Web-Application Security

Transcription

1 Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011

2 Overview Web Applications SQL Injection XSS Bad Practice DNS Rebinding

3 Web applications applications that are accessed over a network software, hosted in a browser controlled environment, relying on browser to execute it cross-platform, no native install webmail, wikis, google docs difference to client-server

4 History JavaScript (Netscape, 1995) client-side scripting Flash (Macromedia, 1996) web application in Java (Servlet Specification, 1999) Ajax (2005) todays cross-platfom approach, browser embedding internet operating systems (ChromeOS)

5 Structure and Development the browser-server seperation naturally leads to an tiered architecture presentation, application, storage dumb client + smart server vs. smart client + dumb server web application frameworks (MVC) database access, templates, session management CMS

6 Drawbacks browser dependence connection dependence supplier/vendor dependence

7 Attack vectors SQL Injection XSS, CSRF, Response Splitting Magic URLs, Predictable Cookies, Hidden Form Fields DNS Rebinding

8 Overview Web Applications SQL Injection XSS Bad Practice DNS Rebinding

9 SQL Injection can lead to machine compromise, disclosure of sensitive data, spreading of malware most common form: attacker controlled string is used to create a SQL query or as parameter of a stored procedure results from lack of filtering/masking of untyped input

10 SQL Injection SqlCommand cmd = new SqlCommand( "SELECT ccnum FROM cust WHERE id = " + id + " ;"); CREATE PROCEDURE dbo.doquery(@id nchar(128)) AS nchar(256) = select ccnum from cust where id = + RETURN

11 Attack 1 OR 1=1 2<3 SqlCommand cmd = new SqlCommand( "SELECT ccnum FROM cust WHERE id = " + id + " ;");

12 Little Bobby Tables

13 Example 2008 thousands of computers running SQL Server and IIS compromised through a bug in a custom ASP script obfuscated SQL injection to add a malicous and obfuscated JavaScript file serverd by the webserver in an iframe to all clients the script installed malware on the clients

14 Blind SQL Injection application is vulnerable, but results are not visible page does not show data but will display differently depending on result of a query effectively a one bit channel, time consuming attack automated with tools SELECT a FROM b WHERE Id = OOk14cd AND 1 = 1 ; SELECT a FROM b WHERE Id = OOk14cd AND 1 = 2 ;

15 Countermeasures don t use string concat or string replacement prepared statements/parameterized queries validate input limit database access (only stored procedures and views) web application firewalls, IDS

16 Overview Web Applications SQL Injection XSS Bad Practice DNS Rebinding

17 Cross Site Scripting most common bug nowadays, thanks to increasing amount of web applications without security exploitable basically with just a browser attacker is able to inject client-side script into web pages can lead to bypass of same origin policy, stealing of cookies, or manipulation of the web site (all data the browser has access to) XSS worms not a bug in the web server but a bug in the web page rendered by the server

18 Types DOM-based XXS, local or type 0 Reflected XSS, nonpersistent or type 1 Stored XSS, persistent or type 2 HTTP response splitting Cross-site request forgery (XSRF, CSRF)

19 DOM-Based XSS web-based gadgets, widgets make these bugs more common attack depend solely on an insecurely written HTML page on an users computer bug in the content processing on the client gadgets is a mini applicatoin built using web technologies (HTML, JavaScript, XML) mobile code that runs on a desktop or browser with access to system resources gadgets can render untrusted input that might contain code

20 DOM-Based XSS

21 Reflected XSS most common form data provided by the web client (i.e. HTTP query parameter or HTML form submissions) is used directly by server-side scripts to generate a page of results without sanitizing the request markup injection (JavaScript, iframe,...) user clicks on link to vulnerable web app containing malicous code, code is reflected back and executed in his browser

22 Reflected XSS

23 Reflected XSS malicous code runs in context of the vulnerable domain has access to domain cookies, DOM famous sample code: <script>alert("xss");</script>

24 Stored XSS similar to type 1 but web server persists the input, which is later served up to victims blogs, forums, comments (accept arbitrary input from users and echo it back to all visitors) more dangerous, since no social engineering is required in the context of social networking sites this code can be designed to self propagate

25 Persistent XSS

26 HTTP Response Splitting instead of manipulating the HTML body, the header is attacked just as powerful and versatile as regular XSS attacks in HTTP (RFC 2616) Headers are separated by one CRLF failure to sanitize input from CRs and LFs lets attacker set arbitrary headers, body, or split the response

27 CSRF XSS: client (browser) trusts the server CSRF: server trusts the client (browser) server can not differentiate, whether a request from the browser was initiated by the user or by an attacker attacker includes a link or script in a page that accesses a site to which the user is known/authenticated <img src=" account=bob&amount= &for=mallory">

28 CSRF requirements target site does not check referer, or referer must be spoofed target must have form submission field or URL that has side effects all values must be known beforehand (no nonces) victim has to be logged in at target

29 XSS Mitigation allow only valid input (validate) encoding/escaping of output, so it won t get executed but displayed use POST instead of GET (data in form fields instead of query, operations that change state should be POST anyway) bind cookies to IPs filter CRs and LFs in headers add secret values to the session, which is not included in the cookie session timeouts FireFox Plugins: NoScript, RequestPolicy

30 Overview Web Applications SQL Injection XSS Bad Practice DNS Rebinding

31 Bad Practice in general: sensitive information is read from a cookie, HTTP header, or URL hidden forms (hold important data) predictable cookies, i.e. autoincrement userid or lousy encryption

32 magic URLs (parameters, access control) base64 decode: My$ecre+pA$$w0rD

33 Overview Web Applications SQL Injection XSS Bad Practice DNS Rebinding

34 DNS Rebinding we have to rely on name resolution, which is a fragile system infrastructure design flaw all applications that need to identify a host are affected

35 DNS hierarchy

36 DNS recursion

37 DNS interna when doing a request a client knows IP address of server source port of request name to resolve 16-bit request id (to differentiate between multiple applications) an attacker knows or can learn clients DNS server IP (same subnet or with DNS-server under attackers control, IDS) source port incremented monotonically (nowadays random 16-bit) 16-bit request id incremented monotonically (nowadays also random)

38 More on DNS cache (TTL) in response packet servers display the same problems when acting as clients to their authorities don t rely on only DNS for authentication DNSSEC, provides origin authentication, data integrity, authenticated denail of existence crypto, PKI, IPSec, SSL/TLS

39 Discussion Questions?