Transcript for:
CMU Jin Cyber Workshop 2024: Web Exploitation and Web Attacks

Hello, so this is the 2024 CMU Jin Cyber Workshop, all about web exploitation and web attacks in general. So within this workshop you're going to learn a little bit about web exploitation: what it is, how it's done, and how we prevent it, and some things we should think about while we're still roaming the internet, and why we should be thinking about it while roaming the internet. So let's get started.

So in order to start with web exploitation, we need to understand what it is. What is a web exploitation? Why should I know what an exploitation should be? So web exploitations can actually be further divided; there actually needs to be further background information in order to understand the full definition. One of the background information we need to know is understanding what a website is. A website is essentially a set of pages that a person can interact with. So let's think back to like google.com or cmu.edu or pf.com and other websites like those. Whenever we think of the very basics of this website, we can think of the coding languages, those things that are actually building the website, putting things on the screen, making things move around, making us go to different pages on the website. And these coding languages are normally HTML, some version of JavaScript, and CSS, and each of them has a basic function to complete for our website.

But even the basic and most basic of websites, it's not enough. Whenever we think of youtube.com, for instance, and we want to upload a video or download a video or play a video or comment and so on and so forth, there's a lot of things that have to go on in the backend that, yes, coding languages like HTML, JavaScript and CSS can help with, but there needs to be more code, and more code means more complexity. And some of this code can be made by us, our developers, our in-house developers, from scratch, obviously. Some of this code actually helps us maintain database systems. This database houses information about the user
like login information, your username or password, your credit card information if you're paying for a streaming service like Netflix or YouTube Premium. Or some websites actually incorporate third-party services in order to make that code work, and that complexity, not in house or not on a separate server, but actually to someone else, because they know how to do it.

So now we understand, okay, so a website can get pretty complicated. We can utilize a lot of different features and we can actually incorporate so many things about a website and make it very complex. But with complexity comes vulnerabilities, or weaknesses within the code, and these weaknesses can come from ourselves, the people that made the code, from the third-party services, from the way we set up our databases and how we interact with them. So all of these can be weaknesses at one point, a weakness within our code.

And web exploitation is that we are going to exploit these vulnerabilities or these weaknesses within our website in order to accomplish usually one of these three things, which is: one, taking control of the application in general; two, take information from the application, like login information for instance; or three, use the application in order to take advantage of other systems on the internet. And all three of them, as I've said, well, now I'm saying, are very bad and we don't want this whatsoever. But knowing helps us understand sort of the security measures that we try to incorporate within our website, and also helps us have more of a realistic understanding of the internet and websites in general.

So now, okay, so we know what web exploitation is. We know, like, the general what happens when there is a web exploitation, what is the outcome of someone doing a web exploitation. But still, like, why do I need to know that? It shouldn't be that important, right? Well, since going on the internet and interacting with websites have become such an integral part of our society, it's not only
us that use these websites for good, or for just general purposes, know that, but also attackers or malicious users actually realize that and also take advantage; they are the ones that usually start doing this web exploitation in order to take advantage of the unrealized amount of trust we have within these websites.

And to give you some perspective and some numbers, essentially, of why this is super important: 26% of breaches, or leaks of critical information, usually are from web application based services. So youtube.com for instance, or your insurance company, or your banking system: 26% of breaches entirely come from web application based ones. So this becomes the second most common attack pattern that we see on the internet, or in general in real life.

Okay, so there's a lot of breaches, a lot of leaks of information. So what? It's only 26%; it should not be big in the grand scheme of things. Well, no. Websites actually have 94 attacks a day. 94. So when we think about it, that's a lot of work that people are doing in order to exploit these websites, in order to achieve a common purpose.

And then, okay, so websites have 94 attacks a day. Well, not all of them work; why should I care? Well, since the internet has become such an integral part of our day-to-day lives, let's think about the websites we interact with: 12.8 million websites are infected with malware. And when I say infected with malware, it's negative in the sense that malware is actually something infectious, something like a disease. It's not really great, it's not really safe for us, for our computers, for the website in general. And usually search engines do a job: one of the search engines' jobs is to make sure that these infected malware websites are actually not viewable to users that are just looking to get a service done or to accomplish a goal within our websites. But there are leaks. It's not 100%
preventable, as we can see here: 88% of these websites that are infected with malware are not blacklisted by our search engines. And that's 12.8 million websites we have here, and 88% of them we are able to still interact with and go on the page and be infected with malware. So that gives some importance to why web exploitation needs to be learned and understood.

So, okay, we understand what web exploitation is. Okay, we understand the gravity of the situation. But what does exploitation mean? What does it violate within our system, within our website? Well, now we can go back to the basics. We think of our CIA triad, our confidentiality, our integrity, our availability, and we add web exploitation on all those three, and web exploitations actually can affect all three of them. It can take away confidentiality: information you wish to not disclose to other parties on the internet, well, attackers that use web exploits can actually get that information. Now integrity, that accuracy, the completeness of that website, to make sure that website only does one thing and one thing only: well, now we can't trust that anymore. These web exploits can actually alter websites and alter the purpose of the website, so now it's not integrity anymore. And that availability: some web attacks that we can do actually limit our access to those services, which is something that, within computer science and within our systems, that triad, we try to maintain these pillars to make sure that when a user goes on a website they can be confident that this CIA triad is held true with our websites. But web exploits sort of do the opposite and take away these pillars.

So I'm going to go into a couple of attacks you can do. This page is basically me saying: don't do these attacks unless you're allowed to do these attacks. Don't go on a random website and try them, because that's not nice, one, and two, that can lead to a lot of very horrible outcomes, which we will not get into. So this is
my warning for you: don't do this at home.

So we're going to go into a couple of attacks, a couple of web exploits that we can actually do, that are actually very common practice, that attackers do do, or malicious people do do, on the internet. One of these attacks is called an IDOR attack, which is the insecure direct object reference. So a lot of fancy terms I'm about to say here, but essentially what happens is that this web exploit is actually modifying or accessing URLs, or parameters within our URLs, in order to access a page or information that they're not originally supposed to.

So what does it mean that they're accessing information or a page that they're not supposed to? Well, it means a couple things. One, the website doesn't have correctly implemented access control checks. Basically, these checks are the website thinking to itself, "Hm, is this user allowed to do this? Are they allowed to access this information?" And if the user is not allowed to do this but still is able to do this, that means that these checks are either not implemented within the website, it doesn't exist, or it does exist within the website but doesn't do what it's supposed to do. So this is either misconfiguration or misimplementation.

So an example of this, as you can see on the right of the slideshow, is we have a website called example.org, and we see within the URL that they have a way to load your homepage, your user homepage, which is backslash users backslash an ID. So what if I change the ID from one to three, which could be another user, to 124? Does that allow me to actually access the homepage of another user? And if it does, well, now that's a little concerning, because I'm not that user anymore, and now I'm ruining that confidentiality: that information that one homepage has for that certain user can now be viewable to another person. And some ways that we can prevent this IDOR attack is usually incorporating that access control, or making
sure that access control actually works.

Another attack or web exploit we can do are called injection attacks, and this is a very large, large, large attack. When I say injection attacks, we can get more specific, as you can see here, into what kind of injection we're doing. Is it to a specific element on the web page, like a username, password? Is it to a certain protocol that that website uses? And by protocol I mean interactions that the website has to do with the user. Can we take advantage of it, these, like, required interactions, in order to do an injection attack?

So to define injection attacks, we can think of it like this. Our body: the largest organ on our body is our skin, and our skin is supposed to help protect us against the outdoor elements. And the injection attack is essentially taking a needle and injecting all of the badness from the outdoor elements directly into our body. And inside, our body is very soft and very vulnerable, has so many weaknesses, to diseases for instance, that if we take just a random disease that usually we can counteract because of our skin from the outside, and we just inject it in, well, there you go, you have the disease now. And this would be an example of, like, a figurative injection attack.

So essentially what we're doing is we're injecting or putting in untrusted or malicious input from a user, that can be filled out in a form or in a login page, without any validation. We're not making sure that the information that the users are putting in can be trustworthy; we're just automatically trusting it, which is not really bra.

So let's go a little more in depth about injection attacks. So again, we're injecting information within this website. We're actually taking advantage of a couple things about this website. We're taking advantage of the coding language of this website, that HTML, that JavaScript, that CSS, and other coding languages or other third-party services or other network protocols. We're
taking advantage of them and actually trying to inject something malicious, something bad, into the website, and these coding languages and network protocols wouldn't reject it.

And a good example of this is called an SQL injection. So we're gonna ignore what it means; I will explain it very simply. Take for instance when you want to log in to a website: you're usually encountering a login page, which is basically a field that says username and a field that says password. These SQL injection attacks actually are going to inject something malicious within the username or a password in order to recover login information, for instance, or information that's usually stored within databases. So this could be not only login information but credit card information, Social Security numbers, things like that. We are trying to trick the website, trick the protocol of the website, into thinking that what we're inputting is what a user should be inputting, but in actuality we're taking information from this website and inputting our own. So that's essentially it.

Another specific injection attack that I wanted to talk about is called cross-site scripting, or XSS if you want the abbreviated version. This is again another injection attack; however, this is a little different. Instead of trying to take information, like the SQL injection is doing, trying to take information from databases in order to read it, now we're adding information to the website. We're tricking the website into thinking, "Oh, I need to add more code to the website." And by adding more code, these attackers, these malicious users, are actually laying a trap for other users that don't really know what's going on to step on and to trigger. And these triggering mechanisms can be as simple as just going onto the website and as complicated as clicking onto something on the website. And what happens by laying this trap: these attackers or these malicious users are able to take information from the unbeknown user that just wanted
something to get done with the internet, with this website. They could take information from them but also force these users to get information, so making something be downloaded onto your computer, make something actually altered on your computer, and so on and so forth. And that's basically the basic overview of cross-site scripting, another version of an injection attack.

Another thing, another web exploit or vulnerability we should think about, is browser extensions, which is something that a lot of us use day to day. I have the extension for Grammarly to make sure that whenever I send an email everything is great (not sponsored or anything), and other people actually download or attach browser extensions to their browser in order to have a third-party service to elevate the already pre-existing browser in order for it to do something extra. Well, sometimes developers of these third-party services, they don't know about web exploitation. They don't understand that there are attackers in the world that would take advantage of their non-secure, unsecure code or unsecured browser extension and add something on top of it in order to do something extra that's not usually fair. And sometimes developers are the malicious person, and they do release browser extensions hoping that an unbeknown user would attach this service, but instead the malicious developer or the malicious attacker can do something extra.

And to give you some context or some reasoning as to why I'm mentioning browser extensions: there was a research conducted where, out of the 300,000 Chrome extensions (so not even Edge extensions or even Firefox extensions, so on and so forth; we're thinking of just Google Chrome), out of the 300,000 that they were looking at, they found that 51 1% were of high risk, meaning that this extension had more access control or more authorization or more capabilities on your browser or computer than what
is needed or acceptable. Also, they found a part of the high risk is actually these extensions having malicious intent, trying to do something other than providing that service, which obviously is not what any user or anybody that goes on the internet wants.

So what are we talking about, more access control, more malicious intent? What are we talking about specifically? Well, again, it's taking information, like your login information, like your credit card information, and taking that information either to keep or sell, or giving you more information than what is needed and what you wanted. So now, like, I would have asked this in person and been like, "Well, what do you use?" But let's take a moment, pause the video and think about it. What kind of extensions do you use? Are these trustworthy extensions? Do you know how to recognize a trustworthy extension? And so on and so forth. This is very important to ask ourselves, especially while browsing the internet.

Another type of attack that we need to think of is called a denial of service attack, or a distributed denial of service attack, which is an elevated version of denial of service. But what does it mean that we're doing a denial of service attack? Well, let's think about it. The attack name is a denial of service: we're denying service. We are trying to overwhelm the machine hosting the website, or hosting parts of the website, to the point that it cannot perform its necessary functions, which could be just as simple as host the website and give everyone access to this website. It's denying that function.

So how do we overwhelm this website, get to the point that the machine or the hosting of the website is actually unable to do this? Well, usually it's done through sending so much traffic to the website that the website or the hosting site can't even perform anymore. It's like: I already have so many people in line, I can't also take over not only people in line
but also another cash register, for example. You have one road, one set of traffic that you can deal with; you can't do more traffic. And a good example is the photo right there, where you see the red is our malicious extra traffic, that they don't care whether or not that traffic gets served, but now it prevents the blue traffic, the good traffic, from actually accessing the website. There's a blockade in order to do something.

And of course this is a very, very, very minimal subset of many exploits that can happen on the web. There can be so many more that can happen, and I haven't even gone over every one of them. And you can learn a little more by going to websites like OWASP or the Burp Suite website; there's so many resources out there that you can learn so many more. So I'll leave you to that, and we'll go to the second part of this video, which talks about how to recognize attacks and how to recognize and prevent web exploits. So thank you.
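
Added example, not part of the workshop transcript: a minimal Python sketch of the `/users/ID` case the speaker describes, showing a handler that trusts the ID in the URL next to one that checks it against the logged-in session. The user data, session tokens and function names are constructed for illustration.

```python
import re

# Constructed sample data: user id -> private homepage content.
HOMEPAGES = {
    1: "alice: saved cards, order history",
    3: "bob: saved cards, order history",
    124: "carol: saved cards, order history",
}
# Constructed session store: session token -> authenticated user id.
SESSIONS = {"token-alice": 1, "token-carol": 124}

USER_PATH = re.compile(r"^/users/([0-9]+)$")


def handle_vulnerable(path, session_token):
    """Return (status, body). Trusts the id in the URL: the IDOR weakness."""
    match = USER_PATH.match(path)
    if not match:
        return 404, "not found"
    if session_token not in SESSIONS:
        return 401, "login required"
    requested_id = int(match.group(1))
    # The user is logged in, but nothing checks that requested_id is theirs.
    body = HOMEPAGES.get(requested_id)
    return (200, body) if body is not None else (404, "not found")


def handle_hardened(path, session_token):
    """Same route, but the requested object is authorized against the session."""
    match = USER_PATH.match(path)
    if not match:
        return 404, "not found"
    current_user = SESSIONS.get(session_token)
    if current_user is None:
        return 401, "login required"
    requested_id = int(match.group(1))
    # Access control check: is this user allowed to read this object?
    # "Not yours" and "does not exist" both answer 404, so the response
    # does not reveal which ids are valid.
    if requested_id != current_user or requested_id not in HOMEPAGES:
        return 404, "not found"
    return 200, HOMEPAGES[requested_id]


def audit(handler, session_token, ids):
    """Return the ids this session can read; any id besides its own is a finding."""
    return [i for i in ids if handler(f"/users/{i}", session_token)[0] == 200]


if __name__ == "__main__":
    print("vulnerable:", audit(handle_vulnerable, "token-alice", [1, 3, 124]))
    print("hardened:  ", audit(handle_hardened, "token-alice", [1, 3, 124]))
```

The `audit` helper doubles as a regression test for your own application: run it with a low-privilege test account and fail the build if it can read any ID other than its own.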