Cyber Crime Defense. Web Security 3. Adrian Dabrowski.
1 Web Security 3 Adrian Dabrowski 1
2 Overview More on session attacks (continuation of last year's lecture on session hijacking); Cross Site Request Forgery; Man-in-the-Middle attacks against HTTPS: HTTPS cookie stealing, SSL stripping, Cryptocalypse; Browser history stealing (historical) 2
3 Session Attacks 3
4 What are Session IDs again? HTTP is a stateless protocol: it does not remember previous requests Web applications must create and manage sessions themselves Session data is stored at the server associated with a unique Session ID After session creation, the client is informed about the session ID The client attaches the session ID to each request 4
5 Session Attacks Targeted at "stealing" the session ID If I know the session ID of a currently logged in user I can impersonate him 5
6 Session Attacks Targeted at stealing the session ID Interception: intercept request or response and extract session ID Prediction: predict (or make a few good guesses about) the session ID Brute Force: make many guesses about the session ID Fixation: NEW! make the victim use a certain session ID The first three attacks can be grouped into Session Hijacking attacks we discussed them in Inetsec1 6
7-9 Session Hijacking Attacks Interception: based on sniffing traffic. Prediction/brute forcing: possible if IDs are not random enough. Prevention: use SSL for each request/response that transports a session ID, not only for login! Prevention: use large enough, truly random session IDs 9
10 Session Fixation Attacks So far, we have focused on preventing the attacker from obtaining session credentials. This approach, however, ignores the possibility of the attacker issuing a session ID to the user's browser; the browser then uses a session chosen by the attacker. In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server. What does this mean? The session ID does not have to be stolen 10
11 Session Fixation Attacks Session management mechanisms can be classified as permissive and strict. Permissive (in the sense of tolerant) are those that accept arbitrary session IDs from the browser (e.g., Macromedia JRun Server, PHP). Strict are those that only accept sessions they have created themselves (e.g., MS IIS) 11
12 Simple Scenario (permissive session management) Suppose we have a bank online.worldbank.dom that uses permissive session management. When the web site is accessed, the session ID is transported in the URL parameter sessionid. The attacker picks sessionid=1234, sends the victim a link carrying it (login.jsp?sessionid=1234) and tricks him into clicking on it. The user clicks on the link and is taken to the banking application's login page. The web application sees that a session ID is already present and does not issue a new one: the attacker's session is now bound to the victim. The user is prompted to log in and provides his credentials. The attacker can now access the victim's account using sessionid=1234 12
13-16 Simple Scenario (sequence diagram): 1) the attacker picks sessionid=1234; 2) the attacker sends the victim the link login.jsp?sessionid=1234; 3) the victim sends GET /login.jsp?sessionid=1234 to online.worldbank.com; 4) the victim submits username and password; 5) the attacker sends GET /account.jsp?sessionid=1234 and is served the victim's account 16
17 Another Scenario (strict session management) Strict session management: the server checks that it generated the sessionid itself. When the web site is accessed, the session ID is transported in the URL parameter sessionid. The attacker sends a request to the server, and the server issues the attacker sessionid=1234. The attacker sends this sessionid to the victim and tricks him into clicking on the link login.jsp?sessionid=1234. The user clicks on the link and is taken to the banking application's login page. The web application sees that a valid, server-generated session ID is already present and does not issue a new one. The user logs in with his credentials, and the session is now bound to him. The attacker can access the victim's account 17
18-21 Another Scenario (sequence diagram): 1) the attacker sends GET /login.jsp to online.worldbank.com; 2) the server issues sessionid=1234 to the attacker; 3) the attacker sends the victim the link login.jsp?sessionid=1234; 4) the victim sends GET /login.jsp?sessionid=1234; 5) the victim submits username and password; 6) the attacker sends GET /account.jsp?sessionid=1234 and is served the victim's account 21
22 Session Fixation vs Hijacking Timing! Session Fixation: the victim's browser is attacked before she logs into the target server. Session Hijacking: the victim's browser is attacked after she logs into the target server 22
23 Session Fixation Attacks Attacker needs to be able to get a session ID from the server attacker is a legitimate user of the service, OR server assigns session ID before authentication The victim needs to be tricked into clicking on link (before session times out) Generally, a session fixation attack is a three-step process 1) Session setup 2) Session fixation 3) Session entrance 23
24 Session Fixation Attacks In session setup, the attacker sets up a so-called trap session; the session needs to be kept alive by sending requests. Next, the attacker needs to introduce her session ID into the victim's browser. Then the attacker waits until the victim logs in, and enters the victim's session 24
25 Step 1: Session Setup Session management mechanisms can be classified as: permissive and strict Against permissive systems: attacker simply picks a session ID Against strict systems: attacker sends a request to the server to obtain a session ID Permissive systems are easy to attack because the session ID picked by the attacker can be sent to the server at any time; requires no trap session maintenance 25
26 Step 2: Session Fixation The attacker can use several methods to transport the trap session ID to the victim's browser. One way is to trick the user into clicking a URL that carries the session ID, as in the scenarios above. Another possibility is to prepare a login page (e.g., a phishing page) where the ID is embedded as a hidden form field. An additional method for the session fixation attack: cookies 26
27 Step 2: Session Fixation The attacker needs to install the trap session ID cookie in the victim's browser. However, the browser will only accept a cookie assigned either to the issuing server or to the issuing server's domain: attacker.com cannot set a cookie for worldbank.dom. Hence, the attacker has to exploit an XSS vulnerability in the web site (or a browser bug) to set the cookie, or use cross-subdomain cooking: evil.worldbank.com can set cookies for worldbank.com 27
28 Session Fixation Countermeasures Preventing session fixation is the responsibility of the web application, not the web server: only the web application can implement effective protection. The web server (e.g., Tomcat) only needs to make sure that session IDs cannot be brute-forced or guessed. A common denominator of session fixation attacks is that the victim needs to log in. Use a strict session management policy (the server refuses IDs it did not generate). If possible, the web application should issue session IDs only after successful authentication; alternatively, regenerate the session ID after login. Note that PHP creates a session and issues an ID as soon as session_start() is called, i.e., before any authentication, so you may have to do your own session management 28
29 Session Fixation Countermeasures Session ID usage should be restricted: bind it to the IP (network address), with the usual problems (NAT, proxies, mobile clients changing address); for highly critical applications, bind the session ID to the SSL client certificate (was the session ID established using this certificate?). Session destruction (timeout or logging out): the user must have the option to log out (destroying the current session and any other session); use absolute session timeouts to prevent the attacker from keeping the trap session alive while waiting for the victim to log in (can become inconvenient for the user) 29
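The countermeasures on slides 28 and 29 (strict ID policy, regeneration at login, absolute timeout), as an added example that is not part of the slides: a toy server-side session store in Python with a permissive variant for contrast, and the three-step attack replayed against both. The 15-minute lifetime is an assumed policy value, and the store keeps everything in memory.

```python
import secrets
import time

# Assumed policy value: absolute session lifetime in seconds.
SESSION_LIFETIME = 15 * 60


class StrictSessionStore:
    """Only honours IDs it generated itself (strict policy), regenerates the ID
    when the user authenticates, and expires sessions on an absolute timer so a
    trap session cannot be kept alive by polling."""

    def __init__(self, clock=time.time):
        self._sessions = {}      # session_id -> {"user": ..., "created": ...}
        self._clock = clock      # injectable so timeouts can be tested

    def _new_id(self):
        return secrets.token_urlsafe(32)   # 256 random bits: not guessable

    def _valid(self, session_id):
        sess = self._sessions.get(session_id)
        return sess is not None and self._clock() - sess["created"] <= SESSION_LIFETIME

    def resolve(self, presented_id):
        """Called on every request with the ID the browser presented (or None).
        Strict: an unknown or expired ID is discarded and a fresh one issued."""
        if self._valid(presented_id):
            return presented_id
        self._sessions.pop(presented_id, None)
        fresh = self._new_id()
        self._sessions[fresh] = {"user": None, "created": self._clock()}
        return fresh

    def login(self, session_id, user):
        """Regenerate at the privilege boundary: whoever knew the pre-login ID
        (possibly the attacker) is left holding a dead session."""
        self._sessions.pop(session_id, None)
        new_id = self._new_id()
        self._sessions[new_id] = {"user": user, "created": self._clock()}
        return new_id

    def user_for(self, session_id):
        return self._sessions[session_id]["user"] if self._valid(session_id) else None

    def logout(self, session_id):
        self._sessions.pop(session_id, None)


class PermissiveSessionStore(StrictSessionStore):
    """The vulnerable behaviour from the slides: adopts any ID the browser
    presents and keeps the same ID across login."""

    def resolve(self, presented_id):
        if presented_id not in self._sessions:
            self._sessions[presented_id] = {"user": None, "created": self._clock()}
        return presented_id

    def login(self, session_id, user):
        self._sessions[session_id]["user"] = user     # ID unchanged: the bug
        return session_id


def run_fixation(store):
    """Replays the three steps from the slides. Returns the user the attacker
    is treated as afterwards (None means the attack failed)."""
    trap_id = store.resolve("1234")          # 1) session setup (chosen or obtained)
    victim_id = store.resolve(trap_id)       # 2) session fixation: victim follows the link
    store.login(victim_id, "victim")         #    victim authenticates
    return store.user_for(trap_id)           # 3) session entrance with the trap ID
```

Against the strict store the attacker does obtain a legitimate ID (as in the second scenario), but the regeneration at login makes it worthless; the absolute timeout additionally kills a trap session that is only kept alive by polling.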
30 Cross Site Request Forgery CSRF / XSRF 30
31 Cross Site Request Forgery CSRF: A type of attack that lets attackers send arbitrary HTTP requests on behalf of a victim The damage caused by this attack can be severe The attack is not too easy to understand and avoid, and it is likely that many web applications are vulnerable Typical scenario: User has established level of privilege with the site Attacker uses this privilege to do bad things 31
32 Cross Site Request Forgery The site is the target of the attack. User is the victim and unknowing accomplice. The request comes from the victim, hence, it is difficult to identify a CSRF attack. In fact, if you have not taken precautions, chances are very high that your application is vulnerable to CSRF Many web developers are still unaware of CSRF, so they take no precautions against it Many widely deployed web applications are vulnerable or have been vulnerable to CSRF 32
33 CSRF Example Suppose there exists a simple PHP web application that can be used by a (logged in) administrator for creating new users. Here is the form:
    <form action="create.php" method="POST">
      <p>
        Username: <input type="text" name="username">
        Password: <input type="text" name="password">
        <input type="submit" value="Create" />
      </p>
    </form> 33
34 CSRF Example Here is the simple PHP application, hosted at victim.com as create.php:
    <?php
    session_start();
    // deliberately vulnerable, as on the slide: $_REQUEST also accepts URL parameters
    if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) {
        create_new_user_dude($_REQUEST['username'], $_REQUEST['password']);
    }
    ?> 34
35 CSRF Example What is the problem with this application? Suppose an attacker manages to trick the authenticated user into visiting a web page that she (the attacker) controls. Note that visiting is enough!! The owned web page has an embedded link such as: <img src="http://victim.com/create.php?username=badguy&password=nopasswd"> The browser tries to download the image from victim.com, and helpfully appends the user's cookies for victim.com 35
36-39 CSRF Example (sequence diagram): 1) the user logs in to victim.com (username and password); 2) the user requests GET /index.html from attacker.com; 3) the attacker's page contains <img src="http://victim.com/create.php?username=badguy&password=nopasswd">; 4) the browser sends GET /create.php?username=badguy&password=nopasswd to victim.com, together with the user's session cookie for victim.com 39
40 A First Fix Once the user visits the page, the URL is fetched and a new user is created. Hence, the web application is compromised. Why did this error happen? The application used $_REQUEST instead of $_POST: $_REQUEST merges URL parameters, form fields and cookies, so the application could not distinguish between data sent in the URL and data provided in the form. Using $_REQUEST and allowing GET increases your risk. General principle of web application design: GET requests should have no side effects 40
41 CSRF over POST Using POST requests is not enough to prevent CSRF Attacker can fool user into clicking on submit button of a form on attacker.com form points to victim.com triggers POST request with hidden fields! JavaScript can be used to automatically submit a form no interaction needed! 41
42 CSRF Countermeasures Force the usage of your own forms: try to identify whether the request is coming from your own form. For example, generate a token as part of the form and validate this token upon reception, e.g., a long random value or a keyed hash (the slide mentions unique IDs, MD5 hashes, etc.). The token has to be bound to the user's session, and it must not live only in a cookie, since the browser would then attach it to the forged request automatically. You can limit the validity of the token in time (e.g., 3 minutes). The attacker cannot read the token out of your form because of the SOP 42
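The fix described on slides 40 to 42 (no side effects on GET, and a session-bound, time-limited form token), as an added example that is not part of the slides: a Python version of create.php's request handling with an HMAC-based token. The per-deployment server secret and the 3-minute lifetime are assumptions, and the handler returns an HTTP status instead of writing to a database.

```python
import hashlib
import hmac
import secrets
import time

# Assumed: one secret per deployment (generated at start-up here) and a
# 3-minute token lifetime, the value the slide suggests.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 180


def _mac(session_id, ts):
    msg = f"{session_id}:{ts}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, now=None):
    """Token to embed as a hidden form field. It is an HMAC over the caller's
    session ID and an issue time, so it is bound to that session and expires;
    the server stores nothing extra and an attacker cannot forge it."""
    ts = int(time.time() if now is None else now)
    return f"{ts}:{_mac(session_id, ts)}"


def verify_csrf_token(token, session_id, now=None):
    """Rejects malformed, expired, forged, or other-session tokens."""
    try:
        ts_str, mac = token.split(":", 1)
        ts = int(ts_str)
    except (ValueError, AttributeError):
        return False
    current = int(time.time() if now is None else now)
    if not 0 <= current - ts <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, ts))   # constant-time compare


def handle_create_user(method, params, session_id, now=None):
    """Hardened version of create.php from the slides: no side effects on GET,
    and a POST is only honoured with a valid token for the caller's session.
    Returns (status, message)."""
    if method != "POST":
        return 405, "GET must have no side effects"
    token = params.get("csrf_token")
    if token is None or not verify_csrf_token(token, session_id, now):
        return 403, "missing or invalid CSRF token"
    if "username" not in params or "password" not in params:
        return 400, "missing fields"
    return 200, f"created user {params['username']}"
```

The forged <img> request fails on the method check; a forged POST fails because the attacker's page cannot read the token out of the admin's form (SOP), and a token the attacker obtained from her own session fails because the HMAC covers the session ID.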
43 CSRF Vulnerabilities Many high profile sites have been vulnerable Gmail allowed to steal user's contact list netflix allowed to change name and address, and order movies skype allowed to "steal" the user's skype number (impersonate user, receive his calls, use his credit) 43
44 CSRF against home routers Home DSL/Cable routers have often been vulnerable Typically have weak authentication no password username: admin, password: admin same password for all routers from a provider just google for "$provider $device_name password" most users don't change it Protected by firewall can only log in from inside home network Can use CSRF to send requests to the router from victim's PC inside the network 44
45-47 CSRF against home routers (sequence diagram): 1) the home user requests GET /index.html from attacker.cm; 2) the page contains an <img src=...> pointing at the DSL router; 3) the browser sends GET /action.php?do_something_bad to the DSL router from inside the home network 47
48 CSRF against home routers What can the attacker do? Example: CSRF in home routers from a Mexican ISP; no password was set by default. Add names to the DNS: PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&NAME= Disable wireless authentication: PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_POST&NAME=encrypt_enabled&VALUE=0 Disable the firewall, set a new password, ... 48
49 MITM Attacks against HTTPS 49
50 Stealing HTTPS cookies Man-in-the-middle attack against HTTPS; encryption should protect from MITM! But the cookie management policy is not consistent with the Same Origin Policy. SOP: in addition to the domain, the protocol must be the same, so http:// and https:// are different origins. Cookies: whether the protocol matters depends only on the Secure flag in the cookie; if the Secure flag is not set, a cookie set inside an https session will also be sent over an http session. A MITM can use this to steal a session ID that was set inside an HTTPS connection! 50
51 Stealing HTTPS cookies Attack steps: the user logs in to https://mybank.com; the server sets a session ID cookie for mybank.com, encrypted inside HTTPS; the user issues an unencrypted HTTP request for something else; the attacker (MitM) replies with a redirect to an http:// URL on mybank.com; the browser follows the redirect and sends out the cookie with the session ID; the attacker has access to the user's session! 51
52 Stealing HTTPS cookies Easy to check for using your browser. Check your online banking web site, and send them an e-mail if they are vulnerable. When I first checked the 2 banking web sites I use, both were vulnerable. OK! 52
53 Cookie Attributes HTTP/1.1 200 OK Content-type: text/html Set-Cookie: name=value Limit to HTTPS: Set-Cookie: name=value; Secure Hide from script (JavaScript's document.cookie, XML-RPC/API code running in the page), so the cookie only travels in the browser's own requests: Set-Cookie: name=value; HttpOnly 53
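The cookie rule from slides 50 to 53, as an added example that is not part of the slides: a toy browser cookie jar in Python that scopes cookies by host rather than scheme, so only the Secure attribute keeps a cookie off plain HTTP, plus the MitM redirect from slide 51 run against it. The host names are the slide's; the jar ignores path and domain attributes for brevity, and it also applies the modern rule that a Secure cookie is refused when it arrives over HTTP.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() or True
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Cookies are keyed by host only; the scheme plays no role unless Secure is set."""

    def __init__(self):
        self._cookies = {}   # (host, name) -> (value, secure, httponly)

    def store(self, response_url, set_cookie_value):
        """Store a cookie from a response. Returns False if the browser rejects it."""
        parts = urlsplit(response_url)
        name, value, attrs = parse_set_cookie(set_cookie_value)
        secure = "secure" in attrs
        if secure and parts.scheme != "https":
            return False   # modern browsers refuse a Secure cookie set over plain HTTP
        self._cookies[(parts.hostname, name)] = (value, secure, "httponly" in attrs)
        return True

    def _matching(self, url, for_script):
        parts = urlsplit(url)
        https = parts.scheme == "https"
        for (host, name), (value, secure, httponly) in self._cookies.items():
            if host != parts.hostname:
                continue
            if secure and not https:
                continue          # the only thing keeping a cookie off plain HTTP
            if for_script and httponly:
                continue          # hidden from document.cookie
            yield f"{name}={value}"

    def cookies_for(self, request_url):
        """Cookie header the browser attaches to a request for request_url."""
        return "; ".join(self._matching(request_url, for_script=False))

    def script_visible(self, page_url):
        """document.cookie as seen by script running on page_url."""
        return "; ".join(self._matching(page_url, for_script=True))


def mitm_steal(jar, redirect_to="http://mybank.com/"):
    """Slide 51: the victim makes some unrelated plain-HTTP request, the MitM
    answers it with a redirect to an http:// URL on the bank's host, the browser
    follows it. Returns what the MitM can read from that request."""
    return jar.cookies_for(redirect_to)
```

This is also the check the slide suggests running against your own bank: if a session cookie set on the https:// login is still attached to a request for http://<same host>/, the site is vulnerable.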
54 SSL Stripping A more powerful MitM attack against HTTPS. An old problem that has recently been highlighted again. Users do not type "https://" in their browser (or "http://"). Most of the time, users reach https through http, and this first step is unprotected 54
55-58 SSL Stripping The basic idea: the attacker speaks HTTPS with the server and HTTP with the user (diagram: user, HTTP, MitM, HTTPS, mybank.com). Initial requests: the user talks HTTP to the MitM, the MitM talks HTTP to mybank.com; when the server says "now let's talk HTTPS!", the MitM switches to HTTPS towards mybank.com while keeping plain HTTP towards the user 58
59 SSL Stripping The user types mybank.com into the URL bar. Before logging in, the user would normally be directed to the bank's HTTPS web site, via an HTTP 3xx redirect or via an https link. The MitM attacker can modify the data sent from the server: change https:// to http:// in the server replies! 59
60-63 SSL Stripping (sequence diagram): the user sends GET http://mybank.com/ and the MitM forwards it to mybank.com; the server's reply contains <a href="https://mybank.com"> Online Banking </a>; the MitM rewrites it to <a href="http://mybank.com"> Online Banking </a> before passing it on; the user follows the link with a plain GET http://..., which the MitM turns into GET https://... towards mybank.com 63
64 Fooling the user The user can see http:// in the address bar; some users may check for this. A lock favicon may help fool them. Many sites use https only for login, to protect username and password; this does not protect against session hijacking. SSL stripping in these cases is undetectable unless the user looks at the HTML page source 64
65 Fooling the user (Screenshot: the user never sees https; only the login form's submit link would have pointed to HTTPS) 65
66 Implementing SSL Stripping Modify server replies: replace https links with http, in HTTP 3xx redirect replies and in the HTML page (harder if the page is dynamically generated with JavaScript). Forward the client's requests to the server over HTTPS. Remove the Secure flag on cookies sent by the server, otherwise the user's browser will not send them back over HTTP! Simplify the task: avoid compression and chunked encoding by talking HTTP/1.0 with the server and sending Accept-Encoding: identity 66
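The rewrite rules listed on slide 66, as an added example that is not the slides' or any tool's code: the response transformation an SSL-stripping proxy applies (Location header, Set-Cookie Secure flag, https links in the body) and the headers it sends upstream so the body arrives uncompressed, written in Python over a constructed response. The "Connection: close" header is the HTTP/1.1 equivalent of the slide's "talk HTTP/1.0" trick and is an assumption of this example.

```python
import re


def strip_response(status_line, headers, body):
    """Rewrite a server response (received over HTTPS) before relaying it to the
    victim over plain HTTP. headers is a list of (name, value) pairs."""
    out = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            # a 3xx redirect to https:// becomes a redirect to http://
            value = value.replace("https://", "http://", 1)
        elif lname == "set-cookie":
            # drop Secure, otherwise the victim's browser would never send the
            # cookie back over the downgraded HTTP connection
            value = re.sub(r";\s*secure(?=\s*;|\s*$)", "", value, flags=re.IGNORECASE)
        elif lname == "strict-transport-security":
            continue   # browsers ignore HSTS over plain HTTP anyway; drop it
        out.append((name, value))
    # https:// in links, form actions and embedded resources of the HTML page
    body = re.sub(r'(href|src|action)=(["\'])https://', r"\1=\2http://",
                  body, flags=re.IGNORECASE)
    return status_line, out, body


def upstream_request_headers(client_headers):
    """Headers the proxy sends to the real server: no compression and no
    keep-alive, so the body arrives plain and unchunked and can be rewritten."""
    keep = [(n, v) for n, v in client_headers
            if n.lower() not in ("accept-encoding", "connection")]
    return keep + [("Accept-Encoding", "identity"), ("Connection", "close")]
```

The last rule (dropping Strict-Transport-Security) is also why HSTS only helps a client that has already seen the site over HTTPS once: on the very first, stripped visit the header never reaches the browser in a form it would honour.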
67 SSL Stripping Variant Instead of stripping SSL, we can have 2 separate HTTPS conversations, one with the user and one with the destination site (diagram: user, HTTPS, MitM, HTTPS, mybank.com) 67
68 SSL Stripping Variant Option 1: use a fake, self-signed certificate for mybank.com; the browser warning may scare the user away! Option 2: redirect the user to https://evil.com, for which the attacker has a valid certificate; the user may notice the wrong domain in the address bar! Option 3: like 2, but use a domain name that looks similar to mybank.com; with internationalized domain names, this is a very powerful attack 68
69 SSL Stripping Variant (diagram: the user talks HTTPS to mybonk.com, for which the attacker holds a valid certificate; the attacker talks HTTPS to mybank.com, which has its own valid certificate) 69
70 Recent SSL Stripping Attack (variant with a valid certificate from a compromised CA) DigiNotar hack: July 10, 2011, fraudulent wildcard certificates for google.com, etc. Short video. Other CAs attacked in 2011: StartCom, Comodo; fraudulent certificates were issued for addons.mozilla.org, login.live.com, mail.google.com, login.yahoo.com, login.skype.com. Such certificates might also be used to subvert software updates (addons.mozilla.org) 70
71 Symantec vs Google (Sept. 2015) 71
73 Current Efforts Certificate/CA Pinning in Browser Certificate Transparency Currently for EV certificates Some APIs only accessible via HTTPS 73
74 Extended Validation (EV) Certificates Name of Entity shown Green Bar 74
75 Cryptocalypse A typical browser has 100+ root certificates (CAs) installed. Each CA can delegate to sub-CAs (resellers). Cost pressure reduces the level of customer verification and the security of the infrastructure. Any of these sub-CAs can sign certificates for any domain (e.g. finanzonline.gv.at). The same mechanism is used by Deep Packet Inspection (DPI) appliances. Countermeasure: CA or certificate pinning, i.e., the software additionally checks who issued the certificate 75
76 HTTP Strict Transport Security (HSTS) Strict-Transport-Security: max-age=<seconds>; includeSubDomains The browser caches the site's HTTPS capability; HSTS headers received over HTTP are ignored. HTTPS Everywhere: browser plugin that automatically redirects to https://, whitelist (rule-list) based. Related: HTTP Public Key Pinning (HPKP) allows the server to pin its key or certificate authority 76
77 Perfect Forward Secrecy Scenario: some attacker sniffs encrypted traffic, obtains the private keys afterwards (years later?) and decrypts the traffic. Perfect Forward Secrecy: use a special step in the initial session setup for the key exchange (ephemeral Diffie-Hellman); the short-term session key is not compromised even when the long-term keys are compromised in the future. Optional in IPsec and in SSL/TLS since SSLv3 (browser compatibility!). Computational overhead 15-30% 77
78 Where is SSL added? 78
79 Browser History Stealing (Historical) Reborn using HTML5 and GPU filter side channels 79
80 Browser History Stealing Browsers display visited links differently from non-visited links; very helpful to users (which Google search results have I already visited?). This can be used to find out if the user has visited a site: has the user visited example.com? The attacker prepares a web page at attacker.com containing the link <a href="http://example.com">...</a> and checks how the link is displayed 80
81 Browser History Stealing How can the attacker check the link color? the link is displayed in the web page attacker.com SOP allows attacker to access the content use javascript to check color or font size Attack can also be performed without javascript using CSS (Cascading Style Sheets) 81
82 History Stealing without JavaScript CSS is used to improve HTML by separating presentation from document structure: HTML defines the content, CSS specifies how to display that content, using simple rules that match content and specify how the matching elements are displayed. a:visited defines the style for visited links; a style can include a background image: background: url(log_visited.php?example.com). Use div+span to associate a different background URL with each link 82
83 History Stealing Proofs of Concept CSS based used for this demo Javascript based 83
84 noscript is on 84
85 Browser History Stealing Browser history can leak user's private information not just porn!.. Recent work from seclab: de-anonymizing users of social networks using browser history stealing checks for URLs specific to facebook/xing/linkedin groups in browser history the groups you are part of, can uniquely identify you 85
86 Countermeasures (by Browsers) JAVASCRIPT Reading of certain CSS styles (e.g. color of links) always return the default value. CSS only Restrict usage of certain attributes (e.g. background:url() ) in a:visited styles. 86
87 History Stealing in Public WiFi Hotspots (and other MitM scenarios) 87
88 History stealing with Public Wi-Fi Hotspots Internet Like a well in a village We gather there, pull up a bucket or two of Internet Look at the sign from the sponsor and move on. 88
89 What is a Captive Portal? 89
90 Why Captive Portal Omnipresent in Wi-Fi Hotspots Used by you probably right now (in this very hotel) Has an elevated position on the network Man-in-the-Middle by design Sponsors of a Wi-Fi want us to see their messages (and accept the disclaimer) There is no standard for that Let's inject it into your traffic 90
91 MitM by design!? 91
92 Browser History Stealing, again? Baron et al., 2002: :visited link color. Ruderman et al., 2000: :visited can load images. Jang et al., 2010: sites are actively trying to steal history 92
93 History, so what? Culture & Language Amazon.fr, Amazon.jp Sexual orientation grindr.com, transblog.de Partnership status Okcupid.com, parship.com Employer intranet.ibm.com Other websites that give interesting insights Medical conditions Political campaigns Religious communities 93
94 Source: MindSource April 1996 BOF; Client State Tracking with Netscape Cookies; M. Strata Rose; Also reason for CSRF 95
95 Cookies (or: not enough state for HTTP) Two kinds: session cookies, usually forgotten when the browser is closed; persistent cookies, stored on disk with an expiry date. Their scope depends only on the host name (FQDN) and path, not on the protocol, unless the Secure flag is set. Consequences: XSS, XSRF; a cookie set over HTTP is also sent over HTTPS, so insecure cookies get mixed into the cookies of the HTTPS session 96
97 (Diagram: the user's first plain-HTTP request, carrying its cookies, is answered by the hotspot with a 302 redirect to login.hotspotsys.com/login; the portal page served there contains <img> probes such as a.com/probe, and the browser fetches each of them with the cookies it holds for that site.) 98
99-100 Sure, crypto will save us! HTTPS hides the traffic (and therefore the cookies), but it is not used by default (e.g., when a URL is entered in the location bar). HTTP Strict Transport Security (HSTS): the site announces that the same content is available via HTTPS; the client caches this and uses HTTPS by default for this site next time. That cache is itself a side channel: whether the browser upgrades a request reveals whether it has visited the site before 101
103 Which users are affected? Everyone who uses the standard browser to log in to the captive portal (mobile, notebook, ...), even VPN users. Android and iOS introduced captive portal detectors, primarily for convenience: they start a stripped-down browser. The online test is very easy to fool since it is based on plain HTTP; the user then uses the main browser to log in, exposing their history 104
104 Sure, VPN will save us? (Timeline diagram for connecting to a new Wi-Fi: WiFi connection, DHCP, captive portal, then the VPN comes up. The browser history is exposed at the captive-portal step, before the VPN exists.) 105
105 Captive Portal Detection A convenience feature. iOS since version 4; Android since 4.2 (used the default browser), Android since 5 uses a captive portal browser. The test is easy to circumvent: it is plain HTTP!
106 Which sites affected? Uses long-term (persistent) cookie e.g., for session, tracking, or configuration Can be set via HTTP Header Javascript Uses HSTS header 107
107 (Share of sites affected in the measurement: Top 1K 82-92%, Top 200K 59-86%) 108
108 Implementation POC implementation Speed up by Marking probe request with a special string Returning 1x1 pixel or killing connections Caching DNS Still one DNS request for each probed site Added de-anonymization e.g., via amazon.com 109
109 Hotspot Ecosystem There is no standard for displaying the hotspot splash screen, so operators choose to present their message in-band, by redirecting or tampering with traffic. Some do this also for SSL traffic, e.g., via DNS (_portal.local). This affects VPN users as well 111
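The HSTS rules from slide 76 and the captive-portal history stealing of slides 97 to 109, as one added example that is not part of the slides or of the POC they describe: a Python model of the browser state the attack relies on (an HSTS cache that ignores headers received over HTTP, honours max-age and includeSubDomains, and upgrades requests; plus persistent non-Secure cookies sent over http://), the splash page with one plain-HTTP <img> probe per site, and what the hotspot gateway learns when the victim's browser renders it. The probe marker string, the welcome text and the sites and cookie values are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit

PROBE_MARK = "hsprobe"   # assumed marker so the gateway recognises its own probes quickly


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains),
    or None if no usable max-age is present."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsCache:
    """Browser-side HSTS store with the RFC 6797 rules that matter here."""

    def __init__(self, clock=time.time):
        self._entries = {}          # host -> (expires_at, include_subdomains)
        self._clock = clock

    def process_response(self, url, header_value):
        """Only an HTTPS response may create or clear an entry; the same header
        received over plain HTTP (e.g. injected by a MitM) is ignored."""
        parts = urlsplit(url)
        parsed = parse_hsts(header_value)
        if parts.scheme != "https" or parsed is None:
            return False
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(parts.hostname, None)     # max-age=0 clears the entry
        else:
            self._entries[parts.hostname] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._clock() and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url):
        """What the browser does before sending a request for a known host."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


class BrowserModel:
    """Client state the attack relies on: persistent non-Secure cookies, which
    the browser sends over http://, and the HSTS cache."""

    def __init__(self, persistent_cookies, hsts):
        self.persistent_cookies = dict(persistent_cookies)   # host -> "name=value"
        self.hsts = hsts

    def fetch(self, url):
        """Returns what leaves the machine: (scheme on the wire, host, Cookie header or None)."""
        url = self.hsts.upgrade(url)
        parts = urlsplit(url)
        cookie = self.persistent_cookies.get(parts.hostname) if parts.scheme == "http" else None
        return parts.scheme, parts.hostname, cookie


def build_probe_page(sites):
    """Splash page injected by the hotspot: one plain-HTTP <img> probe per site."""
    imgs = "\n".join(f'<img src="http://{s}/?{PROBE_MARK}=1" width="1" height="1">' for s in sites)
    return f"<html><body><p>Welcome, please accept the terms.</p>\n{imgs}\n</body></html>"


def gateway_observes(browser, sites):
    """What the gateway (MitM by design) learns when the victim renders the page."""
    visited, leaked = set(), {}
    for url in re.findall(r'<img src="(http://[^"]+)"', build_probe_page(sites)):
        scheme, host, cookie = browser.fetch(url)
        if scheme == "https":
            # We sent http://; the browser upgraded it on its own, so it holds an
            # HSTS entry for the host, which it can only have obtained by visiting
            # the site over HTTPS before: the HSTS cache is the side channel.
            visited.add(host)
        elif cookie is not None:
            visited.add(host)
            leaked[host] = cookie      # persistent cookie: visited, and reusable by the attacker
    return visited, leaked
```

Sites with neither a persistent cookie nor an HSTS entry stay invisible to the gateway, which is why the measurement on slide 107 counts only sites using long-term cookies or HSTS; a site that sets its cookie with Secure and is reached only over HTTPS leaks nothing here, but a cached HSTS entry still answers the "visited?" question.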
110 Conclusions We covered a range of advanced topics in web security session fixation cross-site request forgery https cookie theft SSL problems Cryptocalypse browser history stealing 125
111 Web Security 3 Adrian Dabrowski 1
112 Overview More on session attacks continuation of last year's lecture (session highjacking) Cross Site Request Forgery Man-in-the-Middle attacks against HTTPS https cookie stealing SSL Stripping Cryptocalypse Browser history stealing (historical) 2
113 Session Attacks 3
114 What are Session IDs again? HTTP is a stateless protocol: it does not remember previous requests Web applications must create and manage sessions themselves Session data is stored at the server associated with a unique Session ID After session creation, the client is informed about the session ID The client attaches the session ID to each request 4
115 Session Attacks Targeted at "stealing" the session ID If I know the session ID of a currently logged in user I can impersonate him 5
116 Session Attacks Targeted at stealing the session ID Interception: intercept request or response and extract session ID Prediction: predict (or make a few good guesses about) the session ID Brute Force: make many guesses about the session ID Fixation: NEW! make the victim use a certain session ID The first three attacks can be grouped into Session Hijacking attacks we discussed them in Inetsec1 Interception WIFI 6
117 Session Hijacking Attacks Interception: based on sniffing traffic Prediction/Brute forcing possible if IDs are not random enough 7
118 Session Hijacking Attacks Interception: based on sniffing traffic Prediction/Brute forcing possible if IDs are not random enough Prevention: use SSL for each request/response that transports a session ID not only for login! 8
119 Session Hijacking Attacks Interception: based on sniffing traffic Prediction/Brute forcing possible if IDs are not random enough Prevention: use SSL for each request/response that transports a session ID not only for login! Prevention: use large enough, truly random session IDs 9
120 Session Fixation Attacks So far, we have focused on preventing the attacker from obtaining session credentials This approach, however, ignores the possibility of the attacker issuing a session ID to the user s browser The browser then uses a chosen session In a session fixation attack, the attacker fixes the user s session ID before the user even logs into the target server What does this mean? The session ID does not have to be stolen 10
121 Session Fixation Attacks Session management mechanisms can be classified as: permissive and strict Permissive are those that accept arbitrary session IDs from browser (e.g., Macromedia JRun Server, PHP) Strict are those that only accept sessions that they have created (e.g., MS IIS) 11 Permissive im sinne von Tollerant
122 Simple Scenario (permissive session management) Suppose we have a bank online.worldbank.dom, that uses permissive session management When the web site is accessed, a session ID is transported via URL parameter sessionid Attacker picks a sessionid=1234 Attacker sends sessionid to victim and tricks him into clicking on it: The user clicks on the link and is taken to the banking application login page The web application sees that a session has been assigned and does not issue a new one. Session is bound to new user The user is prompted to log in and provides his credentials Attacker can access victim s account 12
123 Simple Scenario 1) sessionid=1234 ATTACKER online.worldbank.com VICTIM 13
124 Simple Scenario 1) sessionid=1234 ATTACKER 2) login.jsp?sessionid=1234 online.worldbank.com VICTIM 14
125 Simple Scenario 1) sessionid=1234 ATTACKER 2) login.jsp?sessionid=1234 3) GET /login.jsp?sessionid=1234 4) username and password VICTIM online.worldbank.com 15
126 Simple Scenario 1) sessionid=1234 ATTACKER 5) G ET /acc o 2) login.jsp?sessionid=1234 unt. jsp? ses sio nid= ) GET /login.jsp?sessionid=1234 4) username and password VICTIM online.worldbank.com 16
127 Another Scenario (strict session managment) Strict session management: the server checks it generated the sessionid When the web site is accessed, a session ID is transported via URL parameter sessionid Attacker sends a request to server Server issues attacker a sessionid=1234 Attacker sends sessionid to victim and tricks him into clicking on it: sessionid=1234 The user clicks on the link and is taken to the banking application login page The web application sees that a session has been assigned and does not issue a new one. Session is bound to new user Attacker can access victim s account 17
128 Another Scenario ATTACKER 1) G ET /log in.js p 2) s e ss ioni d= online.worldbank.com VICTIM 18
129 Another Scenario 1) G ET /log in.js p 2) s e ss ioni d= ATTACKER 3) login.jsp?sessionid=1234 online.worldbank.com VICTIM 19
130 Another Scenario 1) G ET /log in.js p 2) s e ss ioni d= ATTACKER 3) login.jsp?sessionid=1234 4) GET /login.jsp?sessionid=1234 5) username and password VICTIM online.worldbank.com 20
131 Another Scenario 1) G ET /log in.js p 2) s e ss ioni d 6) G = 12 ATTACKER ET 34 /acc oun t.jsp?se ssio nid= 3) login.jsp?sessionid=1234 4) GET /login.jsp?sessionid=1234 5) username and password VICTIM online.worldbank.com 21
132 Session Fixation vs Hijacking Timing! Session Fixation: Victim s browser is attacked before she logs into the target server Session Hijacking: Victim s browser is attacked after she logs into the target server Difference? 22
133 Session Fixation Attacks Attacker needs to be able to get a session ID from the server attacker is a legitimate user of the service, OR server assigns session ID before authentication The victim needs to be tricked into clicking on link (before session times out) Generally, a session fixation attack is a three-step process 1) Session setup 2) Session fixation 3) Session entrance 23
134 Session Fixation Attacks In session startup, attacker sets up a socalled trap session. Session needs to be kept alive by sending requests Next, attacker needs to introduce her session ID to the victim s browser Attacker needs to wait until the victim logs in and then enter the victim s session. 24
135 Step 1: Session Setup Session management mechanisms can be classified as: permissive and strict Against permissive systems: attacker simply picks a session ID Against strict systems: attacker sends a request to the server to obtain a session ID Permissive systems are easy to attack because the session ID picked by the attacker can be sent to the server at any time; requires no trap session maintenance 25
136 Step 2: Session Fixation Attacker can use several methods to transport the trap session to the victim's browser One way is to trick the user into clicking a URL, for example: Another possibility is to prepare a login page (e.g., phishing page) where the ID is embedded as a hidden form field additional method for session fixation attack: cookies 26 Cookies obey same origin policy
137 Step 2: Session Fixation The attacker needs to install the trap session ID cookie on the victim's browser However, the browser will only accept a cookie assigned either to the issuing server or the issuing server's domain. attacker.com cannot set a cookie for worldbank.dom Hence, the attacker can exploit an XSS vulnerability in the website or browser to set a cookie cross-subdomain cooking evil.worldbank.com can set cookies for worldbank.com 27
138 Session Fixation Countermeasures Preventing session fixation is the responsibility of the web application, not the web server Only the web application can implement effective protection. The web server (e.g., Tomcat) only needs to make sure that session IDs cannot be brute-forced or guessed A common denominator for session fixation attacks is that the victim needs to log in. Use strict session management policy (server refuses IDs it did not generate) If possible, web application should issue session IDs only after successful authentication alternatively, regenerate the session ID after login 28 PHP creates session as soon as you use $_SESSION Maybe do your own session management?
139 Session Fixation Countermeasures Session ID usage should be restricted Bind to IP (network address): usual problems Session ID should be bound to SSL client certificate for highly-critical applications (was the session ID established using certificate?) Session destruction (timeout or logging out) User must have option to log out (destroy current session and any other session) use absolute session timeouts in order to prevent attacker from keeping trap session alive while waiting for victim to log in (can become inconvenient for the user) 29
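The following is an added example, not code from the lecture: a small in-memory session manager that implements the three countermeasures above (strict ID policy, ID regeneration at login, absolute timeout) and can be switched to the permissive / non-regenerating behaviour so the fixation outcome can be compared. The trap ID string, the 15-minute timeout and the helper names are constructed for the example.

```python
import secrets
import time

# Absolute lifetime of a session, counted from creation rather than last use, so an
# attacker cannot keep a trap session alive by polling it (constructed value: 15 minutes).
ABSOLUTE_TIMEOUT = 15 * 60


class SessionManager:
    """In-memory session store with the countermeasures from the slides: strict ID policy,
    ID regeneration at login, and an absolute timeout. The two flags only exist so the
    permissive / non-regenerating behaviour can be shown next to the hardened one."""

    def __init__(self, strict=True, regenerate_on_login=True, now=time.time):
        self.strict = strict
        self.regenerate_on_login = regenerate_on_login
        self._now = now                    # injectable clock, so timeouts can be exercised
        self._sessions = {}                # session_id -> {"user": str | None, "created": float}

    @staticmethod
    def _new_id():
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG: not guessable

    def _store(self, sid, user):
        self._sessions[sid] = {"user": user, "created": self._now()}
        return sid

    def create(self):
        """Issue a fresh, server-chosen ID (e.g. for an anonymous visitor)."""
        return self._store(self._new_id(), None)

    def lookup(self, sid):
        """Resolve a presented ID. Strict: IDs the server never issued are rejected.
        Permissive: an unknown ID is simply adopted, which is what makes fixation trivial."""
        sess = self._sessions.get(sid)
        if sess is None:
            if self.strict or sid is None:
                return None
            self._store(sid, None)         # permissive server adopts the attacker-picked ID
            sess = self._sessions[sid]
        if self._now() - sess["created"] > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]        # absolute timeout: trap session dies regardless of activity
            return None
        return sess

    def login(self, presented_sid, user):
        """Authenticate. With regeneration the presented ID is thrown away and a new one issued,
        so an ID planted in the browser before login never becomes a logged-in session."""
        sess = self.lookup(presented_sid)
        if self.regenerate_on_login:
            if sess is not None:
                del self._sessions[presented_sid]
            return self._store(self._new_id(), user)
        if sess is None:                   # strict server, no regeneration: an issued ID is still required
            return None
        sess["user"] = user
        return presented_sid

    def logout(self, sid):
        self._sessions.pop(sid, None)


def fixation_outcome(strict, regenerate):
    """Simulate the three-step attack and return the user the attacker's planted ID resolves
    to after the victim logs in; None means the fixation attempt failed."""
    m = SessionManager(strict=strict, regenerate_on_login=regenerate)
    # Step 1, session setup: against a permissive server the attacker just picks an ID;
    # against a strict one she must obtain a real one first (constructed trap ID below).
    trap_id = m.create() if strict else "attacker-chosen-id"
    # Step 2, session fixation (link, hidden field or cookie) is assumed to have succeeded.
    # Step 3, session entrance: the victim logs in with the planted ID, attacker reuses it.
    m.login(trap_id, "victim")
    sess = m.lookup(trap_id)
    return None if sess is None else sess["user"]
```

Only the combination of a strict policy with regeneration at login defeats the planted ID in every case; a strict policy alone still falls to an attacker who is a legitimate user and plants an ID the server issued to her.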
140 Cross Site Request Forgery CSRF / XSRF 30
141 Cross Site Request Forgery CSRF: A type of attack that lets attackers send arbitrary HTTP requests on behalf of a victim The damage caused by this attack can be severe The attack is not too easy to understand and avoid, and it is likely that many web applications are vulnerable Typical scenario: User has established level of privilege with the site Attacker uses this privilege to do bad things 31
142 Cross Site Request Forgery The site is the target of the attack. User is the victim and unknowing accomplice. The request comes from the victim, hence, it is difficult to identify a CSRF attack. In fact, if you have not taken precautions, chances are very high that your application is vulnerable to CSRF Many web developers are still unaware of CSRF, so they take no precautions against it Many widely deployed web applications are vulnerable or have been vulnerable to CSRF 32
143 CSRF Example Suppose there exists a simple PHP Web application that can be used by a (logged in) administrator for creating new users. Here is the form: <form action="create.php" method="POST"> <p> Username: <input type="text" name="username"> Password: <input type="text" name="password"> <input type="submit" value="Create" /> </p> </form> 33
144 CSRF Example here is the simple PHP application hosted at <?php session_start(); if (isset($_REQUEST['username']) && isset($_REQUEST['password'])) { create_new_user_dude($_REQUEST['username'], $_REQUEST['password']); } ?> 34
145 CSRF Example What is the problem with this application? Suppose an attacker manages to trick the authenticated user into visiting a web page over which she has control Note that visiting is enough!! The owned web page has an embedded link such as: <img src="http://victim.com/create.php?username=badguy&password=nopasswd"> The browser tries to download the image from victim.com browser helpfully appends the user's cookies for victim.com 35
146 CSRF Example 1) Log in (username and password) victim.com USER attacker.com 36
147 CSRF Example 1) Log in (username and password) victim.com USER 2) GET /index.html attacker.com 37
148 CSRF Example 1) Log in (username and password) victim.com USER 3) <img src= username=badguy&password=nopasswd> 2) GET /index.html attacker.com 38
149 CSRF Example 1) Log in (username and password) 4) GET /create.php?username=badguy&password=nopasswd +session cookie for victim.com victim.com USER 3) <img src= username=badguy&password=nopasswd> 2) GET /index.html attacker.com 39
150 A First Fix Once the user visits the page, the URL is fetched and a new user is created. Hence, the web application is compromised Why did this error happen? The application used $_REQUEST instead of $_POST It could not distinguish between data sent in the URL and data provided in the form $_REQUEST and allowing GET increases your risk General principle of web application design: GET requests should have no side effects 40
151 CSRF over POST Using POST requests is not enough to prevent CSRF Attacker can fool user into clicking on submit button of a form on attacker.com form points to victim.com triggers POST request with hidden fields! JavaScript can be used to automatically submit a form no interaction needed! 41
152 CSRF Countermeasures Force the usage of your own forms. Try to identify if the request is coming from your own form For example, you could generate a token as part of the form and validate this token upon reception E.g., using unique IDs, MD5 hashes, etc. The token has to be bound to the user session Cannot be stored in a cookie You could limit the validity of the token time (e.g., 3 minutes) Attacker cannot steal the token because of SOP 42
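As an added example (not the lecture's code), the vulnerable create.php logic from the slides is modelled next to a hardened version that accepts POST only and requires a token bound to the user's session via an HMAC with a server secret and a 3-minute validity. The `Request` class, `SERVER_SECRET`, the session IDs and the user store are all constructed stand-ins for the real framework objects.

```python
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed per process; a real app keeps this persistent and secret
TOKEN_TTL = 180                           # seconds: the "3 minutes" from the slides


class Request:
    """Minimal stand-in for an HTTP request as the server sees it (constructed)."""

    def __init__(self, method, query=None, form=None, session_id=None):
        self.method = method
        self.query = dict(query or {})      # URL parameters (GET data)
        self.form = dict(form or {})        # body parameters (POST data)
        self.session_id = session_id        # from the session cookie the browser attached

    @property
    def REQUEST(self):
        """PHP-style $_REQUEST: GET and POST data merged, so where a value came from is lost."""
        merged = dict(self.query)
        merged.update(self.form)
        return merged


def vulnerable_create_user(req, users):
    """Mirrors create.php from the slides: any request carrying both parameters creates a user,
    whether they arrived in the URL (an <img> fetch) or in a form body."""
    params = req.REQUEST
    if "username" in params and "password" in params:
        users[params["username"]] = params["password"]
        return True
    return False


def make_csrf_token(session_id, now=None):
    """Token = expiry:HMAC(secret, session_id:expiry). It is bound to the session (never stored
    in a cookie, so SOP keeps it out of attacker.com's reach) and expires after TOKEN_TTL."""
    now = time.time() if now is None else now
    exp = int(now) + TOKEN_TTL
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    return f"{exp}:{mac}"


def check_csrf_token(token, session_id, now=None):
    """Validate expiry and binding; comparison is constant-time."""
    now = time.time() if now is None else now
    if not token or session_id is None or ":" not in token:
        return False
    exp_s, mac = token.split(":", 1)
    if not exp_s.isdigit() or now > int(exp_s):
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{exp_s}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def hardened_create_user(req, users, now=None):
    """POST only, body parameters only, and a valid session-bound token is required."""
    if req.method != "POST":
        return False
    if not check_csrf_token(req.form.get("csrf_token"), req.session_id, now):
        return False
    if "username" in req.form and "password" in req.form:
        users[req.form["username"]] = req.form["password"]
        return True
    return False
```

Note that switching to POST alone is not the fix: a form on attacker.com can POST to victim.com with the victim's cookies attached, which is why the hardened handler rejects a POST that lacks the token even though its parameters are otherwise valid.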
153 CSRF Vulnerabilities Many high profile sites have been vulnerable Gmail allowed to steal user's contact list netflix allowed to change name and address, and order movies skype allowed to "steal" the user's skype number (impersonate user, receive his calls, use his credit) Facebook mobile site 43
154 CSRF against home routers Home DSL/Cable routers have often been vulnerable Typically have weak authentication no password username: admin, password: admin same password for all routers from a provider just google for "$provider $device_name password" most users don't change it Protected by firewall can only log in from inside home network Can use CSRF to send requests to the router from victim's PC inside the network 44
155 CSRF against home routers DSL router Home User attacker.com 45
156 CSRF against home routers DSL router Home User 2) <img src= 1) GET /index.html attacker.com 46
157 CSRF against home routers 3) GET /action.php?do_something_bad DSL router Home User 2) <img src= 1) GET /index.html attacker.com 47
158 CSRF against home routers What can the attacker do? example: CSRF in home routers from a Mexican ISP no password was set by default /0/threaded Add names to the DNS ( PAGE=J38_SET&THISPAGE=J38&NEXTPAGE=J38_SET&N AME= Disable Wireless Authentication PAGE=C05_POST&THISPAGE=C05&NEXTPAGE=C05_PO ST&NAME=encrypt_enabled&VALUE=0 Disable firewall, set new password, More: Trigger firmware updates for printers, network phones, etc...
159 MITM Attacks against HTTPS 49
160 Stealing HTTPS cookies Man-in-the-middle attack against HTTPS encryption should protect from MITM! Cookie management policy is not consistent with Same Origin Policy SOP: in addition to domain, protocol must be the same: http and https are different origins cookies: depends on a Secure flag in the cookie if the Secure flag is not set, a cookie set inside an https session can be sent over an http session MITM can use this to steal a session ID that was set inside an HTTPS connection! 50
161 Stealing HTTPS cookies Attack steps: user logs in to server sets session ID for mybank.com in cookie encrypted in https user issues an unencrypted HTTP request for something else ( attacker (MITM) replies with redirect to browser follows redirect & sends out cookie with session ID attacker has access to user's session! 51
162 Stealing HTTPS cookies Easy to check for using your browser Check your online banking website, and send them an e-mail if they are vulnerable When I first checked the 2 banking websites I use, both were vulnerable OK! 52
163 Cookie Attributes HTTP/1.1 200 OK Content-type: text/html Set-Cookie: name=value Limit to HTTPS: Set-Cookie: name=value; Secure Limit to real browser requests (not JS, XML-RPC, API...) Set-Cookie: name=value; HttpOnly 53
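Added example, not from the lecture: a simplified browser cookie store that keys cookies by host only, as the slides describe, and enforces just the Secure and HttpOnly attributes. `mitm_sees_session` replays the attack steps from slide 161 (session cookie set over HTTPS, then a plain-HTTP request to the same host after the attacker's redirect) and returns what would travel in the clear. Host names, cookie names and values are constructed.

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip() if v else True
    return name.strip(), value.strip(), attrs


class CookieJar:
    """Simplified browser cookie store. The scheme is not part of the key (a cookie set over
    https is the same cookie over http); only the Secure attribute limits where it is sent."""

    def __init__(self):
        self._jar = {}   # host -> name -> {"value", "secure", "httponly"}

    def receive(self, url, set_cookie_header):
        host = urlsplit(url).hostname
        name, value, attrs = parse_set_cookie(set_cookie_header)
        self._jar.setdefault(host, {})[name] = {
            "value": value,
            "secure": "secure" in attrs,
            "httponly": "httponly" in attrs,
        }

    def cookie_header_for(self, url):
        """Cookie header the browser would attach to a request for url, or None."""
        parts = urlsplit(url)
        scheme, host = parts.scheme, parts.hostname
        sent = [f"{n}={c['value']}" for n, c in self._jar.get(host, {}).items()
                if scheme == "https" or not c["secure"]]   # Secure cookies stay off plain HTTP
        return "; ".join(sent) if sent else None

    def script_visible(self, host):
        """What document.cookie would expose on host: HttpOnly cookies are hidden from JS."""
        return {n: c["value"] for n, c in self._jar.get(host, {}).items() if not c["httponly"]}


def mitm_sees_session(set_cookie_header):
    """Replay slide 161: the bank sets a cookie over HTTPS, the MitM redirects an unrelated
    HTTP request to http://mybank.com/, and the browser sends whatever is not marked Secure."""
    jar = CookieJar()
    jar.receive("https://mybank.com/login", set_cookie_header)     # constructed bank response
    return jar.cookie_header_for("http://mybank.com/")              # redirect target from the MitM
```

The check from slide 162 reduces to this: if the session cookie is issued without Secure, the first function call returns it in cleartext; with Secure (and HttpOnly against script access) nothing is sent.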
164 SSL Stripping A more powerful MitM attack against HTTPS Old problem, recently highlighted by: Users do not type "https://" in their browser Most of the time, users reach https through http this first step is unprotected 54 See later: Most users enter just the host name and will be redirected to https intercept first step
165 SSL Stripping The basic idea: attacker speaks HTTPS with the server attacker speaks HTTP with the user HTTP USER HTTPS MitM mybank.com 55
166 SSL Stripping Initial requests: HTTP USER HTTP MitM mybank.com 56
167 SSL Stripping Initial requests: HTTP HTTP Now let's talk HTTPS! USER MitM mybank.com 57
168 SSL Stripping Initial requests: HTTP HTTP Now let's talk HTTPS! USER MitM HTTP mybank.com HTTPS 58
169 SSL Stripping User types in URL bar Before logging in, user would normally be directed to the bank's HTTPS website HTTP 3xx redirect, OR an https link MitM attacker can modify the data sent from the server change https:// to http:// in server replies! Now on a more technical level 59
170 SSL Stripping GET USER GET MitM mybank.com 60
171 SSL Stripping GET GET <html>... USER MitM <a href="https://mybank.com"> Online Banking </a>... mybank.com 61
172 SSL Stripping GET USER GET <html>... <html>... <a href="http://mybank.com"> Online Banking </a>... <a href="https://mybank.com"> Online Banking </a>... MitM mybank.com 62
173 SSL Stripping GET USER GET <html>... <html>... <a href="http://mybank.com"> Online Banking </a>... <a href="https://mybank.com"> Online Banking </a>... GET MitM mybank.com GET 63
174 Fooling the user User can see http:// in the address bar some users may check for this lock favicon may help fool them Many sites use https only for login to protect username and password does not protect from session hijacking SSL stripping in these cases is undetectable unless the user looks at the HTML page source 64
175 Fooling the user user never sees https HTTPS submit link 65
176 Implementing SSL Stripping Modify server replies to replace https links with http in HTTP 3xx redirect replies in HTML page harder if page is dynamically generated with javascript Modify client requests remove secure flag on cookies sent by server otherwise user's browser will not send them over HTTP! Simplify the task: avoid compression and chunked encoding talk HTTP/1.0 with server Accept-Encoding: identity 66
177 SSL Stripping Variant Instead of stripping SSL, we can have 2 separate HTTPS conversations with user and destination site HTTPS USER HTTPS MitM mybank.com 67
178 SSL Stripping Variant Option 1: use fake, self-signed certificate for mybank.com browser warning may scare user away! Option 2: redirect user to attacker has a valid certificate for evil.com user may notice wrong domain in address bar! Option 3: like 2, but use a domain name that looks similar to mybank.com with internationalized domain names, this is a very powerful attack 68
179 SSL Stripping Variant HTTPS USER HTTPS mybonk.com Valid certificate for mybonk.com mybank.com Valid certificate for mybank.com 69
180 Recent SSL Stripping Attack DigiNotar hack July 10, 2011, wildcard certificates for Google, etc. Short Video Other CAs: StartCom (Comodo) Certificates might also be used for software updates addons.mozilla.org login.live.com mail.google.com login.yahoo.com login.skype.com 70 Online Certificate Status Protocol (OCSP) DigiNotar did not publicly reveal the breach, poorly serviced XP machines Chromium detected via certificate pinning Used in the Netherlands for tax & customs administration, state-owned identity management, ...
181 Symantec vs Google (Sept. 2015) 71
182 72
183 Current Efforts Certificate/CA Pinning in Browser Certificate Transparency Currently for EV certificates Some APIs only accessible via HTTPS 73
184 Extended Validation (EV) Certificates Name of Entity shown Green Bar 74
185 Cryptocalypse Typical browser has 100+ Root certificates (CA) installed Each CA can delegate to sub-CAs (resellers) Cost pressure reduces level of customer verification and security of infrastructure Any of these sub-CAs can sign certificates for any other domain. (e.g. finanzonline.gv.at) Also used by Deep-Packet-Inspection (DPI) Countermeasure CA or certificate pinning Software additionally checks who issued the certificate 75
186 HTTP Strict Transport Security (HSTS) Strict-Transport-Security: max-age= ; includeSubDomains; Browser caches HTTPS capability HSTS headers over HTTP are ignored HTTPS Everywhere Browser plugin that automatically redirects to https Whitelist based Related: HTTP Public Key Pinning (HPKP) Allows server to pin key/certificate authority 76
187 Perfect Forward Secrecy Scenario Some attacker sniffs encrypted traffic Obtains private keys afterwards (years later?) Decrypts traffic Perfect Forward Secrecy Use special step in initial session setup for key exchange Short-term session key is not compromised, even when long-term keys are compromised in the future. Optional in IPsec, SSL/TLS since SSLv3, [Browser comp.!!!] Computational Overhead 15-30% 77 Lavabit Edward Snowden's provider. FBI seized private key. Viennese ISP recorded traffic for one day for testing purposes 1 year later Debian SSL/SSH problems got public destroyed recordings immediately. PFS: Google starting transition in 2012, Twitter Nov 2013
188 Where is SSL added? 78 Involuntarily, unknowingly? Forced?
189 Browser History Stealing (Historical) Reborn using HTML5, GPU filters and side channels 79
190 Browser History Stealing Browsers display visited links differently from non-visited links very helpful to users (which google search results have I already visited?) This can be used to find out if the user has visited a site has user visited example.com? attacker prepares webpage at attacker.com with an <a href> link pointing to example.com attacker checks how the link is displayed 80
191 Browser History Stealing How can the attacker check the link color? the link is displayed in the web page attacker.com SOP allows attacker to access the content use javascript to check color or font size Attack can also be performed without javascript using CSS (Cascading Style Sheets) 81
192 History Stealing without Javascript CSS is used to improve HTML by separating presentation from document structure HTML defines the content CSS specifies how to display that content uses simple rules to match content specify how to display content matching the rules a:visited define the style for visited links a style can include a background image background: url(log_visited.php?example.com) use div+span to associate different "background" urls to each link 82
193 History Stealing Proofs of Concept CSS based used for this demo Javascript based 83
194 noscript is on 84
195 Browser History Stealing Browser history can leak user's private information not just porn!.. Recent work from seclab: de-anonymizing users of social networks using browser history stealing checks for URLs specific to facebook/xing/linkedin groups in browser history the groups you are part of, can uniquely identify you 85
196 Countermeasures (by Browsers) JAVASCRIPT Reading of certain CSS styles (e.g. color of links) always return the default value. CSS only Restrict usage of certain attributes (e.g. background:url() ) in a:visited styles. 86
197 History Stealing in Public WiFi Hotspots (and other MitM scenarios) 87
198 History stealing with Public Wi-Fi Hotspots Internet Like a well in a village We gather there, pull up a bucket or two of Internet Look at the sign from the sponsor and move on. 88 Public internet hotspots are like village wells For letting me pull up one or two buckets of their internet, I accept to look at a sign from the sponsor and accept their terms and conditions
199 What is a Captive Portal? 89 Many people use it but don't know it by its name. You probably have used it this morning when you logged into the conference WIFI Step by step
200 Why Captive Portal Omnipresent in Wi-Fi Hotspots Used by you probably right now (in this very hotel) Has an elevated position on the network Man-in-the-Middle by design Sponsors of a Wi-Fi want us to see their messages (and accept the disclaimer) There is no standard for that Let's inject it into your traffic 90
201 MitM by design!? 91 The way to look at it: It is effectively man-in-the-middling connections. Spoof a redirect to the login/info page We expect it not to tamper with the traffic after login
202 Browser History Stealing, again? Baron et al., 2002 :visited link color Ruderman et al., 2000 :visited can load images Jang et al., 2010 Sites are actively trying to steal history TODO: Groundhog 92
203 History, so what? Culture & Language Amazon.fr, Amazon.jp Sexual orientation grindr.com, transblog.de Partnership status Okcupid.com, parship.com Employer intranet.ibm.com Other websites that give interesting insights Medical conditions Political campaigns Religious communities 93 You don't need much imagination to draw conclusions about someone if you know about the subject's browser history It's not only a privacy thing, it's also a money thing United, Delta vs Kayak, chipmonk, Xvideos vs pornhub
204 Source: MindSource April 1996 BOF; Client State Tracking with Netscape Cookies; M. Strata Rose; Also reason for CSRF Cookies being sent depend on protocol, host (suffix), path (prefix) 95
205 Cookies (or not enough state for HTTP) Two kinds Session cookies: usually forgotten when browser closed Persistent cookies: stored on disk with expiry date Only depend on the FQDN and Protocol XSS XSRF HTTP set cookie also used for HTTPS Insecure set cookies mixed into the cookies over HTTPS Used for login sessions Configuration Tracking 96
206 Too small, close up 97
207 (+cookies) 302 redirect login.hotspotsys.com/login login.hotspotsys.com/login <html>. <img href= a.com/probe123 >... (+cookies) (+cookies). 98
208 99 Don't mind if the flow chart looks sparse and unfinished We will complete it later on
209 Sure, crypto will save us! HTTPS hides content (and therefore cookies) But is not used by default (e.g., when URL entered in location bar) HTTP Strict Transport Security (HSTS) Site announces availability of HTTPS with same content as via HTTP Client caches this Uses HTTPS by default next time for this site 100
210 Sure, crypto will save us! HTTPS hides traffic (and cookies) But is not used by default (e.g., when URL entered in location bar) HTTP Strict Transport Security (HSTS) Site announces availability of HTTPS with same content as via HTTP Client caches this side channel Uses HTTPS by default next time for this site 101
211 102
212 103
213 Which users are affected? Everyone who uses the standard browser to log into the captive portal (mobile, notebook,...) Even VPN users Android and iOS introduced captive portal detectors Primarily for convenience starts stripped down browser The online test is very easy to fool, since based on HTTP User will use main browser to login, exposing their history 104
214 Sure, VPN will save us? Connecting to new WiFi Wifi Connection WiFi Connection DHCP Captive Portal VPN VPN Browser history time 105
215 Captive Portal Detection A convenience feature iOS since Version 4 Android since 4.2 used default browser Android since 5 uses captive portal browser Test is easy to circumvent HTTP! Chromium So included in mobile and desktop Chrome
216 Which sites affected? Uses long-term (persistent) cookie e.g., for session, tracking, or configuration Can be set via HTTP Header Javascript Uses HSTS header 107 An attacker would test popular sites first, unless it's a targeted attack or he/she is just filtering for particular users (e.g. users of a specific site, e.g. intranet) How did we test and estimate how prevalent the conditions or problem are? Run a headless browser on Amazon spot instances Recorded all the traffic while visiting the main page and randomly selecting and visiting 3 links to sub pages Analyzed recorded traffic for HTTP headers
217 Top 1K 82-92% Top 200K 59-86% 108 For top 1K 82-92% For top 200K 59-86% Estimation! Upper bound Overestimate: Some JS cookies could be session only (not seen in traffic dump) Underestimate:
218 Implementation PoC implementation Speed up by Marking probe request with a special string Returning 1x1 pixel or killing connections Caching DNS Still one DNS request for each probed site Added de-anonymization e.g., via amazon.com 109 PoC implementation ~ probed sites per sec Cookies: de-anonymization e.g. via Amazon Half and full login Wish list feature leaks full name of user, even when not fully logged in via the insecure http cookie
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationRobust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationSECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA
SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA CTO Office www.digi.me another Engineering Briefing digi.me keeping your data secure at all times ALL YOUR DATA IN ONE PLACE TO SHARE WITH PEOPLE WHO
More informationHTTP Security Headers Explained
HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationBank Infrastructure - Video - 1
Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationWayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk
Wayward Wi-Fi How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk 288 MILLION There are more than 288 million unique Wi-Fi networks worldwide. Source: Wireless Geographic Logging
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationEn#ty Authen#ca#on and Session Management
En#ty Authen#ca#on and Session Management Jim Manico @manicode OWASP Volunteer - Global OWASP Board Member - OWASP Cheat- Sheet Series, Top Ten Proac=ve Controls, OWASP Java Encoder and HTML Sani=zer Project
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationDrone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created
Drone - 2 04/12/2018 Threat Model Description Threats Threat Source Risk Status Date Created Mobile Phone: Sensitive Data Leakage Smart Devices Mobile Phone: Session Hijacking Smart Devices Mobile Phone:
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationCSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno
CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,
More informationMODERN WEB APPLICATION DEFENSES
MODERN WEB APPLICATION DEFENSES AGAINST DANGEROUS NETWORK ATTACKS Philippe De Ryck SecAppDev 2017 https://www.websec.be SETUP OF THE HANDS-ON SESSION I have prepared a minimal amount of slides Explain
More informationHow to Configure Authentication and Access Control (AAA)
How to Configure Authentication and Access Control (AAA) Overview The Barracuda Web Application Firewall provides features to implement user authentication and access control. You can create a virtual
More informationCertified Secure Web Application Security Test Checklist
www.certifiedsecure.com info@certifiedsecure.com Tel.: +31 (0)70 310 13 40 Loire 128-A 2491 AJ The Hague The Netherlands Certified Secure Checklist About Certified Secure exists to encourage and fulfill
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationFrequently Asked Questions WPA2 Vulnerability (KRACK)
Frequently Asked Questions WPA2 Vulnerability (KRACK) Release Date: October 20, 2017 Document version: 1.0 What is the issue? A research paper disclosed serious vulnerabilities in the WPA and WPA2 key
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationThe Attacker s POV Hacking Mobile Apps. in Your Enterprise to Reveal Real Vulns and Protect the Business. Tony Ramirez
The Attacker s POV Hacking Mobile Apps in Your Enterprise to Reveal Real Vulns and Protect the Business Tony Ramirez AGENDA & SPEAKERS Introduction Attacks on Mobile Live Demo Recommendations Q&A Tony
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationAruba Central Guest Access Application
Aruba Central Guest Access Application User Guide Copyright Information Copyright 2017Hewlett Packard Enterprise Development LP. Open Source Code This product includes code licensed under the GNU General
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationWeb Security Session Management
Web Security Session Management websec 1 Recall from many weeks ago: the web On the web, servers and clients, ie. web applications and browsers, communicate by HTTP requests and responses HTTP request
More informationLecture 9a: Sessions and Cookies
CS 655 / 441 Fall 2007 Lecture 9a: Sessions and Cookies 1 Review: Structure of a Web Application On every interchange between client and server, server must: Parse request. Look up session state and global
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationWeb Vulnerabilities. And The People Who Love Them
Web Vulnerabilities And The People Who Love Them Me Tom Hudson Technical Trainer at Sky Betting & Gaming TomNomNom online Occasional bug hunter Lover of analogies Lover of questions Insecure Direct Object
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationFeaturing. and. Göteborg. Ulf Larson Thursday, October 24, 13
Featuring and Göteborg OWASP top ten 2013 Based on risk data from eight firms that specialize in application security, This data spans over 500,000 vulnerabilities across hundreds of organizations and
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 18: Network Attacks Department of Computer Science and Engineering University at Buffalo 1 Lecture Overview Network attacks denial-of-service (DoS) attacks SYN
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationWeb Security. Aggelos Kiayias Justin Neumann
Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating
More information5. Authentication Contents
Contents 1 / 47 Introduction Password-based Authentication Address-based Authentication Cryptographic Authentication Protocols Eavesdropping and Server Database Reading Trusted Intermediaries Session Key
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More informationCHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS
180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),
More informationCan HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit
Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit 1 2 o hai. 3 Why Think About HTTP Strict Transport Security? Roadmap what is HSTS?
More information