Solution of Exercise Sheet 5

Similar documents
Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

P2_L12 Web Security Page 1

Web Security: Vulnerabilities & Attacks

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CSCE 813 Internet Security Case Study II: XSS

Web Security. Thierry Sans

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

WebGoat Lab session overview

Integrity attacks (from data to code): Cross-site Scripting - XSS

NET 311 INFORMATION SECURITY

CIS 4360 Secure Computer Systems XSS

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

CS 161 Computer Security

CS 161 Computer Security

CS 155 Project 2. Overview & Part A

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

IS 2150 / TEL 2810 Introduction to Security

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

SQL Injection Attack Lab

John Coggeshall Copyright 2006, Zend Technologies Inc.

XSS Homework. 1 Overview. 2 Lab Environment

CS 161 Computer Security

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Information Security CS 526 Topic 11

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

CSCD 303 Essential Computer Security Fall 2017

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CS 142 Winter Session Management. Dan Boneh

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CSCD 303 Essential Computer Security Fall 2018

CSC 564: SQL Injection Attack Programming Project

CSE 127 Computer Security

Security Course. WebGoat Lab sessions

CNIT 129S: Securing Web Applications. Ch 4: Mapping the Application

Project 2: Web Security

Assignment 6: Web Security

EasyCrypt passes an independent security audit

CS 161 Computer Security

Pass, No Record: An Android Password Manager

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

An analysis of security in a web application development process

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web Security IV: Cross-Site Attacks

Web Application Penetration Testing

Web Application Security

CSCE 548 Building Secure Software SQL Injection Attack

Client Side Injection on Web Applications

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Security. Attacks on Servers 11/6/2017 1

CS 361S - Network Security and Privacy Spring Project #1

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Evaluating the Security Risks of Static vs. Dynamic Websites

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

WEB SECURITY: XSS & CSRF

COMP9321 Web Application Engineering

Web Security. Web Programming.

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Detecting XSS Based Web Application Vulnerabilities

eb Security Software Studio

Robust Defenses for Cross-Site Request Forgery Review

Application Design and Development: October 30

The security of Mozilla Firefox s Extensions. Kristjan Krips

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Robust Defenses for Cross-Site Request Forgery

Automatically Checking for Session Management Vulnerabilities in Web Applications

OpenID Security Analysis and Evaluation

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

C1: Define Security Requirements

Welcome to the OWASP TOP 10

Robust Defenses for Cross-Site Request Forgery

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Lecture Notes on Safety and Information Flow on the Web: II

epldt Web Builder Security March 2017

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Web basics: HTTP cookies

Information Security CS 526 Topic 8

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Protecting users against XSS-based password manager abuse. AsiaCCS 2014, Kyoto Ben Stock, Martin Johns

Computer Security CS 426 Lecture 41

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Security, Part 2

WebGoat& WebScarab. What is computer security for $1000 Alex?

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Finding Vulnerabilities in Web Applications

How to perform the DDoS Testing of Web Applications

Web security: an introduction to attack techniques and defense methods

Combating Common Web App Authentication Threats

Transcription:

Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 5 1 SQL Injection Consider a website foo.com that stores authentication cookies for its registered users in their browsers (after a successful login) using the following PHP code 1 : 1 $randomness = mt_ rand (); 2 $token = hash ( sha256, $randomness. $password ); 3 $arr = array ( $username, $token ); 4 $logincookie = base64_ encode ( serialize ( $arr )); 5 6 setcookie (" login ", $logincookie ); where $username and $password are the correct username and password of the user who has logged in. The token $token is also stored in the website s database. Upon an HTTP request, the website s server checks whether the client issuing the request is logged in as a registered user as follows. 1 /* (1) get cookie data */ 2 $logincookie = $_ COOKIE [" login "]; 3 $arr = unserialize ( base64_ decode ( $logincookie )); 4 list ( $username, $token ) = $arr ; 5 6 /* (2) authenticate user */ 7 if (! $username or! $token ) { /* not logged in */ } 8 else { 9 $sql = " SELECT * FROM users WHERE ". 10 " username = $username AND token = $token ;"; 11 $result = pg_query ( $sql ); 12 if ( pg_ num_ rows ( $result ) > 0 ) { 13 echo " Successfully logged in: ". pg_ fetch_ result ( $result, username )."!"; 14 /* successful login */ 15 } 16 else { /* authentication failed */ } 17 } (4 points) (a) Specify values for $username and $token such that the code snippet starting at comment (2) would output the message Successfully logged in: administrator!, even though you have no idea what the stored token of the user administrator on the website may be. You may assume that user names on the website are unique and that there indeed exists a registered user administrator in the database. 1 For more information on Base64, please refer to https://en.wikipedia.org/wiki/base64. 1/6

$username = "administrator ; --" and $token = "dontcare". This leads to the query: SELECT * FROM users WHERE username = administrator ; -- AND token = dontcare This query will exactly return the unique row whose value in the column username is administrator. The comment -- causes the rest of the query to be ignored, including the token check. Note that therefore the value for $token does not matter as long as it is non-empty. Otherwise, the condition!$token would be true, and you would be considered as not logged in. (6 points) (b) Now, considering the entire above code snippet (starting at comment (1)), how would you craft a cookie that would allow you to authenticate as the user administrator? Describe the values you have to pick for the name, value and domain fields of the cookie (for the value field, explain how to compute the desired value). Note that you can edit your own cookies using appropriate plugins, e.g. Cookie Inspector for Chrome, or using browsers with direct support for cookie editing, e.g. Firefox. We need to create a cookie with the following properties: The domain is the domain of the website (i.e. foo.com), exactly as when the website sets a honest cookie. The name is login. The value can be computed by: base64_encode(serialize(array("administrator ; --", "dontcare")))); (10 points) (c) In the next step, we want to fix this vulnerability using prepared statements. 1. Look up the PHP functions used here to send a query to the (PostgreSQL) database (pg query). 2. Look up the existing PHP functions to use prepared statements instead of a raw query. As we are still working with PostgreSQL, they also start with pg_. 3. This is the part that actually gives you the points. Rewrite the given code to use prepared statements instead of a direct query. You do not have to change any function operating on the result, this is just about protecting the query. In order retrofit the program to use prepared statements, we first have to 2/6

prepare an SQL query to fix its structure and make it impossible to change it with user input. PHP offers the pg prepare function that takes two arguments as an input: The name to assign for this statement and actual SQL query, where the data input is marked with a $ sign. In our case, the statement looks like this: pg_prepare("query", "SELECT * FROM users WHERE ". "username = $1 AND token = $2 ;"); After preparing the statement, we can execute it with our data: $result = pg_execute("query", array($username, $token)); As pg_execute returns the same result as the original pg_query, there is no need to adapt the remaining code, so the result looks like this: 1 /* (1) get cookie data */ 2 $logincookie = $_ COOKIE [" login "]; 3 $arr = unserialize ( base64_ decode ( $logincookie )); 4 list ( $username, $token ) = $arr ; 5 6 /* (2) authenticate user */ 7 if (! $username or! $token ) { /* not logged in */ } 8 else { 9 pg_ prepare (" query ", " SELECT * FROM users WHERE ". 10 " username = $1 AND token = $2 ;"); 11 $result = pg_ execute (" query ", array ( $username, $token ) ); 12 if ( pg_ num_ rows ( $result ) > 0 ) { 13 echo " Successfully logged in: ". pg_ fetch_ result ( $result, username )."!"; 14 /* successful login */ 15 } 16 else { /* authentication failed */ } 17 } 2 Reflected vs stored Cross-Site Scripting In the lecture, we have learned about two different flavors of Cross-Site Scripting, namely reflected and stored XSS. (4 points) (a) Both need a different kind of preparation before the actual attack can happen. Assume you already have found the vulnerabilities and created the XSS code. How do you deliver it to your victim? Give a brief explanation for reflected and stored each. Who (user, website) is targeted at which point in time and why? 3/6

For reflected XSS we require the user to click on a carefully crafted link in order to trigger the attack, so we need to somehow convince her to do so. This is mostly accomplished by sending out phishing email where the attacker pretends to be another entity (bank, co-worker,...) and tries to convince the user to click on the provided link. Often, the prepared link is concealed, so the user does not notice it is malicious. To prepare a stored XSS attack, the attacker directly targets the vulnerable website to store the attacker code in the database. Later, when user visit the website, the attacker code that was stored before will appear as a regular part of the delivered website and execute in the victim s browser. (6 points) (b) For this task, consider the perspective on an attacker that found exploits for both kinds of vulnerabilities in a messaging board web application. Assume you only want to exploit exactly one of those. As an attacker, which one do you most likely choose if you want to attack...... as many victims as possible without caring about the actual individuals.... a well-defined set of targets that you have carefully chosen. For each of those two scenarios above, state whether you would rather use reflected or stored XSS and give an explanation why this is the better choice. Many victims In case the attack tries to maximize the amount of victims, e.g. when it collects credentials or other personal information, using stored XSS on a public messaging board is the more promising approach since we do not require users to read their emails, fall for the phishing and click a prepared link. It suffices if they visit the webpage that was attacked before. Targeted attacks In case we want to target a specific set of victims, reflected XSS is preferable in this scenario since the attack only works for those that click on the carefully crafted attack URL. Regular website visitors will not be attacked, so chances are higher the attack stays undetected. 3 Combining stored and reflected XSS Consider a website bar.com that allows login via GET parameters, which means you can provide username and password via URL. The following snippet of index.php shows the login process: 4/6

1 $username = base64_decode ( $_GET [ username ]); // get username from URL 2 $password = base64_decode ( $_GET [ password ]); // get password from URL 3 if (! $username or! $password ) { /* not logged in */} 4 else { 5 $sql = " SELECT * FROM users WHERE username = " 6. $username. " AND password = ". $password. " ;"; 7 $result = pg_query ( $sql ); 8 if ( pg_num_rows ( $result ) > 0) { 9 echo " Welcome ". pg_ fetch_ result ( $result, username ). "!"; 10 /* successful login */ 11 } 12 else { 13 /* authentication failed */ 14 } 15 } If, for example, a registered user foo exists and has chosen bar as the password, the following URL can login this user... 1 http :// bar. com / index. php? username = Zm9v & password = YmFy... because Zm9v is the base64 encoding of foo and YmFy is the base64 encoding of bar. You may assume that you can register new users and choose their passwords. (3 points) (a) Identify the code line that provides the reflection necessary for an reflected XSS attack and explain why this line of code makes an attack possible. The line responsible for this vulnerability is 1 echo " Welcome ". pg_ fetch_ result ( $result, username ). "!"; The username is reflected back by writing it to the webpage that is generated for the user. This is exploitable by choosing the username to be javascript code. (15 points) (b) Describe an attack that will execute Javascript code to open an alarm window in the victims browser. What preparations do you have to do before sending out a link to a victim? How does the attack URL look like? 5/6

The general idea is to choose a username that is actually executed as javascript code. As it needs to be embedded into the webpage, we choose... 1 <script > alert ( PWNED! );</ script >... to be our username. In order to reach the reflection point, we register the above username with some password we know, e.g. known pw (stored XSS). Now we can craft the exploit URL by providing base64 encoded versions of our attack code (username) and known pw as a password (reflected XSS). 1 base64 ("<script > alert ( PWNED! );</ script >") -> PHNjcmlwdD5hbGVydCgnUFdORUQhJyk7PC9zY3JpcHQ + 2 base64 (" known_pw ") -> a25vd25fchc = So the final attack URL now looks like this: 1 https :// bar. com / index. php? username = PHNjcmlwdD5hbGVydCgnUFdORUQhJyk7PC9zY3JpcHQ & password = a25vd25fchc = (2 points) (c) Beside the apparent XSS vulnerability, the login mechanism is very insecure and badly designed for a variety of reasons. For example, it is a horrible idea to provide username and password in cleartext in an URL. Give at least one example scenario where logging in via URL leaks the used credentials. One example is a webproxy that caches requests to websites. In this case, whoever has access to the proxy can simply read your credentials and impersonate you. Another example is sharing links to websites via social media or messengers. If you blindly share a webpage, the complete URL will be used and therefore whoever receives this message also receives your credentials. 6/6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback