PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Similar documents
PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

WEB SECURITY: XSS & CSRF

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

CIS 4360 Secure Computer Systems XSS

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

WHY CSRF WORKS. Implicit authentication by Web browsers

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security. Thierry Sans

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Information Security CS 526 Topic 8

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web Application Penetration Testing

Sichere Software vom Java-Entwickler

P2_L12 Web Security Page 1

Information Security CS 526 Topic 11

Security. CSC309 TA: Sukwon Oh

RKN 2015 Application Layer Short Summary

COMP9321 Web Application Engineering

CS 155 Project 2. Overview & Part A

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Computer Security CS 426 Lecture 41

Web basics: HTTP cookies

CS 161 Computer Security

Common Websites Security Issues. Ziv Perry

Application Layer Security

Solutions Business Manager Web Application Security Assessment

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

OWASP TOP 10. By: Ilia

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

1 About Web Security. What is application security? So what can happen? see [?]

Securing ArcGIS Services

C1: Define Security Requirements

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CS 161 Computer Security

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

The security of Mozilla Firefox s Extensions. Kristjan Krips

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

F5 Application Security. Radovan Gibala Field Systems Engineer

CSC 482/582: Computer Security. Cross-Site Security

Bank Infrastructure - Video - 1

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

Combating Common Web App Authentication Threats

IronWASP (Iron Web application Advanced Security testing Platform)

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Web Security II. Slides from M. Hicks, University of Maryland

Welcome to the OWASP TOP 10

Hacking Intranet Websites from the Outside

GOING WHERE NO WAFS HAVE GONE BEFORE

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Application Design and Development: October 30

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis


COMP9321 Web Application Engineering

EasyCrypt passes an independent security audit

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Web Application Threats and Remediation. Terry Labach, IST Security Team

INNOV-09 How to Keep Hackers Out of your Web Application

01/02/2014 SECURITY ASSESSMENT METHODOLOGIES SENSEPOST 2014 ALL RIGHTS RESERVED

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Application Attacks

eb Security Software Studio

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CSCE 813 Internet Security Case Study II: XSS

Web Security. Web Programming.

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2017

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

Progress Exchange June, Phoenix, AZ, USA 1

CS 161 Computer Security

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Certified Secure Web Application Engineer

Tutorial: Web Application Security

Reflected XSS Cross-Site Request Forgery Other Attacks

Transcription:

Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

THE WEB AS A DISTRIBUTED SYSTEM 2

WEB HACKING SESSION 3

3-TIER persistent state Client Web- Server DB Presentation Application Logic Data HTML JavaScript HTTP PHP Rails (No)SQL Relations KVS AJAX Node.js Documents 4

SCENARIO User UI Browser user visits a service attacker tries to disturb various complex layers independently developed technologies Server are being combined what you see may not be DB what you get 5

BACKEND User goal: manipulate state stored in the database UI not directly accessible (hopefully) Browser improper input checking in frontend server Server required nice: inconsistency is DB persistent 6

EXAMPLE IN PHP $password = $_POST['password']; $id = $_POST['id']; $sql = "UPDATE Accounts SET PASSWORD = '$password' WHERE account_id = $id"; Now imagine: password=';-- SQL injection 7

BOBBY TABLES Comic by Randall Munroe, xkcd.com 8

LICENSE PLATE 9

FRONTEND User UI Browser Server DB goal: manipulate content delivered to the browser infrastructure attacks like DNS cache poisoning solution for this: make sure you use SSL improper input checking can still bite you 10

EXAMPLE http://example.com/?query=query string generates website containing: <p>you are looking for: query string</p> so how about that: http://example.com/?query=html code remember that? http://www.wolfgang-schaeuble.de/? search=</strong></div> 11

STEPPING DOWN 12

XSS can inject <script> code this code will run with the privileges of the embedding site (think IE zones) cross-site scripting Can you steal site credentials with this? imagine a bank website allowing injection How do you exfiltrate the password? 13

SAME ORIGIN JavaScript can access password fields you cannot use AJAX to send the password same origin policy JavaScript may only connect back to the originating server (with some tolerance) can be defeated with <img> tags encode password in URL to ping your server JavaScript can also read cookies 14

FIXES disallow cross-site image loading? lots of sites use this no JavaScript access to password field? AJAX logins need this fix web application well never click on suspicious links always use SSL 15

SSL So you think SSL works? You explicitly type https://? Your site loads all JavaScript securely? Your platform checks for certificate revocation? and for X.509 Basic Constraints? You trust all CAs on this planet to never issue broken certs? 16

REMOTE CONTROL User goal: trick the browser to not show what s actually UI happening or: how to pull strings Browser behind the user s back or: can one website Server control another one? no mischief with the DB server communication 17

SCENARIO user visits a regular website you control Can you use credentials of a different site? some preconditions user is logged in to the target site in another browser tab the target site identifies the user session with a cookie no cross-site cookie leakage in browser 18

CSRF same origin policy denies AJAX to target again, <img> is your friend one website can send arbitrary requests to another, unrelated site cross site request forgery a special case of the confused deputy problem requests are blindly operating the target 19

CAN DO send requests and GET parameters click buttons in the UI of the target site operate search fields and other text input basic or digest authentication? cookies? browser automatically sends credential session riding POST requests? manufacture a <form> instead of <img> 20

TARGETS study in late 2008: high-profile bank websites vulnerable browser-based port scanning this is behind the corporate firewall WiFi routers with web interface disable firewall reset wifi protection enable UPnP 21

FIX disable cross-site POST requests GET requests should by definition never change persistent state never authenticate a change of persistent state by cookie only pass an additional credential session ID in URL, edit tokens 22

OTHERWISE 23

BLINDNESS User goal: mislead the user to not seeing what s UI actually happening nothing going on behind Browser your back the internal state of the Server browser is properly displayed DB but you don t notice 24

PICK ONE www.pаypаl.com CYRILLIC SMALL LETTER A (U+0430) LATIN SMALL LETTER A (U+0061) www.paypal.com homograph attack 25

GENERALIZE FRACTION SLASH (U+2044) https://www.bank.com account login.ab.cd www.bank.xn--comaccountloginuh0iha.ab.cd https://www.bank.com/account/login.ab.cd www.bank.com 26

CONTENT 27

PADLOCKS 28

CLICKJACKING 29

FIX this only works when logged in always log out explicitly do not use persistent logins you may want to check wether your password manager autofills inside frames 30

CONCLUSION web standards have gotten complex even bug-free behavior is vulnerable browsers are a bad application platform we did not even talk about WebSockets, WebGL, WebRTC, 31

SUMMARY Is everything lost? Yes 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback