P2P networks course
Web Security (cont.)
Referral issues
HTTP referer (originally referrer) – HTTP header that designates the calling resource
Page on which a link is clicked
Page that shows an image
Usage
Pay for referral
Limit access to certain pages (e.g. login pages)
Limit deep linking (e.g. bypassing advertising)
Limit CSRF
Risks:
Spam (if referral is rewarded) and spoofing
Sensitive information (e.g. session ID) in the query string is leaked in the referer header
Redirection
HTTP uses redirection for
Similar domain names
Moved sites
Referral masking – before leaving the site, redirect through a less sensitive page
Implementation: several methods
Usually, a 3xx HTTP status (e.g. 301 or 302) followed by a Location header
Malicious uses
Phishing
Ad clicking and other malicious sites
XSS
Cross Site Scripting
Attacker, target, web server scenario
Target executes a client-side script crafted by the attacker
Types
Reflected – browser to server to the same browser
Stored – browser to server to any browser
DOM – the payload does not necessarily reach the web server
Delivery – reflected or stored. DOM is typically reflected.
XSS DOM
DOM – Document Object Model
Objects in the page
Examples
document.URL
document.location
document.cookie
document.referrer
JavaScript can access and manipulate these objects and properties
Problems:
HTML page can be static (independent of parameters)
Script in the page runs on DOM objects
XSS DOM (cont.)
The XSS attack may not reach the server
Server-side filtering won't detect the attack
URL format
http://domain/path?query#fragment
Fragment does not reach the server
Example – DOM XSS I
Welcome page
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
// Vulnerable by design: whatever follows "name=" in the URL is written into the page unescaped
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
…
</HTML>
Example – DOM XSS II
Attack that doesn't go through the server
www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
What happens if the JavaScript checks that all characters in name are alphanumeric? Here is an attack that still works, because indexOf("name=") matches inside notname= first:
http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>&name=Joe
Defenses
Manipulate objects in server-side scripts and sanitize them.
Or, sanitize carefully in the client-side script.
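Added example, not from the slides: the welcome page's indexOf-based extraction beside a hardened version that parses the real query string with the WHATWG URL parser (built into browsers and Node), allow-lists the value and HTML-encodes it before insertion. The function names and the 32-character limit are my own choices.

```javascript
// Vulnerable: mirrors the slide's indexOf("name=") + substring logic.
// It matches "name=" inside "notname=" and happily reads the fragment too.
function extractNameNaive(url) {
  const pos = url.indexOf("name=") + 5;
  return url.substring(pos, url.length);
}

// Hardened: parse the actual query string (the fragment is never consulted),
// take the parameter literally called "name", and allow-list its characters.
function extractNameSafe(url) {
  const name = new URL(url).searchParams.get("name");
  if (name === null || !/^[A-Za-z0-9]{1,32}$/.test(name)) {
    return null; // reject anything that is not plain alphanumeric
  }
  return name;
}

// Encode for safe insertion into HTML markup (in a browser, prefer assigning
// element.textContent over document.write so no encoding step is needed at all).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// What the hardened page would write in place of the slide's document.write call.
function greeting(url) {
  const name = extractNameSafe(url);
  return "Hi " + (name === null ? "guest" : escapeHtml(name));
}

// Constructed sample URLs, copied from the slide's two attack examples.
const FRAGMENT_ATTACK =
  "http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>";
const PREFIX_ATTACK =
  "http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>&name=Joe";

// The naive parser hands back the payload in both cases; the hardened one never does.
console.log(extractNameNaive(PREFIX_ATTACK));
console.log(greeting(FRAGMENT_ATTACK), "|", greeting(PREFIX_ATTACK));
```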
Browser separation model
Separation from the OS
Scripts cannot manipulate data and processes outside the browser context, e.g. local files
Same origin policy
Separation of domains
Suppose two pages interact
If the host name matches, i.e. www.cse.bgu.ac.il (possibly with other matches such as port number), then the pages can interact
A page can set document.domain to a higher domain, e.g. bgu.ac.il
Two pages with the same domain can interact (but all others with the same domain can also interact)
More on same origin
Behavior on top-level domains (.com) not defined
Behavior on file:// not defined
Depending on the browser (e.g. all IE versions), local files may access other local files
Same-origin for cookies
Based on identical host name
May be changed by the DOMAIN or PATH attributes of the cookie
There are similar same origin requirements for Flash, Java and other technologies
What's not same origin
Multimedia - <IMG SRC="..."> or <BGSOUND SRC="...">
Remote scripts
SQL Injection
SQL
Common database language
Database organized in a schema
Data is organized in tables
Tables are organized in rows of data fields
SQL enables
Table creation, data insertion, deletion
Queries to the database
Implementation issues and checks are outside the scope of the language
Tidbits of SQL syntax
Table creation
CREATE TABLE users(
  UserName VARCHAR(50),
  CreditCard VARCHAR(30),
  ExpirationDate VARCHAR(8),
  PRIMARY KEY (UserName));
Row insertion
INSERT INTO users
  (UserName, CreditCard)
  VALUES ('Bob', '6510…');
More syntax
Deletion
DELETE FROM users
  WHERE UserName = 'Bob';
DROP TABLE users;
SQL queries
SELECT UserName, CreditCard
FROM users
WHERE UserName = 'Bob';
WHERE evaluates a logical statement to true or false
SELECT UserName, CreditCard
FROM users
WHERE UserName = 'Bob' AND ExpirationDate < $date;
More queries
Queries can be prepared as statements in application code and executed with a parameter filled in, here by string concatenation:
statement =
  "SELECT UserName, CreditCard
   FROM users
   WHERE UserName = '" + userName + "';"
Usage scenario in a web server
E-commerce web server stores user data in an SQL database
Registration process
User enters name and credit card number
Database adds a row
Shopping process
User authenticates to the web server (e.g. TLS and HTTP authentication)
User selects products
Database retrieves user data and the web server shows it to the user
User clicks "buy" and the process ends
Example continued
Username passed by the browser in
http://www.site.com/store/username.asp?username=Bob
Attack
http://www.site.com/store/username.asp?username=' or '1'='1
SQL interprets this as
SELECT UserName, CreditCard
  FROM users
  WHERE UserName = '' or '1'='1';
WHERE evaluates to true for every row.