ID: 3533495 • Letter: 1
Question
1. Conduct research on web security vulnerabilities. Select one vulnerability you consider important and describe it in detail. Explain how the vulnerability you described can be overcome or prevented. In addition, briefly explain why you chose the vulnerability.
2. Part A) Give one good example of a covert storage channel. Explain how the covert storage channel you described can be mitigated or prevented.
Part B) Give one good example of a covert timing channel. Explain how the covert timing channel you described can be mitigated or prevented.
Explanation / Answer
1) Injection flaws
Injection happens whenever an attacker's data is able to modify a query or command sent to a database, LDAP server, operating system or other interpreter. Types of injection include SQL, LDAP, XPath, XSLT, HTML, XML and OS command injection. SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered against web applications (SANS Top Cyber Security Risks).
SQL Injection Example: use of string concatenation to build a query
SQL injection can happen with dynamic database queries concatenated with user-supplied input, for example with the following query:
    "select * from MYTABLE where name=" + parameter
If the user supplies "name' OR 'a'='a' " as the parameter, it results in the following:
    "select * from MYTABLE where name= 'name' OR 'a'='a';"
The OR 'a'='a' causes the where clause to always be true, which is the equivalent of the following:
    "select * from MYTABLE;"
If the user supplies "name' OR 'a'='a' ; delete from MYTABLE" as the parameter, it results in the following:
    "select * from MYTABLE where name= 'name' OR 'a'='a'; delete from MYTABLE;"
The OR 'a'='a' causes the where clause to always be true, which is the equivalent of the following:
    "select * from MYTABLE; delete from MYTABLE;"
Some database servers allow multiple SQL statements separated by semicolons to be executed at once.
Protecting against SQL Injection
Don't concatenate user input data to a query or command!
Use query parameter binding with typed parameters; this ensures the input data can only be interpreted as the value for the intended parameter, so the attacker cannot change the intent of a query.
Validate all input data to the application using a whitelist (what is allowed) for type, format, length and range; reject if invalid. (See previous blog entry.)
Don't provide too much information in error messages (like SQL exception information, table names, etc.) to the user.
2) a)
An excellent example of covert storage channels in a well-known application is the ICMP error message echoing functionality. Due to ambiguities in the ICMP RFC, many IP implementations use the memory within the packet for storage or calculation. For this reason, certain fields of certain packets, such as ICMP error packets which echo back parts of received messages, may contain flaws or extra information which betrays information about the identity of the target operating system. This information is then used to build up evidence to decide the environment of the target.
Potential Mitigations:
To prevent this sort of activity, protocol normalization is a must; however, given the subtlety of legitimate header field use, false positives are a considerable challenge.
Ensure that all reserved fields are set to zero before messages are sent and that no unnecessary information is included.
The initial packets transmitted can have the leftmost bit of the sixth offset of the IP header set (the reserved bit, or RFC 3514).