Web Security II. Slides from M. Hicks, University of Maryland

Similar documents
2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Security for the Web. Thanks to Dave Levin for some slides

Security for the Web. Thanks to Dave Levin for some slides

WEB SECURITY: XSS & CSRF

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Web basics: HTTP cookies

CS 161 Computer Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

CS 142 Winter Session Management. Dan Boneh

Information Security CS 526 Topic 8

P2_L12 Web Security Page 1

Computer Security CS 426 Lecture 41

CIS 4360 Secure Computer Systems XSS

Information Security CS 526 Topic 11

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

CS 155 Project 2. Overview & Part A

Web Security Computer Security Peter Reiher December 9, 2014

Web Security: XSS; Sessions

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

CS 161 Computer Security

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

NET 311 INFORMATION SECURITY

Web Application Security

CSCE 813 Internet Security Case Study II: XSS

Web Security, Part 2

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

The security of Mozilla Firefox s Extensions. Kristjan Krips

CS 161 Computer Security

Web Application Security. Philippe Bogaerts

Application vulnerabilities and defences

Web Pen Tes)ng. Michael Hicks CMSC 498L, Fall 2012 Part 2 slides due to Eric Eames, Lead Penetra)on Tester, SAIC, March 2012

Hacking Intranet Websites from the Outside

CSC 405 Computer Security. Web Security

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Robust Defenses for Cross-Site Request Forgery

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Security: Cross-Site Attacks

Robust Defenses for Cross-Site Request Forgery Review

Web Security: Vulnerabilities & Attacks

SECURING APACHE : ATTACKS ON SESSION MANAGEMENT

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

RKN 2015 Application Layer Short Summary

Client Side Injection on Web Applications

John Coggeshall Copyright 2006, Zend Technologies Inc.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Some Facts Web 2.0/Ajax Security

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Web Application & Web Server Vulnerabilities Assessment Pankaj Sharma

Web Security: Web Application Security [continued]

last time: command injection

CSCD 303 Essential Computer Security Fall 2018

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Content Security Policy

CS526: Information security

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

WEB SECURITY: WEB BACKGROUND

CSCD 303 Essential Computer Security Fall 2017

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

WHY CSRF WORKS. Implicit authentication by Web browsers

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Base64 The Security Killer

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

CSC 482/582: Computer Security. Cross-Site Security

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Lecture Notes on Safety and Information Flow on the Web: II

Web Security. Aggelos Kiayias Justin Neumann

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

EasyCrypt passes an independent security audit


Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

CIS 5373 Systems Security

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Secure Coding and Code Review. Berlin : 2012

ESORICS September Martin Johns

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Security Course. WebGoat Lab sessions

Copyright

django-secure Documentation

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

Secure Frame Communication in Browsers Review

Evaluating the Security Risks of Static vs. Dynamic Websites

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Transcription:

Web Security II Slides from M. Hicks, University of Maryland

Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived state Send such state to the client Client returns the state in subsequent responses Two kinds of state: hidden fields, and cookies

0.5

Capabilities Server maintains trusted state (while client maintains the rest) Server stores intermediate state Send a capability to access that state to the client Client references the capability in subsequent responses Capabilities should be large, random numbers, so that they are hard to guess To prevent illegal access to the state

Cookies Server maintains trusted state Server indexes/denotes state with a cookie Sends cookie to the client, which stores it Client returns it with subsequent queries to that same server

Why cookies Session identifier After a user has authenticated, subsequent actions provide a cookie So the user does not have to authenticate each time Personalization Let an anonymous user customize your site Store font choice, etc., in the cookie

Personalization

Web Authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited http://website.com/login.html?user=alice&pass=secret with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests include the cookie in the request headers and/or as one of the fields: http://website.com/dostuff.html?sid=81asf98as8eak The idea is to be able to say I am talking to the same browser that authenticated Alice earlier.

Cookie Theft Session cookies are, once again, capabilities The holder of a session cookie gives access to a site with the privileges of the user that established that session Thus, stealing a cookie may allow an attacker to impersonate a legitimate user Actions that will seem to be due to that use Permitting theft or corruption of sensitive data

Defense: Unpredictability Avoid theft by guessing; cookies should be Randomly chosen, Sufficiently long (Same goes with hidden field identifiers) Can also require separate, correlating information Only accept requests due to legitimate interactions with web site (e.g., from clicking links)

A FacebookStory: Firesheep A Firefox s Add-on Sniff HTTP headers on unsecured Wi-Fi Downloaded > 400000 in 5 days 1 M searches on Google in 10 days Defense: HTTPS

A Twitter Story Uses one cookie (auth_token) to validate user, which is a function of User name, password auth_token weaknesses Does not change from one login to the next Does not become invalid when the user logs out Thus: steal this cookie once, and you can log in as the user any time you want (until password change)! Defense: Time out session IDs and delete them once the session ends

Non-Defense Address-based (non)defense: Store client IP address for session; if session changes to a different address, must be a session hijack, right? Problem, false positives: IP addresses change! Moving between WiFi network and 3G network DHCP renegotiation Problem, false negatives: could be hijacked to different machine with same IP address Both requests via same NAT box

Cross-Site Request Forgery Target: User who has an account on a vulnerable server Attack goal: make requests to the server via the user s browser that look to the server like the user intended to make them Attacker tools: ability to get the user to click a link crafted by the attacker that goes to the vulnerable site Key tricks: Requests to the web server have predictable structure Use of something like <imgsrc= > to force the victim to send it

Problem: Referrer Optional Not included by all browsers Sometimes other legitimate reasons not to have it Response: lenient referrer checking Blocks requests with a bad referrer, but allows requests with no referrer Missing referrer always harmless? No: attackers can force the removal of referrer! Bounce user off of ftp: page Exploit browser vulnerability and remove it Man-in-the-middle network attack

CSRFProtection: SecretizedLinks Include a secret in every link/form Can use a hidden form field, custom HTTP header, or encode it directly in the URL Must not be guessable value Can be same as session id sent in cookie Frameworks help: Ruby on Rails embeds secret in every link automatically

Review: SOP Same-Origin-Policy Browsers need to confine Javascript s power A script on attacker.comshould not be able to: Alter the layout of a bank.comweb page Read keystrokes typed by the user while on a bank.com web page Read cookies belonging to bank.com

Cross-Site Scripting (XSS) Site attacker.com provides a malicious script Tricks the user s browser into believing that the script s origin is bank.com Runs with bank.com s access privileges One general approach: Trick the server of interest (bank.com) to actually send the attacker s script to the user s browser! The browser will view the script as coming from the same origin because it does!

Stored XSSSummary Target: User with Javascript-enabled browser who visits user-influenced content page on a vulnerable web service Attack goal: run script in user s browser with the same access as provided to the server s regular scripts (i.e., subvert the Same Origin Policy) Attacker tools: ability to leave content on the web server (e.g., via an ordinary browser). Optional tool: a server for receiving stolen user information Key trick: Server fails to ensure that content uploaded to page does not contain embedded scripts

Samyand Myspace.com Samyembedded Javascriptprogram in his MySpace page (via stored XSS) MySpace servers attempted to filter it, but failed Users who visited his page ran the program, which made them friends with Samy; displayed but most of all, Samyis my hero on their profile; installed the program in their profile, so a new user who viewed profile got infected From 73 friends to 1,000,000 friends in 20 hours Took down MySpace for a weekend

Reflected XSSSummary Target: User with Javascript-enabled browser who uses a vulnerable web service that includes parts of URLs it receives in the web page output it generates Attack goal: run script in user s browser with the same access as provided to the server s regular scripts Attacker tools: get user to click on a specially-crafted URL. Optional tool: a server for receiving stolen user information Key trick: Server does not ensure that it s output doesnot contain foreign, embedded scripts

XSSDefense: Filter/Escape Typical defense is sanitizing: remove all executable portions of user-provided content that will appear in HTML pages E.g., look for <script>... </script> or <javascript>... </javascript> from provided content and remove it So, if I fill in the name field for Facebookas <script>alert(0)</script> and the script tags removed Often done on blogs, e.g., WordPress

Problem: Finding the Content Bad guys are inventive: lots of ways to introduce Javascript; e.g., CSS tags and XML-encoded data: <div style="background-image: url(javascript:alert( JavaScript ))">...</div> <XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><! [CDATA[cript:alert( XSS );">]]>! Worse: browsers helpful by parsing broken HTML! Samyfigured out that IE permits javascripttag to be split across two lines; evaded MySpace filter Hard to get it all

Better defense: White list Instead of trying to sanitize, ensure that your application validates all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous spec of what should be allowed. Example: Instead of supporting full document markup language, use a simple, restricted subset E.g., markdown

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback