Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Today
XSS – Cross Site Scripting
SOP – Same Origin Policy
CSRF – Cross Site Request Forgery
PHP file inclusion vulnerabilities
DNS rebinding (if we have time)

Original Problem
Problem: a script served by one site reads a page from another site (sent with the user's cookies for that site) and posts what it read to a server of its choosing. The two URLs in the snippet were lost in the transcript:
$.get("…", function(data) { $.post("…", {maildata: data}); });
Solution: the Same Origin Policy. The browser refuses the cross-site read and reports: XMLHttpRequest cannot load … Origin website.com is not allowed by Access-Control-Allow-Origin.

Same Origin Policy
Modern sites use elements from many different sources (e.g.: main content, embedded ads, embedded Google Maps controls, embedded Twitter feed, etc.)
Without the SOP we'd have to trust ALL that code
With the SOP, interactions are limited by 'origin'
An origin is the combination of scheme (protocol), host name and port; script from one origin may read the DOM or responses of another only if all three match. The original slide named only protocol and host; every current browser includes the port as well, and the table that follows shows the cases where it matters.

SOP examples
The URLs of the compared rows were lost in the transcript; the outcome and reason columns survive. Each row is compared against one reference URL (http://host/dir/page.html form):
Compared URL | Outcome | Reason
(lost)       | Success | Same protocol and host
(lost)       | Success | Same protocol and host
(lost)       | Failure | Same protocol and host but different port
(lost)       | Failure | Different protocol
(lost)       | Failure | Different host
(lost)       | Failure | Different host (exact match required)
(lost)       | Failure | Different host (exact match required)
(lost)       | Depends | Port explicit. Depends on implementation in browser.

Cross Site Request Forgery
User goes to malicious site
Site initiates a request to a different site (e.g.: Gmail)
Request is sent using the user's credentials: the browser attaches whatever cookies it holds for the target site
Site accepts the request, but due to the SOP the attacker cannot read the contents or state ('blind' attack)
… Profit!
Pseudo example: (the example was lost in the transcript)

CSRF – Limitations
Cannot spoof the Referer header from the browser (but few sites check it, and many clients and proxies strip it)
Needs a request the attacker can trigger cross-site: a GET via an image or link, or a POST via a hidden auto-submitted form; custom headers cannot be set. The original slide said the attack depends on GET causing side effects; that is the simplest case, not a requirement.
Blind attack – if the attack depends on any prior information, the attacker has to guess it
Attack must take place while the user is logged in to the target site
Solution: verification based on random input the attacker cannot obtain, i.e. an anti-CSRF token tied to the session, embedded in the site's own forms and checked on every state-changing request.

XSS – Cross Site Scripting reloaded
Today, many sites just aggregate user-generated content
o Forums
o Facebook / Twitter / Reddit
o Web mail
o Ynet / nrg – 'talkbacks'
That's great, but what happens if we trust user-submitted content on a website? A user can submit HTML code, and that HTML can be malicious.

How malicious are they?
Once the malicious code runs in the context of the target site, it can do whatever the original site can
o Steal JavaScript-accessible cookies (cookies flagged HttpOnly cannot be read, but the script can still act through the site's pages and API in the user's session)
o Use any aspect of the site's API
  Write posts
  Add friends
  Delete all user content
  Send out messages in bulk
E.g.: "Samy is my hero" (the 2005 MySpace Samy worm: stored XSS in a profile that added its author as a friend and copied itself into the profile of every viewer)

Non-persistent (reflected) XSS
User clicks a link with extra parameters; the server reflects them back into the page without proper sanitisation, so the injected script runs in the user's browser with the target site's origin

Persistent (stored) XSS
Malicious user submits content to the target site via
o Forum post / 'talkback' / Facebook post / tweet
o Etc.
Content is not sanitised and is therefore displayed to every user who views it
The user's browser treats it as code from the target site, thereby bypassing the SOP
… Profit!

Questions?

PHP File Inclusion
Source: Wikipedia. The vulnerable snippet itself was lost in the transcript; it reads a COLOR parameter from the query string and passes it to include() with a '.php' suffix appended, which is what the payloads on the next slide exploit.

PHP File Inclusion cont.
/vulnerable.php?COLOR=C:\\ftp\\upload\\exploit – executes code from an already uploaded file called exploit.php (local file inclusion)
/vulnerable.php?COLOR=C:\\notes.txt%00 – uses a null byte to cut off the .php suffix, allowing access to files other than .php (the %00 truncation only works on PHP before 5.3.4)
/vulnerable.php?COLOR=/etc/passwd%00 – allows an attacker to read the contents of the passwd file on a UNIX system (directory traversal with ../ sequences reaches the same file from a relative path)
/vulnerable.php?COLOR=…/webshell.txt? – includes a remotely hosted file containing malicious code (remote file inclusion; the remote host was lost in the transcript; the trailing '?' turns the appended '.php' into a query string, and it only works with allow_url_include enabled)

DNS Rebinding CSRF
We'll discuss a very specific example
Client has a home router, which we want to access
We can get the client to browse to attacker.com
But thanks to the SOP, JS code from attacker.com cannot access the router other than blindly (CSRF)

Enter DNS Rebinding
The DNS for attacker.com returns two records:
o Our web server's public address
o The requesting client's public address
By default, a browser will use the first address and download our malicious JavaScript
That JavaScript will make another request to attacker.com
But this time the server will refuse the connection
The browser will happily try the next entry

DNS Rebinding cont.
But that's the client's home router's public address…
Which should be protected by a firewall from outside access…
But since most routers use interface-based rules, and their internal web servers listen on :80 on the LAN side, it won't matter: the request comes in on the LAN interface, so they will answer our client
So now our JS code can "connect to attacker.com" and actually reach the home router, in an origin the browser considers its own, so it can read the responses
And it can still send what it finds back outside, e.g. to another host name the attacker controls

DNS Rebinding doesn’t work anymore Most routers will use HTTP-authentication You used to be able to browse to: But it has been disabled. All HTTP auth now requires a user dialog Which makes the attack non-feasible Also, there are some browser and network mitigations one can do (DNS pinning, DNS filtering, NoScript, etc.)

Questions?