Web 2.0 Security

James WaldenNorthern Kentucky University

Speaker Biography

Assistant Professor at NKUGraduate certificate in Secure Software Eng.Minors in Infosec and Forensics.Papers & workshops in software security.

Contributor toSANS/CWE Top 25 programming flaws.SANS GSSP secure programmer cert.OWASP/Fortify Open Source Review.

Why Target Web Apps?

Attack Surface

A system’s attack surface consists of all of the ways an adversary can enter the system.

Merchant’s Bank Building

Defender’s View

firewall

VPN wireless

web server

History of Web Security

Year Technology Security

1993 CGI Firewalls, SSL

1995 PHP, Javascript Firewalls, SSL

1997 ASP, JSP Firewalls, SSL

2000 SOA Firewalls, SSL

2006 AJAX Firewalls, SSL

Firewalls and Web Apps

Firewall

Port 80HTTP Traffic

WebClient

WebServer

Application

Application

DatabaseServer

telnet

ftp

SSL: injection attacks, XSS

Firewall

Port 443HTTPS Traffic

WebClient

WebServer

Application

Application

DatabaseServer

telnet

ftp

Revised Attack Surface

firewall

VPN

wireless

external web server

external web apps

database

Intra-Security Assumptions

Since the firewall protects you Patches don’t have to be up to date. Passwords don’t have to be strong. There’s no need to be careful when you code. There’s no need to audit your source code. There’s no need to run penetration tests.

But do your users have web browsers?

Javascript Malware

Firewall

Port 80

HTTP Traffic

WebServer

(Javascript malware)

WebClient

telnet

ftp

Intranet

Main Server

Wiki

Group Server

Malware Sources

1. Evil web site owner inserts in page.

2. Attacker inserts malware into defaced page.

3. Attacker inserts malware into a public comment or forum post (stored XSS.)

4. Attacker creates link that causes web site to echo malware to user (reflected XSS.)

Re-revised Attack Surface

firewall

VPN

wireless

external web server

external web apps

database

internal web servers

internal web apps

Web Applications

firewall

VPN

wireless

external web server

external web apps

database

internal web servers

internal web apps

Web App Vulnerabilities

Input-based Security ProblemsInjection FlawsInsecure Remote File InclusionUnvalidated Input

Authentication and AuthorizationAuthenticationAccess ControlCross-Site Attacks

Other BugsError Handling and Information LeakageInsecure StorageInsecure Communications

SQL Injection

1. App sends form to user.2. Attacker submits form

with SQL exploit data.3. Application builds string

with exploit data.4. Application sends SQL

query to DB.5. DB executes query,

including exploit, sends data back to application.

6. Application returns data to user.

Attacker

Web Server DB Server

Firewall

User

Pass

‘ or 1=1--

Cross-Site Scripting

1. Login

2.

Cookie

Web Server

3. XSS Attack

AttackerUser

4. User clicks on XSS link.

5. XSS URL

7. Browser runs injected code.

Evil site saves ID.

8. Attacker hijacks user session.

6. Page with injected code.

Feature Vulnerability Map

Database interaction

Displays user-supplied data

Error messages

File upload/download

Login

SQL injection.

Cross-site scripting.

Information leakage.

Path traversal.

Authentication, session management, access control flaws.

Web App Attack Surface

form inputs

HTTP headersURLs

cookies

Traditional Web Apps

HTTP Request (form submission)

HTTP Response (new web page)Server processingUser waits

HTTP Request (form submission)User interaction

HTTP Response (new web page)User waits Server processing

AJAX

Asynchronous Javascript & XML User interacts with client-side

Javascript. Javascript makes asynchronous

requests to server for data. Continues to allow user to

interact with application. Updates when receives

encoded data from server.

AJAX Applications

Server processingUser interaction

User interaction

Server processing

Client-sideCode

HTTP request (asynchronous)

partial update

partial update

HTTP Response (data)

partial update HTTP request (asynchronous)

HTTP Response (data)

HTTP request (asynchronous)

HTTP Response (data)partial update

User interaction

Server processing

Architecture Differences

Traditional

Application on server.

Entire form sent to server.User fills in input items.Clicks on submit.

Server returns new page.Presentation + Data.

AJAX

App on client and server.

JavaScript receives user input, issues function calls to server when needed.Get map tile.Save location data.

Server returns individual data items.

JavaScript incorporates data items into existing page.

AJAX: More Entry Points

Purchase Item

downloadItem()

debitAccount()

getPrice()

Example Client-side Code

var auth = checkPassword(user, pass);

if (auth == false) {

alert(‘Authentication failed.’);

return;

}

var itemPrice = getPrice(itemID);

debitAccount(user, itemPrice);

downloadItem(itemID);

Client Side Data

Use Firebug to modify variables.

Modifying session stateSet auth to true.Set itemPrice to $0.01, $0, -$1.00.

Viewing sensitive dataif (discountCode == “HALF_OFF”) {

window.location(“discount_order.html”);

}

Client Side Code

Example Code (AJAX Security, p. 176)<script>function sum(x,y) { var z = x + y; alert(“Sum is “ + z);}</script><input type=“button” value=“5 + 6 = ?” onclick=“sum(5,6);” />

Insert with Firebug to replace sum() in 5s:setTimeout(“sum = function() { alert(‘hijacked!’); }”, 5000);

AJAX: More Client Data

Web ServerDatabase

SQL Injection SQL Injection

Web ServerDatabase

Intended DataExtra Data

Selected DataPresentation (HTML)

SQL Injection SQL Injection

Intended DataExtra Data

Selected DataData (XML,JSON)

Server returns XML/JSON full data for AJAX client to display.

Server returns HTML page that displays desired data.

Client Data Vulnerability

SQL QuerySELECT * FROM USERS WHERE UID=<>

Injected QuerySELECT * FROM USERS WHERE UID=12345UNION SELECT * FROM CREDITCARDS

XML Data<data>

<user><uid>12345</uid><name>John Smith</name>

</user><creditcard>

<ccnumber>4444-4444-4444-4444</ccnumber><expire>01/01/2011</expire>

</creditcard></data>

JSON

var json = getItem()

// json = “[ ‘Toshiba’, 499, ‘LCD TV’]”

var item = eval(json)

// item[0] = ‘Toshiba’

// item[1] = 499

// item[2] = ‘LCD TV’

JSON Injection

Evil input: ‘];alert(‘XSS’);//

var json = getItem()

// json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//”

var item = eval(json)

// Alert box with ‘XSS’ appears.

// Use json2.js validation library to prevent.

Client-Side State

Storage Technologies

Client-Side Storage Issues

User can always modify client-side data.

Cross-Domain Attacks (between subdomains).

Cross-directory Attacks.

Cross-port Attacks.

Cookies

DOM Storage (HTML5)

Flash LSOs

UserData (IE)

AJAX Attack Surface

form inputs

HTTP headers

URLs

cookies

client-sidecode client-side

state

server API

client-side data

transforms

firewall

VPN

wireless

external web server

external web apps

database

internal web servers

internal web apps

client-sidestate

form inputs

HTTP headers

URLs

cookies client-sidecode

server API

client-side data

transformsis nearly fractal.

A site’s attack surface

Discussion Items

Are organization’s security policies changing in response to Web 2.0?

What are people currently doing to determine their attack surface?

How do people select which elements of the attack surface to reduce first?