Integrity attacks (from data to code): Cross-site Scripting - XSS

Size: px

Start display at page:

Download "Integrity attacks (from data to code): Cross-site Scripting - XSS"

Collin Hutchinson
5 years ago
Views:

Pattern Recognition and Applications Lab Integrity

Igino Corona igino.corona (at) diee.unica.

Electrical and Electronic Engineering University of

1 Pattern Recognition and Applications Lab Integrity attacks (from data to code): Cross-site Scripting - XSS Igino Corona igino.corona (at) diee.unica.it Computer Security April 12, 2018 Department of Electrical and Electronic Engineering University of Cagliari, Italy 1 Let s play with OWASP Mutillidae II Very useful training application by OWASP 2

2 Reflected XSS 3 Reflected XSS The input of parameter PathToDocument is present in the web page output 4

Reflected XSS Put the classical test string as input for PathToDocument: <script>alert('vulnerable')</script> Such string is reflected as is, in the page output where is interpreted by the browser as

3 Reflected XSS Put the classical test string as input for PathToDocument: <script>alert('vulnerable')</script> Such string is reflected as is, in the page output where is interpreted by the browser as HTML and then JavaScript code 5 Reflected XSS In a real-world attack, reflected XSS may be used to stealthily collect confidential information about a user of the vulnerable site perform impersonation, execute an exploit on the victim s browser the attacker can execute arbitrary JavaScript code with the privileges given by the victim s browser to the vulnerable website To this end, a targeted phishing may be crafted using athe identity of the vulnerable site (es. Google) to induce the user to click on the malicious link, e.g., %3e%61%6c%65%72%74%28%27%76%75%6c%6e%65%72 %61%62%6c%65%27%29%3c%2f%73%63%72%69%70%74% 3e 6

Reflected XSS https://www.google.com /mutillidae/index.php?p age=documentviewer.

4 Reflected XSS /mutillidae/index.php?p age=documentviewer.php&pathtodoc ument=%3c%73%63% 72%69%70%74%3e%6 1%6c%65%72%74%28 %27%76%75%6c%6e %65%72%61%62%6c %65%27%29%3c%2f% 73%63%72%69%70%7 4%3e 7 Persistent (Stored) XSS 8

5 Persistent (Stored) XSS Test code tries to output document cookies in a window 9 Persistent (Stored) XSS We inserted HTML code that executes JavaScript code within a blog entry Such code is stored as is within the database outputted as is when blog entries are displayed (by any user) 10

Persistent XSS In a real-world attack, persistent XSS may be used to stealthily collect confidential information about any user of the vulnerable site, including admin users perform impersonation,

6 Persistent XSS In a real-world attack, persistent XSS may be used to stealthily collect confidential information about any user of the vulnerable site, including admin users perform impersonation, execute an exploit on the victim s browser the attacker can execute arbitrary JavaScript code with the privileges given by the victim s browser to the vulnerable website More powerful than reflected XSS Typically, no need for phishing s The attacker can add arbitrary code within the vulnerable site 11 Persistent XSS Vulnerable admin webpages are expecially useful for cyber criminals 12

Client-side XSS In this case, vulnerable code is @client-side

code executed by web browsers We experiment with a special case, using

7 Client-side XSS In this case, vulnerable code applications Typically, leverages on vulnerabilities within JavaScript code executed by web browsers We experiment with a special case, using DOM injection 13 Client-side XSS We see that a username input is outputted in the page 14

Client-side XSS Let s look @ the source code It seems that username input is appended (by the server application) to the string "This password is for The string is then put through JavaScript code

8 Client-side XSS Let s the source code It seems that username input is appended (by the server application) to the string "This password is for The string is then put through JavaScript code into the DOM element with id idusernameinput <script> try{ document.getelementbyid("idusernameinput").innerhtml = "This password is for anonymous"; } catch(e) { alert("error: " + e.message); }// end catch </script> <tr style="text-align: center;"> <td id="idusernameinput" HTMLEventReflectedXSSExecutionPoint="1" class="label"></td> </tr> 15 Server-side XSS The attacker may try to directly inject (add) JavaScript code exploiting a vulnerable server-side: username=anonymous";alert(document.cookie);var a= <script> try{ document.getelementbyid("idusernameinput").innerhtml = "This password is for anonymous";alert(document.cookie);var a=""; } catch(e) { alert("error: " + e.message); }// end catch </script> 16

$Client-side XSS HTML input is not filtered by JavaScript code The attacker may also exploit such client-side vulnerability to inject HTML code through the DOM: username=google\<img src=\"https://www.$

9 Client-side XSS HTML input is not filtered by JavaScript code The attacker may also exploit such client-side vulnerability to inject HTML code through the DOM: username=google\<img src=\" a=" <script> try{ document.getelementbyid("idusernameinput").innerhtml = "This password is for username google\<img src=\" hp.gif\"/\>";var a=""; } catch(e) { alert("error: " + e.message); }// end catch </script> 17 Type: Persistent (stored) Malicious input data is stored and comes from a database Reflected Malicious input data comes directly from the client (user) and is reflected in the webpage output Location of vulnerable code: Server-side Web application code (e.g., PHP) server-side Client-side Web application code (typically JavaScript) clientside 18

10 Targets: HTML/JavaScript code generation routines of client- and server-side applications Interpreter: JavaScript client-side (browser) An insecure handling of input data by web application HTML/JS generator routines, allows the attacker to convert input data into (arbitrary) JavaScript code Flash Silverlight PDF Reader Images JavaScript application CSS HTTP(S) Client HTML/JS code generation HTML Client-side XSS Application HTML/JS code generation HTTP(S) server Database Server-side XSS 19 Many TOP 10 attacks violate integrity TOP 10 Threat Security Violation A1:2017 Injection Integrity (DataàCode) A2: Broken Authentication Authentication A3:2017 Sensitive Data Exposure Confidentiality A4: XML External Entities (XXE) Integrity (DataàCode) A5: Broken Access Control Access Control A6: Security Misconfiguration Any A7: Cross-Site Scripting (XSS) Integrity (DataàCode) A8: Insecure Deserialization Integrity (DataàCode) A9: Using Components with Known Vulnerabilities Any A10: Insufficient Logging & Monitoring Monitoring

11 Take aways We have seen different data->code attack instances that lead to (system) integrity violations SQL Injection Cross-site Scripting Protecting web applications against data->code attacks require one to: Identify ALL involved interpreters in the web application From HTTP(S) level to DB interfaces and browser plugins For each interpreter use a safe API that prevents data from becoming code accurately determine the functioning of the application for ANY data input (expected or unexpected) Take aways Key security functionalities Authentication Access Control Authentication and access control are the key components to support Availability Integrity Confidentiality (strictly coupled!) Monitoring and response are necessary to mitigate (unavoidable) security violations self-monitoring and monitoring data protection

12 Are you interested in cybersecurity? The Cybersecurity Market is HUGE Thesis proposals include Botnet detection DNS traffic ISP premises /en/fluxbuster Web intrusion detection systems /en/sustorid Phishing detection Android malware detection /en/androidpraguarddataset Adversarial Machine Learning - for computer security Many successful stories, latest ones (with my supervision) Simone Moro Android Vulnware /en/node/1198 Matteo Contini Phishing Detection

Web Application Vulnerabilities: OWASP Top 10 Revisited

Pattern Recognition and Applications Lab Web Application Vulnerabilities: OWASP Top 10 Revisited Igino Corona igino.corona AT diee.unica.it Computer Security April 5th, 2018 Department of Electrical and