Web Security - courses.cs.washington.edu
Spring 2019
Franziska (Franzi) Roesner [email protected]
Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...
CSE 484 / CSE M 584: Computer Security and Privacy
Web Security [Web Application Security]
OWASP Top 10 Web Vulnerabilities
1. Injection
2. Broken Authentication & Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
5/13/19 CSE 484 / CSE M 584 - Spring 2019 2
http://www.owasp.org
Cross-Site Request Forgery (CSRF/XSRF)
Cookie-Based Authentication Redux
[Diagram: Browser and Server exchanging a session cookie]
Browser Sandbox Redux
• Based on the same origin policy (SOP)
• Active content (scripts) can send anywhere!
  – For example, can submit a POST request
  – Some ports inaccessible – e.g., SMTP (email)
• Can only read response from the same origin
  – … but you can do a lot with just sending!
Cross-Site Request Forgery
• User logs into bank.com, forgets to sign off
  – Session cookie remains in browser state
• User then visits a malicious website containing
  <form name=BillPayForm action=http://bank.com/BillPay.php>
    <input name=recipient value=badguy> …
  </form>
  <script> document.BillPayForm.submit(); </script>
• Browser sends cookie, payment request fulfilled!
• Lesson: cookie authentication is not sufficient when side effects can happen
Cookies in Forged Requests
User credentials automatically sent by browser:
  Cookie: SessionID=523FA4cd2E
Sending a Cross-Domain POST
  <form method="POST" action=http://othersite.com/action> ... </form>
  <script> document.forms[0].submit() </script>
• Hidden iframe can do this in the background
• User visits a malicious page, browser submits form on behalf of the user
  – Hijack any ongoing session (if no protection)
    • Netflix: change account settings, Gmail: steal contacts, Amazon: one-click purchase
  – Reprogram the user’s home router
  – Many other attacks possible
Impact
• Hijack any ongoing session (if no protection)
  – Netflix: change account settings, Gmail: steal contacts, Amazon: one-click purchase
• Reprogram the user’s home router
• Login to the attacker’s account
XSRF True Story
[Alex Stamos]
[Diagram labels: Internet Exploder; CyberVillians.com; StockBroker.com; ticker.stockbroker.com (Java); GET news.html; HTML and JS from www.cybervillians.com/news.html (“Bernanke Really an Alien?”); script → HTML Form POSTs]
Hidden iframes submitted forms that…
• Changed user’s email notification settings
• Linked a new checking account
• Transferred out $5,000
• Unlinked the account
• Restored email notifications
Login XSRF: Attacker logs you in as them!
[Diagram: user logged in as attacker; attacker’s account reflects user’s behavior]
XSRF (aka CSRF): Summary
[Diagram: attack server, server victim, user victim; numbered steps 1, 2 and 4 are visible in the figure]
Q: how long do you stay logged on to Gmail? Financial sites?
Broader View of XSRF
• Abuse of cross-site data export
  – SOP does not control data export
  – Malicious webpage can initiate requests from the user’s browser to an honest server
  – Server thinks requests are part of the established session between the browser and the server (browser automatically sends cookies)
XSRF Defenses
• Secret validation token
  <input type=hidden value=23a3af01b>
• Referer validation
  Referer: http://www.facebook.com/home.php
Add Secret Token to Forms
• “Synchronizer Token Pattern”
• Include a secret challenge token as a hidden input in forms
  <input type=hidden value=23a3af01b>
  – Token often based on user’s session ID
  – Server must verify correctness of token before executing sensitive operations
• Why does this work?
  – Same-origin policy: attacker can’t read token out of legitimate forms loaded in user’s browser, so can’t create fake forms with correct token
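To make the attack from the earlier CSRF slides and this defense concrete, here is an added example (Python; not code from the slides) modelling the bank’s BillPay handler twice: once with cookie-only authentication, where the POST auto-submitted by the malicious page is honoured, and once with the synchronizer token pattern, where the hidden token is HMAC(server key, session id). SERVER_KEY, SESSIONS, the Request class and the handler names are assumptions for the illustration; the Request objects stand in for what the browser would send.

```python
import hmac
import hashlib
import secrets
from typing import Dict

# Added example (not from the slides). SERVER_KEY, SESSIONS, Request and the
# handle_billpay_* names are assumptions for this illustration.

SERVER_KEY = secrets.token_bytes(32)   # server-side secret, never sent to clients
SESSIONS: Dict[str, str] = {}          # session_id -> username (server-side store)


class Request:
    """A stripped-down HTTP request: the cookies the browser attached
    automatically plus the submitted form fields."""
    def __init__(self, cookies: Dict[str, str], form: Dict[str, str]):
        self.cookies = cookies
        self.form = form


def login(username: str) -> str:
    """Start a session; return the session id the browser stores as a cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return session_id


def csrf_token(session_id: str) -> str:
    """Per-session token = HMAC(server key, session id). It is bound to the
    session (a token from the attacker's own session is useless against the
    victim's) and the server can recompute it instead of storing it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def render_billpay_form(session_id: str) -> str:
    """The legitimate page embeds the token as a hidden input. The same-origin
    policy stops a cross-origin attacker page from reading this HTML."""
    return ('<form name=BillPayForm method=POST action=/BillPay.php>'
            f'<input type=hidden name=csrf_token value={csrf_token(session_id)}>'
            '<input name=recipient> ... </form>')


def handle_billpay_vulnerable(req: Request) -> str:
    """Cookie-only authentication: any request carrying the session cookie is
    honoured, including one produced by a malicious page's auto-submitted form."""
    user = SESSIONS.get(req.cookies.get("SessionID", ""))
    if user is None:
        return "401 not logged in"
    return f"200 paid {req.form['recipient']} from {user}"


def handle_billpay_protected(req: Request) -> str:
    """Synchronizer token pattern: verify the hidden token against the session
    before doing anything with side effects."""
    session_id = req.cookies.get("SessionID", "")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    supplied = req.form.get("csrf_token", "")
    expected = csrf_token(session_id)
    # Constant-time comparison on bytes (attacker controls `supplied`).
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "403 missing or invalid CSRF token"
    return f"200 paid {req.form['recipient']} from {user}"


def demo() -> tuple:
    """Victim logs in, then visits a page that auto-submits
    <form action=http://bank.com/BillPay.php><input name=recipient value=badguy>.
    The browser attaches the bank cookie; the attacker cannot attach the token."""
    sid = login("alice")
    forged = Request(cookies={"SessionID": sid}, form={"recipient": "badguy"})
    # Legitimate submission: the browser sends back the token the bank gave it.
    genuine = Request(cookies={"SessionID": sid},
                      form={"recipient": "landlord", "csrf_token": csrf_token(sid)})
    # Attacker supplying a token from *their own* session also fails.
    attacker_sid = login("mallory")
    cross = Request(cookies={"SessionID": sid},
                    form={"recipient": "badguy", "csrf_token": csrf_token(attacker_sid)})
    return (handle_billpay_vulnerable(forged),
            handle_billpay_protected(forged),
            handle_billpay_protected(genuine),
            handle_billpay_protected(cross))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The token is derived from the session id rather than stored, so a server that already keeps a session table gets the check without extra state; the comparison is constant-time because the attacker controls the submitted value.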
Referer Validation
• Lenient referer checking – header is optional
• Strict referer checking – header is required
  Referer: http://www.facebook.com/home.php   ✓ (accepted)
  Referer: http://www.evil.com/attack.html    ✗ (rejected)
  Referer:                                    ? (accepted under lenient checking, rejected under strict)
Why Not Always Strict Checking?
• Why might the referer header be suppressed?
  – Stripped by the organization’s network filter
  – Stripped by the local machine
  – Stripped by the browser for HTTPS → HTTP transitions
  – User preference in browser
  – Buggy browser
• Web applications can’t afford to block these users
• Many web application frameworks include CSRF defenses today
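The lenient/strict distinction from the two preceding slides, as an added example (Python; not from the slides). It runs the three Referer cases from the slide, plus a prefix-spoofing variant, through both policies. The trusted host www.facebook.com is taken from the slide’s sample header; the policy names and function names are assumptions for the illustration.

```python
from urllib.parse import urlsplit
from typing import Dict, Optional

# Added example (not from the slides). TRUSTED_HOSTS, the policy names and the
# function names are assumptions for this illustration.

TRUSTED_HOSTS = {"www.facebook.com"}


def referer_host(headers: Dict[str, str]) -> Optional[str]:
    """Return the host named in the Referer header, or None if the header is
    absent or empty (the bare 'Referer:' case on the slide) or not a parseable
    http(s) URL. Parsing the URL rather than doing a string-prefix match matters:
    the prefix 'http://www.facebook.com' would also accept
    http://www.facebook.com.evil.com/."""
    value = headers.get("Referer", "").strip()
    if not value:
        return None
    parts = urlsplit(value)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def referer_allows(headers: Dict[str, str], policy: str) -> bool:
    """policy='lenient': header optional; if present it must name a trusted host.
    policy='strict': header required and must name a trusted host."""
    host = referer_host(headers)
    if host is None:
        return policy == "lenient"
    return host in TRUSTED_HOSTS


# Constructed sample requests: the slide's three cases plus a prefix spoof.
SAMPLES = {
    "same-site": {"Referer": "http://www.facebook.com/home.php"},
    "cross-site": {"Referer": "http://www.evil.com/attack.html"},
    "suppressed": {"Referer": ""},   # stripped by proxy, HTTPS->HTTP, preference...
    "prefix-spoof": {"Referer": "http://www.facebook.com.evil.com/x"},
}


def evaluate() -> Dict[str, Dict[str, bool]]:
    """Run every sample through both policies; returns {policy: {case: accepted}}."""
    return {policy: {name: referer_allows(h, policy) for name, h in SAMPLES.items()}
            for policy in ("lenient", "strict")}


if __name__ == "__main__":
    for policy, results in evaluate().items():
        print(policy, results)
```

The "suppressed" row is exactly the case the next slide is about: lenient checking lets those users through (and so lets through a forged request whose Referer happened to be stripped), strict checking locks them out.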
Web Session Management
Primitive Browser Session
www.e_buy.com
  View catalog → www.e_buy.com/shopping.cfm?pID=269
  Select item → www.e_buy.com/shopping.cfm?pID=269&item1=102030405
  Check out → www.e_buy.com/checkout.cfm?pID=269&item1=102030405
Store session information in URL; easily read on network
Bad Idea: Encoding State in URL
• Unstable, frequently changing URLs
• Vulnerable to eavesdropping and modification
• There is no guarantee that URL is private
FatBrain.com circa 1999
• User logs into website with his password, authenticator is generated, user is given special URL containing the authenticator
  – With special URL, user doesn’t need to re-authenticate
• Reasoning: user could not have known the special URL without authenticating first. That’s true, BUT…
• Authenticators are global sequence numbers
  – It’s easy to guess sequence number for another user
  – Partial fix: use random authenticators
  https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555758
  https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752
Typical Solution: Web Authentication via Cookies
• Servers can use cookies to store state on client
  – When session starts, server computes an authenticator and gives it back to browser in the form of a cookie
• Authenticators must be unforgeable and tamper-proof
  – Malicious client shouldn’t be able to compute his own or modify an existing authenticator
• Example: MAC(server’s secret key, session id)
  – With each request, browser presents the cookie
  – Server recomputes and verifies the authenticator
• Server does not need to remember the authenticator
Storing State in Hidden Forms
• Dansie Shopping Cart (2006)
  – “A premium, comprehensive, Perl shopping cart. Increase your web sales by making it easier for your web store customers to order.”
  <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
  Black Leather purse with leather straps<BR>
  Price: $20.00<BR>
  <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
  <INPUT TYPE=HIDDEN NAME=price VALUE="20.00">        ← Change this to 2.00: bargain shopping!
  <INPUT TYPE=HIDDEN NAME=sh VALUE="1">
  <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
  <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
  <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
  </FORM>
Fix: MAC client-side data, or, more likely, keep on server.
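The MAC construction from the “Web Authentication via Cookies” slide and the “MAC client-side data” fix for the hidden-form cart above are the same idea, so one added example (Python; not the slides’ or Dansie’s code) covers both: a session cookie of the form user:random-id|MAC(server key, payload), and a set of hidden form fields signed the same way. The server recomputes the MAC on every request and stores nothing; the 20.00 → 2.00 edit from the slide is detected. SERVER_KEY, the field layout and the function names are assumptions for the illustration.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional
from urllib.parse import urlencode

# Added example (not from the slides). SERVER_KEY, the cookie/field layout and
# the function names are assumptions for this illustration.

SERVER_KEY = secrets.token_bytes(32)   # known only to the server


def mac(data: bytes) -> str:
    """MAC(server's secret key, data) as hex; HMAC-SHA256 stands in for 'MAC'."""
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()


def same(tag: str, expected: str) -> bool:
    """Constant-time comparison on bytes (the client controls `tag`)."""
    return hmac.compare_digest(tag.encode(), expected.encode())


# --- 1. Cookie authenticator: MAC(server key, session id) --------------------

def issue_session_cookie(user: str) -> str:
    """Session id is random (not a global sequence number as at FatBrain) and
    the whole payload is bound by the MAC, so it can neither be guessed nor edited."""
    session_id = secrets.token_urlsafe(16)
    payload = f"{user}:{session_id}"
    return f"{payload}|{mac(payload.encode())}"


def verify_session_cookie(cookie: str) -> Optional[str]:
    """Return the user name if the cookie is intact, else None.
    Nothing is looked up: the server only recomputes the MAC."""
    payload, _, tag = cookie.rpartition("|")
    if not payload or not same(tag, mac(payload.encode())):
        return None
    return payload.split(":", 1)[0]


# --- 2. Hidden form state (Dansie-style cart) -------------------------------

def sign_form_fields(fields: Dict[str, str]) -> Dict[str, str]:
    """Emit the hidden fields plus a 'sig' over their canonical encoding.
    The client still sees the price; it just cannot change it unnoticed."""
    canonical = urlencode(sorted(fields.items())).encode()
    return {**fields, "sig": mac(canonical)}


def verify_form_fields(submitted: Dict[str, str]) -> bool:
    """Recompute the MAC over every field except 'sig'; reject on mismatch."""
    sig = submitted.get("sig", "")
    fields = {k: v for k, v in submitted.items() if k != "sig"}
    canonical = urlencode(sorted(fields.items())).encode()
    return same(sig, mac(canonical))


def demo() -> Dict[str, object]:
    cookie = issue_session_cookie("alice")
    tampered_cookie = cookie.replace("alice", "admin", 1)   # edit the user name only

    purse = sign_form_fields({"name": "Black leather purse", "price": "20.00", "sh": "1"})
    bargain = dict(purse, price="2.00")                     # the slide's 'change this to 2.00'

    return {
        "cookie_ok": verify_session_cookie(cookie),
        "cookie_tampered": verify_session_cookie(tampered_cookie),
        "form_ok": verify_form_fields(purse),
        "form_tampered": verify_form_fields(bargain),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

A MAC gives integrity, not secrecy: the price and user name are still readable on the client, which is fine here but not for anything confidential. It also does not stop a client replaying an older, validly signed form (e.g. a price from before an increase), which is one reason the slide says keeping the state on the server is the more likely fix.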
Top Web Vulnerabilities: Summary
• XSS (CSS) – cross-site scripting
  – Malicious code injected into a trusted context (e.g., malicious data presented by an honest website interpreted as code by the user’s browser)
• SQL injection
  – Malicious data sent to a website is interpreted as code in a query to the website’s back-end database
• XSRF (CSRF) – cross-site request forgery
  – Bad website forces the user’s browser to send a request to a good website
• Broken authentication and session management