Introduction to Computer Security - Web Application Security · Security of web applications...
Introduction to Computer Security: Web Application Security
Pavel Laskov, Wilhelm Schickard Institute for Computer Science
Modern threat landscape
The majority of modern vulnerabilities are found in web applications.
Source: MITRE CVE trends
Web application vulnerabilities in numbers
- 3,462 web vs. 2,029 non-web application vulnerabilities were discovered by Symantec in 2008
- Average exposure time: 60 days
- 12,885 site-specific XSS vulnerabilities were submitted to XSSed in 2008
- Only 3% of site-specific vulnerabilities were fixed by the end of 2008
Web application: a user's view
HTTP: a simple stateless protocol.
[Diagram: the browser sends an HTTP request to the web server; the web server returns an HTTP reply.]
Client-side operations:
- open a TCP connection on port 80
- send a request
Server-side operations:
- accept a TCP connection request
- process an HTTP request
- send an HTTP reply
Web application: technical infrastructure
[Diagram: browser, firewall, HTTP proxy with a cache, and web server. The HTTP request passes through the firewall and proxy to the server; the HTTP reply travels back the same way, or a cached reply is served directly from the proxy cache.]
Additional requirements:
- Traffic filtering
- Load balancing
- Performance improvement
Web application: software instrumentation
[Diagram: the same browser / firewall / HTTP proxy (cache) / web server path as before, now showing the software at each end. Browser extensions: Applet, Javascript, ActiveX. Application gateway on the server: CGI, PHP, Ajax, Ruby on Rails, which forwards an application-specific request to a back-end application, e.g. a database.]
Web application threats

| | Client side | Server side |
|---|---|---|
| Implementation | C/C++, Java | Script languages |
| Attack types | buffer overflows, drive-by downloads | XSS, XSRF, code injection, SQL injection |
| Attack outcome | malware installation, loss of private data | defacement, loss of private data, loss of corporate secrets |
HTTP protocol
Simple protocol for transfer of hyperlinked content:
- Request/response
- Stateless
- Clear-text
HTTP request structure
Initial request line:
- Method (GET, POST, etc.)
- Resource specified by URI
- Protocol version
Header lines: key/value pairs, e.g. Accept-Language: <language>
Body (arbitrary byte stream, separated from the headers by an empty CR LF line):
- Uploaded files
- Form data
HTTP methods
GET
- retrieves a resource
- form parameters in URI
- safe, no side-effects

```http
GET /cgi-bin/birthday.pl?month=june&day=27 HTTP/1.0
```

POST
- sends data to a server
- form parameters in body
- potential side-effects

```http
POST /script.cgi HTTP/1.0
User-Agent: HTTPTool/1.0
Content-Type: ...
Content-Length: 32
<CR><LF>
name=pavel&surname=laskov
```
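The request structure and the two methods above, as an added example that is not part of the lecture slides: a minimal parser that splits a raw request into request line, headers and body, trusts only as many body bytes as Content-Length announces, and extracts the form parameters from the URI query (GET) or from the body (POST). The two sample requests are constructed here, modelled on the slide's examples; the host name is a placeholder.

```python
# Added example (not from the slides): a minimal parser for the HTTP request
# structure above. Sample requests are constructed, modelled on the slide's
# GET and POST examples; example.test is a placeholder host.
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.0 request into method, target, version, headers, body.

    The head (request line + header lines) ends at the first empty line,
    i.e. the byte sequence CR LF CR LF; everything after it is the body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by CR LF CR LF")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        # Header names are case-insensitive, so normalise them once here.
        headers[name.strip().lower()] = value.strip()
    # Only the bytes announced by Content-Length belong to this request;
    # anything beyond them would be the start of the next request on the
    # connection, and must not be attributed to this one.
    if "content-length" in headers:
        length = int(headers["content-length"])
        if length > len(body):
            raise ValueError("body shorter than Content-Length")
        body = body[:length]
    else:
        body = b""  # no length given: treat the request as body-less
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def form_params(req: dict) -> dict:
    """Form parameters: from the URI query for GET, from the body for POST."""
    if req["method"] == "GET":
        query = urlsplit(req["target"]).query
    elif req["method"] == "POST":
        query = req["body"].decode("iso-8859-1")
    else:
        return {}
    # parse_qs also decodes %XX escapes and '+' as space, as on the URI slide.
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


# Constructed samples, modelled on the GET and POST examples in the slides.
GET_SAMPLE = (b"GET /cgi-bin/birthday.pl?month=june&day=27 HTTP/1.0\r\n"
              b"Host: example.test\r\n\r\n")
POST_BODY = b"name=pavel&surname=laskov"
POST_SAMPLE = (b"POST /script.cgi HTTP/1.0\r\n"
               b"User-Agent: HTTPTool/1.0\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: %d\r\n\r\n" % len(POST_BODY)) + POST_BODY

if __name__ == "__main__":
    for sample in (GET_SAMPLE, POST_SAMPLE):
        req = parse_request(sample)
        print(req["method"], req["target"], form_params(req))
```

The Content-Length handling is the part worth noticing: a server that reads past the announced length, or that accepts a body without a length at all, confuses request boundaries on a reused connection.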
Uniform resource identifier (URI)
Syntax: <scheme>://<authority><path>?<query>#<fragment>
Special characters can be hex-encoded:
- %0A = newline
- %20 or + = space
- %2B = +
Examples:
- ftp://ftp.ietf.org/rfc/rfc1808.txt
- http://ida.first.fhg.de/~laskov
- http%3A%2F%2F//ida%2Efirst%2Efhg%2Ede%2F%7Elaskov
- mailto:[email protected]
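The hex-encoding rules above, as an added example that is not part of the lecture slides. It decodes the slide's own encoded address, shows that '+' means space only in the query part, and carries two checks a server should make: that the decoded value (not the raw one) is free of control characters such as the %0A newline, and how many decoding passes an input survives, since a value that is still changing after one pass was encoded more than once and a single decode is not its final form. The double-encoded sample string is constructed.

```python
# Added example (not from the slides): percent-decoding of URI components and
# the checks that belong after decoding. The "%253C" input is constructed.
from urllib.parse import unquote, unquote_plus


def decode_query_value(value: str) -> str:
    """Query/form component: '+' and '%20' both mean space, '%2B' means '+'."""
    return unquote_plus(value)


def decode_path(value: str) -> str:
    """Path component: '+' is a literal character there, only %XX is an escape."""
    return unquote(value)


def contains_control_chars(value: str) -> bool:
    """True if a decoded value carries CR, LF or another control character.

    %0A decodes to a newline; a value checked before decoding would look
    harmless, while the decoded newline can end a header or log line.
    """
    return any(ord(c) < 0x20 or c == "\x7f" for c in value)


def decode_levels(value: str, limit: int = 3) -> list:
    """Decode repeatedly until the value stops changing, returning each stage.

    One stage beyond the input is the normal case. Two or more means the input
    was encoded several times; a filter that decodes once and then inspects the
    result is looking at a different string from the one a second decoder sees.
    """
    stages = [value]
    for _ in range(limit):
        nxt = unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


if __name__ == "__main__":
    print(decode_levels("http%3A%2F%2F//ida%2Efirst%2Efhg%2Ede%2F%7Elaskov"))
    print(decode_query_value("month=june+27%2B1"))
```

The practical rule these functions encode: decode exactly once, in the component's own rules, and validate what comes out rather than what went in.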
HTTP response structure
Initial response line:
- protocol version
- status code
- status message
Header lines (same as request)
Body (arbitrary byte stream, separated from the headers by an empty CR LF line):
- requested resources in HTML
HTTP basic authentication
Goal: allow a browser to send login credentials.
Method:
- concatenate user name and password, separated by a colon
- encode using base64
- send in clear text
HTTP digest authentication
1. Server receives a (method:URI) request.
2. Server denies access and returns a nonce as a challenge.
3. Client asks the user for credentials.
4. Client calculates:
   H1 = MD5(username:realm:password)
   H2 = MD5(method:URI)
5. Client sends msg = MD5(H1:nonce:H2) to the server.
6. Server knows the password for the user and computes:
   H1 = MD5(username:realm:password)
   H2 = MD5(method:URI)
7. Server compares MD5(H1:nonce:H2) with msg.
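Both schemes above, as an added example that is not part of the lecture slides: the Basic header and its trivial reversal, and the Digest computation exactly as the slide states it (H1, H2, MD5(H1:nonce:H2)), with a small server-side verifier that issues nonces and rejects any response carrying a nonce it did not issue or has already accepted. The slide's formula is the simple form of the scheme; the later RFC 2617 variant with qop=auth adds a client nonce and a request counter to the hashed string, and is not reproduced here. The realm, user names and passwords are constructed sample values.

```python
# Added example (not from the slides): Basic and Digest authentication as
# described above, plus a minimal Digest verifier. Realm, users and passwords
# are constructed sample values.
import base64
import hashlib
import hmac
import secrets


def basic_auth_header(username: str, password: str) -> str:
    """Basic scheme: base64(username:password) in an Authorization header.

    Base64 is an encoding, not encryption: the credentials travel in the clear
    unless the connection itself is encrypted.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def decode_basic(header: str) -> tuple:
    """Recover (username, password) from a Basic header; anyone who can read
    the request can do the same."""
    scheme, token = header.split(" ")[-2:]
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    username, _, password = base64.b64decode(token).decode().partition(":")
    return username, password


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce) -> str:
    """Client side of the slide's Digest scheme: MD5(H1:nonce:H2)."""
    h1 = md5_hex(f"{username}:{realm}:{password}")
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{h2}")


class DigestServer:
    """Server side: hands out nonces and checks responses against the stored
    password, which it must know in clear (or as H1) to recompute the digest."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users      # username -> password; constructed sample store
        self.issued = set()     # nonces handed out and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, response) -> bool:
        # A nonce the server never issued, or one already used, is rejected:
        # that is what stops a captured response from being replayed.
        if nonce not in self.issued:
            return False
        self.issued.discard(nonce)
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_response(username, self.realm, password,
                                   method, uri, nonce)
        # Constant-time comparison, so timing does not reveal matching prefixes.
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    srv = DigestServer("example.test", {"pavel": "s3cret"})
    nonce = srv.challenge()
    msg = digest_response("pavel", "example.test", "s3cret", "GET", "/", nonce)
    print(srv.verify("pavel", "GET", "/", nonce, msg))   # True, first use
    print(srv.verify("pavel", "GET", "/", nonce, msg))   # False, nonce consumed
```

The password never crosses the wire in the Digest exchange, but the nonce bookkeeping is what makes that worth anything: without it, the response itself is as replayable as a Basic header.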
Session management and cookies
A cookie is a set of name/value pairs stored in a browser.
Cookie usage:
- authentication
- state maintenance (e.g. "shopping cart")
- user preference tracking
Cookie attributes:
- name
- value
- expiration date
- the path and domain the cookie is valid for
Persistent authentication using cookies
Cross-site scripting (XSS)
Any web application that returns user input without filtering is a potential XSS vulnerability!
It allows execution of arbitrary Javascript in the user's browser.
Why would a user do this?
- Inadvertently click on an emailed link
- Click on an infected image
- Leave the mouse on an image infected with an "onMouseOver" tag
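What "returning user input without filtering" looks like in code, as an added example that is not part of the lecture slides: the same reflected value rendered once verbatim and once escaped, in the two places it most often lands (element text and an attribute value, the latter being where an onMouseOver handler would attach). A small HTML parser then lists the tags and attributes each rendering produces, so the difference is visible as structure rather than as a string. The payload strings are constructed for the demonstration; Python's html.parser is used as a stand-in for a browser's parser.

```python
# Added example (not from the slides): reflected output without and with
# escaping, in element-text and attribute contexts, plus a parser-based check.
# Payload strings are constructed; html.parser approximates a browser here.
import html
from html.parser import HTMLParser


def greeting_unsafe(name: str) -> str:
    """Vulnerable: the input is copied verbatim into the page, so any markup
    in it is parsed, and any script element it carries runs in the browser."""
    return f"<p>Hello, {name}!</p>"


def greeting_safe(name: str) -> str:
    """Hardened: html.escape turns & < > " ' into entities, so the browser
    displays the input as text instead of interpreting it as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def image_alt_unsafe(alt: str) -> str:
    """Vulnerable attribute context: a double quote in the input closes the
    alt value, and whatever follows is parsed as further attributes."""
    return f'<img src="/static/pic.png" alt="{alt}">'


def image_alt_safe(alt: str) -> str:
    """Hardened: the attribute is quoted and quote=True escapes quotes inside
    it, so the input cannot end the attribute early."""
    return f'<img src="/static/pic.png" alt="{html.escape(alt, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag with its attribute names, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))


def parsed_tags(markup: str) -> list:
    """Parse a fragment and return [(tag, [attribute names]), ...]; the safe
    renderings must yield exactly the tags the template itself contains."""
    collector = TagCollector()
    collector.feed(markup)
    return collector.tags


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"            # constructed payload
    print(parsed_tags(greeting_unsafe(sample)))     # p and an injected script
    print(parsed_tags(greeting_safe(sample)))       # p only
```

The escaping must match the context: html.escape is right for element text and quoted attribute values, but not for input placed inside a script block, a URL, or a style rule, each of which has its own syntax and needs its own encoder.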
Basic XSS scenario
What is "cross-site" in XSS?
"Injection" of Javascript into a browser is actually perfectly legal, but...
Typically Javascript is only allowed to access resources of the same site that delivered it to the browser.
In an XSS attack the Javascript does not originate from the web server's own content: it is injected into the page dynamically via a user request, reflected back by the server on behalf of a third party, the "cross site".
Cross-site scripting: an example
Samy worm
- Inject Javascript into a user profile using document.body.innerHTML
- Get the list of the user's heroes by using a GET on the user profile
- Add Samy as a friend by performing an XML-HTTP request on the addFriends page
- Any user who visits an infected user's page gets their own profile infected with the Javascript and Samy added to their friends list
- Eventually about 1,000,000 MySpace profiles were infected.
More technical details and hacks at: http://web.archive.org/web/20060208182348/namb.la/popular/tech.html
Cross-site request forgery: an example
Why does every online bank request you to sign off?
1. User logs in to bank.com and does not sign off.
2. Session cookie remains in browser state.
3. User accidentally visits a malicious site with the following content:

```html
<form name=F action=http://bank.com/PayBill.php>
<input name=recipient value=badguy>...</form>
<script> document.F.submit(); </script>
```

4. Browser sends the user request including the existing authorization credentials.
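The server-side view of the bank.com scenario above, as an added example that is not part of the lecture slides, and serving the cookie slide as well: a Set-Cookie line carrying the attributes listed there (name, value, expiry, path, domain), and a PayBill handler that accepts a request only when it carries a token bound to the session, which the bank's own form embeds and a form copied onto a third-party site cannot. The browser attaches the session cookie to the forged request exactly as the slide says; the point is that the cookie alone is not evidence of who built the form. Session ids, user names, the domain and the server secret are constructed sample values, and the request dicts stand in for a web framework's request object.

```python
# Added example (not from the slides): a Set-Cookie header with the attributes
# from the cookie slide, and a PayBill handler that rejects the forged form
# submission described above. All ids, names and the secret are constructed.
import hashlib
import hmac
import secrets
import time
from email.utils import formatdate

# Constructed for this demo; a real server keeps one persistent secret.
SERVER_SECRET = secrets.token_bytes(32)


def set_cookie_header(session_id: str, domain: str, max_age: int) -> str:
    """Name, value, expiration date, path and domain as on the slide, plus
    Secure (HTTPS only), HttpOnly (no script access, which blunts XSS theft)
    and SameSite=Lax (not sent on cross-site POSTs such as the forged form)."""
    expires = formatdate(time.time() + max_age, usegmt=True)
    return (f"Set-Cookie: session={session_id}; Expires={expires}; "
            f"Path=/; Domain={domain}; Secure; HttpOnly; SameSite=Lax")


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session by HMAC. A third-party page can neither read
    the session cookie nor knows the secret, so it cannot produce this value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def valid_csrf_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def bank_form_html(session_id: str) -> str:
    """The bank's own PayBill form embeds the token as a hidden field."""
    return ('<form action="/PayBill.php" method="post">'
            f'<input type="hidden" name="csrf_token" value="{issue_csrf_token(session_id)}">'
            '<input name="recipient"></form>')


def handle_pay_bill(request: dict, sessions: dict) -> tuple:
    """request = {"cookies": {...}, "form": {...}}; sessions maps id -> user."""
    sid = request["cookies"].get("session")
    if sid not in sessions:
        return 401, "not logged in"
    # The browser attaches the session cookie to the forged request too, so
    # the cookie says who the user is, not which page built the form.
    if not valid_csrf_token(sid, request["form"].get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    recipient = request["form"].get("recipient", "")
    return 200, f"{sessions[sid]} paid {recipient}"


if __name__ == "__main__":
    sessions = {"s-7f3a": "alice"}                      # constructed session store
    print(set_cookie_header("s-7f3a", "bank.example", 3600))
    legit = {"cookies": {"session": "s-7f3a"},
             "form": {"recipient": "utility-co",
                      "csrf_token": issue_csrf_token("s-7f3a")}}
    forged = {"cookies": {"session": "s-7f3a"},
              "form": {"recipient": "badguy"}}          # the slide's form, no token
    print(handle_pay_bill(legit, sessions))             # (200, ...)
    print(handle_pay_bill(forged, sessions))            # (403, ...)
```

Signing off, as the slide asks, removes the session so that step 4 has no credentials to attach; the token check protects the user who forgets to.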
XSRF: main scenario
Summary
- Security of web applications crucially depends on sanitisation of user input.
- The latter is easier said than done.
- Typical attacks, such as XSS and XSRF, can be highly automated and result in serious compromise.