“AVOIDING VULNERABILITIES IN WEB APPLICATIONS: CROSS SITE SCRIPTING AND SQL INJECTION”
Kenneth Ingham, Ph.D.
Secure Web Application Development
Web applications are essential to everything from embedded systems to e-commerce systems. This class looks at some of the problems common in web applications and shows how attackers target these systems, how easy the vulnerabilities are to exploit, and how to solve these problems. The class contains many examples, both of how systems or code have failed and of how to avoid the problems. The class is approximately half lecture and half demonstrations. The demonstrations show the exploitation of a deliberately vulnerable system (WebGoat from OWASP) to illustrate the ease with which attackers can subvert systems with bugs.
Students attending the class should be programmers or designers of web applications. While the class is language-neutral, knowledge of programming concepts is required. Code examples are drawn from several common languages used for web application development. The examples are explained, so detailed knowledge of any one language is not required. A basic knowledge of SQL and of the Unix/Linux or Windows command line is useful but not required.
Kenneth Ingham recently completed his Ph.D. at the University of New Mexico with a focus on computer security. He has delivered technical short courses at conferences such as USENIX, UniForum, EurOpen (the European UNIX User's Group), and AUUG (the Australian UNIX User's Group). Beyond these, for over 20 years, Kenneth has developed or co-developed and taught classes for industry, including _Secure Programming in C/C++_, _Building Secure Systems_, _Linux OS Security_, and _Web Application Security_.
A CV for Kenneth is online at http://www.i-pi.com/~ingham/cv.html
Course Outline
1. Introduction
1.1. Class logistics
1.2. Typographic conventions
1.3. What the class covers
2. The user controls the client: input validation
2.1. Introduction
2.2. Hidden forms are not hidden
2.3. Never trust other programmers
2.4. Alternate encodings to evade input validation
2.5. Solution: Whitelists
2.6. Solution: Canonicalization
2.7. Solution: Taint tracking
2.8. Demonstrations
3. Cross-site scripting (XSS)
3.1. Overview
3.2. A simple example
3.3. Example XSS attacks
3.4. Locations to place script references
3.5. Ways attackers try to obscure XSS
3.6. XSS is not just for HTML
3.7. XSS solutions
3.8. Cross-site request forgery
3.9. Demonstrations
4. Code injection
4.1. Overview
4.2. SQL injection
4.3. How to avoid it
4.4. Shell code injection
4.5. How to avoid it
5. Summary
6. Demonstrations
Duration: 3.5 to 4 hours