Download web and database security - Course Website Directory

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
page
33
page
34
page
35
page
36
page
37
page
38
page
39
page
40
page
41
Document related concepts

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

Transcript 
Web Security
Cyber Security Lab
Spring '10
04/15/10
Cyber Security Lab
1
Outline


Web application weaknesses

XSS

AJAX weaknesses
SQL Injection Attacks

(Slides from Lars Olson)

http://www.cs.uiuc.edu/class/fa07/cs461/slide
s/DBSecurity.ppt
04/15/10
Cyber Security Lab
2
The Web as a Ripe Target

Attack targets


Client browser/machine

Install adware

Email address book

Bank information displayed in browser
Web server


Backend server

04/15/10
Infect pages to be served to others, e.g. Knoppix
Grab valuable customer data
Cyber Security Lab
3
Attack Tools

Used to be HTML, CGI and Java

Now Javascript and AJAX


Active content which may not be apparent

Script access to current page (DOM)

Ability to make additional HTTP requests
SQL injections to attack the backend
04/15/10
Cyber Security Lab
4
Cross Site Scripting (XSS)


Goal – Inject malicious code into web pages
viewed by others.
Cross site a bit of a misnomer.

Term applies to general injection of malicious script

Three types

Wikipedia reference

04/15/10
http://en.wikipedia.org/wiki/Cross_site_scripting
Cyber Security Lab
5
Type 2 XSS


Type 2 – Stored or persistent

User entered data is stored

Later used to create dynamic pages

Very powerful attack
Examples

04/15/10
Sites that allow HTML formatted user input, e.g.
Blog comments, wiki entries.
Cyber Security Lab
6
Second Order XSS

Combine type 2 attack with social engineering

Sign up for an account


Enter exploit script in address field
Call help desk

Display your record

Launch from the inside
04/15/10
Cyber Security Lab
7
Type 1 XSS


Type 1 – Non-persistent or reflected

User enters data. Server uses data to dynamically
create page, e.g. Search engine

Generally attacking self, but could be tool for social
engineering.
E.g., enter the following into a form that then
shows the original query in the response.

04/15/10
<script>confirm("Do you hate purple
dinosaurs?");</script>
Cyber Security Lab
8
Type 0 XSS

Type 0 -DOM-based or Local

Very similar to Type 1 except the actual script is
passed argument and parsed on client side only

Server processing cannot fix the problem

Again self attack. Likely invoked through phishing
link, email HTML rendering, or hidden link in main
page.
04/15/10
Cyber Security Lab
9
Type 0 XSS

Consider


<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system…</HTML>
Invoke as

http://vulsystem.com/welcome.html?name=Bob

http://vulsystem.com/welcome.html?name=<script>alert(document.cookie)</scrip
t>
04/15/10
Cyber Security Lab
10
Input Cleansing

Ensure that the user is providing the type of
information you are expecting.

No HTML tags in blog comments

Perform escaping of all special characters


Mozilla and “get” arguments
Could defeat by alternative encodings
04/15/10
Cyber Security Lab
11
Example MySpace Exploit

Samy Worm – October '05

Person views infected myspace page

Executes javascript exploit


Adds Samy to viewer's hero list

Adds infection to viewer's myspace page
http://namb.la/popular/tech.html - Technical
explanation apparently from Samy

04/15/10
Many cases of tediously finding alternative ways of
expressing javascript components
Cyber Security Lab
12
Newer Exploits

Quicktime worm – December '06

Blank movie provides hook to execute malicious
script

Script redirects to phishing page that looks like
myspace login page

http://www.securityfocus.com/brief/375
Koobface virus on MySpace and Facebook
See link to movie. Movie requires flash update
(really virus)
04/15/10
Cyber Security Lab
13
Multi-Encoding Techniques


Trick system into incorrectly processing “special
characters”

US-ASCII

Unicode encodings - UTF-8 or UTF-16

ISO 8859-n

Different prefixes for different languages

Multiple ways of encoding the same character
Multiple ways of encoding and IP address

04/15/10
192.168.1.1 or C0.A8.1.1 or 3232235777
Cyber Security Lab
14
Cleansing Options

Improve input cleansing in code

Web firewall


Web proxy


Hosting solution
Client solution
A couple packages
04/15/10
Cyber Security Lab
15
Web security packages

Pen test tools and proxies

Web Scarab


BURP


http://www.owasp.org/index.php/Category:OWASP_Web
Scarab_Project
http://www.portswigger.net/suite/
Web application firewall (WAF)
– Imperva WAF - http://www.imperva.com/waf/
– WAF Evaluation Criteria
http://www.webappsec.org/projects/wafec/
04/15/10
Cyber Security Lab
16
Play with Flawed Web Sites

Examine missions to discover and exploit each
web sites flaw

04/15/10
http://www.hackthissite.org/missions/
Cyber Security Lab
17
AJAX

Allows JavaScript to request additional data


Dynamically update part of page
XmlHttpRequest (XHR) is the key class

http://www.w3.org/TR/XMLHttpRequest/

Generally used to pull new information or send
information
04/15/10
Cyber Security Lab
18
Same origin policy

Script can only make requests to the domain of
its original source

Script can only access document it fetched

Bound what sneaky scripts can access

Could avert

Signed scripts

ActiveX/Java proxies

Trusted security zones
04/15/10
Cyber Security Lab
19
Mashups


Combine data from two sources in one new
groovy page

E.g., Google map data plus address information
from corporate directory

Create personal desktop by combining scripts from
multiple sources
What if you include my “magic 8” service in your
desktop?
04/15/10
Cyber Security Lab
20
Mashup restrictions


In general cross domain communication
forbidden by same origin policy
Ad Hoc workarounds


Proxy, iframes, dynamic script creation
New mashup explicit standards being
developed
04/15/10
Cyber Security Lab
21
Data Harvesting



XML or JSON data offered via HTTP

Intended as target for AJAX apps

Could be accessed directly
Fetching entire data set may be undesirable

Load on server

Possibility of competitor leveraging your data
collection work
Introduce throttling or metering mechanisms
04/15/10
Cyber Security Lab
22
Web Services

Standards for enabling machine to machine
communication over the web.


Web Service Standards - WS-*

Many thoroughly defined standards

Generally encoded through XML and SOAP

Perceived as very heavy weight
Representational State Transfer – RESTful web
services

04/15/10
Just use simple set of HTTP operations GET, PUT, and
DELETE
Cyber Security Lab
23
SQL Injections
•
04/15/10
http://xkcd.com/327/
Cyber Security Lab
24
Disclaimer!!





Do not use your powers for evil.
The purpose of showing these attacks is
to teach you how to prevent them.
Established e-commerce sites are
already hardened to this type of attack.
You might cause irreparable harm to a
small “mom-and-pop” business.
Even if you don’t, breaking into someone
else’s database is illegal and unethical.
04/15/10
Cyber Security Lab
25
Characterization of Attack

Not a weakness of SQL




...at least in general
SQL Server may run with administrator privileges,
and has commands for invoking shell commands
Not a weakness of database, PHP/scripting
languages, or Apache
Building executable code using data from an
untrusted user

04/15/10
Perl taint mode was created to solve a similar
problem
Cyber Security Lab
26
Simple Attack Example

Logging in with:
select count(*) from login where
username =
'$username' and
password = '$password';

Setting the password to “' or 'a' = 'a”:
select count(*) from login where
username =
'alice' and
password = '' or 'a' =
'a';

In fact, username doesn’t even have to match
anyone in the database
04/15/10
Cyber Security Lab
27
Detecting Vulnerability

Try single apostrophe




If quotes aren’t filtered, this should yield an error
message
Error message may be useful to attackers
May reveal database vendor (important later on)
Try a comment character (double-hyphen in
some databases, # symbol in others)


04/15/10
Only works for numeric fields, if quotes are filtered
Not as commonly filtered
Cyber Security Lab
28
Inferring Database Layout (1)

Guess at column names
' and email is null-' and email_addr is null--

Use error messages (or lack of)
04/15/10
Cyber Security Lab
29
Inferring Database Layout (2)

Guess at table name
' and users.email_addr is null--
' and login.email_addr is null-


Can be done with an automated dictionary attack
Might discover more than one table in the query
Guess at other table names
' and 1=(select count(*) from test)--
04/15/10
Cyber Security Lab
30
Discovering Table Data


Depends on query structure, output format
May be directed at a particular user or account
(e.g. root)
' or username like '%admin%'--

May include brute-force password attacks
04/15/10
Cyber Security Lab
31
Query Stacking (1)

Use semicolon as command separator

Useful output is limited by application
My main example doesn’t output anything from the database.
 Try the queries on a login page that displays a query result.
1; select * from test-

Doesn’t display the entire table? Try modifying the query:
1; select b from test-1; select a from test where a not in (1)--
04/15/10
Cyber Security Lab
32
Query Stacking (2)

Displaying database structure

Highly vendor-specific
1; select relname from pg_class-
Output displays only one result? Use repeated
application
1; select relname from pg_class where relname
not in ('views')--
04/15/10
Cyber Security Lab
33
Query Stacking (3)

Displaying database structure (cont)

Table structure: vendor-specific, use repeated
application if needed
1; select attname from pg_class, pg_attribute
where pg_class.relname = 'login' and
pg_class.oid = pg_attribute.attrelid--
04/15/10
Cyber Security Lab
34
Query Stacking (4)

Modifying the database
'; insert into login values(100, 'attacker',
'attackerpw', 2222, '[email protected]')-'; update login set password='newpw' where
username like '%admin%'--
04/15/10
Cyber Security Lab
35
Second-Order SQL Injection

Inserting text fields that will pass initial
validation, but could be used later on.



e.g. Adding a new user on a web form
Username: alice'' or username=''admin
Later, the user updates her password. The
application runs:
update users set password='$password' where
username='$username'

The query expands to:
update users set password='newpw' where
username='alice' or username='admin'
04/15/10
Cyber Security Lab
36
How to Prevent Attacks (1)

Input Verification



Use pattern matching
May be tricky if we want to allow arbitrary text
Escape characters


addslashes() function or other input sanitizer
PHP “Magic Quotes”


04/15/10
Automatically corrects single-quote, double-quote,
backslash, null
Enabled by default in PHP 5, removed in PHP 6
Cyber Security Lab
37
How to Prevent Attacks (2)





MySQL doesn’t allow query stacking
Use stored procedures instead of queries
Limit database privileges of application
Run in non-admin user space to prevent
system calls (e.g. MS SQL Server)
Hide error messages
04/15/10
Cyber Security Lab
38
How to Prevent Attacks (3)

Prepared Statements (Java, Perl, PHP, ...)

PHP/PostgreSQL: select count(*) from login where
username=$1 and password=$2

Java: select count(*) from login where username=?
and password=?



Partially builds parse tree, fills in gaps after user input
Also allows database optimization
Please note: some parts of a query cannot be
parameterized in a prepared statement.


04/15/10
Table name, column name, answer size limit
Arbitrary number of conditions
Cyber Security Lab
39
Query Syntax Analysis

Injection attacks necessarily change the parse
tree of a query
04/15/10
Su Wasserman 06
Cyber Security Lab
40
Conclusions

Rich target



Most Internet activity is web based
Fast changing technology

JavaScript, AJAX, web services

People innovating tech by using tools in unexpected
ways
“Web 2.0” will continue to be interesting source
of new attacks and exploits
04/15/10
Cyber Security Lab
41
Related documents
TODAY’S TECHNOLOGY CAN CHANGE IN THE BLINK OF AN EYE.
TODAY’S TECHNOLOGY CAN CHANGE IN THE BLINK OF AN EYE.
Maritime Cyber Vulnerabilities in the Energy Domain
Maritime Cyber Vulnerabilities in the Energy Domain
Siemplify, a fast-growing cyber security start
Siemplify, a fast-growing cyber security start
Artificial Intelligence Engineer
Artificial Intelligence Engineer
• Overview of Cyber Security & need of cyber security • Introduction
• Overview of Cyber Security & need of cyber security • Introduction
NOTE: Your selected records (to a maximum of 500
NOTE: Your selected records (to a maximum of 500
Connecting the dots in Cyber Security Regional Workshop on Cyber Security Policies
Connecting the dots in Cyber Security Regional Workshop on Cyber Security Policies
Internet Techniques
Internet Techniques
chapter2
chapter2
Preparing for a Cyber Attack
Preparing for a Cyber Attack
Data Mining
Data Mining
Finnish Information Security Cluster
Finnish Information Security Cluster