection.
- 12. SQL INJECTION – PREVENTION – I. Use prepared statement / parameterized queries I. Prepared statement force the developers to first define all SQL code and then pass the required parameters later to the query. II. This allows DB to distinguish between code and data, independent from user-input.
- 13. SQL INJECTION – PREVENTION – String user = request.getParameter( "user" ); String pass = request.getParameter( "pass" ); String sqlStr = "SELECT fullname FROM login WHERE user='" + user + "' and pass = sha2('"+ pass + "', 256)"; String sqlStr = "SELECT count(*) FROM login WHERE user=? and pass = sha2(?, 256)"; PreparedStatement stmt = con.prepareStatement(sqlStr); stmt.setString(1,name); stmt.setString(2,pwd); ResultSet rs = stmt.executeQuery(); No Use of Prepared Statement Use of Prepared Statement
- 14. SQL INJECTION – PREVENTION – II. Use Stored Procedure I. Not always safe from SQL Injection II. Certain Stored Procedures have the similar effect as use of parameterized query III. It requires to build SQL query with parameters that are automatically parametrized unless the developer does something out of norm.
- 15. SQL INJECTION – DEMONSTRATION – • Not Preventing Site • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att ackable/login_form.html • Preventing Site • Running here
- 16. XSS – CROSS SITE SCRIPTING –
- 17. XSS – OVERVIEW – • A type of injection attack • Injects malicious script into benign and trusted website. • Occurs when an attacker users a web application to send malicious code • Generally in the form of a browser side script to different end user.
- 18. XSS – THREAD MODELING – • XSS lets attackers do the followings • Identity Thrift (fraud) • Redirect traffic by altering URL • Session Hijacking • Storing sensitive information in JavaScript variables
- 19. XSS – PREVENTION – • Never accepts to insert untrusted data except in allowed location • Deny all – do not put untrusted data into your html document unless it is within one of the slot of defined in rule #1 • Most importantly, never accept actual JavaScript code from an untrusted data and then run it. •Escape XML sequences • Using Escape sequences • http://www.avajava.com/tutorials/lessons/how-do-i- escape-a-string-for-xml.html
- 20. SCREEN SHOT FOR XSS ATTACKED PREVENTED
- 21. XSS –DEMONSTRATION– • Demonstration running at • http://ec2-34-208-99-244.us-west- 2.compute.amazonaws.com:8080/CS166_Final_Project/Project_Code/att ackable/login_form.html
- 22. CSRF (CROSS SITE REQUEST FORGERY)
- 23. CSRF –OVERVIEW– • CSRF is a type of attacks • Force user to run unwelcome action on web-applications where he/she is authorized currently. • Whereby, HTTP requests are transmitted from a user that the web site trusts or has authenticated (e.g., via HTTP redirects or HTML forms). • CSRF can be caused by: • Building an exploit URL or Script http://bank.com/transfer.do?acct=MARIA&amount=100000 Attacker can monaurally change values to request the service.
- 24. CSRF –THREAD MODEL– • Impact: user may access resource on behalf of the attacker. • User may upload private image to attacker’s server. • When using 3rd party login, the user may associate with his client account with attacker’s identity at an identity provider.
- 25. CSRF –PREVENTION– • Use synchronized token pattern • Never use get method in html form