COMPUTER SECURITY

Kumbukani M.H. Nyambose

BSc
0888136149
 Learning Outcome 1:
Understand how programming
practices can introduce
vulnerabilities into software
 The meaning of computer security
 Computer security is security applied to computing devices
such as computers and smartphones, as well as computer
networks such as private and public networks, including the
whole Internet.
 The field covers all the processes and mechanisms by which
digital equipment, information and services are protected from
unintended or unauthorized access, change or destruction, and
are of growing importance in line with the increasing reliance on
computer systems of most societies worldwide.
 It includes physical security to prevent theft of equipment, and
information security to protect the data on that equipment.
Traditionally, computer facilities have been
physically protected for three reasons:
1.To prevent theft of or damage to the
hardware
2.To prevent theft of or damage to the
information
3.To prevent disruption of service
 CIA Triad
 Effective computer security measures
should meet the goals embodied within the
CIA Triad that is
1.Confidentiality
2.Integrity
3.Availability
 Confidentiality
 In basic terms, the Confidentiality of data
ensures that access is allowed only to
authorized individuals or groups.
 Generally speaking, security measures that
protect confidentiality are easy to explain to
management.
 Most companies already ensure that no one
other than company employees has access to
proprietary information.
 Integrity
 Data Integrity refers to the protection mechanisms
that are in place to ensure changes to data are
tracked and properly controlled.
 In relation to computer security, the idea of integrity
immediately brings to mind preventing abusers form
manipulating sensitive data.
 For example, a database applications performs data
integrity checks to ensure an end user does not enter
improper data into one of the database fields.
 Availability
 Availability refers to the concept of IT
resources should be available when needed.
 Generally speaking, most IT organizations
focus heavily on system and network
availability.
 After all, the IT departments main mission is to
ensure the network infrastructure and
computer systems are available to users when
and where needed.
Analysing security risks
posed by software
vulnerabilities
 Software vulnerabilities Definition
 Software Vulnerability is a weakness which allows an
attacker to reduce a system's information assurance.
 Vulnerability is the intersection of three elements: a system
susceptibility or flaw, attacker access to the flaw, and
attacker capability to exploit the flaw.
 To exploit vulnerability, an attacker must have at least one
applicable tool or technique that can connect to a system
weakness.
 In this frame, vulnerability is also known as the attack
surface.
Security risks posed by software
vulnerabilities includes
 Software ‘bug’
 A software bug is an error, flaw, failure or fault in
a computer program or system that causes it to
produce an incorrect or unexpected result, or to
behave in unintended ways.
 Software ‘bug’ may allow third party or program
to gain unauthorised access, leak information,
attack other systems and do damage.
 How a software bug might introduce
vulnerabilities into a user’s software
 Most bugs arise from mistakes and errors made in either a
program's source code or its design, or in components and
operating systems used by such programs.
 A few are caused by compilers producing incorrect code.
 Bugs may have subtle effects or cause the program to crash
or freeze the computer.
 Other bugs qualify as security bugs and might, for example,
enable a malicious user to bypass access controls in order to
obtain unauthorized privileges.
 Exploits
 An exploit is a piece of software, a chunk of data, or sequence of
commands that takes advantage of a software "bug" or "glitch" in order
to cause unintended or unanticipated behaviour to occur on computer
software, hardware, or something electronic (usually computerized).
 This frequently includes such things as gaining control of a computer
system or allowing privilege escalation or a denial of service attack.
 The term "exploit" generally refers to small programs designed to take
advantage of a software flaw that has been discovered, either remote
or local.
 The code from the exploit program is frequently reused in Trojan
horses and computer viruses.
 Types of attacks

1.On program code/data in memory,

2.Network-aware programs,
3.Website software and
4.Users’ privacy
Attacks on program code/data in
memory include

Buffer overflow
 Buffer overflow attacks
 To understand what a buffer overflow is, you must first understand what a buffer
is.
 A buffer is a section of memory that has been set aside by the writer of a program
so that the program can use that memory section for actions related to that
program.
 A buffer overflow attack is an exploit that intentionally forces the buffer to
overflow its memory range, or bounds, and deliberately causes interference with
other programs in memory.
 Buffer overflow attacks vary depending on what operating system is being
attacked, what memory address range the buffer is assigned to.
 The type of buffer overflow attack being carried out can also depend on the
programs that are currently running in memory.
 These and many other variables can affect what type of buffer overflow attack is
being used and what the goal of that attack is.
A buffer overflow vulnerability will typically
occur when code
1.Is reliant on external data to control its
behavior.
2.Is dependent on data properties that are
enforced beyond its immediate scope.
3.Is so complex that programmers are not able
to predict its behavior accurately.
Impact Buffer overflow attack
1.Unstable Program Behavior
2.System crash
3.Memory access errors
4.Code over-riding
5.Security exploitation threat
6.Un-authorized data access
7.Excursive privilege actions
8.Data theft and Data loss.
 To protect from Buffer Overflow
1.Programmers have to ensure software
boundaries, so that the program doesn’t
process improper data
2.Intrusion detection system can be
implemented to discover when a buffer
overflow attack is being performed.
3.Also, we can implement file system
encryption, access control and auditing.
Attacks on network-using programs
include
1. Denial of Service and Distributed Denial of
Service (DDoS).
2. Network sniffing/eavesdropping.
3. Password cracking. ‘
4. Man–in-the-middle’ attacks.
Denial-of-service (DoS) and
distributed denial-of-service
(DDoS) attacks
 Denial-of-service (DoS)
 Denial of service (DoS) attacks aim at denying or
degrading the quality of a legitimate user’s
access to a service or network resource.
 It also can bring down the server offering such
services itself.
 The techniques used in DoS attacks can be applied to
protocol-processing functions at different layers of the
communication architecture.
 DoS attacks can threaten the services offered to
mobile users (e.g., servers offering specific
information, or servers of specific companies)
and the communication infrastructure itself.
 Purpose is to temporarily or indefinitely interrupt
or suspend services of a host connected to the
Internet.
 DoS attacks are more dynamic and comes from
a broader range of attackers
 Examples: SYN flooding, Smurf attacks,
Starvation
Methods to carry out Dos attack may vary
1.Saturating the target with external
communications requests (such that it can’t
respond to legitimate traffic) – SERVER
OVERLOAD
2.May include malware to max out target
resources (such as CPU), trigger errors, or
crash the operating system
DoS attacks can be classified into two
categories:

1. The disabling services attacks:

2. Resource undermining:
 The disabling services attacks:
 A DoS attacker makes use of implementation
weaknesses to disable service provision.
 Weaknesses that are used with these attacks
include buffer overflow.
 Resource undermining:
 Undermining can be achieved by causing
expensive computations, storage of state
information, resource reservations, or high
traffic load.
 DoS attacks can target different
network layers as explained in the
following:
1.At the application layer:
2.At the transport layer:
3.At the network layer:
 At the application layer:
 DoS occurs when a large amount of legitimate
requests are sent.
 It aims to prevent other users from accessing
the service by forcing the server to respond to
a large number of request transactions.
 At the transport layer:
 DoS is performed when many connection
requests are sent.
 It targets the operating system of the victim’s
computer.
 The typical attack in this case is a SYN
flooding.
 At the network layer:
 If the network allows associating clients, an attacker can flood the
network with traffic to deny access to other devices.
 Typically, this attack is performed by allowing one among the
following three tasks:
1. The malicious node participates in a route but simply drops several
data packets. This causes the deterioration of the connection.
2. The malicious node transmits falsified route updates or replays
false updates. These might cause route failures, thereby
deteriorating performance.
3. The malicious node reduces the time-to-live field in the IP header
so that packets never reach destinations since they are dropped
by other nodes before destination.
 Distributed DoS Attacks
 DDoS attacks can be launched and coordinated from a large
number of sites, systems, and devices.
 A DDoS attack is distinguished from a common DoS attack
by its ability to launch its actions in a distributed manner
over the wireless communicating system and to aggregate
these forces to create dangerous traffic.
 According to different reports including the annual CSI
computer crime and security report, the DDoS attacks have
induced large financial costs to companies in recent years.
 The attacker, in a DDoS, first gains control of
several master computers connected to the
wireless network by hacking into them, for
example.
 Then the master computers gain control of
more computers (zombies) by different means.
 Finally, a message is sent by the attacker to
synchronize all zombies to send the required
traffic to the victim.
 Symptoms of a DoS & DDos attack

1. Unusually slow network performance

(opening files or accessing websites),
2. Unavailability of a particular website, or An
inability to access any website.
3. Systems crashes
Defending against DDoS Attacks
1. Use Strong Passwords
2. Secure your computer
3. Install the latest operating system updates
4. Secure your wireless network
5. Protect your e-identity
6. Avoid being scammed
7. Call the right person for help
 Use Strong Passwords
 Use different user ID / password combinations
for different accounts and avoid writing them
down.
 Make the passwords more complicated by
combining letters, numbers, special characters
(minimum 10 characters in total) and change
them on a regular basis.
 Secure your computer
1. Activate your firewall Firewalls are the first line of
cyber defence; they block connections to unknown or
bogus sites and will keep out some types of viruses
and hackers.
2. Use anti-virus/malware software Prevent viruses
from infecting your computer by installing and
regularly updating anti-virus software.
3. Block spyware attacks Prevent spyware from
infiltrating your computer by installing and updating
anti-spyware software.
Install the latest operating system
updates
 Keep your applications and operating system
(e.g. Windows, Mac, Linux) current with the
latest system updates.
 Turn on automatic updates to prevent
potential attacks on older software.
 Secure your wireless network
 Wi-Fi (wireless) networks at home are
vulnerable to intrusion if they are not properly
secured. Review and modify default settings.
 Public Wi-Fi, a.k.a. “Hot Spots”, are also
vulnerable.
 Avoid conducting financial or corporate
transactions on these networks.
 Protect your e-identity
 Be cautious when giving out personal
information such as your name, address,
phone number or financial information on the
Internet.
 Make sure that websites are secure (e.g.
when making online purchases) or that
you’ve enabled privacy settings (e.g. when
accessing/using social networking sites).
 Avoid being scammed

 Always think before you click on a link or file of

unknown origin.
 Don’t feel pressured by any emails.
 Check the source of the message.
 When in doubt, verify the source.
 Never reply to emails that ask you to verify your
information or confirm your user ID or password.
 Call the right person for help

 Don’t panic! If you are a victim, if you encounter

illegal Internet content (e.g. child exploitation) or
if you suspect a computer crime, identity theft or
a commercial scam, report this to your local
police.
 If you need help with maintenance or software
installation on your computer, consult with your
service provider or a certified computer
technician.
 Network sniffing/eavesdropping.
 Network sniffing/Eavesdropping involves an intruder who
obtains sensitive information such as passwords, data, and
procedures for performing functions by intercepting, listening
to, and analyzing network communications.
 An intruder can eavesdrop by wiretapping, using radio, or
using auxiliary ports on terminals.
 Intruders can also eavesdrop using software that monitors
packets sent over the network.
 In most cases, it is difficult to detect eavesdropping, making it
essential to ensure that sensitive data is not sent over the
network in clear text.
Eavesdropping can be passive or active:
 Passive eavesdropping — A hacker detects the
information by listening to the message
transmission in the network.
 Active eavesdropping — A hacker actively grabs
the information by disguising himself as friendly unit
and by sending queries to transmitters. This is
called probing, scanning or tampering.
 Password cracking
 A password cracker is a software program that
is designed to take a captured password hash
and decrypt it so that the plaintext of the
password can be seen.
 The hacker is then able to use this plaintext
password to break into a target computer or
network.
Main methods used by password crackers to break,
or crack, passwords.
1. Brute-force attack
2. Dictionary attack
3. Social Engineering
4. Dumpster Diving
5. Phishing and Pharming
 Brute-Force Attack
 Brute force attack is a way to obtain user’s password by force.
 Brute force attack tries every single combination possible.
 The number of characters on the passwords makes enormous
difference.
 Simple 4-character password effortless to crack with this
method.
 The amount of time, it takes to crack a password grows
exponentially, when characters are added to pass-words.
 Complicated password with 12-characters takes more than 100
million years.
 Dictionary Attack
 Dictionary attack is a method that uses a list of
words.
 These words are commonly used pass-words
by the users.
 If malicious entity has thousands of accounts
the probability of one ac-count having a
password from the most commonly used
passwords is high.
 Social Engineering
 Social engineering attacks happen in one or
more steps.
 A perpetrator first investigates the intended
victim to gather necessary background
information, such as potential points of entry
and weak security protocols, needed to
proceed with the attack.
 Social engineering is a used by malicious
entities in order to get employees’ passwords.
 Dumpster Diving
 Dumpster diving is a method, where malicious
entity looks thought trash in order to find
valuable information such as passwords.
 Most workplaces have a dumpster with a lock,
where employees are able to throw sensitive
paperwork.
 However, employees are often inconsiderable,
and throw their password notes into regular
trash.
 Phishing and Pharming
Phishing
 Phishing is attempt to gain knowledge and sensitive
information by disguising being someone else than
they truly are.
 Victims are redirected to a fake website that looks
genuine.
 When the victim supplies his account and password,
this can be used by the attacker to the target site
 Typically uses fraud emails with clickable links to fake
websites
Pharming
 Pharming is an attempt to redirect a website’s traffic to
another fake site by changing the victim’s DNS settings or
hosts file.
 Malicious site is similar to legitimate site.
 The site is in fact made by entity that wants to steal user’s
login credentials.
 User writes down their credentials thinking that they are
simply signing in.
 After signing in, the site steals the credentials, and reveals
them to malicious user.
 Man–in-the-middle’ attacks.
 A man-in-the-middle attack is exactly what its name implies. In a man-in-the-
middle attack a person positions him- or herself between two other people and
eavesdrops on them.
 The man in- the-middle also needs to be able to pass messages from each of the
people he is between in such a way that they do not know that they are being
eavesdropped on or their data is being retransmitted to their intended recipient.
 Man-in-the-middle attacks are referred to by a number of different names.
 The commonly recognized abbreviation for this kind of attack is MITM attack.
 A MITM attack can also be referred to as bucket-brigade attack, fire-brigade attack,
monkey-in-the-middle attack, session hijacking, TCP hijacking, TCP session
hijacking, and other names.
 These attacks are commonly used to intercept HTTP and HTTPS communications,
e-mail communications, encryption key exchanges, and many other things.
 The examples of Alice, Bob, and Trudy.
 Alice and Bob are regular computer users who are using their e-mail
to communicate with each other.
 Trudy is a malicious computer user who wants Bob and Alice.
 With this in mind, Trudy places a Trojan on Bob’s computer or uses
some other method that acts to relay any packets that originates on
Bob’s computer to Trudy instead of its intended recipient.
 Trudy is then able to read any data sent out from Bob’s computer and
then do several different things to that data before sending it on.
 One, she can send the data on to the intended recipient as it is.
 Two, she can choose not to send the data on at all.
 Third, she can send altered or even entirely different and/or false data
and make it look like it came from Bob.
 With this ability, Trudy can do any number of
things to make Bob’s life especially difficult,
such as sabotage Bob’s relationships, sabotage
his work, or even steal Bob’s personal
information and use it for her own purposes.
 Figure 9-3 illustrates how this can be done with
Bob being the primary victim of Trudy.
 In Figure 9-3, the hacker Trudy has managed to
insert herself between Bob and Alice’s
communications routes.
 From this point, Trudy is able to manipulate the
communications between Bob and Alice in all
the ways described earlier and more.
Two main forms of the MITM exist:
1.The eavesdropping MITM attacks
2.Manipulation MITM attacks.
 The eavesdropping MITM attacks
 Eavesdropping can be done by receiving
radio waves on the wireless network, which
may require sensitive antenna.
 Manipulation MITM attacks.
 Manipulation requires not only having the
ability to receive the victim’s data but then be
able to retransmit the data after changing it.
Preventions of Attacks on network-using
programs
1. Physical Security
2. Restricting Local And Remote Access
3. Passwords
4. Encryption
5. Certificates
6. Authentication
7. Public Key Infrastructure (PKI)
8. Kerberos
 Physical Security
 Physical security is the first area of device security we examine.
 Many people overlook the importance of physical security, but in reality, it is one
of the most important areas of network security.
 The truth of the matter is that if a hacker can get physical access to a computer,
there really is not much that can be done to protect the data stored on that
computer.
 This simple fact makes physical security a topic of utmost importance.
 There are a number of things that can be done to physically secure a computer.
 One thing to do is to make sure that all computers containing important data are
located in a locked location.
 This is especially true of servers.
 Beyond making sure that your servers are in a locked location, you should also
very strictly limit access to the locked location of your servers.
 Restricting Local and Remote Access
 Restricting access simply has to do with limiting who is able to gain entry
into a network or a computer.
 Local access refers to the ability to gain entry into a computer via the LAN.
 Remote access refers to the ability to gain entry into a computer via a WAN
connection.
 The most basic way to secure access to a network, either remotely or locally
is to use usernames and password.
 Depending on if a person is trying to access a computer remotely or locally,
different protocols are used.
 There are also different considerations from an administrative and security
point of view depending on if a person is logging on to a network locally or
remotely.
 Passwords
 Passwords are another way to secure a system against unauthorized
access.
 Passwords are used to verify that the person attempting to access a system
is the person they claim to be.
 There are only a few rules that need to be followed when using passwords.
 First, a password should be complex enough that it cannot be easily
guessed.
 Earlier in this lesson, we discussed methods that accomplish this.
 The second rule is that passwords should be renewed and changed
periodically.
 Forcing a password change periodically protects against the possibility that a
hacker may have compromised a previous password.
 The third rule to follow in regards to passwords is not to use the same
password for everything.
 Encryption
 Encryption is the process by which a mathematical algorithm
is run on a set of data to make it unreadable to someone
who does not know the mathematical algorithm used to
encode it.
 Encryption can be done on data before it is sent out on a
network or on data that is stored on a media of some sort.
 Either way, the process is intended to make the data that
has been encrypted readable only to someone who knows
how the data was encrypted in the first place.
 The reverse of encryption is decryption.
 The data that has been encrypted is called cipher text.
 Forms of encryption
There are two major forms of encryption
1.Private key encryption
2.Public key encryption.
 Private key encryption
 In private key encryption, a person has to have a
copy of the original encryption key in order to
decrypt a cipher text.
 This is the kind of encryption that was used in World
War II where countries had codebooks that were
used to create encrypted messages and to decrypt
encoded messages.
 In this environment, it became a high-priority
espionage goal to steal the enemy’s codebook
without them knowing it.
Figure 9-6 illustrates how private key encryption works.
 Step 1 in the figure takes an e-mail message and
encrypts it on the sending computer using a
stored private key.
 In step 2, the e-mail in an encrypted form is sent
across the network to the destination computer.
 In the final step, the e-mail is decrypted on the
destination computer using a copy of the same
key with which it was encrypted.
 Public key encryption
 With Public key encryption, you still start with a secret
private key.
 However, instead of using the private key to encrypt a
message, you use the private key to generate a public key
(step 1) that is then used to encrypt a message step 2).
 Once the public key is generated and used to encrypt a
message, the public key is sent to the destination computer
 (step 3) either before the encrypted message was sent or
along with the encrypted message (step 4).
 This public key is then used on the destination computer to
decrypt the message that was sent to it (step 5).
 The public key generated by the private key can be
used in one of several ways.
 First, it can be used as a single-use encryption key.
 This means that the key is used only to decrypt the
one message that it was used to encrypt.
 After this, the public key is no longer valid.
 The next two ways that a public key can be used are
related.
 The public key can be used for a set number of
messages before it is made invalid, or revoked.
 Certificates
 Certificates are basically certifications that a public key is valid.
 They are often called public key certificates or digital certificates.
 Generally, a certificate is a digital document that is added to a public key to certify
the origins of the public key and its validity.
 Digital certificates identify the person who is the owner of the public key
(generally referred to as the holder).
 It also contains the actual public key of the holder.
 Finally, the certificate contains information that identifies the issuer of the public
key and digital certificate in question.
 The computer (usually a server) that issued the certificate is referred to as a
certificate authority.
 The data security infrastructure that uses certificates is called the PKI, which
stands for Public Key Infrastructure.
 Authentication
 Before permitting access to the computer or
network being queried, a user or computer is
verified to be who or what they claim to be using
a process called authentication.
 There are many different protocols that are used
for authentication.
 However, they all have one thing in common,
they are designed to verify the identity of the
person or computer seeking access to whatever
is being queried.
Different authentication protocols

1.Multi-factor authentication
2.Two-factor authentication.
3.Single sign-on
 Multi-factor authentication
 Multi-factor authentication is a form of authentication that requires the
user to present more than one proof of who they are before they are
allowed access to whatever it is they are attempting to access.
 If you do have seen the animated movie The Incredibles, you have
seen a humorous example of multi-factor authentication.
 In that movie, to gain access to her lab where she created the
superhero’s suits Edna had to use multi-factor authentication.
 In the movie, Edna had to have a security card, a password, a hand
print, a retina scan, and a voice print recognition.
 The card was something Edna had, the password was something
Edna knew, and the hand print, retina scan, and voice print match
were all something Edna was.
 Two-factor Authentication.
 Two-factor authentication is a special case of
multifactor authentication.
 In two-factor authentication the user attempting
to gain access to
 whatever they are attempting to gain access to
needs two factors that prove they are who they
claim to be.
 The ATM example is in reality a two-factor
authentication system.
 Single sign-on
 Single sign-on is the practice of using a single password, username, or
authentication device such as a smartcard to sign-on to multiple
systems.
 The advantage of a single sign-on system is that the end user does
not have to remember multiple passwords and usernames or possess
multiple authentication devices.
 The disadvantage of the single sign-on system is that if the user
forgets their password and/or username they will not be able to access
the system.
 Even worse, if a single smartcard is being used, should that smartcard
fall into the wrong person’s hands, it can be used to access multiple
systems or locations.
 Public Key Infrastructure (PKI)
 PKI stands for Public Key Infrastructure, which is a set of
people, policies, software, and equipment needed to handle
digital certificates for various applications.
 Some of the main components in this infrastructure are as
follows.
 The end user is the person that wishes to make use of the
PKI to carry out some online activity.
 The registration authority (RA) is used to verify that a
specific public key belongs to a specific end user.
 The certificate authority (CA) is used to issue a digital
certificate to the end user
 Kerberos
 Kerberos is an authentication protocol that is commonly used to
authenticate clients over an unsecured network, most commonly LANs.
 Kerberos is the authentication protocol most commonly used by
Windows-based client/server networks.
 A Kerberos system is composed of an authentication service (AS), a
ticket granting service (TGS), and a network services (NS).
 In the case of a Windows domain network, the AS and the TGS are
usually located on the same computer, which is also a domain
controller.
 Network Services can be found on any server connected to the
domain that provides a service.
 These services can be anything from file services to e-mail services, or
anything in between.
Common attacks on website
software including

1. SQL injection,
2. Cross-Site Scripting (XSS) flaws
 SQL Injection
 SQL injection (SQLi) is a common technique used by
attackers to gain illicit access to databases, steal data, and
perform unwanted operations.
 It works by adding malicious code to a seemingly innocent
database query.
 SQL injection manipulates SQL code by adding special
characters to a user input that change the context of the
query.
 The database expects to process a user input, but instead
starts processing malicious code that advances the
attacker’s goals
 SQL injection can expose customer data, intellectual
property, or give attackers administrative access to a
database, which can have severe consequences.
 SQL injection vulnerabilities are typically the result of
insecure coding practices.
 It is relatively easy to prevent SQL injection if coders
use secure mechanisms for accepting user inputs,
which are available in all modern database systems.
Impact of SQL injection on your applications:
1. Steal credentials—attackers can obtain credentials via SQLi and
then impersonate users and use their privileges.
2. Access databases—attackers can gain access to the sensitive
data in database servers.
3. Alter data—attackers can alter or add new data to the accessed
database.
4. Delete data—attackers can delete database records or drop entire
tables.
5. Lateral movement—attackers can access database servers with
operating system privileges, and use these permissions to access
other sensitive systems.
 SQL Injection Prevention

1. Prepared Statements
2. Stored Procedures
3. Allow-list Input Validation
4. Escaping All User-Supplied Input
 Prepared Statements
 Prepared statements are easy to learn and use, and
eliminate the problem of SQL injection.
 They force you to define SQL code, and pass each parameter
to the query later, making a strong distinction between code
and data.
 Prepared statements are available in all programming
languages.
 Here is an example in Java.
 To be on the safe side, OWASP recommends validating the
input parameter just in case.
 Stored procedures
 Stored procedures are similar to prepared
statements, only the SQL code for the stored
procedure is defined and stored in the
database, rather than in the user’s code.
 In most cases, stored procedures can be as
secure as prepared statements, so you can
decide which one fits better with your
development processes.
 Allow-list Input Validation
 This is another strong measure that can defend
against SQL injection.
 The idea of allow-list validation is that user inputs
are validated against a closed list of known legal
values.
 For example, if a user input is used to select a
database table, you can use code like this to ensure
that it can only match one of several, known table
names:
 Escaping All User-Supplied Input
 Escaping means to add an escape character that instructs
the code to ignore certain control characters, evaluating
them as text and not as code.
 This option is the least secure of the four, and should only
be used as a last resort.
 This is because escaping user input is only effective if the
code escapes all possibilities of control characters, and
attackers come up with numerous creative ways to inject
them.
Cross-Site Scripting (XSS) flaws
 Cross-site scripting (XSS) attack is a code
injection security attack which delivers
malicious, client-side scripts to a user’s
web browser for execution.
 This happens when developers don’t
properly test their code for the possibility
of allowing scripts to be injected.
 The scripts can then be executed without
the site’s original functionality intending
them to be.
 These attacks can lead to your customers being
infected with malware, having their sensitive
information stolen, or even having their
computer be recruited into large botnets.
 If an XSS vulnerability is present on a website,
then an attacker can craft code that executes
when other users open the same website.
 This causes the new users to interact with the
malicious background entity created by the
attacker.
 Once a connection has been initiated, usually
via social-engineering tactics convincing a user
to do something they shouldn’t, the attacker is
Types of Cross-Site Scripting
Attacks
1. Reflected (non-persistent) and
2. Stored (persistent).
 Reflected XSS
 In a reflected XSS attack, the
attacker persuades a victim to click
on a specially crafted link that makes
a request to a vulnerable web server.
 This allows the attacker to run
arbitrary code in the victim’s web
browser.
 In reflected attacks, the attacker
must target each victim individually.
 Stored (Persistent
XSS)
 In a stored attack, the attacker embeds
code in a web page or other data stored
on a vulnerable server.
 The attacker’s code will then run in the
browser of everyone who visits the
compromised web page.
 Because of the potential to exploit
multiple victims with minimal effort,
stored attacks are generally considered to
be more dangerous than reflected
attacks.
How to Prevent Cross-Site
Scripting Attacks
Users should consider the following
measures.
1. Restrict Untrusted JavaScript:
2. Use Built-In Browser Protections:
3. Restrict External Websites from
Requesting Internal Resources:
4. Maintain Good System Hygiene:
 Restrict Untrusted JavaScript:
 Allowing all JavaScript to run opens a user up
to XSS attacks.
 The most effective (but not foolproof) method
for a user to prevent XSS attacks is to allow
JavaScript to run only if it comes from a
domain that the user explicitly trusts.
 Installing a browser plug-in that implements
domain whitelisting, such as No Script for
Firefox, is highly recommended.
 Internet Explorer users can achieve
whitelisting through the configuration of
Use Built-In Browser Protections:
 Some browsers have begun to
incorporate XSS protection
inherently.
 For example, as of version 8,
Internet Explorer includes an XSS
filter as well as a Smart Screen filter
that uses reputation to protect
against malicious websites.
 These extra security measures
 Restrict External Websites from
Requesting Internal Resources:
 Allowing external websites to force a
browser to request internal resources can
allow for an attacker to pivot an attack
onto a vulnerable internal website.
 The No Script plug-in has a feature called
the Application Boundary Enforcer (ABE)
that can be configured to disallow external
websites from requesting internal
resources.
Maintain Good System Hygiene:
 It is important to keep systems and
applications up-to-date with updates and
patches, protected from malware and
securely configured.
 Attacks on users’ privacy
including tracking cookies
and keystroke loggers
Tracking cookies attacks
 A cookie is a small data file that holds
information about the use of a particular Web
site.
 There are two different cookies:
□ Session cookies
Session cookies are temporary cookies that
are valid only for a single Web site session.
□ Persistent cookies
Persistent cookies are stored on a computer
indefinitely so that the site can identify the
 The intended use of a persistent cookie is to record user preferences for
a single Web site so that the site can automatically customize its
appearance or behavior for the user’s future visits.
 In this way, persistent cookies can help Web sites serve their users
more effectively.
 Unfortunately, persistent cookies also can be misused as spyware to
track a user’s Web browsing activities for questionable reasons without
the user’s knowledge or consent.
 For example, a marketing firm could place advertisements on many
Web sites and use a single cookie on a user’s machine to track the
user’s activity on all of those Web sites, creating a
 detailed profile of the user’s behavior.
 Cookies used in this way are known as tracking cookies. Information
collected by tracking cookies is often sold to other parties and used to
target advertisements and other directed content at the user.
 Most spyware detection and removal utilities specifically look for
tracking cookies on systems.
 Keystroke logger attacks
 Keystroke logger OR Key loggers are software programs or hardware
devices that can be loaded onto a computer or plugged into a computer to
record the keystrokes that are typed into the keyboard.
 In the case of a hardware key logger, a device is placed between the
keyboard and the keyboard interface on the computer.
 Key loggers are a tool that can be useful for finding out what an end user
is doing on their computer in order to troubleshoot what they are doing
wrong in a program.
 Hackers can also use key loggers to capture passwords without having to
crack them.
 Some key loggers, especially those of the software variety, can also
capture screen shots of what a person is doing on their computer making
them even more useful for both hackers and network administrators alike.
 Hackers use key loggers in the following way.
 A hacker slips a key logger onto a victim’s computer and sets it to activate
every time the victim starts up their computer.
 The key logger then makes a log of every keystroke the user types on
their computer during the day.
 The hacker later retrieves the log created by the key logger.
 The hacker can do this by either retrieving the actual log or retrieving the
device if it is hardware based.
 Once the log has been retrieved, the hacker sifts through the data
collected to determine any usernames and password the victim used
during the day.
 This tool also allows the hacker to circumvent other security measures
such as any security questions.
 Anything requiring a typed response can be captured by a key logger.
The End……