Common Vulnerabilities

Junghoo Cho

cho@cs.ucla.edu

Dangerous Software Errors

What We Will Discuss

Buffer Overflow

#include <stdio.h>
#include <string.h>

int login(void);
int start_session(void);

int main(void) {
    if (login()) start_session();
    return 0;
}

int login(void) {
    char passwd[10];
    /* gets() performs no bounds check: any input longer than 9 characters
       overruns passwd and overwrites neighbouring stack data, which is the
       overflow this slide illustrates. gets() was removed from C11. */
    gets(passwd);
    return (strcmp(passwd, "mypasswd") == 0);
}

int start_session(void) {
    /* ... session logic elided in the slide ... */
    return 0;
}

Stack and Local Variable

Buffer Overflow Attack

Standard C Is Dangerous

Stackguard

SQL/Command Injection Attack

"SELECT price FROM Product WHERE prod_id = " + user_input + ";"
system("cp file1.dat $user_input");

SQL Injection: Protection

Command Injection: Protection

Mitigating Damage

Client State Manipulation

<form>
    <input type="hidden" name="price" value="5.50">
    ...
</form>

Client State Manipulation: Protection

Basic idea: NEVER trust user input

  1. Authoritative state stays at the server
  2. Send signed state to the client
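One way to realise item 2, as an added example that is not part of the lecture: the server keeps the price in a hidden field, but signs it with a server-only HMAC key and rejects any submitted field whose tag does not match. The key value below is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; a real deployment loads the key from a secret
# store and never sends it to the client.
SERVER_KEY = b"example-secret-key-do-not-ship"

def _canonical(state: dict) -> bytes:
    """Serialize deterministically so the same state always yields the same tag."""
    return json.dumps(state, sort_keys=True, separators=(",", ":")).encode()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def sign_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Return 'payload.tag' for the hidden field.

    The client can read the payload (e.g. the price) but cannot produce a
    valid tag for a modified payload without the server key.
    """
    payload = _canonical(state)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_state(token: str, key: bytes = SERVER_KEY):
    """Return the state dict if the tag is valid, otherwise None.

    compare_digest runs in constant time, so the check does not leak how
    many tag bytes matched.
    """
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(payload)

def with_payload(token: str, new_state: dict) -> str:
    """Test helper: swap the payload but keep the old tag, as an edited
    hidden field would look when it reaches the server."""
    _, tag_b64 = token.split(".", 1)
    return _b64(_canonical(new_state)) + "." + tag_b64
```

On every request the server calls verify_state on the submitted field and treats None as a tampered or malformed order rather than falling back to the client's value.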

Cross Site Scripting (XSS)

<body>
Welcome to {{user_name}}'s Profile!
</body>

XSS: Protection

Content-Security-Policy Header

Cross-Site Request Forgery (XSRF)

XSRF: Example

  1. A user visits http://victim.com and does not log out
  2. The user visits the following page at http://evilsite.com
    <form action="http://victim.com/transfer" onload="submit()">
        <input type="hidden" name="amount" value="$1M">
        <input type="hidden" name="to" value="hacker">
    </form>

XSRF: Problem

XSRF: Protection

What We Learned

Thank You