20s-2550: L24 Web Exploits

Materials

You can use the L24 slides (pdf) to take notes.

L24 annotated slides (pdf) from lecture have my drawings.

Please see piazza@439 for a link to the recorded video.

Summary

  1. Cross-site Request Forgery attack: In this attack, you first log in to bank.com, and your browser stores a cookie so that your session persists. Then you visit a malicious page at bad.com, which includes HTML that your browser evaluates using a different origin. This can cause your browser to send a POST request to a site (like bank.com), with your session cookie attached automatically, that initiates a transfer, etc.

  2. Cross-site scripting: This attack is a classic failure to validate input. A victim site (like your bank) inadvertently creates a way for the attacker to inject JavaScript into its HTML page. When a user then visits an attacker's page, the attacker can include an iframe for the victim site that injects JavaScript code, causing your browser to evaluate the victim site plus the attack code within the context (origin) of the victim site. There are two main ways to inject such code: reflection (the payload is echoed back from a crafted request) or persistent storage (the payload is saved on the victim site and served to later visitors).

  3. SQL Injection: This attack is another classic failure to validate input. As sites use databases to store user information, their implementation often makes use of SQL to interface with the database. If the parameters used in SQL queries are copied directly from the HTTP request into the query text, an attacker can craft malicious input that is then interpreted as SQL in the query. This allows the attacker to retrieve information from a database, modify a database, etc., which enables bypassing security checks. There are several ways to defend against such attacks, such as parameterized queries and strict input validation.
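As an added example for item 3 (not code from the lecture or the course), the following Python snippet contrasts a login check that pastes request parameters into the SQL text with one that uses placeholders. The in-memory sqlite3 table, the user record and the injected password value are all constructed for illustration; the point to observe is that the same input is parsed as SQL by the first version and compared only as data by the second.

```python
import sqlite3

# Constructed in-memory database standing in for the site's user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, name, password):
    # Parameters copied straight from the HTTP request into the query text:
    # whatever the client sent is parsed as part of the SQL statement.
    query = (
        "SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, name, password):
    # Placeholders: the driver passes the values separately from the query
    # text, so the input can only ever be compared as a string value.
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0

# Constructed input: a tautology that the vulnerable version treats as SQL.
INJECTED_PASSWORD = "x' OR '1'='1"

def demo():
    """Run both versions against a correct password and the injected input."""
    conn = make_db()
    return {
        "vulnerable_correct": login_vulnerable(conn, "alice", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "alice", INJECTED_PASSWORD),
        "safe_correct": login_safe(conn, "alice", "correct-horse"),
        "safe_injected": login_safe(conn, "alice", INJECTED_PASSWORD),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The vulnerable version accepts the injected input because the WHERE clause has been rewritten into `password = 'x' OR '1'='1'`; the parameterized version rejects it because no row has that literal string as its password. Parameterization is the primary defense; validating that a field matches the expected shape (e.g. a username of only letters and digits) is a useful second layer, since it also catches inputs that are bad for reasons other than SQL syntax.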

A high-level point is that validating input to an application is very important. We have only discussed a few types of attacks, but there are many others that rely on poor input validation. Conceptually, when given a new scenario, you should think very carefully about how maliciously-constructed inputs can subvert a security check in an application.
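To make the input-validation point concrete for items 1 and 2 above, here is an added example (not from the lecture) of the two server-side checks a site like bank.com would apply: a CSRF check that rejects a state-changing POST unless its Origin header is the site's own and its form carries the token tied to the session, and an output-encoding step that renders a stored comment as text rather than markup. The request shape, the `SITE_ORIGIN` value, the session dictionary and the stored comment are all constructed for this illustration.

```python
import html
import secrets

SITE_ORIGIN = "https://bank.com"   # constructed: the origin being protected

# --- CSRF defense: tie each state-changing request to the user's session ---

def new_session():
    # A random token stored in the session and embedded in the site's own
    # forms. A page on bad.com cannot read it (same-origin policy), so a
    # forged POST arrives without it even though the cookie is sent along.
    return {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}

def is_legit_transfer(session, request):
    """request: {'method', 'headers', 'form'} (constructed shape)."""
    if request["method"] != "POST":
        return False
    # Browsers attach the Origin header to cross-site POSTs; a request
    # originating from bad.com therefore does not match the site's origin.
    if request["headers"].get("Origin") != SITE_ORIGIN:
        return False
    token = request["form"].get("csrf_token", "")
    # Constant-time comparison against the session's copy of the token.
    return secrets.compare_digest(token, session["csrf_token"])

# --- XSS defense: user-supplied text is data, never HTML ---

def render_comment_vulnerable(comment):
    # Stored input is spliced straight into the page; any tags it contains
    # are evaluated in the victim site's origin.
    return "<p class=\"comment\">%s</p>" % comment

def render_comment_safe(comment):
    # Escape <, >, &, " and ' so the browser displays the text literally.
    return "<p class=\"comment\">%s</p>" % html.escape(comment, quote=True)

# Constructed stored comment carrying a script tag.
STORED_COMMENT = "nice site <script>evil()</script>"

def demo():
    session = new_session()
    forged = {   # what a page on bad.com can make the browser send
        "method": "POST",
        "headers": {"Origin": "https://bad.com", "Cookie": "session=..."},
        "form": {"to": "attacker", "amount": "1000"},
    }
    legit = {    # submission of the site's own form
        "method": "POST",
        "headers": {"Origin": SITE_ORIGIN, "Cookie": "session=..."},
        "form": {"to": "bob", "amount": "10", "csrf_token": session["csrf_token"]},
    }
    return {
        "forged_accepted": is_legit_transfer(session, forged),
        "legit_accepted": is_legit_transfer(session, legit),
        "vulnerable_html": render_comment_vulnerable(STORED_COMMENT),
        "safe_html": render_comment_safe(STORED_COMMENT),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

Both checks follow the same principle the summary ends on: decide what a request or field is allowed to look like, and verify that on the server rather than trusting whatever the browser delivered. For CSRF, marking the session cookie `SameSite` is a complementary browser-side control; for XSS, escaping must match the context the value lands in (HTML body here; attribute, URL and script contexts each need their own encoding).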