Web Security - PowerPoint PPT Presentation


Transcript and Presenter's Notes

Title: Web Security


1
CSC 382/582 Computer Security
  • Web Security

2
Topics
  • HTTP
  • Web Input
  • Canonicalization
  • Authentication
  • SQL Injection
  • Cross-Site Scripting
  • Client-side Attacks
  • Finding Web Vulnerabilities

3
Web Transactions
(Diagram: the Web Browser sends an HTTP Request across the Network to the Web Server, which runs on top of the OS and returns an HTTP Response.)
4
HTTP HyperText Transfer Protocol
  • Simple request/response protocol
  • Request methods: GET, POST, HEAD, etc.
  • Protocol versions: 1.0, 1.1
  • Stateless
  • Each request is independent of previous requests,
    i.e. request 2 doesn't know you authenticated in request 1.
  • Applications are responsible for handling state.

5
HTTP Request
  • Request line (Method, URL, Protocol Version), then Headers, then a blank line
  • GET http://www.google.com/ HTTP/1.1
  • Host: www.google.com
  • User-Agent: Mozilla/5.0 (Windows NT 5.1)
    Gecko/20060909 Firefox/1.5.0.7
  • Accept: text/html, image/png, */*
  • Accept-Language: en-us,en;q=0.5
  • Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
  • The blank line ends the headers; no data (body) follows for the GET method.
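As an added example (not part of the original slides), the request format above parsed into its parts: request line, header block, blank line, optional body. SAMPLE_REQUEST is constructed for this example and its cookie values are made up; the function names are this example's own.

```python
# Added example, not from the original slides: a minimal parser for the request
# format shown above (request line, header lines, blank line, optional body).
# SAMPLE_REQUEST is constructed for this example; the cookie values are made up.


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into method, target, version, headers and body.

    Header names are lower-cased (they are case-insensitive) and repeated
    headers are collected in a list rather than silently overwritten.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        # A field name must be non-empty with no whitespace before the colon.
        if not colon or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.lower(), []).append(value.strip())
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def parse_cookie_header(value: str) -> dict:
    """Parse 'a=1; b=2' into a dict; only the first '=' splits name from value."""
    cookies = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            cookies[name.strip()] = val.strip()
    return cookies


# Constructed sample modelled on the request shown on the slide.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.google.com\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7\r\n"
    b"Accept: text/html, image/png, */*\r\n"
    b"Accept-Language: en-us,en;q=0.5\r\n"
    b"Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["version"])
    print(parse_cookie_header(req["headers"]["cookie"][0]))
```

Everything the server later trusts (method, path, cookie names and values) comes out of this step, which is why each of the later slides treats those fields as attacker-controlled input.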
6
HTTP Response
  • Status line (Protocol Version, HTTP Response Code), then Headers, then a blank line, then Web Page Data
  • HTTP/1.1 200 OK
  • Cache-Control: private
  • Content-Type: text/html
  • Server: GWS/2.1
  • Date: Fri, 13 Oct 2006 03:16:30 GMT
  • (blank line)
  • <HTML> ... (page data) ... </HTML>
7
Different Perspectives
  • Client Side
  • HTTP requests may reveal private info.
  • HTTP responses may reveal private info.
  • HTTP responses may include malicious code (Java,
    ActiveX, Javascript)
  • Server Side
  • HTTP requests may contain malicious input.
  • HTTP requests may have forged authentication.
  • HTTP responses may be intercepted.

8
Web-based Input
  • Client and Server Perspectives
  • Types of Input
  • URL parameters
  • HTML
  • Cookies
  • Javascript
  • Cross-Site Scripting

9
URL Format
  • <proto>://<user>@<host>:<port>/<path>?<qstr>
  • Whitespace marks end of URL
  • @ separates userinfo from host
  • ? marks beginning of query string
  • & separates query parameters
  • %HH represents the character with hex value HH
  • ex: %20 represents a space

http://username:password@www.auth.com:8001/a%20spaced%20path
10
URL Parameters
  • Client controls query-string
  • Cannot limit values to those specified in form
  • Any character can be URL-encoded
  • Even if it doesn't need to be.
  • Any valid format may be used to disguise true
    destination of URL

11
URL Obfuscation
  • IP address representations
  • Dotted quad (decimal, octal, hexadecimal)
  • Hexadecimal without dots (with left padding)
  • dword (32-bit int)
  • Examples: www.eecs.utoledo.edu
  • 131.183.19.14 (dotted quad)
  • 0xDEDA83B7130E (hexadecimal, left-padded)
  • 2209813262 (dword)
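As an added example (not part of the original slides), the spellings listed above generated from a dotted quad and decoded back to the canonical address, so a URL filter compares hosts by value rather than by spelling. 131.183.19.14 is the slide's own address; the function names are this example's. The left-padded hex form is accepted the way browsers of the time accepted it (low 32 bits kept); current browsers reject it.

```python
# Added example, not from the original slides: encode a dotted quad in the
# alternative spellings listed above and decode any of them back to the
# canonical form.  131.183.19.14 is the slide's address; the function names
# are this example's.  Padded hex (extra high-order bytes) is accepted here
# as the browsers of the time accepted it; current browsers reject it.
import ipaddress


def _parse_component(s: str) -> int:
    """inet_aton rules for one component: 0x prefix = hex, leading 0 = octal."""
    if s.lower().startswith("0x"):
        return int(s[2:], 16)
    if len(s) > 1 and s.startswith("0"):
        return int(s, 8)
    return int(s, 10)


def decode_ipv4_host(host: str) -> str:
    """Canonical dotted quad for a decimal/octal/hex quad, a dword, or a bare
    hex number; raises ValueError for anything else."""
    parts = host.split(".")
    if len(parts) == 1:
        # dword or dotless hex; keep the low 32 bits so left padding is ignored
        value = _parse_component(parts[0]) & 0xFFFFFFFF
    elif len(parts) == 4:
        octets = [_parse_component(p) for p in parts]
        if any(not 0 <= o <= 255 for o in octets):
            raise ValueError(f"octet out of range in {host!r}")
        value = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    else:
        raise ValueError(f"unsupported numeric host form: {host!r}")
    return str(ipaddress.IPv4Address(value))


def obfuscated_forms(dotted: str) -> dict:
    """The spellings from the slide for one address."""
    n = int(ipaddress.IPv4Address(dotted))
    octets = [(n >> shift) & 0xFF for shift in (24, 16, 8, 0)]
    return {
        "octal quad": ".".join("0%o" % o for o in octets),
        "hex quad": ".".join("0x%02X" % o for o in octets),
        "hex": "0x%08X" % n,
        "dword": str(n),
    }


if __name__ == "__main__":
    for label, form in obfuscated_forms("131.183.19.14").items():
        print(f"{label:11} {form:22} -> {decode_ipv4_host(form)}")
```

A filter that compares the host string against a list of known-bad hosts is only as good as its canonicalisation step; compare the decoded address, not the spelling the attacker chose.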

12
HTML Special Characters
  • < begins a tag
  • > ends a tag
  • a missing > is tolerated: some browsers close the tag themselves
  • & begins a character entity
  • ex: &lt; represents a literal < character
  • Quotes (" and ') are used to enclose attribute values

13
Character Set Encoding
  • Default ISO-8859-1 (Latin-1)
  • Char sets dictate which chars are special
  • UTF-8 allows multiple representations
  • Force Latin-1 encoding of a web page with
  • <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

14
Hidden Fields
  • <input type="hidden" name="user" value="james">
  • Used to propagate data between HTTP requests
    since protocol is stateless
  • Clearly visible in HTML source
  • Form can be copied, modified to change hidden
    fields, then used to invoke script

15
Cookies
  • Parameters
  • Name
  • Value
  • Expiration Date
  • Domain
  • Path
  • Secure Connections Only

16
Cookies
  • Server to Client
  • Content-type: text/html
  • Set-Cookie: foo=bar; path=/; expires=Fri,
    20-Feb-2004 23:59:00 GMT
  • Client to Server
  • Content-type: text/html
  • Cookie: foo=bar

17
Javascript Input Validation
  • User-friendly
  • convenient, immediate feedback
  • Not secure
  • Client can turn off Javascript
  • Client may not use your form
  • User input may be altered between browser and server.

18
SSL
  • Secure Sockets Layer (SSL)
  • Standard for HTTP encryption.
  • New version Transport Layer Security (TLS)
  • SSL Phases
  • Cipher negotiation
  • Public-key authentication & key exchange
  • Symmetric encryption of traffic
  • Authentication
  • Both client and server can use digital
    certificates

19
Web Input Summary
  • Client Side
  • URLs may not lead where they seem to.
  • Cookies can be used to track your browsing.
  • Pages may include malicious code (Java, ActiveX,
    Javascript)
  • Server Side
  • Cookies aren't confidential.
  • Hidden fields aren't secret.
  • Client may use own forms.
  • URLs can have any format.
  • POST data can have any format.
  • Cookies can have any format.

20
Win/Apache Directory Traversal
  • Apache 2.0.39 and earlier (on Windows)
  • To view the file winnt\win.ini:
    http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
  • which is the escaped form of
  • http://127.0.0.1/error/\..\..\..\..\winnt\win.ini

21
Naïve Solution to Name Issues
  • Remove or check for known insecure elements in
    the original pathname, i.e.
  • ".."
  • "/cgi-bin" or other protected directories
  • ".exe" or other special filename extensions
  • Trailing "." or "\"
  • URI-escaped characters (%HH)

22
IIS Directory Traversal
  • MS Internet Information Server 4 & 5
  • Execute shell command:
    http://127.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe
    where %c0%af is a 2-byte (overlong) UTF-8 encoding of "/"
  • Problem: Too many ways to encode paths.

23
Canonicalization
  • Resolve all names to canonical name using
    operating system functions.
  • Use standard OS function where available.
  • Do access control using canonical name.
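As an added example (not part of the original slides), the component-wise ".." check on the raw request path that made the IIS request on slide 22 work, beside the canonicalise-then-decide approach slide 23 recommends, both run against the encoded traversal requests from slides 20 and 22. The document root, the function names, the legitimate request and the small lenient UTF-8 decoder (written here to imitate the overlong-sequence behaviour the slide describes) are this example's assumptions.

```python
# Added example, not from the original slides: the "check the raw path"
# mistake beside the canonicalise-then-decide approach of slide 23, run on
# the two encoded traversal requests from slides 20 and 22.  The document
# root, function names and the legitimate request are this example's.
import os
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

DOCROOT = os.path.realpath("/var/www/html")   # assumed document root

# The two request paths shown on slides 20 and 22.
APACHE_TRAVERSAL = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini"
IIS_TRAVERSAL = "/scripts/..%c0%af../winnt/system32/cmd.exe"


def naive_is_safe(url_path: str) -> bool:
    """Reject any path component that is exactly '..' in the raw request path.
    Nothing is decoded first, so '%2e%2e' and '..%c0%af..' are not seen as
    traversal components."""
    return ".." not in re.split(r"[/\\]", url_path)


def lenient_utf8(data: bytes) -> str:
    """Decode UTF-8 the way the IIS 4/5 decoder on slide 22 did: a 2-byte
    sequence is accepted even when it is an overlong encoding of an ASCII
    character, so %c0%af becomes '/'.  Only ASCII and 2-byte forms are
    handled, which is enough for the requests in this example."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and 0x80 <= data[i + 1] < 0xC0:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            raise ValueError(f"byte {b:#x} at offset {i} not handled by this decoder")
    return "".join(out)


def decoded_view(url_path: str) -> str:
    """What the lenient decoder makes of a percent-encoded path."""
    return lenient_utf8(unquote_to_bytes(url_path))


def resolve_under_docroot(url_path: str, decoder=bytes.decode) -> Optional[str]:
    """Canonicalise first, then decide: percent-decode, decode the bytes
    (strict UTF-8 by default, which rejects the overlong %c0%af outright),
    treat '\\' as a separator, let the OS resolve '..', and accept the result
    only if it is still inside DOCROOT."""
    try:
        decoded = decoder(unquote_to_bytes(url_path))
    except (UnicodeDecodeError, ValueError):
        return None
    if "\x00" in decoded:            # a NUL would truncate the name in a C API
        return None
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(DOCROOT, decoded.lstrip("/")))
    if candidate != DOCROOT and not candidate.startswith(DOCROOT + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for req in (APACHE_TRAVERSAL, IIS_TRAVERSAL, "/docs/a%20spaced%20path/index.html"):
        print(req)
        print("  naive says safe:", naive_is_safe(req))
        print("  canonical path: ", resolve_under_docroot(req))
```

Passing lenient_utf8 as the decoder shows the second line of defence: even when the overlong sequence is decoded to "/", the resolved path leaves DOCROOT and is refused, because the access decision is made on the canonical name rather than on the request string.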

24
Web Authentication
  • Initial authentication by password.
  • How does web app remember authentication?
  • Cookies
  • Hidden form fields
  • URL paths
  • Problem: client can tamper with all three.

25
Secure Web Authentication
  • Encrypt and MAC auth data
  • User cannot read data to learn how to tamper.
  • MAC with secret key deters tampering attempts.
  • What about replay attacks?
  • Include expiration time inside cookie.
  • Include client IP address.
  • Use dynamic session IDs, different on each page.
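As an added example (not part of the original slides), a session cookie that carries its own expiry and the client address and is protected by an HMAC, as the slide proposes. Encryption of the payload is left out because the standard library has no authenticated cipher; the MAC is the part that defeats tampering. SERVER_KEY, the field names and the sample users and addresses are this example's assumptions.

```python
# Added example, not from the original slides: an expiring, address-bound
# session cookie protected by HMAC-SHA256.  Payload encryption is omitted
# (no authenticated cipher in the standard library).  SERVER_KEY, the field
# names and the sample users/addresses are this example's assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user: str, client_ip: str, ttl: int, now=None, key=SERVER_KEY) -> str:
    """payload.tag, where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"u": user, "ip": client_ip, "exp": now + ttl},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(cookie: str, client_ip: str, now=None, key=SERVER_KEY):
    """Return the user name if the cookie is authentic, unexpired and presented
    from the address it was issued to; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = cookie.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    data = json.loads(payload)
    if data["exp"] <= now:                        # replay after expiry
        return None
    if data["ip"] != client_ip:                   # replay from another host
        return None
    return data["u"]


def forge_user(cookie: str, new_user: str) -> str:
    """What an attacker who can read the payload tries: swap the user name and
    keep the original tag.  The MAC check in verify_cookie rejects it."""
    p64, t64 = cookie.split(".")
    data = json.loads(_unb64(p64))
    data["u"] = new_user
    return _b64(json.dumps(data, separators=(",", ":")).encode()) + "." + t64


if __name__ == "__main__":
    c = issue_cookie("james", "10.0.0.5", ttl=600)
    print(c)
    print(verify_cookie(c, "10.0.0.5"))                         # james
    print(verify_cookie(forge_user(c, "admin"), "10.0.0.5"))    # None
```

Binding to the client address is the slide's suggestion and it does stop a stolen cookie being replayed from elsewhere, but it also breaks sessions for users whose address changes mid-session (mobile networks, some proxies); the expiry check has no such cost.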

27
SQL Injection
    use DBI;
    $dbh = DBI->connect($conn, $dbusername, $dbpassword)
        or die "Database connection failed.\n";
    $sql = "SELECT count(*) from users where username = '$username'
            and password = '$password'";
    $sth = $dbh->prepare($sql) or die "Prepare failed.\n";
    $sth->execute() or die "Execute failed.\n";
  • What if the user gives SQL code as name or password?

28
SQL Injection Attack 1
  • Unauthorized Access Attempt
  • password: ' or 1=1 --
  • SQL statement becomes:
  • select count(*) from users where username = 'user'
    and password = '' or 1=1 --'
  • Checks if password is empty OR 1=1, which is
    always true, permitting access.

29
SQL Injection Attack 2
  • Database Modification Attack
  • password: foo'; delete from users where username like '%
  • Database executes two SQL statements:
  • select count(*) from users where username = 'user'
    and password = 'foo';
  • delete from users where username like '%'

30
Beyond the Database
  • ODBC (Jet) allows shell injection via
  • shell("cmd /c echo " & chr(124) & " format c:")
  • MS SQL Server Extended Stored Procs
  • Shell exec: master..xp_cmdshell 'format c:'
  • Create new DB accounts: xp_grantlogin
  • Read any file: bulk insert foo from 'c:\d.txt'

31
The Problem: String Building
  • Building a SQL command string with user input,
    in any language, is dangerous:
  • Variable interpolation.
  • String concatenation with variables.
  • String format functions like sprintf().
  • String templating with variable replacement.

32
Bad Solution: Blacklist
  • Attempted solution: blacklist SQL
    metacharacters, especially single quotes.
  • Problems:
  • Numeric parameters don't use quotes.
  • Database-escaped quotes: \'
  • URL-escaped metacharacters.
  • Unicode-encoded metacharacters.
  • Did you miss any metacharacters?
  • 2nd-order SQL injection (stored data used later in a query).

33
Numeric Parameters
  • Solution: Escape single quotes
  • Problem 1: What if you use stored user data (2nd-order injection)?
  • Problem 2: Numeric parameters need no quotes at all.
  • Q: select count(*) from users where uid=$uid
  • User enters uid: 1 or 1=1
  • Query becomes:
  • select count(*) from users where uid=1 or 1=1
  • Once again, this query is always true.

34
Solution: Prepared Queries
    use DBI;
    $dbh = DBI->connect($conn(), $db_username, $db_password)
        or die "Database connection failed.\n";
    $sql = "SELECT count(*) from users where username = ?
            and password = ?";
    $sth = $dbh->prepare($sql) or die "Prepare failed.\n";
    $sth->bind_param(1, $username);
    $sth->bind_param(2, $password);
    $sth->execute() or die "Execute failed.\n";
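As an added example (not part of the original slides), the string-built query of slide 27 and the numeric query of slide 33 beside their parameterised forms from this slide, run against an in-memory database. Python's sqlite3 stands in for Perl DBI; the table, its two constructed rows and the function names are this example's assumptions.

```python
# Added example, not from the original slides: string-built queries from
# slides 27 and 33 beside parameterised ones, run on an in-memory SQLite
# database.  The users table, its rows and the function names are this
# example's assumptions.
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows (not real credentials)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "james", "s3cret"), (2, "alice", "hunter2")])
    return db


def login_string_built(db, username: str, password: str) -> int:
    """Slide 27's pattern: the user's input is interpolated into the SQL text."""
    sql = (f"SELECT count(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone()[0]


def lookup_uid_string_built(db, uid: str) -> int:
    """Slide 33: a numeric parameter needs no quotes, so escaping quotes cannot help."""
    sql = f"SELECT count(*) FROM users WHERE uid = {uid}"
    return db.execute(sql).fetchone()[0]


def login_prepared(db, username: str, password: str) -> int:
    """This slide's fix: placeholders; the driver passes the values separately
    from the SQL, so they are compared as data and never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0]


def lookup_uid_prepared(db, uid) -> int:
    return db.execute("SELECT count(*) FROM users WHERE uid = ?", (uid,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    attack = "' or 1=1 --"
    print("string-built login with injected password:", login_string_built(db, "james", attack))
    print("prepared login with the same input:       ", login_prepared(db, "james", attack))
    print("string-built uid lookup, uid='1 or 1=1':   ", lookup_uid_string_built(db, "1 or 1=1"))
    print("prepared uid lookup with the same input:  ", lookup_uid_prepared(db, "1 or 1=1"))
```

A count greater than the single matching row means the WHERE clause was rewritten by the input. sqlite3's execute() refuses a second statement in one call, so the stacked "delete" of slide 29 cannot be reproduced with it; drivers that pass the string through unchanged do run it.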

35
Cross-Site Scripting (XSS)
  • #1 vulnerability in 2005 (16%), 2006 (21.5%)
  • Attacker causes a legitimate web server to send the
    user executable content (Javascript, Flash
    ActionScript) of the attacker's choosing.
  • Typical Goal: obtain user auth cookies for
  • Bank site (transfer money to attacker)
  • Shopping site (buy goods for attacker)
  • E-mail

36
XSS Attacks
  • MySpace worm (October 2005)
  • When someone viewed Samy's profile:
  • Set him as friend of viewer.
  • Incorporated code in viewers profile.
  • Paypal (2006)
  • XSS redirect used to steal money from Paypal
    users in a phishing scam.
  • BBC, CBS (2006)
  • By following XSS link from securitylab.ru, you
    could read an apparently valid story on the BBC
    or CBS site claiming that Bush appointed a 9-year
    old as head of the Information Security
    department.

37
Stored vs Reflected XSS
  • Stored XSS
  • Injected script stored in comment, message, etc.
  • Requires ability to insert malicious code into
    web documents (comments, reviews, etc.)
  • Persistent until message deleted.
  • Reflected XSS
  • Injected script returned by one-time message.
  • Requires tricking user to click on link.
  • Non-persistent. Only works when user clicks.

38
Why does XSS Work?
  • Same-Origin Policy
  • Browser only allows Javascript from site X to
    access cookies and other data from site X.
  • Attacker needs to make attack come from site X.
  • Vulnerable Server Program
  • Any program that returns user input without
    filtering out dangerous code.

39
Anatomy of an XSS Attack
(Diagram with User, Web Server, Attacker and Evil Site: 1. Login; 2. Cookie; 3. XSS Attack; 4. User clicks on XSS link; 5. XSS URL; 6. Page with injected code; 7. Browser runs injected code, Evil Site saves cookie; 8. Attacker uses stolen cookie to hijack user session.)
40
Anatomy of an XSS Attack
  • User logs into legitimate site.
  • Site sends user authentication cookie.
  • Attacker sends user XSS attack containing
    injected code.
  • User clicks on XSS link in email, web, IM.
  • Browser contacts vulnerable URL at legitimate
    site, sending the user's cookie with the request.
  • Legitimate site returns injected code in web
    page.
  • Browser runs injected code, which accesses evil
    site with cookie in URL.
  • Evil site records user cookie.
  • Attacker uses cookie to authenticate to
    legitimate site as user.

41
XSS URL Examples
  • http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
  • http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert('Test')</script>
  • http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
  • http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

42
Preventing XSS
  • Client: Disable scripting
  • Use NoScript to permit only some sites to use scripts.
  • Server: Disallow HTML input
  • Reject any input with HTML
  • Replace HTML special characters
  • ex: replace < with &lt; and > with &gt;
  • also replace (, ), #, and &
  • Server: Allow only safe HTML tags
  • Escape all HTML tags except whitelisted ones
  • Server: tagged cookies
  • Include IP address in cookie and only allow
    access from the original IP address that the cookie was
    created for.
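As an added example (not part of the original slides), output encoding with the replacement list from this slide, checked by parsing the rendered page and listing the tags a browser would create. The page template, the function names and the payload (the one reflected in the XSS URL examples on slide 41) are this example's assumptions.

```python
# Added example, not from the original slides: output encoding with the
# replacement list from slide 42, checked by parsing the rendered page.
# The page template, function names and the payload are this example's.
from html.parser import HTMLParser

# The replacements the slide lists: the HTML metacharacters plus ( ) and #.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
           "(": "&#40;", ")": "&#41;", "#": "&#35;"}


def escape_for_html(text: str) -> str:
    """Character-by-character replacement; '&' is in the table so entities
    the attacker supplies are neutralised as well."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def render_unsafe(query: str) -> str:
    """Reflects the query into body text and an attribute value verbatim."""
    return (f"<p>Results for: {query}</p>\n"
            f'<input type="text" name="q" value="{query}">')


def render_safe(query: str) -> str:
    """Same page, with the query encoded before it is placed in the markup."""
    q = escape_for_html(query)
    return (f"<p>Results for: {q}</p>\n"
            f'<input type="text" name="q" value="{q}">')


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def tags_in(markup: str) -> list:
    """(tag, attributes) for every start tag a browser would create."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


# The reflected payload from the slide 41 examples (constructed here).
PAYLOAD = '"><script>alert(document.cookie)</script>'

if __name__ == "__main__":
    print([t for t, _ in tags_in(render_unsafe(PAYLOAD))])   # a script tag appears
    print([t for t, _ in tags_in(render_safe(PAYLOAD))])     # only p and input
```

The parse result is the useful check: in the safe rendering the payload survives intact as the attribute's value, which is what the page wanted, and no tag the template did not write appears.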

43
Client-side Attacks
  • Buffer Overflow
  • 2004 iframe
  • 2004-05 jpeg
  • Remote Code
  • ActiveX
  • Flash
  • Java
  • Javascript

44
ActiveX
  • Executable code downloaded from server
  • Activated by HTML object tag.
  • Native code binary format.
  • Security model
  • Digital signature authentication
  • Zone-based access control
  • No control once execution starts

45
Java
  • Digital signature authentication
  • Sandbox
  • Sandbox Limits
  • Cannot read/write files.
  • Cannot start programs.
  • Network access limited to originating host.
  • Sandbox Components
  • Byte-code verifier
  • Class loader
  • Security manager

46
Client Protection
  • Disable ActiveX and Java.
  • Run browser with least privilege.
  • Use a browser sandbox
  • VMWare Virtual Browser Appliance
  • Protected Mode IE (Windows Vista)
  • Go to sites directly instead of following links.
  • Use plain text e-mail instead of HTML.
  • Patch your browser regularly.
  • Use a personal firewall.

47
Web Reconnaissance
  • Google Hacking
  • "Index of" passwd
  • "Index of" password.txt
  • filetype:htaccess user
  • allinurl:_vti_bin shtml.exe
  • Web Crawling
  • wget --mirror http://www.w3.org/ -o /mirror/w3

Santy Worm used Google to find vulnerable servers.
48
Proxies and Vulnerability Scanners
  • Achilles
  • OWASP Web Scarab
  • Paros Proxy
  • SPI Dynamics WebInspect
  • Edit Web Data
  • URL
  • Cookies
  • Form Data

(Diagram: Web Browser <-> Web Proxy <-> Web Server; the proxy sits between browser and server and edits the data passing through.)
49
Achilles Proxy Screenshot
50
Key Points
  • All input can be dangerous
  • URLs, Cookies, Executable content
  • Consider both client and server security.
  • SSL is not a panacea
  • Confidentiality & integrity of data in transit.
  • Input-based attacks can be delivered via SSL.
  • Top Vulnerabilities
  • Cross-Site Scripting
  • SQL Injection

51
References
  • Chris Anley, Advanced SQL Injection In SQL Server Applications,
    http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
  • CERT, Understanding Malicious Content Mitigation for Web Developers,
    http://www.cert.org/tech_tips/malicious_code_mitigation.html, Feb. 2000.
  • David Endler, The Evolution of Cross-Site Scripting Attacks,
    http://www.cgisecurity.com/development/xss.shtml, 2002.
  • Joris Evers, PayPal fixes phishing hole,
    http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006.
  • Stephen J. Friedl, SQL Injection Attacks by Example,
    http://www.unixwiz.net/techtips/sql-injection.html, 2005.
  • Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software
    Security, McGraw-Hill Osborne, 2005.
  • Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
  • Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006.
  • Nate Mook, Cross-Site Scripting Worm Hits MySpace,
    http://www.betanews.com/article/Cross-Site_Scripting_Worm_Hits_MySpace/1129232391, 2005.
  • Gunter Ollmann, HTML Code Injection and Cross-Site Scripting,
    http://www.technicalinfo.net/papers/CSS.html, 2002.
  • Samy, MySpace Worm Explanation, http://namb.la/popular/tech.html, 2005.
  • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e,
    McGraw-Hill, 2005.
  • Stuart McClure, Saumil Shah and Shreeraj Shah, Web Hacking: Attacks and
    Defense, Addison-Wesley, 2002.
  • Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications,
    Second Edition, McGraw-Hill, 2006.
  • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
  • SK, SQL Injection Walkthrough,
    http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.