Teamwork: famous security threats
Each team spends about 10 minutes investigating one of the following:
In each case, the two main questions are:
What was the threat about?
What was the main attack strategy used in the threat?
Client-side security
- At the network level a client is identified only by its IP address.
But browsers volunteer a lot more than that (User-Agent, Accept-Language,
screen size, time zone, installed plugins; check out Browserspy).
Compare your browser with those of some other students in this class:
do your settings differ, and could the remote website therefore tell you
apart and track you even if you share the same IP address?
- The JavaScript history object lets a page step through the user's browsing
history (history.length, history.back()), and document.referrer reveals the URL
of the page that linked to the current one. Is that a security problem?
- JavaScript can change the content of a tab that is not currently active
(the user is looking at another tab). How could a malicious website abuse this?
- Which information should be kept/deleted when a browser is in private
mode: history, downloaded files, passwords, cache, cookies, bookmarks?
Injection
In each of the following PHP fragments, $data contains user-submitted input that is used without any checking.
In each case, determine how the user can disrupt the system.
- echo $data;
(Can the user execute JavaScript or place an image on the website?)
- system("ls $data");
(Can the user print the system password file?)
- $query = "select $data from test";
(Can the user print the database system tables?)
Server-side security
To make scripts secure, all user input must be checked before it is used.
The most reliable check is an allowlist: a regular expression, anchored at both
ends, that specifies the exact pattern of the expected input; anything that does
not match is rejected. Validation alone is not enough, though: data that passes
must still be escaped for the context it is inserted into (HTML, a shell
command, an SQL statement).
This tutorial focuses on understanding the risks and applying simple checks.
Exercises
1.1 Directory indexing and path traversal:
Create a new directory on your web server and put a file in it.
Depending on whether directory indexing is enabled (Options Indexes in Apache),
requesting the directory itself may show a listing of its contents. Check out
some websites you know and see what happens if you delete the last part of the
URL. Can you find any websites with unprotected directories?
1.2 HTML injection:
Create a simple web form with a text field and
a simple script that prints the user input from the text field. (You
can use a script from Week 3 for this exercise if you still have it.)
Apply no security at this stage. Try entering text with HTML tags
into the text field (for example "<i>hello</i>") and see what happens.
1.3 Defacing:
Continuing from the previous exercise, enter an image tag
(<img src='...'>)
with a valid URL into the text field. See what happens.
To fix these basic security risks in PHP, apply functions such as
htmlspecialchars() (which converts <, >, & and quotes into HTML entities, so the
input is displayed rather than interpreted as markup) and strip_tags() (which
removes tags but is not a substitute for escaping), and observe what they do.
1.4 System commands:
Add a system command to your script, something like system("ls $data"),
where $data contains user-supplied data (note the double quotes: PHP only
substitutes $data inside a double-quoted string). Determine how an attacker can
run arbitrary shell commands, and thereby obtain a shell, via your script.
Use escapeshellarg() to protect your code: it wraps a single argument in quotes
so the shell treats it as one word. escapeshellcmd() escapes the metacharacters
of a whole command string but still lets the user append extra arguments, so
prefer escapeshellarg() when passing user data as an argument.