LECTURE23:MORESECURITYCSE442–SoftwareEngineering

SeriousHackingAttempts

CrossSiteRequestForgery

Cross-SiteRequests

¨  Same-siterequestiflocalpagemakesHTTPrequest¨  Requestsenttoothersitecalledcross-siterequest¨  ManydifferentreasonsforincludingHTTPrequest

¤ Embedimages¤ Loadframes¤ Showads¤ Sendlink

¨  Sendscookiesonsame-siteANDcross-siterequests

Browser

CrossSiteRequestExample

PagefromFacebook

Browser

CrossSiteRequestExample

PagefromFacebook

Browser

Same-Site Request

CrossSiteRequestExample

PagefromGoogle

PagefromFacebook

Browser

CrossSiteRequestExample

Same-Site Request

PagefromGoogle

PagefromFacebook

Browser

Same-Site Request

Same-Site Request

CrossSiteRequestExample

PagefromGoogle

PagefromFacebook

Browser

Same-Site Request

PagewithAds&Likebutton

Cross-Site Requests

Same-Site Request

CrossSiteRequestExample

Cross-SiteKnowledge

¨  Browsersknowifrequestcross-siterequestornot¤ ButtypeofrequestNOTsharedwithserver

¨  Whencookiesstorestateproblemscanarise¤ Tocheckforauthorization,serverretrievescurrentstate¤ Butcookiessentonallrequests,evenifitiscross-site

¨  Createsopportunityformischiefbyforgingrequest¤ Cross-SiteRequestForgery(CSRF)nameforthisattack

PageonNotEvilHacker.com <img src= “facebook.com?

action=post& content=HertzStuff”>

Browser

CSRFExample

CSRFBankExample

¨  Toidentifyuser,setssessioncookiewhenloggedin¤ Serveralwayscheckscookie,sohacknotpossible

¨  Oncecomplete,victimleavesWITHOUTloggingout¤ HTTPstateless,soserverassumesauthorizationvalid

¨  Eachtimevictimloadssite,attackersteals$500www.vic.com/transfer.php?to=250&amt=500 ¤ Sitesecuredonserver-side&attackerlacksaccess¤ Butvictimstillhasbrowsercookie,sorequestlooksvalid

¨  Justneedrequest,noclicksrequired¤ Willconnectiflinkissrcforimg,iframe,orscript

GetandPost

¨  GETrequestssimpler,butforgingPOSTpossible¤ Usuallyneedsbuttonclick,butthatcanbedoneinJS

<body onload="document.forms[0].submit();"> <form action="http://vic.com/transfer.do" method="POST">

<input type="hidden" name="to" value="250"/> <input type="hidden" name="amt" value="500"/> <input type="submit" value="Dank Memes"/>

</form>

Socialengineering

¨  Musttrickvictimintoloadingpage¨  Todothis,manytechniquesexist¨  BrowsernotneededifemailinHTML

¤ Aside:Weoftendisableimagesinemail

¨  Verylowchancethatschemeworks¤ Handlethisbysendingtomanypeople¤ Commonlyusedwebsitebestforthis¤  Iftargetsknown,lesserusedsiteokay

CSRFCountermeasures

¨  referrer(optional)fieldinHTTPheaderstatessender¤ Field(hasto)exposehistory,soleak’sinfoaboutuser¤ Toprotectprivacy,somebrowsersneverincludefield

¨  HTTPanopenprotocol;couldwriteownprogram¤ Spoofreferrertomatchneedsratherthanreality

¨  Couldaddfieldspecifyingifrequestcross-siteornot

CSRFCountermeasures

¨  referrer(optional)fieldinHTTPheaderstatessender¤ Field(hasto)exposehistory,soleak’sinfoaboutuser¤ Toprotectprivacy,somebrowsersneverincludefield

¨  HTTPanopenprotocol;couldwriteownprogram¤ Spoofreferrertomatchneedsratherthanreality

¨  Couldaddfieldspecifyingifrequestcross-siteornot

CSRFCountermeasures

¨  Randomsecretvalue("SecretToken")oneachpage¨  Includesecretvaluewhenpageinformationsent

¤ Otherpageslackaccess,duetosameoriginpolicy:

ScriptscanonlyaccessDOMonpageswithsameorigin

¨  Couldalsousecookietostoresecretvalue¤ Whenrequestsubmitted,read&addcookietorequest¤ Sameoriginpolicypreventsattackingpagefromcookie

CrossSiteScripting

CrossSiteScripting(XSS)

¨  Attacksbyprovidingcoderatherthandata¤ Typeof“injection”attackthatisverycommononweb¤ Workswhenbrowserinterpretsasscriptinglanguage

¨  AnyinputchannelpotentialattackvectorforXSS¤ Attackcanoccurimmediatelyifreal-timeinputsused¤ Withpersistentstorage,delayeduntildataread&used

CrossSiteScripting(XSS)

CrossSiteScripting(XSS)

WhoCares?

¨  CanprogramuseractionsbyembeddingJavascript¤ Browserwouldactasifactionsperformedbyuser¤ ComputershaveIQof0;donotknowwhatuserwanted

¨  UsingXSSmaliciousactorcan:¤ Stealcookies¤ Defacewebsites(fakenews;embarrassingimages)¤ Createwiretapofkeystrokes¤ Stealpersonalinformation¤ Runexploits(SAMYworm)

DefenseAgainstXSS

¨  Replacewithencoding&haveHTMLrender:¤ <becomes&lt; ¤ >becomes&gt; ¤ &becomes&amp; ¤ ␠becomes&nbsp; ¤ ¶becomes<br/> Manyothersalsopossible

Filtering Encoding

¨  ForHTML,mustreject:¤ <script> ¤ <iframe> ¤  <div style=

“background:url( ‘javascript:alert(1)’)”>

¤  <IMG src= j&#X41vascript:alert(1)>

¤  eval( ‘xmlhttp.onread’+ ‘ydstatechang’+ ‘e=callback’);

DefenseAgainstXSS

¨  Replacewithencoding&haveHTMLrender:¤ <becomes&lt; ¤ >becomes&gt; ¤ &becomes&amp; ¤ ␠becomes&nbsp; ¤ ¶becomes<br/> Manyothersalsopossible

Filtering Encoding

¨  ForHTML,mustreject:¤ <script> ¤ <iframe> ¤  <div style=

“background:url( ‘javascript:alert(1)’)”>

¤  <IMG src= j&#X41vascript:alert(1)>

¤  eval( ‘xmlhttp.onread’+ ‘ydstatechang’+ ‘e=callback’);

Filtering&EncodingSupport

¨  Manylibrariescreatedtohelpdeveloperswithwork¤ JSoupexistsforJava(jsoup.org/)¤ AntiXSSusablein.Net(www.nuget.org/packages/AntiXSS)

¤ OWASPEnterpriseSecurityhasmulti-lingualsupport(www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=Home)

¨  Canalsofindhelpinlanguagesprovidingfunctions¤ htmlspecialchars()definedforPHP¤ ValidateRequest()methoddefinedbyASP.net

SQLInjectionAttacks

SQLInjectionAttack

¨  LikeXSS,attacksbyprovidingcoderatherthandata¤ Muchmoredangerousbecauseitattacksdataservers¤ Damagegreater,too;allofserver'sdatacompromised

SQLInjectionAttackKey

¨  Attacktakesadvantageofmostwebapps'structure¤ Browserattacksbycraftinginputsenttoappserver¤ Butthisattackisnotonappserver,butbyappserver¤ Databaseleftdefenselesssinceittrustsappserver

Browser

WebApplication

Server Database

SampleDatabaseTable

UID NAMEGENDER AGE EMAIL PASSWD

1 Alice F 22 alice@buffalo.edu az34Fn892 Bob M 30 bob@buffalo.edu Ff4323sa93 Carol F 26 carol@buffalo.edu Ra234d024 Douglas M 44 doug@buffalo.edu 22as95asdF

TableName:USERS_TABLE

¨  Basicoperations:select,insert,update,&delete ¤ Nameis”cooler”CRUDforcreate,read,update,delete

InsertStatement

UID NAMEGENDER AGE EMAIL PASSWD

1 Alice F 22 alice@buffalo.edu az34Fn892 Bob M 30 bob@buffalo.edu Ff4323sa93 Carol F 26 carol@buffalo.edu Ra234d024 Douglas M 44 doug@buffalo.edu 22as95asdF

TableName:USERS_TABLE

INSERT INTO USERS_TABLE VALUES (‘5’,‘Edgar’, ‘M’, ‘30’, ‘ed@buffalo.edu’, ‘45adr56y’)

UpdateStatement

UID NAMEGENDER AGE EMAIL PASSWD

1 Alice F 22 alice@buffalo.edu az34Fn892 Bob M 30 bob@buffalo.edu Ff4323sa93 Carol F 26 carol@buffalo.edu Ra234d024 Douglas M 44 doug@buffalo.edu 22as95asdF

TableName:USERS_TABLE

UPDATE USERS_TABLE SET EMAIL=‘a@gmail.com’ WHERE NAME=‘Alice’

UPDATE USERS_TABLE SET AGE=43

DeleteStatement

UID NAMEGENDER AGE EMAIL PASSWD

1 Alice F 22 alice@buffalo.edu az34Fn892 Bob M 30 bob@buffalo.edu Ff4323sa93 Carol F 26 carol@buffalo.edu Ra234d024 Douglas M 44 doug@buffalo.edu 22as95asdF

TableName:USERS_TABLE

DELETE FROM USERS_TABLE WHERE NAME=‘Alice’

DELETE FROM USERS_TABLE WHERE Age < 25

DELETE FROM USERS_TABLE

SQLCOMMENTS

¨  SQLsupportssingleandmultilinecomments¤ Startwith--forsinglelinecomments ¤ Addtextbetween/* */formultilinecomment

SELECT * FROM Customers -- WHERE City='Berlin'; /*Select all the columns of all the recordsin the Customers table:*/ SELECT * FROM Customers; SELECT CustomerName /*, City, Country*/ FROM Customers;

WebAppFlowofData

Browser Web Application Server Database

<?php $sql = “SELECT id, name, salary FROM credential WHERE eid= ‘$eid’ AND password=‘$passwd’”; $result = $conn->query($sql); ?>

SELECT id, name, salary FROM credential WHERE eid= ‘9999’ AND passwd= ‘secret’;

HackAttack!

Whatinput(s)

willretrievemorethanweshould?

<?php $sql = “SELECT id, name, salary FROM credential WHERE eid= ‘$eid’ AND password=‘$passwd’”; $result = $conn->query($sql); ?>

SQLInjectionAttack(1)

¨  If$eidis:x’ OR 1=1 –-

¨  Querywouldbesenttodatabaseandexecutedas:

SELECT * FROM credential

WHERE eid = ‘x’ OR 1=1 -- ’

MultipleSQLstatements

¨  Alsousesemicolon(;)tocreate1+statements¨  Makespossibleworsehacksthanjustretrieval

SELECT * FROM credential WHERE eid = ‘x’;

DELETE FROM credential -- ’

¨  Countermeasuresmayexistifscripttriggersaction

MoreHackAttack!

Whatinput(s)

willgivesomeoneBIGraise?

<?php $sql = “UPDATE credential SET NickName = ‘$nname’, PhoneNumber=‘$phone’ WHERE eid= ‘$eid’; $result = $conn->query($sql); ?>

SQLInjectionAttack(2)

¨  When$nnameis:A’, Salary=1000000, Email=‘

¨  Querybecomes: UPDATE credential

SET NickName = ‘A’, Salary=1000000,

Email=‘ ’, PhoneNumber=‘ ’ WHERE eid = ‘20000’

¨  CommentsnotalwaysneededforSQLinjection

InputValidationtoBlock

¨  Couldvalidateinput(checkforspecialcharacters)&¤  Inputwithspecialcharactersrejected¤ Removespecialcharactersfromtheinput¤ Playitsafeandescapespecialcharacters

¨  ButrequiresknowingALLspecialcharacters¤ Mustbeupdatedasnewcharacterscreated

¨  Betterapproachisusinglibraryforthis¤  InPHP,havemysql_real_escape_string()¤ Stillcreatesgame–whatifMySQLupdatedfirst?

UnderlyingCause

¨  Problemcomesfrommixingdata&codeinprogram¨  Userinput(data)providedtoparserforitswork¨  Shouldbedata,butaddedtostringexecutedascode

¤ Userinjectscodewhichisthenexecutedasnormal

¨  Bestsolution:alwaysseparatecode&data

Don’tmakeitagame

PreparedStatementsalwaysbetter

thanfiltersorsanitizing

SQLInjectionKeyConcept

PHPPreparedStatement

$stmt = $conn->prepare( “SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?”); $stmt->bind_param(“sid”, $user, $age, $meters); $stmt->execute();

PHPPreparedStatement

Step1:Sendcodethatwillbeexecuted

$stmt = $conn->prepare( “SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?”); $stmt->bind_param(“sid”, $user, $age, $meters); $stmt->execute();

PHPPreparedStatement

Step2:Senddatatofillinvariables

$stmt = $conn->prepare( “SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?”); $stmt->bind_param(“sid”, $user, $age, $meters); $stmt->execute();

PHPPreparedStatement

Step3:Profit

$stmt = $conn->prepare( “SELECT * FROM credential WHERE user = ? AND age = ? AND height = ?”); $stmt->bind_param(“sid”, $user, $age, $meters); $stmt->execute();

BufferOverflows

¨  FormusedbymajorityofInternetattacks¤ 50%ofCERTadvisoriesdealwithbufferoverflows¤ Veryquick&easywaytoinfectlotsofmachines

BufferOverflows

¨  Morriswormoverflowedfingerd¤  Infected10%oftheexistingInternet

¨  CodeRedusedoverflowinMS-IISserver¤  Infected300,000machinesinabout14hours

¨  SQLSlammerhackedthroughMS-SQLserver¤ Neededjust10minutestoinfect75,000machines

MajorBufferOverflows

¨  Bufferoverflowattacksareeasytostop¤ Javadoesnotallowthisexploittowork,infact¤ VerycommoninCcode

WhatCanWeDo?

¨  Memorysetasideforquickaccessbyprogram¤ Usuallyfoundonprogramstackorintheheap¤ Pre-definedsizeusedtoimproveaccessspeed¤ Butwhathappensifmoredatastuffedintoit

WhatisaBuffer?

¨  Shouldcheckforspacebeforestoringdata¤ Justcommonsensetostoreonlywherepermitted¤ Buffersnormallyhugesotheycanholdalldata¤ Butthere’scost:addedchecksslowprogramdown

¨  Languagessplitinhandlingofarrayaccess¤ AutomaticarrayboundschecksdonebyJava,C#¤ NotinmanyolderlanguageslikePascal&C++

HowtoHandleBuffer

¨  Whencallingfunction,programcreatesframe¤ Valueofparametersstoredinthisframe¤ Containsspaceforallofthelocalvariables¤ Addresstoreturntowhenfunctioncompletes

¨  Sinceautomatic,systemassumesvaluesvalid¤ Programmercannotadjustorcontrolthisdata¤ Assoonascomplete,blindlyjumpstoreturnaddress

ProgramStack

HighAddress Parameters i à 456 (4 bytes)

ReturnAddress 0xFEEDFACE (4 bytes)

CallingFP0xA0029482 (4 bytes)

LowAddress

LocalVariables x à 34 (4 bytes) y à 34 (4 bytes) buffer (100 bytes)

void foo(int i) { int x; int y; char buffer[100]; // Code here… }

StackframeExample

¨  Whenweoverflowthebuffer…¤ Localvariablesoverwritteninitiallybythisextradata¤ Thencreatebrandnewaddressforframepointer¤ Assignreturnaddressnexttowhateverisininput

SmashingTheStack

¨  Whenweoverflowthebuffer…¤ Localvariablesoverwritteninitiallybythisextradata¤ Thencreatebrandnewaddressforframepointer¤ Assignreturnaddressnexttowhateverisininput

¨  Oops.¤  Importantthatreturnaddressshouldbeaccurate¤ Randomvalueusedasresultofouroverflow¤ Codethatwillbeexecuteddecidedbywhom?

SmashingTheStack

¨  Systemwillnormallycrashasresultofoverrun¤ Moreoftenthannot,datawillberandom¤ Rarelyproductivetojumptorandomaddress¤ Woo-hoo!Ourprogramisnotunsafe,itjustsucks.

UsuallyJustCrashes

¨  Mustfirstwaitforhackertofindbug¤ Solongasnobodyusesprogramthisisnotaproblem¤ Onceprogramused,countonshortestwaitever

Neverask“Howcoulditbeworse?”

WhatisLeft?

¨  Mustfirstwaitforhackertofindbug¤ Solongasnobodyusesprogramthisisnotaproblem¤ Onceprogramused,countonshortestwaitever

¨  Neverask“Howcoulditbeworse?”¤ SomelanguageshaveStringsasprimitivetype¤ Manyothersusenullterminatedarrayofchar ¤ Functionsprocessarrayuntilnullcharacterfound¤ Createsanentirelynewsourceofpossiblehacks

WhatisLeft?

¨  Avoidfunctionsusingunlimitednumberofbytes¤ Canalwaysfind&uselimitedmemoryversions

¨  Restricttoactualsizetopreventoverflow¤ Requiresyoubeabletoknowarray’sactualsize¤ Updateeverywherewhenchangingcode¤ Usingmagicnumbersmakesverydifficult

PossibleSolutions

¨  Commerciallibrariesinjectcheckswhereitcan¤ Asinmodernlanguages,butlesscapableoruseful¤ Checksaddtime:programruns2-3%slower

¨  Legacycodetoodifficulttofixcanuselibraries¤  Mostbosseswouldbeangryaddingtonewcode

OtherSolutions