csc 443: web programming · 2020. 9. 21. · csc 443: web programming lecture 19: web security our...
TRANSCRIPT
-
CSC 443: Web Programming, LECTURE 19: WEB SECURITY
Our current view of security • until now, we have assumed:
• valid user input
• non-malicious users
• nothing will ever go wrong
• this is unrealistic!
-
The real world • in order to write secure code, we must assume:
• invalid input
• evil users
• incompetent users
• everything that can go wrong, will go wrong
• everybody is out to get you
• botnets, hackers, script kiddies, KGB, etc. are out there
• the security mindset: assume nothing; trust no one
Attackers' goals • Why would an attacker target my site?
• Read private data (usernames, passwords, credit card numbers, grades, prices)
• Change data (change a student's grades, prices of products, passwords)
• Spoofing (pretending to be someone they are not)
• Damage or shut down the site, so that it cannot be successfully used by others
• Harm the reputation or credibility of the organization running the site
• Spread viruses and other malware
-
Tools that attackers use
Assume that the attacker knows about web dev and has the same tools you have:
• Firebug
• extensions, e.g. Web Dev Toolbar
• port scanners, e.g. nmap
• network sniffers, e.g. Wireshark, EtherDetect, Firesheep
Some kinds of attacks
• Denial of Service (DoS): Making a server unavailable by bombarding it with requests.
• Social Engineering: Tricking a user into willingly compromising the security of a site (e.g. phishing).
• Privilege Escalation: Causing code to run in a "privileged" context (e.g. "root").
• Information Leakage: Allowing an attacker to look at data, files, etc. that he/she should not be allowed to see.
• Man-in-the-Middle: Placing a malicious machine in the network and using it to intercept traffic.
• Session Hijacking: Stealing another user's session cookie to masquerade as that user.
• Cross-Site Scripting (XSS) or HTML Injection: Inserting malicious HTML or JavaScript content into a web page.
• SQL Injection: Inserting malicious SQL query code to reveal or modify sensitive data.
-
Information leakage: when the attacker can look at data, files, etc. that he/she should not be allowed to see
• files on the web server that should not be there
  • or that have too generous permissions (read/write to all)
• directories that list their contents (indexing)
  • can be disabled on the web server
• guess the names of files, directories, resources
  • see loginfail.php, try loginsuccess.php
  • see user.php?id=123, try user.php?id=456
  • see /data/public, try /data/private
Man-in-the-middle attack: when the attacker listens on your network and reads and/or modifies your data
• works if the attacker can access and compromise any server/router between you and your server
• also works if you are on the same local area network as the attacker
• often, the attacker still sends your info back and forth to/from the real server, but he silently logs or modifies some of it along the way to his own benefit
• e.g. listens for you to send your username/password/credit card number/...
-
Secure HTTP (HTTPS) • HTTPS: encrypted version of the HTTP protocol
• all messages between client and server are encrypted, so men in the middle cannot easily read them
• servers can have certificates that verify their identity
Session hijacking: when the attacker gets hold of your session ID and masquerades as you
• exploits sites that use HTTPS for only the initial login:
  • HTTPS: browser → server (POST login.php)
  • HTTPS: browser ← server (login.php + PHPSESSID cookie)
  • HTTP: browser → server (GET whatever.php + PHPSESSID cookie)
  • HTTP: browser ← server (whatever.php + PHPSESSID cookie)
• the attacker can listen to the network, get your session ID cookie, and make requests to the same server with that same session ID cookie to masquerade as you!
• example: Firesheep
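The slide's scenario fails because PHPSESSID is sent on the later plain-HTTP requests. The following is an added example, not code from the lecture, of the server-side settings that keep the cookie off HTTP: it assumes it is included at the top of every page before any output, and that the server sets $_SERVER['HTTPS'] itself (a reverse proxy would need its forwarded-proto header checked instead). The function names is_https() and login_user() are my own.

```php
<?php
// Added example (not from the lecture slides): keep a PHP session cookie
// off plain HTTP so a sniffer on the same LAN never sees it.
declare(strict_types=1);

// Assumption: the web server itself terminates TLS and sets $_SERVER['HTTPS'].
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// 1. Never serve the page over plain HTTP: redirect to the HTTPS version.
//    Using HTTPS only for login.php (the slide's setup) leaves every later
//    GET whatever.php carrying PHPSESSID in the clear.
if (!is_https()) {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// 2. Mark the session cookie "secure" (browser sends it over HTTPS only) and
//    "httponly" (page scripts cannot read it, which also blunts cookie theft
//    by injected JavaScript). Must be called before session_start().
session_set_cookie_params([
    'lifetime' => 0,          // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',         // current host only
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 3. Ask the browser to use HTTPS for this host on its own in future (HSTS).
header('Strict-Transport-Security: max-age=31536000');

// 4. On a successful login, issue a fresh session ID so an ID seen before
//    authentication is worthless afterwards. Hypothetical helper.
function login_user(int $userId): void
{
    session_regenerate_id(true);   // true: delete the old session data too
    $_SESSION['user_id'] = $userId;
}
```

With the secure flag set, the browser simply omits PHPSESSID from any http:// request, so even a page that is accidentally linked over HTTP does not leak the cookie; the redirect and HSTS header then bring the user back to HTTPS. The array form of session_set_cookie_params needs PHP 7.3 or later.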
-
HTML injection: a flaw where a user is able to inject arbitrary HTML content into your page
• This flaw often exists when a page accepts user input and inserts it bare into the page.
• What kinds of silly or malicious content can we inject into the page? Why is this bad?
Injecting HTML content
8ball.php?question=lololol
• injected content can lead to:
  • annoyance/confusion
  • damage to data on the server
  • exposure of private data on the server
  • financial gain/loss
  • end of the human race as we know it
• why is HTML injection bad? It allows others to:
  • disrupt the flow/layout of your site
  • put words into your mouth
  • possibly run malicious code on your users' computers
-
Cross-site scripting (XSS): a flaw where a user is able to inject and execute arbitrary JavaScript code in your page
8ball.php?question=alert('pwned');
• JavaScript is often able to be injected because of a previous HTML injection
• masquerade as the original page and trick the user into entering sensitive data
• steal the user's cookies
• masquerade as the user and submit data on their behalf (submit forms, click buttons, etc.)
• ...
Securing against HTML injection/XSS • one idea: disallow harmful characters
  • HTML injection is impossible without < >
  • can strip those characters from input, or reject the entire request if they are present
• another idea: allow them, but escape them
htmlspecialchars returns an HTML-escaped version of a string
$text = "hi 2 u & me";
$text = htmlspecialchars($text);  # "hi 2 u &amp; me" (< and > would become &lt; and &gt;)
-
Another XSS example • example: Lab 4, Buy-a-Grade (buyagrade.html)
• Recall that the user submits his name, section, and credit card number to the server, which are then displayed on the page.
• How can we inject HTML/JavaScript into the page? Be creative...
• What could we do to steal the user's sensitive information?
SQL injection: a flaw where the user is able to inject arbitrary SQL into your query
• This flaw often exists when a page accepts user input and inserts it bare into the query.
• What kinds of SQL can we inject into the query? Why is this bad?
-
A SQL injection attack • The query in the Simpsons PHP code is:
$query = "SELECT * FROM students WHERE username = '$username' AND password = '$password'";
• Are there malicious values for the username and password that we could enter?
• Password: ' OR '1'='1
• This causes the query to be executed as:
$query = "SELECT * FROM students WHERE username = '$username' AND password = '' OR '1'='1'";
• What will the above query return? Why is this bad?
Too true...
• injected SQL can:
  • change the query to output others' data (revealing private information)
  • insert a query to modify existing data (increase bank account balance)
  • delete existing data (; DROP TABLE students; -- )
  • bloat the query to slow down the server (JOIN a JOIN b JOIN c ...)
  • ...
-
Securing against SQL injection • similar to securing against HTML injection, escape the string before you include it in your query
quote returns a SQL-escaped version of a string
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users WHERE username = $username AND password = $password";
• replaces ' with \', etc., and surrounds with quotes
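To make the two preceding slides concrete, here is an added example (not the lecture's Simpsons code) that runs the students login query three ways against a small in-memory SQLite table: spliced together as on the attack slide, built with $db->quote() as on this slide, and as a prepared statement. It assumes PHP with the pdo_sqlite extension; the table rows and the function names are constructed for the demo.

```php
<?php
// Added example (not the lecture's code): the students login query with
// and without protection, against constructed sample data.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE students (username TEXT, password TEXT, grade TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO students VALUES ('bart', 'eatmyshorts', 'D-'),
                                           ('lisa', 'saxophone',   'A+')");
    return $db;
}

// The attack slide's query: user input spliced straight into the SQL text.
function login_vulnerable(PDO $db, string $username, string $password): array
{
    $query = "SELECT * FROM students WHERE username = '$username' AND password = '$password'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// This slide's fix: quote() escapes the value and wraps it in quotes, so a
// quote character typed by the user stays inside the string literal.
function login_quoted(PDO $db, string $username, string $password): array
{
    $u = $db->quote($username);
    $p = $db->quote($password);
    $query = "SELECT * FROM students WHERE username = $u AND password = $p";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed at prepare() time and the
// values travel separately, so they are never parsed as SQL at all.
function login_prepared(PDO $db, string $username, string $password): array
{
    $stmt = $db->prepare('SELECT * FROM students WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db   = make_db();
$user = 'nobody';            // not a real account
$pass = "' OR '1'='1";       // the password from the attack slide

printf("vulnerable: %d row(s)\n", count(login_vulnerable($db, $user, $pass)));
printf("quoted:     %d row(s)\n", count(login_quoted($db, $user, $pass)));
printf("prepared:   %d row(s)\n", count(login_prepared($db, $user, $pass)));
```

With the attack slide's password, login_vulnerable() returns both students, because the WHERE clause has become (username = 'nobody' AND password = '') OR '1'='1'; the other two return no rows, since the whole string ' OR '1'='1 is compared against the password column as data. Prepared statements are the form to reach for by default: PDO::quote() depends on the driver (it returns false on drivers that do not implement it) and still leaves you assembling SQL by string concatenation, where one forgotten quote() call reopens the hole.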