Middleware Vulnerabilities Damian Tamayo Kansas State University MSE 2 nd Semester.


Page 1: Middleware Vulnerabilities Damian Tamayo Kansas State University MSE 2 nd Semester.

Middleware Vulnerabilities

Damian Tamayo, Kansas State University

MSE 2nd Semester

Page 2

Overview

• Common Attacks

• Examples

• Possible Solutions

Page 3

Common Attacks

• Overflows

• String Format/Validation

• Race Conditions - permissions

• Cross Site Scripting

Page 4

Attacks Defined

• Buffer Overflow – overwriting allocated buffer

• String Format/Validation – send commands through user input

• Race Conditions – interrupt handling

• Cross Site Scripting – script injection on client side applications

Page 5

Examples - Overflow

Stack diagram (slide figure), top of stack first:

  return address

  variable

  variable

  filename

Page 6

Overflow Continued

Stack diagram (slide figure), top of stack first:

  return address

  variable

  variable

  filename = \XFERS\AAA.

Page 7

Overflow Continued

Stack diagram (slide figure), top of stack first:

  return address (now AAAA)

  variable

  variable

  filename = \XFERS\A..AAAA

Page 8

Possible Solutions

• Check for buffer/string lengths

• Use operations that are safe

  – C/C++

    • strncpy

    • strncat

  – Java/EJB’s

    • Technically “No”

    • Theoretically possible
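The slides recommend length checks and the bounded C string functions. The C program below is an added example, not code from the presentation; it copies and appends a client-supplied path into a fixed 16-byte filename slot (the slot size and the sample paths are assumptions made for this example) and shows the two caveats a practitioner needs with strncpy and strncat: strncpy does not terminate an oversized string, and strncat's length argument is the remaining room, not the buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Size of the fixed filename slot on the stack, as in the slide diagram
 * (the value is an assumption for this example). */
#define FILENAME_SLOT 16

/* Bounded copy into dst. Returns 0 when src fit, -1 when it was cut short.
 * dst is always NUL-terminated; plain strncpy does not guarantee that when
 * src has dstsize or more characters, so the terminator is written here. */
int copy_filename(char *dst, size_t dstsize, const char *src)
{
    size_t len;
    if (dstsize == 0) return -1;
    len = strlen(src);
    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);   /* keep what fits ... */
        dst[dstsize - 1] = '\0';         /* ... and terminate */
        return -1;
    }
    memcpy(dst, src, len + 1);           /* includes the terminator */
    return 0;
}

/* Bounded append. strncat's length argument is the space REMAINING after
 * the current contents, minus one for the terminator. Passing sizeof(dst)
 * here, a common mistake, would overflow just like strcat. */
int append_filename(char *dst, size_t dstsize, const char *suffix)
{
    size_t used = strlen(dst);
    size_t room;
    if (used >= dstsize) return -1;      /* dst is already corrupt */
    room = dstsize - used - 1;
    strncat(dst, suffix, room);          /* always terminated */
    return strlen(suffix) > room ? -1 : 0;
}

/* Test hooks: copy/append into a FILENAME_SLOT-byte slot and compare the
 * result with what the caller expects. Return 1 on match, 0 otherwise. */
int copies_to(const char *src, const char *expected)
{
    char slot[FILENAME_SLOT];
    copy_filename(slot, sizeof slot, src);
    return strcmp(slot, expected) == 0;
}

int appends_to(const char *prefix, const char *suffix, const char *expected)
{
    char slot[FILENAME_SLOT];
    if (copy_filename(slot, sizeof slot, prefix) != 0) return 0;
    append_filename(slot, sizeof slot, suffix);
    return strcmp(slot, expected) == 0;
}

/* 1 if src fits the slot without truncation, 0 otherwise. */
int filename_fits(const char *src)
{
    char slot[FILENAME_SLOT];
    return copy_filename(slot, sizeof slot, src) == 0;
}

int main(void)
{
    /* constructed inputs: the slide's short path and an oversized one */
    const char *ok  = "\\XFERS\\AAA";
    const char *bad = "\\XFERS\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
    char slot[FILENAME_SLOT];

    printf("%s fits: %d\n", ok, filename_fits(ok));
    printf("oversized path fits: %d\n", filename_fits(bad));
    copy_filename(slot, sizeof slot, bad);
    printf("truncated to: %s (%zu chars)\n", slot, strlen(slot));
    return 0;
}
```

The oversized path is cut to 15 characters plus the terminator instead of running past the slot into the variables and return address shown on the slide; the -1 return lets the caller reject the request rather than silently use a truncated name.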

Page 9

String Format/User Validation

• External commands to the system

  – URL

  – Form control commands

    • “:”

  – “god”-like query ability

Page 10

Possible Solutions

• Perform checks on user input

• Don’t use shortcuts to format strings

• Filters
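The three solutions above (check user input, no format-string shortcuts, filters) are shown together in this added C example; it is not code from the presentation. A search term arriving from a form is passed through an allow-list filter, and the log line that records it uses a fixed format string with the term supplied as a %s argument, so the shortcut printf(user_input) and the command-like characters the slides mention (such as ":") never reach an interpreter. The character set, length limit and sample inputs are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Allow-list check: letters, digits, space and a few safe punctuation marks.
 * Returns 1 if the whole string is acceptable, 0 otherwise. Empty strings
 * and strings longer than max_len are rejected as well. */
int input_is_clean(const char *s, size_t max_len)
{
    size_t i;
    if (s == NULL || s[0] == '\0') return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (i >= max_len) return 0;
        if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == ' ')
            continue;
        return 0;   /* ':' '%' '<' '|' ';' and friends all land here */
    }
    return 1;
}

/* Write a log line for a search term. The format string is a fixed literal
 * and the user's text is always a %s argument, so "%x" or "%n" inside the
 * input is plain data, not a directive. Returns bytes written or -1. */
int log_search(char *out, size_t outsize, const char *user_term)
{
    int n = snprintf(out, outsize, "search term=\"%s\"", user_term);
    if (n < 0) return -1;
    if ((size_t)n >= outsize) return -1;   /* would have been truncated */
    return n;
}

/* Single gate a term must pass before it reaches a query or the system:
 * 1 when the term is clean and was logged, 0 otherwise. */
int accept_search_term(const char *term)
{
    char line[128];
    if (!input_is_clean(term, 64)) return 0;
    return log_search(line, sizeof line, term) > 0;
}

/* 1 if the log line contains the term literally (e.g. "%x" stays "%x"). */
int log_keeps_literal(const char *term)
{
    char line[128];
    if (log_search(line, sizeof line, term) < 0) return 0;
    return strstr(line, term) != NULL;
}

int main(void)
{
    /* constructed inputs: an ordinary term and two that must be rejected */
    const char *terms[] = { "middleware", "user:admin", "%x%x%n" };
    size_t i;
    for (i = 0; i < sizeof terms / sizeof terms[0]; i++)
        printf("%-12s accepted=%d\n", terms[i], accept_search_term(terms[i]));
    return 0;
}
```

Filtering on an allow-list rather than a deny-list is the point of the "Filters" bullet: the set of acceptable characters is small and known, while the set of characters some downstream component treats as a command is not.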

Page 11

Race Condition

• Interrupts are not handled correctly

  – System raises privilege level to perform operation

  – System handles interrupt

  – Attacker sends command at higher privilege than user

Page 12

Possible Solutions

• Handle interrupts appropriately

  – System raises privileges

  – Attacker sends interrupt

  – System catches interrupt

  – System finishes operation and lowers privileges

  – System handles attacker’s interrupt
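The ordering on this slide (raise, catch the interrupt, finish, lower, then handle it) is what the added C program below does with POSIX signals; it is not code from the presentation. The privilege level is a flag rather than a real seteuid() call, and SIGUSR1 stands in for the attacker's interrupt; both are assumptions for this example. The interrupt is blocked for the privileged window, stays pending, and its handler runs only after privileges are back down, so the handler observes user level.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <string.h>

/* Simulated privilege level: 0 = user, 1 = elevated. A real system would
 * switch credentials here; the flag keeps the example self-contained. */
static volatile sig_atomic_t privilege_level = 0;

/* Recorded by the handler: did it run, and what privilege did it see? */
static volatile sig_atomic_t handler_ran = 0;
static volatile sig_atomic_t handler_saw_privilege = -1;

static void attacker_interrupt_handler(int signo)
{
    (void)signo;
    handler_ran = 1;
    handler_saw_privilege = privilege_level;
}

/* Install the handler for the simulated attacker interrupt. */
int install_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = attacker_interrupt_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGUSR1, &sa, NULL);
}

/* The privileged operation, during which the attacker's interrupt arrives. */
static void privileged_operation(void)
{
    raise(SIGUSR1);   /* simulated attacker interrupt while elevated */
    /* ... the work that needed elevation happens here ... */
}

/* Run op with privileges raised and the interrupt blocked for the whole
 * window. The interrupt is caught (held pending) and delivered only after
 * privileges are lowered, which is the sequence on the slide. */
int run_privileged(void (*op)(void))
{
    sigset_t block, saved;
    sigemptyset(&block);
    sigaddset(&block, SIGUSR1);
    if (sigprocmask(SIG_BLOCK, &block, &saved) != 0) return -1;

    privilege_level = 1;      /* system raises privileges */
    op();                     /* attacker sends interrupt: caught, pending */
    privilege_level = 0;      /* system finishes and lowers privileges */

    /* restoring the mask delivers the pending interrupt now, at user level */
    if (sigprocmask(SIG_SETMASK, &saved, NULL) != 0) return -1;
    return 0;
}

/* Driver: returns the privilege level the handler observed (0 expected),
 * or -1 if setup failed or the handler never ran. */
int demo_privilege_seen_by_interrupt(void)
{
    handler_ran = 0;
    handler_saw_privilege = -1;
    if (install_handler() != 0) return -1;
    if (run_privileged(privileged_operation) != 0) return -1;
    if (!handler_ran) return -1;
    return (int)handler_saw_privilege;
}

int main(void)
{
    int seen = demo_privilege_seen_by_interrupt();
    printf("interrupt handled at privilege level %d (0 = user)\n", seen);
    return seen == 0 ? 0 : 1;
}
```

Without the sigprocmask bracket the handler would run inside op(), while privilege_level is still 1, which is the unsafe interleaving of the previous slide; the defensive fix is to make the privileged window uninterruptible and defer, not drop, the interrupt.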

Page 13

Cross Site Scripting

http://testasp.acunetix.com/Search.asp

<br><br>Please login with the form below before proceeding:<form action="destination.asp"><table><tr><td>Login:</td><td><input type=text length=20 name=login></td></tr><tr><td>Password:</td><td><input type=text length=20 name=password></td></tr></table><input type=submit value=LOGIN></form>

Page 14

Cross Site Scripting

• http://testasp.acunetix.com/Search.asp?tfSearch=%3Cbr%3E%3Cbr%3EPlease+login+with+the+form+below+before+proceeding%3A%3Cform+action%3D%22test.asp%22%3E%3Ctable%3E%3Ctr%3E%3Ctd%3ELogin%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dlogin%3E%3C%2Ftd%3E%3C%2Ftr%3E%3Ctr%3E%3Ctd%3EPassword%3A%3C%2Ftd%3E%3Ctd%3E%3Cinput+type%3Dtext+length%3D20+name%3Dpassword%3E%3C%2Ftd%3E%3C%2Ftr%3E%3C%2Ftable%3E%3Cinput+type%3Dsubmit+value%3DLOGIN%3E%3C%2Fform%3E

Page 15

Possible Solutions

• Form Controls

• User input Control

• Filters
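Slides 13 and 14 show a search page that reflects the tfSearch parameter into the response unchanged, so the injected login form is rendered as markup. The added C example below (not code from the presentation or from the test site shown) is the "user input control" half of the solution: it escapes the characters that can open a tag or attribute before the term is placed in the page, so the same payload is displayed as text. The page template and buffer sizes are assumptions for this example; the sample input is the slide's own injected fragment, shortened.

```c
#include <stdio.h>
#include <string.h>

/* Escape the five characters that let text break out of an HTML text node
 * or attribute. Returns bytes written (without terminator) or -1 when out
 * is too small; out is always NUL-terminated. */
int html_escape(const char *in, char *out, size_t outsize)
{
    size_t used = 0;
    if (outsize == 0) return -1;
    for (; *in != '\0'; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        size_t rlen;
        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        rlen = strlen(rep);
        if (used + rlen >= outsize) { out[used] = '\0'; return -1; }
        memcpy(out + used, rep, rlen);
        used += rlen;
    }
    out[used] = '\0';
    return (int)used;
}

/* Hardened version of a search page that reflects the search term: the
 * term is escaped before it is placed in the response. Returns the page
 * length or -1. */
int render_search_results(const char *term, char *page, size_t pagesize)
{
    char safe[1024];
    int n;
    if (html_escape(term, safe, sizeof safe) < 0) return -1;
    n = snprintf(page, pagesize, "<p>Results for: %s</p>", safe);
    if (n < 0 || (size_t)n >= pagesize) return -1;
    return n;
}

/* Test hook: 1 if escaping `in` yields exactly `expected`. */
int escapes_to(const char *in, const char *expected)
{
    char out[1024];
    if (html_escape(in, out, sizeof out) < 0) return 0;
    return strcmp(out, expected) == 0;
}

/* 1 if the escaped term still contains a raw < > " or ' (it never should). */
int escaped_has_raw_markup(const char *term)
{
    char out[1024];
    if (html_escape(term, out, sizeof out) < 0) return 1;
    return strpbrk(out, "<>\"'") != NULL;
}

int main(void)
{
    /* constructed input: the injected login form from the slide, shortened */
    const char *payload =
        "<br><br>Please login with the form below before proceeding:"
        "<form action=\"destination.asp\"><input type=submit value=LOGIN></form>";
    char page[2048];
    if (render_search_results(payload, page, sizeof page) > 0)
        printf("%s\n", page);
    return 0;
}
```

Escaping at output time is the control that works regardless of how the term arrived (query string, form field, or the URL-encoded variant on slide 14), and it pairs with the input filter from the earlier slides rather than replacing it.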

Page 16
