LECTURE 23: MORE SECURITY - CSE442 · 2020. 10. 21.
Transcript of LECTURE 23: MORE SECURITY
CSE442 – Software Engineering
Serious Hacking Attempts

Cross Site Request Forgery

Cross-Site Requests
¨ Same-site request if local page makes HTTP request
¨ Request sent to other site called cross-site request
¨ Many different reasons for including HTTP request
  ¤ Embed images
  ¤ Load frames
  ¤ Show ads
  ¤ Send link
¨ Browser sends cookies on same-site AND cross-site requests
Cross Site Request Example (figure): the browser holds a page from Facebook, and that page's requests back to Facebook are same-site requests. A page from Google in the same browser makes same-site requests to Google, while a page with ads and a Like button makes cross-site requests to the ad servers and to Facebook.
Cross-Site Knowledge
¨ Browsers know if request cross-site request or not
  ¤ But type of request NOT shared with server
¨ When cookies store state problems can arise
  ¤ To check for authorization, server retrieves current state
  ¤ But cookies sent on all requests, even if it is cross-site
¨ Creates opportunity for mischief by forging request
  ¤ Cross-Site Request Forgery (CSRF) name for this attack

CSRF Example (figure): a page on NotEvilHacker.com loaded in the browser contains
  <img src="facebook.com?action=post&content=HertzStuff">
and the browser sends that request to facebook.com with the user's Facebook cookies attached.
CSRF Bank Example
¨ To identify user, sets session cookie when logged in
  ¤ Server always checks cookie, so hack not possible
¨ Once complete, victim leaves WITHOUT logging out
  ¤ HTTP stateless, so server assumes authorization valid
¨ Each time victim loads site, attacker steals $500
  www.vic.com/transfer.php?to=250&amt=500
  ¤ Site secured on server-side & attacker lacks access
  ¤ But victim still has browser cookie, so request looks valid
¨ Just need request, no clicks required
  ¤ Will connect if link is src for img, iframe, or script
Get and Post
¨ GET requests simpler, but forging POST possible
  ¤ Usually needs button click, but that can be done in JS

  <body onload="document.forms[0].submit();">
    <form action="http://vic.com/transfer.do" method="POST">
      <input type="hidden" name="to" value="250"/>
      <input type="hidden" name="amt" value="500"/>
      <input type="submit" value="Dank Memes"/>
    </form>
  </body>
Social engineering
¨ Must trick victim into loading page
¨ To do this, many techniques exist
¨ Browser not needed if email in HTML
  ¤ Aside: We often disable images in email
¨ Very low chance that scheme works
  ¤ Handle this by sending to many people
  ¤ Commonly used website best for this
  ¤ If targets known, lesser used site okay
CSRF Countermeasures
¨ Referer (optional) field in HTTP header states sender
  ¤ Field (has to) expose history, so leaks info about user
  ¤ To protect privacy, some browsers never include field
¨ HTTP an open protocol; could write own program
  ¤ Spoof Referer to match needs rather than reality
¨ Could add field specifying if request cross-site or not
CSRF Countermeasures
¨ Random secret value ("SecretToken") on each page
¨ Include secret value when page information sent
  ¤ Other pages lack access, due to same origin policy:
    Scripts can only access DOM on pages with same origin
¨ Could also use cookie to store secret value
  ¤ When request submitted, read & add cookie to request
  ¤ Same origin policy prevents attacking page from reading cookie
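The secret-token countermeasure from the slides above, as an added Python example that is not code from the lecture; the in-memory session store, the form markup, the transfer.php handler and the forged request are all constructed here for illustration.

```python
import hmac
import secrets

# Constructed server-side session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and mint a per-session secret CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_transfer_form(sid):
    """Embed the secret in our own page. The same-origin policy keeps a
    page from another origin from reading it out of this page's DOM."""
    token = SESSIONS[sid]["csrf"]
    return ('<form action="/transfer.php" method="POST">'
            f'<input type="hidden" name="csrf_token" value="{token}"/>'
            '<input name="to"/><input name="amt"/></form>')


def handle_transfer(cookies, form):
    """Server side of transfer.php. The session cookie alone proves
    nothing: the browser attaches it to cross-site requests too."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 403, "not logged in"
    # Constant-time comparison so timing does not leak the token.
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403, "csrf token missing or wrong"
    return 200, f"transferred {form['amt']} to {form['to']}"


def demo():
    sid = login("victim")
    cookies = {"session": sid}  # the browser sends this on every request
    # Forged request from NotEvilHacker.com: the cookie rides along, but
    # the attacker's page never saw the token, so the field is absent.
    forged = handle_transfer(cookies, {"to": "250", "amt": "500"})
    # Genuine request submitted from our own rendered form.
    page = render_transfer_form(sid)
    token = page.split('name="csrf_token" value="')[1].split('"')[0]
    genuine = handle_transfer(cookies, {"to": "250", "amt": "500", "csrf_token": token})
    return forged[0], genuine[0]
```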
Cross Site Scripting

Cross Site Scripting (XSS)
¨ Attacks by providing code rather than data
  ¤ Type of "injection" attack that is very common on web
  ¤ Works when browser interprets as scripting language
¨ Any input channel potential attack vector for XSS
  ¤ Attack can occur immediately if real-time inputs used
  ¤ With persistent storage, delayed until data read & used

Who Cares?
¨ Can program user actions by embedding Javascript
  ¤ Browser would act as if actions performed by user
  ¤ Computers have IQ of 0; do not know what user wanted
¨ Using XSS malicious actor can:
  ¤ Steal cookies
  ¤ Deface websites (fake news; embarrassing images)
  ¤ Create wiretap of keystrokes
  ¤ Steal personal information
  ¤ Run exploits (SAMY worm)
Defense Against XSS

Encoding
¨ Replace with encoding & have HTML render:
  ¤ < becomes &lt;
  ¤ > becomes &gt;
  ¤ & becomes &amp;
  ¤ ␠ (space) becomes &nbsp;
  ¤ ¶ (newline) becomes <br/>
  Many others also possible

Filtering
¨ For HTML, must reject:
  ¤ <script>
  ¤ <iframe>
  ¤ <div style="background:url('javascript:alert(1)')">
  ¤ <IMG src=jAvascript:alert(1)>
  ¤ eval('xmlhttp.onread' + 'ydstatechang' + 'e=callback');
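The encoding table and the filtering list above, as an added Python example that is not the lecture's code: encode_for_html applies the slide's replacements, and the constructed blocklist filter_html shows why the obfuscated payloads on the filtering slide make filtering a losing game while encoding leaves them inert.

```python
# Replacement table from the slide. '&' goes first so the entities the
# later rules produce are not themselves re-encoded.
ENCODINGS = [
    ("&", "&amp;"),
    ("<", "&lt;"),
    (">", "&gt;"),
    (" ", "&nbsp;"),
    ("\n", "<br/>"),
]


def encode_for_html(text):
    """Untrusted text becomes markup that displays literally: the
    browser renders the entities as characters and sees no tag."""
    for raw, replacement in ENCODINGS:
        text = text.replace(raw, replacement)
    return text


# A constructed blocklist in the spirit of the filtering slide.
BLOCKED = ("<script", "<iframe", "javascript:", "onreadystatechange")


def filter_html(text):
    """Accept input only if no blocked token appears. Lower-casing
    handles 'jAvascript:', but a name assembled at run time from string
    pieces, as on the slide, never contains the token at all."""
    lowered = text.lower()
    return not any(token in lowered for token in BLOCKED)


# Constructed samples modelled on the slides' payloads.
SAMPLES = {
    "plain": "Tom & Jerry <3",
    "script": "<script>alert(1)</script>",
    "img": "<IMG src=jAvascript:alert(1)>",
    "split": "eval('xmlhttp.onread' + 'ydstatechang' + 'e=callback');",
}


def inert(text):
    """True when the encoded output can no longer open an HTML tag
    (the only '<' left is the <br/> the encoder itself emits)."""
    return "<" not in encode_for_html(text).replace("<br/>", "")


def filter_results():
    """Which samples the blocklist lets through (True = accepted)."""
    return {name: filter_html(s) for name, s in SAMPLES.items()}
```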
Filtering & Encoding Support
¨ Many libraries created to help developers with work
  ¤ JSoup exists for Java (jsoup.org/)
  ¤ AntiXSS usable in .Net (www.nuget.org/packages/AntiXSS)
  ¤ OWASP Enterprise Security API has multi-lingual support (www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home)
¨ Can also find help in languages providing functions
  ¤ htmlspecialchars() defined for PHP
  ¤ ValidateRequest() method defined by ASP.net
SQL Injection Attacks

SQL Injection Attack
¨ Like XSS, attacks by providing code rather than data
  ¤ Much more dangerous because it attacks data servers
  ¤ Damage greater, too; all of server's data compromised

SQL Injection Attack Key
¨ Attack takes advantage of most web apps' structure
  ¤ Browser attacks by crafting input sent to app server
  ¤ But this attack is not on app server, but by app server
  ¤ Database left defenseless since it trusts app server

(figure: Browser -> Web Application Server -> Database)
Sample Database Table
Table Name: USERS_TABLE

  UID  NAME     GENDER  AGE  EMAIL              PASSWD
  1    Alice    F       22   [email protected]    az34Fn892
  2    Bob      M       30   [email protected]    Ff4323sa93
  3    Carol    F       26   [email protected]    Ra234d024
  4    Douglas  M       44   [email protected]    22as95asdF

¨ Basic operations: select, insert, update, & delete
  ¤ Name is "cooler" CRUD for create, read, update, delete
Insert Statement (on USERS_TABLE above)
  INSERT INTO USERS_TABLE VALUES ('5', 'Edgar', 'M', '30', '[email protected]', '45adr56y')
Update Statement (on USERS_TABLE above)
  UPDATE USERS_TABLE SET EMAIL='[email protected]' WHERE NAME='Alice'
  UPDATE USERS_TABLE SET AGE=43
(the second statement has no WHERE clause, so every row's AGE is changed)
Delete Statement (on USERS_TABLE above)
  DELETE FROM USERS_TABLE WHERE NAME='Alice'
  DELETE FROM USERS_TABLE WHERE Age < 25
  DELETE FROM USERS_TABLE
(the last statement has no WHERE clause, so every row is deleted)
SQL Comments
¨ SQL supports single and multiline comments
  ¤ Start with -- for single line comments
  ¤ Add text between /* */ for multiline comment

  SELECT * FROM Customers -- WHERE City='Berlin';
  /* Select all the columns of all the records in the Customers table: */
  SELECT * FROM Customers;
  SELECT CustomerName /*, City, Country*/ FROM Customers;
Web App Flow of Data
(figure: Browser -> Web Application Server -> Database)

PHP on the web application server:
  <?php
  $sql = "SELECT id, name, salary FROM credential WHERE eid='$eid' AND password='$passwd'";
  $result = $conn->query($sql);
  ?>

Query sent to the database when eid is 9999 and the password is secret:
  SELECT id, name, salary FROM credential WHERE eid='9999' AND password='secret';

Hack Attack!
What input(s) to the query above will retrieve more than we should?

SQL Injection Attack (1)
¨ If $eid is:  x' OR 1=1 --
¨ Query would be sent to database and executed as:
  SELECT * FROM credential WHERE eid = 'x' OR 1=1 -- '
  (everything after -- is a comment, so the password check never runs)
Multiple SQL statements
¨ Also use semicolon (;) to create 1+ statements
¨ Makes possible worse hacks than just retrieval
  SELECT * FROM credential WHERE eid = 'x';
  DELETE FROM credential -- '
¨ Countermeasures may exist if script triggers action
More Hack Attack!
What input(s) will give someone a BIG raise?
  <?php
  $sql = "UPDATE credential SET NickName='$nname', PhoneNumber='$phone' WHERE eid='$eid'";
  $result = $conn->query($sql);
  ?>

SQL Injection Attack (2)
¨ When $nname is:  A', Salary=1000000, Email='
¨ Query becomes:
  UPDATE credential SET NickName='A', Salary=1000000, Email='', PhoneNumber='' WHERE eid='20000'
¨ Comments not always needed for SQL injection
Input Validation to Block
¨ Could validate input (check for special characters) &:
  ¤ Input with special characters rejected
  ¤ Remove special characters from the input
  ¤ Play it safe and escape special characters
¨ But requires knowing ALL special characters
  ¤ Must be updated as new characters created
¨ Better approach is using library for this
  ¤ In PHP, have mysql_real_escape_string()
  ¤ Still creates game – what if MySQL updated first?
Underlying Cause
¨ Problem comes from mixing data & code in program
¨ User input (data) provided to parser for its work
¨ Should be data, but added to string executed as code
  ¤ User injects code which is then executed as normal
¨ Best solution: always separate code & data

SQL Injection Key Concept
Don't make it a game
Prepared Statements always better than filters or sanitizing
PHP Prepared Statement
  $stmt = $conn->prepare("SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?");
  $stmt->bind_param("sid", $user, $age, $meters);
  $stmt->execute();

Step 1: Send code that will be executed (prepare)
Step 2: Send data to fill in variables (bind_param; "sid" gives the types: string, integer, double)
Step 3: Profit (execute)
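The two injections above (the eid input on SQL Injection Attack (1) and the nickname input on SQL Injection Attack (2)) next to the prepared-statement fix, as an added Python example that is not the lecture's code; it uses Python's sqlite3 module in place of PHP and MySQL, and the credential table and its rows are constructed here.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the lecture's credential table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE credential (eid TEXT, name TEXT, salary INTEGER, "
                 "password TEXT, nickname TEXT, phone TEXT, email TEXT)")
    conn.executemany("INSERT INTO credential VALUES (?, ?, ?, ?, ?, ?, ?)", [
        ("9999", "Alice", 50000, "secret", "ali", "555-0100", "alice@example.com"),
        ("20000", "Bob", 48000, "hunter2", "bob", "555-0101", "bob@example.com"),
    ])
    return conn


def login_vulnerable(conn, eid, passwd):
    """The slide's string-built query: the input is parsed as SQL text."""
    sql = ("SELECT eid, name, salary FROM credential "
           f"WHERE eid='{eid}' AND password='{passwd}'")
    return conn.execute(sql).fetchall()


def login_prepared(conn, eid, passwd):
    """Code first, data second: the driver fills the ? placeholders, so
    the input can only ever be compared as a value, never parsed."""
    sql = "SELECT eid, name, salary FROM credential WHERE eid=? AND password=?"
    return conn.execute(sql, (eid, passwd)).fetchall()


def update_vulnerable(conn, eid, nname, phone):
    """The 'BIG raise' slide: extra SET clauses ride in on the nickname."""
    conn.execute(f"UPDATE credential SET nickname='{nname}', phone='{phone}' "
                 f"WHERE eid='{eid}'")
    return conn.execute("SELECT salary FROM credential WHERE eid=?", (eid,)).fetchone()[0]


def update_prepared(conn, eid, nname, phone):
    """Same update with placeholders: the nickname is stored verbatim."""
    conn.execute("UPDATE credential SET nickname=?, phone=? WHERE eid=?",
                 (nname, phone, eid))
    return conn.execute("SELECT salary FROM credential WHERE eid=?", (eid,)).fetchone()[0]


def demo():
    """(rows leaked, rows via prepared stmt, salary after each update)."""
    eid_payload = "x' OR 1=1 -- "
    nname_payload = "A', Salary=1000000, Email='"
    leaked = len(login_vulnerable(make_db(), eid_payload, "wrong"))
    safe = len(login_prepared(make_db(), eid_payload, "wrong"))
    return (leaked, safe, update_vulnerable(make_db(), "20000", nname_payload, ""),
            update_prepared(make_db(), "20000", nname_payload, ""))
```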
Buffer Overflows

Buffer Overflows
¨ Form used by majority of Internet attacks
  ¤ 50% of CERT advisories deal with buffer overflows
  ¤ Very quick & easy way to infect lots of machines

Major Buffer Overflows
¨ Morris worm overflowed fingerd
  ¤ Infected 10% of the existing Internet
¨ Code Red used overflow in MS-IIS server
  ¤ Infected 300,000 machines in about 14 hours
¨ SQL Slammer hacked through MS-SQL server
  ¤ Needed just 10 minutes to infect 75,000 machines

What Can We Do?
¨ Buffer overflow attacks are easy to stop
  ¤ Java does not allow this exploit to work, in fact
  ¤ Very common in C code
What is a Buffer?
¨ Memory set aside for quick access by program
  ¤ Usually found on program stack or in the heap
  ¤ Pre-defined size used to improve access speed
  ¤ But what happens if more data stuffed into it

How to Handle Buffer
¨ Should check for space before storing data
  ¤ Just common sense to store only where permitted
  ¤ Buffers normally huge so they can hold all data
  ¤ But there's cost: added checks slow program down
¨ Languages split in handling of array access
  ¤ Automatic array bounds checks done by Java, C#
  ¤ Not in many older languages like Pascal & C++
Program Stack
¨ When calling function, program creates frame
  ¤ Value of parameters stored in this frame
  ¤ Contains space for all of the local variables
  ¤ Address to return to when function completes
¨ Since automatic, system assumes values valid
  ¤ Programmer cannot adjust or control this data
  ¤ As soon as complete, blindly jumps to return address

Stack Frame Example
  void foo(int i) {
    int x;
    int y;
    char buffer[100];
    // Code here...
  }

  High Address
    Parameters:       i -> 456          (4 bytes)
    Return Address:   0xFEEDFACE        (4 bytes)
    Calling FP:       0xA0029482        (4 bytes)
    Local Variables:  x -> 34           (4 bytes)
                      y -> 34           (4 bytes)
                      buffer            (100 bytes)
  Low Address
Smashing The Stack
¨ When we overflow the buffer...
  ¤ Local variables overwritten initially by this extra data
  ¤ Then create brand new address for frame pointer
  ¤ Assign return address next to whatever is in input
¨ Oops.
  ¤ Important that return address should be accurate
  ¤ Random value used as result of our overflow
  ¤ Code that will be executed decided by whom?

Usually Just Crashes
¨ System will normally crash as result of overrun
  ¤ More often than not, data will be random
  ¤ Rarely productive to jump to random address
  ¤ Woo-hoo! Our program is not unsafe, it just sucks.
What is Left?
¨ Must first wait for hacker to find bug
  ¤ So long as nobody uses program this is not a problem
  ¤ Once program used, count on shortest wait ever
¨ Never ask "How could it be worse?"
  ¤ Some languages have Strings as primitive type
  ¤ Many others use null terminated array of char
  ¤ Functions process array until null character found
  ¤ Creates an entirely new source of possible hacks
Possible Solutions
¨ Avoid functions using unlimited number of bytes
  ¤ Can always find & use limited memory versions
¨ Restrict to actual size to prevent overflow
  ¤ Requires you be able to know array's actual size
  ¤ Update everywhere when changing code
  ¤ Using magic numbers makes very difficult

Other Solutions
¨ Commercial libraries inject checks where it can
  ¤ As in modern languages, but less capable or useful
  ¤ Checks add time: program runs 2-3% slower
¨ Legacy code too difficult to fix can use libraries
  ¤ Most bosses would be angry adding to new code
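The frame on the Stack Frame Example slide and the bounded-copy fix from Possible Solutions, as an added Python simulation rather than code from the lecture: a bytearray stands in for the frame, the offsets are assumed from the slide's picture with no padding, copy_unbounded behaves like a C string copy that stops only at the NUL byte, and copy_bounded like one that is told the buffer's real size.

```python
import struct

# Frame layout assumed from the slide's picture, low address first:
# buffer (100) | y (4) | x (4) | saved FP (4) | return address (4) | i (4)
BUF_SIZE = 100
OFF_Y, OFF_X, OFF_FP, OFF_RET, OFF_I = 100, 104, 108, 112, 116
FRAME_SIZE = 120


def new_frame():
    """Build foo(456)'s frame with the values shown on the slide."""
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<I", frame, OFF_Y, 34)
    struct.pack_into("<I", frame, OFF_X, 34)
    struct.pack_into("<I", frame, OFF_FP, 0xA0029482)
    struct.pack_into("<I", frame, OFF_RET, 0xFEEDFACE)
    struct.pack_into("<I", frame, OFF_I, 456)
    return frame


def copy_unbounded(frame, data):
    """strcpy-style: copy until the NUL, however far past buffer that is.
    Bytes beyond index 99 land on y, x, the saved FP and the return address."""
    n = data.index(b"\0") if b"\0" in data else len(data)
    frame[0:n] = data[:n]
    return frame


def copy_bounded(frame, data):
    """strncpy/snprintf-style: never write more than the buffer holds,
    and keep the last byte for the terminating NUL."""
    n = min(len(data), BUF_SIZE - 1)
    frame[0:n] = data[:n]
    frame[n] = 0
    return frame


def return_address(frame):
    return struct.unpack_from("<I", frame, OFF_RET)[0]


def demo():
    # Constructed oversized input: 112 filler bytes reach the saved
    # return address and the next 4 bytes replace it with a chosen value.
    oversized = b"A" * OFF_RET + struct.pack("<I", 0x12345678)
    smashed = return_address(copy_unbounded(new_frame(), oversized))
    intact = return_address(copy_bounded(new_frame(), oversized))
    return hex(smashed), hex(intact)
```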