Advanced Web Technology 10) XSS, CSRF and SQL Injection

Similar documents
Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CIS 4360 Secure Computer Systems XSS

P2_L12 Web Security Page 1

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CS 161 Computer Security

CSCD 303 Essential Computer Security Fall 2017

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Hacking Intranet Websites from the Outside

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Copyright

NET 311 INFORMATION SECURITY

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Preparing for the Cross Site Request Forgery Defense

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Web Security, Summer Term 2012

Web Security, Summer Term 2012

WHY CSRF WORKS. Implicit authentication by Web browsers

Welcome to the OWASP TOP 10

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

WEB SECURITY: XSS & CSRF

Sichere Software vom Java-Entwickler

1 About Web Security. What is application security? So what can happen? see [?]

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Web Application Security

Some Facts Web 2.0/Ajax Security

CSCD 303 Essential Computer Security Fall 2018

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Combating Common Web App Authentication Threats

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Common Websites Security Issues. Ziv Perry

OWASP TOP 10. By: Ilia

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

COMP9321 Web Application Engineering

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

Web Security, Summer Term 2012

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Aguascalientes Local Chapter. Kickoff

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Web basics: HTTP cookies

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CSCE 813 Internet Security Case Study II: XSS

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Application Penetration Testing

COMP9321 Web Application Engineering

Security. CSC309 TA: Sukwon Oh

Assignment 6: Web Security

GOING WHERE NO WAFS HAVE GONE BEFORE

CS 161 Computer Security

Top 10 Web Application Vulnerabilities

Project 2: Web Security

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

RKN 2015 Application Layer Short Summary

Web Security. Thierry Sans

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web basics: HTTP cookies

Solutions Business Manager Web Application Security Assessment

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Information Security CS 526 Topic 8

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

C1: Define Security Requirements

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

CS 155 Project 2. Overview & Part A

Web Application Vulnerabilities: OWASP Top 10 Revisited

Information Security CS 526 Topic 11

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

A D V I S O R Y S E R V I C E S. Web Application Assessment

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery Review

Web Security: Web Application Security [continued]

Exploiting and Defending: Common Web Application Vulnerabilities

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

CSE 127 Computer Security

Information Security. Gabriel Lawrence Director, IT Security UCSD

Application Layer Security

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Your Turn to Hack the OWASP Top 10!

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Penetration Testing

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Web Security, Summer Term 2012

Web Security, Summer Term 2012

F5 Application Security. Radovan Gibala Field Systems Engineer

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

INNOV-09 How to Keep Hackers Out of your Web Application

Transcription:

Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1

Table of Contents Cross Site Request Forgery - CSRF Presentation Vulnerability CSRF allows to access the intranet Protection Conclusion Injection Flows Presentation Vulnerability Protection Examples Conclusion 2

Cross Site Request Forgery Not a new attack, but simple and devastating CSRF attack forces a logged-on victim s browser to send a request to a vulnerable web application Target: Perform the chosen action on behalf of the victim Cross Site Request Forgery - CSRF 3

Sending a request without the consent of the victim? Insert an image in a HTML file <img src= http://www.benoist.ch/image/test.gif > Browser: Downloads an image GET /image/test.gif HTTP/1.1... An image can be generated by a PHP program (or any program) <img src= http://www.benoist.ch/image/test.php > Browser: Downloads an image Cross Site Request Forgery - CSRF: Presentation 4

Sending a request? (Cont.) An image can be generated according to some parameters <img src= /barcode.php?number=12345678901 > Browser: Downloads an image An image tag can contain something else <img src= http://www.benoist.ch/index.php?action= logout > Browser????? Cross Site Request Forgery - CSRF: Presentation 5

Very widespread vulnerability Touches any web application that has no authorization checks for vulnerable actions will process an action if a default login is able to be given in the request <img src= http://www.benoist.ch/dosomething?user=admin& pwd=123 > Authorizes requests based only on credentials that are automatically submitted cookies if currently logged into the application or Remember me functionality if not logged into the application or a Kerberos token if part of an Intranet participating in integrated logon with Active Directory. Cross Site Request Forgery - CSRF: Presentation 6

State of the art Most of web applications rely solely on automatically submitted credentials cookies basic authentication credentials source IP addresses SSL certificates or windows domain credentials Vulnerability also known as Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack Acronym XSRF is also used together with CSRF Cross Site Request Forgery - CSRF: Presentation 7

Vulnerability A typical CSRF attack directs the user to invoke some function for instance application s logout page The following tag can be inserted in any page viewed by the victim <img src= http://www.benoist.ch/logout.php > it generates the same request as clicking on a link containing this address! Example: Online banking transfer <img src= http://www.mybank.de/transfer.do? frmacct=document.form.frmacct&toacct=4567890&amt =3434.43 > Could transfer the money from the account of the user, to a given account. Cross Site Request Forgery - CSRF: Vulnerability 8

Vulnerability (Cont.) Jeremiah Grossman 1 Succeeded in making changes in victims DSL routers Even if the user doesn t know that he can configure his router ;-) He used the router s default account name to perform his attack Example <img src= http://admin:password@192.168.1.1/ > Then you just have to reconfigure the system <img src= http://192.168.1.1/changedns?newdns =143.23.45.1 > Once DNS changed, user will never be able to access a site securely! 1 Talk in Blackhat 2006 : Hacking Intranet Sites from the outside Cross Site Request Forgery - CSRF: Vulnerability 9

How such a link could reach a victim Web-site Owner embedded JavaScript malware Web page defaced with embedded JavaScript malware JavaScript Malware injected into a public area of a website. (persistent XSS) Clicked on, a specially-crafted link causing the website to echo JavaScript malware. (non-persistent XSS) Cross Site Request Forgery - CSRF: Vulnerability 10

CSRF allows to access the intranet The attacker sends requests from inside the Intranet Doesn t have to go throw the firewall, the victim is already CSRF combined with javascript allows to send many requests sequentially javascript adds an image in the DOM (possibly invisible). when the request is sent, another image is added and so on Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 11

Internet is protected, but Intranet? You would never dare doing this on Internet! But what about Intranet? Leaving hosts unpatched Servers are always patched regularly, but local PC s? Using default passwords What the use of changing the password, the IP address can only be reached from inside my network 192.168.x.y Do not putting a firewall in front of a host Everything seams OK because the perimeter firewalls black external access So CSRF attacks can be very fruitful Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 12

Why do CSRF attacks work? User authorization credential is automatically included in any request by the browse Typical: Session Cookie The Attacker doesn t need to supply that credential It belongs to the victim s browser Success of CSRF belongs on the probability that the victim is logged in the attacked system Idea: attack the site the victim visits Mean : XSS Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 13

CSRF and XSS Combine CSRF and XSS The tag is already posted inside the vulnerable application Risk is increased by that combination Probability to find a logged in user is higher CSRF does not require XSS One can attack a site from another one Any application with XSS flaws is susceptible to CSRF CSRF attacks can exploit the XSS flaw to steal any non-automatically submitted credential When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 14

Protection Application must ensure that they are not only relying on credentials or tokens that are automatically submitted by browsers Session Cookies Certificates Remember me... Application should use a custom token that the browser will not Remember So it can not be included in the Requests sent automatically Cross Site Request Forgery - CSRF: Protection 15

Strategies Ensure that there are no XSS vulnerabilities in your application Otherwise, any protection is useless, since javascript could access the hidden data. Insert custom random tokens into every form and URL It will not be automatically submitted by the browser Example: <form action= /transfer.do method= POST > <input type= hidden name= 383838 value= 1234323433 >... </form> Then you have to verify that token Token can be unique for a session or even for each page The more focused the token is, the higher the security is, but the application is then much more complicated to write Cross Site Request Forgery - CSRF: Protection 16

Strategies (Cont.) For sensitive data or value transactions, re-authenticate or use transaction signing to ensure that the request is genuine. Set up external mechanism to verify requests (phone, e-mail) Notify the user of the request using an e-mail Do not use GET requests for sensitive data or to perform value transactions Use only POST methods when processing sensitive data from the user. However the URL may contain the random token as this creates a unique URL, which makes CSRF almost impossible to perform POST alone is an insufficient protection You must also combine it with random tokens Cross Site Request Forgery - CSRF: Protection 17

Verifying Security Goal: Verify that the application generates and requires some authorization token that is not resent automatically by the browser Automated approaches: Automated approach: few automated scanners can detect CSRF vulnerabilities. Manual Approach: Penetration testing and verification of the code Cross Site Request Forgery - CSRF: Protection 18

Conclusion - CSRF Cross Site Scripting - XSS Exploits the trust a user has in a website Cross Site Request Forgery - CSRF Exploits the trust the site has in a user by forging the enactor and making a request appear to come from a trusted user 2 2 wikipedia Cross Site Request Forgery - CSRF: Conclusion 19

Injection Flows Principle: Occurs when user supplied data is sent to an interpreter as part of a command or a query. Injection Flows may be done on: SQL (most common) LDAP XPath XSLT HTML OS Command injection... This vulnerability is very common on Web Application Injection Flows: Presentation 20

How does it work? Attacker tricks the interpreter into executing unintended command Attacker supplies unexpected content to a site Data is especially designed to fool the site Attacker may take control of the interpreter, for instance SQL: Read data (unintended, of course) update, delete or create any arbitrary data For the Operating System interpreter Attacker may have the opportunity to execute any command Injection Flows: Presentation 21

Vulnerability Environments affected Any framework using an interpreter or invoke process SQL Command line... System is vulnerable when user input is passed without tests PHP $query = select from guestbook ; $query.= where title like.$ REQUEST[ search ]; $result = mysql query($query, $conn); Java String query = select from user where username= ; query += req.getparameter( userid ); query += and password = +req.getparameter( pwd ) + ; Injection Flows: Vulnerability 22

Protection Avoid the use of interpreter if possible Otherwise: Use safe APIs Strongly typed parameterized queries Object Relational Mapping (ORM) They handle data escaping Validation is still recommended in order to detect attacks Injection Flows: Protection 23

Take Extra Care when using interpreters Input Validation Validate all input data: length, type, syntax, business rules validation is done before displaying or storing any data Validation must be done server-side Javascript validation doesn t bring any security Use strongly typed parameterized query APIs with placeholder substitution markers, Enforce least privilege Configure your DB such that the web account can t do more than what is expected restrict the rights of your user when executing an OS command Injection Flows: Protection 24

Take Extra Care (Cont.) Avoid detailed error messages Give access to versions numbers Give access to parts of the code Give access to configurations Use stored procedures They are generally safe from SQL injection Can however be injected (for instance using exec()) Do not use dynamic query interfaces (such as mysql query()) Injection Flows: Protection 25

Take Extra Care (Cont.) Do not use simple escaping functions such as addslashes() in PHP str replace(" "," ") it is weak and has been successfully exploited Prefer following methods use mysql real escape string() or preferably PDO which does not require escaping Injection Flows: Protection 26

Language Specific recommendations Java EE use strongly typed PreparedStatement or use an ORM (Object Relational Manager) such as Hibernate or Spring PHP Use PDO with strongly typed parameterized queries (using bindparam()). Injection Flows: Protection 27

Which site is subject to SQL injection? Such a site must access a DB The parameter should be given by the user This parameter is then used to select data in the DB Example www.mysite.com/index.php?id=100 Means there exists a request for the page number 100 If the site does not test its input You can test it by typing something like: www.mysite.com/index.php?id=%2710 If the site lets the user see error messages Test the output of your input Examples Search form (SELECT with LIKE) Login form (SELECT with two =) Insertion of new entries... Injection Flows: Examples 28

Example: Presentation Suppose we have the following HTML Form <form method= POST > <input type= text name= username ><br> <input type= password name= password ><br> <input type= submit value= Login > </form> and the following PHP line defining a SQL command: $query = SELECT FROM user WHERE username= $user ; $query.= AND password= $pwd ; For our examples, we disable a security feature from the php.ini file (normally this option is on, and it quotes all GET, POST and COOKIES parameters, means chars like: and are escaped and Advanced become Web\ Technology and 10) \ ): XSS, magic_quotes_gpc CSRF and SQL Injection = off Injection Flows: Examples 29

Example: Select user and password We want the select to work in any case Following expressions are always true SELECT FROM table WHERE 1=1; SELECT FROM table WHERE 1; SELECT FROM table WHERE ISNULL(NULL) SELECT FROM table WHERE 1 IS NOT NULL SELECT FROM table WHERE NULL IS NULL... Injection Flows: Examples 30

Example: Select user and password (Cont.) So we do not need a valid username and password if $user=" OR a = a" and $password remains empty then the previous expression becomes: SELECT FROM user WHERE username= OR a = a AND \ password= ; Returns the list of all users So we are logged in with the first provided Injection Flows: Examples 31

Login on a specific account We can specify the right username and change the password If we give $user="emmanuel" And $password=" OR b BETWEEN a AND c" The previous SQL statement becomes SELECT FROM user WHERE username= Emmanuel AND \ password= OR b BETWEEN a AND c ; So username is OK, but password is not checked! Injection Flows: Examples 32

Example, using Comments Another great principle in SQL injection is Comments It is also very common in all the other injections If we inject a #, the rest of the SQL expression is not evaluated if $user="john #" the request becomes SELECT FROM user WHERE username= John # AND password= which is equal to SELECT FROM user WHERE username= John If we use the comments /* comments */ we may escape some tests Injection Flows: Examples 33

More injection in SELECT Suppose we have the following query, for displaying the content of one single comment in our guestbook: $query = select from guestbook where guestbookid= $number ; We can copy the content in a file suppose we define $number="11 or 1=1 INTO OUTFILE /tmp/test.security.txt " The total content of the table is sent to a file. Suppose the Attacker has an account on the system (e.g. foobar). It is possible to change the password of foobar If we can write the following query: SELECT password FROM user WHERE login= foobar INTO OUTFILE\ /opt/lampp/htdocs/test.php Injection Flows: Examples 34

Attacks compatible with magic quotes Since most of the server have magic quotes gpc = on Attackers can not use or Use MySQL char() function Returns the character denoted by the number, For instance char(104,111,112) returns the string hop Previous attack becomes The following query is used to count one vote: UPDATE news SET votes=votes+1, score=score+$note WHERE\ newsid= $id, We have the following attack $note= 3, title=char(104,111,112) Injection Flows: Examples 35

How to protect yourself From SQL injection in PHP Configure PHP such that and are automatically escaped magic quotes gpc = on Always quote input before sending query to an interpreter mysql real escape string() Do not use any interpreter at all Use PDO Injection Flows: Examples 36

Conclusion (Injection Flows) SQL Injection allows attacker to Read data: Access passwords, data stored Change Data : Access security level Delete data SQL injection Vulnerabilities opens the door to: Privacy breach : Data can be accessed without consent Identity theft : idem + failure in authentication Compromission of the system : write of new files (maybe PHP)... Easy protection are already exploited Adding one (or more) layers between presentation and database layer is a must (also from the point of view of Design) Even this has also been successfully exploited. Solution? test your inputs! Injection Flows: Conclusion 37

Conclusion (Web Security) Infrastructure Security is Vital Good Network Architecture (Firewals, DMZ,... ) Application Security must not be forgotten Test Inputs Encode Outputs Teach your users No security is efficient is users aren t included for instance if they never log-out Security is expensive in Development time or in Usability Injection Flows: Conclusion 38

References OWASP Top 10-2007 http://www.owasp.org/index.php/top_10_2007 A Guide for Building Secure Web Applications and Web Services http://www.lulu.com/content/1401012 Advanced SQL Injection in SQL Server Applications - Chris Anley http://www.nextgenss.com/papers/advanced_sql_ injection.pdf L injection (My)SQL via PHP - leseulfrog http://www.phpsecure.info/v2/article/injsql.php Advanced version: http://www.phpsecure.info/v2/article/phpmysql.php SQLMAP (a SQL Injection Tool) http://sqlmap.sourceforge.net Injection Flows: Conclusion 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback