Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Issues in Web Applications Vitaly Shmatikov CS 6431.

Published byAlicia Logan Modified over 9 years ago

Similar presentations

Presentation on theme: "Security Issues in Web Applications Vitaly Shmatikov CS 6431."— Presentation transcript:

1 Security Issues in Web Applications Vitaly Shmatikov CS 6431

2 slide 2  Web applications need to reject invalid inputs “Credit card number should be 15 or 16 digits” “Expiration date in the past is not valid”  Traditionally done at the server Round-trip communication, increased load  Better idea (?): do it in the browser using client-side JavaScript code User Input Validation [Bisht et al. “NoTamper: Automatic Blackbox Detection of Parameter Tampering Opportunities in Web Applications”. CCS 2010]

3 slide 3 Client-Side Validation onSubmit= validateCard(); validateQuantities(); Validation Ok? reject inputs YesNo send inputs to server [Bisht et al.]

4 slide 4 Problem: Client Is Untrusted Previously rejected values sent to server Inputs must be re-validated at server! [Bisht et al.]

5 slide 5 Online Shopping Vulnerability: malicious client submits negative quantities for unlimited shopping rebates Client-side constraints: quantity1 ≥ 0 quantity2 ≥ 0 Server-side code: total = quantity1 * price1 + quantity2 * price2 CodeMicro.com Two items in cart: price1 = $100, price2 = $500 quantity1 = -4, quantity2 = 1, total = $100 (rebate of $400 on price2) [Bisht et al.]

6 slide 6 Online Banking Client-side constraints: from IN (Accnt1, Accnt2) to IN (Accnt1, Accnt2) Server-side code: transfer money from  to SelfReliance.com Vulnerability: malicious client submits arbitrary account numbers for unauthorized money transfers [Bisht et al.]

7 slide 7 IT Support Vulnerability: update arbitrary account Client-side constraints: userId == 96(hidden field) Server-side code: Update profile with id 96 with new details Inject a cross-site scripting (XSS) payload in admin account, cookies stolen every time admin logged in Hidden Field [Bisht et al.]

8 slide 8 Content Management Vulnerability: malicious client sets make_install_prn cookie, creates fake admin account Server-side code: privilege = non-admin; if ( _COOKIE[‘make_install_prn’] == 1 ) privilege = admin; [Bisht et al.]

9 slide 9 Cashier-as-a-Service PayPal, Amazon Payments, Google Checkout, etc. Web store Shopper communication about the order communication about the payment Joint decision: is an order appropriately paid? [Wang et al. “How to Shop for Free Online: Security Analysis of Cashier-as-a-Service Based Web Stores”. Oakland 2011]

10 slide 10 nopCommerce + Amazon Simple Pay [Wang et al.] (and seller Mark) Jeff, I want to buy this DVD. Shopper Chuck Amazon (CaaS) Jeff Chuck, pay in Amazon with this signed letter: Dear Amazon, order#123 is $10, when it is paid, text me at 425-111-2222. [Jeff’s signature] Amazon, I want to pay with this letter Dear Amazon, order#123 is $10, when it is paid, text me at 425-111- 2222. [Jeff’s signature] [Mark’s signature] Hi, $10 has been paid for order#123. [Amazon’s signature] Great, I will ship order#123!  Anyone can register an Amazon seller account, so can Chuck Purchase a $25 MasterCard gift card by cash, register under a fake address and phone number Create seller accounts in PayPal, Amazon and Google using the card  Chuck’s trick Check out from Jeff, but pay to “Mark” (Chuck himself) Amazon tells Jeff that payment has been successful Jeff is confused, ships product

11 slide 11 Interspire + PayPal Express Message A redirects to store.com/finalizeOrder?[orderID1] store Session 1: pay for a cheap order (orderID1), but prevent the merchant from finalizing it by holding Message B Expensive order is checked out but the cheap one is paid! Message A Message B Message B calls store.com/finalizeOrder?[orderID1] store [orderID2] store store Session 2: place an expensive order (orderID2), but skip the payment step Message A Message A redirects to store.com/finalizeOrder?[orderID2] store store [Wang et al.]

12 slide 12 Side-Channel Leaks [Chen et al. “Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow”. Oakland 2010] encrypted! privacy problems solved? Attacker can still see the number of packets, size of each packet, time between packets…

13  Search using encrypted Wi-Fi (WPA / WPA2)  Example: user types “l-i-s-t” on his laptop… slide 13 [Chen et al.] 821   910 822   931 823   995 824   1007 Query suggestion Consequence: any eavesdropper knows our search queries Attacker’s effort linear in the size of query Each additional letter of query… …different size of suggestion list

14  Entering health records By typing – auto-suggestion By mouse – a tree structure of elements  Finding a doctor Dropdown list slide 14 [Chen et al.] Online Medical Application 2000x reduction in ambiguityUniquely identify the specialty

15  Wizard-style questionnaire Tailor the questions based on previous inputs  Which forms you work on reveal filing status, big medical bills, adjusted gross income…  Knowing the state machine of the application the eavesdropper can infer sensitive information Especially by combining information learned from multiple state machines slide 15 [Chen et al.] Tax Preparation Application

16 slide 16 [Chen et al.] Child Credit State Machine Entry page of deductions & credits Summary of deductions & credits Full credit Not eligible Partial credit All transitions have unique traffic patterns Consult the IRS instruction: $1000 for each child Phase-out starting from $110,000. For every $1000 income, lose $50 credit.

17 slide 17 [Chen et al.] Student Loan Interest State Machine Entry page of deductions & credits Summary of deductions & credits Full credit Not eligible Partial credit Enter your paid interest Even worse, most decision procedures for credits/deductions have asymmetric paths: eligible – more questions, not eligible – no more questions

18 slide 18 [Chen et al.] Some Identifiable AGI Thresholds Disabled Credit $24999 Retirement Savings $53000 IRA Contribution $85000$105000 College Expense $116000 $115000 Student Loan Interest $145000 First-time Homebuyer Credit $150000 $170000 Earned Income Credit $41646 Child Credit $110000 Adoption Expense $174730 $214780 $130000 or $150000 or $170000 … $0

19 slide 19 [Chen et al.] Online Investments Which funds you invest in?  Each price history curve is a GIF image from MarketWatch Anyone in the world can get them from this website  Just compare the image sizes! Your investment allocation?  Can see the size of the pie chart, but hundreds of pie charts have the same image…

20 slide 20 [Chen et al.] Change Over Time Is Revealing!  800 charts  80 charts  8 charts 1 chart Size of day 1 Size of day 2; Prices of the day Size of day 3; Prices of the day Size of day 4; Prices of the day  80000 charts Financial institution updates your pie chart every day after market close. Mutual fund prices are public knowledge.

21  Still have the asymmetric path problem  Google’s responses are compressed, destination networks may or may not uncompress responses For example, Microsoft gateways uncompress and inspect Web traffic, but university does not Round before compression – university still sees distinguishable sizes; after compression – Microsoft does  Random padding is not appropriate If user checks several times, repeated random padding of the same responses quickly degrades effectiveness Images come from MarketWatch, not site itself slide 21 [Chen et al.] Rounding? Padding?

22 Trends in Software Design  Applications rely on OS abstractions to improve their safety and reliability “Process”, “User”  Case study: Web browsers slide 22 xbank.com quickdate.com Fork a new process OS isolation Fork a new process [Jana and Shmatikov. “Memento: Learning Secrets from Process Footprints”. Oakland 2012]

23 Unintended Consequences Good Better isolation Better reliability – Others not affected if one process crashes Better safety Bad Leaks more info to concurrent processes slide 23

24 Introduced in the 1980s cat /proc/1/ status ps top –p 1 Tom Killian "Processes as Files” (1984) slide 24 ProcFS in Multi-User OS

25 “Noone Uses Multi-User OS Anymore” slide 25

26 Multi-User Isolation UNIX multi-users in the 1980s slide 26 cat /proc/1/ status ps top –p 1

27 Android Sandboxing Android “multi-users” today slide 27 cat /proc/1/ status ps top –p 1

28 Android Apps as “Users” Different apps run as different users Android uses OS “user” abstraction to isolate applications slide 28

29 ProcFS Did Not Go Away Android “multi-users” today ProcFS API is still unchanged! slide 29 cat /proc/1/ status ps top –p 1

30 This Is Not Just About Android slide 30

31 What Can Be Learned from ProcFS?  No permissions needed to read any world- readable file in ProcFS … IP addresses of network connections Value of stack pointer Various statistics –Packet counters –Number of context switches / CPU scheduling statistics –Memory usage “Peeping Tom” attacks TCP sequence number inference Keystroke sniffing “Memento” attacks WTF?! slide 31

32 Putting Memory Streams Together slide 32

33 Memprint: Stream of Memory Usage 10568 KB 15976 KB 11632 KB 65948 KB 49380 KB 48996 KB 60280 KB 60820 KB 59548 KB slide 33

34 Sniffing Memory Footprints 2050 zero-permission malicious process OS isolation browser process alloc 1 alloc 2 OS free page pool used page count memprint 2050 Parsing JavaScript… Rendering images… slide 34

35 Sniffing Memory Footprints 2056 zero-permission malicious process OS isolation browser process alloc 1 alloc 2 OS free page pool used page count memprint brk/mmap 2050 2056 Parsing JavaScript… Rendering images… slide 35

36 Sniffing Memory Footprints 2080 zero-permission malicious process OS isolation browser process alloc 1 alloc 2 OS free page pool used page count memprint brk/mmap 2056 2050 2080 Parsing JavaScript… Rendering images… slide 36

37 Loading BeNaughty.com in Chrome slide 37

38 slide 38 Loading BeNaughty.com in Chrome

39 slide 39

40 Full Attack OS isolation browser zero-permission app /proc/pid/statm memprint database slide 40

41 Why the Attack Works uMemprints are unique - for up to 43% of Alexa top 100,000 pages Can tune recognition to achieve zero false positives uMemprints are stable across repeated visits to the same page memprints are OS/browser- dependent but machine- independent slide 41

42 Cross-Page Similarity Different from others Similar to themselves web page ID similarity = Jaccard index of memprints slide 42

43 Other Privacy Leaks  Fine-grained memory dynamics reveal membership in dating sites, interest in medical conditions, etc.  Dynamics of CPU scheduling reveal individual keystrokes  General problem: fine-grained resource usage statistics are correlated with secrets These statistics are visible across isolation boundary Their dynamics are a high-bandwidth side channel slide 43

Download ppt "Security Issues in Web Applications Vitaly Shmatikov CS 6431."

Similar presentations

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.

RP Designs Semi-Custom e-Commerce Package. Overview RP Designs semi- custom e-commerce package is a complete website solution. Visitors can browse a catalog.
Weighing the Risks and Benefits of Online Financial Transactions

Weighing the Risks and Benefits of Online Financial Transactions
Rui Wang, XiaoFeng Wang and Kehuan Zhang Shuo Chen IEEE Symposium on Security and Privacy Oakland, California May 17 th, 2010.

Rui Wang, XiaoFeng Wang and Kehuan Zhang Shuo Chen IEEE Symposium on Security and Privacy Oakland, California May 17 th, 2010.
Chapter 3 Process Description and Control

Chapter 3 Process Description and Control
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Helping retailers sell to mobile shoppers since 2007 5 Features for Higher Conversion Rates May 16, 2012 Ken Barber – VP Marketing and Gwin Coleman – Client.

Helping retailers sell to mobile shoppers since Features for Higher Conversion Rates May 16, 2012 Ken Barber – VP Marketing and Gwin Coleman – Client.
CP3397 ECommerce.

CP3397 ECommerce.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.

Parameter Tampering. Attacking the Ecommerce Shopping Cart In the above image we see that a user who wants to purchase a Television visits an online Store.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
OWASP WEBGOAT Alaa Darabseh Department of Computer Science

OWASP WEBGOAT Alaa Darabseh Department of Computer Science
Back to Table of Contents

Back to Table of Contents
Important Things to Know About Your FlexComp Plan University Systems.

Important Things to Know About Your FlexComp Plan University Systems.
Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from Process Footprints 33 rd Security & Privacy (May, 2012)

Suman Jana and Vitaly Shmatikov The University of Texas at Austin Memento: Learning Secrets from Process Footprints 33 rd Security & Privacy (May, 2012)
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.

Similar presentations

Ads by Google