Upload
others
View
12
Download
0
Embed Size (px)
Citation preview
Pattern Recognition and Applications Lab
Universityof Cagliari, Italy
Department ofElectrical and Electronic
Engineering
Integrity attacks (from data to code): Cross-site Scripting - XSS
Igino Coronaigino.corona (at) diee.unica.it
1
Computer Security April 12, 2018
http://pralab.diee.unica.it
• Very useful training application by OWASP
2
Let’s play with OWASP Mutillidae II
http://pralab.diee.unica.it
• Reflected XSS
3
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Reflected XSS– The input of parameter PathToDocument is present
in the web page output
4
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Reflected XSS– Put the “classical” test string as input for PathToDocument:• <script>alert('vulnerable')</script>• Such string is ”reflected” as is, in the page output where is
interpreted by the browser as HTML and then JavaScript code
5
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Reflected XSS– In a real-world attack, reflected XSS may be used to
• stealthily collect confidential information about a user of the vulnerable site
• perform impersonation,• execute an exploit on the victim’s browser …• the attacker can execute arbitrary JavaScript code with the
privileges given by the victim’s browser to the vulnerablewebsite
– To this end, a targeted phishing email may be craftedusing athe identity of the vulnerable site (es. Google) to induce the user to click on the malicious link, e.g.,• www.google.com/mutillidae/index.php?page=document-
viewer.php&PathToDocument=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%76%75%6c%6e%65%72%61%62%6c%65%27%29%3c%2f%73%63%72%69%70%74%3e
6
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Reflected XSS– https://www.google.com
/mutillidae/index.php?page=document-viewer.php&PathToDocument=%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%27%76%75%6c%6e%65%72%61%62%6c%65%27%29%3c%2f%73%63%72%69%70%74%3e
7
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Persistent (Stored) XSS
8
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Persistent (Stored) XSS– Test code tries to output document cookies in a
window
9
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Persistent (Stored) XSS– We inserted HTML code that executes JavaScript
code within a blog entry– Such code is
• stored “as is” within the database• outputted “as is” when blog entries are displayed (by any
user)
10
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Persistent XSS– In a real-world attack, persistent XSS may be used to
• stealthily collect confidential information about any user of the vulnerable site, including admin users
• perform impersonation,• execute an exploit on the victim’s browser …• the attacker can execute arbitrary JavaScript code with the
privileges given by the victim’s browser to the vulnerablewebsite
– More powerful than reflected XSS• Typically, no need for phishing emails• The attacker can add arbitrary code within the vulnerable site
11
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Persistent XSS– Vulnerable admin webpages are expecially useful for
cyber criminals• https://blog.sucuri.net/2016/01/security-advisory-stored-xss-
in-magento.html
12
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Client-side XSS – In this case, vulnerable code is @client-side
applications– Typically, leverages on vulnerabilities within
JavaScript code executed by web browsers– We experiment with a special case, using DOM
injection
13
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Client-side XSS – We see that a username input is outputted in the
page
14
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Client-side XSS – Let’s look @ the source code
• It seems that username input is appended (by the server application) to the string "This password is for ”
• The string is then put through JavaScript code into the DOM element with id idUsernameInput
<script> try{
document.getElementById("idUsernameInput").innerHTML = "This password is for anonymous"; } catch(e) { alert("Error: " + e.message); }// end catch
</script><tr style="text-align: center;">
<td id="idUsernameInput" HTMLEventReflectedXSSExecutionPoint="1" class="label"></td>
</tr>
15
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Server-side XSS– The attacker may try to directly inject (add) JavaScript code exploiting a
vulnerable routine @ server-side:• username=anonymous";alert(document.cookie);var a=”
<script> try{
document.getElementById("idUsernameInput").innerHTML = "This password is for anonymous";alert(document.cookie);var a="";} catch(e) { alert("Error: " + e.message); }// end catch
</script>
16
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Client-side XSS – HTML input is not filtered by JavaScript code– The attacker may also exploit such client-side vulnerability to inject
HTML code through the DOM:– username=google\<img src=\"https://www.google.it/logos/doodles/2016/antoni-van-
leeuwenhoeks-384th-birthday-5116176595156992-hp.gif\"/\>";var a="
<script> try{
document.getElementById("idUsernameInput").innerHTML = "This password is for username google\<img src=\"https://www.google.it/logos/doodles/2016/antoni-van-leeuwenhoeks-384th-birthday-5116176595156992-hp.gif\"/\>";var a="";} catch(e) { alert("Error: " + e.message); }// end catch
</script>
17
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
• Type:– Persistent (stored)
• Malicious input data is stored and comes from a database– Reflected
• Malicious input data comes directly from the client (user) and is reflected in the webpage output
• Location of vulnerable code:• Server-side
– Web application code (e.g., PHP) executed @ server-side• Client-side
– Web application code (typically JavaScript) executed @ client-side
18
A7:2017 Cross-site Scripting (XSS)
http://pralab.diee.unica.it
Targets: HTML/JavaScript code generation routines of client- and server-side applicationsInterpreter: JavaScript engine @ client-side (browser)An insecure handling of input data by web application HTML/JS generator routines, allowsthe attacker to convert input data into (arbitrary) JavaScript code
19
A7:2017 Cross-site Scripting (XSS)
HTTP(S) serverHTTP(S) Client
HTML
Application Database
CSSImages
JavaScript application
Flash Silverlight PDF ReaderClient-side XSS
Server-side XSS
HTML/JS code
generation
HTML/JS code
generation
http://pralab.diee.unica.it
Many TOP 10 attacks violate integrity
TOP 10 Threat Security ViolationA1:2017 – Injection Integrity (DataàCode)
A2:2017 - Broken Authentication Authentication
A3:2017 – Sensitive Data Exposure Confidentiality
A4:2017 - XML External Entities (XXE) Integrity (DataàCode)
A5:2017 - Broken Access Control Access Control
A6:2017 - Security Misconfiguration Any
A7:2017 - Cross-Site Scripting (XSS) Integrity (DataàCode)
A8:2017 - Insecure Deserialization Integrity (DataàCode)
A9:2017 - Using Components with Known Vulnerabilities Any
A10:2017 - Insufficient Logging & Monitoring Monitoring
http://pralab.diee.unica.it
• We have seen different data->code attackinstances that lead to (system) integrity violations– SQL Injection– Cross-site Scripting
• Protecting web applications against data->code attacks require one to:– Identify ALL involved interpreters in the web
application• From HTTP(S) level to DB interfaces and browser plugins
– For each interpreter use a safe API that• prevents data from becoming code• accurately determine the functioning of the application for
ANY data input (expected or unexpected)
Take aways
http://pralab.diee.unica.it
• Key security functionalities– Authentication
• https://www.owasp.org/index.php/Authentication_Cheat_Sheet
– Access Control• https://www.owasp.org/index.php/Access_Control_Cheat_Sheet
• Authentication and access control are the keycomponents to support– Availability– Integrity– Confidentiality (strictly coupled!)
• https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
• Monitoring and response are necessary to mitigate (unavoidable) security violations
• self-monitoring and monitoring data protection
Take aways
http://pralab.diee.unica.it
• The Cybersecurity Market is HUGE
• Thesis proposals include– Botnet detection
• DNS traffic analysis @ ISP premises• http://pralab.diee.unica.it/en/FluxBuster
– Web intrusion detection systems• http://pralab.diee.unica.it/en/SuStorID
– Phishing detection• https://www.pluribus-one.it/?id=44
– Android malware detection• http://pralab.diee.unica.it/en/AndroidPRAGuardDataset
– Adversarial Machine Learning - for computer security• https://sec-ml.pluribus-one.it/
• Many successful stories, latest ones (with my supervision)– Simone Moro – Android Vulnware
• http://pralab.diee.unica.it/en/node/1198– Matteo Contini – Phishing Detection
• https://tesi.clusit.it/vincitori.php
Are you interested in cybersecurity?