P2P networks course


Web Security (cont.)

Referral issues
• HTTP Referer (a misspelling of "referrer") – HTTP header that designates the calling resource
  • Page on which a link is clicked
  • Page that shows an image
• Usage
  • Pay for referral
  • Limit access to certain pages (e.g. login pages)
  • Limit deep linking (e.g. bypassing advertising)
  • Limit CSRF
• Risks:
  • Spam (if referral is rewarded) and spoofing of the header
  • Sensitive information (e.g. a session ID) in the query string leaks through the Referer

Redirection
• HTTP uses redirection for
  • Similar domain names
  • Moved sites
  • Referral masking – before leaving a site, redirect through a less sensitive page so the Referer does not expose the original URL
• Implementation: several methods
  • Usually a 3xx HTTP status (e.g. 301 or 302) followed by a Location header
• Malicious uses
  • Phishing
  • Ad clicking and other malicious sites

XSS
• Cross Site Scripting
• Attacker, target, web server scenario
• Target executes a client-side script crafted by the attacker
• Types
  • Reflected – browser to server to the same browser
  • Stored – browser to server to any browser
  • DOM – does not necessarily reach the web server
• Delivery – reflected or stored. DOM is typically reflected.

XSS DOM
• DOM – Document Object Model: the objects in a page
• Examples
  • document.URL
  • document.location
  • document.cookie
  • document.referrer
• Javascript can access and manipulate these objects and properties
• Problems:
  • The HTML page can be static (independent of parameters)
  • The script in the page runs on DOM objects

XSS DOM (cont.)
• The XSS attack may not reach the server
• Server-side filtering won't detect the attack
• URL format
  • http://domain/path?query#fragment
• The fragment does not reach the server

Example – DOM XSS I
• Welcome page

    <HTML>
    <TITLE>Welcome!</TITLE>
    Hi
    <SCRIPT>
    var pos=document.URL.indexOf("name=")+5;
    document.write(document.URL.substring(pos,document.URL.length));
    </SCRIPT>
    <BR>
    Welcome to our system
    …
    </HTML>

Example – DOM XSS II
• Attack that doesn't go through the server:

    www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>

• What happens if the Javascript checks that all characters in name are alphanumeric? Here is an attack:

    http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>&name=Joe

• Defenses
  • Manipulate the objects in server-side scripts and sanitize them there.
  • Or, sanitize carefully in the client-side script.

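A worked model of the two attack URLs above and of the defenses, added here as an example (it is not the lecture's own code): the server's view of each URL, the slide's indexOf("name=") extraction reproduced in Python, and a hardened extraction that parses the query properly and allowlists alphanumerics. The URLs are the slide's; the function names are my own.

```python
import html
from urllib.parse import urlsplit, parse_qs

# The lecture's two attack URLs plus a benign visit (constructed sample input).
BENIGN = "http://www.vulnerable.site/welcome.html?name=Bob"
FRAGMENT_ATTACK = ("http://www.vulnerable.site/welcome.html"
                   "#name=<script>alert(document.cookie)</script>")
NOTNAME_ATTACK = ("http://www.vulnerable.site/welcome.html"
                  "?notname=<script>alert(document.cookie)</script>&name=Joe")


def server_sees(url):
    """Query parameters the server receives; the #fragment is never sent to it."""
    return parse_qs(urlsplit(url).query)


def server_filter_passes(url):
    """Server-side filter from the slide: every 'name' it sees must be alphanumeric.
    A request carrying no 'name' at all (the fragment attack) passes trivially."""
    return all(v.isalnum() for v in server_sees(url).get("name", []))


def client_extract_vulnerable(url):
    """Exactly the slide's script: document.URL.indexOf("name=")+5 to the end.
    Assumes, like the slide, that the browser leaves <, > and quotes unencoded."""
    pos = url.find("name=") + 5   # find() gives -1 when absent, same bug as indexOf
    return url[pos:]


def client_extract_hardened(url):
    """Parse the query properly, read only 'name', and allowlist alphanumerics.
    Returns None when the value is missing, repeated or not alphanumeric."""
    values = parse_qs(urlsplit(url).query).get("name", [])
    if len(values) != 1 or not values[0].isalnum():
        return None
    return values[0]


def render_greeting_hardened(url):
    """What the hardened page would write: the validated name, HTML-escaped as well,
    so a later relaxation of the allowlist still cannot inject markup."""
    name = client_extract_hardened(url)
    return "Hi " + html.escape(name if name is not None else "visitor")
```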
Browser separation model
• Separation from the OS
  • Scripts cannot manipulate data and processes outside the browser context, e.g. local files
• Same origin policy
  • Separation of domains
  • Suppose two pages interact
  • If the host name matches, e.g. www.cse.bgu.ac.il (possibly with other matches required, such as the port number), then the pages may interact
  • A page can set document.domain to a higher domain, e.g. bgu.ac.il
  • Two pages with the same domain can interact (but all other pages with that domain can then interact as well)

More on same origin
• Behavior on top-level domains (.com) not defined
• Behavior on file:// not defined
  • Depending on the browser (e.g. all IE versions), local files may access other local files
• Same origin for cookies
  • Based on identical host name
  • May be changed by the DOMAIN or PATH attributes of the cookie
• There are similar same-origin requirements for Flash, Java and other technologies
• What's not same origin
  • Multimedia – <IMG SRC="..."> or <BGSOUND SRC="...">
  • Remote scripts

SQL Injection

SQL
• Common database language
• Database organized in a schema
  • Data is organized in tables
  • Tables are organized in rows of data fields
• SQL enables
  • Table creation, data insertion, deletion
  • Queries to the database
• Implementation issues and checks are outside the scope of the language

Tidbits of SQL syntax
• Table creation

    CREATE TABLE users(
        UserName VARCHAR(50),
        CreditCard VARCHAR(30),
        ExpirationDate VARCHAR(8),
        PRIMARY KEY (UserName));

• Row insertion

    INSERT INTO users
        (UserName, CreditCard)
        VALUES ('Bob', '6510…');

More syntax
• Deletion of a row

    DELETE FROM users
        WHERE UserName = 'Bob';

• Deletion of the whole table

    DROP TABLE users;

SQL queries

    SELECT UserName, CreditCard
        FROM users
        WHERE UserName = 'Bob';

• WHERE evaluates a logical statement to true or false for each row

    SELECT UserName, CreditCard
        FROM users
        WHERE UserName = 'Bob' AND ExpirationDate < $date;

More queries
• Queries can be prepared as statements, which are then executed with a parameter; here the parameter is pasted into the SQL text by string concatenation:

    statement =
        "SELECT UserName, CreditCard
         FROM users
         WHERE UserName = '" + userName + "';"

Usage scenario in web server
• E-commerce web server stores user data in an SQL database
• Registration process
  • User enters name and credit card number
  • Database adds a row
• Shopping process
  • User authenticates to the web server (e.g. TLS and HTTP authentication)
  • User selects products
  • Database retrieves the user's data and the web server shows it to the user
  • User clicks "buy" and the process ends

Example continued
• Username passed by the browser in

    http://www.site.com/store/username.asp?username=Bob

• Attack

    http://www.site.com/store/username.asp?username=' or '1'='1

• SQL interprets this as

    SELECT UserName, CreditCard
        FROM users
        WHERE UserName = '' or '1'='1';

• WHERE evaluates to true for every row.

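The attack above run against a constructed copy of the lecture's users table, added here as an example (not the lecture's code): the concatenated query of the "More queries" slide leaks every row for the input ' or '1'='1, while the same lookup with a bound parameter returns nothing. The sqlite3 in-memory database, the fake card values and the function names are my own.

```python
import sqlite3


def build_store():
    """Constructed in-memory copy of the lecture's users table; card values are fake."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(UserName VARCHAR(50), CreditCard VARCHAR(30), "
                 "ExpirationDate VARCHAR(8), PRIMARY KEY (UserName))")
    conn.executemany("INSERT INTO users (UserName, CreditCard) VALUES (?, ?)",
                     [("Bob", "6510-TEST-0001"), ("Alice", "4111-TEST-0002")])
    return conn


def lookup_vulnerable(conn, user_name):
    """The slide's concatenation: the browser-supplied value becomes SQL text."""
    statement = ("SELECT UserName, CreditCard FROM users WHERE UserName = '"
                 + user_name + "'")
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn, user_name):
    """Bound parameter: the driver passes the value as data, so quotes and an
    'or' inside it can never change the structure of the query."""
    return conn.execute(
        "SELECT UserName, CreditCard FROM users WHERE UserName = ?",
        (user_name,)).fetchall()


def suspicious_result(rows):
    """Cheap server-side sanity check: a primary-key lookup yields at most one row."""
    return len(rows) > 1


if __name__ == "__main__":
    conn = build_store()
    payload = "' or '1'='1"                       # the slide's attack value
    print(lookup_vulnerable(conn, payload))       # every row leaks
    print(lookup_parameterized(conn, payload))    # []
```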