Reflected XSS Cross-Site Request Forgery Other Attacks

Size: px

Start display at page:

Download "Reflected XSS Cross-Site Request Forgery Other Attacks"

Dulcie Ford
5 years ago
Views:

1 Reflected XSS Cross-Site Request Forgery Other Attacks CS 166: Introduction to Computer Systems Security 2/21/18 XSS, CSRF, Other Attacks 1

2 Reflected XSS 2/21/18 XSS, CSRF, Other Attacks 2

3 Recap of Persistent XSS Attacker Victim submits malicious script into form requests page stores malicious script into page Server receives page with malicious script 2/21/18 XSS, CSRF, Other Attacks 3

4 Another XSS Attack Mallory (attacker) finds that Bob E.g., Bob embeds in the page a (web server) is vulnerable to XSS via a search term GET variable query=cs166 She crafts a URL that includes a Search results for CS166 malicious script in the variable?query= <script>doevil She tricks Alice (web client) to go to </script> this URL (e.g., phishing) The malicious script is executed by Alice 2/21/18 XSS, CSRF, Other Attacks 4

5 Attacker Reflected XSS sends URL with malicious script clicks on URL builds page that includes malicious script Victim Server receives page with malicious script 2/21/18 XSS, CSRF, Other Attacks 5

6 Cross-Site Request Forgery 2/21/18 XSS, CSRF, Other Attacks 6

7 Cross-Site Request Forgery (CSRF) Attacker s site has script that redirects and issues a request on target site E.g., document.location = ient=attacker&account=2567 If user is already logged in on target site Request is executed by target site on behalf of user E.g., funds are transferred from the user to the attacker 2/21/18 XSS, CSRF, Other Attacks 7

8 CSRF Trust Relationship Server trusts victim (login) Victim trusts attacker Attacker could be a hacked legitimate site Login Victim Server Legitimate Request Malicious Request Attacker 2/21/18 XSS, CSRF, Other Attacks 8

9 Login CSRF Attacker s site includes link or form that logs in victim on target site with attacker s account Subsequent victim s interaction with target site is shared with attacker Navigation in target site Data supplied to target site 2/22/18 XSS, CSRF, Other Attacks 9

10 CSRF Server-Side Defenses Synchronizer token Random token embedded by server in all HTML forms and verified by server CSRF request rejected because attacker cannot guess token Custom HTTP header Custom HTTP headers can be sent only via JavaScript JavaScript is subject to same-origin policy Site supports state-changing HTTP requests via JavaScript Server drops requests submitted without a custom HTTP header 2/21/18 XSS, CSRF, Other Attacks 10

11 Improper Path Sanitization 2/21/18 XSS, CSRF, Other Attacks 11

12 Improper Path Sanitization Problem: only some paths are valid; which ones? Improper path sanitization can lead to disallowed resources being accessed What sorts of resources/paths might we want to make off-limits? 2/21/18 XSS, CSRF, Other Attacks 12

13 Improper Path Sanitization What sorts of resources/paths might we want to make off-limits? Configuration files (e.g., Apache s.htaccess) Files outside the web root Files outside the upload directory Possibly more 2/21/18 XSS, CSRF, Other Attacks 13

14 Blacklists Attempt #1: Blacklists e.g., /foo/bar is off limits What s wrong with this? Multiple paths can refer to the same resource /foo/bar /foo//bar /foo/../foo/bar /foo/bar/baz/.. 2/21/18 XSS, CSRF, Other Attacks 14

15 Blacklists Attempt #1: Blacklists e.g., /foo/bar is off limits What s wrong with this? What about paths outside the web root? /../../etc/passwd Becomes /var/www/../../etc/passwd (e.g., /etc/passwd) 2/21/18 XSS, CSRF, Other Attacks 15

16 Whitelists Attempt #2: Whitelists e.g., only /foo/bar or /baz/blah are allowed What s wrong with this? How to keep the whitelist up to date? How to be nice to users e.g., /foo//bar is really /foo/bar 2/22/18 XSS, CSRF, Other Attacks 16

17 Parse Paths Attempt #3: Parse paths e.g., determine that foo.com/bar doesn t escape web root What s wrong with this? Correct parsing is hard 2/22/18 XSS, CSRF, Other Attacks 17

18 Solution Solution When possible, use existing implementations Apache does this correctly - use it For custom logic, don t use paths Store data in databases Don t use subfolders e.g., /var/uploads filter bad characters (/, \0) or bad path components (..,.) 2/21/18 XSS, CSRF, Other Attacks 18

19 File Upload 2/21/18 XSS, CSRF, Other Attacks 19

20 File Upload Several websites support file upload E.g., homework submission Apache s PHP plugin executes requested *.php files What the upload directory is inside the web root? e.g., /var/www/upload Upload evil.php Visit foo.com/upload/evil.php 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 20

21 Disallow PHP File Uploads Attempt #1: Disallow.php files What could go wrong? What if I want to upload a PHP file? Not sufficient for some configurations J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 21

22 Embedded PHP  <html> <head><title>my Page</title></head> <body> <p>date: <?php echo date();?></p> </body> </html> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 22

23 Circumvention Upload foo.html: <html> <?php do_bad_thing();?> </html> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 23

24 Disallow PHP and HTML File Uploads Attempt #2: Disallow.php and.html files For example, allow only.jpg and.pdf What could go wrong? JPEG supports comments, so embed PHP in JPEG comment field Even if it didn t, we could still craft the right pixel sequences: \x3c\x3f\x70\x68\x70 - <?php \x3f\x3e -?> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 24

25 Solution Solution: don t serve files directly Bad: foo.com/upload/foo.pdf Good: foo.com/get.php?file=foo.pdf Implement custom logic in get.php Don t allow access to upload directory Store outside of web root If that s not possible, use.htaccess or similar 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 25

26 File Inclusion 2/21/18 XSS, CSRF, Other Attacks 26

27 File Inclusion PHP (and other languages) allow dynamic includes include( lib.php ); Imagine a site with dynamically-generated includes: lang = $_GET[ lang ]; include($lang..php ); What could go wrong? 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 27

28 File Inclusion Let s say there s an add-user.php Only included after authentication as admin Can t load directly foo.com/add-user.php Visit foo.com/blah.php?lang=add-user&user=mallory&pass=6666 Makes the include: include( add-user.php ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 28

29 File Inclusion Many PHP functions treat paths as being file paths or URLs What could go wrong? foo.com/blah.php?lang= Makes the include: include( ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 29

30 Solution If you need to dynamically include files, keep a pre-set list, e.g., lang_files = array( en-us => en-us.php, en-gb => en-gb.php, en-l337 => en-l337.php ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 30

31 Business Logic Flaws 2/21/18 XSS, CSRF, Other Attacks 31

32 Business Logic Flaws Business logic is the high-level logic behind a web application s functionality E.g., A user must pay before having an item shipped to them Flaws in the implementation of this logic (or flaws in the logic itself) can be serious Often come from a mismatch between developer assumptions and reality 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 32

33 Cheating on Bulk Discounts Site offers bulk discounts on group of items When a new item is added to the cart, if a bulk discount applies, the prices of all items are lowered appropriately What could go wrong? Add many items to the cart, lowering prices Delete most of them, check out with a cheap item 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 33

34 Proceeding to Checkout In a shopping cart application, when checking out, user is directed through a series of pages: From cart, click checkout button Redirected to page to enter payment details If payment verifies, redirected to shipping details After shipping details verified, order is complete What could go wrong? Go directly to shipping details, skip payment 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 34

35 What We Have Learned Reflected XSS, where the injected malicious script is placed in a dynamically generated page by the vulnerable server Cross-Site Request Forgery, which submits a GET or POST to vulnerable server where the victim is logged in Various other server vulnerabilities Improper path sanitization File upload File inclusion Business logicflaws 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 35

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection