Project 2: Web App Security - PowerPoint PPT Presentation

1
Project 2: Web App Security
CS 155
Spring 2007
  • Collin Jackson

2
Part 1
  • Attacks

3
Overview
  • Explore several attack types
  • Requires both effectiveness and stealth
  • Learn
    • How an attacker can evade sanitization
    • Consequences of an exploit
    • JavaScript
    • Very basic CSS

4
Attacks
  • A: Cookie Theft
    • Use URL encoding
    • Could hijack session
  • B: Request Forgery
    • Navigate browser
    • Use iframes, forms
  • C: Password Theft
    • Evade sanitization
    • Handle DOM events
  • D: Profile Worm
    • Persistent attack
    • Replicates

[Diagram: attack flows between zoobar.org, badguy.com and stanford.edu, labelled form, email, link and redirect]
5
Sanitization
  • Works differently depending on context
  • <tag property="attackstring">
    • Attack: break out with ' or "
    • Defense: escape quotes with \
  • <body> attackstring </body>
    • Attack: launch script with < >
    • Attack: close off parent tag </tag>
    • Defense: escape angle brackets
  • eval( attackstring )
    • Attack: do whatever you want
    • Defense: don't do that
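The context-dependent escaping on this slide, worked through in PHP as an added example (not code from the CS 155 handout or the zoobar application); the $untrusted value is a constructed sample and the function names are my own:

```php
<?php
// Added example, not from the CS 155 slides: one escaper per output context.
// Assumption: $untrusted stands for a reflected query parameter such as the one
// users.php echoes into an input field later in this deck.

// HTML body and attribute context. Angle brackets become entities so no tag can
// be opened or closed; with ENT_QUOTES both quote characters become entities
// too, which is what actually stops a quoted attribute from being closed early
// (inside an HTML attribute a backslash before a quote does not do that).
function escape_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// JavaScript string context, e.g. onclick="f('...')" or <script>var x = '...';.
// This is where the slide's backslash defense applies. json_encode does that
// escaping and, with the HEX flags, also hides < > & " ' so the value can sit in
// a script block or an attribute without ending either one.
function escape_for_js_string(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// eval() context: no escaper exists for it, so refuse the call outright.
function escape_for_eval(string $s): string
{
    throw new LogicException('untrusted data must never reach eval()');
}

// Constructed sample input: tries to close the attribute and open a script tag.
$untrusted = '"><script>alert(1)</script>';

echo '<input name="user" value="', escape_for_html($untrusted), '">', "\n";
echo '<p>', escape_for_html($untrusted), '</p>', "\n";
echo '<script>var user = ', escape_for_js_string($untrusted), ';</script>', "\n";
```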

6
Example Profile Deleter
  • Malicious hyperlink deletes profile of user who clicks it
  • Only works when user logged in
    • User might have multiple tabs open
    • Might have chosen/forgotten not to log out
    • Might appear in another user's profile
  • Uses vulnerability in users.php from Attack A
  • Constructs profile deletion form and submits it

7
Find vulnerability
Site reflects query parameter in input field
Link can include anything we want here
8
Copy form data
View source to find form fields
Create copycat form with our modifications
9
URL encode
http://scriptasylum.com/tutorials/encdec/encode-decode.html
http://www.dommermuth-1.com/protosite/experiments/encode/index.html
Close previous <input>, <form>
Button click triggers form submit
10
Debugging
It didn't work.
Open JavaScript console
Check error
Undefined? No properties!
Two forms with same name
11
Fixed version
Now with correct form
12
Final Test
users.php replaced with index.php
Profile deleted
13
Stealthier approaches
  • Post form into hidden iframe
    <form name="F" action="/index.php" target="myframe">
    <iframe name="myframe" style="visibility:hidden">
  • Open page with form in hidden iframe
    <iframe name="myframe" style="visibility:hidden">
    <script>document.myframe.contentDocument.forms[0].profile_update.value</script>

14
Part 2
  • Defenses

15
Goals
  • Learn
    • How easy it is to make mistakes
    • That even simple code can be hard to secure
    • Techniques for appropriate input validation
    • PHP
    • Very basic SQL

A little programming knowledge can be a dangerous thing
16
File structure
  • index.php
  • users.php
  • transfer.php
  • login.php
  • includes/
    • auth.php (cookie authentication)
    • common.php (includes everything else)
    • navigation.php (site template)
  • db/
    • zoobar/
      • Person.txt (must be writable by web server)
  • Includes /usr/class/cs155/projects/pp2/txt-db-api/

Only edit these files
17
txt-db-api
  • Third-party text file database library
  • Data can be int, string, and autoincrement
  • Need to escape strings: \' \" \\
  • Actually magic_quotes_gpc does this for us
    $recipient = $_POST['recipient'];  // already escaped
    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    if ( $rs->next() )
      $id = $rs->getCurrentValueByName("PersonID");

18
Defenses to Part 1
  • A: Cookie Theft
  • B: Request Forgery
  • C: Password Theft
  • D: Profile Worm

19
PHP Sanitization Techniques
  • addslashes(string)
    • Prepends backslash to ' " \
    • Already done by magic_quotes_gpc
    • Inverse: stripslashes(string)
  • htmlspecialchars(string, quote_style)
    • Converts < > " to HTML entities
    • Use ENT_QUOTES to change ' to &#039;
  • strip_tags(string, allowable_tags)
    • Max tag length 1024
    • Does not sanitize tag properties
  • preg_replace(pattern, replacement, subject)
  • More info: http://php.net

20
More XSS hunting
  • Look for untrusted input used as output
  • Note sanitization already applied to each variable
    • Form data has magic_quotes_gpc, db data does not
  • Sanitize the output if necessary
    • No penalty for erring on the side of caution
    • But sanitizing multiple times may lead to problems
  • No credit for solving non-goals: SQL injection, etc.
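A worked version of the advice on this slide together with the txt-db-api and PHP sanitization slides, added here and not part of the project handout: it assumes magic_quotes_gpc is on, as the deck states, simulates that with addslashes so it runs on any PHP version, and assumes Person.txt holds exactly what the user typed.

```php
<?php
// Added example, not from the slides: escape once, at output, and treat form
// data and database data differently on the way in. Assumptions: magic_quotes_gpc
// is on (as on the course setup), profile_update is the field from the deck's
// final test, and Person.txt stores the raw text the user typed.

// What PHP hands the script when magic_quotes_gpc is on: addslashes() applied to
// every GET/POST/cookie value. Simulated here so the example runs anywhere.
function as_received_from_form(string $typed, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? addslashes($typed) : $typed;
}

// Undo the magic-quotes backslashes so the value is the raw text again.
// Database data never had them added, so it must NOT go through stripslashes.
function raw_from_form(string $field, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? stripslashes($field) : $field;
}

// The single output escaper; ENT_QUOTES makes it safe between tags and inside
// quoted attributes alike.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// strip_tags() keeps every attribute on an allowed tag, so it is not a
// sanitizer by itself: an event-handler attribute survives it unchanged.
function strip_tags_keeps_attributes(): bool
{
    $kept = strip_tags('<b onmouseover="x()">hi</b>', '<b>');
    return $kept === '<b onmouseover="x()">hi</b>';
}

// Constructed sample: the text a user typed into profile_update.
$typed  = "Bob's <i>profile</i>";
$posted = as_received_from_form($typed, true);   // form path, backslashes added
$stored = $typed;                                // db path, read back from Person.txt

$from_form = html_out(raw_from_form($posted, true));
$from_db   = html_out($stored);

// Escaping an already escaped value is the "sanitizing multiple times" problem:
// htmlspecialchars turns the & of each entity into &amp;, so the user sees the
// entity text itself instead of the characters it stood for.
$twice = html_out($from_form);

var_dump($from_form === $from_db);
var_dump(strip_tags_keeps_attributes());
var_dump($twice);
```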

21
Good luck!