web 2.0 security james walden northern kentucky university
TRANSCRIPT
Speaker Biography
Assistant Professor at NKUGraduate certificate in Secure Software Eng.Minors in Infosec and Forensics.Papers & workshops in software security.
Contributor toSANS/CWE Top 25 programming flaws.SANS GSSP secure programmer cert.OWASP/Fortify Open Source Review.
Why Target Web Apps?
Attack Surface
A system’s attack surface consists of all of the ways an adversary can enter the system.
Merchant’s Bank Building
Defender’s View
firewall
VPN wireless
web server
History of Web Security
Year Technology Security
1993 CGI Firewalls, SSL
1995 PHP, Javascript Firewalls, SSL
1997 ASP, JSP Firewalls, SSL
2000 SOA Firewalls, SSL
2006 AJAX Firewalls, SSL
Firewalls and Web Apps
Firewall
Port 80HTTP Traffic
WebClient
WebServer
Application
Application
DatabaseServer
telnet
ftp
SSL: injection attacks, XSS
Firewall
Port 443HTTPS Traffic
WebClient
WebServer
Application
Application
DatabaseServer
telnet
ftp
Revised Attack Surface
firewall
VPN
wireless
external web server
external web apps
database
Intra-Security Assumptions
Since the firewall protects you Patches don’t have to be up to date. Passwords don’t have to be strong. There’s no need to be careful when you code. There’s no need to audit your source code. There’s no need to run penetration tests.
But do your users have web browsers?
Javascript Malware
Firewall
Port 80
HTTP Traffic
WebServer
(Javascript malware)
WebClient
telnet
ftp
Intranet
Main Server
Wiki
Group Server
Malware Sources
1. Evil web site owner inserts in page.
2. Attacker inserts malware into defaced page.
3. Attacker inserts malware into a public comment or forum post (stored XSS.)
4. Attacker creates link that causes web site to echo malware to user (reflected XSS.)
Re-revised Attack Surface
firewall
VPN
wireless
external web server
external web apps
database
internal web servers
internal web apps
Web Applications
firewall
VPN
wireless
external web server
external web apps
database
internal web servers
internal web apps
Web App Vulnerabilities
Input-based Security ProblemsInjection FlawsInsecure Remote File InclusionUnvalidated Input
Authentication and AuthorizationAuthenticationAccess ControlCross-Site Attacks
Other BugsError Handling and Information LeakageInsecure StorageInsecure Communications
SQL Injection
1. App sends form to user.2. Attacker submits form
with SQL exploit data.3. Application builds string
with exploit data.4. Application sends SQL
query to DB.5. DB executes query,
including exploit, sends data back to application.
6. Application returns data to user.
Attacker
Web Server DB Server
Firewall
User
Pass
‘ or 1=1--
Cross-Site Scripting
1. Login
2.
Cookie
Web Server
3. XSS Attack
AttackerUser
4. User clicks on XSS link.
5. XSS URL
7. Browser runs injected code.
Evil site saves ID.
8. Attacker hijacks user session.
6. Page with injected code.
Feature Vulnerability Map
Database interaction
Displays user-supplied data
Error messages
File upload/download
Login
SQL injection.
Cross-site scripting.
Information leakage.
Path traversal.
Authentication, session management, access control flaws.
Web App Attack Surface
form inputs
HTTP headersURLs
cookies
Traditional Web Apps
HTTP Request (form submission)
HTTP Response (new web page)Server processingUser waits
HTTP Request (form submission)User interaction
HTTP Response (new web page)User waits Server processing
AJAX
Asynchronous Javascript & XML User interacts with client-side
Javascript. Javascript makes asynchronous
requests to server for data. Continues to allow user to
interact with application. Updates when receives
encoded data from server.
AJAX Applications
Server processingUser interaction
User interaction
Server processing
Client-sideCode
HTTP request (asynchronous)
partial update
partial update
HTTP Response (data)
partial update HTTP request (asynchronous)
HTTP Response (data)
HTTP request (asynchronous)
HTTP Response (data)partial update
User interaction
Server processing
Architecture Differences
Traditional
Application on server.
Entire form sent to server.User fills in input items.Clicks on submit.
Server returns new page.Presentation + Data.
AJAX
App on client and server.
JavaScript receives user input, issues function calls to server when needed.Get map tile.Save location data.
Server returns individual data items.
JavaScript incorporates data items into existing page.
AJAX: More Entry Points
Purchase Item
downloadItem()
debitAccount()
getPrice()
Example Client-side Code
var auth = checkPassword(user, pass);
if (auth == false) {
alert(‘Authentication failed.’);
return;
}
var itemPrice = getPrice(itemID);
debitAccount(user, itemPrice);
downloadItem(itemID);
Client Side Data
Use Firebug to modify variables.
Modifying session stateSet auth to true.Set itemPrice to $0.01, $0, -$1.00.
Viewing sensitive dataif (discountCode == “HALF_OFF”) {
window.location(“discount_order.html”);
}
Client Side Code
Example Code (AJAX Security, p. 176)<script>function sum(x,y) { var z = x + y; alert(“Sum is “ + z);}</script><input type=“button” value=“5 + 6 = ?” onclick=“sum(5,6);” />
Insert with Firebug to replace sum() in 5s:setTimeout(“sum = function() { alert(‘hijacked!’); }”, 5000);
AJAX: More Client Data
Web ServerDatabase
SQL Injection SQL Injection
Web ServerDatabase
Intended DataExtra Data
Selected DataPresentation (HTML)
SQL Injection SQL Injection
Intended DataExtra Data
Selected DataData (XML,JSON)
Server returns XML/JSON full data for AJAX client to display.
Server returns HTML page that displays desired data.
Client Data Vulnerability
SQL QuerySELECT * FROM USERS WHERE UID=<>
Injected QuerySELECT * FROM USERS WHERE UID=12345UNION SELECT * FROM CREDITCARDS
XML Data<data>
<user><uid>12345</uid><name>John Smith</name>
</user><creditcard>
<ccnumber>4444-4444-4444-4444</ccnumber><expire>01/01/2011</expire>
</creditcard></data>
JSON
var json = getItem()
// json = “[ ‘Toshiba’, 499, ‘LCD TV’]”
var item = eval(json)
// item[0] = ‘Toshiba’
// item[1] = 499
// item[2] = ‘LCD TV’
JSON Injection
Evil input: ‘];alert(‘XSS’);//
var json = getItem()
// json = “[ ‘Toshiba’, 499, ‘’];alert(‘XSS’);//”
var item = eval(json)
// Alert box with ‘XSS’ appears.
// Use json2.js validation library to prevent.
Client-Side State
Storage Technologies
Client-Side Storage Issues
User can always modify client-side data.
Cross-Domain Attacks (between subdomains).
Cross-directory Attacks.
Cross-port Attacks.
Cookies
DOM Storage (HTML5)
Flash LSOs
UserData (IE)
AJAX Attack Surface
form inputs
HTTP headers
URLs
cookies
client-sidecode client-side
state
server API
client-side data
transforms
firewall
VPN
wireless
external web server
external web apps
database
internal web servers
internal web apps
client-sidestate
form inputs
HTTP headers
URLs
cookies client-sidecode
server API
client-side data
transformsis nearly fractal.
A site’s attack surface
Discussion Items
Are organization’s security policies changing in response to Web 2.0?
What are people currently doing to determine their attack surface?
How do people select which elements of the attack surface to reduce first?