Title: Web Security
1CSC 382/582 Computer Security
2Topics
- HTTP
- Web Input
- Canonicalization
- Authentication
- SQL Injection
- Cross-Site Scripting
- Client-side Attacks
- Finding Web Vulnerabilities
3Web Transactions
[Diagram: the Web Browser sends an HTTP Request through its OS and the Network to the Web Server; the Web Server returns an HTTP Response along the same path.]
4HTTP HyperText Transfer Protocol
- Simple request/response protocol
- Request methods: GET, POST, HEAD, etc.
- Protocol versions: 1.0, 1.1
- Stateless
- Each request is independent of previous requests,
i.e. request 2 doesn't know you authenticated in request 1.
- Applications are responsible for handling state.
5HTTP Request
- Structure: Method, URL, Protocol Version, Headers, Blank Line, then data (no data for the GET method)
- Example:
  GET http://www.google.com/ HTTP/1.1
  Host: www.google.com
  User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7
  Accept: text/html, image/png, */*
  Accept-Language: en-us,en;q=0.5
  Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
  (blank line)
6HTTP Response
- Structure: Protocol Version, HTTP Response Code, Headers, Blank Line, Web Page Data
- Example:
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Type: text/html
  Server: GWS/2.1
  Date: Fri, 13 Oct 2006 03:16:30 GMT
  (blank line)
  <HTML> ... (page data) ... </HTML>
7Different Perspectives
- Client Side
- HTTP requests may reveal private info.
- HTTP responses may reveal private info.
- HTTP responses may include malicious code (Java, ActiveX, Javascript)
- Server Side
- HTTP requests may contain malicious input.
- HTTP requests may have forged authentication.
- HTTP responses may be intercepted.
8Web-based Input
- Client and Server Perspectives
- Types of Input
- URL parameters
- HTML
- Cookies
- Javascript
- Cross-Site Scripting
9URL Format
- <proto>://<user>@<host>:<port>/<path>?<qstr>
- Whitespace marks end of URL
- @ separates userinfo from host
- ? marks beginning of query string
- & separates query parameters
- %HH represents the character with hex value HH
- ex: %20 represents a space
- http://username:password@www.auth.com:8001/a%20spaced%20path
10URL Parameters
- Client controls the query string
- Cannot limit values to those specified in the form
- Any character can be URL-encoded
- Even if it doesn't need to be.
- Any valid format may be used to disguise the true destination of a URL
11URL Obfuscation
- IP address representations
- Dotted quad (decimal, octal, hexadecimal)
- Hexadecimal without dots (with left padding)
- dword (32-bit int)
- Examples: www.eecs.utoledo.edu
- 131.183.19.14 (dotted quad)
- 0xDEDA83B7130E (hexadecimal, left-padded: only the low 32 bits, 0x83B7130E, are the address)
- 2209813262 (dword)
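Worked example for slides 9 through 11, added here and not part of the lecture slides: a Python decoder that turns every numeric host spelling above into the same dotted quad, and splits a URL so that the userinfo trick (everything before @ is not the host) is visible. The slide's own address 131.183.19.14 is the test data; the inet_aton-style part rules, the helper names and the input www.eecs.utoledo.edu@2209813262 are this example's assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Each dotted part may be decimal, octal (leading 0) or hex (0x). With fewer
# than four parts the last part fills the remaining bytes (inet_aton rules).
# A single dotless value is a 32-bit dword; extra leading hex digits, as in
# the slide's 0xDEDA83B7130E, are dropped so only the low 32 bits count.
_PART = re.compile(r"^(0[xX][0-9a-fA-F]+|0[0-7]*|[1-9][0-9]*)$")


def _part_value(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    if len(p) > 1 and p[0] == "0":
        return int(p, 8)
    return int(p, 10)


def canonical_ipv4(host: str):
    """Return the dotted quad for any numeric host form, or None for a DNS name."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_part_value(p) for p in parts]
    if len(values) == 1:
        addr = values[0] & 0xFFFFFFFF          # left padding beyond 32 bits is ignored
    else:
        *lead, last = values
        if any(v > 0xFF for v in lead):
            return None
        tail_bits = 8 * (4 - len(lead))        # the last part covers the remaining bytes
        if last >= 1 << tail_bits:
            return None
        addr = 0
        for v in lead:
            addr = (addr << 8) | v
        addr = (addr << tail_bits) | last
    return ".".join(str((addr >> s) & 0xFF) for s in (24, 16, 8, 0))


def true_destination(url: str) -> dict:
    """Split a URL per the <proto>://<user>@<host>:<port>/<path>?<qstr> format
    and report where it really goes, with any numeric host made canonical."""
    u = urlsplit(url)
    host = u.hostname or ""
    return {
        "userinfo": u.username,           # text before @ is userinfo, never the host
        "host": host,
        "canonical_host": canonical_ipv4(host) or host,
        "port": u.port,
        "path": unquote(u.path),          # %HH sequences decoded
        "query": u.query,
    }


if __name__ == "__main__":
    for h in ("131.183.19.14", "0203.0267.023.016", "0xDEDA83B7130E", "2209813262"):
        print(h, "->", canonical_ipv4(h))
    print(true_destination("http://www.eecs.utoledo.edu@2209813262/"))
```

Compare hosts only after canonicalization: a blocklist that matches the string 131.183.19.14 says nothing about 2209813262, and a user who sees www.eecs.utoledo.edu at the start of the URL is looking at the userinfo field, not the destination.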
12HTML Special Characters
- < begins a tag
- > ends a tag
- some browsers will auto-insert a matching > if it is missing
- & begins a character entity
- ex: &lt; represents the literal < character
- Quotes (" and ') are used to enclose attribute values
13Character Set Encoding
- Default: ISO-8859-1 (Latin-1)
- Character sets dictate which characters are special
- UTF-8 allows multiple representations: overlong (non-shortest) sequences encode the same character more than one way, and a decoder that accepts them can be fooled
- Force Latin-1 encoding of the web page with
- <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
14Hidden Fields
- <input type="hidden" name="user" value="james">
- Used to propagate data between HTTP requests since the protocol is stateless
- Clearly visible in HTML source
- Form can be copied, modified to change hidden fields, then used to invoke the script
15Cookies
- Parameters
- Name
- Value
- Expiration Date
- Domain
- Path
- Secure Connections Only
16Cookies
- Server to Client
- Content-type: text/html
- Set-Cookie: foo=bar; path=/; expires=Fri, 20-Feb-2004 23:59:00 GMT
- Client to Server
- Content-type: text/html
- Cookie: foo=bar
17Javascript Input Validation
- User-friendly
- convenient, immediate feedback
- Not secure
- Client can turn off Javascript
- Client may not use your form
- User input may be altered between browser and server.
18SSL
- Secure Sockets Layer (SSL)
- Standard for HTTP encryption.
- Successor: Transport Layer Security (TLS)
- SSL Phases
- Cipher negotiation
- Public-key authentication and key exchange
- Symmetric encryption of traffic
- Authentication
- Both client and server can use digital certificates
19Web Input Summary
- Client Side
- URLs may not lead where they seem to.
- Cookies can be used to track your browsing.
- Pages may include malicious code (Java, ActiveX,
Javascript)
- Server Side
- Cookies aren't confidential.
- Hidden fields aren't secret.
- Client may use own forms.
- URLs can have any format.
- POST data can have any format.
- Cookies can have any format.
20Win/Apache Directory Traversal
- Apache 2.0.39 and earlier (Windows)
- To view the file winnt\win.ini:
  http://127.0.0.1/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini
- which is the escaped form of
  http://127.0.0.1/error/\..\..\..\..\winnt\win.ini
21Naïve Solution to Name Issues
- Remove or check for known insecure elements in the original pathname, i.e.
- ..
- /cgi-bin or other protected directories
- .exe or other special filename extensions
- Trailing . or \
- URI-escaped characters
22IIS Directory Traversal
- MS Internet Information Server 4 and 5
- Execute shell command:
  http://127.0.0.1/scripts/..%c0%af../winnt/system32/cmd.exe
  where %c0%af is an overlong 2-byte UTF-8 encoding of /
- Problem: Too many ways to encode paths.
23Canonicalization
- Resolve all names to the canonical name using operating system functions.
- Use the standard OS function where available.
- Do access control using the canonical name.
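Worked example for slides 20 through 23, added here and not from the lecture: the naive blacklist check beside a resolve-then-decide check, run on the two traversal URLs above. The document root /var/www/html is assumed and no file is touched, so the canonical form is computed with posixpath.normpath; in a real server the last step is the OS function the slide refers to (os.path.realpath, which also resolves symlinks) followed by the same prefix test.

```python
import posixpath
from urllib.parse import unquote_to_bytes

DOCROOT = "/var/www/html"   # assumed document root for this example


def naive_is_safe(request_path: str) -> bool:
    """The slide-21 approach: look for '..' and '\\' in the path as received."""
    return ".." not in request_path and "\\" not in request_path


def resolve(request_path: str, docroot: str = DOCROOT):
    """Canonicalize first, decide second. Returns the filesystem path, or None to reject."""
    raw = unquote_to_bytes(request_path)      # exactly one round of %HH decoding, to bytes
    try:
        text = raw.decode("utf-8")            # strict: overlong forms such as %c0%af raise
    except UnicodeDecodeError:
        return None
    if "%" in text or "\x00" in text:         # leftover %: double encoding; NUL: truncation tricks
        return None
    text = text.replace("\\", "/")            # Windows servers treat \ as a separator too
    full = posixpath.normpath(posixpath.join(docroot, text.lstrip("/")))
    if full != docroot and not full.startswith(docroot.rstrip("/") + "/"):
        return None                           # canonical path lies outside the document root
    return full


if __name__ == "__main__":
    apache = "/error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5cwin.ini"
    iis = "/scripts/..%c0%af../winnt/system32/cmd.exe"
    for p in (apache, iis, "/a%20spaced%20path"):
        print(p, "naive:", naive_is_safe(p), "canonical:", resolve(p))
```

The Apache request passes the blacklist because the raw string contains neither .. nor a backslash; only after decoding and normalizing does /winnt/win.ini appear, outside the root. The IIS request is rejected earlier, at the decoder: a correct UTF-8 decoder treats %c0%af as malformed rather than as /, which is exactly what IIS 4 and 5 got wrong.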
24Web Authentication
- Initial authentication by password.
- How does web app remember authentication?
- Cookies
- Hidden form fields
- URL paths
- Problem: the client can tamper with all three.
25Secure Web Authentication
- Encrypt and MAC the auth data
- User cannot read the data to learn how to tamper with it.
- MAC with a secret key detects (and so defeats) tampering attempts.
- What about replay attacks?
- Include an expiration time inside the cookie.
- Include the client IP address.
- Use dynamic session IDs, different on each page.
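Worked example for slides 24 and 25, added here and not part of the lecture: an HMAC-protected authentication cookie carrying user, expiry and client IP, with a verifier that checks the MAC in constant time before it trusts any field, and a helper showing what a client who edits the payload gets. It implements the MAC, expiry and IP-binding points only; the slide's encryption layer is left out, so the payload is readable but not forgeable. The secret key, the field layout and the user names are this example's assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumed server-side secret; generate it randomly and never send it to the client.
SECRET_KEY = b"example-key-change-me"


def issue_cookie(user, client_ip, ttl_seconds, now=None, key=SECRET_KEY):
    """Return base64(user|expiry|ip) + '.' + HMAC-SHA256 over that payload."""
    if "|" in user:
        raise ValueError("user name may not contain the field separator")
    now = int(time.time()) if now is None else now
    payload = f"{user}|{now + ttl_seconds}|{client_ip}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_cookie(cookie, client_ip, now=None, key=SECRET_KEY):
    """Return the user name if MAC, expiry and IP binding all hold, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, tag = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison, and nothing in the payload is parsed until it passes.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    user, expires, ip = payload.decode().split("|")
    if now >= int(expires):          # replay after expiry
        return None
    if ip != client_ip:              # replay from another address
        return None
    return user


def forge_user(cookie, old, new):
    """What a client can do without the key: rewrite the payload, keep the old tag."""
    b64, tag = cookie.split(".", 1)
    payload = base64.urlsafe_b64decode(b64).decode().replace(old, new, 1).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


if __name__ == "__main__":
    c = issue_cookie("alice", "10.0.0.5", 600, now=1000)
    print(c)
    print(verify_cookie(c, "10.0.0.5", now=1200))                        # alice
    print(verify_cookie(forge_user(c, "alice", "admin"), "10.0.0.5", now=1200))  # None
```

The expiry bounds how long a stolen cookie is useful; the IP field raises the bar for use from elsewhere but breaks for users behind changing proxies, which is the trade-off behind the slide's third option, per-page session IDs.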
27SQL Injection
- Example (Perl DBI):
  use DBI;
  $dbh = DBI->connect($conn, $dbusername, $dbpassword)
      or die "Database connection failed.\n";
  $sql = "SELECT count(*) from users where username = '$username' and password = '$password'";
  $sth = $dbh->prepare($sql) or die "Prepare failed.\n";
  $sth->execute() or die "Execute failed.\n";
- What if the user gives SQL code as the name or password?
28SQL Injection Attack 1
- Unauthorized Access Attempt
- password: ' or 1=1 --
- SQL statement becomes
- select count(*) from users where username = 'user' and password = '' or 1=1 --'
- Checks if (username matches and password is empty) OR 1=1, which is always true, permitting access; the -- comments out the trailing quote.
29SQL Injection Attack 2
- Database Modification Attack
- password: foo'; delete from users where username like '%
- Database executes two SQL statements (where the driver allows stacked queries):
- select count(*) from users where username = 'user' and password = 'foo';
- delete from users where username like '%'
30Beyond the Database
- ODBC (Jet) allows shell injection via
- '|shell("cmd /c echo " & chr(124) & " format c:")|'
- MS SQL Server Extended Stored Procs
- Shell: exec master..xp_cmdshell 'format c:'
- Create new DB accounts: xp_grantlogin
- Read any file: bulk insert foo from 'c:\d.txt'
31The Problem String Building
- Building a SQL command string with user input in any language is dangerous.
- Variable interpolation.
- String concatenation with variables.
- String format functions like sprintf().
- String templating with variable replacement.
32Bad Solution Blacklist
- Attempted solution: Blacklist SQL metacharacters, especially single quotes.
- Problems
- Numeric parameters don't use quotes.
- Database-escaped quotes: \'
- URL-escaped metacharacters.
- Unicode-encoded metacharacters.
- Did you miss any metacharacters?
- 2nd Order SQL Injection.
33Numeric Parameters
- Solution: Escape single quotes
- Problem 1: What if you use stored user data? (It was escaped on the way in, but is raw again when read back and used in a later query: 2nd-order injection.)
- Problem 2: Numeric parameters have no quotes to escape.
- Q: select count(*) from users where uid=$uid
- User enters uid: 1 or 1=1
- Query becomes
- select count(*) from users where uid=1 or 1=1
- Once again, this query is always true.
34Solution Prepared Queries
- Example (Perl DBI, with placeholders):
  use DBI;
  $dbh = DBI->connect(conn(), $db_username, $db_password)
      or die "Database connection failed.\n";
  $sql = "SELECT count(*) from users where username = ? and password = ?";
  $sth = $dbh->prepare($sql) or die "Prepare failed.\n";
  $sth->bind_param(1, $username);
  $sth->bind_param(2, $password);
  $sth->execute() or die "Execute failed.\n";
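Worked example for slides 27 through 34, added here and not part of the lecture: the slide's string-built login query and its placeholder version run against a real database, with both injection payloads from the slides. Python's sqlite3 module and an in-memory table stand in for the slide's DBI connection; the table contents and the plaintext password column (which mirrors the slide's query, not good practice) are constructed for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory table shaped like the slide's query. Constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def count_vulnerable(conn, username: str, password: str) -> int:
    """String building by interpolation, the slide-27 pattern: input becomes SQL."""
    sql = (f"SELECT count(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0]


def count_by_uid_vulnerable(conn, uid: str) -> int:
    """Numeric parameter with no quotes, so escaping quotes would not help (slide 33)."""
    return conn.execute(f"SELECT count(*) FROM users WHERE uid = {uid}").fetchone()[0]


def count_prepared(conn, username: str, password: str) -> int:
    """Placeholders (slide 34): the input is bound as data and never parsed as SQL."""
    sql = "SELECT count(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0]


def count_by_uid_prepared(conn, uid: str) -> int:
    """Check the type first, then bind: '1 or 1=1' fails int() before reaching the database."""
    return conn.execute("SELECT count(*) FROM users WHERE uid = ?", (int(uid),)).fetchone()[0]


def stacked_delete_succeeds(conn) -> bool:
    """Slide 29's second attack. Whether the second statement runs depends on the driver:
    sqlite3 refuses more than one statement per execute(); many other drivers do not."""
    before = conn.execute("SELECT count(*) FROM users").fetchone()[0]
    try:
        count_vulnerable(conn, "alice", "foo'; delete from users where username like '%")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False
    return conn.execute("SELECT count(*) FROM users").fetchone()[0] < before


if __name__ == "__main__":
    conn = setup_db()
    bypass = "' or 1=1 --"
    print("vulnerable:", count_vulnerable(conn, "alice", bypass))      # 2: every row matches
    print("prepared:  ", count_prepared(conn, "alice", bypass))        # 0: compared as a literal
    print("numeric:   ", count_by_uid_vulnerable(conn, "1 or 1=1"))    # 2
    print("stacked:   ", stacked_delete_succeeds(conn))
```

A login check that tests count > 0 lets the first payload in; the prepared form returns 0 because the database compares the password column with the literal string "' or 1=1 --". That a particular driver blocks stacked queries is a property of that driver, not a defence to rely on.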
35Cross-Site Scripting (XSS)
- #1 vulnerability in 2005 (16%), 2006 (21.5%)
- Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActionScript) of the attacker's choosing.
- Typical Goal: obtain user auth cookies for
- Bank site (transfer money to attacker)
- Shopping site (buy goods for attacker)
- E-mail
36XSS Attacks
- MySpace worm (October 2005)
- When someone viewed Samy's profile
- Set him as friend of viewer.
- Incorporated code in viewer's profile.
- Paypal (2006)
- XSS redirect used to steal money from Paypal users in a phishing scam.
- BBC, CBS (2006)
- By following an XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department.
37Stored vs Reflected XSS
- Stored XSS
- Injected script stored in comment, message, etc.
- Requires ability to insert malicious code into web documents (comments, reviews, etc.)
- Persistent until message deleted.
- Reflected XSS
- Injected script returned by one-time message.
- Requires tricking user into clicking on link.
- Non-persistent. Only works when user clicks.
38Why does XSS Work?
- Same-Origin Policy
- Browser only allows Javascript from site X to access cookies and other data from site X.
- Attacker needs to make the attack come from site X.
- Vulnerable Server Program
- Any program that returns user input without filtering out dangerous code.
39Anatomy of an XSS Attack
[Diagram: User, Web Server, Attacker and Evil Site, with the numbered steps spelled out on the next slide: 1. Login; 2. Cookie; 3. XSS Attack; 4. User clicks on XSS link; 5. XSS URL; 6. Page with injected code; 7. Browser runs injected code, Evil Site saves cookie; 8. Attacker uses stolen cookie to hijack user session.]
40Anatomy of an XSS Attack
- User logs into legitimate site.
- Site sends user an authentication cookie.
- Attacker sends user an XSS attack containing injected code.
- User clicks on XSS link in email, web, IM.
- Browser requests the vulnerable URL at the legitimate site; the site's cookie goes along with the request.
- Legitimate site returns injected code in web page.
- Browser runs injected code, which accesses the evil site with the cookie in the URL.
- Evil site records user cookie.
- Attacker uses cookie to authenticate to legitimate site as user.
41XSS URL Examples
- http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
- http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert('Test')</script>
- http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
- http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text_=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
42Preventing XSS
- Client: Disable scripting
- Use NoScript to permit some sites to use scripts.
- Server: Disallow HTML input
- Reject any input with HTML
- Replace HTML special characters
- ex: replace < with &lt; and > with &gt;
- also replace (, ), & and the quote characters
- Server: Allow only safe HTML tags
- Escape all HTML tags except whitelisted ones
- Server: tagged cookies
- Include the IP address in the cookie and only allow access from the original IP address the cookie was created for.
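Worked example for the two server-side options above and the special characters of slide 12, added here and not part of the lecture: an escape function that neutralizes the payload from the XSS URL examples, and an allowlist filter built on Python's html.parser that re-emits a few bare tags and escapes everything else. The allowed tag set, and the rule that a tag carrying any attribute is never allowed (attributes are where onmouseover= and javascript: URLs live), are this example's assumptions.

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br"}   # assumed allowlist, attributes never allowed


def escape_html(s: str) -> str:
    """Option 'replace HTML special characters': < > & " ' become entities, so no tag can form."""
    return html.escape(s, quote=True)


class _Allowlist(HTMLParser):
    """Option 'allow only safe HTML tags': keep allowed bare tags, escape everything else."""

    def __init__(self):
        super().__init__()               # convert_charrefs=True: '&lt;' arrives as '<' and is re-escaped
        self.out, self.open = [], []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS and not attrs:
            self.open.append(tag)
            self.out.append(f"<{tag}>")
        else:                            # unknown tag, or allowed tag with attributes: show as text
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS and not attrs:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in self.open:             # close down to the matching open tag, keeping nesting valid
            while self.open:
                t = self.open.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(html.escape(data))   # script bodies arrive here too and get escaped

    def handle_comment(self, data):
        pass                                 # comments dropped; they are a classic filter bypass


def sanitize_html(s: str) -> str:
    p = _Allowlist()
    p.feed(s)
    p.close()
    while p.open:                            # close anything the input left open
        p.out.append(f"</{p.open.pop()}>")
    return "".join(p.out)


if __name__ == "__main__":
    payload = '"><script>alert(document.cookie)</script>'
    print(escape_html(payload))
    print(sanitize_html('<b>hi</b><script>alert(1)</script><b onmouseover="alert(1)">x</b>'))
```

Because the parser does the tokenizing, the filter never has to guess how a browser will read odd spellings of a tag; whatever it does not recognize as an allowed bare tag is emitted as escaped text, which is the safe default.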
43Client-side Attacks
- Buffer Overflow
- 2004 iframe
- 2004-05 jpeg
- Remote Code
- ActiveX
- Flash
- Java
- Javascript
44ActiveX
- Executable code downloaded from server
- Activated by the HTML <object> tag.
- Native code binary format.
- Security model
- Digital signature authentication
- Zone-based access control
- No control once execution starts
45Java
- Digital signature authentication
- Sandbox
- Sandbox Limits
- Cannot read/write files.
- Cannot start programs.
- Network access limited to originating host.
- Sandbox Components
- Byte-code verifier
- Class loader
- Security manager
46Client Protection
- Disable ActiveX and Java.
- Run browser with least privilege.
- Use a browser sandbox
- VMware Virtual Browser Appliance
- Protected Mode IE (Windows Vista)
- Go to sites directly instead of following links.
- Use plain text e-mail instead of HTML.
- Patch your browser regularly.
- Use a personal firewall.
47Web Reconnaissance
- Google Hacking
- "Index of" passwd
- "Index of" password.txt
- filetype:htaccess user
- allinurl:_vti_bin shtml.exe
- Web Crawling
- wget --mirror http://www.w3.org/ -o /mirror/w3
- Santy Worm used Google to find vulnerable servers.
48Proxies and Vulnerability Scanners
- Achilles
- OWASP WebScarab
- Paros Proxy
- SPI Dynamics WebInspect
- Edit Web Data
- URL
- Cookies
- Form Data
[Diagram: Web Browser <-> Web Proxy <-> Web Server; the proxy sits between browser and server and lets the tester edit requests and responses in transit.]
49Achilles Proxy Screenshot
50Key Points
- All input can be dangerous
- URLs, Cookies, Executable content
- Consider both client and server security.
- SSL is not a panacea
- Confidentiality and integrity of data in transit only.
- Input-based attacks can be delivered via SSL.
- Top Vulnerabilities
- Cross-Site Scripting
- SQL Injection
51References
- Chris Anley, Advanced SQL Injection In SQL Server Applications, http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
- CERT, Understanding Malicious Content Mitigation for Web Developers, http://www.cert.org/tech_tips/malicious_code_mitigation.html, Feb. 2000.
- David Endler, The Evolution of Cross-Site Scripting Attacks, http://www.cgisecurity.com/development/xss.shtml, 2002.
- Joris Evers, Paypal fixes Phishing hole, http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006.
- Stephen J. Friedl, SQL Injection Attacks by Example, http://www.unixwiz.net/techtips/sql-injection.html, 2005.
- Michael Howard, David LeBlanc, and John Viega, 19 Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
- Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
- Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006.
- Nate Mook, Cross-Site Scripting Worm Hits MySpace, http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391, 2005.
- Gunter Ollman, HTML Code Injection and Cross-Site Scripting, http://www.technicalinfo.net/papers/CSS.html, 2002.
- Samy, MySpace Worm Explanation, http://namb.la/popular/tech.html, 2005.
- Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005.
- Stuart McClure, Saumil Shah and Shreeraj Shah, Web Hacking: Attacks and Defense, Addison-Wesley, 2002.
- Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006.
- Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
- SK, SQL Injection Walkthrough, http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.