Lecture 34: Cookie Monsters and Web Application Security - Prof. David Evans, Study notes of Computer Science

A series of lecture notes from the University of Virginia's Computer Science department, specifically from the CS150: Computer Science course. The notes cover 'cookie monsters', secure programming, buffer overflows, web application security, and cross-site scripting. The lectures discuss the importance of secure programming, the risks of buffer overflows, and the dangers of cross-site scripting, and provide examples and demos to help students understand these concepts.

Typology: Study notes

Uploaded on 03/19/2009

Partial preview of the text

Slide 1: Lecture 35: Cookie Monsters and Semi-Secure Websites
David Evans, http://www.cs.virginia.edu/evans
CS150: Computer Science, University of Virginia Computer Science

Slide 2: Secure Programming
cs150 "Honor System" Programming
• All your users are nice and honest
• Nothing terribly bad happens if your program misbehaves
cs205 "Real World" Programming
• Some users are mean and dishonest
• Bad things happen if your program misbehaves
Enough to (hopefully) make you dangerous!

Slide 3: Buffer Overflows
C Program:

    #include <stdio.h>

    int main (void) {
        int x = 9;
        char s[4];      /* four bytes of stack storage for the string */
        gets(s);        /* reads unbounded input into s: the deliberate bug on this slide */
        printf ("s is: %s\n", s);
        printf ("x is: %d\n", x);
        return 0;
    }

Stack layout (from the slide's picture): s[0] s[1] s[2] s[3] | x | return address
Input a b c d e f g h ... is written past the end of s, over x, and on towards the return address.

Slide 4: Buffer Overflows
Running the same program (the shown arguments are the user input):

    > gcc -o bounds bounds.c
    > bounds abcdefghijkl
    s is: abcdefghijkl
    x is: 9
    > bounds abcdefghijklm
    s is: abcdefghijklmn
    x is: 1828716553          (= 0x6d000009)
    > bounds abcdefghijkln
    s is: abcdefghijkln
    x is: 1845493769          (= 0x6e000009)
    > bounds aaa... [a few thousand characters]
    crashes shell

Note: your results may vary (depending on machine, compiler, what else is running, time of day, etc.). This is what makes C fun!
What does this kind of mistake look like in a popular server?

Slide 5: Code Red

Slide 6: Security in cs150
Can you have a Buffer Overflow vulnerability in Scheme, Charme, LazyCharme, StaticCharme, or Python?
No (unless there is a bug in the underlying implementation)! Memory is managed by the interpreter, so you don't have to allocate it, or worry about how much space you have.
Slide 7: Web Application Security
• Malicious users can send bad input to your application
• Authentication: most interesting applications need user logins

Slide 8: Cross-Site Scripting
Python Code (#!/uva/bin/python ...): evaluated using the Python interpreter, which sends its output to the client. The interpreter sends SQL commands to the database and gets values back.
Output pages contain information provided by other users!

Slide 9: Cross-Site Scripting Demo
user: evans
password: $1$79756$Fq4bh/ajnBmzIX.12GPnL0
Enter Review:

    <script language="javascript">
    function button() { while (1) alert("I 0wn you!") }
    </script>
    <BODY onLoad="button()">

Slide 10: Preventing Cross-Site Scripting
• Never never never ever trust users!
• Everything you generate from user input needs to be checked and sanitized (remove the tags)
For your ps9 websites, you may assume all users are bound by the UVa Honor Code and won't do anything evil. But, don't forget how irresponsible it is to put something like this on the web!

Slide 11: Authentication

Slide 12: How do you authenticate?
• Something you know – Password
• Something you have – Physical key (email account?, transparency?)
• Something you are – Biometrics (voiceprint, fingerprint, etc.)
Serious authentication requires at least 2 kinds

[Slides 13 to 24 are not part of this preview.]

Slide 25: Salt of the Earth

    UserID   Password                       Salt
    ben      DES+25 (0, "schemer", 2437)    2437
    dave     DES+25 (0, "Lx.Ly.x", 932)      932
    alyssa   DES+25 (0, "Lx.Ly.x", 1125)    1125

How much harder is the off-line dictionary attack?
DES+ (m, key, salt) is an encryption algorithm that encrypts in a way that depends on the salt. Salt: 12 random bits. (This is the standard UNIX password scheme.)
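Slide 10's rule ("everything you generate from user input needs to be checked and sanitized") in working form. This is an added example, not code from the lecture or from the ps8/ps9 course code: the review text is passed through html.escape before it is placed in the page, and a small parser checks what a browser would see. The payload string is the one from the demo slide, the function names and the page fragment layout are assumptions made for the example.

```python
# Added example (not from the lecture): escaping user-supplied review text
# before it is embedded in an HTML page, and checking the result the way a
# browser's parser would.
import html
from html.parser import HTMLParser

# Constructed sample input: the payload typed into "Enter Review" on the demo slide.
DEMO_REVIEW = ('<script language="javascript">\n'
               'function button() { while (1) alert("I 0wn you!") }\n'
               '</script>\n'
               '<BODY onLoad="button()">')


def render_review_unsafe(user, review):
    """The pattern the demo exploits: raw user text pasted straight into HTML."""
    return '<div class="review"><b>%s</b>: %s</div>' % (user, review)


def render_review(user, review):
    """Every user-provided value goes through html.escape, so '<', '>', '&' and
    quotes become entities and the browser shows them as text, not markup."""
    return '<div class="review"><b>%s</b>: %s</div>' % (
        html.escape(user, quote=True), html.escape(review, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def active_content(fragment):
    """Return the tags in the fragment that would run script: <script> elements
    and any element carrying an on* event-handler attribute."""
    parser = TagCollector()
    parser.feed(fragment)
    found = []
    for tag, attrs in parser.tags:
        if tag == 'script' or any(name.startswith('on') for name in attrs):
            found.append(tag)
    return found


if __name__ == '__main__':
    print(active_content(render_review_unsafe('evans', DEMO_REVIEW)))  # script and body run
    print(active_content(render_review('evans', DEMO_REVIEW)))         # nothing runs
    print(render_review('evans', DEMO_REVIEW))
```

Escaping at output time (rather than "removing the tags" on input) is the design choice here: the stored review stays exactly what the user typed, and the check happens at the one place where the text meets HTML, so it cannot be bypassed by a second path into the database.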
Slide 26: Python Code

    # We use the username as a "salt" (since they must be unique)
    encryptedpass = md5crypt.encrypt (password, user)

    user     password
    evans    bafd72c60f450ed665a6eadc92b3647f
    alyssa   9928ef0d7a0e4759ffefbadb8bc84228

Slide 27: Authenticating Users
• User proves they are a worthwhile person by having a legitimate email address
  – Not everyone who has an email address is worthwhile
  – It's not too hard to snoop (or intercept) someone's email
• But, provides much better authentication than just the honor system

Slide 28: Registering for Account
• User enters email address
• Sent an email with a temporary password
From register-process.cgi:

    rnd = str(random.randint (0, 9999999)) + str(random.randint (0, 9999999))
    encrnd = md5crypt.encrypt (rnd, str(random.randint (0, 99999)))
    users.userTable.createUser (user, email, firstnames, \
                                lastname, encrnd)
    ...

Do you trust Python's random number generator?

Slide 29: Users and Passwords
From users.py (cookie processing and exception code removed):

    def createUser(self, user, email, firstnames, lastname, password):
        c = self.db.cursor ()
        encpwd = md5crypt.encrypt (password, user)
        # the query text is built by string concatenation of the user-supplied values
        query = "INSERT INTO users (user, email, firstnames, lastname, password) " \
                + "VALUES ('" + user + "', '" + email + "', '" \
                + firstnames + "', '" + lastname + "', '" + encpwd + "')"
        c.execute (query)
        self.db.commit ()

    def checkPassword(self, user, password):
        c = self.db.cursor ()
        query = "SELECT password FROM users WHERE user='" + user + "'"
        c.execute (query)
        # fetchone () is None for an unknown user; the removed exception code covers that case
        pwd = c.fetchone ()[0]
        if not pwd:
            return False
        else:
            encpwd = md5crypt.encrypt (password, user)
            return encpwd == pwd

Slide 30: Cookies
• HTTP is stateless: every request is independent
• Don't want user to keep having to enter password every time
• A cookie is data that is stored on the browser's machine, and sent to the web server when a matching page is visited
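The salt question from slide 25, the registration code from slide 28 and the users.py pair from slide 29, rebuilt together as one added example. This is not the course's users.py: md5crypt is replaced by hashlib.pbkdf2_hmac (an assumed stand-in, chosen because it is in the standard library and salted), MySQL by an in-memory sqlite3 database, random.randint by the secrets module, and the concatenated query strings by parameterized queries. The class and method names mirror the slide; the column layout and the ITERATIONS value are assumptions.

```python
# Added example (not the lecture's users.py): salted, iterated password hashing
# with a random per-user salt, parameterized SQL, and a CSPRNG for the
# registration password. pbkdf2_hmac stands in for md5crypt.
import hashlib
import secrets
import sqlite3

ITERATIONS = 100_000   # assumed work factor; each dictionary guess costs this many rounds


def hash_password(password, salt):
    """Salted, iterated hash: the same password with a different salt gives a
    different digest, so one precomputed table does not cover every user."""
    digest = hashlib.pbkdf2_hmac('sha256', password.encode(), salt.encode(), ITERATIONS)
    return digest.hex()


class UserTable:
    def __init__(self):
        # In-memory database so the example runs offline (the course used MySQL).
        self.db = sqlite3.connect(':memory:')
        self.db.execute('CREATE TABLE users (user TEXT PRIMARY KEY, email TEXT, '
                        'firstnames TEXT, lastname TEXT, salt TEXT, password TEXT)')

    def createUser(self, user, email, firstnames, lastname, password):
        # The slide's UNIX scheme used 12 random bits; 16 random bytes leaves no
        # room for a table indexed by salt.
        salt = secrets.token_hex(16)
        encpwd = hash_password(password, salt)
        # Values travel as parameters, so a quote inside a user name cannot
        # change the shape of the statement.
        self.db.execute('INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)',
                        (user, email, firstnames, lastname, salt, encpwd))
        self.db.commit()

    def checkPassword(self, user, password):
        row = self.db.execute('SELECT salt, password FROM users WHERE user = ?',
                              (user,)).fetchone()
        if row is None:          # unknown user: no exception, just a failed login
            return False
        salt, stored = row
        # Constant-time comparison: a wrong guess does not leak how far it matched.
        return secrets.compare_digest(hash_password(password, salt), stored)

    def storedHash(self, user):
        """Stored digest for a user, used below to show that equal passwords differ."""
        row = self.db.execute('SELECT password FROM users WHERE user = ?', (user,)).fetchone()
        return row[0] if row else None


def temporaryPassword():
    """Registration password from the OS CSPRNG rather than random.randint,
    whose output is predictable from a few earlier values."""
    return secrets.token_urlsafe(12)


if __name__ == '__main__':
    table = UserTable()
    table.createUser('dave', 'dave@example.org', 'Dave', 'E', 'Lx.Ly.x')
    table.createUser('alyssa', 'alyssa@example.org', 'Alyssa', 'P', 'Lx.Ly.x')
    print(table.storedHash('dave') != table.storedHash('alyssa'))   # same password, different digests
    print(table.checkPassword('dave', 'Lx.Ly.x'), table.checkPassword('dave', 'schemer'))
    print(temporaryPassword())
```

With the slide's 12-bit salt an attacker who precomputes a dictionary must do it once per salt value, 4096 times in the worst case; with a 16-byte random salt the precomputation is not worth starting, and the iteration count then sets the price of every guess made on line against the stored digests.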
Slide 31: Using Cookies
• Cookie must be sent before any HTML is sent (util.printHeader does this)
• Be careful how you use cookies
  – anyone can generate any data they want in a cookie
  – Make sure they can't be tampered with: use md5 hash with secret to authenticate
  – Don't reuse cookies – easy to intercept them (or steal them from disks): use a counter that changes every time a cookie is used

Slide 32: Hungry vs. Cookies

    def checkCookie ():
        try:
            if 'HTTP_COOKIE' in os.environ:
                cookies = os.environ['HTTP_COOKIE']
                c = Cookie.SimpleCookie(cookies)     # Python 2 module; http.cookies in Python 3
                user = c['user'].value
                auth = c['authenticator'].value
                count = users.userTable.getCookieCount (user)
                # recompute the authenticator from the secret, the use counter and the user
                ctest = md5crypt.encrypt (constants.ServerSecret + str(count) + user, \
                                          str(count))
                if ctest == auth:
                    users.userTable.setCurrentUser (user)
                    return True
                else:
                    users.userTable.setCurrentUser (False)
                    return False
            else:
                return False
        except:
            return False

Slide 33: Problems Left
• The database password is visible in plaintext in the Python code
  – No way around this (with UVa mysql server)
  – Anyone who can read UVa filesystem can access your database
• The password is transmitted unencrypted over the Internet (later)
• Proving you can read an email account is not good enough to authenticate for important applications

Slide 34: Charge
• Feel free to use the ps8 users/cookies code for your ps9 site unchanged
• But, don't put anything really valuable on your websites without paying more attention to security!
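The two cookie rules from slide 31 (an authenticator keyed on a server secret, and a counter that changes on every use) carried through end to end, as an added example rather than the course's checkCookie. HMAC-SHA256 is an assumed stand-in for md5crypt, the counter table is a dictionary in place of users.userTable.getCookieCount, and SERVER_SECRET is a constructed value standing in for constants.ServerSecret. The example parses the same Cookie: header format that the slide's code reads from HTTP_COOKIE.

```python
# Added example (not the lecture's checkCookie): an authenticator cookie bound
# to the user and to a per-user use counter, so a tampered cookie fails the
# MAC check and a replayed cookie fails the counter check.
import hashlib
import hmac
from http.cookies import SimpleCookie

SERVER_SECRET = b'constructed-secret-for-the-example'   # stand-in for constants.ServerSecret

# Per-user use counter, standing in for users.userTable.getCookieCount.
cookie_counts = {}


def authenticator(user, count):
    """MAC over (count, user) under the server secret: a browser cannot forge
    this for another user or another count without the key."""
    msg = ('%d:%s' % (count, user)).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_cookie(user):
    """Advance the user's counter and build the cookie the server sends.
    Returns the Cookie: header value the browser will send back."""
    cookie_counts[user] = cookie_counts.get(user, 0) + 1
    c = SimpleCookie()
    c['user'] = user
    c['authenticator'] = authenticator(user, cookie_counts[user])
    return '; '.join('%s=%s' % (key, morsel.value) for key, morsel in c.items())


def check_cookie(header):
    """Verify a Cookie: header. On success return (user, fresh_cookie): the
    counter moves on, so the cookie just presented is dead from now on.
    Any failure returns (None, None)."""
    try:
        c = SimpleCookie(header)
        user = c['user'].value
        auth = c['authenticator'].value
        count = cookie_counts.get(user)
        if count is None:                        # no session was ever issued for this user
            return None, None
        expected = authenticator(user, count)
        if not hmac.compare_digest(expected, auth):
            return None, None                    # tampered, forged or stale authenticator
        return user, issue_cookie(user)          # valid: hand out the next single-use cookie
    except Exception:                            # malformed header or missing fields
        return None, None


if __name__ == '__main__':
    first = issue_cookie('evans')
    user, second = check_cookie(first)
    print(user)                       # evans
    print(check_cookie(first))        # (None, None): the first cookie was already used
    print(check_cookie(second.replace('user=evans', 'user=admin')))   # (None, None)
```

Because every successful check hands back a new cookie, a copy taken off the wire or from disk only works until the legitimate browser makes its next request; the price is that the server must store one counter per user, which the slide's getCookieCount already assumes.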