URLRewri)ngforGood,notEvilUsingAlterna)veResourceLocatorsBryanSullivanSeniorSecurityProgramManager,SDLMicrosoA

TopWebVulnsHaveaCommonFactor

• Cross‐SiteScrip)ng▫ OWASP#1• Cross‐SiteRequestForgery▫ Growingfast• OpenRedirectPhishing▫ LotsofMSRCcases

[www.owasp.org]

Propaga)onViaPoisonedHyperlinks

• XSS▫ foo.aspx?bar=<script>alert('xss')</script>• XSRF▫ foo.aspx?ac)on=buy&symbol=GM• RedirectPhishing▫ foo.aspx?target=h_p://evil.com/foo.aspx

• Redirectors(TinyURL,bit.ly)makethingsworse

BrowserHistoryTheA

• Useanyofthefollowing:▫ Script▫ CSS▫ iframe)minga_acks

• Can’tlistall,butcancheckspecificsitesorsearches▫ www.verylargebank.com▫ www.bing.com/search?q=scarle_+johannson

[popcrunch.com]

Solu)on:PersonalizeHyperlinks

• NotURLsbutPRLs(PersonalizedResourceLocators)• Maliciouslinkcreatedbyana_ackercouldonlybeusedbyhim/her

• Wealreadyhaveanimplementa)onmechanism:

URLRewri)ng

URLRewri)nginBrief

h_p://www.site.com/foo.html

h_p://www.site.com/{sessionID}/foo.html

•Thisusuallycausesmoreproblemsthanitsolves▫ Sessionhijacking▫ Sessionfixa)on

Example

h_p://www.xbox.com/{abc123...}/rockband.aspx

RewritewithCanary,notSessionID

• Outbound:1. Servercreatessharedsecrettoken(canary)2. Storecanaryvalueinsessionstate3. RewritecanaryintoURL4. PassSIDincookieasusual

• Inbound:1. Servercomparesincomingcanaryagainststored2. Ifmissingormismatched,rejectrequest

PoisonedLinksareNowUseless

www.site.com/{a1b2...}/foo.aspx?ac)on=buy&symbol=GM

•Senditaroundinanemail•Postitonapage•Hidethepayloadwitharedirector

•Noneofthesema_er,becausevic)mcan’tuseit

HistoryTheABecomesInfeasible

• AssumeGUIDsareusedforcanaries• A_ackermustcheckallofthese:

www.site.com/{00000000‐0000‐0000‐000000000000}/www.site.com/{00000000‐0000‐0000‐000000000001}/www.site.com/{00000000‐0000‐0000‐000000000002}/

…• 3.4x1038possibili)es▫ Thiswouldtakeareally,reallylong)metocheck

StatelessAlterna)ve:TimedURLs

• Outbound:1. Getthecurrentdate/)me2. Createakeyedhashofthe)mestamp3. Writethe)mestampandhashintotheURL• Inbound:1. If)mestamporhashmissing,rejectrequest2. If)mestampandhashmismatch,rejectrequest3. If)mestampolderthanspecifiedexpira)onage(ie5

minutes),rejectrequest

PoisonedLinksareAlmostUseless

h_p://www.site.com/{07.30.2009...}/?ac)on=buy&symbol=GM

•Linksworkforeveryone,butonlyforashortlifespan▫ 5minutesorwhatevertheserverhasconfigured

•Seriouslylimitspoten)aldamage

HistoryTheAS)llInfeasible

• A_ackermustmakerequests,storekeyedhashes• Assumemillisecondgranularityfor)mestamp• A_ackermustcheckallofthese:

www.site.com/{2009‐07‐30‐T1330000000‐HASH}/www.site.com/{2009‐07‐30‐T1330000001‐HASH}/www.site.com/{2009‐07‐30‐T1330000002‐HASH}/

…

AppropriateCryptography

• Youmustincludeahashofthe)mestamp▫ Otherwisea_ackercouldcreatepoisonedURLswitharbitraryexpira)ondates(+10years)

• Youmustkeythehash▫ Otherwisea_ackercouldprecomputeavalidhash• UseSHA‐2▫ Ifyou’regoingtogotothismuchtrouble,useasecurealgorithm

LandingPages

• Youmustdesignateoneormorepagesas“landingpages”▫ Thesedonotrequirecanariesorkeyed)mestamps▫ Otherwisenoonewillbeabletousethesite

[poandpo.com]

BypassingDefenses

• ExternalXSSwillcompletelydefeatthesedefenses▫ Landingpage▫ Differentapplica)on,samedomain• UseXSStoinjectXHR▫ Readtoken+redirect▫ Readtoken+modifyDOM

• POSTredirec)onwilldefeat)medURLs

TemporaryURLBypassTechnique

1. A_ackersetsupmaliciouspage[www.evil.com]2. Whencalled,maliciouspagesendsrequestto

protectedpagetodeterminevalidtoken3. Maliciouspagethenredirectsusertovalidpage

• A_ackernowonlyneedstolureusertohismaliciouspageasusual▫ Phishing,etc

OtherUnfortunateSideEffects

• Can’temaillinks• Can’tbookmarklinks• Searchenginescan’tindexthesite

BestUsageScenario

• Don’tapplytoen)resite• Applytosecuresubdomain

• www.verylargebank.com(regularURLs)▫ Loca)ons,hours▫ Currentinterestrates• secure.verylargebank.com(alterna)veURLs)▫ Accountbalances▫ Transfers

Conclusions

• Alterna)veURLscanbeusefulasdefense‐in‐depth• Don’tjustapplythemglobally• Con)nuetofind&fixvulnerabili)es

• Moreresources▫ MSDNMagazine,March2009,SecurityBriefs▫ blogs.msdn.com/sdl▫ Myalias:bryansul