Advanced Web Technology 10) XSS, CSRF and SQL Injection · Cross Site Request Forgery INot a new attack, but simple and devastating ICSRF attack forces a logged-on victim’s browser

Berner Fachhochschule, Technik und Informatik

Advanced Web Technology10) XSS, CSRF and SQL Injection

Dr. E. Benoist

Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection

1

Table of Contents

� Cross Site Request Forgery - CSRFPresentationVulnerabilityCSRF allows to access the intranetProtectionConclusion

� Injection FlowsPresentationVulnerabilityProtectionExamplesConclusion


2

Cross Site Request Forgery

I Not a new attack, but simple and devastating

I CSRF attack forces a logged-on victim’s browser to senda request to a vulnerable web application

I Target: Perform the chosen action on behalf of thevictim


Cross Site Request Forgery - CSRF 3

Sending a request without theconsent of the victim?

I Insert an image in a HTML file

<img src=”http://www.benoist.ch/image/test.gif”>

Browser: Downloads an image

GET /image/test.gif HTTP/1.1...

I An image can be generated by a PHP program (or anyprogram)

<img src=”http://www.benoist.ch/image/test.php”>



Cross Site Request Forgery - CSRF: Presentation 4

Sending a request? (Cont.)

I An image can be generated according to someparameters

<img src=”/barcode.php?number=12345678901”>


I An image tag can contain something else

<img src=”http://www.benoist.ch/index.php?action=↘

→logout”>

Browser ?????



Very widespread vulnerabilityTouches any web application that

I has no authorization checks for vulnerable actions

I will process an action if a default login is able to begiven in the request

<img src=”http://www.benoist.ch/doSomething?user=admin&↘→pwd=123”>

I Authorizes requests based only on credentials that areautomatically submitted• cookies if currently logged into the application• or “Remember me” functionality if not logged into the

application• or a Kerberos token if part of an Intranet participating in

integrated logon with Active Directory.



State of the art

I Most of web applications rely solely on automaticallysubmitted credentials• cookies• basic authentication credentials• source IP addresses• SSL certificates• or windows domain credentials

I Vulnerability also known as• Session Riding, One-Click Attacks, Cross Site Reference

Forgery, Hostile Linking, and Automation Attack• Acronym XSRF is also used together with CSRF



VulnerabilityI A typical CSRF attack directs the user to invoke some

function• for instance application’s logout page

I The following tag can be inserted in any page viewed bythe victim

<img src=”http://www.benoist.ch/logout.php”>

it generates the same request as clicking on a link containingthis address!

I Example: Online banking transfer

<img src=”http://www.mybank.de/transfer.do?frmAcct=document.form.frmAcct&toAcct=4567890&amt↘→=3434.43”>

Could transfer the money from the account of the user, to agiven account.


Cross Site Request Forgery - CSRF: Vulnerability 8

Vulnerability (Cont.)I Jeremiah Grossman1 Succeeded in making changes in

victims DSL routers

I Even if the user doesn’t know that he can configure hisrouter ;-)

I He used the router’s default account name to performhis attack Example

<img src=”http://admin:[email protected]/”>

Then you just have to reconfigure the system

<img src=”http://192.168.1.1/changeDNS?newDNS↘→=143.23.45.1”>

I Once DNS changed, user will never be able to access asite securely!

1Talk in Blackhat 2006 : “Hacking Intranet Sites from the outside”



How such a link could reach a victim

I Web-site Owner embedded JavaScript malware

I Web page defaced with embedded JavaScript malware

I JavaScript Malware injected into a public area of awebsite. (persistent XSS)

I Clicked on, a specially-crafted link causing the websiteto echo JavaScript malware. (non-persistent XSS)



CSRF allows to access the intranet

I The attacker sends requests from inside the Intranet• Doesn’t have to go throw the firewall, the victim is already

I CSRF combined with javascript allows to send manyrequests sequentially• javascript adds an image in the DOM (possibly invisible).• when the request is sent, another image is added• and so on


Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 11

Internet is protected, but Intranet?

You would never dare doing this on Internet! But whatabout Intranet?I Leaving hosts unpatched

• Servers are always patched regularly, but local PC’s?

I Using default passwords• What the use of changing the password, the IP address can

only be reached from inside my network• 192.168.x.y

I Do not putting a firewall in front of a hostI Everything seams OK because the perimeter firewalls

black external access• So CSRF attacks can be very fruitful



Why do CSRF attacks work?

I User authorization credential is automatically included inany request by the browse• Typical: Session Cookie

I The Attacker doesn’t need to supply that credential• It belongs to the victim’s browser

I Success of CSRF belongs on the probability that thevictim is logged in the attacked system• Idea: attack the site the victim visits• Mean : XSS



CSRF and XSS

I Combine CSRF and XSS• The tag is already posted inside the vulnerable application

I Risk is increased by that combination• Probability to find a logged in user is higher

I CSRF does not require XSS• One can attack a site from another one

I Any application with XSS flaws is susceptible to CSRF• CSRF attacks can exploit the XSS flaw to steal any

non-automatically submitted credential

I When building defenses against CSRF attacks, you musteliminate XSS vulnerabilities



Protection

I Application must ensure that they are not only relyingon credentials or tokens that are automaticallysubmitted by browsers• Session Cookies• Certificates• Remember me• . . .

I Application should use a custom token that the browserwill not “Remember”• So it can not be included in the Requests sent automatically


Cross Site Request Forgery - CSRF: Protection 15

StrategiesI Ensure that there are no XSS vulnerabilities in your

application• Otherwise, any protection is useless, since javascript could

access the hidden data.I Insert custom random tokens into every form and URL

• It will not be automatically submitted by the browser• Example:

<form action=”/transfer.do” method=”POST”><input type=”hidden” name=”383838” value=”↘→1234323433”>...

</form>

• Then you have to verify that token• Token can be unique for a session or even for each page• The more focused the token is, the higher the security is, but

the application is then much more complicated to write



Strategies (Cont.)

I For sensitive data or value transactions, re-authenticateor use transaction signing• to ensure that the request is genuine.• Set up external mechanism to verify requests (phone, e-mail)• Notify the user of the request using an e-mail

I Do not use GET requests for sensitive data or toperform value transactions• Use only POST methods when processing sensitive data from

the user.• However the URL may contain the random token as this

creates a unique URL, which makes CSRF almost impossibleto perform

I POST alone is an insufficient protection• You must also combine it with random tokens



Verifying Security

I Goal: Verify that the application generates and requiressome authorization token that is not resentautomatically by the browser

I Automated approaches:• Automated approach: few automated scanners can detect

CSRF vulnerabilities.• Manual Approach: Penetration testing and verification of the

code



Conclusion - CSRF

I Cross Site Scripting - XSS• Exploits the trust a user has in a website

I Cross Site Request Forgery - CSRF• Exploits the trust the site has in a user• by forging the enactor and making a request appear to come

from a trusted user2

2wikipedia


Cross Site Request Forgery - CSRF: Conclusion 19

Injection Flows

I Principle:• Occurs when user supplied data is sent to an interpreter as

part of a command or a query.

I Injection Flows may be done on:• SQL (most common)• LDAP• XPath• XSLT• HTML• OS Command injection• . . .

I This vulnerability is very common on Web Application


Injection Flows: Presentation 20

How does it work?

I Attacker tricks the interpreter into executing unintendedcommand

I Attacker supplies unexpected content to a site• Data is especially designed to fool the site

I Attacker may take control of the interpreter, forinstance SQL:• Read data (unintended, of course)• update, delete or create any arbitrary data

I For the Operating System interpreter• Attacker may have the opportunity to execute any command


Injection Flows: Presentation 21

Vulnerability

I Environments affected• Any framework using an interpreter or invoke process• SQL• Command line• . . .

I System is vulnerable when user input is passed withouttestsPHP

$query = ”select ∗ from guestbook”;$query .= ” where title like ’”.$ REQUEST[’search’];$result = mysql query($query , $conn);

Java

String query = ”select ∗ from user where username=’”;query += req.getParameter(”userID”);query += ”’ and password = ’”+req.getParameter(”pwd”)↘→+”’”;Advanced Web Technology 10) XSS, CSRF and SQL Injection

Injection Flows: Vulnerability 22

Protection

I Avoid the use of interpreter if possibleI Otherwise: Use safe APIs

• Strongly typed parameterized queries• Object Relational Mapping (ORM)

They handle data escapingI Validation is still recommended

• in order to detect attacks


Injection Flows: Protection 23

Take Extra Care when usinginterpreters

I Input Validation• Validate all input data: length, type, syntax, business rules• validation is done before displaying or storing any data• Validation must be done server-side• Javascript validation doesn’t bring any security

I Use strongly typed parameterized query APIs• with placeholder substitution markers,

I Enforce least privilege• Configure your DB such that the web account can’t do more

than what is expected• restrict the rights of your user when executing an OS command



Take Extra Care (Cont.)

I Avoid detailed error messages• Give access to versions numbers• Give access to parts of the code• Give access to configurations

I Use stored procedures• They are generally safe from SQL injection• Can however be injected (for instance using exec())

I Do not use dynamic query interfaces (such asmysql query())



Take Extra Care (Cont.)

I Do not use simple escaping functionssuch as

• addslashes() in PHP• str replace("’","’’")• it is weak and has been successfully exploited

I Prefer following methods• use mysql real escape string()• or preferably PDO which does not require escaping



Language Specific recommendations

I Java EE• use strongly typed PreparedStatement• or use an ORM (Object Relational Manager) such as

Hibernate or Spring

I PHP• Use PDO with strongly typed parameterized queries (usingbindParam()).



Which site is subject to SQLinjection?

I Such a site must access a DB• The parameter should be given by the user• This parameter is then used to select data in the DB• Example www.mysite.com/index.php?id=100• Means there exists a request for the page number 100

I If the site does not test its input• You can test it by typing something like:www.mysite.com/index.php?id=%2710

I If the site lets the user see error messages• Test the output of your input

I Examples• Search form (SELECT with LIKE)• Login form (SELECT with two =)• Insertion of new entries• . . .


Injection Flows: Examples 28

www.mysite.com/index.php?id=100

www.mysite.com/index.php?id=%2710

Example: Presentation

I Suppose we have the following HTML Form

<form method=”POST”><input type=”text” name=”username”><br><input type=”password” name=”password”><br><input type=”submit” value=”Login”>

</form>

I and the following PHP line defining a SQL command:

$query = ”SELECT ∗ FROM user WHERE username=’↘→$user’”;$query .= ” AND password=’$pwd’”;

I For our examples, we disable a security feature from thephp.ini file(normally this option is on, and it quotes all GET, POST andCOOKIES parameters, means chars like: ” and ’ are escapedand become \” and \’): magic_quotes_gpc = offAdvanced Web Technology 10) XSS, CSRF and SQL Injection


Example: Select user and password

I We want the select to work in any case

I Following expressions are always true

SELECT ∗ FROM table WHERE 1=1;SELECT ∗ FROM table WHERE 1;SELECT ∗ FROM table WHERE ISNULL(NULL)SELECT ∗ FROM table WHERE 1 IS NOT NULLSELECT ∗ FROM table WHERE NULL IS NULL...



Example: Select user and password(Cont.)

I So we do not need a valid username and passwordif $user="’ OR ’a’=’a" and $password remains empty thenthe previous expression becomes:

SELECT ∗ FROM user WHERE username=’’ OR ’a’=’a’ ↘→AND \password=’’”;

• Returns the list of all users• So we are logged in with the first provided



Login on a specific account

I We can specify the right username and change thepassword• If we give $user="Emmanuel"• And $password="’ OR ’b’ BETWEEN ’a’ AND ’c"

I The previous SQL statement becomes

SELECT ∗ FROM user WHERE username=’Emmanuel’ ↘→AND \password=’’ OR ’b’ BETWEEN ’a’ AND ’c’”;

I So username is OK, but password is not checked!



Example, using Comments

I Another great principle in SQL injection is CommentsIt is also very common in all the other injections

I If we inject a #, the rest of the SQL expression is notevaluatedif $user="John’ #" the request becomes

SELECT ∗ FROM user WHERE username=’John’#’ AND ↘

→password=’’

which is equal to

SELECT ∗ FROM user WHERE username=’John’

I If we use the comments /* comments */ we may escapesome tests



More injection in SELECTI Suppose we have the following query, for displaying the

content of one single comment in our guestbook:

$query = ”select ∗ from guestbook where guestbookID=↘

→$number”;

I We can copy the content in a file• suppose we define$number="11 or 1=1 INTO OUTFILE’/tmp/test.security.txt’"

• The total content of the table is sent to a file.I Suppose the Attacker has an account on the system

(e.g. foobar).• It is possible to change the password of foobar• If we can write the following query:

SELECT password FROM user WHERE login=’foobar’ INTO ↘

→OUTFILE\’/opt/lampp/htdocs/test.php’

I Attacker could create any php file inside the system!!Advanced Web Technology 10) XSS, CSRF and SQL Injection


Attacks compatible with magicquotes

I Since most of the server have magic quotes gpc = on• Attackers can not use ’ or ”

I Use MySQL char() function• Returns the character denoted by the number,• For instance char(104,111,112) returns the string hop

I Previous attack becomes

• The following query is used to count one vote:

UPDATE news SET votes=votes+1, score=score+$note ↘→WHERE\newsID=’$id’

,• We have the following attack

$note=”3, title=char(104,111,112)



How to protect yourself

I From SQL injection in PHP

I Configure PHP such that ’ and ” are automaticallyescaped

magic quotes gpc = on

I Always quote input before sending query to aninterpreter• mysql real escape string()

I Do not use any interpreter at all• Use PDO



Conclusion (Injection Flows)I SQL Injection allows attacker to

• Read data: Access passwords, data stored• Change Data : Access security level• Delete data•

I SQL injection Vulnerabilities opens the door to:• Privacy breach : Data can be accessed without consent• Identity theft : idem + failure in authentication• Compromission of the system : write of new files (maybe PHP)• . . .

I Easy protection are already exploited• Adding one (or more) layers between presentation and

database layer is a must (also from the point of view of Design)• Even this has also been successfully exploited.

I Solution? test your inputs!


Injection Flows: Conclusion 37

Conclusion (Web Security)

I Infrastructure Security is Vital• Good Network Architecture (Firewals, DMZ, . . . )

I Application Security must not be forgotten• Test Inputs• Encode Outputs

I Teach your users• No security is efficient is users aren’t included• for instance if they never log-out

I Security is expensive• in Development time• or in Usability



References

I OWASP Top 10 - 2007http://www.owasp.org/index.php/Top_10_2007

I A Guide for Building Secure Web Applications and WebServiceshttp://www.lulu.com/content/1401012

I Advanced SQL Injection in SQL Server Applications - ChrisAnleyhttp://www.nextgenss.com/papers/advanced_sql_injection.pdf

I L’injection (My)SQL via PHP - leseulfroghttp://www.phpsecure.info/v2/article/InjSql.phpAdvanced version:http://www.phpsecure.info/v2/article/phpmysql.php

I SQLMAP (a SQL Injection Tool)http://sqlmap.sourceforge.net



http://www.owasp.org/index.php/Top_10_2007

http://www.lulu.com/content/1401012

http://www.nextgenss.com/papers/advanced_sql_injection.pdf

http://www.nextgenss.com/papers/advanced_sql_injection.pdf

http://www.phpsecure.info/v2/article/InjSql.php

http://www.phpsecure.info/v2/article/phpmysql.php

http://sqlmap.sourceforge.net

Documents

Advanced Web Technology 10) XSS, CSRF and SQL Injection · Cross Site Request Forgery INot a new attack, but simple and devastating ICSRF attack forces a logged-on victim’s browser