CS 371 Web Application Programming
School of Computing and Information Systems

Security
Avoiding and Preventing Attacks

Overview

client  <----  Internet  ---->  server

Hey, what could go wrong?

on the server:
• executing malicious code
• leaking information
• access to server resources

in transit (the Internet):
• packet sniffing
• spoofing
• DOS attacks

on the client:
• modifying client code
• session hijacking

Points of Risk

what data?         how is it at risk?
data on server     sensitive data can be viewed or stolen
cookies            sensitive data can be viewed or stolen (and altered by the client; see Cookie Poisoning)
transmission       sniffing, losing packets

CGI Scripts

parameters arrive via GET or POST; both are attacker-controlled input, and GET parameters also sit in URLs, browser history and server logs where intruders can view them

scripts running on the server may have limited permissions, but still enough to
• send out the password file
• view the network information maps
• create a login session

CGI Scripts (cont.)

hidden variables: like text fields, but not displayed in the browser
• tempting to use to maintain state
• if used for things like price, they can be altered before the form is submitted (see Variable Tampering)

session variables: convenient, but sessions can be hijacked
• provide for session time-out to minimize risk
• generate the session ID from a cryptographically random source and send it only over an encrypted (TLS) connection, so it can be neither guessed nor sniffed

Logins

keep track of the session: a legitimate user logs in, purchases, logs out

• a co-worker then uses the Back button to return to the purchase page and buys something else

• is it possible to replay the login? erase the id and password fields after submission so they are not re-sent

• create a random key for each login/purchase form and accept it only once, so a re-submitted page is rejected
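The "random key, used once" defence described above, as an added example (not code from the slides, and written in Python rather than the lecture's PHP so it runs stand-alone). It assumes a process-local dict as the server-side token store; the function names and the 300-second lifetime are illustrative choices.

```python
import secrets
import time
from typing import Dict, Optional, Tuple

# Server-side table of unredeemed one-time tokens: token -> (session id, expiry).
# Assumption: a process-local dict stands in for the session store / database.
_pending: Dict[str, Tuple[str, float]] = {}
TOKEN_TTL = 300.0  # seconds a form token stays valid (illustrative value)


def issue_token(session_id: str, now: Optional[float] = None) -> str:
    """Mint an unguessable token for one login/purchase form and remember it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[token] = (session_id, now + TOKEN_TTL)
    return token


def redeem_token(session_id: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token only if it is unused, unexpired and bound to this session.
    It is removed on first use, so a Back-button resubmission or any replay fails."""
    now = time.time() if now is None else now
    entry = _pending.pop(token, None)
    if entry is None:
        return False  # unknown, already used, or forged
    owner, expires_at = entry
    # constant-time comparison so the owner check leaks nothing via timing
    return secrets.compare_digest(owner, session_id) and now <= expires_at


def place_order(session_id: str, token: str, item: str) -> str:
    """The purchase handler: the token gate runs before any side effect."""
    if not redeem_token(session_id, token):
        return "rejected: stale, reused or foreign form token"
    return "ordered " + item


if __name__ == "__main__":
    sid = "session-alice"
    tok = issue_token(sid)
    print(place_order(sid, tok, "book"))      # ordered book
    print(place_order(sid, tok, "laptop"))    # rejected: the Back-button replay
    old = issue_token(sid, now=0.0)
    print(place_order(sid, old, "pen"))       # rejected: token expired
```

The token is embedded in the form as a hidden field; because it is consumed server-side on first use, the co-worker's Back button shows the old form but its token no longer exists.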

Security Attacks

• injection: SQL, command, code
• tampering: parameters, cookies
• XSS - cross site scripting
• information gathering
• password cracking
• denial of service

SQL Injection

php script builds the following query by string concatenation:
"SELECT * FROM user WHERE name='" . $_POST['userName'] . "';"

what if the user enters D'wan? … name='D'wan'; has an unbalanced quote

the query will cause a syntax error (and the error message itself tells the attacker the input reaches SQL unescaped)

what if the user enters me';show tables; ?

what if the user enters me';drop table user; ?

whether a second statement runs depends on the database driver, but even without stacking, entering ' OR '1'='1 turns the WHERE clause into one that matches every row

practice site:http://jmchilton.net/blog/?p=23
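The slide's concatenated query beside its parameterized form, as an added example (not the slides' code; Python with the standard-library sqlite3 driver instead of PHP/MySQL so it runs offline). The `user` table contents are constructed sample data. Note that sqlite3's execute() refuses stacked statements, so the slide's `drop table` variant is not reproducible here; the example shows the single-statement bypass instead.

```python
import sqlite3
from typing import Dict, List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the lecture's `user` table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO user VALUES (?, ?)",
        [("me", "me@example.com"), ("D'wan", "dwan@example.com"), ("admin", "root@example.com")],
    )
    return db


def lookup_vulnerable(db: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    # Same construction as the slide: the submitted text is spliced into the SQL,
    # so quotes in it change the statement instead of being data.
    query = "SELECT * FROM user WHERE name='" + user_name + "'"
    return db.execute(query).fetchall()


def lookup_safe(db: sqlite3.Connection, user_name: str) -> List[Tuple[str, str]]:
    # Bound parameter: the value travels separately from the statement text, so
    # a quote, a semicolon or an OR clause is just characters in a name.
    return db.execute("SELECT * FROM user WHERE name=?", (user_name,)).fetchall()


def injection_demo() -> Dict[str, object]:
    """Run the slide's inputs through both versions and summarise what happened."""
    db = make_db()
    result: Dict[str, object] = {}
    try:
        lookup_vulnerable(db, "D'wan")
        result["dwan_error"] = False
    except sqlite3.OperationalError:           # unbalanced quote -> syntax error
        result["dwan_error"] = True
    # name='' OR '1'='1' matches every row: authentication bypass / data dump
    result["bypass_rows"] = len(lookup_vulnerable(db, "' OR '1'='1"))
    # the parameterized query treats the same strings as literal names
    result["safe_dwan_rows"] = len(lookup_safe(db, "D'wan"))
    result["safe_bypass_rows"] = len(lookup_safe(db, "' OR '1'='1"))
    return result


if __name__ == "__main__":
    print(injection_demo())
```

The PHP equivalent is a prepared statement (PDO or mysqli) with bound parameters; escaping functions such as addslashes are not a substitute.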

Command Injection

assume the server has recipe files (ravioli.txt)

the server script dumps the requested recipe by shelling out to the cat command:
exec("cat " . $_POST['recipeName'] . ".txt");

the user enters tuna, it returns tuna.txt

what if the user enters tuna.txt;ls;cat steak ? the shell sees three commands separated by ; and runs all of them
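The recipe script above in its vulnerable and hardened forms, as an added example (not the slides' code; Python's subprocess instead of PHP's exec so it runs stand-alone on a POSIX system with cat and ls). The recipe folder and its files are constructed in a temporary directory; the allow-list pattern is an illustrative choice.

```python
import os
import re
import subprocess
import tempfile

# Allow-list for recipe names: letters, digits, _ and - only, so no dots
# (no ".." traversal), no spaces and no shell metacharacters can get through.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,40}$")


def setup_recipes() -> str:
    """Constructed recipe folder with a few .txt files (sample data, not real content)."""
    folder = tempfile.mkdtemp(prefix="recipes-")
    for name, body in (("ravioli", "boil ravioli"), ("tuna", "open tin")):
        with open(os.path.join(folder, name + ".txt"), "w") as fh:
            fh.write(body)
    return folder


def show_recipe_vulnerable(folder: str, recipe_name: str) -> str:
    # Mirrors the slide's exec("cat ".$_POST['recipeName'].".txt"): the whole
    # string goes to /bin/sh, which honours ; | && $( ) inside the user's input.
    cmd = "cat " + recipe_name + ".txt"
    done = subprocess.run(cmd, shell=True, cwd=folder, capture_output=True, text=True)
    return done.stdout


def show_recipe_safe(folder: str, recipe_name: str) -> str:
    # 1. reject anything outside the allow-list; 2. pass argv as a list, so no
    # shell is involved and the name is one argument whatever it contains.
    if not SAFE_NAME.match(recipe_name):
        raise ValueError("invalid recipe name")
    path = os.path.join(folder, recipe_name + ".txt")
    done = subprocess.run(["cat", path], capture_output=True, text=True, check=True)
    return done.stdout


if __name__ == "__main__":
    folder = setup_recipes()
    attack = "tuna.txt;ls;cat steak"
    print(show_recipe_vulnerable(folder, attack))   # tuna AND the directory listing
    print(show_recipe_safe(folder, "tuna"))
    try:
        show_recipe_safe(folder, attack)
    except ValueError as exc:
        print("blocked:", exc)
```

The safe version keeps `cat` only to stay close to the slide; in practice the best fix is the one the "What to do" slide gives: don't shell out at all, open the validated file from the script.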

Code Injection

the server accepts text from users and displays it on a page (like a guest book or comments); this is the stored form of cross-site scripting, covered again two slides on

a user enters 'good job <script>window.location.href="bad.place.com"</script>' and every later visitor's browser runs it

In Google, when you enter a search string, does that string show up on the results page? hmmm: any page that echoes the query back unescaped is at risk

Variable Tampering

in an HTML form:
<input type="hidden" name="id" value="12"/>

passed from one script to another

ordinary users never see it, but an attacker can edit it in the page source or in a proxy before submitting

when crawling web sites, hidden fields are easy to spot

session variables are safer (as long as the session isn't hijacked): keep the real id, price or total on the server, keyed by the session

Cookie Poisoning

users can modify cookies

say a web site stores something like a price or the total of an order in a cookie

the user can change the amount and pay much less

to combat this, many sites store only an opaque, random session id in the cookie and everything else on the server; if a value must travel through the client, sign it (e.g. with an HMAC) so any change is detected
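Both defences against tampered hidden fields and poisoned cookies (the two preceding slides), as an added example that is not the slides' code (Python rather than PHP so it runs stand-alone): an opaque random id with the data kept on the server, and an HMAC-signed value for the case where state must travel through the client. The key, the cart store and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Optional

# Assumption: a key that lives only on the server (in a real app, from config/KMS).
SERVER_KEY = b"constructed-demo-key-not-for-production"

# --- Approach 1 (the slide's): opaque random id in the cookie, data on the server ---
CARTS: Dict[str, Dict[str, Any]] = {}


def new_cart(price: float) -> str:
    """Return the only thing the client gets: a random, unguessable cart id."""
    cart_id = secrets.token_urlsafe(16)
    CARTS[cart_id] = {"price": price}
    return cart_id


def checkout(cart_id: str) -> Optional[float]:
    """Whatever the client claims, the price comes from the server-side record."""
    cart = CARTS.get(cart_id)
    return None if cart is None else cart["price"]


# --- Approach 2: if a value must travel via a hidden field or cookie, sign it ---
def sign_value(payload: Dict[str, Any]) -> str:
    """Readable-but-not-editable: base64url(JSON) . HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def verify_value(token: str) -> Optional[Dict[str, Any]]:
    """Return the payload if the tag matches, None if it was altered or forged."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    padded = body + "=" * (-len(body) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tamper(token: str, payload: Dict[str, Any]) -> str:
    """What an attacker can do without the key: rewrite the body, keep the old tag."""
    _, _, old_tag = token.rpartition(".")
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode().rstrip("=")
    return body + "." + old_tag


if __name__ == "__main__":
    cid = new_cart(999.0)
    print(checkout(cid), checkout("made-up-id"))
    honest = sign_value({"item": "laptop", "price": 999})
    forged = tamper(honest, {"item": "laptop", "price": 1})
    print(verify_value(honest))   # {'item': 'laptop', 'price': 999}
    print(verify_value(forged))   # None
```

Signing stops modification but not reading: the payload is only base64-encoded, so nothing secret belongs in it, and a signed value can still be replayed unless it also carries an expiry or a nonce.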

Cross Site Scripting (XSS)

injecting a link or malicious code into a web site so that it runs in other users' browsers and collects information about them

example (reflected): http://www.bad.com/user.php?uname=<script>alert(document.cookie);</script>

C posts a link to site B (which has the vulnerability). A clicks the link; the script runs in A's browser with site B's cookies and sends A's sensitive data back to C
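The stored (guest book) and reflected (search/uname) cases from the Code Injection and XSS slides, rendered with and without output escaping, as an added example that is not the slides' code (Python's html module, not PHP's htmlspecialchars, so it runs stand-alone). The guest book list and the sample payloads are constructed for the example.

```python
import html
from typing import List

# Constructed in-memory guest book standing in for the comments table.
GUESTBOOK: List[str] = []


def post_comment(text: str) -> None:
    # Store the raw text; escaping is an output-time job, done for the context
    # the text lands in (HTML body, attribute, ...).
    GUESTBOOK.append(text)


def render_guestbook(escape: bool) -> str:
    """Stored XSS: with escape=False the comment is pasted in as markup and the
    <script> runs in every visitor's browser; with escape=True it is shown as text."""
    items = []
    for comment in GUESTBOOK:
        shown = html.escape(comment) if escape else comment
        items.append("<li>" + shown + "</li>")
    return "<ul>" + "".join(items) + "</ul>"


def search_results(query: str, escape: bool) -> str:
    """Reflected XSS, like the slide's user.php?uname=<script>...: the query
    string is echoed into the response, so a crafted link carries the payload."""
    shown = html.escape(query) if escape else query
    return "<p>Results for: " + shown + "</p>"


def prefill_search_box(query: str) -> str:
    # Attribute context: quote=True also converts " and ', so the value cannot
    # close the attribute early and smuggle in an onfocus=... handler.
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


def has_live_script(page: str) -> bool:
    """Crude check used by the demo: does a raw <script tag survive into the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    post_comment('good job <script>window.location.href="bad.place.com"</script>')
    print(render_guestbook(escape=False))
    print(render_guestbook(escape=True))
    print(search_results("<script>alert(document.cookie);</script>", escape=True))
    print(prefill_search_box('" onfocus="alert(1)'))
```

Escaping is context-specific: the body/attribute escaping shown here is not enough for text placed inside a `<script>` block or a URL, which need their own encoders.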

Information Gathering

Almost every web site has some information leakage

WHOIS – domain and IP registration records (registrant, contacts, name servers)

crawling the web for email addresses and other info

Password Cracking

• use of the Back button to reveal a password left in a form field
• guessing from known facts about the user or common words (DOB, child's name, maiden name, “123456”, city, college, “love”, “letmein”, …)
• brute force attacks (figures from onemansblog.com; they depend on the character set and guess rate assumed):
  4 characters => 0.86 seconds
  6 characters => 8.51 days
  8 characters => 2.1 centuries

Do you use the same password for many websites?
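A dictionary attack built from the slide's "known facts and common words", as an added example that is not the slides' code (Python, so it runs stand-alone). The victim's facts, the short common-word list and the mangling rules are constructed; the target site is assumed to store unsalted SHA-256 hashes, which is what makes an offline attack this cheap.

```python
import hashlib
import itertools
from typing import Dict, Iterator, Optional, Tuple

# The common-password seed list the slide alludes to (constructed, short).
COMMON = ["123456", "password", "letmein", "love", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Constructed stand-in for a site that stores bare SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(facts: Dict[str, str]) -> Iterator[str]:
    """Guesses from common words and the victim's known facts, with the usual mangling."""
    years = [facts[k] for k in facts if k.endswith("year")]
    base = COMMON + [v for k, v in facts.items() if not k.endswith("year")]
    for word in base:
        for w in (word, word.capitalize()):
            yield w
            yield w + "1"
            yield w + "!"
            for y in years:
                yield w + y          # emma1985
                yield w + y[-2:]     # emma85
    for a, b in itertools.permutations(base, 2):
        yield a + b                  # emmaboston
        yield a.capitalize() + b.capitalize()


def crack(target: str, facts: Dict[str, str], limit: int = 100_000) -> Tuple[Optional[str], int]:
    """Return (password, attempts), or (None, attempts) if the list is exhausted."""
    attempts = 0
    for guess in candidates(facts):
        attempts += 1
        if attempts > limit:
            break
        if unsalted_hash(guess) == target:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    facts = {"child_name": "emma", "city": "boston", "birth_year": "1985"}
    print(crack(unsalted_hash("Emma1985"), facts))   # found in a few dozen guesses
    print(crack(unsalted_hash("xK9#qv2L"), facts))   # (None, attempts): not in the list
```

The server-side counters are a slow, salted password hash (bcrypt, scrypt or Argon2) so each guess costs real time and identical passwords hash differently, plus rate limiting on the login form; the user-side counter to the reuse question is a different password per site.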

Denial of Service

typical DOS attacks involve inundating servers with requests, but what about using client-side code to stymie the user?

how would you write a simple JavaScript snippet to annoy and block a user's attempt to send a request?

a JavaScript function to validate user input in a non-helpful and annoying way?

What to do

scripts:
• keep them in one folder
• use standard extensions (php, etc.)
• prefer compiled over interpreted
• be wary of third party scripts
• make no assumptions about which client-side scripts are making calls to server-side scripts: any HTTP client can call them directly

shelling out or executing code:
• don't do it, or minimize its use
• be cautious of commands to be shelled: never build the command line from user input

What to do (cont)

variables:
• consider all of them to be tainted
• escape them for the context they are used in; magic quotes and addslashes were the PHP advice of the day but are not a reliable defence (magic_quotes was removed in PHP 5.4): use prepared statements with bound parameters for SQL
• use JavaScript to validate variables, but don't rely on that alone: hackers can bypass the browser and send the request directly

php:
• make sure register_globals is off (it was removed in PHP 5.4)
• include files: use .php not .inc, so the web server executes them instead of serving their source

avoid XSS by escaping user input at output time (htmlspecialchars)
obfuscate addresses against crawlers: jerry<at>myplace<dot>com

Transport Layer Security (TLS)

typical (symmetric) algorithms require a key that both parties know

so if Alice and Bob want to communicate, how do they agree on a key?

in public key encryption, a message encrypted with the public key can only be decrypted with the matching private key

plaintext --encrypt (public key)--> ciphertext --decrypt (private key)--> plaintext

Transport Layer Security (TLS)

simplified transmission (RSA key exchange, as used up to TLS 1.2):
• Alice sends Bob a message to initiate (client hello, carrying a random nonce)
• Bob responds with his public key, inside his certificate, plus his own nonce
• Alice encrypts a random number (the premaster secret) with the public key; only Bob can decrypt it
• both derive the session key from that random number and the nonces, then switch to symmetric encryption

the server must have a digital certificate signed by a trusted certificate authority, so Alice knows the public key belongs to Bob and not to a man in the middle

TLS 1.3 replaced this key transport with ephemeral Diffie-Hellman, so a server key stolen later does not expose recorded sessions
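The four-step exchange above with both sides' messages, as an added example that is not from the slides (Python, stand-alone). It uses textbook RSA with tiny fixed primes so every number is visible and HMAC-SHA256 as a stand-in for TLS's key-derivation function; the certificate check is assumed to have happened (the public key is taken as Bob's). This is a model of the protocol, not a usable cipher suite.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Textbook RSA with tiny fixed primes so every number is visible. Toy only:
# n = 3233 is factored by hand in seconds; real keys are 2048 bits or more.
P, Q = 61, 53
N = P * Q                  # public modulus, 3233
E = 17                     # public exponent
D = 2753                   # private exponent: (E * D) % ((P - 1) * (Q - 1)) == 1
PUBLIC_KEY = (E, N)        # what Bob's certificate carries (assumed CA-verified)


def rsa_encrypt(public_key: Tuple[int, int], m: int) -> int:
    e, n = public_key
    return pow(m, e, n)


def rsa_decrypt(c: int) -> int:
    return pow(c, D, N)    # only Bob holds D


def derive_key(premaster: int, client_random: bytes, server_random: bytes) -> bytes:
    """Both sides run this on the same inputs: HMAC-SHA256 stands in for TLS's PRF."""
    return hmac.new(premaster.to_bytes(2, "big"), client_random + server_random, hashlib.sha256).digest()


def handshake() -> Tuple[bytes, bytes, Dict[str, object]]:
    """Return (Alice's key, Bob's key, what an eavesdropper saw on the wire)."""
    wire: Dict[str, object] = {}
    # 1. Alice -> Bob: hello, with a fresh nonce
    client_random = secrets.token_bytes(16)
    wire["client_hello"] = client_random
    # 2. Bob -> Alice: his nonce and his public key (in TLS, inside the certificate)
    server_random = secrets.token_bytes(16)
    wire["server_hello"] = (server_random, PUBLIC_KEY)
    # 3. Alice -> Bob: a random premaster secret, encrypted so only Bob can read it;
    #    the eavesdropper sees only the ciphertext
    premaster = secrets.randbelow(N - 2) + 2
    wire["client_key_exchange"] = rsa_encrypt(PUBLIC_KEY, premaster)
    alice_key = derive_key(premaster, client_random, server_random)
    # 4. Bob decrypts with his private key and derives the same session key;
    #    from here on both sides use alice_key == bob_key for symmetric encryption
    bob_key = derive_key(rsa_decrypt(wire["client_key_exchange"]), client_random, server_random)
    return alice_key, bob_key, wire


if __name__ == "__main__":
    a, b, seen = handshake()
    print("keys match:", a == b)
    print("on the wire:", seen)
```

The nonces keep the derived key fresh even if Alice reused a premaster, and everything in `wire` is public; the premaster secret is the one value that never crosses the network in the clear.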

Web Crawling

web pages are … just documents (or scripts that produce documents)

a php script can open any url document (e.g. file_get_contents or cURL), so it is only a matter of knowing the url

using the DOM in php (DOMDocument), a list of the links can quickly be identified

start with one url, follow links to other urls using a DFS or BFS; keep a visited set so link cycles don't loop forever
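The BFS crawler described above, as an added example that is not the slides' code (Python's html.parser and urllib.parse rather than PHP's DOMDocument, so it runs stand-alone). Network fetches are replaced by a constructed four-page site held in a dict; the crawler resolves relative links, drops non-HTTP schemes such as mailto:, and stays on the starting host.

```python
from collections import deque
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect every <a href> in a document (the DOM walk the slide mentions)."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


# Constructed site: url -> html, standing in for real fetches so this runs offline.
SITE: Dict[str, str] = {
    "http://example.test/": '<a href="/about">About</a> <a href="/blog/">Blog</a> '
                            '<a href="http://other.test/">Elsewhere</a>',
    "http://example.test/about": '<a href="/">Home</a> <a href="mailto:jerry@example.test">mail</a>',
    "http://example.test/blog/": '<a href="post1">First post</a> <a href="/about">About</a>',
    "http://example.test/blog/post1": '<a href="../">Back</a>',
}


def fetch(url: str) -> Optional[str]:
    return SITE.get(url)


def extract_links(base_url: str, html_text: str) -> List[str]:
    """Absolute http(s) URLs linked from the page, relative hrefs resolved against base_url."""
    parser = LinkCollector()
    parser.feed(html_text)
    out = []
    for href in parser.links:
        absolute = urljoin(base_url, href)
        if urlparse(absolute).scheme in ("http", "https"):
            out.append(absolute)
    return out


def crawl(start: str, fetch_fn: Callable[[str], Optional[str]] = fetch, max_pages: int = 100) -> List[str]:
    """Breadth-first crawl confined to the start URL's host; returns pages in visit order."""
    host = urlparse(start).netloc
    seen = {start}                 # visited set: link cycles (post1 -> ../ -> /) end here
    queue = deque([start])
    order: List[str] = []
    while queue and len(order) < max_pages:
        url = queue.popleft()
        body = fetch_fn(url)
        if body is None:
            continue
        order.append(url)
        for link in extract_links(url, body):
            if urlparse(link).netloc == host and link not in seen:
                seen.add(link)
                queue.append(link)
    return order


if __name__ == "__main__":
    for page in crawl("http://example.test/"):
        print(page)
```

Against a real site, swap `fetch` for an HTTP client, honour robots.txt and add a delay between requests; the same loop with a stack instead of the deque gives the DFS variant.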